
SISE

Implementing and
Configuring Cisco
Identity Services
Engine
Version 2.3

Fast Lane Lab Guide


Version 2.3.0
ATTENTION
The information contained in this guide is intended for training purposes only. This guide contains information and activities that, while
beneficial for purposes of training in a closed, non-production environment, can result in downtime or other severe consequences and
therefore are not intended as a reference guide. This guide is not a technical reference and should not, under any circumstances, be
used in a production environment. Customers should refer to the published specifications applicable to specific products for technical
information. The information in this guide is distributed AS IS, and the use of this information or implementation of any recommendations
or techniques herein is a customer’s responsibility.

COPYRIGHT
© 2018 Fast Lane GmbH. All rights reserved.

All other brands and product names are trademarks of their respective owners.

No part of this book covered by copyright may be reproduced in any form or by any means (graphic, electronic, or mechanical, including
photocopying, recording, taping, or storage in an electronic retrieval system) without prior written permission of the copyright owner.

Fast Lane reserves the right to change any products described herein at any time and without notice. Fast Lane assumes no
responsibility or liability arising from the use of products or materials described herein, except as expressly agreed to in writing by
Fast Lane. The use or purchase of this product or materials does not convey a license under any patent rights, trademark rights, or any
other intellectual property rights of Fast Lane.

The product described in this manual may be protected by one or more patents, foreign patents, or pending applications.

II Implementing and Configuring Cisco Identity Services Engine (SISE2.3) v2.3.0 © 2018 Fast Lane
Table of Contents
SISE Lab Guide 1
Overview 1
Outline 1
Lab 1-1: Complete Cisco ISE GUI Setup 3
Activity Objective 3
Visual Objective 3
Required Resources 3
Task 1: Verify Cisco ISE setup using CLI (skip if done Lab1-1) 4
Task 2: Initial Login and Initial Message Management 6
Task 3: Disable Profiling 12
Lab 2-1: Integrate Cisco ISE with Active Directory 23
Activity Objective 23
Visual Objective 23
Required Resources 23
Task 1: Configure Active Directory Integration 24
Task 2: Configure LDAP Integration 29
Lab 2-2: Basic Policy Configuration 33
Activity Objective 33
Visual Objective 33
Required Resources 33
Command List 34
Task 1: Adjusting Radius Settings 35
Task 2: Create Network Devices and Network Device Groups 37
Task 3: Create Wired and Wireless Policy Sets 47
Task 4: Create Authentication Policy for the Wired and Wireless Policy Set 50
Task 5: Authorization Policy Configuration for AD Employees and AD Contractors 53
Task 6: Client Access – Wired 59
Task 7: Client Access – Wireless 65
Task 8: Creating a Global Exception 70
Task 9: Network visibility with Context Visibility 72
Lab 3-1: Configure Guest Access 74
Activity Objective 74
Visual Objective 74
Required Resources 74
Task 1: Guest Settings 75
Task 2: Guest Locations 77
Lab 3-2: Guest Access Operations 78
Activity Objective 78
Visual Objective 78
Required Resources 79
Task 1: Hotspot Portal Operations 80
Task 2: Self-Registration Portal Operations (Optional) 96
Task 3: Enabling Self-Registration with Sponsor Approval (Optional) 110
Task 4: Sponsored Guest Logins 117
Task 5: Guest Account Management via the Sponsor Portal 132
Lab 3-3: Create Guest Reports 134
Activity Objective 134
Visual Objective 134
Required Resources 134
Task 1: Running Reports from Cisco ISE Dashboard 135
Lab 4-1: Configuring Profiling 138
Activity Objective 138
Visual Objective 138
Required Resources 138
Command List 138
Task 1: Configuring Profiling in Cisco ISE 139
Task 2: Configure the Feed Service 144
Task 3: Configuring Profiling in Cisco ISE 146
Task 4: NAD Configuration for Profiling 148
Lab 4-2: Customizing the Cisco ISE Profiling Configuration 150
Activity Objective 150
Visual Objective 150
Required Resources 150
Task 1: Examine Endpoint Data 151
Task 2: Create a Logical Profile 156
Task 3: Creating a New Authorization Policy using a Logical Profile 157
Task 4: Create a Custom Profile Policy 158
Task 5: Testing Authorization Policies with Profiling Data 162
Lab 4-3: ISE Profiling Reports 166
Activity Objective 166
Visual Objective 166
Required Resources 166
Task 1: Run Cisco ISE Profiling Reports 167
Task 2: Endpoint Profile Changes Report 169
Task 3: Context Visibility Dashlet Reports 170
Lab 5-1: BYOD Configuration 172
Activity Objective 172
Visual Objective 172
Required Resources 173
Task 1: Portal Provisioning 174
Task 2: Provisioning Configuration 178
Task 3: Policy Configuration 183
Task 4: Employee Tablet Registration 190
Lab 5-2: Device Blacklisting 197
Activity Objective 197
Visual Objective 197
Required Resources 198
Task 1: Blacklist a Device 199
Task 2: Lost Access Verification 202
Task 3: Endpoint Record Observations 203
Task 4: Un-Blacklist the Device 207
Task 5: Verify Access Capability 208
Task 6: Blacklisting a Stolen Device 209
Lab 6-1: Compliance 212
Activity Objective 212
Visual Objective 212
Required Resources 212
Task 1: Posture Preparation 213
Task 2: Authorization Profiles 217
Task 3: Adjusting Authorization Policy for Compliance 220
Lab 6-2: Configuring Client Provisioning 224
Activity Objective 224
Visual Objective 224
Required Resources 224
Task 1: Client Updates 225
Task 2: Client Resources 226
Task 3: Client Provisioning Policies 231
Lab 6-3: Configuring Posture Policies 233
Activity Objective 233
Visual Objective 233
Required Resources 233
Task 1: Configuring Posture Conditions 234
Task 2: Configuring Posture Remediation 237
Task 3: Configuring Posture Requirements 240
Task 4: Configuring Posture Policies 243
Lab 6-4: Testing and Monitoring Compliance Based Access 245
Activity Objective 245
Visual Objective 245

Required Resources 245
Command List 246
Task 1: Web Agent Access 247
Task 2: AnyConnect Unified Agent Access 253
Lab 6-5: Compliance Policy Testing 257
Activity Objective 257
Visual Objective 257
Required Resources 257
Task 1: Configure a Faulty Policy 258
Task 2: Use Posture Reports for Troubleshooting 259
Task 3: Using the Posture Troubleshooter 260
Task 4: Policy Correction and Testing 262
(Optional) Lab 6-6: MDM Integration with Cisco ISE 264
Activity Objective 264
Visual Objective 264
Required Resources 264
Task 1: MDM Integration 265
Task 2: Configuring Cisco ISE Policy for MDM 269
(Optional) Lab 6-7: MDM Access and Configuration 273
Activity Objective 273
Visual Objective 273
Required Resources 273
Task 1: MDM Access 274
(Optional) Lab 6-8: Client Access with MDM 277
Activity Objective 277
Visual Objective 277
Required Resources 277
Task 1: Preparing the Tablet 278
Task 2: Client Onboarding with MDM Enrollment 279
Lab 7-1: Using Cisco ISE for VPN Access 286
Activity Objective 286
Visual Objective 286
Required Resources 286
Command List 287
Task 1: Lab Preparation 288
Task 2: Testing VPN Client Access 295
Lab 7-2: Configuring Cisco AMP for ISE 301
Activity Objective 301
Visual Objective 301
Required Resources 301
Command List 302
Task 1: Configuring the Cisco AMP Cloud 303
Task 2: Configuring Posture Policies and Conditions 306
Task 3: Configuring Posture, AMP and AnyConnect Profiles 308
Task 4: Enabling and Provisioning TC-NAC Services 311
Task 5: Verify Provisioning of AMP for Endpoints (Optional) 314
Lab 8-1: Cisco ISE Integrated Solutions with APIs 317
Activity Objective 317
Visual Objective 317
Required Resources 317
Task 1: Configuring Cisco ISE System Certificates for REST and pxGrid 318
Task 2: Preparing the Cisco WSA 321
Task 3: Configuring Security Groups, Authorization Policy, and Enabling pxGrid on ISE 329
Task 4: Enabling pxGrid on WSA 331
Task 5: WSA Identity and Access Policies (Optional) 335
Task 6: Testing Corporate PC (Optional) 340
Lab 9-1: Configure TACACS+ for Cisco ISE for Basic Device Administration 345
Activity Objective 345
Visual Objective 345
Required Resources 345



Task 1: Policy Configuration for AD Employees and AD Contractors 346
Lab 9-2: Configure TACACS+ Command Authorization 353
Activity Objective 353
Visual Objective 353
Required Resources 353
Task 1: Configure Command Sets 354
Task 2: TACACS+ Features 357
(Optional) Lab 9-3: Configuring Backups and Patching 360
Activity Objective 360
Visual Objective 360
Required Resources 360
Task 1: Configuring Backups 361
(Optional) Lab 9-4: Configuring Administrative Access 365
Activity Objective 365
Visual Objective 365
Required Resources 365
Task 1: Administrative Access 366
Task 2: Administrator Access and Authorization 367
Task 3: Testing AD Administrative Access 370
(Optional) Lab 9-5: Review of General Tools 371
Activity Objective 371
Visual Objective 371
Required Resources 371
Task 1: RADIUS Authentication Troubleshooting 372
Task 2: TCPDump 373
(Optional) Lab 9-6: Report Operations 375
Activity Objective 375
Visual Objective 375
Required Resources 375
Task 1: Running Report with Filters 376
Task 2: Saving and Scheduling Reports 377
Task 3: Favorite Reports 379

SISE Lab Guide
Overview
This guide presents the instructions and other information concerning the lab activities for
this course. You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:
• Lab 1-1: Complete Cisco ISE GUI Setup
• Lab 2-1: Integrate Cisco ISE with Active Directory
• Lab 2-2: Basic Policy Configuration
• Lab 3-1: Configure Guest Access
• Lab 3-2: Guest Access Operations
• Lab 3-3: Guest Reports
• Lab 4-1: Configuring Profiling
• Lab 4-2: Customizing the Cisco ISE Profiling Configuration
• Lab 4-3: ISE Profiling Reports
• Lab 5-1: BYOD Configuration
• Lab 5-2: Device Blacklisting
• Lab 6-1: Compliance
• Lab 6-2: Configuring Client Provisioning
• Lab 6-3: Configuring Posture Policies
• Lab 6-4: Testing and Monitoring Compliance Based Access
• Lab 6-5: Compliance Policy Testing
• (Optional) Lab 6-6: MDM Integration with Cisco ISE
• (Optional) Lab 6-7: MDM Access and Configuration
• (Optional) Lab 6-8: Client Access with MDM
• Lab 7-1: Configure Cisco ISE for VPN Access
• Lab 7-2: Configuring Cisco AMP for ISE
• Lab 8-1: Cisco ISE Integrated Solutions with APIs
• Lab 9-1: Configure TACACS+ for Cisco ISE for Basic Device Administration
• Lab 9-2: Configure TACACS+ Command Authorization
• (Optional) Lab 9-3: Configuring Backups and Patching
• (Optional) Lab 9-4: Configuring Administrative Access
• (Optional) Lab 9-5: Review of General Tools
• (Optional) Lab 9-6: Report Operations

Lab 1-1: Complete Cisco ISE GUI Setup
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will complete the GUI portion of the setup for this lab
environment. After completing this activity, you will be able to meet these objectives:
• Log into Cisco ISE and process initial information messages
• Disable profiling
• Perform administrative certificate management services for Cisco ISE with a CA

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1 (bootstrap)



Task 1: Verify Cisco ISE setup using CLI (skip if done Lab1-1)
In this task, ISE has been partially preconfigured for you. This task will allow you to get
familiar with ISE’s console CLI to verify system setup.

Activity Procedure
Complete these steps:
Step 1 Access the Cisco ISE console according to the lab access procedures provided
by your instructor.
Step 2 At the login prompt, enter the username admin and the password 1234QWer.

Step 3 You should see the following prompt:


ise-1/admin#

Step 4 Enter the following command and observe the following output and the status of
the services.
show application status ise

ise-1/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          15799
Database Server                        running          60 PROCESSES
Application Server                     running          20529
Profiler Database                      running          17282
ISE Indexing Engine                    running          22806
AD Connector                           running          24122
M&T Session Database                   running          14158
M&T Log Collector                      running          20766
M&T Log Processor                      running          20574
Certificate Authority Service          running          23826
EST Service                            running          30148
SXP Engine Service                     disabled
Docker Daemon                          running          23242
TC-NAC Service                         disabled
Wifi Setup Helper Container            disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled

Step 5 Verify NTP synchronization. At the command prompt, type the following
command:
show ntp

ise-1/admin# show ntp

Configured NTP Servers:
ntp.demo.local

synchronised to NTP server (10.1.100.10) at stratum 4
time correct to within 134 ms
polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l  133   64  374    0.000    0.000   0.000
*10.1.100.10     144.76.14.132    3 u   36   64  377    0.476   11.754   8.993

* Current time source, + Candidate , x False ticker

Warning: Output results may conflict during periods of changing synchronization.

ise-1/admin#

Step 6 In the output above, note the * at the beginning of the line for 10.1.100.10
and the text above the peer table indicating “synchronised to NTP server…”.

Step 7 Verify DNS Name Resolution. At the command prompt enter the following
command:
nslookup ise-1.demo.local

ise-1/admin# nslookup ise-1.demo.local

Trying "ise-1.demo.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ise-1.demo.local.              IN      ANY

;; ANSWER SECTION:
ise-1.demo.local.       3600    IN      A       10.1.100.21

Received 50 bytes from 10.1.100.10#53 in 5 ms

ise-1/admin#

Activity Verification
You have completed this task when you attain this result:
• Successfully observed Cisco ISE services status
• Successfully observed NTP synchronization
• Successfully performed an nslookup to verify proper name resolution
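As an added example that is not part of the lab guide, the following POSIX shell script applies the three checks of this task (required services running, NTP peer selected, name resolution) to console output saved to files instead of reading it by eye. The embedded samples are constructed from the expected output shown above; the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab guide): checks the three Task 1 results from
# saved ISE CLI output. The sample outputs below are constructed to mirror the
# guide's expected output; the expected values (server, FQDN, IP) come from the lab.
NTP_SERVER=10.1.100.10
ISE_FQDN=ise-1.demo.local
ISE_IP=10.1.100.21

# Constructed, abridged copy of "show application status ise".
ISE_STATUS_SAMPLE='ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          15799
Database Server                        running          60 PROCESSES
Application Server                     running          20529
AD Connector                           running          24122
M&T Session Database                   running          14158
M&T Log Collector                      running          20766
M&T Log Processor                      running          20574
SXP Engine Service                     disabled'

# Constructed copy of "show ntp"; "*" marks the peer ntpd is synchronised to.
NTP_SAMPLE='synchronised to NTP server (10.1.100.10) at stratum 4
 127.127.1.0     .LOCL.          10 l  133   64  374    0.000    0.000   0.000
*10.1.100.10     144.76.14.132    3 u   36   64  377    0.476   11.754   8.993'

# Constructed copy of the answer section of "nslookup ise-1.demo.local".
NSLOOKUP_SAMPLE='ise-1.demo.local.       3600    IN      A       10.1.100.21'

# service_state <status output> <process name>: prints the STATE column for that
# process (running, disabled, ...) or "missing". Names contain spaces, so the
# line is matched by prefix rather than by awk field.
service_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        index($0, name) == 1 {
            rest = substr($0, length(name) + 1)
            sub(/^[ \t]+/, "", rest)
            split(rest, f, /[ \t]+/)
            print f[1]; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# check_required_services <status output>: the processes a single-node
# deployment needs at this point of the lab must all be "running".
check_required_services() {
    rc=0
    for svc in "Database Listener" "Database Server" "Application Server" \
               "AD Connector" "M&T Session Database" \
               "M&T Log Collector" "M&T Log Processor"; do
        state=$(service_state "$1" "$svc")
        if [ "$state" = "running" ]; then
            echo "ok        $svc"
        else
            echo "NOT READY $svc ($state)" >&2
            rc=1
        fi
    done
    return $rc
}

# ntp_sync_source <show ntp output>: the address on the line marked "*", i.e.
# the server ntpd actually selected; empty when nothing is selected yet.
ntp_sync_source() {
    printf '%s\n' "$1" | awk '/^\*/ { sub(/^\*/, "", $1); print $1; exit }'
}

# dns_answer <nslookup output> <fqdn>: the A record returned for fqdn, if any.
dns_answer() {
    printf '%s\n' "$1" | awk -v q="$2." \
        '$1 == q && $3 == "IN" && $4 == "A" { print $5; exit }'
}

# verify_bootstrap <status> <ntp> <nslookup>: the whole Task 1 check in one call.
verify_bootstrap() {
    ok=0
    check_required_services "$1" || ok=1
    src=$(ntp_sync_source "$2")
    if [ "$src" = "$NTP_SERVER" ]; then
        echo "ok        NTP synchronised to $src"
    else
        echo "NOT READY NTP source is '${src:-none}', expected $NTP_SERVER" >&2; ok=1
    fi
    ip=$(dns_answer "$3" "$ISE_FQDN")
    if [ "$ip" = "$ISE_IP" ]; then
        echo "ok        DNS $ISE_FQDN -> $ip"
    else
        echo "NOT READY DNS $ISE_FQDN -> '${ip:-nothing}', expected $ISE_IP" >&2; ok=1
    fi
    return $ok
}

# Usage: sh ise_check.sh status.txt ntp.txt dns.txt  (one saved output per file);
# without arguments the constructed samples are checked and all three pass.
if [ $# -eq 3 ]; then
    verify_bootstrap "$(cat "$1")" "$(cat "$2")" "$(cat "$3")"
else
    verify_bootstrap "$ISE_STATUS_SAMPLE" "$NTP_SAMPLE" "$NSLOOKUP_SAMPLE"
fi
```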



Task 2: Initial Login and Initial Message Management
In this task, you will perform an initial login to Cisco ISE. During initial login, certain
pop-up messages are presented to the user. You will observe these messages and select
options to reduce these messages during later logins.

Activity Procedure
Complete these steps:
Step 1 Access your Admin PC. Use the credentials Administrator / 1234QWer
Step 2 Open the Firefox web browser and navigate to https://ise-1.demo.local

Note You can use the toolbar shortcut as well

Step 3 Accept the Your connection is not secure message by expanding Advanced and
click Add Exception. Uncheck the Permanently store this exception checkbox
at the bottom.

Step 4 Click Confirm Security Exception.

Step 5 Login with the credentials that you configured during the setup script (admin /
1234QWer).

Step 6 If the Visibility Setup Wizard pop-up appears, click Do not show this again.

Step 7 Navigate the various sub-menu options available under the Home screen tab. In
later labs, you will be configuring other aspects of ISE and these dashboards will
be populated and updated accordingly. Since we have no devices or users who are
yet defined, many dashboards are empty.



Step 8 Navigate to Context Visibility > Endpoints. Again, explore the various
sub-menus available here. Do the same with the Network Devices menu available
under Context Visibility.

Note Context Visibility provides the administrator with a more holistic view of the network. It
allows for quick sorting and filtering of context information. Administrators can view
dashlets to get detailed informational data.

Step 9 These dashboards and dashlets can be customized to meet your needs. By
clicking the “gear” icon on the right, you will find the options available to you
and what can be customized.
These options change depending on which main menu heading you are
viewing, Home or Context Visibility. Take a moment to explore these options.

Step 10 Back under the Home tab, you can add additional dashboards in two ways. Click
the “gear” icon on the far right of the page. The wheel icon gives you more
options beyond this, such as adding additional dashlets to the present view. You
can also change the layout of the display and manage dashboards as well.

Step 11 Add a new test dashboard by using either method that is mentioned above. Name
it MYTEST and click Apply when done. Then select 2 or 3 dashlet parameters
of your choice to be included with that dashboard. Then click Save. You can then
view this new dashboard once complete and it will appear as a sub-menu option.

Step 12 By clicking the gear icon on the right, notice that you can rename this dashboard,
and add additional dashlets. If you click Add Dashlets, you will see that you can
configure the dashboard to display what is important to you, for your
environment. Click Close to exit.



Step 13 Now, go ahead and delete this Dashboard by clicking the X next to the MYTEST
name and click OK on the pop-up warning window to delete the dashboard. You
will be adding dashboards in later labs that will be more relevant to the task being
performed.

Step 14 Similarly, by navigating to the Context Visibility page and clicking the gear
icon on the right, you are presented with options to create new views, or directly
jump to a preexisting dashboard. Again, you will be customizing these pages in
later labs where appropriate.

Step 15 Next, navigate to the other menu options available just to familiarize yourself
with GUI navigation. You will be accessing most of the configuration options
available in much more detail throughout the entire course.
• The Operations tab will allow you to view live logs and live sessions for things
such as RADIUS and TACACS+ sessions.
• The Policy tab is where you will perform authentication and
authorization configurations, as well as profiling, provisioning, and
posture. Take the time to view the default policies that come with ISE for
authentication, authorization, profiling, and provisioning. You will be
modifying some of these and adding new policy configurations in later
labs.
• The Administration tab is where you will perform system functions,
identity management, add network resources, device portals, and other
services available on Cisco ISE.
• There is a new menu option available with ISE version 2.1 that is called
Work Centers. The Work Centers provide a guided workflow for
configuring various ISE services. Work Centers also provide direct links
to specific configuration pages. Take some time to click the various sub-menu
options, and pay particular attention to the overview pages. These
help guide you through the ISE workflow. For example, choose
the “Overview” option under the headings for BYOD, Guest Access,
or Network Access.

Activity Verification
You have completed this task when you attain these results:
• You have successfully logged in to Cisco ISE using the credentials provided during
the first lab.
• You have processed the initial messages that are shown to the user upon login.
• You have familiarized yourself with the Cisco ISE user interface.



Task 3: Disable Profiling
In this task, you will disable profiling, which is enabled by default during the Cisco ISE
installation process. You will be enabling profiling in a later lab.

Activity Procedure
Complete these steps:
Step 1 Navigate to Administration > System > Deployment.
Step 2 Click the ise-1 hostname hyperlink.

Step 3 Uncheck the Enable Profiling Service checkbox. Verify with the following
screenshot.

Step 4 Scroll down and click Save.

Step 5 After a minute, you will see the following message. Click OK or let it restart
automatically.

Note System services are being reconfigured and restarted. The message will auto close and
the browser will automatically log you out if you do not click the OK button.

Step 6 After a few minutes, log back in to the ISE Admin Portal.

Note You may check the status of the service restart via the console or CLI using the
command show application status ise. Once the Application Server is running, you will
be able to log in. If you check before the service is reconfigured, you may see the service
still in a running state. An attempt to log in will then show a “Server is undergoing
administrative maintenance. Please try again later.” message.

Step 7 Once logged in, click ise-1 in the upper right of the window and verify that
Session is the only Policy Service running (Identity Mapping, Session).

Step 8 Click Server Information.



Note If you see (ALL) instead of (Session,SXP), perform steps 1 through 7 again paying
attention to step 5.

Step 9 Click OK on the notification to close it.

Activity Verification
You have completed this task when you attain this result:
• You have disabled profiling in Cisco ISE

Task 4: Certificate Enrollment
In this task, you will enroll Cisco ISE with the certificate authority in your pod.

Activity Procedure
Complete these steps:
Download CA certificate
Step 1 In the web browser on the admin PC, open a new tab and navigate to
http://ad1.demo.local/certsrv.
Step 2 When prompted use the credentials administrator / 1234QWer.
Step 3 Click the link Download a CA certificate, certificate chain, or CRL.
Step 4 Click the Download CA certificate link.
Step 5 Click OK to save the file.

Note If using Firefox, you may have to click the install this CA certificate link at the top in order to
install the CA certificate in the browser. This is necessary because Firefox uses a certificate
store separate from the operating system's. Select Trust this CA to identify websites and
click OK.

Install CA certificate
Step 6 In the Cisco ISE admin portal tab, navigate to Administration > System >
Certificates.
Step 7 Then select Trusted Certificates under Certificate Management.
Step 8 Click the Import button in the right-hand pane.
Step 9 Click the Browse… button and navigate to your Downloads folder
(C:\Users\Administrator\Downloads).
Step 10 Select the file certnew.cer and then select the Open button.

Note You may or may not see the .cer extension depending upon your Windows Explorer
configuration.

Step 11 In the Friendly Name field enter demo.local CA Certificate.


Step 12 Select the following three options as indicated in the screenshot.

Step 13 In the Description field enter, CA cert from ad1.demo.local.


Step 14 Click Submit at the bottom.



Generate Certificate Signing Request
Step 15 In the left pane, select Certificate Signing Requests under Certificate
Management.
Step 16 Click the button at the top of the right pane, Generate Certificate Signing
Requests (CSR).
Step 17 Perform the following procedure to generate your CSR.
Certificate Signing Request Procedure (Step / Action / Notes)

1. Verify Usage is set to Admin.

2. Check Allow Wildcard Certificates.
   Notes: Click the information (i) icon to read important wildcard certificate
   configuration information.

3. In the Subject area, use the following:
     CN   $FQDN$
     OU   IT
     O    ISE Lab
     L    San Jose
     ST   California
     C    US
   Notes: $FQDN$ should be a preexisting entry. There is no need to modify it.

4. In the Subject Alternative Name area, configure the following:
     DNS Name    aaa.demo.local
     DNS Name    ise-1.demo.local
     DNS Name    ise.demo.local
     DNS Name    *.demo.local
     DNS Name    10.1.100.21
     IP address  10.1.100.21
   Notes: Click the plus (+) sign to add additional SAN entries.
   • The aaa name is a CNAME record.
   • The ise name is a CNAME record.
   • Adding the IP address as both a DNS Name and an IP Address addresses a
     compatibility issue with Microsoft Windows clients.

5. Verify the Key Length is 2048.

6. Verify the Digest to Sign with is SHA-256.

7. Verify your settings with the screenshot below.

8. Click Generate.

Step 18 You will receive a confirmation pop-up window notifying you that you have
successfully generated your CSR.

Step 19 Click the Export button.



Step 20 Save the file.
Process CSR with CA
Step 21 In the left pane, click Certificate Signing Requests again.
Step 22 In the right pane select the check box to the left of the previously processed CSR.

Step 23 Click the View button in the toolbar.


Step 24 Observe the CSR Details.
Step 25 Click the tab CSR Contents and observe the text of the certificate request.

Step 26 Select all (Ctrl-A) and copy the complete contents to the clipboard (right-clicking
and selecting Copy or pressing Ctrl-C will both work).
Step 27 Click Close.
Step 28 Return to the tab for the Microsoft Active Directory Certificate Services page.
(http://ad1.demo.local/certsrv with username administrator, password 1234QWer)
Step 29 Click the Home link in the upper right-hand corner.
Step 30 Click the Request a certificate link.
Step 31 Click the advanced certificate request link.
Step 32 Right-click and paste the contents into the Saved Requests field.
Step 33 From the Certificate Template drop-down select Web Server.
Step 34 Click the Submit> button.
Step 35 Select Base 64 encoded.
Step 36 Click Download certificate.
Step 37 Click OK to save the file.
Step 38 Open the Downloads folder and rename the certnew(1).cer certificate to “ise-1
Admin Cert.cer”.
Install (Bind) CA signed certificate
Step 39 Return to the Cisco ISE browser tab.
Step 40 In the Certificate Management > Certificate Signing Requests page, select the
check box to the left of the previously processed CSR.
Step 41 In the small toolbar above the list, click the Bind Certificate button.

Step 42 Click Browse and navigate to the Downloads folder again if necessary.
Step 43 Select the file ise-1 Admin Cert.cer.
Step 44 Click Open.
Step 45 In the Friendly Name field enter ise-1 Admin Cert.
Step 46 Select Admin, to assign the certificate to the Admin role.
Step 47 Click Submit.
Step 48 If the following pop-up window appears, click Yes.

Step 49 The system will log you out and restart services.
Step 50 Log back in after a few minutes.



Note You may check the status of the service restart via the console or CLI using the
command show application status ise. Once the Application Server is running, you will
be able to log in.

Certificate Verification
Step 51 In your browser URL bar, click the lock icon to the left of https://. Observe the
following field which indicates a trusted CA signed certificate.

Step 52 Click on the right side arrow and then More Information.
Step 53 Click View Certificate.
Step 54 Observe the Issued By is the root-CA for your pod.

Step 55 Click the Details tab and scroll down to Certificate > Extensions > Certificate
Subject Alt Name and observe your wildcard configuration.

Step 56 Close all of the pop-up windows.
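As an added example (not from the lab guide or from Cisco ISE), the following script builds the openssl equivalent of the CSR from the Certificate Signing Request Procedure in this task and checks a CSR or an issued certificate for the same SAN list, key length and digest, so the request can be inspected before it is pasted into the CA (Step 32) and the returned certificate after binding (Step 55). It assumes OpenSSL 1.1.1 or later (for -addext) and treats $FQDN$ as ise-1.demo.local; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab guide or Cisco ISE): the openssl counterpart of
# the lab's CSR and a checker for its SAN list. Assumes OpenSSL >= 1.1.1.
ISE_FQDN=ise-1.demo.local      # what $FQDN$ expands to on ise-1 in the lab
ISE_IP=10.1.100.21

# make_lab_csr <keyfile> <csrfile>: 2048-bit RSA key and SHA-256 CSR carrying the
# Subject and the six SAN entries from the CSR procedure table.
make_lab_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1" -out "$2" \
        -subj "/C=US/ST=California/L=San Jose/O=ISE Lab/OU=IT/CN=$ISE_FQDN" \
        -addext "subjectAltName=DNS:aaa.demo.local,DNS:$ISE_FQDN,DNS:ise.demo.local,DNS:*.demo.local,DNS:$ISE_IP,IP:$ISE_IP" \
        2>/dev/null
}

# sans <req|x509> <file>: SAN entries of a CSR (req) or certificate (x509), one
# per line, as openssl prints them ("DNS:..." / "IP Address:...").
sans() {
    openssl "$1" -in "$2" -noout -text |
        awk '/X509v3 Subject Alternative Name/ {
                 getline; sub(/^[ \t]+/, ""); gsub(/, /, "\n"); print; exit }'
}

# signature_digest <req|x509> <file>: e.g. sha256WithRSAEncryption
signature_digest() {
    openssl "$1" -in "$2" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# key_bits <req|x509> <file>: public key size in bits, e.g. 2048
key_bits() {
    openssl "$1" -in "$2" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_lab_sans <req|x509> <file>: every SAN entry the lab requires must be
# present, including the IP address as both a DNS and an IP entry (the table's
# Windows client compatibility note).
check_lab_sans() {
    list=$(sans "$1" "$2"); rc=0
    for want in "DNS:aaa.demo.local" "DNS:$ISE_FQDN" "DNS:ise.demo.local" \
                "DNS:*.demo.local" "DNS:$ISE_IP" "IP Address:$ISE_IP"; do
        if printf '%s\n' "$list" | grep -Fxq -- "$want"; then
            echo "ok      $want"
        else
            echo "MISSING $want" >&2; rc=1
        fi
    done
    return $rc
}

# check_lab_csr <csrfile>: SAN list plus the key length and digest from table
# steps 5 and 6.
check_lab_csr() {
    check_lab_sans req "$1" || return 1
    [ "$(key_bits req "$1")" = 2048 ] || { echo "key is not 2048 bit" >&2; return 1; }
    case "$(signature_digest req "$1")" in
        sha256*) echo "ok      SHA-256 signature" ;;
        *) echo "digest is not SHA-256" >&2; return 1 ;;
    esac
}

# Usage: sh check_csr.sh <CSR file exported in Step 19>
if [ $# -eq 1 ]; then
    check_lab_csr "$1"
fi
```

For the certificate that comes back from the CA, `check_lab_sans x509 "ise-1 Admin Cert.cer"` performs the same SAN comparison on the PEM file you bound in Step 43.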


Modify Certificate Usage
You will be adding other usages to the certificate you just installed. Since ISE 1.3, multiple
certificates can be used for different purposes. The system creates a self-signed certificate
and assigns all functions to that certificate. You will bring those roles over to the CA-signed
certificate you installed in the previous section.
Step 57 Return to Administration > System > Certificates.
Step 58 In the left pane, select System Certificates.
Step 59 Select the ise-1 Admin Cert from the list.
Step 60 Click Edit in the toolbar.

Step 61 In the Usage area, select EAP Authentication.



Step 62 Click OK on the warning.
Step 63 Select Portal and add a new Portal Group Tag by entering ISE Lab CGT.

Step 64 Scroll down and click Save.


Step 65 Verify your results with the following screenshot.

Activity Verification
You have completed this task when you attain this result:
• You have successfully installed the CA certificate on Cisco ISE
• You have successfully enrolled Cisco ISE into your pod CA
• You have verified the certificate via your web browser
• You have additionally configured the installed certificate for EAP and Portal usage

Lab 2-1: Integrate Cisco ISE with Active Directory
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will integrate Cisco ISE with Active Directory. After completing this
activity, you will be able to meet these objectives:
• Perform a native integration of Cisco ISE with Microsoft Active Directory
• Populate the Cisco ISE dictionary with Active Directory attributes
• Configure an LDAP integration
• Populate the Cisco ISE dictionary with LDAP attributes

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1



Task 1: Configure Active Directory Integration
In this task, you will configure Cisco ISE to integrate with Microsoft Active Directory. You
will then configure Active Directory group and user attributes for use in Cisco ISE in
later labs.

Activity Procedure
Complete these steps:
Join Microsoft Active Directory
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select Active Directory.
Step 2 In the right pane, click Add in the toolbar.
Step 3 Enter demo.local in both the Join Point Name and the Active Directory
Domain fields.

Step 4 Click Submit.


Step 5 In the pop-up window asking if you would like to join all ISE nodes to this
Active Directory Domain, click Yes.
Step 6 In the Join Domain box, use the credentials Administrator / 1234QWer
Step 7 Select the Specify Organization Unit checkbox.
Step 8 Modify the DN value to match the following.
OU=ISE,OU=HCC,DC=DEMO,DC=LOCAL

Tip Since ISE 1.3 you can optionally specify the location where the ISE computer account(s)
will be created instead of using the default Computers container. If used, the OU must be
pre-created; ISE will not create an OU structure in Active Directory to match what is
entered here.

Step 9 Click OK.

Step 10 Once the process is Completed, click the Close button.
Run Diagnostic Tools
Step 11 Select the ise-1.demo.local node from the list
Step 12 From the toolbar, click Diagnostic Tool.
Step 13 Observe the different test names and that some are external, referenced by the
join point demo.local, and some are internal, referenced by the join point System.
Step 14 Click the button Run All Tests.

Note The test may take a minute to run.

Step 15 All tests should run with a status of Successful. Compare your output with the
following screenshot.



Tip Click the toolbar button View Test Details to view a text based output report where data
can be copied out for a baseline to compare against in the future.

Note If the NTP check fails, check the NTP status on the ISE CLI with “show ntp”. A false NTP
failure in this diagnostic is a known bug in some versions.

Tip You may also click any of the Result and Remedy hyperlinks for that test specific output.

Step 16 Scroll down and click Close.


Add Active Directory attributes to Cisco ISE dictionary
Step 17 In the left pane, click the demo.local entry under Active Directory.
Step 18 In the right pane, click the Groups tab.
Step 19 Click the +Add button on the toolbar and choose Select Groups from Directory.
Step 20 Cisco ISE 1.3 and above has expanded the filter capabilities in selecting groups
from Active Directory. Leave the Type Filter as ALL and click the Retrieve
Groups… button.
Step 21 Observe the list and notice there are many groups that likely would not be
applicable for utilization in Cisco ISE for policy matching.
Step 22 Now change the Type Filter to GLOBAL and click the Retrieve Groups…
button.
Step 23 The resulting list is now likely more appropriate for policy usage. Select the
entire list of groups by checking the box in the header field.

Step 24 From that list, deselect the following groups.


 demo.local/Users/DnsUpdateProxy
 demo.local/Users/Domain Controllers
 demo.local/Users/Domain Guests
 demo.local/Users/Group Policy Creator Owners
 demo.local/Users/Read-only Domain Controllers
Step 25 Click OK.
Step 26 Your list should match the following screenshot.

Step 27 Click Save at the bottom.
Step 28 In the right pane, click the Attributes tab.
Step 29 Click the +Add button on the toolbar and choose Select Attributes from
Directory.
Step 30 Enter employee2 in the Sample User or Machine Account text box and click the
Retrieve Attributes… button.
Step 31 Select badPwdCount and userPrincipalName from the list and click OK.

Note Only attributes that have a value on the sample account are listed. If employee2 has no
Job Title or Department set but another account does, retrieving attributes with that other
account shows those attributes. An attribute that is set after the list is pulled appears the
next time the account is queried.

Step 32 Click Save at the bottom.


Test Authentication
A new feature since ISE 1.3 is the ability to perform various methods of testing user
authentication to Active Directory. You will explore this feature in this section.
Step 33 In the left pane, click the demo.local entry under Active Directory.
Step 34 In the right pane, select the ISE node ise-1.demo.local checkbox.
Step 35 Select Test User from the toolbar.
Step 36 Change the Authentication Type to Lookup.
Step 37 Enter the username employee2.
Step 38 Click the Test button.
Step 39 Observe the test result in the box below. Observe the Processing Steps in the
bottom of the Authentication Result tab. Click the Groups and then Attributes
tabs and observe the details therein.



Step 40 Change the Authentication Type to Kerberos.
Step 41 In the Password field enter 1234QWer.
Step 42 Click the Test button.
Step 43 Observe the test results in the box below. Observe the Processing Steps at the
bottom of the Authentication Result tab. Notice that the Authentication Ticket
(TGT) requests succeeded and the next two line items indicating Kerberos
success.

Step 44 Change the Authentication Type to MS-RPC.


Step 45 Click the Test button.
Step 46 Observe the test results in the box below. Observe the Processing Steps at the
bottom of the Authentication Result tab.

Step 47 Close the test user authentication pop-up window.

Activity Verification
You have completed this task when you attain these results:
 You have successfully joined the Cisco ISE to demo.local.
 You have successfully added active directory groups and user attributes to Cisco ISE.
 You have successfully tested user authentication via all three authentication types.

Task 2: Configure LDAP Integration
In this task, you will configure Cisco ISE to integrate with LDAP. You will then configure
LDAP group and user attributes for utilization in Cisco ISE in later labs

Activity Procedure
Complete these steps:
Configure LDAP as an External Identity Source
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select LDAP.
Step 2 In the right pane, click +Add in the toolbar.
Step 3 In the Name field enter LDAP_demo_local.
Step 4 In the Description field enter demo.local LDAP configuration.
Step 5 In the drop-down for Schema, select Active Directory.
Step 6 Click the Connection tab.
Step 7 In the Hostname/IP field enter ad1.demo.local.
Step 8 Select Authenticated Access.
Step 9 In the Admin DN field enter cn=administrator,cn=users,dc=demo,dc=local.
Step 10 In the password field enter 1234QWer.
Step 11 Verify your settings with the screenshot below.



Step 12 Scroll down and click the Test Bind to Server button. This should be successful.

Note Observe the response time for future comparison. Make note of it in this lab guide if
needed.

Step 13 Now that you have verified the clear-text LDAP connection, modify the
configuration to perform a secure LDAP (LDAPS) lookup. Change the Port from
389 to 636.
Step 14 Enable Secure Authentication.
Step 15 In the LDAP Server Root CA certificate drop-down, select demo.local CA
Certificate.
Step 16 Verify your configuration with the following screenshot.

Step 17 Click the Test Bind to Server button. This should be successful.

Note Compare the response time of the previous clear-text LDAP bind with the LDAPS bind.
Additional time is required to set up and verify the TLS session before the LDAP bind
is performed. Keep this in mind when designing the placement of Cisco ISE and its
identity sources in a production environment. Note also that the clear-text bind on port
389 sends the Admin DN password unencrypted across the network.

Step 18 Click the Directory Organization tab.


Step 19 In the Subject Search Base field enter dc=demo,dc=local.
Step 20 In the Group Search Base field enter dc=demo,dc=local.



Step 21 As you will not be using LDAP for MAC address lookups, leave the search
pattern as is.
Step 22 Click Submit at the bottom to save this configuration.
Add LDAP attributes to Cisco ISE dictionary
Step 23 Select Groups from the tabs at the top.
Step 24 Click the +Add button on the toolbar and choose Select Groups from Directory.
Step 25 Accept the default filter (*) and click the Retrieve Groups… button.
Step 26 Select CN=Contractors,OU=Groups,OU=HCC,DC=demo,DC=local from the
list.
Step 27 Click OK.
Step 28 Select Attributes from the tabs at the top.
Step 29 Click the +Add button on the toolbar and choose Select Attributes from
Directory.
Step 30 Enter contractor2@demo.local in the Example Subject text box and click the
Retrieve Attributes… button.
Step 31 From the list of attributes select userPrincipalName.
Step 32 Click OK.
Step 33 Scroll to the bottom and click Submit.

Note You have configured your pod Active Directory as an External Identity Source. This
configuration will be utilized for authentication in later labs.
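The following Python script is an added example; it is not part of this lab guide and not Cisco ISE code. It builds and decodes the LDAPv3 simple bind that Test Bind to Server performs, first as clear text on port 389 and then as LDAPS on port 636 with the server certificate verified against a CA file (the CA file path is an assumption; host, ports and Admin DN are the lab values). The constructed BindResponse messages let the decoder run without a server; the request bytes are the real wire format, which is why a capture of the port 389 bind shows the Admin DN password.

```python
"""
LDAPv3 simple bind (RFC 4511) over clear-text TCP/389 or LDAPS TCP/636.

Added example; not part of the Fast Lane lab guide and not Cisco ISE code.
Host, ports and Admin DN are the lab values; the CA file path is an assumption.
"""
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER, two's complement, minimal length."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))


def build_bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """Server side: BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, op))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)            # ENUMERATED resultCode (0 = success, 49 = invalidCredentials)
    _, matched, pos = read_tlv(op, pos)    # matchedDN
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def simple_bind(host, port, dn, password, ca_file=None, timeout=5) -> dict:
    """One bind; with ca_file the session is LDAPS with chain and hostname verification."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED, check_hostname=True
        sock = ctx.wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_simple_bind(1, dn, password))
        data = sock.recv(4096)
    finally:
        sock.close()
    return parse_bind_response(data)


if __name__ == "__main__":
    ADMIN_DN = "cn=administrator,cn=users,dc=demo,dc=local"
    req = build_simple_bind(1, ADMIN_DN, "1234QWer")
    print("BindRequest bytes as seen on port 389:", req.hex())   # password readable in the hex
    # Constructed responses (no server needed): success and invalidCredentials.
    for raw in (build_bind_response(1, 0), build_bind_response(1, 49, "invalid credentials")):
        print(parse_bind_response(raw))
    # Against the lab (assumed CA file exported from the demo.local CA):
    # simple_bind("ad1.demo.local", 636, ADMIN_DN, "1234QWer", ca_file="demo-local-ca.pem")
```

Selecting the demo.local CA certificate in the LDAP Server Root CA field plays the same role as `cafile=` here: the bind only proceeds when the server presents a certificate chaining to that CA and matching the hostname, which stops a rogue LDAP server from harvesting the Admin DN password.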

Activity Verification
You have completed this task when you attain this result:
 You have successfully configured and tested Cisco ISE to pull data from your pod’s
active directory via LDAP
 You have successfully modified your configuration of Cisco ISE to authenticate and pull
data from your pod’s Active Directory server via LDAPS.

Lab 2-2: Basic Policy Configuration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure a basic access policy for employees and consultants. After
completing this activity, you will be able to meet these objectives:
 Configure Cisco ISE to utilize Policy Sets
 Configure Cisco ISE Policy Set differentiation filters
 Configure an Identity Access Restricted global exception policy
 Configure policies sets for both wired and wireless access
 Configure a policy for Active Directory employees and consultants
 Configure a policy for wired access
 Configure a policy for wireless access

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD
 vWLC



Command List
The table describes the commands that are used in this activity.
Lab Commands

Command                                                 Description

show aaa servers                                        Show the status of connections to the AAA
                                                        servers configured on the switch.

test aaa group radius <username> <password> new-code    Perform a test authentication to the AAA
                                                        server via the internal switch AAA subsystem.

show authentication sessions interface                  Show authentication session details for port
GigabitEthernet 1/0/1 detail                            GigabitEthernet1/0/1.

Task 1: Adjusting RADIUS Settings
In this task, you will adjust RADIUS settings to prevent client connections from being
dropped based on repeated failed logins.

Activity Procedure
Complete these steps:

Adjusting RADIUS settings


In this section, you will be disabling log suppression. Log suppression is enabled by default
to reduce monitoring data storage. By disabling log suppression, you will be able to view
repeated successful authentications and anomalous clients. This will provide you with a
more functional flow of every authentication and authentication attempt in your lab
environment.

Note This step is traditionally used for troubleshooting. It is not recommended for normal Cisco
ISE operations.

Step 1 Navigate to Administration > System > Settings.


Step 2 In the left pane navigate to Protocols > RADIUS. In the right pane uncheck
Suppress repeated failed clients and Suppress repeated successful
authentications. Click OK to the pop-up notification messages.
Step 3 Confirm your settings with the following screenshot.

Step 4 Click Save and acknowledge the informational message.



Tip The Reset To Defaults button is the most convenient way to go back to the original
configuration.

Activity Verification
You have completed this task when you attain these results:
 You have disabled suppression of repeated failed clients and repeated successful
authentications in the RADIUS settings.
 You have saved the settings and confirmed them against the screenshot.

Task 2: Create Network Devices and Network Device Groups
In this task, you will create and configure Network Devices for Wired and Wireless Access.
Additionally, you will create Network Device Groups (NDGs) and assign them to the NADs.

Activity Procedure
Complete these steps:
Create Network Access Devices
Step 1 In the Cisco ISE admin portal, navigate to Administration > Network
Resources > Network Devices.
Step 2 In the right pane click the +Add button from the toolbar.
Step 3 Add the following network device using the information in the table below.
Network Device – 3k-access

Attribute Value

Name 3k-access

Description 3650 access switch

IP Address 10.1.100.1 /32

Device Profile Cisco

Model Name <blank>

Software Version <blank>

Network Device Group

Location All Locations

IPSEC Is IPSEC Device

Device Type All Device Types

RADIUS Authentication Settings Checked

Shared Secret 1234QWer


TACACS+ Authentication Settings Unchecked

SNMP Settings Unchecked

Advanced TrustSec Settings Unchecked

Step 4 Click Submit.


Step 5 Access your 3k-access switch console.



Step 6 To save time, your switch has been preconfigured with the appropriate AAA and
RADIUS configuration to interoperate with Cisco ISE. Verify communication
with the RADIUS server by entering the following command. Your output should
resemble the screenshot below with a state of UP.
3k-access#show aaa servers

RADIUS: id 1, priority 1, host 10.1.100.21, auth-port 1812, acct-port 1813


State: current UP, duration 290158s, previous duration 0s
Dead: total time 0s, count 61
Quarantined: No
Authen: request 296, timeouts 190, failover 0, retransmission 144
Response: accept 8, reject 1, challenge 97
Response: unexpected 0, server error 0, incorrect 0, time 105ms
Transaction: success 106, failure 46
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 4, timeouts 0, failover 0, retransmission 0
Request: start 3, interim 0, stop 1
Response: start 3, interim 0, stop 1
Response: unexpected 0, server error 0, incorrect 0, time 20ms
Transaction: success 4, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 3d10h47m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 21 hours, 15 minutes ago: 9
low - 10 hours, 48 minutes ago: 0
average: 0
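The following Python script is an added example, not part of this lab guide. It parses the `show aaa servers` output shown above (the sample is the lab output itself) and flags what a state of UP hides: the counters show 190 timeouts and 144 retransmissions for 296 authentication requests and 61 dead-marking events, so the server is reachable but was dropping requests. The thresholds are assumptions to adjust for your environment.

```python
"""
Parse Cisco IOS 'show aaa servers' output and flag an unhealthy RADIUS server.

Added example, not from the lab guide. 'State: current UP' is only the current
dead-time state; the timeout and dead counters tell the real story.
"""
import re

# The lab's own 3k-access output (abbreviated to the per-server block).
SAMPLE = """\
RADIUS: id 1, priority 1, host 10.1.100.21, auth-port 1812, acct-port 1813
     State: current UP, duration 290158s, previous duration 0s
     Dead: total time 0s, count 61
     Quarantined: No
     Authen: request 296, timeouts 190, failover 0, retransmission 144
             Response: accept 8, reject 1, challenge 97
             Response: unexpected 0, server error 0, incorrect 0, time 105ms
             Transaction: success 106, failure 46
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 4, timeouts 0, failover 0, retransmission 0
             Request: start 3, interim 0, stop 1
             Response: start 3, interim 0, stop 1
             Response: unexpected 0, server error 0, incorrect 0, time 20ms
             Transaction: success 4, failure 0
             Throttled: transaction 0, timeout 0, failure 0
"""

HEADER = re.compile(r"RADIUS: id (\d+), priority (\d+), host (\S+), auth-port (\d+), acct-port (\d+)")
COUNTERS = re.compile(r"(\w+(?: \w+)?) (\d+)")   # "request 296", "server error 0", ...


def parse_aaa_servers(text: str) -> list:
    """Return one dict per RADIUS server with state, dead count and per-section counters."""
    servers, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"id": int(m[1]), "host": m[3], "auth_port": int(m[4]),
                   "acct_port": int(m[5]), "state": None, "dead_count": 0}
            servers.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line.startswith("State: current"):
            cur["state"] = line.split()[2].rstrip(",")
        elif line.startswith("Dead:"):
            cur["dead_count"] = int(line.rsplit("count", 1)[1])
        elif line.split(":")[0] in ("Authen", "Author", "Account"):
            section = line.split(":")[0].lower()
            cur[section] = {k: int(v) for k, v in COUNTERS.findall(line.split(":", 1)[1])}
        elif section and line.startswith("Transaction:"):
            cur[section].update((f"txn_{k}", int(v))
                                for k, v in COUNTERS.findall(line.split(":", 1)[1]))
    return servers


def assess(server: dict, max_timeout_ratio: float = 0.05, max_dead: int = 0) -> list:
    """Return findings for one server; an empty list means it looks healthy."""
    findings = []
    host = server["host"]
    if server["state"] != "UP":
        findings.append(f"{host}: state is {server['state']}")
    if server["dead_count"] > max_dead:
        findings.append(f"{host}: marked dead {server['dead_count']} times")
    authen = server.get("authen", {})
    if authen.get("request", 0):
        ratio = authen["timeouts"] / authen["request"]
        if ratio > max_timeout_ratio:
            findings.append(f"{host}: {ratio:.0%} of authentication requests timed out "
                            f"({authen['retransmission']} retransmissions)")
    return findings


if __name__ == "__main__":
    for srv in parse_aaa_servers(SAMPLE):
        print(srv["host"], srv["state"], assess(srv) or "healthy")
```

Run the same parser over the output of every access switch after a change window; a server that is UP but shows a rising timeout ratio usually points to a shared-secret mismatch, a firewall dropping UDP 1812, or an overloaded PSN rather than a down server.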

Step 7 Perform a test authentication via the switch CLI. Your test results should be
User successfully authenticated.
3k-access#test aaa group radius employee1 1234QWer new-code
User successfully authenticated

USER ATTRIBUTES

username 0 "employee1"

Step 8 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 9 Click the Details for the successful employee authentication.

Step 10 Observe in the opened tab that the authentication failed due to ambiguous
credentials. This is due to your lab using the same usernames and passwords for
simplicity in both Active Directory domains.

Step 11 In the right column examine the steps to see the specifics.



Step 12 Return to the switch and perform the same test again using the NetBIOS name
format for the username. This should also be successful.
3k-access#test aaa group radius demo\employee1 1234QWer new-code
User successfully authenticated

USER ATTRIBUTES

username 0 "demo\employee1"

Note You could also test the username in UPN format, employee1@demo.local

Step 13 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 14 Click the Details for the successful employee authentication.

Step 15 Observe in the opened tab that this authentication succeeded. The NetBIOS
domain prefix tells Cisco ISE which domain should process the request, so the
credentials are no longer ambiguous.

Step 16 In the right column examine the steps to see the specifics.



Step 17 Add the following network device using the information in the table below.
Network Device – vwlc

Attribute Value

Name vwlc

Description Pod vWLC

IP Address 10.1.100.61 /32

Device Profile Cisco

Model Name <blank>

Software Version <blank>

Network Device Group

Location All Locations

IPSEC Is IPSEC Device

Device Type All Device Types

Authentication Settings Checked

Shared Secret 1234QWer


TACACS+ Authentication Settings Unchecked

SNMP Settings Unchecked

Advanced TrustSec Settings Unchecked

Step 18 Click Submit.



Create and Assign Network Access Device Groups
Step 19 Navigate to Administration> Network Resources> Network Device Groups.
Step 20 In the top menu Choose group select All Device Types.
Step 21 In the menu click +Add and separately create the following network
device groups. Select All Device Types as Parent Group for each new group.
Network Device Groups – Device Types

Name Description

Wired Wired Access Switches

Wireless WLCs

VPN VPN Access Devices

Step 22 When complete your configuration should match the following screenshot.

Step 23 In the top menu Choose group select All Locations.


Step 24 In the menu click +Add and separately create the following network device group
locations. Select All Locations as Parent Group for each new group.
Network Device Groups – Locations

Name Description

HQ Headquarters

Branch Branch

RnD Lab Research and Development Lab

Step 25 When complete your configuration should match the following screenshot.

Assign Network Device Groups
Step 26 Click Network Devices.
Step 27 Edit the 3k-access and vwlc network devices and assign the Network Device
Groups from the following table, using the screenshot as a template.
Network Device – Network Device Group Configuration

Device Name Device Type Location

3k-access Wired HQ

vwlc Wireless HQ

Step 28 Once completed your configuration should match the following screenshot.



Activity Verification
You have completed this task when you attain these results:
 You have configured the 3k-access switch as a network device in Cisco ISE.
 You have configured the vwlc as a network device in Cisco ISE.
 You have created different NDGs and assigned them to the network devices.
 You have successfully performed test authentications via the switch CLI.

Task 3: Create Wired and Wireless Policy Sets
In this task, you will create and configure multiple policy sets, one for wired and one for
wireless. For academic purposes, you will have the option to create an additional policy set
at the end of this task. This policy set will not contain any policies nor be used in this lab,
but instead is being created to give you one additional example of a possible policy set
option.

Activity Procedure
Complete these steps:
Policy Set Creation – Wired Access
Step 1 Navigate to Policy > Policy Sets.
Step 2 Click the plus icon (+) in the toolbar to create a new Policy Set.

Step 3 Verify that New Policy Set 1 is created above the default policy set.

Step 4 Click the words New Policy Set 1 to edit the field.
Step 5 Enter Wired_Access as the policy set Name.
Step 6 Enter Wired Access in the Description field.
Step 7 Click in the Conditions field to create the following condition:
Step 8 Click the New button.
Step 9 Click the words Click to add an attribute to select an attribute for the new
condition.
Step 10 Click the Symbol Network device.



DEVICE:Device Type EQUALS All Device Types#Wired
Step 11 Select DEVICE:Device Type in the menu.
Step 12 Leave the Operator unchanged (Equals).
Step 13 Select from the Drop-Down Menu (Choose from list or type) All Device
Types#Wired.

Step 14 Click Use at the bottom.


Step 15 Your policy set condition should look like the following screenshot.

Step 16 From the Allowed Protocols drop-down menu, select Default Network Access.

Step 17 Click Save.


Policy Set Creation - Wireless Access
Step 18 Click the Gear icon on the right side of the Wired_Access policy set and select
Duplicate below to create a new policy set for wireless access.

Step 19 Configure this policy set according to the following table and compare your
results with the following screenshot.
Policy Set – Wireless Access

Name Description Condition(s)

Wireless_Access Wireless Access DEVICE:Device Type EQUALS All Device Types#Wireless

Step 20 Click Save.


Step 21 Your policy sets screen should match the following screenshot.

Activity Verification
You have completed this task when you attain these results:
 You have configured two policy sets
 Wired Access
 Wireless Access



Task 4: Create Authentication Policy for the Wired and
Wireless Policy Set
In this task, you will create a few default policies to both wired and wireless policy sets.

Activity Procedure
Complete these steps:
The default policy set cannot be deleted or disabled, and the authentication and
authorization rules in the default set cannot be deleted, only modified. The recommended
approach is to configure your own policy sets and rules above the default set.

Step 1 Access the ISE admin portal via the Admin PC.
Step 2 Navigate to Policy > Policy Set > Wired_Access.
Step 3 Click the arrow > on the right side from your Wired_Access sets to change the
view.

Step 4 Expand the Authentication Policy view.

Step 5 Click the + symbol to create a new authentication policy.


Step 6 Click the words Authentication Rule 1 and change the name to MAB.
Step 7 Click the + symbol to assign a condition to the rule.
Step 8 Move (Drag & Drop) the condition Wired_MAB from the Library to the
Editor.

Step 9 Click the Use button.


Step 10 Change the Identity Source to Internal Endpoints.

Step 11 Click the gear symbol on the right side from the MAB rule.
Step 12 Click Insert new row below from the Drop-Down Menu.
Step 13 Enter the rule name DOT1X and assign the condition Wired_802.1X. Change
the Identity Source to All_User_ID_Stores.

Step 14 Change the Identity Source from the Default rule to DenyAccess.

Step 15 Your Authentication Policy should be the same as the screenshot below.

Step 16 Click the Save button.


Step 17 Navigate to Policy > Policy Set > Wireless_Access.
Step 18 Click the arrow > on the right side from your Wireless_Access sets to change the
view.
Step 19 Repeat the steps 5 to 16 but use the following conditions from the library.

Authentication Rule Condition from Library

MAB Wireless_MAB

DOT1X Wireless_802.1X



Step 20 The Authentication Policy should be as the screenshot below.

Step 21 Click the Save button.

Activity Verification
You have completed this task when you attain these results:
 You have configured authentication rules for MAB and 802.1x in the Wired_Access and
Wireless_Access policy set.

Task 5: Authorization Policy Configuration for AD Employees
and AD Contractors
In this task, you will configure Cisco ISE to process domain employees and domain
contractors.

Activity Procedure
Complete these steps:
Create Authorization Profiles
Step 1 Navigate to Policy > Policy Elements > Results then to Authorization >
Downloadable ACLs.
Step 2 Click +Add in the right pane toolbar.
Step 3 Create a dACL for the employees with the following attributes:
Downloadable ACL – acl_employee

Attribute Value

Name acl_employee

Description Employee access ACL restricting access to the Quarantine Network.

DACL Content deny ip any 10.1.30.0 0.0.0.255


permit ip any any

Step 4 Click Submit.

Step 5 Click Check DACL Syntax to verify you entered all ACL statements correctly.
Step 6 Create another dACL for the contractors using the following attributes:
Downloadable ACL – acl_contractor

Attribute Value

Name acl_contractor

Description Contractor access ACL restricting access to the Quarantine and AP


network.

DACL Content deny ip any 10.1.30.0 0.0.0.255


deny ip any 10.1.90.0 0.0.0.255
permit ip any any

Step 7 Click Submit.


Step 8 Create another dACL for Domain Computers using the following attributes:
Downloadable ACL – acl_machine

Attribute Value

Name acl_machine

Description Domain computer ACL that only allows access to DHCP, DNS, and
the DC.

DACL Content permit udp any eq bootpc any eq bootps


permit udp any any eq domain
permit ip any host 10.1.100.10



Step 9 Click Submit.
Step 10 In the left pane click Authorization Profiles.
Step 11 Add an Authorization Profile by clicking +Add in the right pane toolbar.
Step 12 Create the following Authorization Profile for employees (Wired):

Note Leave all other settings at their defaults.

Employee Authorization Profile

Attribute Name Value

Name Wired Employee Access

Common Tasks

DACL Name acl_employee

Step 13 Click Submit.


Step 14 Create another profile for the contractors (Wired) using the following attributes:
Contractor Authorization Profile

Attribute Name Value

Name Wired Contractor Access

Common Tasks

DACL Name acl_contractor

Step 15 Click Submit.


Step 16 Create another profile for the domain computers (Wired) using the following
attributes:
Domain Computer Authorization Profile

Attribute Name Value

Name Wired Domain Computer Access

Common Tasks

DACL Name acl_machine

Step 17 Click Submit.

Step 18 Create the following Authorization Profile for employees (Wireless):


Employee Authorization Profile

Attribute Name Value

Name Wireless Employee Access

Common Tasks

Airespace ACL Name EMPLOYEE_ACL

Step 19 Click Submit.

Step 20 Create another profile for the contractors (Wireless) using the following
attributes:
Contractor Authorization Profile

Attribute Name Value

Name Wireless Contractor Access

Common Tasks

Airespace ACL Name CONTRACTOR_ACL

Step 21 Click Submit.

Step 22 Create another profile for the domain computers (Wireless) using the following
attributes:
Domain Computer Authorization Profile

Attribute Name Value

Name Wireless Domain Computer Access

Common Tasks

Airespace ACL Name MACHINE_ACL

Step 23 Click Submit.


Authorization Policy
Step 24 Return to the Policy > Policy Sets > Wired_Access > Authorization Policy.
Step 25 Add the following policy above the Default policy by clicking on the gear icon
on the right. From the menu, select Insert new row above.

Step 26 Add the following policy for Employees:


Employee Authorization Policy

Attribute Value

Rule Name Wired AD Employees


Conditions (identity groups and other conditions) demo.local:ExternalGroups Equals demo.local/HCC/Groups/Employees

Results (Profiles) Wired Employee Access



Step 27 While in the condition definition, save the condition to the library by clicking the
Save button.

Note This will facilitate a more rapid use of this condition in future policies instead of having to
build it every time.

Step 28 In the Condition Name field enter Demo-Employees and click the green
checkmark.

Step 29 Click Save at the bottom of the window.


Step 30 Click the Use button.
Step 31 Add another policy above the built-in Default policy policy by clicking on the
gear icon on the right. From the menu, select Insert new row above.
Step 32 Add the following policy for Contractors, saving (adding) the condition to the
library as Demo-Contractors:
Contractor Authorization Policy

Attribute Value

Rule Name Wired AD Contractors


Conditions (identity groups and other conditions) demo.local:ExternalGroups Equals demo.local/HCC/Groups/Contractors

Results (Profiles) Wired Contractor Access

Step 33 Add another policy above the built-in Default policy by clicking on the gear icon
on the right. From the menu, select Insert new row above.

Step 34 Add the following policy for Domain Computers, saving (adding) the condition
to the library as Demo-Computers:
Computers Authorization Policy

Attribute Value

Rule Name Wired AD Computers


Conditions (identity groups and other conditions) demo.local:ExternalGroups Equals demo.local/Users/Domain Computers

Results (Profiles) Standard > Wired Domain Computer Access

Step 35 Verify your policies with the following screenshot.

Note Rule order is important as rules are processed from top down.

Step 36 Click Save at the bottom.



Policy Rule Process for the Wireless Policy Set
Step 1 Navigate to the Policy > Policy Sets > Wireless_Access > Authorization
Policy.
Step 2 Add the following policy above the Default Policy. Use the following parameters
from the table below:

Rule Conditions (Library) Permission

Wireless AD Employees Demo-Employees Wireless Employee Access

Wireless AD Contractors Demo-Contractors Wireless Contractor Access

Wireless AD Computers Demo-Computers Wireless Domain Computer Access

Step 3 Scroll down and verify your Authorization Policy rule order is as follows.
Wireless_Access Authorization Policy Order

Status Rule Name

Enabled Wireless AD Employees

Enabled Wireless AD Contractors

Enabled Wireless AD Computers

Enabled Default

Step 4 Change, if needed, the permissions from the Default policy to DenyAccess.
Step 5 Scroll down and click Save.
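The following Python script is an added example, not part of this lab guide and not Cisco ISE code. It models the top-down evaluation that Cisco ISE applies to the policy sets built in Tasks 3 to 5: the NAD is looked up by NAS-IP-Address, the first matching policy set is chosen by Device Type, then the first matching authentication rule and the first matching authorization rule are applied. The rule conditions are modeled on the ISE library conditions used in the lab (Wired_MAB is NAS-Port-Type Equals Ethernet and Service-Type Equals Call Check; Wired_802.1X uses Service-Type Equals Framed; the wireless pair uses NAS-Port-Type Wireless - IEEE 802.11). Credential validation by the identity store is assumed to succeed so that only rule order is exercised; the RADIUS requests are constructed.

```python
"""
Top-down evaluation of the lab's Wired_Access and Wireless_Access policy sets.

Added example, not Cisco ISE code. Conditions follow the ISE library conditions
named in the lab; identity-store validation is assumed to succeed.
"""

ETHERNET, WIFI = "Ethernet", "Wireless - IEEE 802.11"
EMPLOYEES = "demo.local/HCC/Groups/Employees"
CONTRACTORS = "demo.local/HCC/Groups/Contractors"
COMPUTERS = "demo.local/Users/Domain Computers"

# Network devices and their Device Type NDG from Task 2.
NETWORK_DEVICES = {
    "10.1.100.1": {"name": "3k-access", "Device Type": "All Device Types#Wired"},
    "10.1.100.61": {"name": "vwlc", "Device Type": "All Device Types#Wireless"},
}


def always(req, nad=None):
    return True


def media(port_type, service_type):
    """Library-style compound condition: NAS-Port-Type AND Service-Type."""
    return lambda req, nad=None: (req.get("NAS-Port-Type") == port_type
                                  and req.get("Service-Type") == service_type)


def in_group(group):
    """demo.local:ExternalGroups Equals <group>."""
    return lambda req, nad=None: group in req.get("ExternalGroups", ())


def device_type(value):
    return lambda req, nad: nad["Device Type"] == value


def access_set(name, port_type, prefix):
    """Wired_Access and Wireless_Access differ only in media and profile names."""
    return {
        "name": name,
        "condition": device_type(f"All Device Types#{prefix}"),
        "authentication": [            # (rule, condition, identity source)
            ("MAB", media(port_type, "Call Check"), "Internal Endpoints"),
            ("DOT1X", media(port_type, "Framed"), "All_User_ID_Stores"),
            ("Default", always, "DenyAccess"),
        ],
        "authorization": [             # (rule, condition, authorization profile)
            (f"{prefix} AD Employees", in_group(EMPLOYEES), f"{prefix} Employee Access"),
            (f"{prefix} AD Contractors", in_group(CONTRACTORS), f"{prefix} Contractor Access"),
            (f"{prefix} AD Computers", in_group(COMPUTERS), f"{prefix} Domain Computer Access"),
            ("Default", always, "DenyAccess"),
        ],
    }


POLICY_SETS = [
    access_set("Wired_Access", ETHERNET, "Wired"),
    access_set("Wireless_Access", WIFI, "Wireless"),
    # The built-in Default set cannot be deleted; it catches everything else.
    {"name": "Default", "condition": always,
     "authentication": [("Default", always, "All_User_ID_Stores")],
     "authorization": [("Default", always, "DenyAccess")]},
]


def first_match(rules, req, nad):
    for name, cond, result in rules:
        if cond(req, nad):
            return name, result
    raise RuntimeError("rule list without a Default rule")


def evaluate(req: dict) -> dict:
    """Return the decision together with the policy set and rules that produced it."""
    nad = NETWORK_DEVICES.get(req.get("NAS-IP-Address"))
    if nad is None:
        # ISE drops RADIUS from an unknown NAD instead of answering Access-Reject.
        return {"result": "Drop", "reason": "unknown network device"}
    pset = next(p for p in POLICY_SETS if p["condition"](req, nad))
    out = {"policy_set": pset["name"]}
    out["authentication_rule"], store = first_match(pset["authentication"], req, nad)
    if store == "DenyAccess":
        out.update(result="Reject", reason="authentication rule -> DenyAccess")
        return out
    out["identity_store"] = store
    out["authorization_rule"], profile = first_match(pset["authorization"], req, nad)
    if profile == "DenyAccess":
        out.update(result="Reject", reason="authorization rule -> DenyAccess")
    else:
        out.update(result="Accept", profile=profile)
    return out


if __name__ == "__main__":
    # Constructed requests. The CLI 'test aaa' is modeled as a request carrying
    # neither NAS-Port-Type=Ethernet nor a MAB/802.1X Service-Type (assumption,
    # consistent with the rejection observed from the switch in Task 6).
    print(evaluate({"NAS-IP-Address": "10.1.100.1", "User-Name": "demo\\employee1"}))
    print(evaluate({"NAS-IP-Address": "10.1.100.1", "NAS-Port-Type": ETHERNET,
                    "Service-Type": "Framed", "ExternalGroups": [EMPLOYEES]}))
```

The order of the tuples is the rule order on the Policy Sets page: a user who is in both Contractors and Employees receives Wired Employee Access because that rule sits above the contractor rule, and a MAB session whose endpoint is not in any AD group falls through to the Default authorization rule and is rejected.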

Activity Verification
You have completed this task when you attain these results:
 Examined the built-in authentication and authorization policies.
 Created employee, contractor and machine downloadable ACLs (dACLs)
 Created employee, contractor, and domain computer authorization profiles
 Created employee, contractor, and domain computer authorization policies saving the
conditions to the library.

Task 6: Client Access – Wired
In this task, you will be configuring Cisco ISE to provide wired access to clients.

Activity Procedure
Complete these steps:
Step 1 Access your 3k-access switch console.
Step 2 Perform the test authentication again using the NetBIOS name format for the
username. It is now rejected: the request matches the Wired_Access policy set,
but a CLI test authentication is neither a MAB nor an 802.1X request, so it
matches none of the authentication rules and falls through to the Default rule,
which you set to DenyAccess.
3k-access#test aaa group radius demo\employee1 1234QWer new-code
User rejected

Note You could also test the username in UPN format, employee1@demo.local

Test Client Wired Access


Step 3 Access your W10PC-Corp.
Step 4 Log in with the credentials W10PC-CORP\student / 1234QWer
Step 5 Open up network settings and enable the NIC if not enabled.
Step 6 Open Services from Windows Administrative Tools in the Start menu.
Step 7 Verify and, if necessary, modify the Wired AutoConfig service to have a startup
type of Automatic and then Start the service.



Step 8 Click OK.
Step 9 Close the services console.
Step 10 Return to the NIC settings and open the properties for the NIC.
Step 11 Click the Authentication tab.
Step 12 Configure and verify the settings with the following screenshot.

Step 13 Click the button Additional Settings…


Step 14 Enable the Specify authentication mode and verify the mode is User or
computer authentication.

Step 15 Click OK.
Step 16 Click the Settings button.
Step 17 In the list of Trusted Root Certification Authorities select root-CA. Verify all
other settings with the screenshot below.

Step 18 Click the Configure… button and verify that Automatically use my Windows
login name and password (and domain if any) is enabled.
Step 19 Click OK three times to close all the windows.
Step 20 Restart the client machine using the Start menu.
Step 21 While the PC is restarting, access the 3k-access switch and verify that the
interface GigabitEthernet 1/0/1 is enabled. If the interface is disabled, enable
it with a no shutdown command.
Step 22 Return to the ISE Admin portal and navigate to Operations > Radius > Live
Logs.
Step 23 After a minute or so, you should see the local machine login via 802.1X using
the machine credentials and be assigned the Domain Computer Access
Authorization Profile.



Note The failed MAB access attempt occurred when the NIC came up and attempted to access
the network before the Wired AutoConfig service came online and sent the 802.1X
machine credentials.

Step 24 Return to the W10PC-Corp and login using the credentials demo\employee1 /
1234QWer
Step 25 Open a command prompt and ping the following addresses: 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout and the second
should succeed, according to the dACL which you configured for
employee access.

Step 26 Access the 3k-access switch console.


Step 27 Perform the following command to observe the interface session information,
paying particular attention to the username and the server policies, which should
include the acl_employee dACL.
3k-access# show authentication sessions interface gi 1/0/1 detail

3k-access#show authentication sessions interface GigabitEthernet 1/0/1 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x106EB400000005B
MAC Address: 6805.ca00.9e5a
IPv6 Address: Unknown
IPv4 Address: 10.1.10.201
User-Name: DEMO\employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FAF036F3ADA
Acct Session ID: 0x00000FA6
Handle: 0x19000002
Current Policy: POLICY_Gi1/0/1

Server Policies:
ACS ACL: xACSACLx-IP-acl_employee-575a8f87

Method status list:
Method State
dot1x Authc Success
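A small parser for the session output above, added here as an example and not part of the lab or of any Cisco tooling: it turns the show authentication sessions details text into fields and then checks what Step 27 asks you to verify by eye, namely that the session is Authorized, that it was authenticated by dot1x rather than falling back to MAB, and that the dACL applied is the expected one. The sample text is the output printed above, pasted as a constructed string; the expected username and dACL name are the lab's.

```python
import re
from typing import Dict, List

# Constructed sample: the 'show authentication sessions ... details' output shown in
# Step 27, pasted as a raw string (backslash in the username is literal).
SAMPLE_OUTPUT = r"""
Interface: GigabitEthernet1/0/1
IIF-ID: 0x106EB400000005B
MAC Address: 6805.ca00.9e5a
IPv6 Address: Unknown
IPv4 Address: 10.1.10.201
User-Name: DEMO\employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FAF036F3ADA
Acct Session ID: 0x00000FA6
Handle: 0x19000002
Current Policy: POLICY_Gi1/0/1

Server Policies:
ACS ACL: xACSACLx-IP-acl_employee-575a8f87

Method status list:
Method State
dot1x Authc Success
"""

# A dACL pushed by ISE appears on the switch as xACSACLx-IP-<dACL name>-<hash>.
ACS_ACL_RE = re.compile(r"^xACSACLx-IP-(?P<name>.+?)-(?P<hash>[0-9a-f]{8})$")


def parse_session(text: str) -> Dict[str, object]:
    """Split the switch output into session fields, server policies and method states."""
    session: Dict[str, object] = {"fields": {}, "server_policies": {}, "methods": []}
    section = "fields"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Server Policies:":
            section = "server_policies"
            continue
        if line == "Method status list:":
            section = "methods"
            continue
        if section == "methods":
            if line.startswith("Method"):  # column header row
                continue
            method, _, state = line.partition(" ")
            session["methods"].append((method, state.strip()))
            continue
        key, sep, value = line.partition(":")
        if sep:
            session[section][key.strip()] = value.strip()
    return session


def verify_session(session: Dict[str, object], expected_user: str,
                   expected_dacl: str) -> List[str]:
    """Return a list of findings; an empty list means the session looks as intended."""
    findings: List[str] = []
    fields = session["fields"]
    if fields.get("Status") != "Authorized":
        findings.append(f"status is {fields.get('Status')!r}, expected Authorized")
    # The switch reports DEMO\employee1 for a login typed as demo\employee1.
    if fields.get("User-Name", "").lower() != expected_user.lower():
        findings.append(f"user is {fields.get('User-Name')!r}, expected {expected_user!r}")
    if ("dot1x", "Authc Success") not in session["methods"]:
        findings.append("no successful dot1x method (MAB fallback or failed 802.1X?)")
    acl = session["server_policies"].get("ACS ACL", "")
    match = ACS_ACL_RE.match(acl)
    if not match:
        findings.append(f"no downloadable ACL applied (ACS ACL = {acl!r})")
    elif match.group("name") != expected_dacl:
        findings.append(f"dACL {match.group('name')!r} applied, expected {expected_dacl!r}")
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_OUTPUT)
    print(verify_session(parsed, r"demo\employee1", "acl_employee") or "session OK")
```

For the employee1 session the findings list is empty; pasting the contractor1 session from Step 33 and checking against acl_contractor exercises the same code, and the failed MAB attempt mentioned in the Note above shows up as a session with no successful dot1x method.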

Step 28 Return to the Cisco ISE admin portal and navigate to Operations > Radius >
Live Logs.
Step 29 Observe the new record details for the employee1 access.

Step 30 Click the DEMO\employee1 authentication details icon. Observe the details on
the steps included in this record.
Step 31 Return to the W10PC-Corp and Log Off the employee1 user.
Step 32 Log in using the credentials demo\contractor1 / 1234QWer
Step 33 Open a command prompt and ping the following addresses: 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout and the second
should also fail, according to the dACL which you configured for contractor
access.

Step 34 Now attempt to ping 10.1.100.1. This should succeed.



Step 35 Return to the Cisco ISE admin portal on the Admin PC.
Step 36 Observe the new contractor1 authentication success record. Also observe the
machine login that occurred between the employee1 logoff and the contractor1
logon.

Activity Verification
You have completed this task when you attain these results:
 You have configured the 3k-access switch as a network device in Cisco ISE.
 You have successfully performed test authentications via the switch CLI.
 You have successfully configured the W10PC-Corp to authenticate via 802.1X.
 You have successfully logged in as both employee1 and contractor1 and observed the
dACL restrictions appropriate for each username.
 You have observed the authentication records in Cisco ISE.

Task 7: Client Access – Wireless
In this task, you will configure the Cisco WLC as a network device in Cisco ISE, modify the
authorization profiles to process wireless access, and test a wireless authentication.

Activity Procedure
Complete these steps:
Step 1 On your Admin PC, open a new tab in your browser and access your pod vWLC.
Use the bookmark or https://wlc.demo.local.
Step 2 Log in with the Username admin and the password 1234QWer.
Step 3 Click WLANs and verify you have three (3) WLANs for your pod: a guest
WLAN, a wpa2e WLAN, and a hotspot WLAN.
Step 4 Make note of the three WLAN SSIDs and the WLAN numbers, as these are the
SSIDs for your specific pod.

Note If you do not have these WLANs, notify your instructor.

Step 5 Enable each of these WLANs by clicking on the WLAN numbers and changing
the Status to Enabled and Applying the configuration.
Step 6 Navigate to SECURITY then AAA > RADIUS > Authentication and verify
that Cisco ISE has been configured as a RADIUS server.
Step 7 Navigate to AAA > RADIUS > Accounting and verify that Cisco ISE has also
been configured as a RADIUS server.
Step 8 Navigate to WIRELESS and observe your pod AP. In your pod’s default
configuration, the AP should be Admin Status Enabled.
If not, enable your AP by clicking on the AP Name and under the General tab
change Admin Status to Enabled. Then Apply your configuration.



Wireless Access
In this section, you will be using your pod's wireless device to access the wireless networks
that are configured for your specific pod.

Note It is critical to make sure that you only associate to your pod's SSIDs.

Step 9 On your W10PC-Corp, log off and log in again as W10PC-CORP\student /
1234QWer.
Step 10 Access the Android tablet by launching the ANDROID CONTROL via Vysor
link on the desktop.
Step 11 The connection to the Tablet will automatically open, otherwise click View.
Step 12 If the Tablet is locked, you can unlock it with the PIN “1234”.

Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.

Tablet Clean up
It may be necessary to clean up your Tablet from a previous class. Perform the steps listed
below.

Step 13 Navigate to Settings > Security and select Clear credentials (if not grayed out).
Step 14 Confirm the message.

Wireless Access via Tablet
Step 15 Press the home button (middle bottom button)
Step 16 Open the Widget/Icon for WLAN
Step 17 Enable WLAN if not already enabled, by clicking the slider.

Step 18 From the list identify and click your pod WPA SSID (##-wpa2e).

Note If you don’t find the SSID, then review your vWLC or notify your instructor.

Step 19 Enter employee1@demo.local as Identity and 1234QWer as the password and
leave all other parameters at their defaults. Then click Connect.

Step 20 The WLAN should now mark as Connected.


Step 21 Return to the Admin Portal of Cisco ISE.
Step 22 Navigate to Operations > Radius > Live Logs.
Step 23 Identify the employee1 access record from the vWLC in the list.



Step 24 Click the icon to see the Authentication Details.
Step 25 Identify the following fields to confirm that you matched the correct policy.

Step 26 Scroll down to the results section and observe that the Airespace ACL you
configured earlier is being assigned.

Note If you do not see employee exactly as it is in the above screenshot, as UPPERCASE,
you will need to modify your authorization profile as ACL names are case-sensitive.

Step 27 Navigate to your pod vWLC tab in the browser.


Step 28 On the MONITOR page, click Clients in the left pane.
Step 29 In the list of clients observe the client MAC address and the username
employee1@demo.local.

Step 30 Click the MAC address hyperlink.


Step 31 In the General tab, scroll down to the Security Information section. Observe
both the Radius NAC State as RUN and the IPv4 ACL Name field as the
assigned ACL name, EMPLOYEE, which you configured in the Employee
Access Authorization Profile.

Clean up
Now that you have successfully accessed a wireless network, you will disconnect the
wireless device.
Step 32 Return to your Tablet.
Step 33 Via the WLAN icon, turn off WLAN by clicking the slider.
Step 34 Return to your Cisco ISE admin portal.

Activity Verification
You have completed this task when you attain these results:
 You have verified the vWLC configuration.
 You have added the vWLC to Cisco ISE as a network device.
 You have adjusted RADIUS settings to show every authentication message in Cisco ISE.
 You have accessed the wireless network via your Tablet.
 You have verified proper authorization profile configuration from ISE to the vWLC.



Task 8: Creating a Global Exception
In this task, you will configure a global exception authorization policy. A global exception
applies to all policy sets, and as an exception rule it is processed before the regular
authorization rules of each policy set.

Activity Procedure
Complete these steps:
Step 1 In your policy set navigate to Wired_Access > Authorization Policy - Global
Exceptions.
Step 2 Click the + button to create a new rule.
Step 3 Create the following rule. For this rule scenario you are creating an exception for
the demo.local IT staff who are performing an audit of the demo.local network.

Tip You could save the demo.local conditions to the library to facilitate a more efficient reuse
in the future.

Global Exception Policy

Attribute Value

Rule Name Domain IT Audit Exception

Conditions (identity groups and other conditions) demo.local:ExternalGroups Equals demo.local/HCC/Groups/IT Staff

Results (Profiles) PermitAccess

Step 4 Click Use and verify your policy against the following screenshot.

Step 5 Click the Save button.


Policy Test
Step 6 On your W10PC-Corp log in as demo\itadmin / 1234QWer and observe the
result.
Step 7 Return to your Cisco ISE admin portal
Step 8 Navigate to Operations > Radius > Live Logs and find the itadmin@demo.local
authentication.
Step 9 Click the authentication details icon.

Step 10 Observe that the Authorization policy name is under Wired_Access and is
Domain IT Audit Exception, the name you created as a Global Exception policy
name.

Step 11 Return to your admin portal and navigate to Policies > Policy Sets.
Step 12 Navigate to your Wireless_Access > Authorization Policy – Global Exceptions
and notice there is an indicator of (1).
Step 13 Expand the exceptions policy and observe the global exceptions rule that you
created earlier.
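The evaluation order this task relies on, modelled as an added example (not Cisco ISE code and not part of the lab): the global exception rules are checked before any rule of the selected policy set, and the first rule whose condition holds decides the authorization profile, with the policy set's Default rule as the last resort. The IT Staff group name and the Domain IT Audit Exception rule come from the table above; the Wired and Wireless employee, contractor and computer rule names, the AD group names behind those rules, and selecting the policy set by access medium are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

# One access request as seen by the authorization policy: the AD groups ISE resolved
# for the identity. Attribute names are simplified for this example.
Attrs = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Attrs], bool]
    profile: str  # authorization profile returned on a match


@dataclass
class AuthzPolicy:
    """The authorization policy of one policy set: ordered rules plus a default."""
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_profile: str = "DenyAccess"


def in_group(group: str) -> Callable[[Attrs], bool]:
    """Condition 'demo.local:ExternalGroups EQUALS <group>'."""
    return lambda attrs: group in attrs.get("ExternalGroups", ())


def evaluate(global_exceptions: Sequence[Rule], policy: AuthzPolicy,
             attrs: Attrs) -> Tuple[str, str, str]:
    """First-match evaluation: global exceptions, then the policy set's own rules,
    then the Default rule. Returns (policy set, matched rule, profile)."""
    for rule in list(global_exceptions) + policy.rules:
        if rule.condition(attrs):
            return policy.name, rule.name, rule.profile
    return policy.name, "Default", policy.default_profile


IT_STAFF = "demo.local/HCC/Groups/IT Staff"            # from the lab table
EMPLOYEES = "demo.local/HCC/Groups/Employees"          # assumed group name
CONTRACTORS = "demo.local/HCC/Groups/Contractors"      # assumed group name
DOMAIN_COMPUTERS = "demo.local/Users/Domain Computers"  # assumed group name

# The global exception is defined once and shared by every policy set.
GLOBAL_EXCEPTIONS = [
    Rule("Domain IT Audit Exception", in_group(IT_STAFF), "PermitAccess"),
]

# Rule names below are assumed to mirror the lab's wired and wireless rules.
POLICY_SETS = {
    "wired": AuthzPolicy("Wired_Access", [
        Rule("Wired AD Employees", in_group(EMPLOYEES), "Employee Access"),
        Rule("Wired AD Contractors", in_group(CONTRACTORS), "Contractor Access"),
        Rule("Wired AD Computers", in_group(DOMAIN_COMPUTERS), "Domain Computer Access"),
    ]),
    "wireless": AuthzPolicy("Wireless_Access", [
        Rule("Wireless AD Employees", in_group(EMPLOYEES), "Employee Access"),
        Rule("Wireless AD Contractors", in_group(CONTRACTORS), "Contractor Access"),
        Rule("Wireless AD Computers", in_group(DOMAIN_COMPUTERS), "Domain Computer Access"),
    ]),
}


def authorize(medium: str, attrs: Attrs) -> Tuple[str, str, str]:
    """Pick the policy set by access medium (a simplification of ISE's policy-set
    conditions) and evaluate it together with the shared global exceptions."""
    return evaluate(GLOBAL_EXCEPTIONS, POLICY_SETS[medium], attrs)


if __name__ == "__main__":
    # itadmin is both an employee and in IT Staff: the exception wins on every medium,
    # which is what Steps 10 to 13 show in the live log and in the (1) indicator.
    for medium in ("wired", "wireless"):
        print(authorize(medium, {"ExternalGroups": [EMPLOYEES, IT_STAFF]}))
    print(authorize("wired", {"ExternalGroups": [EMPLOYEES]}))
    print(authorize("wired", {"ExternalGroups": []}))
```

The point the model makes explicit is that an exception is not just another rule: placed at the end of the Wired_Access rule list instead, the same itadmin request would already have matched Wired AD Employees and received Employee Access with its dACL, never reaching PermitAccess.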

Activity Verification
You have completed this task when you attain these results:
 You have successfully created a global exception.
 You have successfully performed a CLI test authentication using a local user account
and observed the matching of the employee authorization profile.
 You have observed the global exception in each of the policy set rules.



Task 9: Network visibility with Context Visibility
Context Visibility is a feature of Cisco ISE since release 2.1. It lets you view endpoints
and network devices, and create groups of them, for better visibility into your network
environment.

Activity Procedure
Complete these steps:
Step 1 Return to the ISE Admin Portal, and navigate to Context Visibility > Endpoints
> Authentications. Notice the Android endpoint can also be seen here.

Step 2 By clicking the endpoint's MAC address, you can drill down to view further
details on the chosen endpoint. By clicking the various tabs, you can view
additional details such as Authentication, Threats, and Vulnerabilities for that
endpoint.

Step 3 From this screen, click the Network Devices option to view further information
on network devices that are seen by ISE.

Step 4 On the right side of this screen, click the number of endpoints associated
with a network device to view additional useful information on the endpoints
that ISE sees on the network.


Activity Verification
You have completed this task when you attain these results:
 You observed network device details via the Context Visibility feature.



Lab 3-1: Configure Guest Access
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the settings in Cisco ISE that are the core components of
Guest Access. After completing this activity, you will be able to meet these objectives:
 Configure Guest Settings for Guest Access in Cisco ISE
 Configure the Guest Locations and SSIDs feature in Cisco ISE

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC

Task 1: Guest Settings
In this task, you will configure the basic settings for guest operations.

Activity Procedure
Complete these steps:
Step 1 On your pod Admin PC in the Cisco ISE admin portal navigate to Work Centers
> Guest Access > Settings.
Mail Settings
Step 2 Expand Guest Email Settings and modify the Default ‘From’ email address to
be sponsor@demo.local.
Step 3 Click Save.
Step 4 Still in the Guest Email Settings, click the helpful “Configure SMTP server at:
Work Centers > Guest Access > Administration > SMTP Server” hyperlink.
Step 5 In the SMTP Server settings enter mail.demo.local and click Save.
Custom Fields
Step 6 Return to Work Centers > Guest Access > Settings and expand Custom Fields.
Step 7 Add the following custom field and then click Add.
Guest Custom Field

Custom field name Data type Tip text

Person Visiting String Enter the name of the person you are visiting.

Step 8 Click Save.



Guest Username Policy
Step 9 Expand Guest Username Policy.
Step 10 For lab purposes modify the Minimum username length to 4 and then also
modify the Characters Allowed in Randomly-Generated Usernames,
Minimum alphabetic field to 4 as well.
Step 11 Click Save.
Guest Password Policy
Step 12 Expand Guest Password Policy.
Step 13 For lab purposes modify the Minimum password length to 4, and then also
modify the Minimum uppercase to 2. Change the setting for Special to None.
Step 14 Click Save.

Guest Purge Policy
Step 15 Expand Guest Account Purge Policy.
Step 16 In the Time of purge field notice the time is set to 1:00 AM. Because Cisco ISE
is set up for the UTC time zone, an adjustment needs to be made, as corporate
policy dictates that this occur after midnight local time.
Here you have an option: you can configure according to the actual local time
zone of your class, or according to the Pacific Time zone.
If you are using the Pacific Time zone, enter 11:00 AM.
Step 17 Click Save, or leave all fields unchanged.

Activity Verification
You have completed this task when you attain these results:
 You have configured mail (SMTP) settings for Cisco ISE.
 You have added a custom field for guest access.
 You have modified the guest username policy.
 You have modified the guest password policy.
 You have adjusted the purge policy time for either the Pacific or your local time zone.

Task 2: Guest Locations
In this task, you will configure locations. You will configure a few set locations and you will
also configure the location of your class. This will be used later to align the access times
with your local class time zone.

Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Guest Access > Settings and then select Guest
Locations and SSIDs.
Step 2 In the Guest Locations area enter the following location and time zone
information. Finish by adding your class city and time zone.

Tip In the time zone area, begin typing to activate filtering.

Guest Locations

Location name Time Zone

New York America/New_York
Chicago America/Chicago
London Europe/London
Dubai Asia/Dubai
Sydney Australia/Sydney
<YOUR CITY> <YOUR TIME ZONE>

Step 3 In the Guest SSIDs field enter your guest SSID (##-guest) from your
vWLC WLAN.
This feature is helpful if for instance your organizational guest network has
different SSIDs based on location. For example, Guest-US, Guest-EU, Guest-
APAC, etc.

Tip Do not navigate away to your vWLC web page as you will lose your Guest Location
form data.

Step 4 Click Save.

Activity Verification
You have completed this task when you attain this result:
 You have configured the Guest Settings according to the task instructions.



Lab 3-2: Guest Access Operations
This activity has you exploring multiple Cisco ISE guest access configurations and
operations. The lab helps you to really understand how various guest access scenarios work
and why you might want to use them in your organization. You will start with configuring
Cisco ISE guest access using a hotspot portal. This portal is for organizations who want the
simplest method of providing guest access, with less concern for strict control over who uses
the service, or tracking who uses the service. Some organizations require a bit more control
and awareness concerning who uses guest access. You will learn how to accommodate these
scenarios, such as guest access for self-registration, and self-registration with sponsor
approval. Finally, you will configure and validate sponsored guest access.

Activity Objective
In this activity, you will explore multiple Cisco ISE guest access configurations and
operations. After completing this activity, you will be able to meet these objectives:
 Configure Cisco ISE guest access using a hotspot portal
 Configure Cisco ISE guest access for self-registration
 Configure Cisco ISE guest access for self-registration with sponsor approval
 Configure Cisco ISE guest access for sponsored guest access

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 vWLC
 W10PC-Corp



Task 1: Hotspot Portal Operations
In this task, you will configure Cisco ISE guest access with a hotspot portal. This type of
access is appropriate where accepting an AUP alone is sufficient to meet network security
policy.

Activity Procedure
Complete these steps:
Configuration
Step 1 On the Admin PC in the Cisco ISE admin portal navigate to Work Centers >
Guest Access.
Step 2 Take a moment and read the Guest Access Overview. Note that at the bottom of
the overview screen a hyperlink for the reports is included. Do not click this now.
Step 3 In the top, click Portals & Components.
Step 4 In the left pane, click Guest Portals.
Step 5 In the right pane, click the Create button.
Step 6 In the pop-up select Hotspot Guest Portal and then click Continue…
Step 7 In the Portals Settings and Customization window configure the following:
Hotspot Portal Settings and Customization

Attribute Value

Portal Name Demo – Hotspot

Description The demo.local Hotspot

Portal Behavior and Flow Settings

Portal Settings

HTTPS Port 8443

Allowed interfaces Gigabit Ethernet 0

Certificate group tag ISE Lab CGT

Endpoint identity group GuestEndpoints

Display language Use browser locale

Acceptable Use Policy (AUP) Page Settings

Include an AUP page [X]

Require an access code [X] 1234

Require scrolling to the end of AUP [ ]

Post-Access Banner Page Settings

Include a Post-Access Banner page [ ]

VLAN DHCP Release Page Settings

Enable VLAN DHCP release [ ]

Delay to release 1

Delay to CoA 8

Delay to renew 12

Authentication Success Settings

Once authenticated, take guest to Authentication Success page

Support Information Page Settings

Include a Support Information page [X]

Fields to include [ X ] MAC address
[ X ] IP address
[ X ] Browser user agent
[ ] Policy server
[ X ] Failure code

Empty fields Hide field

Step 8 Scroll to the top and click Save.


Step 9 In the pop-up window, click OK to change the certificate for all the portals on the
same port.
Step 10 In your Firefox browser, open the tools/guest toolbar hyperlink in a new tab
(right-click guest).
Step 11 Click the iseiscool-images.zip link and save the file.

Step 12 Click the download arrow in the upper right corner of Firefox, then the folder
icon next to the file, to open the location where the file was saved.

Step 13 Right-click the file name and select Extract All. Accept the default location and
click Extract.
Step 14 Return to the ISE admin portal.
Step 15 In the customization setting area click Portal Page Customization.



Step 16 Before making any modifications, observe the Preview on the right side of the
page. This is the Mobile preview page. Below this preview is the Desktop
Preview link. Clicking on it will open up a new browser window.

Step 17 Scroll back up to the top and, to the right of the Portal Theme, select the
Tweaks… button.
Step 18 Observe the color options that you can modify. Click the color square at the end
of the Banner Color line. Play around with the color tool as you see fit. Pick a
custom color or enter #8a099b in the hex box.
Step 19 Click OK.
Step 20 Leave all other colors the default and click OK.
Step 21 Images can be uploaded by clicking on the buttons in the Images section. They
can also be deleted or reset to default with the X and circled arrow buttons
respectively.

Step 22 Delete the Banner Image.

Step 23 Scroll back to the preview area and click Refresh Preview and observe the
purple (or your custom color) banner.
Step 24 Upload the following images:

Image File Location

Logo (Mobile) C:\users\admin\Downloads\iseiscool-images\iseiscool_logo_hotspot.png

Logo (Desktop) C:\users\admin\Downloads\iseiscool-images\iseiscool_logo_hotspot.png

Banner C:\users\admin\Downloads\iseiscool-images\iseiscool_banner.png



Step 25 Remove the Text Elements > Banner title, as the image contains the text in
graphical format.

Step 26 Click in the Footer Elements box to the right to activate the preview change and
review the preview.

Step 27 Scroll down to the AUP text box. Wherever you see Cisco Systems in the AUP
change it to The Demo Shop.
Step 28 Select or highlight one of the “The Demo Shop” names and bold it using the
toolbar for the AUP text section. Make any other text modifications you desire.

Step 29 In the Left Pane select Authentication Success.

Step 30 Edit both Browser Page Title and the Content Title and modify them to Access
Granted.
Step 31 Scroll down to Optional Content 2 and add the following text: Use coupon code
130 at checkout for extra savings!
Step 32 Using the toolbar, bold and underline 130 then change the font color of 130 to
red. Then select the text and change the font size to large.

Step 33 Scroll to the right and click Refresh Preview to review your work.



Step 34 In the left pane, click Support Information.
Step 35 Scroll down and, in the Support Information Text field, modify the phone
number from (xxx)-xxx-xxxx to (555) 555-1234.
Step 36 In the left pane, click Messages > Error Messages.
Step 37 Observe the error messages and the message text that the users would be shown
in the event of an error.
Step 38 Each line of the message Text is inline editable. Modify the
ui_invalid_access_code_error message text to read: Wrong access code. See
the front desk for assistance.

Tip You might want to change the ui_invalid_license_error from “No valid system license
exists.” to something generic since this will be seen by customers.

Step 39 Scroll to the top and click Save.


Step 40 In the left pane, click Acceptable Use Policy and under the preview section click
the link Desktop Preview and observe the desktop preview in a new tab. Close
the tab when you are done.
Step 41 Back in the Admin Portal click Close.
Step 42 As indicated below the Guest Portals list in the right pane, you must create an
authorization profile. Click the hyperlink to go there now. Your portal will not be
Authorized until you create an Authorization Profile referencing this portal and
then an Authorization policy that references the related Authorization Profile.

Step 43 Click +Add in the right pane toolbar.

Step 44 Create the following authorization profile:
Hotspot Authorization Profile

Attribute Name Value

Name Hotspot Access

Common Tasks

Web Redirection Hot Spot
ACL: ACL-WEBAUTH-REDIRECT
Value: Demo - Hotspot

Step 45 Scroll down and click Submit.


Step 46 Click +Add in the right pane toolbar.
Step 47 Create the following authorization profile for guest access.
Guest Authorization Profile

Attribute Name Value

Name Guest Access

Common Tasks

Airespace ACL Name GUEST_ACL

Step 48 Scroll down and click Submit.


Step 49 Navigate to Policy > Policy Sets and access the Wireless_Access >
Authorization Policy policy set.
Step 50 Add the following Authorization Policy rule above the Wireless AD Employees
rule.

Note Make sure your WLAN ID for your ##_hotspot WLAN is correct.

Hotspot Authorization Policy

Attribute Value

Rule Name Hotspot

Conditions (identity groups and other conditions) Airespace:Airespace-Wlan-Id EQUALS 2

Results (Profiles) Hotspot Access

Step 51 Add another rule above the Hotspot rule you just created with the following
parameters.
Guest Access Authorization Policy

Attribute Value

Rule Name Guest Access

Conditions (identity groups and other conditions) IdentityGroup:Name CONTAINS Endpoint Identity Groups:GuestEndpoints

Results (Profiles) Guest Access



Step 52 Verify your configuration with the following screenshot.

Step 53 Scroll down and click Save.


Step 54 Navigate to Work Centers > Guest Access > Portals & Components and then
click Guest Portals.
Step 55 Observe that the Demo – Hotspot portal is now Authorized compared to the
other default portals.

Step 56 Click Demo – Hotspot to enter the configuration for that portal.
Step 57 In the right side, examine the Guest Flow. This diagram is based on the settings
you configured on the left. In this simple hotspot flow, the user will need to
accept the AUP (1) and then they will have successfully logged on the network
(2). You have enabled Support Information and that is represented in the block on
the right.

Step 58 When you test access in the next section, you will observe this flow.
Test Access
Step 59 On your W10PC-Corp log in as student / 1234QWer.
Step 60 Access your Tablet according to your lab specific instructions.

Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.

Step 61 Use the WLAN link to open the WLAN list.


Step 62 Enable WLAN.
Step 63 From the list identify your pod ##-wpa2e SSID. The Tablet should automatically
connect to this WLAN. Click this WLAN.
Step 64 At the bottom, click FORGET in order to clear any previous cached settings or
credentials.
Step 65 Click the hotspot SSID for your pod.
Step 66 Open a browser on the Tablet.



Step 67 If you are not automatically redirected to the ISE hotspot portal, try to open a
webpage on cisco.com, for example.
Step 68 You are presented with a warning page, “Your connection is not private”.
Step 69 Click Advanced and then click Proceed to ise-1.demo.local (unsafe).

Step 70 Observe the modifications that you made, for example the banner, “The
Demo Shop”, and the bolding of the first occurrence of that name.
Step 71 Click in the Access code box and enter an incorrect access code of 5678 and click
Accept and observe the result which should match the error message you
configured.

Hint Don’t use the keypad to enter the access code. If you use the keypad, the tablet will
lock and you must unlock the device again (PIN 1234). Use the on-screen keyboard of the
tablet to enter the access code.



Step 72 Click the Contact Support link at the bottom. Observe the Support Information
page opens in a new tab. Observe the modification of the help desk phone
number.

Step 73 Close this tab to return to the AUP page.


Step 74 Now enter the correct access code, 1234, and click Accept.
Step 75 This correlates to the AUP, step 1, in the previous flow diagram.
Step 76 You should see the customized Access Granted messages with the coupon code
that you configured at the bottom.
Step 77 This correlates to the Success, step 2, in the previous flow diagram.

Step 78 Now surf to Cisco.com again. This should succeed.
Step 79 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 80 Navigate to Operations > Radius > Live Logs and observe the authentication
records. Notice the first Hotspot access and then the Identity Group
GuestEndpoints and Guest Access Authorization Profile match.

Step 81 Note the endpoint MAC address below.

Step 82 Navigate to Context Visibility > Endpoints .


Step 83 Find the Tablet’s MAC address and click the Endpoint Profile name, or select the
checkbox and click Edit in the toolbar.
Step 84 Observe the following fields which correlate with the configuration you made
earlier. Also notice the device has been statically assigned to the GuestEndpoints
Identity Group.

Note Observe the new Description feature. You can enter a description and scroll to the
bottom and click Save.

Tip You may have noticed that the system has effectively profiled the device as an Android
Tablet even though you disabled Profiling earlier in the lab. Further details will be
covered later in the lecture, but briefly, Cisco ISE always gathers HTTP
headers when a portal is accessed, and the endpoint using the portal is profiled based
solely on that data.

Activity Verification
You have completed this task when you attain these results:
 You have created a guest hotspot portal.
 You have configured and customized the guest hotspot portal.
 You have configured a guest and hotspot authorization profile.
 You have modified the authorization policy for hotspot access and subsequent guest
access.
 You have accessed the hotspot SSID network and processed through the hotspot guest
flow.
 You have observed the authentication process and records in Cisco ISE.



Task 2: Self-Registration Portal Operations (Optional)
In this task, you will configure Cisco ISE guest access for guest self-registration. This type
of access is appropriate where guests connect to the network themselves and create their
own accounts within the limits of the configured parameters.

Activity Procedure
Complete these steps:
Configure Guest Type
In this section, you will configure a custom guest type that will restrict access to business
days and hours.
Step 1 In the Cisco ISE Admin portal, navigate to Work Centers > Guest Access >
Portals & Components and then select Guest Types.
Step 2 In the right pane observe the four default guest types, Contractor, Daily,
SocialLogin and Weekly.
Step 3 In the right pane click the Create button.
Step 4 Configure a guest type according to the following table.
Guest Type

Attribute                                                  Value
Guest type name                                            Business Daily
Description                                                Business Hours on Business Days

Collect Additional Data
Custom Fields...                                           Person Visiting
Required                                                   [ ]
Tip                                                        <leave default>

Maximum Access Time
Maximum account duration                                   5 days (default 2)
Allow access only on these days and times                  [X]
  From 9:00 AM  To 5:00 PM                                 Days [ ] Sun [X] Mon [X] Tue [X] Wed [X] Thu [ ] Fri [ ] Sat
  From 9:00 AM  To 9:00 PM                                 Days [ ] Sun [ ] Mon [ ] Tue [ ] Wed [ ] Thu [X] Fri [ ] Sat

Login Options
Maximum simultaneous logins                                [X] 2
When guest exceeds limit                                   Disconnect the oldest connection
Maximum devices guest can register                         2
Store device information in endpoint identity group        GuestEndpoints
Allow guest to bypass the Guest portal                     [ ]

Account Expiration Notification
Send account expiration notification                       [X] 5 hours before account expires
Email                                                      [X]
Use customization from                                     Self-Registered Guest Portal (default)
Messages                                                   Your account at The Demo Shop is going to expire in 5 hours.
Copy text from
Send test email to me at
SMS                                                        [ ]
Messages                                                   Your account at The Demo Shop is going to expire in 5 hours.
Copy text from
Send test SMS to me at
Provider

Sponsor Groups                                             All_Accounts (default), Group_Accounts (default), Own_Accounts (default)

Step 5 Scroll up and click Save. If you are sending a test SMS message, do so now.
Step 6 Click Close.
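The guest type you just saved is easier to reason about as a small model. The following is an added example written for this guide, not Cisco ISE code: it encodes the Business Daily day/time windows, the 5-day account-duration cap and the 2-login limit from the table above, and evaluates constructed login attempts against them so you can predict what the Live Logs should show before testing on the Tablet.

```python
"""Model of the 'Business Daily' guest type configured in this task.

Added illustration, not Cisco ISE code. The windows and limits are the lab's
values; the login attempts and MAC addresses are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Tuple

# Weekday numbers as returned by datetime.weekday(): Monday == 0 ... Sunday == 6
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)


@dataclass(frozen=True)
class AccessWindow:
    """One 'Allow access only on these days and times' row of the guest type."""
    days: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class GuestType:
    name: str
    max_account_duration_days: int
    windows: Tuple[AccessWindow, ...]
    max_simultaneous_logins: int


# 'Business Daily' as configured above: Mon-Thu 9:00 AM-5:00 PM,
# Fri 9:00 AM-9:00 PM, no weekend access, at most 5 days, 2 simultaneous logins.
BUSINESS_DAILY = GuestType(
    name="Business Daily",
    max_account_duration_days=5,
    windows=(
        AccessWindow(frozenset({MON, TUE, WED, THU}), time(9, 0), time(17, 0)),
        AccessWindow(frozenset({FRI}), time(9, 0), time(21, 0)),
    ),
    max_simultaneous_logins=2,
)


def account_end(guest_type: GuestType, created: datetime, valid_days: int) -> datetime:
    """End of validity for an account created through the portal.

    The Demo-Self-Reg portal asks for 'Account valid for 1 Days'; whatever the
    portal asks for is capped at the guest type's maximum account duration.
    """
    if valid_days < 1:
        raise ValueError("an account must be valid for at least one day")
    return created + timedelta(days=min(valid_days, guest_type.max_account_duration_days))


def login_decision(guest_type: GuestType, created_iso: str, valid_days: int,
                   when_iso: str) -> Tuple[bool, str]:
    """Decide whether a guest login at 'when_iso' (ISO 8601) should be accepted.

    Account validity is checked first, then the guest type's day/time windows;
    the returned reason says which check failed.
    """
    created = datetime.fromisoformat(created_iso)
    when = datetime.fromisoformat(when_iso)
    if not created <= when < account_end(guest_type, created, valid_days):
        return False, "account not yet valid or expired"
    if not any(window.contains(when) for window in guest_type.windows):
        return False, "outside the guest type's allowed days and times"
    return True, "allowed"


def admit_session(guest_type: GuestType, active: List[Tuple[str, str]],
                  new_session: Tuple[str, str]) -> List[Tuple[str, str]]:
    """Apply 'Maximum simultaneous logins' with 'Disconnect the oldest connection'.

    Sessions are (endpoint MAC, ISO start time) pairs; the returned list holds
    the sessions still connected after the new login is admitted.
    """
    sessions = sorted(active + [new_session], key=lambda s: datetime.fromisoformat(s[1]))
    excess = len(sessions) - guest_type.max_simultaneous_logins
    return sessions[excess:] if excess > 0 else sessions


if __name__ == "__main__":
    # Constructed attempts for an account registered Monday 2018-06-04 09:30, valid 1 day.
    for when in ("2018-06-04T10:00", "2018-06-04T18:00", "2018-06-05T09:00", "2018-06-05T10:00"):
        print(when, login_decision(BUSINESS_DAILY, "2018-06-04T09:30", 1, when))
    # Third login from a constructed MAC: the oldest of the three is disconnected.
    print(admit_session(BUSINESS_DAILY,
                        [("00:11:22:33:44:55", "2018-06-04T10:00"),
                         ("66:77:88:99:aa:bb", "2018-06-04T10:05")],
                        ("cc:dd:ee:ff:00:11", "2018-06-04T10:10")))
```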
Configure Guest Portal
Step 7 Navigate to Work Centers > Guest Access > Portals & Components.
Step 8 In the left pane, click Guest Portals.
Step 9 In the right pane, click the Create button.
Step 10 In the pop-up window, select Self-Registered Guest Portal and then click
Continue.
Step 11 In the Portals Settings and Customization window configure the following:

Self-Registration Portal Settings and Customization

Attribute                                                  Value
Portal Name                                                Demo-Self-Reg
Description                                                The Demo Self-Registration Portal

Portal Behavior and Flow Settings

Portal Settings
HTTPS Port                                                 8443
Allowed interfaces                                         Gigabit Ethernet 0
Certificate group tag                                      ISE Lab CGT
Authentication method                                      Guest_Portal_Sequence
Employees using this portal as guest inherit login options from   Weekly (default)
Display language                                           Use browser locale

Login Page Settings
Require an access code                                     [ ]
Maximum failed login attempts before rate limiting         5
Time between login attempts when rate limiting             2
Include in AUP page                                        [X] on page
Require acceptance                                         [X]
Require scrolling to the end of AUP                        [X]
Allow guest to create their own accounts                   [X]
Allow social login                                         [ ]
Allow guest to change password after login                 [ ]

Registration Form Settings
Assign to guest type                                       Business Daily
Account valid for                                          1 Days
Require a registration code                                [ ]

Fields to include                                          Required
[X] User name                                              [ ]
[X] First name                                             [X]
[X] Last name                                              [X]
[X] Email address                                          [ ]
[X] Phone number                                           [ ]
[X] Company                                                [ ]
[X] Location                                               [X]
Guest can choose from these locations to set their time zone   San Jose, <SELECT YOUR LOCATION FROM THE LIST>
[ ] SMS Service Provider                                   [ ]
Guest can choose from these SMS providers                  [ ] Global Default, [ ] T-Mobile, [ ] ATT, [ ] Verizon,
                                                           [ ] ClickatellViaSMTP, [ ] Orange, [ ] In mobile,
                                                           [ ] TheRingRingCompany, [ ] Sprint
[X] Person being visited                                   [X]
[X] Reason for visit                                       [X]
[ ] Custom Fields
Include in AUP                                             [X] on page
Require acceptance                                         [ ]
Only allow guests with an email address from               [ ]
Do not allow guests with an email address from             [X] example.com
Require guest to be approved                               [ ]
After registration submission, direct guest to             Self-registration Success page
Send Credential Notification Automatically Using           [X] Email [ ] SMS

Self-Registration Success Settings
Include this information on the Self-Registration Success page   [X] User name, [X] Password, [X] First name,
                                                           [X] Last name, [X] Email address, [X] Phone number,
                                                           [X] Company, [X] Location, [ ] SMS Service Provider,
                                                           [X] Person being visited, [X] Reason for visit
Allow guest to send information to self using              [X] Print, [X] Email, [ ] SMS
Include in AUP                                             [X] on page
Require acceptance                                         [X]
Require scrolling to end of the AUP                        [ ]
Allow guest to log in directly from the Self-Registration Success Page   [X]

Acceptable Use Policy (AUP) Page Settings
Include in AUP page                                        [X]
Use different AUP for employees                            [ ]
Skip AUP for employees                                     [X]
Require scrolling to end of AUP                            [ ]
Show AUP                                                   Every 1 days

Guest Change Password Settings
Require guest to change password at first login            [ ]

Guest Device Registration Settings
Automatically register Guest devices                       [X]
Allow guests to register devices                           [X]

BYOD Settings
Allow employees to use personal devices on the network     [ ]
Endpoint identity group                                    RegisteredDevices
Allow employees to choose to guest access only             [ ]
Display Device ID field during registration                [ ]
After successful device configuration take employee to     Success page

Guest Device Compliance Settings
Require guest device compliance                            [ ]

Post-Login Banner Page Settings
Include Post-Login Banner page                             [ ]

VLAN DHCP Release Page Settings
Enable VLAN DHCP release                                   [ ]
Delay to release                                           1
Delay to CoA                                               8
Delay to renew                                             12

Authentication Success Settings
Once authenticated, take guest to                          Authentication Success page

Support Information Page Settings
Include Support Information page                           [X]
Fields to include                                          [X] MAC address, [X] IP address, [X] Browser user agent,
                                                           [X] Policy server, [X] Failure code
Empty fields                                               Hide field

Step 12 Scroll up and click Save.
Step 13 Examine the Guest Flow and when you are comfortable in your understanding of
the flow continue to the next step.

Step 14 Click Portal Page Customizations.


Step 15 Examine the customization options. They are similar to the Hotspot portal
customizations, with the option to customize the additional pages in this self-
registration flow. For the sake of time you will only add a footer and modify one other
field. Add the following text to the Footer Elements: All access is logged.

Tip Remember if adding support information to the guest flow as an option, modify the
Support information text phone number from all Xs to an actual number.

Note You will not be modifying the AUP to change the company name from Cisco Systems to
The Demo Shop due to time constraints.



Step 16 Scroll down on the right side and click Refresh Preview.
Step 17 Observe the footer you created.

Step 18 Change to a different page by clicking on the boxes to the left and observe the
footer is consistent.
Step 19 Change the Banner title to Guest Portal.
Step 20 Scroll up and click Save.
Step 21 In the left pane, select Notifications and then Print.
Step 22 Observe the variables that are used in the text.
Step 23 Create a new line at the bottom of the text box. Add the text "Location: ".

Step 24 In the toolbar, click the Insert Variable icon and observe variables which are
available. Select Location name to insert that variable.

Step 25 Verify your work with the following screenshot.

Step 26 Scroll up and click Save then Close.


Step 27 Use the shortcut hyperlink at the bottom of the page to create an Authorization
profile.

Step 28 Select Hotspot Access and then click Duplicate in the tool bar.
Step 29 Modify the authorization profile according to the table below.
Self-Registration Authorization Profile

Attribute Name                                             Value
Name                                                       Self-Registration Portal

Common Tasks
Web Redirection                                            Centralized Web Auth
                                                           ACL: ACL-WEBAUTH-REDIRECT
                                                           Value: Demo-Self-Reg
Display Certificates Renewal Message                       [X]
Static IP/Host name                                        [ ]
Suppress Profiler CoA for endpoints in Logical Profile     [ ]

Step 30 Scroll down and click Submit.


Step 31 Navigate to Policy > Policy Sets and access the Wireless_Access policy set.
Step 32 Expand the Authorization Policy.
Step 33 At the end of the line for the Hotspot rule, click the gear icon and select Insert
new row above.
Step 34 Create the new rule to match the following Authorization Policy rule.
Self-Registration Authorization Policy

Attribute                                                  Value
Rule Name                                                  Self-Registration
Conditions (identity groups and other conditions)          Airespace:Airespace-Wlan-Id EQUALS 3
Results (Profiles)                                         Self-Registration Portal

Step 35 Click Use at the end of the line.


Step 36 Disable the Hotspot rule.
Step 37 Verify your configuration with the following screenshot.

Step 38 Scroll down and click Save.
Test Access
Step 39 On your W10PC-Corp access your Tablet according to your lab specific
instructions.

Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.

Step 40 Navigate to WLAN.


Step 41 From the list identify your hotspot SSID you used previously.
Step 42 At the bottom, click FORGET in order to clear any previous cached settings or
credentials.
Step 43 Turn off Wi-Fi.
Step 44 Return to the Cisco ISE admin portal.
Step 45 Navigate to Context Visibility > Endpoints.
Step 46 Select the Tablet and then Delete it using the toolbar. Confirm Yes to delete.

Note You may have to manually clear the client from the WLC (navigate to WLC GUI >
Monitor > Clients, click on the client to be cleared > Remove) if you perform these steps
quickly, as the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.



Step 47 Access the Tablet and enable the Wi-Fi.
Step 48 Access the Guest SSID for your pod.
Step 49 Open a browser and try to browse to cisco.com.
Step 50 You are automatically redirected to the ISE hotspot portal.

Step 51 Use your mouse to scroll down to the bottom and click Or register for guest
access.

Step 52 Create an account using the following information.
Create Guest Account

Attribute                                                  Value
Username
First name                                                 John
Last name                                                  Watson
Email address                                              guest@demo.local
Phone number
Company                                                    Holmes Investigations
Location                                                   <SELECT YOUR LOCATION>
Person being visited (email)                               admin@demo.local
Reason for visit                                           Consultation
Person visiting                                            Mycroft



Step 53 Click Register.
Step 54 Observe your account details.

Step 55 Observe the details.


Step 56 Click I agree to the terms and then Sign On.
Step 57 Accept the AUP.
Step 58 In the Device Registration window Click No, skip registration.
Step 59 Now try to access Cisco.com. This should succeed.
Step 60 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 61 Navigate to Operations > Radius > Live Log and observe the authentication
records. Notice the first Self-Registration Portal access was based on the MAC
address and then the records switch to using the username identity with the Guest
Access Authorization Profile match.

Step 62 Navigate to Context Visibility > Endpoints.


Step 63 Find the Tablet's MAC address and click it.

Step 64 Scroll down the Attributes list and observe the following fields which now
provide more meaningful information about the endpoint instead of just a MAC
address.

Activity Verification
You have completed this task when you attain these results:
• You have created a guest self-registration portal.
• You have configured and customized the self-registration portal.
• You have configured a self-registration authorization profile.
• You have modified the authorization policy for self-registration access.
• You have accessed the open SSID network and processed through the self-registration guest
flow.
• You have observed the authentication process and records in Cisco ISE.



Task 3: Enabling Self-Registration with Sponsor Approval
(Optional)
In this task, you will enable self-registration with the requirement of obtaining sponsor
approval before access is granted to the network.

Activity Procedure
Complete these steps:
Remove Endpoint from Cisco ISE
Step 1 On your W10PC-Corp, access your Tablet according to your lab specific
instructions.
Step 2 Navigate to WLAN.
Step 3 Turn off Wi-Fi.
Step 4 Return to the Cisco ISE admin portal.
Step 5 In Cisco ISE, navigate to Context Visibility > Endpoints and then in the left
pane select Endpoints.
Step 6 Select the Tablet and then delete (Click Trash > Selected) it using the toolbar.
Confirm YES to delete.

Note You may have to manually clear the client from the WLC if you perform these steps
quickly, as the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.

Modify Self-Registration portal to require Sponsor Approval


Step 7 Navigate to Work Centers > Guest Access > Portals & Components.
Step 8 In the left pane, click Guest Portals.
Step 9 In the right pane, activate or select the Demo-Self-Reg by left-clicking on the
blue area with no text (see screenshot below). The box will turn a darker blue
once selected.

Step 10 In the toolbar click Duplicate.
Step 11 Once the duplication process is complete, click the Demo-Self-Reg_Copy1
portal to edit it.
Step 12 In the Portals Settings and Customization window modify the following
settings only:
Self-Registration Portal Settings and Customization

Attribute                                                  Value
Portal Name                                                Demo-Self-Reg-Approval-Required
Description                                                The Demo Self-Registration Portal

Portal Behavior and Flow Settings

Registration Form Settings
Require guest to be approved                               [X]
Email approval request to                                  sponsor email addresses listed below
                                                           sponsor@demo.local

Step 13 Scroll up and click Save then Close.


Step 14 Use the shortcut hyperlink at the bottom of the page to create an Authorization
profile.

Step 15 Select Self-Registration Portal and then click Duplicate in the tool bar.
Step 16 Modify the authorization profile according to the table below.
Self-Registration with Approval Authorization Profile

Attribute Name                                             Value
Name                                                       Self-Registration Portal with Approval

Common Tasks
Web Redirection                                            Centralized Web Auth
                                                           ACL: ACL-WEBAUTH-REDIRECT
                                                           Value: Demo-Self-Reg-Approval-Required
Display Certificates Renewal Message                       [X]
Static IP/Host name                                        [ ]
Suppress Profiler CoA for endpoints in Logical Profile     [ ]



Step 17 Scroll down and click Save.
Step 18 Navigate to Policy > Policy Sets and access the Wireless_Access policy set.
Step 19 Expand Authorization Policy.
Step 20 At the end of the line for the Self-Registration rule, click the gear icon and select
Insert new row above.
Step 21 Create a new rule to match the following Authorization Policy rule.
Self-Registration with Approval Authorization Policy

Attribute                                                  Value
Rule Name                                                  Self-Reg with Approval
Conditions (identity groups and other conditions)          Airespace:Airespace-Wlan-Id EQUALS 3
Results (Profiles)                                         Self-Registration Portal with Approval

Step 22 Click Use at the end of the line.


Step 23 Disable the Self-Registration rule.
Step 24 Verify your configuration with the following screenshot.

Step 25 Scroll down and click Save.


Test Access
Step 26 On your W10PC-Corp access your Tablet according to your lab specific
instructions.

Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.

Step 27 Navigate to WLAN.


Step 28 Enable the Wi-Fi. Your Tablet should associate to the ##-guest SSID.

Step 29 Open a browser.
Step 30 If you are not automatically redirected to the ISE Self-Registration portal, type in
cisco.com, for example.
Step 31 On the Sponsored Guest Portal Page, use your mouse to scroll down to the
bottom and click Or register for guest access.
Step 32 Create an account using the following information.
Create Account

Attribute                                                  Value
Username
First name                                                 Sherlock
Last name                                                  Holmes
Email address                                              guest@demo.local
Phone number
Company                                                    Holmes Investigations
Location                                                   <Your Location>
Person being visited (email)                               admin@demo.local
Reason for visit                                           To find Watson!
Person visiting                                            Mycroft



Step 33 Click Register.
Step 34 Note that your account is created but there are no credentials. Select the checkbox
to agree to the terms and conditions, then click Sign On.

Step 35 Since you have no credentials, username and password, you are unable to sign in.
Step 36 Return to the Cisco ISE admin portal.
Step 37 Navigate to Work Centers > Guest Access > Manage Accounts.
Step 38 Click the Managed Accounts button.
Step 39 The default sponsor portal opens in a new tab. Notice at the top, under Pending
Accounts, the 1 in parentheses (1), indicating an account pending approval.

Step 40 Click the tab Pending Accounts and observe the guest account pending approval.
Step 41 Select the account and click Approve.

Step 42 Enter the email address sponsor@demo.local and click OK to approve the
account.

Note If the approval popup won’t close when you click OK, please use Internet Explorer for this
task.

Step 43 Click Manage Accounts and click the Sherlock Holmes (sholmes) account to
view the username and the password.
Step 44 Return to the Tablet and in the browser enter your credentials. It may be
necessary to refresh or retry as your portal session may have timed out. Scroll to
the bottom of the AUP, click that you accept the AUP, and then click Sign On at
the bottom.

Note If you timed out, just login after clicking Retry.

Step 45 In the Device Registration window, click No, skip registration.


Step 46 Now try to visit Cisco.com. This should succeed.
Step 47 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 48 Navigate to Operations > Radius > Live Logs and observe the authentication
records.



Activity Verification
You have completed this task when you attain these results:
• You have created a guest self-registration portal with the requirement of guest accounts
having sponsor approval.
• You have configured a self-registration with approval authorization profile.
• You have modified the authorization policy for self-registration with approval access.
• You have accessed the open SSID network and processed through the self-registration
guest flow.
• You have logged into the sponsor portal and approved the pending account.
• You have logged in as the guest with the approved account credentials.
• You have observed the authentication process records in Cisco ISE.

Task 4: Sponsored Guest Logins
In this task, you will perform sponsored guest account operations. You will create the
accounts as a sponsor and then provide the account information to the guest.

Activity Procedure
Complete these steps:
Remove Endpoint from Cisco ISE
Step 1 On your W10PC-Corp access your Tablet according to your lab specific
instructions.
Step 2 Navigate to WLAN.
Step 3 Turn off Wi-Fi.
Step 4 Return to the Cisco ISE Admin portal.
Step 5 Navigate to Context Visibility > Endpoints.
Step 6 Select the Tablet and then Delete (click Trash > Selected) it using the toolbar.
Confirm YES to delete.

Note You may have to manually clear the client from the WLC if you perform these steps
quickly, as the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.

Configure Guest Portal


Step 7 Navigate to Work Centers > Guest Access > Identities and select Identity
Source Sequence.
Step 8 Select Guest_Portal_Sequence and click the Edit button.
Step 9 Adjust the sequence to the following screenshot:



Step 10 Click the Save button.
Step 11 Navigate to Guest Access > Portals & Components.
Step 12 In the left pane, click Guest Portals.
Step 13 In the right pane, activate or select the Sponsored Guest Portal (default) by left-
clicking on the blue area with no text (see screenshot below). The box will turn a
darker blue once selected.
Step 14 In the toolbar click Duplicate.
Step 15 Once the duplication process is complete, click the Sponsored Guest Portal
(default)_copy1 portal to edit it.
Step 16 In the Portals Settings and Customization window modify the following
settings only:
Sponsored Portal Settings and Customization

Attribute                                                  Value
Portal Name                                                Demo-Sponsored
Description                                                The Demo Sponsored Guest Portal

Portal Behavior and Flow Settings

Portal Settings
HTTPS Port                                                 8443
Allowed interfaces                                         Gigabit Ethernet 0
Certificate group tag                                      ISE Lab CGT
Identity source sequence                                   Guest_Portal_Sequence
Employees using this portal as guest inherit login options from   Weekly (default)
Display language                                           Use browser locale

Login Page Settings
Require an access code                                     [ ]
Maximum failed login attempts before rate limiting         5
Time between login attempts when rate limiting             2
Include in AUP page                                        [X] on page
Require acceptance                                         [X]
Require scrolling to the end of AUP                        [ ]
Allow guest to create their own accounts                   [ ]
Allow social login                                         [ ]
Allow guest to change password after login                 [X]

Acceptable Use Policy (AUP) Page Settings
Include in AUP page                                        [X]
Use different AUP for employees                            [ ]
Skip AUP for employees                                     [ ]
Require scrolling to end of AUP                            [ ]
Show AUP                                                   On first login only

Guest Change Password Settings
Require guest to change password at first login            [ ]

Guest Device Registration Settings
Automatically register Guest devices                       [X]
Allow guests to register devices                           [ ]

BYOD Settings
Allow employees to use personal devices on the network     [ ]
Endpoint identity group                                    RegisteredDevices
Allow employees to choose to guest access only             [ ]
Display Device ID field during registration                [ ]
After successful device configuration take employee to     Success page

Guest Device Compliance Settings
Require guest device compliance                            [ ]

Post-Login Banner Page Settings
Include Post-Login Banner page                             [ ]

VLAN DHCP Release Page Settings
Enable VLAN DHCP release                                   [ ]
Delay to release                                           1
Delay to CoA                                               8
Delay to renew                                             12

Authentication Success Settings
Once authenticated, take guest to                          URL http://www.cisco.com/go/ise

Support Information Page Settings
Include Support Information page                           [ ]
Fields to include                                          [X] MAC address, [X] IP address, [X] Browser user agent,
                                                           [X] Policy server, [X] Failure code
Empty fields                                               Hide field



Step 17 Scroll up and click Save.
Step 18 Examine the Guest Flow and when you are comfortable in your understanding of
the flow continue to the next step.

Step 19 Click the Close button.


Step 20 Use the shortcut hyperlink at the bottom of the page to create an Authorization
profile.

Step 21 Create the authorization profile according to the table below.

Sponsored Portal Authorization Profile

Attribute Name                                             Value
Name                                                       Sponsored Portal

Common Tasks
Web Redirection                                            Centralized Web Auth
                                                           ACL: ACL-WEBAUTH-REDIRECT
                                                           Value: Demo-Sponsored
Display Certificates Renewal Message                       [X]
Static IP/Host name                                        [ ]
Suppress Profiler CoA for endpoints in Logical Profile     [ ]

Step 22 Scroll down and click Submit.


Step 23 Navigate to Policy > Policy Sets and access the Wireless_Access policy set.
Step 24 Expand the Authorization Policy.
Step 25 At the end of the line for the Hotspot rule, click the gear icon and select Insert
new row above.
Step 26 Create a new rule to match the following Authorization Policy rule.
Sponsored Portal Authorization Policy

Attribute                                                  Value
Rule Name                                                  Sponsored Portal
Conditions (identity groups and other conditions)          Airespace:Airespace-Wlan-Id EQUALS 3
Results (Profiles)                                         Sponsored Portal

Step 27 In the case you did the previous task, disable the Self-Reg with Approval rule.
Step 28 Verify your configuration with the following screenshot.



Step 29 Scroll down and click Save.
Sponsor Group Modification
Step 30 Navigate to Work Centers > Guest Access > Identities and then click Identity
Source Sequence.
Step 31 Select Sponsor_Portal_Sequence and click the Edit button.

Step 32 Select in the left panel demo.local and move the authentication source to the right
panel.

Step 33 Click the Save button.
Step 34 Return to Work Centers > Guest Access > Portals & Components.
Step 35 In the left pane select Sponsor Groups.
Step 36 Select the ALL_ACCOUNTS (default) line in an open area (do not click any
text) and then click Duplicate in the toolbar above.
Step 37 Edit the ALL_ACCOUNTS (default)_copy1 Sponsor Group.
Step 38 Click the Members… button above the Sponsor Group Members section.

Step 39 In the pop-up window, on the Available User Groups side type Employees in the
search filter and click Search.
Step 40 Select the demo.local Employees group and move it to the Selected User Groups
side.



Step 41 Click OK.
Step 42 Modify the rest of this sponsor group according to the following table.
Sponsor Group

Attribute                                                  Value
Disable Sponsor Group                                      [ ]
Sponsor group name                                         DEMO_ALL
Description                                                All Guest Accounts for Local ALL_ACCOUNTS and demo.local Employees
Sponsor Group Members                                      ALL_ACCOUNTS (default)
                                                           demo.local:demo.local/HCC/Groups/Employees
This sponsor group can create accounts using these guest types   Contractor (default), Daily (default), Weekly (default)
Create Guest Types at                                      San Jose, <YOUR CLASS LOCATION>

Sponsor Permissions

Sponsor Can Create
Multiple guest accounts assigned to specific guests (Import)   [ ]
Limit to batch of                                          200
Multiple guest accounts to be assigned to any guests (Random)   [X]
Default username prefix                                    d-guest-
Allow sponsor to specify a username prefix                 [ ]
Limit to batch of                                          25
Start date cannot be more than # days into the future      [X] 31

Sponsor Can Manage                                         All guest accounts

Sponsor Can
Update guests' contact information (email, phone number)   [X]
View guests' passwords                                     [X]
Send SMS notifications with guests' credentials            [X]
Reset guests' account passwords                            [X]
Extend guest accounts                                      [X]
Delete guests' accounts                                    [X]
Suspend guests' accounts                                   [X]
Require sponsor to provide a reason                        [X]
Reinstate suspended guests' accounts                       [X]
Approve requests from self-registering guests              [X]
Any pending accounts                                       [X]
Only pending accounts assigned to this sponsor             [ ]
Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)   [ ]

Tip If you are having trouble selecting the Guest Types and/or the Locations, Save and
Close your work and open IE and edit this page in IE. When done, Save your work and
return to Firefox.

Step 43 Scroll up and click Save.


Customize Sponsor Portal
Step 44 Navigate to Work Centers > Guest Access> Portals & Components then select
Sponsor Portals.
Step 45 Select, not edit, the Sponsor Portal (default) portal.
Step 46 Click Duplicate in the toolbar above.
Step 47 Edit the Sponsor Portal (default)_copy1 portal.



Step 48 Modify the sponsor portal according to the settings below.
Sponsor Portal Settings and Customization

Attribute                                                  Value
Portal Name                                                DEMO Sponsor Portal
Description                                                DEMO Sponsor Portal

Portal Behavior and Flow Settings

Portal Settings
HTTPS Port                                                 8443
Allowed interfaces                                         Gigabit Ethernet 0
Certificate group tag                                      ISE Lab CGT
Fully qualified domain name (FQDN)                         sponsor.demo.local
Identity source sequence                                   Sponsor_Portal_Sequence
Idle timeout                                               10
Display language                                           Use browser locale
SSIDs available to sponsors                                <Your pod SSID if you configured it>

Login Settings
Maximum failed login attempts before rate limiting         5
Time between login attempts when rate limiting             2
Include an AUP                                             [ ] as link
Require acceptance                                         [ ]
Require scrolling to the end of AUP                        [ ]

Acceptable Use Policy (AUP) Page Settings
Include in AUP page                                        [ ]
Require scrolling to end of AUP                            [ ]
Show AUP                                                   On first login only

Sponsor Change Password Settings
Allow sponsor to change their own passwords                [ ]

Post-Login Banner Page Settings
Include Post-Login Banner page                             [ ]

Support Information Page Settings
Include Support Information page                           [ ]
Fields to include                                          [ ] MAC address, [ ] IP address, [ ] Browser user agent,
                                                           [ ] Policy server, [ ] Failure code
Empty fields                                               Hide field

Step 49 Scroll up and click Save and then Close.


Test Access
Step 50 On your W10PC-Corp access your Tablet according to your lab specific
instructions.

Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations in
troubleshooting.

Step 51 Navigate to WLAN


Step 52 Access the Tablet and enable the Wi-Fi. Your Tablet should associate to the ##-
guest SSID. If not, connect to the ##-guest SSID.
Step 53 Open a browser.
Step 54 If you are not automatically redirected to the ISE guest portal, type cisco.com, for
example.
Step 55 On the Sponsored Guest Portal Page use your mouse to scroll down to the bottom
and notice there is no link “Or register for guest access?”.
Step 56 Return to Firefox on the Admin PC.
Step 57 Open a new tab.
Step 58 Enter the URL https://sponsor.demo.local or use the sponsor bookmark on the
bookmark toolbar and press Enter.

Note If you get a security error from Firefox, use Internet Explorer for this task.



Step 59 Notice that the Sponsor Portal with new logo is shown and that Cisco ISE
automatically redirected the URL to port 8443.

Step 60 Log in with the domain credentials in UPN format employee1@demo.local /
1234QWer
Step 61 Under Create Accounts in the Guest Information section click Random and
observe the Username prefix is pre-populated with d-guest- as per the policy
you created earlier.

Step 62 Return to your Tablet and navigate to WLAN.


Step 63 From the list identify your pod ##-guest SSID.
Step 64 At the bottom, click FORGET in order to clear any previous cached settings or
credentials.
Step 65 Click the pod##-wpa2e SSID.
Step 66 Enter employee1@demo.local as Identity and 1234QWer as the password and
leave all other parameters at their defaults. Then click CONNECT.
Step 67 Open a browser and navigate to https://sponsor.demo.local
Step 68 Accept any certificate warning by continuing via Advanced > Proceed to
sponsor.demo.local.
Step 69 Log in with the domain credentials in UPN format employee1@demo.local /
1234QWer

Step 70 Observe the Sponsor Portal on the tablet.

Step 71 On Create Accounts, click the button.
Step 72 Select Weekly as the Guest type and click Next.
Step 73 Click Random under Guest Information.
Step 74 Use the following information to create two guest accounts.
Create Random Accounts

Attribute                  Value
Number of accounts         2
Username prefix            <LEAVE DEFAULT> d-guest-
Group tag
Language                   English - English
Duration                   2
From Date (yyyy-mm-dd)     <ENTER TODAY'S DATE>
From Time                  06:00
To Date (yyyy-mm-dd)       <ENTER TOMORROW'S DATE>
To Time                    19:00
Location                   <SELECT YOUR CLASS LOCATION>

Step 75 Click Create.


Step 76 Record the created guest account information below.
Created Guest Accounts

Username          Password
d-guest-
d-guest-

Step 77 On the Tablet, navigate to WLAN.
Step 78 From the list identify your pod ##-wpa2e SSID.
Step 79 At the bottom, click FORGET in order to clear any previous cached settings or
credentials.

Step 80 Click the ##-guest SSID for your pod to log back in as a guest.
Step 81 Open a browser and try to navigate to cisco.com, or trigger the web redirection by
browsing to 1.1.1.1.
Step 82 Log in with one of the d-guest- accounts that were created by the employee sponsor.
Step 83 Accept the AUP and click Sign On.
Step 84 Once logged in you should automatically be redirected to the Cisco ISE
product page.
Step 85 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 86 Navigate to Operations > RADIUS > Live Logs and observe the authentication records for
both the Sponsor Portal access and the guest access with the random guest account.

Activity Verification
You have completed this task when you attain this result:
 You have configured a Sponsored guest portal.
 You have customized the Sponsored guest portal.
 You have configured an authorization profile for the Sponsored guest portal.
 You have modified the authorization policy to utilize the Sponsored guest portal.
 You have created a new Sponsor Group that includes domain employees.
 You have customized the Sponsor Portal.
 You have accessed the network as a guest and see the sponsored guest portal.
 You have logged in and seen the desktop sponsor portal.
 You have logged in via the Tablet and seen the mobile sponsor portal.
 You have created random accounts on the mobile sponsor portal.
 You have logged in as a guest with a randomly generated guest account.
 You have observed the authentication process records in Cisco ISE.

Task 5: Guest Account Management via the Sponsor Portal
In this task, you will perform guest account management via the sponsor portal. You will
suspend and then reinstate an account, you will examine guest account properties, reset a
guest password, and you will then delete a guest account. Optionally, you will also send
guest account details via SMS.

Activity Procedure
Complete these steps:
Step 1 On the Admin PC access your Sponsor Portal Firefox tab.
Step 2 Log in with the domain credentials in UPN format employee1@demo.local /
1234QWer if your session is timed out.
Step 3 Click the Manage Accounts tab.
Step 4 Observe the accounts that you have created during this lab. Notice that one of the
random accounts sponsored by employee1 is in the state Created.

Step 5 Select that account and click Suspend.


Step 6 Notice in the pop-up window, you are prompted, Are you sure you want to
suspend the selected accounts? And then you are prompted for a reason for
suspension as per the policy you have configured in task 4.
Step 7 Enter the following reason, “Second guest did not show up for meeting” and
click OK.

Step 8 Notice that the state of the account is now Suspended.
Step 9 Reselect that account and notice that the only options now are Delete, Reinstate,
and Print.
Step 10 Click Reinstate and click OK when prompted for confirmation.
Step 11 Edit the first random account which has the state Active.
Step 12 Enter the first name “G” and last name “Lestrade” and the company
“Scotland Yard”.
Step 13 Click Save.
Step 14 Confirm your data-entry and click Done.
Step 15 On the random account with the state of Created, reset the password. When
prompted do not select Print, SMS and Email just click OK.
Step 16 Click the account name to view the new password. Then click Done.
Step 17 Observe the Time Left on the jwatson account.
Step 18 Select the jwatson account and click Extend.
Step 19 Notice that the maximum number of days is five. Enter 5 in the box and click
OK.
Step 20 Observe the extension of the time via the Time Left field.
Step 21 Select the random account with the state of Created and Delete the account.
Confirm the deletion by clicking OK.

Activity Verification
You have completed this task when you attain these results:
 You have suspended, reinstated, edited, reset the password, extended, and deleted guest
accounts via the sponsor portal

Lab 3-3: Create Guest Reports
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will run guest reports that are directly available from the Cisco ISE
dashboard. After completing this activity, you will be able to meet these objectives:
 Run guest reports from the Authenticated Guests dashlet
 Run guest reports from the Authenticated Guests dashlet sparklines

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC

Task 1: Running Reports from Cisco ISE Dashboard
In this task, you will run reports for guest access from the Cisco ISE dashboard.

Activity Procedure
Complete these steps:
Step 1 On the Admin PC, navigate to the Cisco ISE dashboard by clicking Home. This
area shows statistical data, which improves your ability to monitor and
troubleshoot your system. Dashboard elements show activity over 24 hours,
unless otherwise noted.

Step 2 Observe Authenticated Guests in the metrics dashlet area. It shows the number of
guests currently authenticated. Click the number “1” in this area.

Step 3 You will see some more detailed information about connected endpoints.
Following that will be a list of endpoints. You should have a guest user in this
list. Click the MAC address of that user.

Step 4 Notice the four tabs you can use to get more information about this endpoint. Leave it
on the Attributes tab for now, and scroll down to briefly review the types of information
available here. You should see attributes such as the following (the values shown are
merely examples; do not worry if yours do not match exactly):
 EndPointMatchedProfile: Android…
 GuestUserName: d-guest-xxxx
 IdentityGroup: GuestEndpoints
 OperatingSystem: Android X.X…
 PortalName: Demo-Sponsored

Step 5 Click the Authentication tab, scroll down, and peruse all the Authentication-
specific information available.

Step 6 Move back to the main Cisco ISE Administration page in the browser, and
Navigate to Home > Guests.
Step 7 You should see that 100 percent of your guests have a status of Connected. Click
the circular graphic in the Guest Status area.

Step 8 You should see something similar to the example shown. You can see graphics for GUEST
STATUS, GUEST TYPE, FAILURE REASON, and more. Following that, you see the list of
devices, along with their MAC addresses. Clicking a MAC address here brings you to the
same informational screen you just looked at.

Step 9 Navigate to Context Visibility > Endpoints. The page is similar to the Home
screen, except that context visibility pages:
 Retain your current context (browser window) when you filter the
displayed data
 Are more customizable
 Focus on Endpoint Data

Step 10 Click the Guest tab, as shown. Notice how it is similar to the information
displayed in the Home screen. However, a new tab did not open up. You stayed in
the same tab.
Step 11 Click the MAC address of your guest connection. Again, notice how the
information is similar to the Home screen, but new tabs do not open up.

Activity Verification
You have completed this task when you attain these results:
 You have successfully viewed multiple reports from the Cisco ISE home dashboard
page.

Lab 4-1: Configuring Profiling
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the Cisco ISE Profiler service and service settings. After
completing this activity, you will be able to meet these objectives:
 Enable the Profiler Service
 Enable the use of the Cisco Profiler Feed Service
 Configure the Cisco ISE NAD definitions for SNMP Profiling
 Configure global SNMP profiler settings
 Verify NAD configurations for profiling operations

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 W10PC-Corp
 vWLC

Command List
The table describes the commands that are used in this activity.
ISE Profiling CLI Commands

Command                                                     Description
show logging application ise-psc.log tail | include FEED    Observe Profiler Feed Service actions being
                                                            written to the log.

Task 1: Configuring Profiling in Cisco ISE


In this task, you will enable and configure profiling in Cisco ISE.

Activity Procedure
Complete these steps:
Verification of Endpoint Data
To configure profiling in Cisco ISE, access the Cisco ISE Work Centers to view the
necessary steps to prepare, define, and monitor your profiler service configuration.

Step 1 From the Admin PC, navigate to Work Centers > Profiler > Overview to view
the required configuration steps that are needed to enable and configure the
profiler service.

Step 2 In the lab, network devices and active directory configuration were done in
previous labs. Also, some preparation is required in this lab environment before
enabling the Profiler service. On your Admin PC in the Cisco ISE admin portal
navigate to Work Centers > Profiler > Endpoint Classification.
Step 3 Observe the endpoint assigned the Android Tablet endpoint profile. Scroll to the
right in the device list and observe which fields are present and which are not.

Step 4 Select the Android tablet endpoint, click Edit, then click Other Attributes and
observe the attribute list data.

Note Notice that the EndPointSource attribute is “Radius Probe” and the MatchedPolicy is
Android. This is the inherent HTTP profiling, which automatically profiles an endpoint from
the basic data of the OUI and the HTTP data received at any ISE portal, even before the
Profiler service is enabled.

Clean Endpoint data from ISE before Enabling Profiling
Step 5 Return to your Tablet.
Step 6 From the list identify your Pod##-guest SSID.
Step 7 At the bottom right, click FORGET to clear any previous cached settings or
credentials
Step 8 Return to the Cisco ISE Admin Portal on the Admin PC
Step 9 Navigate to Work Centers > Profiler > Endpoint Classification.
Step 10 Select the Tablet and then Delete it using the toolbar. Confirm Yes to delete.
Enable Profiling Service
Step 11 Navigate to Administration > System > Deployment (Or Work Centers >
Profiler > Deployment).
Step 12 In the right pane select your ISE node to edit it.
Step 13 At the bottom under Policy Service, select Enable Profiling Service.

Step 14 In the right pane, observe that the Profiling Configuration became available after
selecting the Enable Profiling Service feature. Select the Profiling
Configuration.
Step 15 Enable the following probes:
 DHCP
 HTTP
 RADIUS
 Network Scan (NMAP)
 SNMPQUERY

Step 16 Scroll down and click Save.
Step 17 Click OK on the pop-up window notifying you of the Policy Service persona
change.

Step 18 After a few minutes log back into the ISE admin portal using the credentials
Admin / 1234QWer. You can check the status from the ISE CLI with the
command, show application status ise, and noticing the Application Server
status.

Activity Verification
You have completed this task when you attain these results:
 You have observed the default profile information of the Tablet endpoint.
 You have deleted the endpoint from Cisco ISE.
 You have enabled the Profiler Service.

Task 2: Configure the Feed Service
In this task, you will enable and configure notification settings for the Cisco Profiler Feed
Service. You will also force a manual update.

Activity Procedure
Complete these steps:
Step 1 In the ISE admin portal, navigate to Administration > Feed Service > Profiler
(Or Work Centers > Profiler > Feeds).
Step 2 Select the checkbox for Enable Online Subscription Update, if not checked.
Step 3 Read the notification and click OK.

Step 4 Enable notification when a download occurs and use the email address
admin@demo.local

Step 5 Scroll down and click Save.


Step 6 Test the connection to feed service. Click the button Test Feed Service
Connection.

Step 7 Now click the Update Now button.
Step 8 Click Yes on the pop-up.

Step 9 You should briefly see a Server Response in the lower right-hand corner that
indicates the FeedService was successfully started.

Note The update process will take some time. At least 30-45 minutes.

Tip You can verify the operation of the Feed Service via the ISE console by using the
following command:

ise-1# show logging application ise-psc.log tail | include FEED

Tip Lines with FEEDMANUALDOWNLOAD are logs generated from a manual Update Now
process.

Tip Lines with FEEDAUTOMATICDOWNLOAD are logs generated from the scheduled
process.
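The following Python script is an added example for this guide, not part of the original lab or of Cisco ISE. It parses constructed log lines in the general shape of ise-psc.log entries (only the FEEDMANUALDOWNLOAD and FEEDAUTOMATICDOWNLOAD markers are the ones the tips above refer to; timestamps, thread names, class names and message text are made up) and reports how many manual and scheduled feed events were seen, whether the manual download completed, how long it ran, and any ERROR entries.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the general shape of ise-psc.log entries. Only the
# FEEDMANUALDOWNLOAD / FEEDAUTOMATICDOWNLOAD markers come from the lab guide;
# timestamps, thread names, class names and message text are made up.
SAMPLE_LOG = """\
2018-05-14 09:02:11,412 INFO  [pool-3-thread-1][] cisco.profiler.feed.FeedManager -:::- FEEDMANUALDOWNLOAD: starting manual feed download
2018-05-14 09:02:13,005 INFO  [pool-3-thread-1][] cisco.profiler.feed.FeedManager -:::- FEEDMANUALDOWNLOAD: connected to feed server
2018-05-14 09:41:27,880 INFO  [pool-3-thread-1][] cisco.profiler.feed.FeedManager -:::- FEEDMANUALDOWNLOAD: download completed, applying profiling policies
2018-05-15 01:00:00,017 INFO  [FeedScheduler][] cisco.profiler.feed.FeedManager -:::- FEEDAUTOMATICDOWNLOAD: starting scheduled feed download
2018-05-15 01:00:02,301 ERROR [FeedScheduler][] cisco.profiler.feed.FeedManager -:::- FEEDAUTOMATICDOWNLOAD: unable to reach feed server, will retry
2018-05-15 01:05:09,940 INFO  [admin-http-pool5][] cisco.ise.portal.AdminPortal -:::- administrator login from 10.1.100.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+(?P<level>[A-Z]+)\s+"
    r".*?(?P<kind>FEEDMANUALDOWNLOAD|FEEDAUTOMATICDOWNLOAD):\s*(?P<msg>.*)$"
)


def parse_feed_events(text):
    """Return one dict per feed-related line; lines without a FEED marker are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "level": m["level"],
            "kind": m["kind"],
            "msg": m["msg"],
        })
    return events


def summarize_feed(events):
    """Counts per trigger, whether the manual update finished, how long it ran, and any errors."""
    counts = Counter(e["kind"] for e in events)
    manual = [e for e in events if e["kind"] == "FEEDMANUALDOWNLOAD"]
    span = int((manual[-1]["ts"] - manual[0]["ts"]).total_seconds()) if manual else 0
    return {
        "manual": counts["FEEDMANUALDOWNLOAD"],
        "automatic": counts["FEEDAUTOMATICDOWNLOAD"],
        "manual_completed": any("completed" in e["msg"].lower() for e in manual),
        "manual_seconds": span,
        "errors": [(e["kind"], e["msg"]) for e in events if e["level"] == "ERROR"],
    }


if __name__ == "__main__":
    for key, value in summarize_feed(parse_feed_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

To use it against a live node, save the output of the command above to a file and pass its contents to parse_feed_events in place of SAMPLE_LOG; a manual update that never reaches a "completed" line within the 30-45 minutes the Note mentions, or any ERROR entry, is what to look for.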

Step 10 Continue to the next task.

Activity Verification
You have completed this task when you attain this result:
 You have successfully enabled the Cisco ISE Profiler Feed Service

Task 3: Configuring Profiling in Cisco ISE
In this task, you will modify the NAD definition configuration for profiling in Cisco ISE.

Activity Procedure
Complete these steps:
Configure Cisco ISE NAD configuration for Profiling
Step 1 Navigate to Administration > Network Resources > Network Devices (or
Work Centers > Network Access > Network Resources > Network Devices).
Step 2 Click the 3k-access switch to edit the NAD profile.
Step 3 Configure the following settings:

Attribute              Value
SNMP Settings          Enabled
SNMP Version           2c
SNMP RO Community      ISEisC00L
Polling Interval       600
Link Trap Query        Unchecked
MAC Trap Query         Unchecked

Step 4 At the bottom of the section set the Originating Policy Services Node to ise-1.

Tip While not a mandatory step in the lab topology with a single ISE node, setting the
Originating Policy Service Node for SNMP profiling to the node closest to the NAD is a
best practice and a tuning configuration, especially in a larger or geographically
dispersed ISE deployment.

Step 5 Scroll down and click Save.


Step 6 Return to the list of Network Devices.

Step 7 Perform the same modification using the same values to the pod vWLC.
Modify Profiler Configuration
Step 8 Navigate to Work Centers > Profiler > Settings in the left pane select Profiler
Settings.
Step 9 Modify the Profiler Configuration according to the following table:

Attribute                                         Value
CoA Type                                          Reauth
Change custom SNMP community strings              ISEisC00L
Confirm change custom SNMP community strings      ISEisC00L
EndPoint Attribute Filter                         Disabled
Enable Anomalous Behaviour Detection              Disabled
Enable Anomalous Behaviour Enforcement            Disabled

Step 10 Click Save.


Verify Profiler Exception Action
Step 11 Navigate to Work Centers > Profiler > Policy Elements and in the left pane
select Exception Actions.
Step 12 Click FirstTimeProfile to view the action details.
Step 13 Observe that the COA Action is Force COA. This occurs when an endpoint whose
profile is Unknown is profiled for the first time.

Note This is the default action for all the Cisco provided exception actions.

Activity Verification
You have completed this task when you attain these results:
 You have modified the NAD configuration for SNMP polling.
 You have observed the default profile configuration and enabled the HTTP probe.
 You have modified the profiler configuration to enable CoA and modify the default
SNMP string to ISEisC00L.
 You have observed the profiler exception actions.

Task 4: NAD Configuration for Profiling
In this task, you will verify the profiling configuration on your pod WLC and 3k-access
switch. Your pod's NADs are already preconfigured.

Activity Procedure
Complete these steps:
Step 1 On your Admin PC in Firefox, open a new tab.
Step 2 Click the vwlc bookmark in the toolbar.
Step 3 Login with the credentials Admin / 1234QWer.
Step 4 Navigate to the WLANs tab.
Step 5 Click WLAN ID 1.
Step 6 Click the Advanced tab.
Step 7 Scroll down to the right-hand side section Radius Client Profiling.
Step 8 Verify both DHCP Profiling and HTTP Profiling are enabled.

Step 9 Click Apply at the top and click OK to the pop-up message.
Step 10 Click the < Back button.
Step 11 Verify the same configuration on your other WLANs (2 & 3).
Step 12 Return to the ISE Admin Portal tab.
Step 13 Access your 3k-access switch.
Step 14 Run the following commands to see the preconfigured SNMP configuration.

3k-access# sh run | section snmp-server
snmp-server community ISEisC00L RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.1.100.21 version 2c ISEisC00L mac-notification snmp

3k-access# sh run | section mac
snmp trap mac-notification change added
snmp trap mac-notification change added
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.1.100.21 version 2c ISEisC00L mac-notification snmp
mac address-table notification change interval 0
mac address-table notification change
mac address-table notification mac-move

Note You may notice that the switch is configured for SNMP trap functionality. The switch
configuration is used for multiple classes. Some of which use the SNMP trap
functionality. Since the switch is preconfigured, if you desire to explore this functionality
after your lab is complete, all you would need to do is enable the SNMP trap probe and
enable the trap query functionality in your Cisco ISE NAD SNMP definition.

Step 15 Run the following commands to see the preconfigured ip helper-address
configuration for the ACCESS VLAN 10 and the GUEST VLAN 50, which send DHCP
packets to both the DHCP server and the ISE node.

3k-access# show run interface vlan 10
3k-access# show run interface vlan 50

3k-access# sh run interface vlan 10
Building configuration...

Current configuration : 142 bytes
!
interface Vlan10
 description ACCESS
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.21
end

3k-access# sh run interface vlan 50
Building configuration...

Current configuration : 141 bytes
!
interface Vlan50
 description GUEST
 ip address 10.1.50.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.21
end
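The following Python script is an added example for this guide, not part of the original lab or of any Cisco product. It checks a saved IOS running configuration for the four things this task verifies by eye: an SNMP RO community that matches the one entered in the ISE NAD definition, mac-notification traps with the ISE node as trap host, the mac address-table notification commands, and an ip helper-address pointing at the ISE PSN on every SVI that relays DHCP. The sample configuration is constructed from the fragments shown above with two deliberate changes, labelled in the comments, so the check has something to report.

```python
import re

# Constructed sample assembled from the configuration fragments shown above.
# Two deliberate differences from the lab switch: the ISE helper-address was
# left off Vlan50 so the check reports it, and a made-up Vlan100 SVI without
# any DHCP relay was added to show that such SVIs are not flagged.
SWITCH_CONFIG = """\
snmp-server community ISEisC00L RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.1.100.21 version 2c ISEisC00L mac-notification snmp
mac address-table notification change interval 0
mac address-table notification change
mac address-table notification mac-move
!
interface Vlan10
 description ACCESS
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.21
!
interface Vlan50
 description GUEST
 ip address 10.1.50.1 255.255.255.0
 ip helper-address 10.1.100.10
!
interface Vlan100
 description SERVERS
 ip address 10.1.100.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Map each interface name to its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def check_profiling_config(config, psn_ip, community):
    """Return a list of findings; an empty list means the NAD is ready for SNMP and DHCP profiling."""
    findings = []
    if not re.search(rf"^snmp-server community {re.escape(community)} RO\b", config, re.M):
        findings.append(f"SNMP RO community {community} not configured")
    if not re.search(r"^snmp-server enable traps mac-notification change", config, re.M):
        findings.append("mac-notification traps not enabled")
    if not re.search(r"^mac address-table notification change$", config, re.M):
        findings.append("mac address-table notification change not enabled")
    if not re.search(rf"^snmp-server host {re.escape(psn_ip)} version 2c {re.escape(community)} .*mac-notification",
                     config, re.M):
        findings.append(f"no mac-notification trap host for {psn_ip}")
    # Every SVI that relays DHCP must also relay to the PSN, or the DHCP probe never sees those clients.
    for name, lines in parse_interfaces(config).items():
        helpers = [l.split()[-1] for l in lines if l.startswith("ip helper-address ")]
        if helpers and psn_ip not in helpers:
            findings.append(f"{name} relays DHCP to {', '.join(helpers)} but not to ISE PSN {psn_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_profiling_config(SWITCH_CONFIG, "10.1.100.21", "ISEisC00L"):
        print("FINDING:", finding)
```

Against the sample, the only finding is the missing helper on Vlan50; against the real lab switch (paste the output of show running-config into SWITCH_CONFIG) the list should be empty. Note that a community string mismatch produces two findings at once, because the trap-host line carries the same string.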

Step 16 Enable interface GigabitEthernet1/0/2 with a no shutdown command to prepare it for
the next lab.

Activity Verification
You have completed this task when you attain these results:
 You have verified the WLC WLAN configurations for DHCP and HTTP profiling.
 You have verified the 3k-access configuration for SNMP and DHCP profiling.

Lab 4-2: Customizing the Cisco ISE Profiling
Configuration
Complete this lab activity to practice what you learned in the related module.
In this activity, you will configure the Cisco ISE Profiler service to use profiling data to
make policy determinations. You will examine profiled endpoint data, create logical profiles,
and use that profile as an identity condition for authorization policy. Finally, you will create a
custom profiler policy based on observed endpoint data.

Activity Objective
In this activity, you will configure the Cisco ISE profiler service to use profiling data to
make policy determinations. After completing this activity, you will be able to meet these
objectives:
 Examine Endpoint profiled data
 Create a Logical Profile
 Utilize a Logical Profile as an Identity condition for authorization policy selection
 Create a custom profiler policy based on observed endpoint data.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC

Task 1: Examine Endpoint Data
In this task, you will examine the endpoint data collected since profiling was turned on in
Cisco ISE.

Activity Procedure
Complete these steps:
Step 1 On your Admin PC in the Cisco ISE Admin portal navigate to Work Centers >
Profiler > Endpoints Classification (Or Context Visibility > Endpoints).
Step 2 Observe the list of endpoints that have been learned since profiling was enabled.
You may have more than one page to view; use the arrows in the upper right near the
Rows/Page column to view more pages. You can also sort on any heading in either
ascending or descending order.

Step 3 Click the endpoint profile for the Cisco-WLC endpoint.


Step 4 Observe the indicated attributes for this endpoint and that the EndPointSource is
the SNMP Query Probe. If you scroll down, you also observe CDP related
attributes as indicated in the second screenshot.

Step 5 Return to the Endpoint List.
Profile your pod Guest PC
Step 6 Access your W7PC-Guest.
Step 7 Log in with the credentials Administrator / 1234QWer.
Step 8 On the desktop double-click the Win7-Guest PC Network Connections icon or
alternately open the Control Panel and select View network status and tasks
under the Networking and Internet section. Click Change adapter settings.
Step 9 Observe the Win7pc-Guest-wired NIC is disabled.

Step 10 Enable the Win7pc-Guest-wired.


Step 11 Wait a moment for the NIC to come up.
Step 12 Right-click the NIC and choose Status.
Step 13 Click the Details button.
Step 14 Your machine should have an IP address in the 10.1.50.x network. Record the
Physical Address (MAC Address) below.
Physical Address:

Step 15 Close all open dialog boxes.


Step 16 Return to your admin PC and on your list of endpoints click the refresh button.

Step 17 You should now have at least one Microsoft-Workstation or VMware Device
endpoint profile added to your list.
Step 18 You should also see the Hostname and IP Address for this record in the list.

Step 19 Edit this endpoint profile to observe the endpoint attribute data.

Step 20 Observe that the attribute list contains much more data than seen before for other
endpoints. Pay particular attention to the following list of attributes:
 EndPointSource
 IdentityGroup
 MatchedPolicy
 NAS-Port-Id
 OUI
 Total Certainty Factor
 client-fqdn
 dhcp-class-identifier
 host-name
Step 21 Return to the Endpoint List.
Step 22 Disable the NIC on the W7PC-guest again.

Activity Verification
You have completed this task when you attain these results:
 You have observed the endpoint data that was automatically discovered via your profiler
configuration of the previous lab.
 You have brought online your pod Guest PC and observed the endpoint data associated
with its automatic profiling upon coming on to the network.

Task 2: Create a Logical Profile
In this task, you will create a logical profile that will be utilized in a future authorization
policy.

Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Profiling
Policies and then in the left pane select Logical Profiles.
Step 2 In the right pane click the +Add button.
Step 3 Create the following Logical Profile:

Attribute            Value
Name                 Approved_Smart_Devices
Description          Devices on the corporate approved Smart Devices list
Assigned Policies    Select all available Android-… policies

Step 4 Click Submit.

Activity Verification
You have completed this task when you attain this result:
 You have created a logical profile for corporate approved smart devices.

Task 3: Creating a New Authorization Policy using a Logical
Profile
In this task, you will create an authorization policy that maps the previously configured
logical profile to a fixed authorization profile.

Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Policy Sets
and enter the Wireless_Access policy set.
Step 2 Click the gear icon on the right to insert a new policy above the Guest Access
policy.
Smart Devices Authorization Policy

Attribute                                           Value
Rule Name                                           Smart Devices
Conditions (identity groups and other conditions)   EndPoints:LogicalProfile EQUALS Approved_Smart_Devices
Results (Profiles)                                  Guest Access

Step 3 Scroll down and click Save.

Activity Verification
You have completed this task when you attain this result:
 You have configured a Smart Devices authorization policy using the logical profile
corporately approved devices.

Task 4: Create a Custom Profile Policy
In this task, you will create a custom profiler policy for your pod vWLC.

Activity Procedure
Complete these steps:
Step 1 In your Cisco ISE admin portal navigate to Work Centers > Profiler >
Endpoints Classification.
Step 2 Find the VMWare-Device endpoint for your pod vWLC. Its IP address is 10.1.100.61. You
may instead have a VMWare-Device endpoint (endpoint profile Cisco-WLC) without an IP
address; try that endpoint.
Step 3 Observe the following endpoint attribute data. You will be using this data to
create a custom policy to automatically profile your pod vWLC.

Step 4 Navigate to Work Centers > Profiler > Profiling Policies.
Step 5 Click the +Add button in the right pane of Profiling Policies.
Step 6 Create the following policy. Verify your configuration with the screenshot before
submitting.

Cisco vWLC Profiling Policy

Attribute                    Value
Name                         Cisco-vWLC
Description                  Policy to detect Cisco vWLC
Minimum Certainty Factor     100
Parent Policy                VMWare-Device
Condition                    SNMP:sysDescr EQUALS Cisco Controller
                             AND
                             SNMP:sysObjectID EQUALS 1.3.6.1.4.1.9.1.1631
Certainty Factor Increase    100

Step 7 Click Submit.


Step 8 Return to Work Centers > Profiler > Endpoints Classification.
Step 9 In your Endpoints list you should now see an endpoint that has been assigned the
Cisco-vWLC endpoint profile. It may be necessary to click the refresh button in
the upper right of the list.

Step 10 Edit this endpoint.
Step 11 Observe the IdentityGroup has been set to Cisco-vWLC. This can now be
utilized in Authorization policies to assign specific authorization profiles if
desired.

Note Due to time constraints you will not be performing the task of setting an authorization
policy using the Identity Group. The process would be similar to creating the policy that
uses the Logical Profile; instead of creating a condition, you would select the Cisco-vWLC
Identity Group under Identity Groups.
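The following Python script is an added example for this guide, not Cisco ISE code. It is a simplified model of how the profiler arrives at the result you just observed: a policy matches when the certainty factor increases of its satisfied rules reach the policy's Minimum Certainty Factor, a child policy such as Cisco-vWLC is only evaluated once its parent (VMWare-Device) has matched, and the deepest match becomes the endpoint profile with the Total Certainty Factor summed along the path. The Cisco-vWLC policy and the vWLC attribute values are the ones from this task; the VMWare-Device and Cisco-Device entries are constructed stand-ins for the built-in policies, and the other endpoints are made up.

```python
# Simplified model of how the Cisco ISE profiler picks an endpoint profile,
# written for this guide as an illustration (not ISE code; it ignores
# exception actions, NMAP scan actions and feed-supplied policies):
#   - a policy matches when the certainty factors of its matching rules add up
#     to at least the policy's Minimum Certainty Factor;
#   - a child policy is only evaluated after its parent policy matched;
#   - the deepest matching policy becomes the endpoint profile, and the Total
#     Certainty Factor is the sum along that path.


def equals(attribute, value):
    return lambda ep: ep.get(attribute) == value


def contains(attribute, value):
    return lambda ep: value in ep.get(attribute, "")


def all_of(*conditions):
    return lambda ep: all(c(ep) for c in conditions)


# Policy name -> parent, Minimum Certainty Factor and (condition, CF increase) rules.
# Only Cisco-vWLC reproduces a policy from this lab; the other two are
# constructed stand-ins for the built-in policies of the same name.
POLICIES = {
    "VMWare-Device": {"parent": None, "min_cf": 10,
                      "rules": [(contains("OUI", "VMware"), 10)]},
    "Cisco-Device": {"parent": None, "min_cf": 10,
                     "rules": [(contains("OUI", "Cisco"), 10)]},
    "Cisco-vWLC": {"parent": "VMWare-Device", "min_cf": 100,
                   "rules": [(all_of(equals("sysDescr", "Cisco Controller"),
                                     equals("sysObjectID", "1.3.6.1.4.1.9.1.1631")), 100)]},
}


def policy_cf(name, endpoint):
    """Sum of the CF increases of the rules in `name` that the endpoint satisfies."""
    return sum(cf for condition, cf in POLICIES[name]["rules"] if condition(endpoint))


def match_under(endpoint, parent):
    """Best (policy, total CF) below `parent`; (parent, 0) when no child matches."""
    best_name, best_cf = parent, 0
    for name, policy in POLICIES.items():
        if policy["parent"] != parent:
            continue
        cf = policy_cf(name, endpoint)
        if cf < policy["min_cf"]:
            continue
        deeper_name, deeper_cf = match_under(endpoint, name)
        if cf + deeper_cf > best_cf:
            best_name, best_cf = deeper_name, cf + deeper_cf
    return best_name, best_cf


def profile_endpoint(endpoint):
    """Return (matched policy or 'Unknown', Total Certainty Factor)."""
    name, cf = match_under(endpoint, None)
    return (name if name else "Unknown", cf)


# Constructed endpoints; the vWLC attribute values are the ones observed in this task.
VWLC = {"OUI": "VMware, Inc.", "sysDescr": "Cisco Controller",
        "sysObjectID": "1.3.6.1.4.1.9.1.1631"}
PLAIN_VM = {"OUI": "VMware, Inc."}
VM_OTHER_SNMP = {"OUI": "VMware, Inc.", "sysDescr": "Cisco Controller",
                 "sysObjectID": "1.3.6.1.4.1.9.1.9999"}   # made-up OID, must not match

if __name__ == "__main__":
    for ep in (VWLC, PLAIN_VM, VM_OTHER_SNMP, {"OUI": "Dell Inc."}):
        print(profile_endpoint(ep))
```

The third endpoint shows why the lab sets the Minimum Certainty Factor to 100 and uses a single AND rule worth 100: a VMware guest that answers SNMP with a different sysObjectID stays at VMWare-Device instead of being promoted to Cisco-vWLC, so only the exact sysDescr and sysObjectID pair lands in the Cisco-vWLC identity group that the authorization policy would later trust.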

Activity Verification
You have completed this task when you attain these results:
 You have identified endpoint profile data that can be utilized to create a profile policy.
 You have created a custom profile policy utilizing the data.
 You have observed your custom profile policy being applied to your pod vWLC.

Task 5: Testing Authorization Policies with Profiling Data
In this task, you will access the network with your Tablet and match the previously
configured Smart Devices authorization policy.

Activity Procedure
Complete these steps:
Step 1 Access your pod Tablet.
Step 2 Navigate to WLAN.
Step 3 If you are still connected to any Pod## SSID, select it and click FORGET in
order to clear any previous cached settings or credentials.
Step 4 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 5 Navigate to Work Centers > Profiler > Endpoints Classification.
Step 6 Search for the Tablet by typing Android into the Endpoint Profile Search field.

Step 7 Select and then Delete (Trash > Selected) the Android using the toolbar.
Confirm Yes to delete.
Step 8 Go to your pod vWLC tab and remove all clients. (Monitor > Clients)
Step 9 Return to your Tablet.
Step 10 Click the ##-guest SSID for your pod.
Step 11 Open a browser and trigger the webauth by browsing to 1.1.1.1.
Step 12 Sign On with the credentials employee1@demo.local / 1234QWer.
Step 13 Return to the ISE Admin Portal, navigate to Operations > RADIUS > Live
Logs and observe the authentication records.

Step 14 Observe that the employee1 login was assigned the Guest Access Authorization
Profile.
Step 15 Click the authentication details for this record.
Step 16 Scroll down to the Other Attributes section and observe the LogicalProfile
attribute.

Note If you receive an error at this point, it is a known bug in ISE 2.3.

Step 17 Click Authentication in the top of the Window. Scroll up and observe the Steps
section. Look for the following two step entries towards the end, 15048 and
15004.

Step 18 Return to the Cisco ISE Admin portal.


Step 19 Navigate to Work Centers > Profiler > Endpoints Classification.
Step 20 Find and click the Tablet Endpoint Profile name or select the checkbox and click
Edit it in the toolbar.
Step 21 Observe the LogicalProfile assigned.

Step 22 Click Authentication in the top of the Window. Scroll up and observe the Steps
section. Look for the following two step entries towards the end, 15048 and
15004.

Step 23 This same information can also be found from the Home tab and selecting Active
Endpoints or Authenticated Guests. If time permits, take some time to explore
this resource as well by clicking either location, and examining the options, and
information available to you.

Discussion
The policy you just configured is a hardware-based policy. As you can see from the previous
task steps, the employee1 user logging in from a smart device was given Guest Access instead
of Wireless Employee Access. If the Smart Devices policy were truly an exclusive list of
approved devices allowed on the network, you could use the Approved_Smart_Devices logical
profile as an additional condition on each wireless authorization policy. Adding it as an
additional condition to the employees, contractors, and guests authorization policies would
limit those groups' ability to access the network: only successfully profiled hardware that
matches the individual or component policies of the Logical Profile would be permitted.
Remember also that policies are evaluated in top-down order. This policy was purposely
placed near the top to demonstrate this fact. Always consider context-based attributes and
information when creating policies.
Due to limited lab time in this five-day class, you will not be configuring your policies this
way. In the next steps, you will disable the Smart Devices authorization policy for
simplicity and to save time.
Disable the Logical Profile Authorization Policy
Step 24 Navigate to Work Centers > Profiler > Policy Sets and enter the
Wireless_Access policy set.
Step 25 Disable the Smart Devices authorization policy rule.
Step 26 Confirm that your policy is disabled and matches the following screenshot.

Step 27 Scroll down and click Save.

Activity Verification
You have completed this task when you attain these results:
 You have successfully connected to the network via your pod Tablet and matched the
authorization policy utilizing the Profiling Logical Profile condition configured earlier
in this lab.
 You have observed a Guest Access authorization profile assigned to an employee based
on this rule.
 You have read the Discussion section of this task.
 You have disabled the Authorization Policy which utilizes the Profiling Logical
Profile condition.



Lab 4-3: ISE Profiling Reports
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will run reports that focus on profiling data. After completing this
activity, you will be able to meet these objectives:
 Run Profiler Feed Reports
 Run Endpoint Profile Changes Reports
 Run Profiled Endpoints Summary Report
 Run profiling based reports from the Cisco ISE Dashboard

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC

Task 1: Run Cisco ISE Profiling Reports
In this task, you will run reports based on profiling data gathered in previous labs.

Activity Procedure
Complete these steps:
Step 1 In the ISE admin portal, navigate to Work Centers > Profiler > Feeds.
Step 2 Verify in the Update Information and Options section that a Latest applied feed
occurred.

Note If you have no timestamp indicating a successful update operation, you may have to
perform these steps at a later time. Please notify your instructor that your pod does not
have a timestamp.

Step 3 Click the Go to Update Report Page link as indicated in the above screenshot.
This will automatically run the Change Configuration Audit report from the
FeedService administrator.

Note If you receive the error message “Oops. Something is wrong”, that is a known bug in
ISE 2.3. Skip the next steps and jump to Task 2.

Step 4 Observe the details of the Added and Changed configurations. If you see no
entries, click Update Now on the Feed Service Configuration page again.

Step 5 Click one of the Added configuration (if available) event hyperlinks.
Step 6 Observe the details paying specific attention to any Object Names and the data in
the Modified Properties.
Step 7 Close this tab and return to the Change Configuration Audit report tab.



Step 8 Click one of the Changed configuration event hyperlinks.
Step 9 Observe the details for this event.
Step 10 Close this tab and then close the Change Configuration Audit report tab.
Step 11 Open Thunderbird.
Step 12 Navigate to the inbox of the admin@demo.local account and find the ISE System
Message: Feed OUI applied update email and open it.
Step 13 Observe the number of OUIs added and updated.

Note Your number of OUIs may vary depending upon the date of your class. This is an
indication of further updates since the above screenshot was taken.

Step 14 Return to the Inbox and open the ISE System Message: Feed policies applied
update email.
Step 15 Observe the number of feed policies applied.

Note Your number of policies may vary depending upon the date of your class. This is an
indication of further updates since the above screenshot was taken.

Step 16 Return to the ISE Admin Portal.

Activity Verification
You have completed this task when you attain these results:
 You have observed the Feed Service updates and changes.
 You have observed the email reports generated by the Feed Service.

Task 2: Endpoint Profile Changes Report
In this task, you will run reports that are related to profiled endpoints.

Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Profiler > Reports.
Step 2 In the Reports pane navigate to Profiler Reports > Endpoint Profile Changes.
Step 3 Filter the report using the Time Range of Last 7 Days.
Step 4 Compare the Endpoint Profile (Before) pie chart to the Endpoint Profile
(After) pie chart and observe the additional data as a result of enabling profiling.
Step 5 Scroll down to view a list of the Endpoint Profile Changes.
Step 6 Click a record detail to see which probe ran that caused the change.
Step 7 Return to the ISE Admin portal when done.
Profiled Endpoints Summary Report
Step 8 In the Reports pane navigate to Profiler Reports > Profiled Endpoint
Summary.
Step 9 Filter the report using the Time Range of Last 7 Days.
Step 10 Observe the Details and then the Raw details of a record.

Step 11 In the Raw details report page, click one of the Endpoint property hyperlinks and
observe the additional level of detail available in the pop-up message.

Step 12 Return to the ISE Admin portal when done.

Activity Verification
You have completed this task when you attain these results:
 You have run the Endpoint Profile Changes and Profiled Endpoints Summary reports, and
observed the data that is contained in those reports.



Task 3: Context Visibility Dashlet Reports
In this task, you will view the metrics available via the Context Visibility feature in the Cisco
ISE admin Portal.

Activity Procedure
Complete these steps:
Step 1 Navigate to the Context Visibility > Endpoints > Endpoints Classification tab.
Step 2 In the ENDPOINTS dashlet, click the new window icon to detach, and open the
dashlet in a new tab, to drill down for further details.

Step 3 In the new ENDPOINTS dashlet tab, click the Profile link to observe all profiled
endpoints that ISE has seen.

Step 4 Hover your mouse over any individual section of the circle graph and ISE will
display the number of devices in that category.

Step 5 Similarly, the Home > Summary > Endpoints page will display the same
information, and other summary information. Both Context Visibility and Home
pages can be customized to meet your needs. You can add new Dashboards, or
Dashlets, by clicking the gear icon in the upper right corner of the pane.

Step 6 Close all newly opened tabs and return to the ISE Admin portal when done.

Activity Verification
You have completed this task when you attain these results:
 You have run the Profiler Feed report.
 You have run the Endpoint Profile Changes report.
 You have run the Profiled Endpoints Summary report.
 You have observed the metrics on the home page and run a report from the Profiler
Activity dashlet.



Lab 5-1: BYOD Configuration
In this activity, you will configure Cisco ISE for BYOD onboarding. You will start by
creating a customized My Devices portal. Next, you will see how Cisco ISE can dramatically
reduce your operational overhead. You will configure a scenario in which certificates are
automatically provisioned via the Cisco ISE internal CA. These certificates will be deployed
via a Native Supplicant Provisioning profile, which you will define. You will configure a
certificate authentication profile, and this profile will use attributes from internally deployed
CA certificates. With all this in place, you will configure Cisco ISE authentication and
authorization policies for BYOD access. You will then use this configuration to onboard a
mobile BYOD device.

Activity Objective
In this activity, you will configure Cisco ISE for BYOD onboarding. After completing this
activity, you will be able to meet these objectives:
 Create a customized My Device portal
 Configure Cisco ISE to provision certificates via the internal CA and deploy those
certificates via a Native Supplicant Provisioning profile
 Configure a certificate authentication profile that utilizes the attributes from the
internally deployed CA certificates
 Configure Cisco ISE authentication and authorization policies for BYOD access
 Onboard a mobile BYOD device

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC



Task 1: Portal Provisioning
In this task, you will create a customized My Devices portal for employee device
management.

Activity Procedure
Complete these steps:
Portal Enablement
Step 1 Navigate to Work Centers > BYOD > Overview. Take a moment to review the
three major phases of BYOD configuration – Prepare, Define, Go Live and
Monitor.
Step 2 You have accomplished the “Prepare” phase items in previous labs. So, move on
to the “Define” phase by clicking the link for web portals. Then choose My
Devices Portals in the left column. You could also arrive here via Work Centers
> BYOD > Portals & Components > My Devices Portal, or via
Administration > Device Portal Management > My Devices.
Step 3 In the right pane click Create.
Step 4 Create the following portal.
My Devices Portal Settings and Customization

Attribute  Value

Portal Name  Demo – My Devices
Description  Device Portal for Demo Employees

Portal Behavior and Flow Settings

Portal Settings
HTTPS Port  8443
Allowed interface  Gigabit Ethernet 0
Certificate group tag  ISE Lab CGT
Fully qualified domain name (all FQDN)  mydevices.demo.local
Endpoint identity group  RegisteredDevices
Authentication method  MyDevices_Portal_Sequence
Idle timeout  10
Display language  Use browser locale

Login Page Settings
Maximum failed login attempts before rate limiting  5
Time between login attempts when rate limiting  2
Include AUP  [X] on page
Require acceptance  [X]
Require scrolling to the end of AUP  [ ]

Acceptable Use Policy (AUP) Page Settings
Include AUP page  [X]
Require scrolling to end of AUP  [ ]
Show AUP  On first login only

Post-Login Banner Page Settings
Include Post-Login Banner page  [X]

Employee Change Password Settings
Allow internal users to change their own passwords  [ ]

Support Information Page Settings
Include Support Information page  [X]
Fields to include  [X] MAC address
  [X] IP address
  [X] Browser user agent
  [X] Policy server
  [X] Failure code
Empty fields  Hide field

Step 5 Scroll up and click Save and then Close.

Tip Enabling the Support Information feature is an easy way to provide the end user with a
place to go to see their MAC address. Consider using some of the instructional or
optional fields on the My Devices and Add Devices page or others to provide this
information to the end user.

Note Later in the lab we will also be using a BYOD portal. For time's sake we will use the Cisco
default portal. If you want, you may optionally customize that portal by adding the same
images as above and saving the portal.

Portal Authentication Modification


Step 6 Navigate to Work Centers > BYOD > Identities > Identity Source Sequences.
Step 7 Edit the MyDevices_Portal_Sequence.
Step 8 Move All_AD_Join_Points to the top of the list in the Authentication Search
List Selected box in order to optimize processing, since most user accounts that
will be using this feature are located in Active Directory.

Step 9 Scroll down and click Save.


Portal Authentication Test
Step 10 Return to Work Centers > BYOD > Portals & Components > My Devices
Portals and edit the Demo – My Devices portal.
Step 11 At the top to the right of the Description field click the Portal test URL.



Note If Firefox returns an error, please access the portal with Internet Explorer.

Step 12 You should see the My Devices Portal that you previously configured.

Step 13 Login with the Active Directory user credentials employee1@demo.local /
1234QWer.
Step 14 Accept the AUP and click Sign On.
Step 15 Then press Continue.
Step 16 You have successfully logged into the My Devices Portal using Active Directory
credentials.

Step 17 Return to your Cisco ISE Admin portal.

Activity Verification
You have completed this task when you attain these results:
 You have created a custom My Devices portal for Demo employees.
 You have optimized the portal Authentication sequence processing by configuring it to
process AD accounts first.
 You have reviewed the customized My Devices portal via a desktop browser.



Task 2: Provisioning Configuration
In this task, you will configure certificate provisioning using the internal CA functionality
of Cisco ISE. You will then configure a supplicant provisioning policy utilizing that internal
CA provisioning configuration.
Cisco ISE comes with a default certificate template which could be used for BYOD. You
will use that default certificate template with a few modifications that are specific to this
deployment.

Note It is important that any time a default template is used, it is modified to fit the specific
installation environment.

Activity Procedure
Complete these steps:
Certificate Provisioning
Step 1 In your Cisco ISE admin portal, navigate to Administration > System >
Certificates and then in the left pane select Certificate Management > Trusted
Certificates.

Note Some trusted third-party CA certificates already exist. If you need other CA certificates,
you can import them in this section.

Step 2 In the left pane select Certificate Management > Certificate Signing Requests.
Step 3 Click Generate Certificate Signing Requests (CSR).
Step 4 Select ISE Root CA as the Usage.

Step 5 Click Replace ISE Root CA Certificate chain.


Step 6 Wait until Generation has finished.

Note Your ISE implements all CA functions and will act as the root CA, node CA, endpoint sub CA
and OCSP responder CA.

Step 7 Observe the Root CA certificate and the subordinate certificates generated.

Step 8 In your Cisco ISE admin portal, navigate to Work Centers > BYOD > Portals
& Components and then in the left pane select Certificates > Certificate
Templates.
Step 9 Edit the EAP_Authentication_Certificate_Template.
Step 10 Modify the template according to the following table. Verify configuration with
the subsequent screenshot.

Note In this configuration, you will be configuring the OU to be the distinguishing attribute that
stores the functional purpose of the certificate inside each certificate that is issued. By
performing this step, an Authorization Policy rule could be configured with a condition to
match this attribute and then apply the appropriate authorization profile.

BYOD EAP Authentication Certificate Template

Parameter Description

Name BYOD_EAP_AUTH_365

Description BYOD certificate template for approved Demo access

Organizational Unit (OU) BYOD

Organization (O) The Demo Shop

City (L) San Jose

State (ST) California

Country (C) US

Subject Alternative Name MAC Address

Key Type RSA

Key Size 2048

SCEP RA Profile ISE Internal CA

Valid Period 365



Step 11 Scroll down and click Save.
Client Provisioning and Native Supplicant Provisioning
Step 12 Navigate to Work Centers > BYOD > Client Provisioning.
Step 13 Create a new policy rule at the top of the policy according to the following table.
You will be creating a new Native Supplicant Profile (NSP) inline. Follow the
instructions after the table for the creation of the NSP. Insert the new rule at the
top of the policy.
Android_WPA2_BYOD Client Provisioning Policy Rule

Attribute Value

Rule Name Android_WPA2_BYOD

Identity Groups Any

Operating Systems Android

Other Conditions demo.local:ExternalGroups EQUALS demo.local/Users/Domain Users

Results Android_WPA2_TLS_BYOD  <See below>

Inline Native Supplicant Profile Procedure

Step  Action  Notes

1. Expand Results.

2. Click the down selector icon to Choose a Wizard Profile.

3. Click the cog in the toolbar area.

4. Select Create New Profile.

5. Create a Native Supplicant Profile using the following data.
 Name  Android_WPA2_TLS_BYOD
 Description  Pod ## BYOD NSP
 Operating System  Android
 Connection Type  Wireless
 SSID  ##-wpa2e
 Security  WPA2 Enterprise
 Allowed Protocol  TLS
 Certificate Template  BYOD_EAP_AUTH_365
Notes: It is important that your pod SSID (##-wpa2e) matches exactly what is
configured for your pod. Having your WLC portal open in a separate tab and
performing a copy/paste from there is the most reliable method. Pod 00 is used to
make the screenshot generic. Replace 00 with your actual pod number.

6. Click Save.

Step 14 Click Save.


Step 15 Compare your configuration with the following screenshot.



Step 16 Scroll down and click Save.

Activity Verification
You have completed this task when you attain these results:
 You have configured a Certificate Template for BYOD access.
 You have configured the Client Provisioning rule using an in-line created NSP specific
for your pod SSID and assigning the BYOD certificate template.

Task 3: Policy Configuration
In this task, you will configure the policy components for BYOD access.

Activity Procedure
Complete these steps:
Certificate Authentication Profile Creation
Step 1 Navigate to Work Centers > BYOD > Ext Id Sources > Certificate
Authentication Profile.
Step 2 In the right pane, click +Add to create a Certificate Authentication Profile
according to the following information.
Certificate Authentication Profile

Attribute Value

Name CN_USERNAME

Description Subject contains CN=username

Identity Store [not applicable]

Use Identity From Subject – Common Name

Match Client Certificate Against Certificate In Identity Store  Never

Step 3 Verify your configuration with the following screenshot then click Submit.

Identity Source Sequence Creation


Step 4 Navigate to Work Centers > BYOD > Identities > Identity Source Sequences.
Step 5 Click +Add to create an Identity Source Sequence according to the following
information.
Identity Source Sequence

Attribute  Value

Identity Source Sequence
Name  DOT1X_X509_Username
Description  ISS to get username from certificate

Certificate Based Authentication
Select Certificate Authentication Profile  CN_USERNAME

Authentication Search List
Selected  All_AD_Join_Points
  Internal Users
  Guest Users

Advanced Search List Settings
If the selected identity store cannot be accessed for authentication  Treat as if the user was not found and proceed to the next store in the sequence

Step 6 Verify your configuration with the following screenshot then click Submit.

Allowed Protocols Review
Step 7 Navigate to Work Centers > BYOD > Policy Elements > Results > Allowed
Protocols.
Step 8 In the right pane, click Default Network Access.
Observe that EAP-TLS and PEAP with an inner method to EAP-TLS are both
allowed. This is sufficient for this access use case (TLS client certificate-based
access).

Tip Take note of the option below “Allow EAP-TLS” and below the “Allow EAP-TLS” entry under
“Allow PEAP”: “Allow Authentication of expired certificates to allow certificate renewal in
the Authorization Policy”. Using this feature allows for some flexibility. Enabling this
feature by itself weakens the security that is inherent in the expiration process of X.509v3
certificates. However, Cisco ISE has a dictionary condition, CertRenewRequired, which can
be used in an Authorization Policy rule near the top or as a Global Exception policy; it
evaluates the expiration of the certificate and, if it is expired, can be used to apply an
Authorization Profile that redirects to the CWA portal. Hovering your mouse over the (i) icon
at the end of the line will pop up a message indicating this, as shown in the following
screenshot.

Authentication Policy Configuration


Step 9 Navigate to Work Centers > BYOD > Policy Sets and then Wireless_Access >
Authentication Policy.
Step 10 Clone the Dot1X authentication policy rule by clicking the gear icon at the
far right. Select Duplicate above from the menu.



Step 11 Modify the rule with the following parameters.
Authentication Policy Rule

Attribute Value

Name DOT1X_EAP_TLS

Condition  Wireless_802.1X AND Network Access:EapAuthentication equals EAP-TLS

Identity Source DOT1X_X509_Username

Options

If authentication failed Reject

If user not found Reject

If process failed Drop

Step 12 Compare your rule with the following screenshot.

Step 13 Scroll down and click Save.

Authorization Profile Configuration
Step 14 Navigate to Work Centers > BYOD > Policy Elements > Results >
Authorization Profiles.
Step 15 Create and Save the two following Authorization Profiles.
WLC Native Supplicant Provisioning Authorization Profile

Attribute Name Value

Name WLC_NSP

Common Tasks

Web Redirection  Native Supplicant Provisioning
  ACL: NSP_ACL
  Value: BYOD Portal (default)

WLC User Access Authorization Profile

Attribute Name Value

Name WLC_User Access

Common Tasks

Airespace ACL Name USER_ACL

Authorization Policy Configuration


Step 16 Navigate to Work Centers > BYOD > Policy Sets and then Wireless_Access >
Authorization Policy.
Step 17 Insert the two following authorization policy rules at the top of the authorization
policy.
BYOD NSP Authorization Policy

Attribute  Value

Rule Name  BYOD NSP

Conditions (identity groups and other conditions)  Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
  AND
  demo.local:ExternalGroups NOT_EQUALS demo.local/Users/Domain Computers

Results (Profiles)  WLC_NSP



BYOD Access Authorization Policy

Attribute  Value

Rule Name  BYOD Access

Conditions (identity groups and other conditions)  Network Access:EapAuthentication EQUALS EAP-TLS
  AND
  CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID

Results (Profiles)  WLC_User Access

Caution Be sure to select RADIUS attribute 31 instead of 30. Attribute 31 will give you the MAC
address of the endpoint whereas attribute 30 will give you the MAC address of the NAD.
Radius:Calling-Station-ID--[31] instead of
Radius:Called-Station-ID—[30]
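As an added illustration of two points from this lab guide (the top-down rule evaluation described in the Discussion at the end of the Logical Profile task, and the BYOD Access condition above that binds the certificate SAN to RADIUS attribute 31 rather than 30), here is a small Python model of the Wireless_Access authorization policy. It is example code written for this guide, not Cisco ISE's own logic; the dictionary attribute names, the Wireless Employee Access rule, the MAC normalisation and all sample session values are assumptions constructed here.

```python
"""Toy model of Cisco ISE top-down authorization rule evaluation (added example, not ISE code).

Rule names, profile names and condition attributes follow the lab tables; the evaluator,
the attribute naming and the sample sessions below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]            # flattened "Dictionary:Attribute" -> value (assumed naming)
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    condition: Condition
    profile: str
    enabled: bool = True


def norm_mac(value: str) -> str:
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff to 12 lowercase hex
    digits; anything that is not exactly a MAC (e.g. an 'apmac:ssid' string) yields ''."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else ""


def san_matches(session: Session, radius_attr: str) -> bool:
    """The BYOD Access condition: certificate SAN EQUALS the chosen RADIUS attribute."""
    san = norm_mac(session.get("CERTIFICATE:Subject Alternative Name", ""))
    return bool(san) and san == norm_mac(session.get(radius_attr, ""))


def build_policy(calling_attr: str = "Radius:Calling-Station-ID") -> List[Rule]:
    """Wireless_Access authorization rules in the order the lab inserts them (top first).
    calling_attr lets the caller model the attribute-30 mistake the Caution warns about."""
    return [
        Rule("Smart Devices",                       # Logical Profile rule from the profiling lab
             lambda s: s.get("EndPoints:LogicalProfile") == "Approved_Smart_Devices",
             "Guest Access"),
        Rule("BYOD NSP",
             lambda s: s.get("Network Access:EapAuthentication") == "EAP-MSCHAPv2"
             and s.get("demo.local:ExternalGroups") != "demo.local/Users/Domain Computers",
             "WLC_NSP"),
        Rule("BYOD Access",
             lambda s: s.get("Network Access:EapAuthentication") == "EAP-TLS"
             and san_matches(s, calling_attr),
             "WLC_User Access"),
        Rule("Wireless Employee Access",            # assumed stand-in for the existing employee rule
             lambda s: s.get("demo.local:ExternalGroups") == "demo.local/Users/Domain Users",
             "Wireless Employee Access"),
    ]


def authorize(policy: List[Rule], session: Session) -> Tuple[str, str]:
    """First enabled rule whose condition holds wins; rules below it are never evaluated.
    Returns (rule name, authorization profile); falls through to the implicit Default rule."""
    for rule in policy:
        if rule.enabled and rule.condition(session):
            return rule.name, rule.profile
    return "Default", "DenyAccess"


# Constructed sample sessions (not captured from a lab pod).
TABLET_GUEST: Session = {                     # employee1 web-authenticating on ##-guest from the Tablet
    "EndPoints:LogicalProfile": "Approved_Smart_Devices",
    "demo.local:ExternalGroups": "demo.local/Users/Domain Users",
}
TABLET_MSCHAP: Session = {                    # employee1 joining ##-wpa2e with a password, before onboarding
    "Network Access:EapAuthentication": "EAP-MSCHAPv2",
    "demo.local:ExternalGroups": "demo.local/Users/Domain Users",
    "Radius:Calling-Station-ID": "00-11-22-33-44-55",
}
TABLET_TLS: Session = {                       # the same Tablet after NSP onboarding, now using EAP-TLS
    "Network Access:EapAuthentication": "EAP-TLS",
    "CERTIFICATE:Subject Alternative Name": "00:11:22:33:44:55",   # MAC placed in the SAN by the template
    "Radius:Calling-Station-ID": "00-11-22-33-44-55",               # attribute 31: endpoint MAC
    "Radius:Called-Station-ID": "aa-bb-cc-dd-ee-ff:00-wpa2e",       # attribute 30: NAD side (AP MAC:SSID)
}


if __name__ == "__main__":
    policy = build_policy()
    print("guest login, Smart Devices enabled :", authorize(policy, TABLET_GUEST))
    policy[0].enabled = False                 # what Steps 24-27 of the profiling task do
    print("guest login, Smart Devices disabled:", authorize(policy, TABLET_GUEST))
    print("password login before onboarding   :", authorize(build_policy(), TABLET_MSCHAP))
    print("EAP-TLS with attribute 31          :", authorize(build_policy(), TABLET_TLS))
    print("EAP-TLS with attribute 30 (wrong)  :",
          authorize(build_policy("Radius:Called-Station-ID"), TABLET_TLS))
```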

Step 18 Scroll down and click Save.


Step 19 Compare your configuration with the following screenshot.

Activity Verification
You have completed this task when you attain these results:
 You have configured a certificate authentication profile that will use the subject
common name as the username.
 You have configured an identity source sequence that utilizes the certificate
authentication profile.
 You have reviewed the allowed authentication protocols to see that they allow EAP-
TLS.
 You have configured an authentication policy rule which matches certificate authentication and
uses the identity source sequence which you have configured.
 You have configured authorization profiles to provision the certificate using NSP and to
permit BYOD access.
 You have configured two authorization policy rules for NSP and for BYOD access.



Task 4: Employee Tablet Registration
In this task, you will log in to the Tablet as an employee to perform the BYOD registration.
You will then connect with the provisioned configuration and deployed certificate.

Activity Procedure
Complete these steps:
Endpoint Cleaning from Previous Labs
Step 1 Access your Tablet according to your lab specific instructions.

Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.

Step 2 Navigate using your mouse to WLAN.


Step 3 Click the saved/connected SSID (if any) and at the bottom right, click
FORGET in order to clear any previously cached settings or credentials.
Step 4 Return to the Cisco ISE admin portal.
Step 5 Navigate to Work Centers > BYOD > Identities and then in the left pane select
Endpoints.
Step 6 Select the Tablet, if present and then delete it using the toolbar. Confirm Yes to
delete.
Step 7 You may have to manually clear the client from the WLC if you perform these
steps quickly, as the WLC holds or caches association sessions to handle Wi-Fi
signal disruptions and roams.

Tablet Onboarding
Step 8 Access the Tablet.
Step 9 Access the ##-wpa2e SSID for your pod. Log in using the credentials
employee1@demo.local / 1234QWer.
Step 10 Open a browser.
Step 11 If you are not automatically redirected to the ISE BYOD portal, trigger it by
typing 1.1.1.1, for example.
Step 12 Process through the BYOD portal process by clicking Start.

Step 13 Enter the device name employee1_Tablet and the description My Tablet. Also
observe that the Device ID or MAC address is included at the bottom.

Step 14 Click Continue.



Step 15 DO NOT CLICK ‘Go to Google Play to get the application’.

Note The Cisco Network Setup Assistant has been preinstalled on the Tablet.

Step 16 Examine the page. For Android devices a Cisco proprietary application is needed
to perform the automatic profile and certificate installation process.
Step 17 On the Tablet press the Home button, then in the main view locate and open the
Cisco App Network Setup Assistant.
Step 18 Click Start inside the Network Setup Assistant and observe the provisioning
procedure. Click PROCEED and CONNECT, if prompted.
Step 19 If prompted, enter the Tablet PIN 1234.
Step 20 When presented with the certificate package for the user, leave all defaults and
click OK.

Step 21 When presented with the root certificate, leave all defaults and click OK.

Step 22 After the Cisco Network Setup Assistant has downloaded and installed everything
successfully, you will be automatically connected to the SSID from the configured
profile (##-wpa2e) and presented with the screen seen on the left in the screenshot.

Step 23 Click Exit, open the browser and verify browsing to the Internet, e.g. cisco.com
is working.
Step 24 In your Tablet navigate to Settings > Security > Trusted Credentials.
Step 25 Under the USER section you should see the root CA certificate, which you can
examine by clicking it, as seen on the right in the screenshot above.



Cisco ISE Admin Portal Verification
Step 26 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 27 Navigate to Operations > RADIUS > Live Logs and observe the authentication
records.
Step 28 Enter Android in the Endpoint Profile quick filter for easier verification.

Step 29 Observe the following Logs.

Step 30 Click the Details icon for the record that was assigned the Authorization Profile
WLC_User Access.
Step 31 Observe the Overview section and notice the indicated sections below.

Step 32 Examine the Steps section and towards the bottom observe the 15048 messages
indicating the EAP authentication and the querying of the Subject Common
Name and the MAC address as the Radius Calling-Station-ID.

Step 33 Close this tab and return to the Cisco ISE admin portal.
Step 34 Navigate to Work Centers > BYOD >Identities > Endpoints.
Step 35 Find the Tablet MAC address and click the MAC address in this list.
Step 36 Confirm that Device Registration is Registered and BYOD Registration is Yes,
indicating the registration status of the Tablet endpoint.

Step 37 If the Device Registration says Pending, this is unfortunately a known bug.
Step 38 Scroll down to the Subject attribute lines. Observe the certificate details paying
particular attention to the Subject Common Name values.

Step 39 Return to the Cisco ISE admin portal and navigate to Administration > System
> Certificates > Certificate Authority > Issued Certificates.
Step 40 Select the endpoint certificate which has been deployed to the employee1 Tablet,
click View in the toolbar and examine the details.

Note Use Google Chrome Browser, if the certificate details are not showing up correctly!



Tip If you scroll to the bottom you will see SHA-1 and MD5 hash fingerprints. These could be
useful for a helpdesk operator to verify a certificate with the user over the phone,
for example.

Step 41 Click Close.

Activity Verification
You have completed this task when you attain this result:
 You have successfully onboarded your pod Tablet and verified access according to the
task steps.

Lab 5-2: Device Blacklisting
In the previous lab, you learned how to configure a BYOD solution. In this activity, you
will learn how to manage that solution. The focus is on how to mark a device lost, and then
stolen.
You will examine Cisco ISE to see how the endpoint is processed for each of these
situations. You will then reinstate a lost or stolen device. You will also process an endpoint
for re-enrollment after a certificate has been revoked.

Activity Objective
In this activity, you will perform the steps to mark a device lost and then stolen. You will
examine Cisco ISE to see how the endpoint is processed for each of these situations. After
completing this activity, you will be able to meet these objectives:
 Mark a device as lost
 Mark a device as stolen
 Reinstate a lost or stolen device
 Process an endpoint for re-enrollment after a certificate has been revoked

Visual Objective
The figure illustrates what you will accomplish in this activity.



Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC

Task 1: Blacklist a Device
In this task, you will mark an on-boarded device as “lost”.

Activity Procedure
Complete these steps:
Configure a local exceptions policy for blacklisted devices
Step 1 Navigate to Policy > Policy Sets > Wireless_Access > Authorization Policy –
Local Exceptions.
Step 2 In the left pane click the + symbol to insert a new exception policy.
Authorization Policy – Local Exceptions

Rule Name            Blacklist
Conditions           IdentityGroup:Name EQUALS Endpoint Identity Group:Blacklist
Results (Profiles)   Blackhole_Wireless_Access

Step 3 Click Save.


Updating the Blacklist Portal to use the configured certificate group tag
Step 4 Navigate to Administration > Device Portal Management > Blacklist.
Step 5 Edit the Blacklist portal (default).
Step 6 Change the certificate group tag from Default Portal Certificate Group to
ISE Lab CGT.
Step 7 At the top click Save.
Update the Blacklist Authorization profile
Step 8 Navigate to Policy > Policy Elements > Results > Authorization >
Authorization Profiles.
Step 9 Edit the Blackhole_Wireless_Access profile.
Step 10 Scroll down and change the Web Redirection ACL from BLACKHOLE to
BLACKLIST.

Step 11 Scroll down and click Save.
Marking a Device as Lost
Step 12 Open a new tab and navigate to the My Devices Portal, either using the
“myDevices” bookmark in the toolbar or by using the URL
https://mydevices.demo.local
Step 13 Log in with the credentials employee1@demo.local / 1234QWer.
Step 14 Click the checkbox to accept the AUP and then click Sign On.
Step 15 Click Continue.
Step 16 Observe that the status is Registered; if it is not, read the following Note.

Note If the device status is still Pending, allow up to 20 minutes for the profiling process to
complete.

Tip Turning Wi-Fi off and on again on the tablet forces a new authentication, which may update
the registration status.

Step 17 Manage the device by clicking on the record.

Step 18 Click the Lost button.

Step 19 Click Yes to acknowledge that you want to mark the device as lost.

Step 20 Observe that the status is now Lost.

Activity Verification
You have completed this task when you attain this result:
 You have marked the employee1 Tablet endpoint as Lost.

Task 2: Lost Access Verification
In this task, you will attempt to access the network using a device marked as “lost”.

Activity Procedure
Complete these steps:
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet, but with Blackhole_Wireless_Access as the resulting authorization profile.
Cisco ISE issued a CoA when the device was marked lost. The device automatically
re-authenticated as it normally would, and because its endpoint is now in the
Blacklist identity group it matched the Blacklist local exception rule instead of its
normal BYOD rule.

Step 3 Return to your Tablet and in a browser navigate to any website or to 1.1.1.1. You
should be redirected to the blacklist portal automatically.

Activity Verification
You have completed this task when you attain this result:
 You have been redirected to the blacklist portal on the Tablet.

Task 3: Endpoint Record Observations
In this task, you will examine the endpoint data record for a “lost” device.

Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal.
Step 2 Navigate to Context Visibility > Endpoints.
Step 3 Find the Tablet MAC address and observe the record in this list.
Step 4 Open the detail view for this endpoint.

Step 5 In the upper right search bar type employee1@demo.local.
Step 6 Select employee1@demo.local from the suggestions box.

Step 7 In the search results window, notice Blackhole_Wireless in the text. Click the
record to view the details.

Step 8 Observe that the current status is Authenticated & Authorized and that the assigned
profile is Blackhole_Wireless_Access.

Step 9 Click Endpoint Details at the top.

Step 10 Observe the Identity Group (Blacklist) and the Authorization Profile.

Step 11 Close the result box by clicking on the X in the upper right-hand corner.

Activity Verification
You have completed this task when you attain this result:
 You have verified that the endpoint has been marked Lost.

Task 4: Un-Blacklist the Device
In this task, you will go through the process of un-blacklisting a device that was “found”.

Activity Procedure
Complete these steps:
Step 1 On the Admin PC access the previously opened My Devices Portal tab.
Step 2 It is likely that your session has timed out. Log in with the credentials
employee1@demo.local / 1234QWer if necessary.
Step 3 Accept the AUP and then click Continue.
Step 4 Manage the device by clicking on the record.
Step 5 Click Reinstate.

Step 6 Click Yes to the pop-up.


Step 7 Observe the device status has been returned to Registered.

Activity Verification
You have completed this task when you attain this result:
 You have reinstated the employee1 Tablet and observe the status as Registered.

Task 5: Verify Access Capability
In this task, you will verify network access after the device was Reinstated.

Activity Procedure
Complete these steps:
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet, this time with the WLC_User_Access authorization profile as the result. Cisco
ISE issued a CoA when the device was reinstated. The device automatically
re-authenticated as it normally would and matched the BYOD Access authorization
policy rule.

Step 3 Return to the Tablet and in a browser navigate to cisco.com. You should be able to
connect to the webpage successfully.

Activity Verification
You have completed this task when you attain these results:
 You have observed the proper authorization profile for the registered BYOD device.
 You have successfully connected to a webpage.

Task 6: Blacklisting a Stolen Device
In this task, you will mark a device as stolen and observe the endpoint and certificate status.
You will then reinstate and re-onboard the device. In the interest of brevity you will not test
access while the device is marked as stolen, since you already tested blacklisted access in a
previous task.

Activity Procedure
Complete these steps:
Marking a Device as Stolen
Step 1 Return to the Admin PC and to the My Devices Portal.
Step 2 It is likely that your session has timed out. Log in with the credentials
employee1@demo.local / 1234QWer if necessary.
Step 3 Accept the AUP and then click Continue.
Step 4 Manage the device by clicking on the record.
Step 5 Click the Stolen button.
Step 6 Click Yes to acknowledge that you want to mark the device as stolen.
Step 7 Observe that the status is now Stolen.
Examining Endpoint Status and Record
Step 8 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 9 You should see a denied access record for the Tablet.

Examine Certificate Status


Step 10 Click the authentication record detail icon.
Step 11 In the Authentication Detail section observe the following fields indicating that
the certificate has been revoked.

Step 12 Return to the Cisco ISE admin portal and navigate to Administration > System
> Certificates > Certificate Authority > Issued Certificates.

Step 13 Use the Google Chrome browser if the certificate details do not display correctly.

Step 14 In the list of certificates, observe that the status is now Revoked for the
Tablet certificate.
Step 15 View the certificate details and observe that the certificate status is Revoked,
shown with a red X icon.

Step 16 Close the certificate detail.


Reinstating Device
Step 17 Return to the My Devices Portal.
Step 18 Notice that the toolbar offers no button to un-revoke a certificate. Reinstating the
device only clears the Stolen status; the revoked certificate stays revoked, so the device
will have to be re-onboarded with a new certificate.
Step 19 Click the Reinstate button.
Step 20 Click Yes.
Step 21 Observe that the device status is now Not Registered.

Re-Onboarding Device
Step 22 Return to your Tablet and observe your ##-wpa2e WLAN SSID.
Step 23 You should notice that it is not possible to join the ##-wpa2e WLAN.

Step 24 Select the WLAN and at the bottom right, click FORGET.
Step 25 Navigate to Settings > Security > Clear credentials
Step 26 Click Clear credentials and Remove all the contents by clicking OK.
Step 27 Return to the WLAN list and attempt to join the ##-wpa2e WLAN. This should now
succeed, prompting you for credentials.
Step 28 Enter the credentials employee1@demo.local / 1234QWer.
Step 29 Open a browser and trigger a redirection to the ISE portal.
Step 30 Go through the onboarding process as before. Refer to the previous lab
steps if necessary.
Step 31 Once complete, navigate to cisco.com. This should succeed.
Step 32 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 33 The employee1 Tablet should have been assigned the WLC_User_Access
authorization profile. To the right, the device should also be in the Identity Group
RegisteredDevices.

Activity Verification
You have completed this task when you attain these results:
 You have successfully marked the device as stolen.
 You have observed the device certificate authentication failure.
 You have examined the certificate status and observed that it is revoked.
 You have reinstated the device via the My Devices Portal.
 You have cleared the stored credentials and re-enrolled the Tablet.
 You have observed a successful BYOD certificate authentication.

Lab 6-1: Compliance
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure Cisco ISE settings and policies for compliance-based
access. After completing this activity, you will be able to meet these objectives:
 Configure Cisco ISE Posture Settings
 Configure Authorization Profile components for compliance based access
 Configure Authorization Policy rules for compliance based access

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC

Task 1: Posture Preparation
In this task, you will configure the Cisco ISE posture update settings that will be used later
to check the posture compliance of clients.

Activity Procedure
Complete these steps:
Posture Updates
You will perform a manual posture update in this section.
Step 1 Navigate to Work Centers > Posture > Settings > Software Updates >
Posture Updates.
Step 2 Click the Automatically check for updates starting from initial delay check
box to enable auto updates. After the initial download, this will perform an
incremental update automatically from Cisco.

Note By default, posture updates are configured to be retrieved from the web and automatic
checking is disabled.

Posture updates include a set of predefined checks, rules, and support lists for antivirus
and anti-spyware for both Windows and Macintosh operating systems. The initial update
usually takes approximately 15 to 20 minutes.

Step 3 Click Save.


Step 4 Click Update Now to start the initial posture update process. As mentioned
above, this process can take 15 to 20 minutes.

Note You can safely navigate away from this page and continue on to the next steps while this
process works in the background.

Step 5 Observe the Update Information section below to view the status of updates. The
fields Last successful update on and Last update status since ISE was started are the
useful ones for determining that updates are working properly.

Posture General Settings
Step 6 Navigate to Work Centers > Posture > Settings > Posture General Settings.
The settings on this page are used when there is no profile under the client
provisioning policy. You will be configuring the client provisioning policy later
in the lab. However, it is a good practice to set a baseline configuration here in
the event that a policy is misconfigured or absent in the future.
Step 7 Change the Remediation Timer field from 4 minutes to 20 minutes to allow for
patching or other required remediation steps to be performed by the end-user.
Step 8 Enable the Automatically Close Login Success Screen After setting and change
the value from 0 to 3 seconds.

Step 9 Click Save.

Note Leaving the value at 0 configures the client not to display the login success screen at all.
This may be preferable in some organizations.

Posture Lease
The default configuration as indicated in this section is to perform a posture assessment
every time a user connects to the network. By enabling the second option, the system is
considered to be compliant for the configured number of days (range 1 – 365) and will be
checked at the configured interval.

Note No configuration change will be performed at this time.

Note Posture leases are only applicable to Cisco AnyConnect Unified Agent access.

Portal Modification
Step 10 Navigate to Work Centers > Guest Access > Portals & Components > Guest
Portals and edit the Demo-Sponsored portal.
Step 11 Scroll down to the Guest Device Compliance Settings section and enable
Require guest device compliance.

Step 12 Scroll up and click Save, then click Close.


Step 13 Navigate to Administration > Device Portal Management > Settings.
Step 14 Configure the Retry URL as http://www.cisco.com/go/ise

Step 15 Click Save.

Activity Verification
You have completed this task when you attain these results:
 You have configured Cisco ISE to retrieve posture updates from Cisco online.
 You have configured general posture settings for global posture processing.
 You have reviewed posture lease settings.
 You have modified the Demo-Sponsored guest portal to require guest device compliance.

Task 2: Authorization Profiles
In this task, you will create the downloadable ACLs and authorization profiles used for
compliance-based access.

Activity Procedure
Complete these steps:
Create Downloadable ACLs for Compliance
Step 1 Navigate to Work Centers > Posture > Policy Elements and then
Downloadable ACLs.
Step 2 Create the following AD Login Access dACL.

Tip You can copy-and-paste the DACL content from
http://tools.demo.local/cp/DACL_AD_LOGIN_ACCESS.txt

Downloadable ACL – ACL_AD_LOGIN

Name           acl_ad_login
Description    Permit access to AD login services and deny everything else.
DACL Content   permit udp any eq bootpc any eq bootps
               permit udp any any eq domain
               permit icmp any any
               permit tcp any host 10.1.100.10 eq 88
               permit udp any host 10.1.100.10 eq 88
               permit udp any host 10.1.100.10 eq ntp
               permit tcp any host 10.1.100.10 eq 135
               permit udp any host 10.1.100.10 eq netbios-ns
               permit tcp any host 10.1.100.10 eq 139
               permit tcp any host 10.1.100.10 eq 389
               permit udp any host 10.1.100.10 eq 389
               permit tcp any host 10.1.100.10 eq 445
               permit tcp any host 10.1.100.10 eq 636
               permit udp any host 10.1.100.10 eq 636
               permit tcp any host 10.1.100.10 eq 1025
               permit tcp any host 10.1.100.10 eq 1026

Step 3 Create the following Posture Remediation dACL.

Tip You can copy-and-paste the DACL content from
http://tools.demo.local/cp/DACL_POSTURE_REMEDIATION.txt

Downloadable ACL – ACL_POSTURE_REMEDIATION

Name           acl_posture_remediation
Description    Permit access to posture services and remediation and deny everything else.
DACL Content   permit udp any eq bootpc any eq bootps
               permit udp any any eq domain
               permit icmp any any
               permit tcp any host 10.1.100.21 eq 8443
               permit tcp any host 10.1.100.21 eq 8905
               permit udp any host 10.1.100.21 eq 8905

Step 4 Create the following Internet only dACL.

Tip Copy-and-paste the DACL content from
http://tools.demo.local/cp/DACL_GUEST_INTERNET.txt

Downloadable ACL – ACL_INTERNET_ONLY

Name           acl_internet_only
Description    Permit DHCP/DNS, deny internal, permit everything else.
DACL Content   permit udp any any eq domain
               permit icmp any any
               permit tcp any host 10.1.100.21 eq 8443
               deny ip any 10.1.0.0 0.0.255.255
               permit ip any any

Step 5 A URL redirect ACL must already exist on the switch and cannot be a dACL. Your
3k-access switch is preconfigured with the ACL that you will use. It is named
ISE-URL-REDIRECT. The contents of that ACL are included below to save time.

Note If you desire, you may open an SSH session via PuTTY and verify by issuing show
ip access-lists ISE-URL-REDIRECT.

deny ip any host 10.1.100.10
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any

Note You will be referencing the name of this ACL in the authorization profiles. Spelling must
match exactly. Also keep in mind that a redirect ACL is read differently from a filtering ACL:
traffic matching a permit entry is redirected to the ISE portal, and traffic matching a deny
entry bypasses redirection. That is why AD1 (10.1.100.10) is denied first, so that login
traffic is never sent to the portal, while HTTP and HTTPS are permitted, that is, redirected.
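Both ACL semantics above (first-match filtering for the dACLs, permit-means-redirect for the URL-redirect ACL) can be checked offline. The following is an added example written for this page, not code from the lab guide or from Cisco. It parses the ACLs listed above and evaluates constructed packets against them; the client address and source ports used in the demonstration are made up.

```python
# Added example for this page (not code from the lab guide or from Cisco): a
# minimal evaluator for the IOS-style ACL lines used by the lab's dACLs and by
# the switch-side ISE-URL-REDIRECT ACL. It handles only the syntax seen here:
# permit/deny, protocol ip/tcp/udp/icmp, 'any' | 'host A' | 'A WILDCARD'
# addresses and an optional 'eq <port>' after either address.
import ipaddress
from dataclasses import dataclass

# IOS port keywords that appear in the lab's ACLs (IANA port numbers)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123,
              "netbios-ns": 137, "www": 80}

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _parse_port(tok, i):
    """Parse an optional 'eq <port>' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Turn ACL text into an ordered list of (action, proto, src, sport, dst, dport)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                                  # blank line or remark
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def _matches(rule, pkt):
    _, proto, src, sport, dst, dport = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
        return False
    if sport is not None and sport != pkt.sport:
        return False
    return dport is None or dport == pkt.dport

def evaluate(rules, pkt):
    """Filtering ACL: first matching entry wins, no match hits the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule[0]
    return "deny"

def redirect_decision(rules, pkt):
    """Redirect ACL on the switch: a 'permit' match is redirected to the ISE
    portal; a 'deny' match (or the implicit deny) bypasses redirection."""
    return "redirect" if evaluate(rules, pkt) == "permit" else "bypass"

# ACLs exactly as listed in the lab (AD1 = 10.1.100.10, ISE-1 = 10.1.100.21)
ACL_AD_LOGIN = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 eq 1025
permit tcp any host 10.1.100.10 eq 1026
"""
ACL_INTERNET_ONLY = """
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
deny ip any 10.1.0.0 0.0.255.255
permit ip any any
"""
ACL_URL_REDIRECT = """
deny ip any host 10.1.100.10
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
"""

if __name__ == "__main__":
    client = "10.1.50.100"                           # constructed client address
    ad, inet, red = (parse_acl(a) for a in (ACL_AD_LOGIN, ACL_INTERNET_ONLY, ACL_URL_REDIRECT))
    print("acl_ad_login, Kerberos to AD1:", evaluate(ad, Packet("tcp", client, "10.1.100.10", 50000, 88)))
    print("acl_ad_login, HTTPS to the internet:", evaluate(ad, Packet("tcp", client, "203.0.113.5", 50001, 443)))
    print("acl_internet_only, SMB to AD1:", evaluate(inet, Packet("tcp", client, "10.1.100.10", 50002, 445)))
    print("redirect ACL, http://1.1.1.1:", redirect_decision(red, Packet("tcp", client, "1.1.1.1", 50003, 80)))
    print("redirect ACL, DNS to AD1:", redirect_decision(red, Packet("udp", client, "10.1.100.10", 50004, 53)))
```

Running it shows that acl_ad_login lets a client reach Kerberos on AD1 but nothing on the internet, that acl_internet_only blocks SMB to AD1 while allowing the internet, and that the redirect ACL sends a browser request for http://1.1.1.1 to the portal while DNS to AD1 passes untouched.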

Create Authorization Profiles for Compliance
Step 6 Navigate to Work Centers > Posture > Policy Elements and then
Authorization Profiles.
Step 7 By clicking +Add in the right pane, create each of the following authorization
profiles.
Posture Remediation - Authorization Profile

Name              Posture Remediation
Common Tasks
  DACL Name       acl_posture_remediation
  Web Redirection Client Provisioning (Posture)
                  ACL: ISE-URL-REDIRECT
                  Value: Client Provisioning Portal (default)

CWA Posture Remediation - Authorization Profile

Name              CWA Posture Remediation
Common Tasks
  DACL Name       acl_posture_remediation
  Web Redirection Centralized Web Auth
                  ACL: ISE-URL-REDIRECT
                  Value: Demo-Sponsored

Internet Only - Authorization Profile

Name              Internet Only
Common Tasks
  DACL Name       acl_internet_only

Step 8 Modify the Wired Domain Computer Access authorization profile to use the new,
more restrictive dACL for AD login, acl_ad_login, and then click Save.

Activity Verification
You have completed this task when you attain this result:
 You have configured dACLs for utilization in compliance based access.
 You have configured Authorization profiles to be utilized during different stages of
compliance based processing.

Task 3: Adjusting Authorization Policy for Compliance
In this task, you will adjust the authorization policy for compliance checking.

Activity Procedure
Complete these steps:
Policy Set Evaluation
Step 1 Navigate to Work Centers > Posture > Policy Sets and then to Wired_Access >
Authorization Policy.
Examine the authorization policy rules and notice that the policy is currently quite
simple: a rule for profiled IP phones, two rules for employees and contractors, a rule
for domain computer authentication, and a default deny rule at the end. Creating all of
the guest access rules under the wireless policy set has kept the wired policy clean. By
using policy set conditions to separate policy, it is possible, and in this situation
advantageous, to split wired access into two parts in the same way that overall access
was split into wired and wireless policy sets.
In the following section you will go through the process of creating a separate policy
set for wired MAB access. This consolidates all policies that apply to wired MAB access
in one place, without having to evaluate for each rule whether it applies to an 802.1X
session or a MAB session. You will also modify the existing Wired_Access policy set so
that it applies only to 802.1X sessions.
Policy Set Modification
Step 2 Click Policy Sets at the top to go back to the Policy Set overview.
Step 3 Click the + symbol on the left side to create a new Policy Set in the top of your
policy sets.

Note Policy sets are evaluated like Access control lists, top down. Like ACLs, the order of your
rules can determine if your policy functions as expected.

Policy Set – Wired_MAB_Access

Name            Wired_MAB_Access
Description     Wired MAB Device Access
Condition(s)    Compound Condition > Wired_MAB [ Drag & Drop Condition from Library ]

Step 4 Click Use and verify your policy set with the following screenshot.

Step 5 Click Save at the bottom or top.


Step 6 Modify the Wired_Access policy set according to the table below.

Policy Set – Wired_8021X_Access

Name            Wired_8021X_Access
Description     Wired 802.1X Device Access
Condition(s)    DEVICE:Device Type EQUALS All Device Types#Wired
                AND
                Compound Condition > Wired_802.1X [ Drag & Drop Condition from Library ]

Note While in this specific lab environment and configuration, it is not necessary to build a
compound condition of device type wired and Wired_802.1X, the purpose for doing so is
to illustrate the flexibility and capability of the policy set condition aspect of Cisco ISE.

Tip Applying this logic, it would be possible to create a condition matching a specific device
location and access method, wired or wireless, etc. and access type, MAB or 802.1X, to
create and maintain organized policy sets.

Step 7 Click Done and verify your modification with the following screenshot.

Step 8 Click Save.


Wired MAB Policy Set Modification
Step 9 Select the Wired_MAB_Access policy set.
Step 10 Edit the Default authentication policy rule: set the Identity Source to
All_User_ID_Stores and set the If User not found option to Continue.

Step 11 Add the following Authorization policy rule above the Default rule.
Guest Internet - Authorization Policy

Rule Name            Guest Internet
Conditions           NetworkAccess:UseCase EQUALS Guest Flow
Results (Profiles)   Internet Only

Step 12 Modify the Default rule to use the authorization profile CWA Posture
Remediation.
Step 13 Verify your policy with the following screenshot.

Step 14 Scroll down and click Save.

Caution In a production environment it would be important to create policy rules for profiled
devices (IP phones, printers, and so on) that access the network by way of MAB, for example
by copying the existing ones. For the sake of time, and because of the simplicity of this lab
environment, you will not be creating such rules.

Wired 802.1X Policy Set Modification


Step 15 Select the Wired_8021X_Access policy set.
Step 16 Edit the Wired AD Employees authorization policy rule.
Step 17 Open the Conditions section.
Step 18 Add a new Attribute/Value.
Step 19 Configure the following condition: Session:PostureStatus EQUALS
Compliant.
Step 20 Verify that the operator between the conditions is set to AND.

Step 21 Click Use at the bottom.

Tip Saving the posture status condition to the library under a short descriptive name would
make the final policy conditions easier to read than the raw attribute/value statement.

Step 22 Edit the Wired AD Contractors rule by adding the condition
Session:PostureStatus EQUALS Compliant and verifying that the operator is AND.
Step 23 Click Use at the end of the line.
Step 24 Add the following authorization policy rule above the Default rule.

AD Posture Assessment - Authorization Policy

Rule Name            AD Posture Assessment
Conditions           demo.local:ExternalGroups EQUALS demo.local/Users/Domain Users
                     AND
                     Session:PostureStatus NOT_EQUALS Compliant
Results (Profiles)   Posture Remediation

Step 25 Click Use at the bottom.


Step 26 Verify your configuration with the following screenshot.

Step 27 Scroll down and click Save.
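The structure you have just built (policy sets selected by access method, local exceptions tried ahead of the regular rules, first match wins everywhere) can be modelled in a few lines, which makes it easy to see why the Compliant condition on the employee and contractor rules and the position of AD Posture Assessment above Default matter. The following is an added example written for this page, not code from the lab guide or from Cisco ISE. It represents session attributes as plain dictionary keys and assumes the names the lab does not state: the contractor AD group and the employee and contractor access profiles. The Blacklist local exception from Lab 5-2 is included to show the exception ordering.

```python
# Added example for this page (not code from the lab guide or from Cisco ISE):
# a model of the evaluation order of the policy structure built in this lab.
# Policy sets are tried top down and the first whose condition matches is used;
# inside it, local exceptions are tried before the regular authorization rules,
# again first match wins. Names the guide does not state (the contractor group
# and the employee/contractor access profiles) are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Session = Dict[str, object]
Cond = Callable[[Session], bool]

@dataclass
class Rule:
    name: str
    condition: Cond
    profile: str

@dataclass
class PolicySet:
    name: str
    condition: Cond
    rules: List[Rule]
    exceptions: List[Rule] = field(default_factory=list)   # local exceptions

def first_match(rules, session):
    """Top-down, first-match evaluation, the same idea as an ACL."""
    return next((r for r in rules if r.condition(session)), None)

def authorize(policy_sets, session):
    """Return (policy set, rule, authorization profile) chosen for a session."""
    ps = first_match(policy_sets, session)
    if ps is None:
        return None
    rule = first_match(ps.exceptions + ps.rules, session)   # exceptions first
    return ps.name, rule.name, rule.profile

# Conditions modelled on the library entries used in the lab. The built-in
# Wired_MAB / Wired_802.1X compound conditions combine NAS-Port-Type with
# Service-Type (Call-Check for MAB, Framed for 802.1X).
def wired(s):      return s.get("NAS-Port-Type") == "Ethernet"
def wireless(s):   return s.get("NAS-Port-Type") == "Wireless - IEEE 802.11"
def mab(s):        return wired(s) and s.get("Service-Type") == "Call-Check"
def dot1x(s):      return wired(s) and s.get("Service-Type") == "Framed"
def compliant(s):  return s.get("PostureStatus") == "Compliant"
def guest_flow(s): return s.get("UseCase") == "Guest Flow"

def in_group(group):
    return lambda s: group in s.get("ExternalGroups", [])

def in_identity_group(name):
    return lambda s: s.get("IdentityGroup") == name

DOMAIN_USERS = "demo.local/Users/Domain Users"
EMPLOYEES = "demo.local/HCC/Groups/Employees"
CONTRACTORS = "demo.local/HCC/Groups/Contractors"          # assumed group name

POLICY_SETS = [
    PolicySet("Wired_MAB_Access", mab, rules=[
        Rule("Guest Internet", guest_flow, "Internet Only"),
        Rule("Default", lambda s: True, "CWA Posture Remediation"),
    ]),
    PolicySet("Wired_8021X_Access", dot1x, rules=[
        Rule("Wired AD Employees", lambda s: in_group(EMPLOYEES)(s) and compliant(s),
             "Wired_Employee_Access"),                      # assumed profile name
        Rule("Wired AD Contractors", lambda s: in_group(CONTRACTORS)(s) and compliant(s),
             "Wired_Contractor_Access"),                    # assumed profile name
        Rule("AD Posture Assessment", lambda s: in_group(DOMAIN_USERS)(s) and not compliant(s),
             "Posture Remediation"),
        Rule("Default", lambda s: True, "DenyAccess"),
    ]),
    PolicySet("Wireless_Access", wireless, rules=[
        Rule("BYOD Access", in_identity_group("RegisteredDevices"), "WLC_User_Access"),
        Rule("Default", lambda s: True, "DenyAccess"),
    ], exceptions=[
        Rule("Blacklist", in_identity_group("Blacklist"), "Blackhole_Wireless_Access"),
    ]),
]

def decide(session):
    return authorize(POLICY_SETS, session)

if __name__ == "__main__":
    # Constructed sessions: a compliant employee, the same PC before posture ran,
    # a wired guest through CWA, and the tablet marked lost in Lab 5-2.
    wired_pc = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
                "ExternalGroups": [DOMAIN_USERS, EMPLOYEES]}
    print(decide({**wired_pc, "PostureStatus": "Compliant"}))
    print(decide({**wired_pc, "PostureStatus": "Unknown"}))
    print(decide({"NAS-Port-Type": "Ethernet", "Service-Type": "Call-Check", "UseCase": "Guest Flow"}))
    print(decide({"NAS-Port-Type": "Wireless - IEEE 802.11", "IdentityGroup": "Blacklist"}))
```

The second session is the interesting one: the employee PC whose posture has not yet been assessed falls past Wired AD Employees (because of the Compliant condition) into AD Posture Assessment and receives Posture Remediation, which is the redirect to client provisioning. Remove the Compliant condition from the employee rule in the model and that same session gets full access without ever being postured.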

Activity Verification
You have completed this task when you attain this result:
 You have modified the Wired_8021X_Access and Wired_MAB_Access policy sets to process
access based on compliance status.

Lab 6-2: Configuring Client Provisioning
Complete this lab activity to practice what you learned in the related module.
In this activity, you will configure Cisco ISE to provision Cisco posture agents. You will
configure client provisioning settings for updates from Cisco online. You will configure
client resources for utilization in compliance-based access. Finally, you will configure client
provisioning policies for the utilization of posture agents.

Activity Objective
In this activity, you will configure Cisco ISE to provision Cisco posture agents. After
completing this activity, you will be able to meet these objectives:
 Configure Client Provisioning settings for updates from Cisco online.
 Configure Client Resources for utilization in compliance based access.
 Configure Client Provisioning policies for the utilization of posture agents

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC

Task 1: Client Updates
In this task, you will review client provisioning settings and then perform a posture
component update.

Activity Procedure
Complete these steps:
Client Provisioning Settings
Step 1 Navigate to Work Centers > Posture > Settings and then to Software Updates >
Client Provisioning. This page can also be accessed via Administration >
System > Settings > Client Provisioning.
Step 2 Observe that client provisioning is enabled by default.

Activity Verification
You have completed this task when you attain these results:
 You have reviewed the Client Provisioning settings.
 You have configured Cisco ISE to perform automatic posture updates; and initiated a
manual update.

Task 2: Client Resources
In this task, you will configure Cisco ISE with the client resources used to provision Cisco
posture agents (the Cisco AnyConnect ISE Posture module and the Cisco Temporal Agent).

Activity Procedure
Complete these steps:
Downloading Resources to your PC
Step 1 In your Firefox browser, open a new tab and use your bookmark toolbar to
navigate to tools > cp. (http://tools.demo.local/cp)
Step 2 Download the following files. These files will be placed in your profile
Downloads folder.
 anyconnect-win-4.5.04029.0-webdeploy-k9.pkg
 anyconnect-VPN-disable.xml
 anyconnect-NAM-EAP-FAST.xml
Step 3 Return to the Cisco ISE Admin portal.
Step 4 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 5 In the right pane, click +Add and from the menu select Agent resources from
Cisco Site.
Step 6 After a moment, the list should populate. Select the following list of items.
 AnyConnectComplianceModuleWindows 4.2.1538.0 or latest 4.2.xxxxx.x
 ComplianceModule 3.6.11017.2 or latest 3.6.xxxxx.x
 CiscoTemporalAgentWindows 4.5.02036
Step 7 Click Save to start the download process.
Step 8 The Download will take several minutes.
Adding resources to Cisco ISE
Step 9 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 10 In the right pane, click +Add and from the menu select Agent resources from
local Disk.
Step 11 Select the category of Cisco Provided Packages.
Step 12 Click Browse and navigate to your Downloads folder and select
anyconnect-win-4.5.04029.0-webdeploy-k9.pkg (the file downloaded in Step 2) and click Open.
Step 13 Click Submit
Step 14 Click Confirm when prompted to confirm the hash.

Step 15 Perform the same operation for the following files. Fill out the form according to
the tables below.
acNAMProfile - Customer Created Agent Resource Package

Category       Customer Created Packages
Type           AnyConnect Profile
Name           acNAMProfile
Description    AnyConnect NAM EAP-FAST Config
File           C:\Users\Administrator\Downloads\anyconnect-NAM-EAP-FAST.xml

Note The following profile is optional and cosmetic in nature. It is intended to hide the VPN tile
of the AnyConnect client.

acVPNdisableProfile - Customer Created Agent Resource Package

Category       Customer Created Packages
Type           AnyConnect Profile
Name           acVPNdisableProfile
Description    Profile to disable the VPN tile in AnyConnect
File           C:\Users\Administrator\Downloads\anyconnect-VPN-disable.xml

Configure AnyConnect Agent Profile
Step 16 In the right pane, click +Add and from the menu select NAC Agent or
AnyConnect Posture Profile.
Step 17 Select AnyConnect from the dropdown box.
Step 18 Create the following profile.
AnyConnect Posture Agent Profile Settings (* = required)

AnyConnect
  * Name                            acWinPostureProfile
  Description                       AnyConnect Windows Posture Profile
Agent behavior
  Enable debug log                  No
  Operate on non-802.1X wireless    No
  Enable signature check            No
  Log file size                     5 MB
  Remediation timer                 20 mins
IP Address Change
  Enable agent IP refresh           Yes
  VLAN detection interval           0 secs
  Ping or ARP                       Ping
  Maximum timeout for ping          1 secs
  DHCP renew delay                  1 secs
  DHCP release delay                4 secs
  Network transition delay          3 secs
Posture Protocol
  PRA retransmission time           120 secs
  Discovery host                    tools.demo.local
  * Server name rules               *.demo.local

Note The discovery host must be a name that resolves via DNS, so that the agent generates
traffic that hits the URL-redirect ACL. That traffic is then redirected to the ISE node
running the Policy Service persona, which is how the agent discovers its posture server.

Step 19 Scroll down and click Submit.

Create the AnyConnect Configuration
Step 20 In the right pane, click +Add and from the menu select AnyConnect
Configuration.
Step 21 Create the following configuration.

acConfigWin - AnyConnect Configuration (* = required)

* Select AnyConnect Package          AnyConnectDesktopWindows 4.5.4029.0
* Configuration Name                 acConfigWin
Description                          AnyConnect agent config for Windows
* Compliance Module                  Anyconnect-win-compliance-4.2.1538.0 or latest 4.2.*
AnyConnect Module Selection
  ISE Posture                        [X]
  VPN                                [ ]
  Network Access Manager             [X]
  Web Security                       [ ]
  AMP Enabler                        [ ]
  ASA Posture                        [ ]
  Network Visibility                 [ ]
  Umbrella Roaming Security          [ ]
  Start Before Login                 [ ]
  Diagnostic and Reporting Tool      [X]
Profile Selection
  ISE Posture                        acWinPostureProfile
  VPN                                acVPNdisableProfile
  Network Access Manager             acNAMProfile
  Web Security                       (leave blank)
  Customer Feedback                  (leave blank)
  Customization Bundle               (leave blank)
  Localization Bundle                (leave blank)
Deferred Update
  Allowed AnyConnect Software                          No
  Minimum Version Required for AnyConnect Software     0.0.0
  Allowed for Compliance Module                        No
  Minimum Version Required for Compliance Module       0.0.0.0
  Prompt Auto Dismiss Timeout                          None
  Prompt Auto Dismiss Default Response                 Update
Installation Options
  Uninstall Cisco NAC Agent          [ ]

Step 22 Scroll down and click Submit.

Activity Verification
You have completed this task when you attain these results:
 You have downloaded the AnyConnect compliance module and the Cisco Temporal Agent from
the Cisco site and uploaded the AnyConnect package and profiles from local disk.
 You have created the AnyConnect posture profile and the AnyConnect configuration that
ties the package, modules, and profiles together.

Task 3: Client Provisioning Policies
In this task, you will configure Cisco ISE to provision Cisco posture agents in order to
enforce compliance-based access.

Activity Procedure
Complete these steps:
Configuring Client Provisioning Policies.
Step 1 Navigate to Work Centers > Posture > Client Provisioning and then Client
Provisioning Policy.
Step 2 Add two new rules below Android_WPA2_BYOD according to the following
tables.
AC Employee Win All - Client Provisioning Policy Rule

Attribute Value

Rule Status Enable

Rule Name AC Employee Win All

Identity Groups Any

Operating Systems Windows All

Other Conditions demo.local:External Groups EQUALS demo.local/HCC/Groups/Employees

Results Agent: acConfigWin

Guest Win All - Client Provisioning Policy Rule

Attribute Value

Rule Status Enable

Rule Name Guest Win All

Identity Groups Any

Operating Systems Windows All

Other Conditions Network Access:UseCase EQUALS Guest Flow

Results Agent: CiscoTemporalAgentWindows 4.5.02036
        Profile: acWinPostureProfile

Step 3 Verify your configuration with the following screenshot then click Save.



Activity Verification
You have completed this task when you attain this result:
• You have configured client provisioning policies for Cisco AnyConnect, Cisco NAC
Agent, and Cisco NAC WebAgent.

Lab 6-3: Configuring Posture Policies
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure some simple Cisco ISE posture policies to provide for a
functional orientation to posture policies. After completing this activity, you will be able to
meet these objectives:
• Configure posture conditions
• Configure posture remediations
• Configure posture requirements
• Configure posture policies

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
• Admin PC
• ISE-1
• AD1
• W10PC-Corp
• vWLC



Task 1: Configuring Posture Conditions
In this task, you will configure some simple file conditions as well as antivirus compound
conditions for both installation and definition age.

Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 In the right pane, click +Add and create the following three File Conditions.

Caution Be aware of the case of the file name PUTTY. The Cisco NAC Agent file evaluation is
case sensitive, but the Cisco AnyConnect evaluation is not.

Caution The operator is Later than, not Later than or Equal to. This is a common
configuration error.

File Condition – PuTTY_Version

Attribute Value

Name PuTTY_Version

Description Check for an acceptable PuTTY Version

Operating System Windows All


File Type FileVersion

File Path ABSOLUTE_PATH c:\tools\PUTTY.EXE

Operator Later than


File Version 0.61

File Condition – Bad_File

Attribute Value

Name Bad_File

Description Check for a Bad file

Operating System Windows All


File Type FileExistence

File Path ABSOLUTE_PATH C:\test\virus.txt

Operator DoesNotExist

File Condition – Good_File

Attribute Value

Name Good_File

Description Check for a Good file

Operating System Windows All

File Type FileExistence

File Path ABSOLUTE_PATH C:\test\good.txt

Operator Exists

Step 3 In the left pane, select Anti-Virus.


Step 4 In the right pane, click +Add and create the following AV Compound
Conditions.

Caution Be sure to Submit after each one.

AV Compound Condition – ClamWin_AV_Installed

Attribute Value

Name ClamWin_AV_Installed

Description Check for ClamWin AV Install

Operating System Windows All

Vendor ClamWin

Check Type [ X ] Installation [ ] Definition

Products for Selected Vendor

Product Name • ClamWin Antivirus
             • ClamWin Free Antivirus

AV Compound Condition – ClamWin_AV_Current

Attribute Value

Name ClamWin_AV_Current

Description Check for ClamWin AV Definition

Operating System Windows All

Vendor ClamWin

Check Type [ ] Installation [ X ] Definition

Option Allow virus definition file to be [ 7 ] days older than ( X ) current system date

Products for Selected Vendor

Product Name • Any

Step 5 In the left pane, select Firewall Condition.


Step 6 In the right pane, click +Add and create the following Firewall Compound
Conditions.



Firewall Compound Condition – Any_FW_Running

Attribute Value

Name Any_FW_Running

Description Check for Firewall is enabled

Compliance Module 4.x or later

Operating System Windows All

Vendor Any

Check Type [ X ] Enable

Products for Selected Vendor

Vendor • Any

Activity Verification
You have completed this task when you attain these results:
• You have configured three posture file conditions.
• You have configured an antivirus installation condition.

Task 2: Configuring Posture Remediation
In this task, you will configure remediation processes to instruct users on how to handle
systems that do not meet compliance requirements.

Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Policy Elements and then
Remediations > File.
Step 2 In the right pane, click +Add and create the following File Remediation.
File Remediation – PuTTY_62

Attribute Value

Name PuTTY_62

Description Approved PuTTY version 0.62

Version 0.62

File to Upload C:\tools\PUTTY\PUTTY.EXE

Step 3 Click Submit.


Step 4 Click +Add again and create the following File Remediation.

Note The File to Upload—c:\tools\good.txt—in the table below does not yet exist on your
system. You will be creating it during the process of browsing for a file to upload.

Follow the procedure in the second table to create the good.txt file.

File Remediation – Good_File

Attribute Value

Name Good_File

Description Our corporate good file

Version 1.0

File to Upload C:\tools\good.txt (See procedure below)

Procedure to create good.txt

Step Action Notes

1. In the File to Upload line, click Browse.

2. Right-click in an open area. (See image below.)

3. Select New from the menu. (See image below.)

4. Select Text Document from the submenu. (See image below.)

5. Rename the newly created New Text Document.txt to good.

6. Click off of the file to complete the file renaming process.


7. Right-click on good.txt.

8. From the menu, select Edit.

9. In Notepad, write the following:

good file v1.0

10. Close the document by clicking on the X in the upper right-hand corner and, when
prompted, click Save. (You may alternately perform a File > Save before closing the file.)

Step 5 Click Submit.


Step 6 In the left-hand pane, select Link.
Step 7 In the right pane, click +Add and create the following Link Remediation.
Link Remediation – Install_ClamWin_AV

Attribute Value

Name Install_ClamWin_AV

Description URL link to install ClamAV package

Remediation Type Manual

Interval 0

Retry Count 0

URL http://tools.demo.local/updates/clamwin-0.99.1-setup.exe
Step 8 Click Submit.
Step 9 In the left-hand pane, select Anti-Virus.
Step 10 In the right pane, click +Add and create the following AV Remediation.

AV Remediation – Update_ClamWin_AV

Attribute Value

Name Update_ClamWin_AV

Description Update ClamWin definitions

Operating System Windows

Remediation Type Manual

Interval 0

Retry Count 0

Vendor ClamWin
Step 11 Click Submit.
Step 12 Edit the default AnyAVDefRemediationWin remediation and change the
Remediation Type from Automatic to Manual and click Save.

Activity Verification
You have completed this task when you attain this result:
• You have configured posture remediation actions for users whose systems do not meet
compliance requirements.



Task 3: Configuring Posture Requirements
In this task, you will configure posture requirements that utilize the previously configured
conditions and remediations.

Activity Procedure
Complete these steps:
Step 1 In the left pane, navigate to Work Centers > Posture > Policy Elements >
Requirements.
Step 2 Edit the Any_AV_Installation_Win requirement and modify the Remediation
Action. Change the Message Text shown to Agent User to the following:
An approved Antivirus program was NOT detected on your PC. All users must
have a current AV program installed before access is granted to the network. If
you would like to install a free version of ClamWin AV, please go to
http://tools.demo.local/updates/clamwin-0.99.1-setup.exe

Tip You may access the following resource from a separate tab in Firefox to copy/paste
message text:

http://tools.demo.local/cp/Posture-Requirements-excercise-6.rtf

Step 3 Add the following Requirements by using the same method as adding policy rules
(Edit down arrow at end of line).
Posture Requirement – ClamWin AV Install Win

Attribute Value

Name ClamWin AV Install Win

Operating System Windows All

Compliance Module 3.x or earlier

Posture Type AnyConnect

Conditions User Defined Conditions > Anti-Virus Conditions > ClamWin_AV_Installed

Remediation Actions Action: Install_ClamWin_AV

Posture Requirement – ClamWin AV Current Win

Attribute Value

Name ClamWin AV Current Win

Operating System Windows All

Compliance Module 3.x or earlier

Posture Type AnyConnect

Conditions User Defined Conditions > Anti-Virus Conditions > ClamWin_AV_Current

Remediation Actions Action: Update_ClamWin_AV


Message shown to Agent User:

All users must have ClamWin with current signatures. Please click start
to update the signatures now.

Posture Requirement – PuTTY 62

Attribute Value

Name PuTTY 62

Operating System Windows All

Compliance Module Any version

Posture Type AnyConnect

Conditions User Defined Conditions > File Conditions > PuTTY_Version

Remediation Actions Action: PuTTY_62


Message Shown to Agent User:

Save this file to C:\tools\

Posture Requirement – Good File

Attribute Value

Name Good File

Operating System Windows All

Compliance Module Any version

Posture Type AnyConnect

Conditions User Defined Conditions > File Conditions > Good_File

Remediation Actions Action: Good_File


Message Shown to Agent User:

Right-click and save this file to C:\test\


Create a New Folder if needed.

Posture Requirement – Bad File

Attribute Value

Name Bad File

Operating System Windows All

Compliance Module Any version

Posture Type AnyConnect

Conditions User Defined Conditions > File Conditions > Bad_File

Remediation Actions Action: Message Text Only


Message Shown to Agent User:

You have a bad file. Go delete the file C:\test\virus.txt



Posture Requirement – Firewall

Attribute Value

Name Firewall

Operating System Windows All

Compliance Module 4.x or later

Posture Type Temporal Agent

Conditions User Defined Conditions > Firewall Conditions > Any_FW_Running

Remediation Actions Action: Message Text Only


Message Shown to Agent User:

Firewall is disabled. Enable the Windows Firewall and Re-Scan your system.

Step 4 You should have the following requirements at the bottom of your list.

Step 5 Change Posture Type to Temporal Agent in the rules Any_AM_Installation_Win
and Any_AM_Definition_Win.

Step 6 Scroll down and click Save.

Activity Verification
You have completed this task when you attain this result:
• You have combined the previously configured conditions and remediation actions into
posture requirement configurations.

Task 4: Configuring Posture Policies
In this task, you will configure posture policies that will be utilized in client access
assessments. You will add these policies in a disabled state and enable them in a
later lab.

Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Posture Policy.
Step 2 Create the following rules.

Note Posture Policy Status is configured by changing the icon at the beginning of the rule.

Note Requirement Status is configured by changing the icon in front of the Requirement
Name.

Posture Policy – File Checks


Attribute Value

Status Disabled

Name File Checks

Identity Groups Any

Operating System Windows All

Compliance Module Any version

Posture Type AnyConnect

Other Conditions -

Requirements Status Requirement Name

Mandatory Good File

Mandatory PuTTY 62

Audit Bad File



Posture Policy – AD Win7 Users AV

Attribute Value

Status Disabled

Name AD Win Users AV

Identity Groups Any

Operating System Windows All

Compliance Module 3.x or earlier

Posture Type AnyConnect

Other Conditions demo.local:ExternalGroups EQUALS demo.local/Users/Domain Users

Requirements Status Requirement Name

Mandatory ClamWin AV Install Win

Mandatory ClamWin AV Current Win

Posture Policy – Guest Windows AV


Attribute Value

Status Disabled
Name Guest Windows AV
Identity Groups Any
Operating System Windows All
Compliance Module 4.x or later
Posture Type Temporal Agent
Other Conditions Network Access:UseCase EQUALS Guest Flow
Requirements Status Requirement Name

Mandatory Any_AM_Installation_Win

Optional Any_AM_Definition_Win

Mandatory Firewall

Step 3 Verify your configuration with the following screenshots. Order is not important.

Step 4 Scroll down and click Save.

Activity Verification
You have completed this task when you attain this result:
• You have configured posture policies based on the elements that you configured in the
previous tasks.

Lab 6-4: Testing and Monitoring Compliance
Based Access
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will perform client based access utilizing the previously configured
posture compliance configuration. After completing this activity, you will be able to meet
these objectives:
• Perform client access utilizing NAC WebAgent for compliance checking.
• Perform client access utilizing the Cisco NAC Agent for compliance checking.
• Perform client access utilizing the Cisco AnyConnect Unified Agent for
compliance checking.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1
• AD1
• W10PC-Corp
• vWLC



Command List
The table describes the commands that are used in this activity.
3650 Switch Commands

Command Description

show authentication sessions interface GigabitEthernet 1/0/2 detail    Shows the applied session details for the current session(s) on the indicated interface.

Task 1: Web Agent Access
In this task, you will use the Cisco NAC Web agent to perform compliance testing and
remediation.

Activity Procedure
Complete these steps:
Web Agent Access with No Policies Enabled
Step 1 Access your Win7-Guest PC and login with the credentials administrator /
1234QWer.
Step 2 Using the icon on the desktop, access the Win7-Guest PC Network
Connections.
Step 3 Enable the NIC, if needed.
Step 4 Open Firefox and browse to cisco.com. You should be redirected to the
Guest Portal.

Note You may have to clear the auth session on interface gi1/0/2 or perform a shut / no shut.

Note Accept the certificate warning.

Step 5 Use one of the accounts that you have created in the sponsor portal during the
guest portal labs. In the case that all accounts are expired, create a new account.
Step 6 Click Continue.
Step 7 Click the checkbox to accept the risk and want to run this application and
click Run.
Step 8 Click +This is what to do next, to start the posture process.
Step 9 Click on the link Click here to download Cisco Temporal Agent.

Note If nothing happens, refresh the webpage.

Step 10 Change to the download directory and double click the executable cisco-win-
4.5.02036-tempagent….exe.
Step 11 Wait a few seconds and then click the Run button.
Step 12 Accept the Certificate is not trusted message by clicking Connect Anyway.
Step 13 You should see Network access allowed. Click Quit to close the Cisco
Temporal Agent window.
Step 14 Return to the Cisco ISE admin portal on the Admin PC.
Step 15 Navigate to Operations > RADIUS > Live Logs.
Step 16 Observe the guest PC access flow which first assigns the Authorization Profile
CWA Posture Remediation and then Internet Only with a Posture Status of
Compliant.

Note The following screenshot output is filtered to show only specific information for this task.



Optional Switch Validation
Step 17 Access the 3k-access switch.
Step 18 Perform the following command and observe the highlighted areas on your
output.
3k-access# show authentication sessions interface GigabitEthernet 1/0/2 detail
3k-access#sh authentication sessions interface gigabitEthernet 1/0/2 details
Interface: GigabitEthernet1/0/2
IIF-ID: 0x104508000000067
MAC Address: 0050.5680.0452
IPv6 Address: Unknown
IPv4 Address: 10.1.50.202
User-Name: jmoriarty
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 1800s (server), Remaining: 1420s
Timeout action: Terminate
Common Session ID: 0A01640100000FC052C8B534
Acct Session ID: 0x00000FC1
Handle: 0x1A00000E
Current Policy: POLICY_Gi1/0/2

Server Policies:
ACS ACL: xACSACLx-IP-acl_internet_only-578cace7

Method status list:


Method State
mab Authc Success

Web Agent Access with Policies Enabled
Step 19 Return to the Cisco ISE admin portal.
Step 20 Navigate to Work Centers > Posture > Posture Policy.
Step 21 Enable the Guest Windows AV rule.

Step 22 Scroll down and click Save.


Step 23 On the 3k-access switch, perform a shut / no shut operation on interface
GigabitEthernet 1/0/2.
Step 24 Wait approximately 30 seconds for DHCP to process and then perform the
following command observing the highlighted fields which would correlate with
the “CWA Posture Remediation” authorization profile.
3k-access# show authentication sessions interface GigabitEthernet 1/0/2 detail



3k-access#sh authentication sessions interface gigabitEthernet 1/0/2 details
Interface: GigabitEthernet1/0/2
IIF-ID: 0x1056E800000006F
MAC Address: 002a.6a4c.bff4
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-2A-6A-4C-BF-F4
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FC991A79356
Acct Session ID: 0x00000FC9
Handle: 0x8C000016
Current Policy: POLICY_Gi1/0/2

Server Policies:
URL Redirect: https://ise-1.demo.local:8443/portal/gateway?sessionId=0A01640100000FC991A79356&portal=19876a32-42a9-11e6-bf0b-005056803295&action=cwa&token=b88f2f63dfcfa3134b6933859c4e0c6f
URL Redirect ACL: ISE-URL-REDIRECT
ACS ACL: xACSACLx-IP-acl_posture_remediation-578cacae

Method status list:


Method State
mab Authc Success
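Steps 18 and 24 have you pick the redirect URL and the dACL names out of this output by eye. As an added example that is not part of the lab guide or any Cisco tooling, the following Python parses the switch output and classifies which phase of the posture flow the session is in; it assumes the PSN hostname ise-1.demo.local from the lab, and its sample captures are constructed from the two outputs above with some fields trimmed and the CWA token replaced by a placeholder.

```python
"""Added example, not code from the Fast Lane guide or Cisco: parse the switch's
'show authentication sessions interface ... details' output and tell the
posture-remediation phase (URL redirect plus the remediation dACL) from the
final compliant phase (internet-only dACL) that Lab 6-4 has you read by eye."""
import re
from urllib.parse import urlsplit

# Constructed samples modelled on the two captures in Lab 6-4; fields trimmed and
# the CWA token replaced by a placeholder.
SAMPLE_REDIRECT = """\
3k-access#sh authentication sessions interface gigabitEthernet 1/0/2 details
            Interface:  GigabitEthernet1/0/2
          MAC Address:  002a.6a4c.bff4
         IPv4 Address:  Unknown
            User-Name:  00-2A-6A-4C-BF-F4
      Session timeout:  N/A
    Common Session ID:  0A01640100000FC991A79356

Server Policies:
         URL Redirect:  https://ise-1.demo.local:8443/portal/gateway?sessionId=0A01640100000FC991A79356&action=cwa&token=TOKEN_PLACEHOLDER
     URL Redirect ACL:  ISE-URL-REDIRECT
              ACS ACL:  xACSACLx-IP-acl_posture_remediation-578cacae

Method status list:
       Method           State
       mab              Authc Success
"""

SAMPLE_COMPLIANT = """\
3k-access#sh authentication sessions interface gigabitEthernet 1/0/2 details
            Interface:  GigabitEthernet1/0/2
          MAC Address:  0050.5680.0452
         IPv4 Address:  10.1.50.202
            User-Name:  jmoriarty
      Session timeout:  1800s (server), Remaining: 1420s
    Common Session ID:  0A01640100000FC052C8B534

Server Policies:
              ACS ACL:  xACSACLx-IP-acl_internet_only-578cace7

Method status list:
       Method           State
       mab              Authc Success
"""

# MAB sessions carry the MAC as User-Name until the guest logs in through the portal.
MAC_USERNAME = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def parse_auth_session(text: str) -> dict:
    """Turn the 'Key: Value' output into a dict; Server Policies and the method
    status list become nested dicts."""
    session = {"server_policies": {}, "methods": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("3k-access#"):
            continue
        if line == "Server Policies:":
            section = "policies"
            continue
        if line.startswith("Method status list"):
            section = "methods"
            continue
        if section == "methods":
            if not line.startswith("Method"):        # skip the header row
                method, state = line.split(None, 1)
                session["methods"][method] = state
            continue
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        target = session["server_policies"] if section == "policies" else session
        target[key] = value
    return session


def posture_phase(session: dict, expected_psn: str) -> str:
    """Classify the session; a redirect to anything but the expected PSN is flagged."""
    policies = session["server_policies"]
    acl = policies.get("ACS ACL", "")
    redirect = policies.get("URL Redirect")
    if redirect and "posture_remediation" in acl:
        if (urlsplit(redirect).hostname or "") != expected_psn.lower():
            return "redirect-to-unexpected-host"
        return "posture-remediation"
    if not redirect and "internet_only" in acl:
        return "compliant"
    return "unknown"


def summarize(text: str, expected_psn: str = "ise-1.demo.local") -> dict:
    """The fields the lab highlights, in one small dict."""
    s = parse_auth_session(text)
    return {
        "phase": posture_phase(s, expected_psn),
        "user_identified": not MAC_USERNAME.match(s.get("User-Name", "")),
        "dacl": s["server_policies"].get("ACS ACL"),
        "session_id": s.get("Common Session ID"),
    }
```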

Step 25 Return to the Guest PC.


Step 26 Using the icon on the desktop, access the Win7-Guest PC Network
Connections.
Step 27 Clear any existing session by disabling and then enabling the NIC.
Step 28 Open Firefox and browse to http://www.cisco.com. You should be redirected
to the Guest Portal.
Step 29 Log in with the guest credentials provided earlier in this task.
Step 30 Run through all the prompts as before, accepting each.

Step 31 Observe in the Cisco Temporal Agent pop-up that the Host is not compliant
with the network security policy.

Step 32 The Security Compliance Summary contains the details and the required steps to
remediate within the time remaining.
Step 33 Click Start and in the Search for Programs and Files text box, type services and
press Enter
Step 34 Check whether the Windows Firewall service is disabled. Open its properties and
change the Startup type to Automatic if needed.
Step 35 Click the Apply button and then click the Start button.
Step 36 Click OK and close the Services window.
Step 37 Open the Control Panel and navigate to All Control Panel Items > Action
Center. Click the button Turn on now next to Network Firewall (Important).
Step 38 Click the Re-Scan button at the bottom of the agent.
Step 39 Observe that the Firewall check now passes.
Step 40 Observe that the Temporal Agent, after scanning the system, continues with a
warning message that your AM is not up to date. This requirement is optional, so you
have the choice to update the AM or skip the update.
Step 41 Click Skip All.



Step 42 ISE webpage shows Compliant – Network access allowed.
Step 43 Click the Quit button.
Step 44 Your access to cisco.com should be successful.
Step 45 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs and observe the authentications results.

Activity Verification
You have completed this task when you attain these results:
• You have accessed the network via a guest account, and that session has been processed
for compliance via the Cisco NAC Web agent.
• You have remediated your compliance requirements based on instructions received via
the Cisco NAC Web agent.

Task 2: AnyConnect Unified Agent Access
In this task, you will use the Cisco AnyConnect Unified Agent to perform compliance
testing and remediation.

Activity Procedure
Complete these steps:
AnyConnect Unified Agent Deployment.
Step 1 Return to the W10PC-Corp.
Step 2 Log in as student / 1234QWer.
Step 3 Open up network settings and enable the NIC if not enabled.
Step 4 Open Services from Windows Administrative Tools in the Start menu.
Step 5 Verify and, if necessary, modify the Wired AutoConfig service to have a startup
type of Automatic and then Start the service.
Step 6 Click OK.
Step 7 Close the services console.
Step 8 Return to the NIC settings and open the properties for the NIC.
Step 9 Click the Authentication tab.
Step 10 Click the Settings button.
Step 11 Uncheck the box to validate the server certificate.
Step 12 Click OK.
Step 13 Make sure the “Remember my credentials…” box is unchecked.
Step 14 Click OK.
Step 15 Restart the client machine using the Start menu and log back in as employee1 /
1234QWer.
Step 16 Open Firefox browser.
Step 17 Browse to http://www.cisco.com, you should be redirected to the Client
Provisioning Portal. Accept any security notices if presented.
Step 18 You should be notified that a Device Security Check is required, click Start.
Step 19 The process will attempt to detect if the AnyConnect Posture Agent is installed.
Once prompted, click + This is my first time here.
Step 20 In the instructions click the hyperlink to Click here to download, install
AnyConnect.
Step 21 Click Save File.
Step 22 Click the file in the download dialog box and will be presented the dialog box -
click Run.



Step 23 The Cisco Network Setup Assistant should notify you that you are connected to
ise-1.demo.local, whose identity has been certified. Click Connect.

Step 24 Cisco AnyConnect will install automatically.


Step 25 At the end you will be notified that a restart is required. Click Yes.

Note If the installation process shows Failed to launch Cisco AnyConnect Secure Mobility
Client Downloader and does not prompt for a reboot, log off and continue. Only if Step 30
does not appear as described, uninstall Cisco AnyConnect Secure Mobility Client (which
includes a reboot) and perform the task again from Step 20.

Step 26 Once the system is back up, login again as employee1 / 1234QWer.
Step 27 Once logged in, AnyConnect will log on via EAP-FAST and the ISE Posture
module will perform a scan. The results will show that the Good File update is
required. Click Start to begin remediation.

Step 28 Navigate to c:\test\ and click Save.

Step 29 You will be notified that the save operation was successful and given the
opportunity to open the folder location where the file was saved. Click Cancel.

Step 30 Observe that your system is now Compliant. Trigger a reauthentication/rescan by
clicking the EAP-FAST profile if needed.

Step 31 In the live authentications list, observe the authentication process of Pending, and
then Compliant after remediation.

Step 32 Open Windows Explorer and navigate to C:\test\.


Step 33 Right-click and from the menu select New, then Text Document. Name the new
file “virus” without an extension. Extensions are hidden by default so the .txt
will not show in this view.
Step 34 Log off and log back on as demo\employee1.
Step 35 As the Bad File check is in audit mode only, the system will still be compliant.
Step 36 In ISE, navigate to Operations > RADIUS > Live Logs.



Step 37 Find the most recent logon for the employee1 user that was assigned the Wired
Employee Access authorization profile.
Step 38 Click on the Posture Status of Compliant hyperlink. This will run a summary
report from the endpoint in a new tab.

Activity Verification
You have completed this task when you attain these results:
• You have accessed the network via an employee account, and that session has been
processed for compliance via the Cisco AnyConnect Unified Agent.
• You have remediated your compliance requirements based on instructions received via
the Cisco AnyConnect Unified Agent.

Lab 6-5: Compliance Policy Testing
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will examine the effects of a faulty policy and review methods of
identifying and troubleshooting such a policy. After completing this activity, you will be
able to meet these objectives:
• Use Posture Reports for troubleshooting
• Use the Posture Troubleshooter tool

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1
• AD1
• W10PC-Corp
• vWLC



Task 1: Configure a Faulty Policy
In this task you will configure a faulty policy in order to generate failure events that will be
utilized in future tasks.
Activity Procedure
Complete these steps:
Step 1 On the admin PC, in the Cisco ISE admin portal navigate to Policy > Policy
Elements > Conditions and then Posture > File Condition.
Step 2 Edit the PuTTY_Version you created earlier.
Step 3 Change the file from PUTTY.EXE to PUTTTY.exe (you are adding an extra
‘T’) and verify with the screenshot below.

Step 4 Click Save.


Step 5 Navigate to Administration > System > Settings > Posture > General Settings.
Step 6 Set the Remediation Timer to 5 minutes to shorten the waiting time for the next
task.
Step 7 Click the Save button.
Step 8 Return to the W10PC-Corp, log off and log back on as employee1 / 1234QWer.
Step 9 The PuTTY 62 requirement should fail.

Step 10 Do not remediate; wait for the timer to expire and then continue to the next
task.
Activity Verification
You have completed this task when you attain this result:
• You have configured a faulty policy that has resulted in a failed compliance access
attempt.

Task 2: Use Posture Reports for Troubleshooting
In this task, you will examine posture reports as a mechanism to troubleshoot compliance-
based access failures.

Activity Procedure
Complete these steps:
Step 1 In ISE, navigate to Work Centers > Posture > Reports and then Reports >
Posture Reports > Posture Assessment by Endpoint.
Step 2 Modify the Time Range from Today to Last 30 Minutes.

Step 3 Click on the Details icon for the failed posture assessment.

Step 4 Scroll to the bottom of the report and observe the Posture Policy Details.
Step 5 Observe that the Failed condition is PuTTY_Version.

Step 6 Also observe that Bad File, which is in Audit enforcement mode (meaning
transparent to the user), does not appear in the Passed column either. This check was
skipped because the file checks are done serially, one at a time.
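The Mandatory, Optional and Audit requirement statuses set in Lab 6-3 Task 4, and the skipped check observed in this step, combine into the endpoint's verdict as modelled below. This is an added Python model, not code from the lab guide or Cisco; the endpoint facts it consumes are constructed, and the 7-day definition window it uses for Any_AM_Definition_Win is an assumption the guide does not state.

```python
"""Added example, not code from the Fast Lane guide or Cisco: a model of how the
requirement statuses set in Lab 6-3 Task 4 (Mandatory, Optional, Audit) combine
into the Compliant / NonCompliant verdict seen in Labs 6-4 and 6-5."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    """Constructed stand-in for the facts the posture agent collects from the PC."""
    files: Dict[str, Optional[str]]   # path -> file version, or None if only existence matters
    av_installed: bool
    av_definition_date: date
    today: date
    firewall_enabled: bool

    def __post_init__(self):
        # AnyConnect file checks are not case sensitive (Lab 6-3 Caution), so normalise paths.
        self.files = {p.lower(): v for p, v in self.files.items()}


Condition = Callable[[Endpoint], bool]


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def file_exists(path: str) -> Condition:
    return lambda ep: path.lower() in ep.files


def file_does_not_exist(path: str) -> Condition:
    return lambda ep: path.lower() not in ep.files


def file_version_later_than(path: str, minimum: str) -> Condition:
    # The operator is "Later than", not "Later than or Equal to": an equal version fails.
    def check(ep: Endpoint) -> bool:
        ver = ep.files.get(path.lower())
        return ver is not None and _version(ver) > _version(minimum)
    return check


def av_installed() -> Condition:
    return lambda ep: ep.av_installed


def av_definitions_within(days: int) -> Condition:
    # "Allow virus definition file to be N days older than current system date".
    return lambda ep: ep.today - ep.av_definition_date <= timedelta(days=days)


def firewall_enabled() -> Condition:
    return lambda ep: ep.firewall_enabled


@dataclass
class Requirement:
    name: str
    status: str          # "Mandatory", "Optional" or "Audit"
    condition: Condition
    message: str         # text shown to the agent user on failure


def evaluate_policy(requirements: List[Requirement], ep: Endpoint) -> dict:
    """Evaluate requirements serially. A Mandatory failure makes the endpoint
    NonCompliant and ends the scan, so later requirements are skipped (neither Passed
    nor Failed, as in Lab 6-5 Task 2). An Optional failure only offers a remediation the
    user may skip. An Audit failure is recorded for the report and never shown."""
    result = {"verdict": "Compliant", "passed": [], "failed": [], "skipped": [],
              "audit_failed": [], "remediations": []}
    for i, req in enumerate(requirements):
        if req.condition(ep):
            result["passed"].append(req.name)
        elif req.status == "Audit":
            result["audit_failed"].append(req.name)
        else:
            result["failed"].append(req.name)
            result["remediations"].append(req.message)
            if req.status == "Mandatory":
                result["verdict"] = "NonCompliant"
                result["skipped"] = [r.name for r in requirements[i + 1:]]
                break
    return result


# The "File Checks" posture policy from Lab 6-3 Task 4, in the guide's order.
FILE_CHECKS = [
    Requirement("Good File", "Mandatory", file_exists(r"C:\test\good.txt"),
                "Right-click and save this file to C:\\test\\"),
    Requirement("PuTTY 62", "Mandatory", file_version_later_than(r"c:\tools\PUTTY.EXE", "0.61"),
                "Save this file to C:\\tools\\"),
    Requirement("Bad File", "Audit", file_does_not_exist(r"C:\test\virus.txt"),
                "You have a bad file. Go delete the file C:\\test\\virus.txt"),
]

# The "Guest Windows AV" policy. The 7-day definition window is an assumption; the
# guide does not state what the built-in Any_AM_Definition_Win condition allows.
GUEST_WINDOWS_AV = [
    Requirement("Any_AM_Installation_Win", "Mandatory", av_installed(), "Install an AV program"),
    Requirement("Any_AM_Definition_Win", "Optional", av_definitions_within(7), "Update AV definitions"),
    Requirement("Firewall", "Mandatory", firewall_enabled(),
                "Firewall is disabled. Enable the Windows Firewall and Re-Scan your system."),
]


def sample_endpoint(files, av_days_old=0, firewall=True, av=True) -> Endpoint:
    """Constructed endpoint facts with a fixed 'today' so results are reproducible."""
    today = date(2018, 6, 3)
    return Endpoint(files, av, today - timedelta(days=av_days_old), today, firewall)
```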

Activity Verification
You have completed this task when you attain this result:
• You have run a posture report and identified the failing condition.



Task 3: Using the Posture Troubleshooter
In this task, you will examine the Posture Troubleshooter as a mechanism to identify compliance-
based access failures.

Activity Procedure
Complete these steps:
Step 1 In ISE, navigate to Work Centers > Posture > Troubleshoot.
Step 2 In the form, click the Select button at the end of the Username field. In the next
pop-up click Search. From the list of Usernames select employee1 and click
Apply.
Step 3 Go to the bottom of the form and click Search.
Step 4 In the results, click the failed result and click Troubleshoot.

Step 5 Click Show Results Summary once complete.

Step 6 Observe the details of what passed and what failed, presented in another format.

Step 7 Click Done.

Activity Verification
You have completed this task when you attain this result:
• You have run the posture troubleshooter and identified the failing condition.



Task 4: Policy Correction and Testing
In this task, you will correct the policy you purposely misconfigured at the beginning of this
lab. You will also observe the result of an audit condition via posture reports.

Activity Procedure
Complete these steps:
Policy Correction
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 Edit the PuTTY_Version you modified earlier.
Step 3 Change the file from PUTTTY.EXE to PUTTY.exe (you are removing the
extra ‘T’).

Step 4 Click Save.


Testing Policy Correction
Step 1 Return to the W10PC-Corp.
Step 2 In the AnyConnect drop-down, select EAP-FAST. This will cause a re-
authentication and then the posture module will reconnect to ISE and perform
another posture check. Your posture check should succeed.
Posture Report Verification
Step 3 Return to the Cisco ISE admin portal.
Step 4 Navigate to Work Centers > Posture > Reports and then Reports > Posture
Reports > Posture Assessment by Endpoint.
Step 5 Modify the Time Range from Today to Last 30 Minutes.
Step 6 Click on the details for the recent passed assessment.

Step 7 Scroll to the bottom and observe that the only failed condition now is the Audit
mode Bad File condition.

Tip This is an effective way of analyzing systems upon access to determine the status of a
program without notifying the user.

Tip One example of using this feature would be to analyze systems for a file or files that are
suspicious. An administrator could determine if the files are on any of the systems, and
then make decisions on how to proceed.

Activity Verification
You have completed this task when you attain these results:
• You have corrected the policy misconfiguration that you introduced at the beginning of
the lab.
• You have observed the failed condition that is running in audit enforcement mode.

(Optional) Lab 6-6: MDM Integration with Cisco
ISE
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure Cisco ISE to integrate with the Meraki cloud MDM. After
completing this activity, you will be able to meet these objectives:
• Integrate an MDM into Cisco ISE
• Identify Cisco ISE MDM dictionary attributes
• Configure Cisco ISE to grant access based on the external MDM compliance status

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1
• AD1
• W10PC-Corp
• vWLC

Task 1: MDM Integration
In this task, you will perform the steps necessary to add an external MDM to Cisco ISE.

Activity Procedure
Complete these steps:
Install MDM Certificate
Step 1 Navigate to Administration > System > Certificates > Certificate
Management > Trusted Certificates.
Step 2 Verify there is not a Meraki certificate listed.

Note If there is a Meraki certificate listed, notify your instructor.

Step 3 In Firefox, navigate to n192.meraki.com. You can use the prepared bookmark.
Step 4 Click the lock icon to the left of the URL, then click the arrow on the right side.

Step 5 Click More Information...

Step 6 Click View Certificate.

Step 7 Navigate to the Details tab.
Step 8 Click Export.
Step 9 Save the X.509 certificate in the Meraki folder located on the Desktop as
“Meraki_Certificate”.
Step 10 Go back to Administration > System > Certificates > Certificate
Management > Trusted Certificates.
Step 11 In the toolbar, click +Import and fill out the form with the following values.
Meraki Certificate Import

Attribute Value

Location C:\Users\Admin\Desktop\Meraki\Meraki_Certificate.crt

Friendly Name Meraki

Trusted For • Trust for authentication within ISE
            • Trust for authentication of Cisco Services

Description Meraki Certificate

Step 12 Click Submit.
Add MDM Server
Step 13 Navigate to Administration > Network Resources > External MDM.
Step 14 In the right pane, click +Add.
Step 15 Fill in the details as shown.

Note You will find the hostname, username and password, ready to copy and paste, in the file
Meraki Server details.txt in the folder Desktop\Meraki\.

Meraki MDM Settings

Attribute Value

Name Meraki_MDM

Server Type Mobile Device Manager

Authentication Type Basic

Host Name / IP Address n192.meraki.com

Port 443

Username d8b47bcc0de2d646711f2370a57900f3 <copy from textfile>

Password c734ba385614c4812cc08aa3f9069f9d <copy from textfile>

Polling Interval 15 (ONLY for the lab environment; see the hint in the GUI)

Status Enabled

Step 16 Click Test Connection. This should succeed with the following message.


Step 17 Click OK.


Step 18 Click Submit.
MDM Portal Adjustment
Step 19 Navigate to Administration > Device Portal Management > Mobile Device
Management.
Step 20 Edit the MDM Portal (default) portal.
Step 21 Verify that the Certificate group tag is set to ISE Lab CGT. If not, assign the
ISE Lab CGT.
Step 22 At the bottom, select the checkbox for Include a Support Information Page.
Step 23 Scroll up and click Save.
Step 24 Click Close.

Activity Verification
You have completed this task when you attain these results:
• You have installed the Meraki certificate in the trusted certificate store.
• You have added your pod Meraki server to Cisco ISE.
• You have adjusted the MDM portal.

Task 2: Configuring Cisco ISE Policy for MDM
In this task, you will configure the policy elements necessary for MDM onboarding and for
access based on the MDM compliance state.

Activity Procedure
Complete these steps:
Authorization Profiles
Step 1 Navigate to Policy > Policy Elements > Results > Authorization >
Authorization Profiles.
Step 2 Create and Save the following Authorization Profile.
MDM Quarantine Authorization Profile

Attribute Name Value

Name MDM Quarantine

Common Tasks

Web Redirection MDM Redirect


ACL: MDM_Quarantine_ACL
Value: MDM Portal (default)
MDM Server: Meraki_MDM

Note The MDM_Quarantine_ACL is preconfigured on your pod vWLC.

Step 3 Scroll down and click Submit.

Authorization Policy Configuration


Step 4 Navigate to Policy > Policy Sets and then Wireless_Access > Authorization
Policy.
Step 5 Edit the BYOD NSP rule.
Step 6 Change the name to Employee Personal Devices.
Step 7 Add the following Authorization Policy rules below the edited Employee
Personal Devices rule.

Tip Using the Duplicate function for rule creation will speed this process quite a bit.

Caution Be sure to select Radius:Calling-Station-ID [31] and not Radius:Called-Station-ID [30]

Reg with ISE NOT MDM - Authorization Policy rule

Attribute Value

Rule Name Reg with ISE NOT MDM

Conditions (identity groups and other conditions)
    IdentityGroup:Name EQUALS Endpoint Identity Groups:RegisteredDevices
    AND Wireless_802.1X
    AND Network Access:EapAuthentication EQUALS EAP-TLS
    AND CERTIFICATE:Subject Alternative Name - EMail EQUALS Radius:Calling-Station-ID [31]
    AND MDM:DeviceRegisterStatus EQUALS UnRegistered

Results (Profiles) MDM Quarantine

Reg with ISE AND MDM non_comp - Authorization Policy rule

Attribute Value

Rule Name Reg with ISE AND MDM non_comp

Conditions (identity groups and other conditions)
    IdentityGroup:Name EQUALS Endpoint Identity Groups:RegisteredDevices
    AND Wireless_802.1X
    AND Network Access:EapAuthentication EQUALS EAP-TLS
    AND CERTIFICATE:Subject Alternative Name - EMail EQUALS Radius:Calling-Station-ID [31]
    AND MDM:DeviceCompliantStatus EQUALS NonCompliant

Results (Profiles) MDM Quarantine

Step 6 Edit the BYOD Access rule.

Step 7 Change the name to Reg with ISE AND MDM comp and add the missing
conditions according to the following table:
Reg with ISE AND MDM comp - Authorization Policy rule

Attribute Value

Rule Name Reg with ISE AND MDM comp

Conditions (identity groups and other conditions)
    IdentityGroup:Name EQUALS Endpoint Identity Groups:RegisteredDevices
    AND Wireless_802.1X
    AND Network Access:EapAuthentication EQUALS EAP-TLS
    AND CERTIFICATE:Subject Alternative Name - EMail EQUALS Radius:Calling-Station-ID [31]
    AND MDM:DeviceCompliantStatus EQUALS Compliant

Results (Profiles) WLC_USER Access

Step 8 Review your policy against the following screenshot.

Step 9 Your Wireless_Access Authorization Policy should resemble the following table.
Make the necessary adjustments to ensure your policy matches it.
Enabled rules are shown in bold in the screenshot.

Tip Due to the complexity and functionality added to the policy by MDM and BYOD, it would
be prudent to add conditions to the Wireless AD Employees and Wireless AD Contractors
rules that additionally limit access to domain computers. This can be accomplished with
Machine Access Restriction (MAR), EAP chaining, or secondary logins.

Wireless Access Authorization Policy Order

Status Rule Name

Enabled Reg with ISE NOT MDM

Enabled Reg with ISE AND MDM non_comp

Enabled Reg with ISE AND MDM comp

Disabled Smart Devices

Enabled Guest Access

Disabled Sponsored Portal

Disabled Self-Reg with Approval

Disabled Self-Registration

Disabled Hotspot

Enabled Wireless AD Employees

Enabled Wireless AD Contractors

Enabled Wireless AD Computers

Enabled Default

Step 10 Scroll down and click Save.

Activity Verification
You have completed this task when you attain these results:
• You have configured authorization policy elements to support MDM compliance-based
access.
• You have configured authorization policies to support MDM onboarding and
compliance processing.

(Optional) Lab 6-7: MDM Access and
Configuration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will access the Meraki MDM console and review the configuration.
After completing this activity, you will be able to meet these objectives:
• Access the Meraki MDM web console
• Review the preconfigured MDM policies for your lab

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1
• AD1
• W10PC-Corp
• vWLC

Task 1: MDM Access
In this task, you will access the MDM solution and review the configuration.

Caution Make no changes.

Activity Procedure
Complete these steps:
Accessing the MDM Web Interface
Step 1 On your Admin PC, open a new tab in Firefox.
Step 2 Navigate to n192.meraki.com.
Step 3 Log in with the credentials ccnpsec@flane.de / 1234QWer!
Client and device enrollment
Step 4 Navigate to Systems manager > Monitor > Clients. Some devices may already be
registered from other lab pods. Verify that your device is not registered; you
can recognize it by the e-mail address. If you have any problems, ask your
instructor.
Step 5 Click Add devices; you are redirected to Systems manager > MDM > Add
devices.
Step 6 Select Android from the choices.
Step 7 Read the instructions for the methods of enrolling an Android device.
From the instructions, locate and write down the enrollment code, as it is
needed for the enrollment tasks:
Enrollment code: ____ - ____ - ____
Application Policy Review
Step 8 Navigate to Systems manager > MDM > Apps.
Step 9 Select and click the AnyConnect app.

Step 10 Verify the application policy with the following table.


App Policy - AnyConnect

Attribute Value

Vendor Cisco Systems, Inc.

Platform Android

Description For Android 4.0+ and later devices. Connect to your network
with AnyConnect…

Devices > Scope Install on devices with ANY of the following tags:
“recently-added” “Android devices”

Options > Remove with MDM Selected

Step 11 Navigate to Systems manager > Configure > Policies.


Step 12 Select and click the ISE_Android_MDM policy and verify the configured
entries:

Activity Verification
You have completed this task when you attain these results:
• You have successfully accessed the Meraki web console.
• You have reviewed the Meraki policies that are preconfigured for your lab.

(Optional) Lab 6-8: Client Access with MDM
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will perform client access from your pod Tablet with MDM compliance
checking and remediation. After completing this activity, you will be able to meet these
objectives:
• Perform mobile device access with Cisco ISE redirecting to an external MDM
• Perform mobile device onboarding via Cisco ISE and an external MDM
• Remediate your mobile device according to the external MDM policies
• Run Cisco ISE MDM reports

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1
• AD1
• W10PC-Corp
• vWLC

Task 1: Preparing the Tablet
In this task, you will clean the Tablet of all previously installed profiles in order to allow for
a new onboarding experience.

Activity Procedure
Complete these steps:
Activate Internet Access for the W10PC-Corp
Step 1 In ISE, navigate to Policy > Policy Sets > Wired_MAB_Access.
Step 2 Edit the Default Authorization policy rule from CWA Posture Remediation to
PermitAccess.
Step 3 Click Done and Save.

Step 4 Access the W10PC-Corp with student / 1234QWer.


Step 5 Verify under Properties > Authentication for your wired NIC that IEEE
802.1X authentication is not checked. Otherwise, uncheck the box and click OK.
Step 6 Open the Start menu and type services.msc
Step 7 From the Services list, select the “Cisco AnyConnect Secure Mobility Agent” and
click Stop in the left pane.
Step 8 Log off / log on again with administrator / 1234QWer.
Step 9 Access the Tablet.
Step 10 Navigate to Settings > Security.
Step 11 Scroll down and click Clear credentials.
Step 12 Confirm the “Attention – Remove all the contents?” message with OK.
Step 13 Click the HOME button and navigate to WLAN.
Step 14 Verify that WLAN is up and that you are not joined or connected to any network;
joined networks are listed at the top.
If you are connected, identify the joined network SSID(s) and follow these
steps:
1. Click the SSID as if you wanted to connect to it.
2. At the bottom, click FORGET to clear any previously cached settings
or credentials.
3. Wait a few seconds to see whether the tablet reconnects to another saved SSID;
if it does, perform step 2 again.

Activity Verification
You have completed this task when you attain this result:
• You have provided the W10PC-Corp with Internet access.

• You have removed all profiles from your pod Tablet and removed cached network
credentials.

Task 2: Client Onboarding with MDM Enrollment


In this task, you will onboard the Tablet and then perform an MDM enrollment. You will then
go through MDM compliance tracking using a preinstalled agent, and finally remediate by
installing the required application.

Activity Procedure
Complete these steps:
Tablet Network Access and BYOD Enrollment
Step 1 Join your pod ##-wpa2e network.
Step 2 Login using the credentials employee1@demo.local / 1234QWer.
Step 3 Open a browser and trigger a redirect by browsing to 1.1.1.1; this should
redirect you to the BYOD onboarding portal.
Step 4 Process through the BYOD portal process by clicking Start.
Step 5 Enter the Device Name: employee1_Tablet, Description: My Tablet.
Step 6 Click Continue, click the HOME button and open the preinstalled Cisco
Network Setup Assistant.
Step 7 Click Start.
Step 8 The PIN is 1234; install all profiles as before, accepting all defaults.
Step 9 Click Exit after “Connected to your pod ##-wpa2e” is displayed.
Step 10 Open a browser and browse to cisco.com. This should succeed.
MDM Enrollment
Step 11 Now browse to an internal resource, http://tools.demo.local/cp. This should
redirect you to the Meraki Security Manager Setup page.

Note The reason you can still browse to the outside is that the session state on the WLC
is WEBAUTH_REQD and the applied ACL, MDM_Quarantine_ACL, permits all traffic to
bypass the WEBAUTH_REQD redirect-URL function, except the specific traffic to the
inside network (line 5), which is redirected.

Step 12 In the Meraki Security Manager Setup page, read the instructions and click
Register.
Step 13 You may be redirected to the Google Play Store to install the Meraki Systems
Manager.
Step 14 Do not try to install the app from Google Play, as you are not logged in to
Google.
Step 15 Click Download the app manually on the Meraki page.

Step 16 Click Download at the bottom of the security message to download the app and,
if prompted, to replace an existing file.
Step 17 Open the downloaded AndroidSM.apk, click Next and then click INSTALL.

Note If you missed clicking Open to open the APK, you will find the file in the Downloads folder
on the tablet.

Step 18 Click Done after the app installation has completed successfully or, if the
installation does not seem to finish, wait about 5 minutes.

Step 19 Click the HOME button and navigate to Settings > Security > Device
administrators.
Step 20 Click the Meraki Systems Manager, and in the popup confirm to activate the
app as device administrator by clicking ACTIVATE.

Step 21 Click the HOME button and go back to the Meraki SM registration tab by
opening the browser again.

Step 22 Click Continue.


Step 23 Note that the enrollment code is presented. Click Continue.
Step 24 Press the HOME button.
Step 25 Open the newly installed Meraki SM app.

Step 26 First you must select the management type. Click the Meraki icon.

Step 27 Enter the enrollment code (dashes are added automatically).

Step 28 Click Enroll This Device.
Step 29 Via the menu on the top left, select Managed Apps.

Step 30 Click INSTALL to install the AnyConnect app.


Step 31 You are redirected to the Google Play Store; click INSTALL, confirm by
clicking Continue, skip the registration warning, then click ACCEPT to
install the Cisco AnyConnect app.
Step 32 Wait at least 5 minutes to give ISE time to check with Meraki about the
compliance of the device.

Step 33 Check via the Meraki dashboard > Systems manager > Monitor > Clients, selecting
your tablet, that no apps are missing. Otherwise, unenroll the device via
the app on the tablet and then enroll it again.

Step 34 Disable and re-enable WLAN on the tablet. You should automatically connect
to your pod ##-wpa2e SSID.

Step 35 Return to the browser and retry navigating to tools.demo.local/cp.

Note It can take up to 15 minutes for ISE to check with Meraki about the compliance of the
device!

Step 37 An MDM message indicating a successful enrollment may appear. Sometimes it is
skipped.

Note If you are redirected to the MDM enrollment procedure, ISE and MDM registration
and compliance negotiation might not be completed yet. Wait a few minutes and check the
ISE authentications for the WLC_USER Access authorization profile being applied to the
Android device, which indicates compliance with ISE registration and the Meraki policy.

Step 38 You are now granted access to the internal resources:

Authentication Review
Step 39 Return to the Meraki portal in Firefox on the Admin PC.
Step 40 Navigate to Systems manager > Monitor > Clients.
Step 41 You should see the Android tablet added.

Step 42 Select and click the device.


Step 43 Verify that the device fulfills the Security policy.

Step 44 Scroll down and verify that the device has recently installed AnyConnect.

Step 45 Navigate to Operations > RADIUS > Live Logs.


Step 46 Observe the record flow of how the client was assigned the authorization profiles,
WLC_NSP, MDM_Quarantine, and then finally WLC_USER Access.
MDM Reports
Step 47 Navigate to Operations > Reports and then ISE Reports > Endpoints and
Users > External Mobile Device Management.
Step 48 Run the report with a default time range of Today.
Step 49 Observe the device status. Be sure to scroll all the way to the right to view all
report fields.

Activity Verification
You have completed this task when you attain these results:
• You have enrolled your pod Tablet as a BYOD device and performed MDM
onboarding.
• You have gone through MDM compliance checking and performed the required
remediation.
• You have reviewed the authentication records for this access process.
• You have run MDM reports in Cisco ISE and observed the device status.

Lab 7-1: Using Cisco ISE for VPN Access
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will access the network via an AnyConnect VPN connection with
compliance checking. After completing this activity, you will be able to meet these
objectives:
• Configure Cisco ISE to process VPN access
• Configure authorization components and policies to support compliance-based VPN
access
• Configure client provisioning for remote Cisco AnyConnect VPN access

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
• Admin PC
• ISE-1
• AD1
• W10PC-Corp
• vWLC
• W10PC-CoA
• ASAv

Command List
The table describes the commands that are used in this activity.
ASAv CLI Commands

Command Description

write erase Erases the startup configuration

copy Copies a file. In this lab you will copy a file to startup-config

reload Restarts or reboots the device.

show vpn-sessiondb detail anyconnect Shows AnyConnect client access details

Task 1: Lab Preparation
In this task, you will modify the ASAv configuration in preparation for the VPN Access.

Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 From the Admin PC desktop, open ASDM/IDM Launcher.
Step 2 Connect to 10.1.100.4 using the credentials admin / 1234QWer.
Step 3 Navigate to the menu selection Tools > File Management.
Step 4 Verify that anyconnect-win-4.5.04029.0-webdeploy-k9.pkg is present on the
flash.

Adding the ASAv as a NAD


Step 5 Return to the Cisco ISE Admin portal.
Step 6 Navigate to Administration > Network Resources > Network Devices.
Step 7 In the right pane, click +Add and create the following Network Device entry.
Network Device – ASAv

Attribute Value

Name ASAv

Description Pod ASAv

IP Address 10.1.100.4 /32

Device Profile Cisco

Model Name <blank>

Software Version <blank>

Network Device Group

Location HQ

IPSec Is IPSEC Device

Device Type VPN

RADIUS Authentication Settings Checked

Shared Secret 1234QWer


SNMP Settings Unchecked

Advanced TrustSec Settings Unchecked

Step 8 Scroll down and click Submit.

Policy Set Modification
Step 9 Navigate to Policy > Policy Sets.
Step 10 Click the gear icon next to the Default Policy Set.
Step 11 From the Drop-Down Menu select Insert new row above.

Step 12 Create the following Policy Set.


Policy Set – VPN Access

Name VPN_Access
Description VPN Access
Condition(s) DEVICE:Device Type EQUALS All Device Types#VPN
Allowed Protocols Default Network Access

Step 13 Click Use.


Step 14 Scroll down and click Save.
Authorization Profiles and dACLs
Step 15 Navigate to Policy > Policy Elements > Results and then to Authorization >
Downloadable ACLs.
Step 16 Create the two following dACLs:
Downloadable ACL – acl_vpn_permit

Attribute Value

Name acl_vpn_permit

Description Allow VPN Full Access

DACL Content permit ip any any

Downloadable ACL – acl_vpn_remediate

Attribute Value

Name acl_vpn_remediate

Description Allow Only Remediation Traffic

DACL Content permit ip any host 10.1.100.21
             permit udp any any eq 53
             permit icmp any host 10.1.100.1
             deny ip any any
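Which traffic a posture-pending VPN client can reach is decided entirely by the order of these ACEs, so it pays to check them before relying on the remediation profile. The following is an added example in Python, not the lab guide's own code and not Cisco's: a minimal parser and first-match matcher for the ACE syntax used in acl_vpn_remediate (any, host, network plus wildcard mask, optional eq port), run against a few constructed flows. The VPN client address 10.1.200.10 and the internal host 10.1.100.50 are invented for illustration; TCP 8443 is the default port of the ISE client provisioning portal.

```python
"""Evaluate a Cisco-style downloadable ACL (dACL) against sample flows.

Added example, not the lab guide's own code: a minimal parser and first-match
matcher for the ACE syntax used in acl_vpn_remediate, so you can check which
traffic a posture-pending VPN client can reach. Only the syntax the lab uses
(any / host / network+wildcard, optional 'eq <port>') is handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# dACL content exactly as configured in the lab
ACL_VPN_REMEDIATE = """\
permit ip any host 10.1.100.21
permit udp any any eq 53
permit icmp any host 10.1.100.1
deny ip any any
"""

# Address term: ("any", None) | ("host", int) | ("net", (network_int, wildcard_int))
Addr = Tuple[str, object]


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; else "tcp", "udp", "icmp", ...
    src: Addr
    dst: Addr
    dport: Optional[int]  # destination port from "eq <port>", or None


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address term starting at tokens[i]; return (term, next index)."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] == "host":
        return ("host", int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    network = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))  # Cisco wildcard: 1 bits are don't-care
    return ("net", (network, wildcard)), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACE: {line}")
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t):
            if t[i] != "eq":
                raise ValueError(f"unsupported port operator in ACE: {line}")
            dport = int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _addr_matches(term: Addr, ip: str) -> bool:
    kind, value = term
    if kind == "any":
        return True
    n = int(ipaddress.IPv4Address(ip))
    if kind == "host":
        return n == value
    network, wildcard = value
    mask = 0xFFFFFFFF ^ wildcard
    return (n & mask) == (network & mask)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching ACE wins; anything that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_VPN_REMEDIATE)
    # Constructed flows from a VPN client (10.1.200.10 is an illustrative address)
    for flow in [("tcp", "10.1.200.10", "10.1.100.21", 8443),  # client provisioning portal on ISE
                 ("udp", "10.1.200.10", "10.1.100.1", 53),      # DNS
                 ("icmp", "10.1.200.10", "10.1.100.1", None),   # ping the gateway
                 ("tcp", "10.1.200.10", "10.1.100.50", 80)]:    # another internal host
        print(flow, "->", evaluate(acl, *flow))
```

The matcher treats a missing port in an ACE as "any port", and only a protocol-specific ACE constrains the protocol; that mirrors why TCP to port 53 is still denied by this dACL while UDP DNS is allowed.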

Step 17 Navigate to Policy > Policy Elements > Results and then to Authorization >
Authorization Profiles.
Step 18 Create the three following authorization profiles. Submit your changes after each
entry.
VPN Full Access Authorization Profile

Attribute Name Value

Name VPN Full Access

Common Tasks

DACL Name acl_vpn_permit

VPN Remediation Access Authorization Profile

Attribute Name Value

Name VPN Remediation Access

Common Tasks

DACL Name acl_vpn_remediate

VPN Posture Authorization Profile

Attribute Name Value

Name VPN Posture

Common Tasks

Web Redirection Client Provisioning (Posture)


ACL ACL-WEBAUTH-REDIRECT
Value Client Provisioning Portal (default)

Authentication Policy
Step 19 Navigate to Policy > Policy Sets.
Step 20 In the left pane, click on the VPN_Access policy set.
Step 21 Modify the Authentication Policy.
Step 22 Change the authentication source to All_AD_Join_Points.

Step 23 Add the following two authorization rules, in order, above the Default rule.
VPN Compliant Authorization Policy

Attribute Value

Rule Name VPN Compliant

Conditions (identity groups and other conditions) Session:PostureStatus EQUALS Compliant

Results (Profiles) VPN Full Access

VPN Remediate Authorization Policy

Attribute Value

Rule Name VPN Remediate

Conditions (identity groups and other conditions) Session:PostureStatus EQUALS NonCompliant

Results (Profiles) VPN Remediation Access

Step 24 Change the result of the Default rule to VPN Posture.
Step 25 Compare your configuration with the following screenshot. It is imperative that
the rules are in the proper order, with the Default rule (the VPN Posture redirect) at the bottom.

Step 26 Scroll down and click Save.
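The VPN_Access authorization policy built in this task and the Wireless_Access policy of Lab 6-6 (Task 2) are both first-match rule tables, so one evaluator illustrates both. The following is an added example in Python, not Cisco ISE code and not part of this lab guide; it models the two policies with the rule names, conditions and result profiles taken from the lab tables and walks them for constructed sessions. The session attribute values, the DenyAccess result assumed for the Wireless_Access Default rule, and the expansion of the Wireless_802.1X library condition into Radius:Service-Type and Radius:NAS-Port-Type are assumptions made for the example.

```python
"""First-match authorization policy evaluation, modelled in plain Python.

Added example; not Cisco ISE code and not part of the lab guide. Rule names,
conditions and result profiles follow the lab's Wireless_Access (Lab 6-6) and
VPN_Access (Lab 7-1) authorization policies. The session dictionaries and the
evaluator are constructed here to show why rule order and the
SAN e-mail == Calling-Station-ID check matter.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # all must hold (AND)
    result: str                  # authorization profile
    enabled: bool = True


def equals(attr: str, value: str) -> Condition:
    return lambda s: s.get(attr) == value


def san_email_equals_calling_station(s: Session) -> bool:
    # CERTIFICATE:Subject Alternative Name - EMail EQUALS Radius:Calling-Station-ID [31]:
    # the BYOD certificate must have been issued for the MAC that is now connecting.
    san = s.get("CERTIFICATE:Subject Alternative Name - EMail")
    return san is not None and san == s.get("Radius:Calling-Station-ID")


# Assumption: the Wireless_802.1X library condition is modelled by its two RADIUS attributes.
WIRELESS_8021X = [equals("Radius:Service-Type", "Framed"),
                  equals("Radius:NAS-Port-Type", "Wireless - IEEE 802.11")]

BYOD_BASE = [equals("IdentityGroup:Name", "Endpoint Identity Groups:RegisteredDevices"),
             *WIRELESS_8021X,
             equals("Network Access:EapAuthentication", "EAP-TLS"),
             san_email_equals_calling_station]

# Rules as in the lab; the Default rule's DenyAccess result is an assumption (ISE factory default).
WIRELESS_ACCESS = [
    Rule("Reg with ISE NOT MDM", BYOD_BASE + [equals("MDM:DeviceRegisterStatus", "UnRegistered")], "MDM Quarantine"),
    Rule("Reg with ISE AND MDM non_comp", BYOD_BASE + [equals("MDM:DeviceCompliantStatus", "NonCompliant")], "MDM Quarantine"),
    Rule("Reg with ISE AND MDM comp", BYOD_BASE + [equals("MDM:DeviceCompliantStatus", "Compliant")], "WLC_USER Access"),
    Rule("Default", [], "DenyAccess"),
]

VPN_ACCESS = [
    Rule("VPN Compliant", [equals("Session:PostureStatus", "Compliant")], "VPN Full Access"),
    Rule("VPN Remediate", [equals("Session:PostureStatus", "NonCompliant")], "VPN Remediation Access"),
    Rule("Default", [], "VPN Posture"),  # redirect to client provisioning; must stay last
]


def evaluate(policy: List[Rule], session: Session) -> Tuple[str, str]:
    """Walk the policy top to bottom; the first enabled rule whose conditions all hold wins."""
    for rule in policy:
        if rule.enabled and all(cond(session) for cond in rule.conditions):
            return rule.name, rule.result
    raise ValueError("no rule matched; an ISE policy always ends in a catch-all Default rule")


# Constructed sample session for an onboarded tablet (MAC and values are illustrative).
TABLET: Session = {
    "IdentityGroup:Name": "Endpoint Identity Groups:RegisteredDevices",
    "Radius:Service-Type": "Framed",
    "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
    "Network Access:EapAuthentication": "EAP-TLS",
    "Radius:Calling-Station-ID": "AA-BB-CC-11-22-33",
    "CERTIFICATE:Subject Alternative Name - EMail": "AA-BB-CC-11-22-33",
}


def with_attrs(base: Session, extra: Session) -> Session:
    return {**base, **extra}


if __name__ == "__main__":
    stages = [
        ("before MDM enrollment", {"MDM:DeviceRegisterStatus": "UnRegistered"}),
        ("enrolled, AnyConnect missing", {"MDM:DeviceRegisterStatus": "Registered",
                                          "MDM:DeviceCompliantStatus": "NonCompliant"}),
        ("enrolled and compliant", {"MDM:DeviceRegisterStatus": "Registered",
                                    "MDM:DeviceCompliantStatus": "Compliant"}),
    ]
    for label, extra in stages:
        print(f"{label:32} -> {evaluate(WIRELESS_ACCESS, with_attrs(TABLET, extra))}")
    for status in ("Unknown", "NonCompliant", "Compliant"):
        print(f"VPN posture {status:13} -> {evaluate(VPN_ACCESS, {'Session:PostureStatus': status})}")
```

The three wireless stages reproduce the profile sequence you will see in the RADIUS live logs of Lab 6-8 (MDM Quarantine until the device is enrolled and compliant, then WLC_USER Access), and a session whose certificate SAN does not match the connecting MAC falls through every BYOD rule to Default. For the VPN policy a posture status of Unknown, which is what a fresh session carries, matches neither explicit rule and lands on the VPN Posture redirect, which is why that rule must remain at the bottom.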


Creating the Client Provisioning Resources for VPN Based Posture Access
Step 27 Navigate to Policy > Policy Elements > Results and then Client Provisioning >
Resources.
Step 28 In the right pane, find the acConfigWin profile that you created earlier and select
it.
Step 29 In the toolbar click Duplicate.
Step 30 Make the following modifications.

acConfigWin_VPN - AnyConnect Configuration

Attribute Value

* Select AnyConnect Package AnyConnectDesktopWindows 4.5.4029.0

* Configuration Name acConfigWin_VPN

Description AnyConnect agent config for Windows VPN

* Compliance Module AnyConnectComplianceModuleWindows 4.2.XXXXX.X

AnyConnect Module Selection

ISE Posture [X]

VPN [X]

Network Access Manager [ ]

Web Security [ ]

ASA Posture [ ]

Start Before Login [ ]

Diagnostic and Reporting Tool [X]

Profile Selection

ISE Posture acWinPostureProfile

VPN <delete>

Network Access Manager <delete>

Web Security

Customer Feedback

Customization Bundle

Localization Bundle

Deferred Update

Allowed AnyConnect Software No

Minimum Version Required for AnyConnect Software 0.0.0

Allowed for Compliance Module No

Minimum Version Required for Compliance Module 0.0.0.0

Prompt Auto Dismiss Timeout None

Prompt Auto Dismiss Default Response Update

Installation Options

Uninstall Cisco NAC Agent [ ]

Step 31 Scroll down and click Submit.

Creating the Client Provisioning Policy
Step 32 Navigate to Policy > Client Provisioning.
Step 33 Create a new policy at the top of the list with the following parameters.
AC Employee Win All VPN Client Provisioning Policy Rule

Attribute Value

Rule Name AC Employee Win All VPN

Identity Groups Any

Operating Systems Windows All

Other Conditions DEVICE:Device Type EQUALS All Device Types#VPN

Results Agent: acConfigWin_VPN

Step 34 Click Done.

Step 35 Scroll down and click Save.


Adjusting Remediation Timer
Step 36 Navigate to Administration > System > Settings > Posture > General Settings
Step 37 Set the Remediation Timer to 20 minutes, as the Client provisioning packages
will take some time to download.
Step 38 Click Save.

Activity Verification
You have completed this task when you attain these results:
• You have prepared the ASAv for operation with this lab.
• You have added the ASAv as a NAD.
• You have created a policy set for VPN access.
• You have configured authorization profiles and their associated dACLs.
• You have configured authorization policies for VPN access.
• You have configured client provisioning components and policy for VPN-based
posture access.

Task 2: Testing VPN Client Access
In this task, you will test VPN access using the policies that you’ve configured in task 1.

Activity Procedure
Complete these steps:
Step 1 Access your pod W10-CoA PC and log in with the credentials student /
1234QWer.
Initial VPN Connection
Step 2 From the system tray, Open AnyConnect.
Step 3 For this lab environment, ensure that connections are allowed to untrusted
servers. Click on the cog icon in the lower left corner.

Step 4 On the Preferences tab page, uncheck the Block connections to untrusted
servers.
Step 5 Close this window.
Step 6 Connect to the VPN server asav.demo.local.
Step 7 At the Security Warning pop-up, click Connect Anyway.
Step 8 When prompted for credentials for the ISE_VPN group, use the credentials
employee2@demo.local / 1234QWer.
Step 9 Connect by clicking OK, then select Connect Anyway.

Note If you are not prompted to connect to the ISE_VPN group, notify your instructor.

Step 10 After connection, AnyConnect will receive instruction from the ASAv that an
upgrade is available.

Step 11 A certificate warning might be displayed. Click Connect and reconnect to the
VPN. You will see in the lower right corner that the VPN is Connected.

Examine Cisco ISE Authentication Records
Step 12 Return to the Cisco ISE admin portal on the admin PC.
Step 13 Navigate to Operations > RADIUS > Live Logs.
Step 14 Observe the authentication record details for the employee2@demo.local user
who was assigned the VPN Posture authorization profile.
Observe the following highlighted fields indicating that the host that accessed the
network by VPN was profiled. The CiscoAVPair section contains the ACIDex
attributes conveyed by AnyConnect and the ASA. In the Results section, you can
see the URL-Redirect being applied to this session in its current state.

Step 15 Access the ASAv via PuTTY and enter the following command to observe the
ISE Posture Section at the end.
ciscoasa# show vpn-sessiondb detail anyconnect

Step 16 Return to the W10-CoA PC.


Step 17 Open Firefox and browse to http://tools.demo.local
Step 18 On the “Your connection is not secure”- website, click Advanced and then Add
Exception…
Step 19 Click Confirm Security Exception.
Step 20 After about 20 seconds you will be presented with the Client Provisioning Portal.
Reload the page if necessary.
Step 21 Click Start.
Step 22 The process will attempt to detect if the AnyConnect Posture Agent is installed.
Once prompted, click + This is my first time here.
Step 23 In the instructions click the hyperlink to Click here to download, install
AnyConnect.
Step 24 Click Save File.
Step 25 After the file downloaded, click the file in the download dialog box and after
about 30 seconds you should be presented with the installation prompt.

Step 26 Click Run.


Step 27 The Cisco Network Setup Assistant should notify you that you are connected to
ise-1.demo.local. Click Connect Anyway.
Step 28 If an Untrusted Security Certificate message appears, click Change Setting…
and click Apply Change in the AnyConnect Downloader window. Select
Always trust this server and import the certificate and click Connect
Anyway.
Step 29 Cisco AnyConnect will download for approximately 20 minutes and install
automatically and then reconnect the VPN.

Step 30 After restart, Connect to the VPN as employee2@demo.local / 1234QWer.
Step 31 System Scan will run and you will be presented with the Update Required pop-
up.

Step 32 The results will show that the Good File update is required. Click Start to begin
remediation.
Step 33 Navigate to C:\, create the Test folder, open the folder and then click Save.
Step 34 You will be notified that the save operation was successful and given the
opportunity to open the folder location where the file was saved. Click Cancel.
Step 35 System Scan will evaluate the system and then determine the system is
compliant.

Step 36 On the Admin PC, return to the ASAv CLI in PuTTY and run the following
command again. Observe that the Filter Name is the dACL from ISE.
ciscoasa# show vpn-sessiondb detail anyconnect

Step 37 Return to the Cisco ISE admin portal.


Step 38 Navigate to Operations > RADIUS > Live Logs.
Step 39 Observe the connection flow and the final result: the Authorization Profile
VPN Full Access and a Posture Status of Compliant.

Activity Verification
You have completed this task when you attain these results:
 You have successfully connected over Cisco AnyConnect VPN and had the
AnyConnect client upgraded to support compliance checking.
 Performed remediation over VPN and reviewed the associated authentication results.

Lab 7-2: Configuring Cisco AMP for ISE
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure Cisco ISE to provision Cisco posture agents. The AMP
Enabler will download the AMP for Endpoints connector, formerly known as FireAMP.

The activities in this lab will facilitate the following scenario:


 Client connects to the network, the AMP_Profile is assigned, and the user is redirected
to the AnyConnect Provisioning Portal. If AnyConnect is not detected on the machine,
all configured modules (VPN, AMP, and Posture) are installed. Configuration is
pushed for each module along with that profile.
 Once AnyConnect is installed, posture assessment runs.
 The AMP Enabler module installs the FireAMP connector.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 ISE-1
 AD1
 W10PC-Corp
 vWLC
 W10PC-CoA
 ASAv



Command List
The table describes the commands that are used in this activity.
ASAv CLI Commands

Command                                  Description

write erase                              Erases the startup configuration.

copy                                     Copies a file. In this lab you will copy a file to startup-config.

reload                                   Restarts or reboots the device.

show vpn-sessiondb detail anyconnect     Shows AnyConnect client access details.

Task 1: Configuring the Cisco AMP Cloud
This task requires an AMP for Endpoints administrative login and password.

Activity Procedure
Complete these steps:
Step 1 On the Admin-PC, open Firefox. Connect to https://console.eu.amp.cisco.com/

Step 2 In the top left of the window, click the small green lock symbol.

Step 3 Click the arrow and then More Information.



Step 4 Click View Certificate.

Step 5 Click the Details tab, and then click Export…

Step 6 Save the Certificate to the Desktop accepting the default name.
Step 7 Login to AMP for Endpoints. Your Instructor will provide the necessary
credentials.
Step 8 Navigate to Management > Download Connector. Select Group > Audit and
click Show URL.

Step 9 Click Copy URL.
Step 10 On the Desktop of the Admin PC, create a new text file and paste the URL from the
clipboard (Ctrl + V). Remove the “https://” at the beginning of the link.
Step 11 Save the file. It should look like the following screenshot.

Step 12 In Cisco ISE Gui, navigate to Administration > System > Certificates >
Certificate Management > Trusted Certificates
Step 13 In the right pane click Import.
Step 14 Browse to the Desktop and select the previously exported euampciscocom.crt
certificate.
Step 15 Set FireAMP Cisco Cert as the Friendly Name and trust the certificate for
Authentication within ISE as well as for Authentication of Cisco Services.

Step 16 Click Submit.

Activity Verification
You have completed this task when you attain these results:
 Connected to the AMP for Endpoints Portal and made the ISE ready to download the
AMP Connector for Windows.



Task 2: Configuring Posture Policies and Conditions
In this task, you will review client provisioning settings and then perform a posture
component update and build a compliance rule.

Activity Procedure
Complete these steps:
Step 1 On the Admin-PC, using the Cisco ISE admin interface, navigate to Policy >
Policy Elements > Conditions > Posture > File Condition. Review the
Bad_File condition. If the file is not present, the PC will be deemed Compliant.
Verify your configuration with the screenshot shown.

Step 2 Navigate to Policy > Policy Elements > Results > Posture > Requirements.
Review the Bad File requirement. Verify with the screenshot shown.

Step 3 Navigate to Policy > Posture.


Step 4 Edit the File Checks Posture Policy and make the Bad File requirement
mandatory.

Step 5 Click Done

Step 6 Click Save.

Activity Verification
You have completed this task when you attain these results:
 You have modified a simple file requirement to drive the compliance check on the
endpoint.



Task 3: Configuring Posture, AMP and AnyConnect Profiles
In this task, you will configure Cisco ISE for the download and management of Cisco
AnyConnect posture agents, and the AMP Connector.

Activity Procedure
Complete these steps:
Step 1 Edit the posture agent profile. Navigate to Policy > Policy Elements > Results >
Client Provisioning > Resources.
Step 2 Select and edit the acWinPostureProfile posture agent profile.
Step 3 Scroll down to the Posture Protocol section of the template, delete the
“tools.demo.local” Discovery host entry and set the Server Name Rules field
to * (a lab shortcut: the agent will then trust any server name, so in production
restrict this to your ISE PSN names, for example *.demo.local). Save your
configuration.

Configure an AMP profile. AMP Enabler profiles contain a pointer to the location of the AMP
Connector for Windows installer (the download URL you copied from the AMP cloud console
in Task 1).
Step 4 Navigate to Policy > Policy Elements > Results > Client Provisioning >
Resources.
Step 5 Add a new AMP Enabler Profile named AMPwinProfile as shown in the figure
below.
Step 6 For the Windows Installer URL, insert the URL from the text file you created on the
Desktop earlier.
Step 7 Click Check next to the inserted link. The result must be File found.

Step 8 Submit your configuration when finished
Step 9 Modify the AnyConnect Configuration to tie together the components that must
be installed on the endpoint to allow for authorization to access network
resources.
Step 10 Navigate to Policy > Policy Elements > Results > Client Provisioning >
Resources.
Step 11 Select and edit the acConfigWin AnyConnect configuration.
Step 12 Additionally, select the AnyConnect module AMP Enabler.



Step 13 In Profile Selection, choose the profiles for AMP Enabler (AMPwinProfile).
Verify your configuration with the example shown.

Step 14 Scroll down and click Save.

Activity Verification
You have completed this task when you attain these results:
 You have assigned a Client Provisioning Policy that uses an AnyConnect
Configuration profile that references:
− The AnyConnect Compliance Module
− The profile defined for AMP Enabler.
 You have configured an Authorization policy that will be used to drive the state of
a connecting endpoint to Compliant, and assigned this profile to an authorization
rule (done in previous labs).

Task 4: Enabling and Provisioning TC-NAC Services
In this task, you will configure Cisco ISE for Threat-Centric NAC. You will configure the
AMP Adapter that will be used by ISE to interface with the AMP Cloud.

Activity Procedure
Complete these steps:
Step 1 Enable TC-NAC Services under Administration > System > Deployment >
Edit Node. Check the Enable Threat Centric NAC Service check box under
Policy Service. This selection will add the Threat Centric Menu Options to the
ISE GUI under Administration. Save your configuration.

Step 2 To configure the AMP Adapter, navigate to Administration > Threat Centric
NAC > Third Party Vendors > Add. Add a vendor instance for AMP. Save the
instance.

Note This process can take several minutes to start up before allowing you to continue.

Step 3 Once the required fields are added, the instance status will transition to Ready to
Configure. Click this field to begin the AMP adapter configuration. Click Next
to bypass the proxy configuration screen.



Step 4 Select the EU Cloud for the AMP Public Cloud option. Then click Next.

Step 5 Click the AMP link under SAS External URL. You will then be required to log
in to the AMP for Endpoints account as an administrator. Your instructor will
provide your credentials.

Step 6 Click Allow in the Applications panel to authorize the Streaming Event Export
request.
Step 7 You will be returned to the Cisco ISE Admin portal, click Finish, and verify the
AMP Instance is Connected to the cloud, and is Active. It may take a couple of
minutes to connect.

Activity Verification
You have completed this task when you attain these results:
 You have enabled and provisioned Threat Centric NAC services.



Task 5: Verify Provisioning of AMP for Endpoints (Optional)
In this task, you will verify your configurations.

Activity Procedure
Complete these steps:
Step 1 Access the W10PC-Corp PC
Step 2 Restart the PC and then log in as demo\employee1 / 1234QWer.
Step 3 Wait for the AnyConnect System Scan to display the warning about the Bad File
found.

Step 4 Open Windows Explorer and delete the virus.txt under C:\test\ that you created in
an earlier lab.
Step 5 Click Start to recheck with the requirements. You should now be compliant.
Step 6 Then, the AMP Enabler module should start downloading and installing AMP
for Endpoints. See the following screenshots for the procedure:

Step 7 Open a browser and attempt to connect to any website. You should be successful.
Step 8 In the Cisco ISE Live Logs, observe that employee1 on W10PC-Corp went through
the AD Posture Assessment authorization profile again and was finally granted
Wired AD Employees.

Activity Verification
You have completed this task when you attain these results:
 Verified provisioning of AMP for Endpoints on the client PC.

Lab 8-1: Cisco ISE Integrated Solutions with APIs
Complete this lab activity to practice what you learned in the related module.
This lab covers integration between the Cisco Web Security Appliance (WSA) and Cisco
Platform Exchange Grid (pxGrid). In this lab, you will generate Certificate Signing Requests
(CSRs) for all the digital certificates that are required for ISE, pxGrid, and the HTTPS proxy.
You will also perform configuration tasks on the Cisco WSA and register the WSA as a pxGrid
client to Cisco ISE. You will then download the Security Group Tag (SGT) information and
create a decryption policy and a web access policy.

Activity Objective
In this activity, you will integrate the Cisco WSA with Cisco ISE through pxGrid. After
completing this activity, you will be able to meet these objectives:
 Generate CSRs and obtain enterprise-CA-signed certificates for the ISE pxGrid node, the
WSA HTTPS proxy, and the WSA pxGrid client
 Prepare the WSA (System Setup Wizard, HTTPS proxy, WCCPv2) and register it as a
pxGrid client to Cisco ISE
 Assign Security Group Tags in ISE authorization policy and use them in WSA access policies

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 AD1
 ISE-1
 WSA



Task 1: Configuring Cisco ISE System Certificates for REST
and pxGrid
A Cisco ISE deployment needs system certificates without wildcards in the subject or the
subject alternative name (SAN) to support REST API and pxGrid. In this exercise, you will
generate a Certificate Signing Request and obtain a certificate that is signed by an enterprise
CA. Since both the pxGrid controller and clients in ISE, and the pxGrid client in WSA, are
maintaining their own trust stores, there is no need to obtain certificates that are signed by a
well-known CA.

Activity Procedure
Complete these steps:
Step 1 From Admin PC, log in to ISE using admin / 1234QWer.
Step 2 Inspect the existing system certificate. Navigate to Administration > System >
Certificates > System Certificates. Select ise-1 Admin Cert and then Edit.

Note The certificate has a wildcard SAN – DNS: *.demo.local. Wildcard certificates cannot be
used for pxGrid and REST API operations.

Step 3 Navigate to Certificate Signing Requests from the left Certificate
Management panel and click Generate Certificate Signing Requests (CSR).

Step 4 Click Generate.
Step 5 Click OK on Successfully generate CSR(s) pop-up to close it.
Step 6 Select ise-1#pxGrid > View > CSR Contents.
Step 7 Select all (Ctrl + A) and copy (Ctrl + C) everything in between starting from -----
BEGIN CERTIFICATE REQUEST---- to the end of -----END
CERTIFICATE REQUEST----- .
Step 8 Click Close.
Step 9 Using Firefox, Go to http://ad1.demo.local/certsrv and login as administrator /
1234QWer.
Step 10 Select Request a certificate > Advanced Certificate Request, and paste (Ctrl +
V) the copied text from the previous into the text box for Base-64-encoded
certificate request.
Step 11 Select the pxGrid certificate template and click Submit.



Step 12 Select Base 64 encoded and then click Download certificate.
Step 13 Choose Save. To ease identification later, rename the downloaded file to
ise-pxgrid.cer.
Step 14 Close the browser tab for the AD Certificate Services.
Step 15 Return to the Cisco ISE Admin UI, select Bind Certificate > Browse > select
ise-pxgrid.cer from the Downloads folder.
Step 16 Input Friendly Name: ise-pxGrid and select Validate Certificate Extensions; leave
the usage pxGrid checked.

Step 17 Click Submit.


Activity Verification
You have completed this task when you attain these results:
 Generated the ISE pxGrid CSR and sent the request to the MS CA server.
 Used the precustomized pxGrid template to sign the certificate at the CA server.
 Bound the signed certificate to the ISE CSR for pxGrid use.

Task 2: Preparing the Cisco WSA
The Cisco WSA needs to be configured for network and Cisco ISE operation. The System
Wizard from the WSA will be used to configure these parameters. The HTTPS proxy will
be enabled for website decryption to deny employees from accessing Facebook. WCCPv2
will also be configured.

Activity Procedure
Complete these steps:
Step 1 From the Admin PC, using Firefox, browse to the WSA admin portal at
http://10.1.100.30:8080.
Step 2 Accept the Security warning by clicking Advanced > Add Exception and then
Confirm Security Exception.
Step 3 Log in with the default credentials admin / ironport.
Step 4 Navigate to System Administration > System Setup > System Setup Wizard >
System Settings. Set the Default System Hostname to wsa.demo.local and
update the NTP server to ntp.demo.local, as time.sco.cisco.com is not reachable
from this lab network. Leave the rest of the settings (DNS server, time zone,
mode of operation) at their defaults.

Step 5 Click Next.


Step 6 For the Network Context, leave all settings at their defaults. Then click Next.
Step 7 For the Network Interfaces and Wiring, leave all settings at their defaults. Then
click Next.
Step 8 For the Layer 4 Traffic Monitoring Wiring, leave all settings at their defaults.
Then click Next.



Step 9 For the IPv4 Routes for Management and Data Traffic, leave all settings at
their defaults. Then click Next.
Step 10 For the Transparent Connection Settings, leave all settings at their defaults.
Then click Next.
Step 11 Modify the administrative settings
Change the following administrative settings:
 Change the Administrator Passphrase to !234QWer
 Under Email system alerts to: Enter: admin@demo.local.
 AutoSupport: uncheck.
 Network Participation: uncheck.
 Click Next.

Step 12 For the Security Settings, leave all settings at their defaults. Then click Next.
Step 13 Review your configuration and then click Install This Configuration.

Step 14 Log in to the WSA with the new admin password !234QWer.
Step 15 Navigate to Security Services > Proxy Settings > HTTPS Proxy.
Step 16 Click Enable and Edit Settings… > HTTPS Proxy License Agreement. Then
click Accept.
Step 17 Under HTTPS Proxy Settings > Enable HTTPS Proxy > Root Certificate for
Signing, Select Use Generated Certificate and Key.
Step 18 Click Generate New Certificate and Key, use the parameters from the figure
below. Then click Generate.



Step 19 In the Decryption Options window, Enable the option for Decrypt for
Application Detection.
Step 20 Scroll down and click Submit.

Step 21 Confirm Enable, then click Continue.


Step 22 Click Commit Changes, and then Commit Changes again. Verify with the
following figure once the HTTPS proxy has been enabled.

Step 23 On the HTTPS Proxy Settings page, Click Edit Settings.


Step 24 Click Download Certificate Signing Request for the generated Certificate and
Key.
Step 25 Click Open with and select Wordpad and click OK.

Step 26 At the end of the .pem file, copy (Ctrl+C) everything from -----BEGIN
CERTIFICATE REQUEST----- to the end of -----END CERTIFICATE REQUEST-----,
as the following figure shows.

Step 27 Open a new browser tab and go to Microsoft Active Directory Services
(http://ad1.demo.local/certsrv) and login as administrator / 1234QWer.
Step 28 Click Request a certificate > advanced request, and paste the copied
information into the text box for Base-64-encoded certificate request.
Step 29 Select the Certificate Template Subordinate Certificate Authority, because the WSA
HTTPS proxy will issue certificates for the sites it decrypts. Note that a certificate
issued from this template can sign for any site, so trust in it should only be
distributed to managed endpoints.
Step 30 Click Submit.
Step 31 Select Base 64 encoded and then Download Certificate.
Step 32 Rename the downloaded certnew(1).cer to WSA_HTTPS_proxy.cer.
Step 33 Open the certificate, go to details, and confirm SubCA being the certificate
template.



Step 34 Navigate back to the Home page of http://ad1.demo.local/certsrv/
Step 35 Click Download a CA certificate, certificate chain, or CRL.
Step 36 Select Encoding method: Base 64.
Step 37 Click Download CA certificate.
Step 38 Click OK to Save the file.
Step 39 Rename certnew(1).cer to root-CA.cer.
Step 40 In WSA admin portal, navigate to Network > Certificate Management.
Step 41 Under Certificate Management > Trust Root Certificates, click Manage
Trusted Root Certificates.
Step 42 Under Custom Trusted Root Certificates, Select Import.
Step 43 Browse to the folder downloads and select root-CA.cer.
Step 44 Click Submit.
Step 45 Under Success page, click Submit again.

Step 46 Navigate to Security Services > HTTPS Proxy.


Step 47 Click Edit Settings.
Step 48 Under Signed certificate: for the Generated Certificate and Key, click Browse….
Step 49 Select WSA_HTTPS_proxy.cer > Upload File (you will see a success message at the
top of the page).

Step 50 Click Submit at the bottom of the page (new Success at the top of the page).
Step 51 Select Commit Changes > Commit Changes.
Step 52 Navigate to Network > Transparent Redirection.
Step 53 Click Edit Device… . From the Type drop-down menu, select WCCP v2
Router. Then click Submit.

Step 54 Under WCCP v2 Services, choose Add Service.


Use the following parameters:
 Service Profile Name: wccp90
 Dynamic Service ID: 90
 Port Numbers: 80,443
 Router IP Address: 10.1.100.1
Step 55 Click Submit.

Step 56 Select Commit Changes and Commit Changes again.


Step 57 You should see that your changes have been committed.



Step 58 Access the 3k-access console CLI and if prompted, login as admin / 1234QWer.
Step 59 From the console prompt, enter the command: terminal monitor.
Step 60 Configure the 3k-access switch for WCCP. Make sure the interface Vlan50 line is
entered as a command and not as a comment; otherwise the second redirect
statement is applied to Vlan10 again and Vlan50 traffic is never redirected.
configure terminal
! create redirect ACL for WCCP
ip access-list extended wccp-redirect
deny ip any 10.0.0.0 0.255.255.255
permit tcp 10.0.0.0 0.255.255.255 any eq www
permit tcp 10.0.0.0 0.255.255.255 any eq 443
!
! enable wccp with service-id 90, matched WSA config
ip wccp 90 redirect-list wccp-redirect
!
! apply wccp to the client VLAN 10 and VLAN 50
interface Vlan10
ip wccp 90 redirect in
!
interface Vlan50
ip wccp 90 redirect in
!
end

Note “%WCCP-5-SERVICEFOUND: Service 90 acquired on WCCP client 10.1.100.30” shows
on the switch terminal about 10 seconds after applying the configuration.
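The redirect-list above decides which flows the switch hands to the WSA and which it forwards normally. The following Python script is an added example, not part of this lab guide: it parses the ACL text from Step 60 and evaluates it with IOS first-match semantics (wildcard masks, protocol, destination port, implicit deny at the end), so you can predict before committing the configuration that Internet HTTP/HTTPS from 10.0.0.0/8 is redirected while internal traffic, DNS, and non-standard ports bypass the proxy. The test flows and their addresses are constructed for the example, and only the port keywords the lab ACL uses are mapped.

```python
"""Model the WCCP redirect-list applied on 3k-access in Step 60.

Added example, not part of the Fast Lane lab guide. It implements IOS
extended-ACL first-match evaluation (wildcard masks, protocol, 'eq' port)
so you can predict which client flows 'ip wccp 90 redirect in' will send to
the WSA. The ACL text is a copy of the lab configuration; the flows in the
usage section are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used by the lab ACL (extend as needed)
PORT_NAMES = {"www": 80, "https": 443}

WCCP_REDIRECT_ACL = """
ip access-list extended wccp-redirect
 deny ip any 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
"""


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" (redirect to WSA) or "deny" (forward normally)
    proto: str             # "ip" matches every protocol, otherwise e.g. "tcp"
    src: str               # "any" or "<network> <wildcard>"
    dst: str
    dport: Optional[int]   # destination port from 'eq', None = any port


def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'net wildcard')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse the permit/deny lines of an extended ACL into AclEntry objects."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue   # skip 'ip access-list ...', comments and blank lines
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1])
            if dport is None:
                dport = int(rest[1])
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _addr_matches(spec, addr):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny'."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_matches(e.src, src) and _addr_matches(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def is_redirected(acl, proto, src, dst, dport=None):
    """True when the switch hands the flow to the WSA via WCCP service 90."""
    return evaluate(acl, proto, src, dst, dport) == "permit"


if __name__ == "__main__":
    acl = parse_acl(WCCP_REDIRECT_ACL)
    # Constructed flows from the VLAN 10 client used in Task 6 (10.1.10.201)
    flows = [
        ("tcp", "10.1.10.201", "157.240.1.35", 443),   # Internet HTTPS -> redirect
        ("tcp", "10.1.10.201", "93.184.216.34", 80),   # Internet HTTP  -> redirect
        ("tcp", "10.1.10.201", "10.1.100.10", 443),    # internal (ISE) -> forward
        ("udp", "10.1.10.201", "8.8.8.8", 53),         # DNS, implicit deny -> forward
        ("tcp", "10.1.10.201", "203.0.113.5", 8443),   # non-standard port -> forward
    ]
    for f in flows:
        print(f, "redirect" if is_redirected(acl, *f) else "forward")
```

Because the first entry denies everything destined to 10.0.0.0/8, clients still reach ISE, AD, and the WSA itself directly; anything the script reports as "forward" never transits the proxy, which is also why the HTTPS proxy policies in Task 5 only see Internet-bound traffic.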

Activity Verification
You have completed this task when you attain these results:
 Ran the WSA System Setup Wizard and changed the admin credentials
 Enabled the HTTPS proxy and generated a CSR for a CA-signed certificate
 Enabled “Decrypt for Application Detection”
 Configured WCCPv2 on the WSA
 Configured the 3k-access switch for WCCPv2

Task 3: Configuring Security Groups, Authorization Policy,
and Enabling pxGrid on ISE
Cisco TrustSec Security Groups can be used to enforce network access. Two Security Groups
(Employees and Guests) will be used and assigned to ISE authorization rules. They will
differentiate between 802.1X authenticated employees and unauthenticated guests.
In the later exercises, the WSA will subscribe to the TrustSecMetaData pxGrid capability and
download the SGT information. WSA identification profiles, and web security access
policies, will be created to deny Facebook access for users who are tagged as Employees. It
will also allow nonrestricted Internet access for those users who are tagged as Guests.
ISE will also be configured for pxGrid operation.

Activity Procedure
Complete these steps:
Step 1 If needed, log back in to ISE as admin / 1234QWer.
Step 2 Navigate to Work Centers > TrustSec > Components > Security Groups.
Step 3 The right-hand pane shows a list of built-in entries. You will use two security
groups from the list, Employees and Guests.
Step 4 Navigate to Policy > Policy Set.
Step 5 In the Wired_8021X_Access policy set, edit the Wired AD Employees
authorization Policy. Delete the Session:PostureStatus condition and add the
Security Group Employees as Permission.

Step 6 Click Save when finished.


Step 7 In the Wired_MAB_Access policy set, edit the Guest Internet authorization
policy and add the security group Guests.



Step 8 Click Save when finished.
Step 9 Navigate to Administration > System > Certificates > System Certificates.
You should see that the ise-pxGrid certificate is used for pxGrid.

Step 10 Navigate to Administration > System > Deployment.


Step 11 Select and edit the ise-1 node. Scroll down and enable the pxGrid service.
Step 12 Click Save.
Step 13 Navigate to Administration > pxGrid Services and verify it shows Connected
to pxGrid at the lower left corner. The admin persona should also show as a
registered client.

Note It takes up to 10 minutes to see Connected to pxGrid. You may monitor the progress via
the ISE admin CLI using the command show application status ise, and by checking the
pxGrid debug logs.

Step 14 Click Settings tab and enable Automatically approve new accounts and click
Save. Answer Yes in the pop-up info dialog Are you sure you want to save
settings.

Activity Verification
You have completed this task when you attain these results:
 Reviewed two existing Security Groups: Guests and Employees.
 Assigned a security group to the authorization rule for each, so that users and hosts
receive the corresponding SGT.
 Enabled the ISE node for pxGrid operation.

Task 4: Enabling pxGrid on WSA
Cisco pxGrid requires that a pxGrid client, such as the WSA, present a client digital certificate
to secure its connection to the ISE pxGrid controller. It is best practice to use an enterprise CA
to sign certificates for both the pxGrid client and the ISE pxGrid node. In the previous task,
the ISE pxGrid controller was configured with a CA-signed pxGrid certificate. Note that pxGrid
certificates use a customized template containing an EKU for both client authentication and
server authentication.

Activity Procedure
Complete these steps:
Step 1 If needed, reopen the WSA URL, https://10.1.100.30:8443.
Step 2 Go to System Administration > Log Subscriptions.
Step 3 Click accesslogs. Under Custom Fields (optional), add %m.

Step 4 Scroll down and click Submit.


Step 5 Click Commit Changes > Commit Changes.
Step 6 Navigate to Network > Identification Services > Identity Service Engine >
Enable and Edit Settings.
Enter ISE Server: ise-1.demo.local.
Delete “admin” under Secondary ISE pxGrid Node (optional), if present.
Step 7 Scroll down and under WSA Client Certificate, Select Use Generated
Certificate and Key.
Step 8 Click Generate New Certificate and Key.
Step 9 Under Generate Certificate and key, enter the following:
 Common Name: wsa.demo.local
 Organization: Demo
 Organization Unit: IT
 Country: US
 Duration before expiration: 1 month



Step 10 Click Generate.
Step 11 Scroll down again and click Submit.

Step 12 Click Commit Changes > Commit Changes.


Step 13 Click Edit Settings.
Step 14 Under WSA Client Certificate, Use Generated Certificate and Key, Click
Download Certificate Signing Request.
Step 15 Download and save the file. You should see WSA_ISE_csr.pem.
Step 16 Open the file with WordPad, and highlight and copy everything from -----BEGIN
CERTIFICATE REQUEST----- to the end of -----END CERTIFICATE REQUEST-----.
Step 17 In Firefox, go to http://ad1.demo.local/certsrv , which is the Microsoft Active
Directory Certificate Services.
Step 18 Click Request Certificate and then Advanced Certificate Request.
Step 19 Paste into the Base-64 encoded certificate request. Select Certificate Template
> pxGrid.
Step 20 Click Submit.
Step 21 Select Base 64 encoded format and Download Certificate.
Step 22 Save the file.
Step 23 Rename the certnew(1).cer to WSA_pxgrid.cer.
Step 24 Open the certificate, click Details, and verify that the Enhanced Key Usage
shows: Client Authentication and Server Authentication.
Step 25 Click OK when finished with the verification.
Step 26 Go back to the WSA and Under WSA Client Certificate > Use Generated
Certificate and Key > Signed certificate, Browse and open the new signed
certificate WSA_pxgrid.cer.
Step 27 Click Upload file.
Step 28 Under ISE pxGrid Node Certificate, click Browse…, select the root-CA.cer >
Open. Click Upload File.

Step 29 Under Primary ISE Monitoring Node Admin Certificate, click Browse…, select
the root-CA.cer > Open > Upload Files.
Step 30 Delete “admin” under Secondary ISE pxGrid Node (optional), if present.
Otherwise the Test will fail.
Step 31 Scroll to the bottom and under Test Communication with ISE Server, choose
Start Test. You should see that all tests completed successfully.

Note If the connection to the ISE pxGrid server timed out, check ISE pxGrid Services page to
see whether it is waiting for approval on the pxGrid client registration.

Step 32 Click Submit.



Step 33 Select Commit Changes > Commit Changes.
Step 34 Log in to ISE as admin / 1234QWer.
Step 35 Navigate to Administration > pxGrid Services. Verify that the WSA has
registered as a pxGrid client and has subscribed to the SessionDirectory and
TrustSecMetaData capabilities.

Note This may take a moment to show. Click Refresh to monitor the progress.

Activity Verification
You have completed this task when you attain these results:
 Added the %m custom field to the WSA accesslogs subscription.
 Generated the WSA CSR and obtained a CA-signed certificate to be used as the
pxGrid client certificate.
 Registered the WSA to the ISE pxGrid node and subscribed to the SessionDirectory and
TrustSecMetaData capabilities.

Task 5: WSA Identity and Access Policies (Optional)
The WSA will use the Identification profiles to identify users who are authenticated with ISE
and associate them to the Security Group Tags (SGT). The WSA access policies then
determine the corporate web security profiles based on these SGTs. In this exercise, an
identification profile will be created for ISE. A WSA access policy will be created to deny
802.1X authenticated users who are tagged as Employees from accessing Facebook.

Activity Procedure
Complete these steps:
Step 1 If needed, reopen the WSA URL, http://10.1.100.30:8080.
Step 2 Navigate to Web Security Manager > Authentication > Identification
Profiles.
Step 3 Click Add Identification Profile….
Perform the following changes:
 Client / User Identification Profile Settings Name: ID by ISE.
 User Authentication Methods > Identification and Notification, select
Transparently identify users with ISE.
 Fallback to Authentication Realm or Guest Privileges: select Block
Transactions.

Step 4 Under Membership Definition, leave all defaults.


Step 5 Click Submit.



Step 6 Navigate to Web Security Manager > Web Policies > Access Policies.
Step 7 Click Add Policy.
Make the following configuration changes:
 Policy Settings > Policy Name: ISE Corp Access
 Policy Member Definition > Identification Profiles and Users > Select
One or More Identification Profiles.
 Identification Profile: select ID by ISE.
 Authorized Users and Groups: select Selected Groups and Users.
 ISE Secure Group Tags: click No tags entered.
Step 8 In the next window, under Secure Group Tags > Secure Group Tag Search,
Check Employees.
Step 9 Click Add. You should see that Employees have been included in the Authorized
Secure Group Tags policy.

Step 10 Scroll down and click Done.
Step 11 Click Submit. You should see the following:

Step 12 Click (global policy) in the URL Filtering section for ISE Corp Access to
override the default URL Filtering for ISE Corp Access.
Step 13 Under Predefined URL Category Filtering, set Social Networking to Block.



Step 14 Click Submit when finished.

Step 15 Click (global policy) in the Applications section for ISE Corp Access to
override the default Applications policy for ISE Corp Access.
Step 16 Under Edit Application Settings, select Define Applications and Custom
Settings from the drop-down.
Step 17 Under Application Settings, scroll to Facebook. Select Edit all, then Select
Block.

Step 18 Click Apply and then Submit. You should then see the following:

Step 19 Click Commit Changes > Commit Changes.

Activity Verification
You have completed this task when you attain these results:
 Created an Identification Policy Profile for ISE.
 Created a Web Access policy that denies users tagged as Employees access to
Facebook, with a URL Filtering rule that blocks Social Networking and an
Applications rule that blocks Facebook.



Task 6: Testing Corporate PC (Optional)
Organizations may have certain corporate security policies that they must observe. Among
them would be for corporate employees not to use social applications such as Facebook.

Activity Procedure
Complete these steps:
Step 1 On the Admin PC, access the 3k-access switch. If prompted, enter credentials
admin / 1234QWer.
Step 2 Enter the following command so that log messages are displayed in your session:
terminal monitor

Step 3 Connect to the W10PC-Corp.


Step 4 Restart the PC and log back in as demo\employee1 / 1234QWer.
Step 5 On the switch enter the command: show authentication sessions interface
g1/0/1 details.
Verify that the user has successfully logged on and has authenticated via 802.1X.
The session has an SGT value of 4.
3k-access# show authen sessions interface gig 1/0/1 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x107F88000000071
MAC Address: 6805.ca00.9e5a
IPv6 Address: Unknown
IPv4 Address: 10.1.10.201
User-Name: employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A010A0100000FD5085F4EE0
Acct Session ID: 0x00000FE3
Handle: 0x51000018
Current Policy: POLICY_Gi1/0/1

Server Policies:
ACS ACL: xACSACLx-IP-acl_employee-587e4b26
SGT Value: 4

Method status list:


Method State
dot1x Authc Success
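The checks that Step 5 asks you to make by eye (status Authorized, dot1x success, SGT 4, a downloadable ACL applied) can also be scripted, which is useful when you verify many ports. The following is an added example, not part of the lab guide or of any Cisco tool: it parses the switch output shown above (embedded here as a constructed sample string, SAMPLE_OUTPUT) into a dictionary and reports which of the lab's expectations are not met. The field names are those of the output; the expected values are the lab's own.

```python
# Added example (not part of the lab guide): parse the output of
# "show authentication sessions interface ... details" and check the
# session state the lab expects (Authorized, dot1x success, SGT 4, dACL).

# Constructed sample: the switch output as shown in the lab.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/1
IIF-ID: 0x107F88000000071
MAC Address: 6805.ca00.9e5a
IPv6 Address: Unknown
IPv4 Address: 10.1.10.201
User-Name: employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A010A0100000FD5085F4EE0
Acct Session ID: 0x00000FE3
Handle: 0x51000018
Current Policy: POLICY_Gi1/0/1

Server Policies:
ACS ACL: xACSACLx-IP-acl_employee-587e4b26
SGT Value: 4

Method status list:

Method State
dot1x Authc Success
"""


def parse_session(text):
    """Return a dict of the 'Key: Value' fields plus a 'methods' dict
    mapping each authentication method (dot1x, mab, ...) to its state."""
    session = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Method status list"):
            in_methods = True          # everything below is the method table
            continue
        if in_methods:
            if line.startswith("Method"):   # column header row
                continue
            name, _, state = line.partition(" ")
            session["methods"][name] = state.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            session[key.strip()] = value.strip()
    return session


def check_employee_session(session, expected_user="employee1", expected_sgt="4"):
    """Return a list of failed checks; an empty list means the session
    looks exactly as Step 5 of the lab expects."""
    failures = []
    if session.get("Status") != "Authorized":
        failures.append("status is %s, not Authorized" % session.get("Status"))
    if session.get("User-Name") != expected_user:
        failures.append("user is %s, not %s" % (session.get("User-Name"), expected_user))
    if session["methods"].get("dot1x") != "Authc Success":
        failures.append("dot1x did not authenticate: %s" % session["methods"].get("dot1x"))
    if session.get("SGT Value") != expected_sgt:
        failures.append("SGT is %s, not %s" % (session.get("SGT Value"), expected_sgt))
    if not session.get("ACS ACL", "").startswith("xACSACLx-"):
        failures.append("no downloadable ACL applied")
    return failures


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_OUTPUT)
    problems = check_employee_session(parsed)
    print("session OK" if not problems else "\n".join(problems))
```

The parser treats the output as simple key/value lines, which is enough for this command; the method table at the bottom is handled separately because it is column-formatted rather than colon-separated.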

Step 6 On the W10PC-Corp, open Internet Explorer (Firefox will not work due to
HSTS).
Step 7 In IE, open the webpage https://www.facebook.com. As IE cannot validate the
WSA certificate you will be prompted with a security warning. Read the
following note:

Note In a real enterprise environment you would add the WSA_HTTPS_proxy certificate to a
trusted certificate store in the domain PKI; it would then be distributed to the
certificate store of the domain computers, which IE uses for validation. The WSA
certificate would then be trusted as a CA and the HTTPS website would open with a
certificate issued by the WSA. For Firefox you would need to import the certificate
manually into Firefox's own certificate store for it to be trusted as a CA.

Step 8 Click Continue to this website to trust the wsa-https certificate for the session.

Step 9 You will see a message “This Page Cannot Be Displayed”.

Step 10 Also note that the site certificate is wildcard and issued by WSA HTTPS Proxy:
Click on Certificate Report right next to the address field and in the popup click
View certificates.



Step 11 Observe the wildcard certificate issued by WSA HTTPS Proxy.

Step 12 From the Admin PC, use PuTTY to open a SSH connection to the WSA
(10.1.100.30). Log in as admin with the password !234QWer.
Issue in turn the commands isedata, cache, show. Note the IP-Name-SGT
mapping.

Step 13 Log in to the WSA admin web portal at http://10.1.100.30:8080.
Step 14 Navigate to System Administration > Policy Trace.
Step 15 Select ISE as Authentication / Identification.
Step 16 Enter the URL https://www.facebook.com and Client IP address <W10PC-
Corp’s IP address>.

Step 17 Click Find Policy Match. A sample result is shown here:



Step 18 Navigate to Reporting > Users and click on any employee1 hyperlink.
Step 19 Scroll to the end of the page and note the matched policy ISE Corp Access and
its Blocked Transactions under the section Policies matched.

Activity Verification
You have completed this task when you attain these results:
 Performed no shut on the switch access and monitored the results.
 Performed a Login as employee and accessed Facebook.
 Checked the certificate to verify that Facebook was blocked.

Lab 9-1: Configure TACACS+ for Cisco ISE for
Basic Device Administration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
Device administration in ISE involves controlling network administrator access to network
devices. Network administrators often have different levels of access to different network
equipment, depending on their role. Most organizations prefer to centralize the control and
maintenance of this function. The TACACS+ function of Cisco ISE enables this central
control. Through TACACS Live Logs and reports, ISE provides centralized monitoring,
reporting, and troubleshooting of an organization’s network administration. In this lab, you
will configure ISE for basic Device Administration of IOS devices.
You will begin by configuring the policy elements that are required for network device
administration. These policy elements will then be used in the basic authentication and
authorization policies, which you will create. Of course, each Network Access Device
(NAD) must be configured to support TACACS+, and so you must configure the required
AAA commands to fulfill this need. You will then log in with different users to validate both
your authentication policies, and your authorization policies. You will know that you have
granular control of not only who can access your network devices, but also what they can do.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 AD1
 ISE-1



Task 1: Policy Configuration for AD Employees and AD
Contractors
In this task, you will configure Cisco ISE device administration policies for AD Employees and AD Contractors.

Activity Procedure
Complete these steps:
Step 1 Access the Admin PC and connect to the ISE GUI via https://ise-1.demo.local.
Step 2 To enable device administration, navigate to Administration > System >
Deployment. Edit the ISE node by clicking on ise-1. Under General Settings,
enable the Device Admin Service and Save the settings.

Step 3 Navigate to Administration > Network Resources > Network Devices.

Step 4 Select and edit the 3k-access switch.
Step 5 Scroll down, enable TACACS Authentication settings with the shared secret
1234QWer.

Step 6 Scroll down and click Save.


Step 7 To add policy elements, navigate to Work Centers > Device Administration >
Policy Elements > Results > TACACS Profiles. You will add two different
TACACS profiles with different privilege levels.
Step 8 Click Add to create a new profile named “Privilege_Level_1” where the default
privilege level is 1, and maximum privilege level is 1. Click Submit.

Step 9 Add a second profile named “Privilege_Level_15”, with a default privilege level
of 1 and maximum privilege level 15. Click Submit.



Step 10 For policy creation, navigate to Work Centers > Device Administration >
Device Admin Policy Sets. You are about to create a new policy set to handle
Network Devices that use Cisco IOS software.
Step 11 Click the Plus icon or click the gear icon and select Insert new row above to
create a new Policy Set above the Default Policy Set.

Step 12 Name the new Policy Set Wired_Devices.


Step 13 Create a new Condition of Device: Device Type EQUALS All Device
Types#Wired.
Step 14 Select Default Device Admin from the Drop-Down Menu under Allowed
Protocols/Server Sequence.
Step 15 Click Save.

Step 16 Next, edit the Authentication Policy to use All_AD_Join_Points as the Identity
Store.
Step 17 Click Done.

Step 18 Next, insert a new authorization policy above the Default authorization policy.
Configure this new rule according to the chart below.

Attribute        Value
Rule Name        Employee_Privilege_15
Conditions       demo.local:ExternalGroups Equals demo.local/HCC/Groups/Employees
Command Sets     Leave at default
Shell Profiles   Privilege_Level_15

Step 19 Click Save.



Step 20 Now add a policy for contractors. Start by clicking the gear icon at the end of the
new employee policy, and choose Insert New Rule Above. Configure this new
rule according to the chart below.

Attribute        Value
Rule Name        Contractor_Privilege_1
Conditions       demo.local:ExternalGroups Equals demo.local/HCC/Groups/Contractors
Command Sets     Leave at default
Shell Profiles   Privilege_Level_1

Step 21 Click Save and check your work against the example below.

Step 22 To configure switch, access the 3k-access switch console, and enter the
commands that are shown below. You can find a textfile for copy and paste under
http://tools.demo.local/cp as tacacs-switch-config.txt

conf t
! Define the ISE node as a TACACS+ server, using the shared secret from Step 5
tacacs server ISETAC
address ipv4 10.1.100.21
key 1234QWer
exit
! Put the server in a group that the AAA method lists can reference
aaa group server tacacs+ myTplusServers
server name ISETAC
exit
! Login authentication and exec authorization: ask ISE first; the "local"
! method is used only if no TACACS+ server is reachable, not when ISE rejects
aaa authentication login MyTplus group myTplusServers local
aaa authorization exec MyTplus group myTplusServers local
! Enable authentication via ISE, falling back to the local enable password
aaa authentication enable default group myTplusServers enable
! Send exec session start and stop accounting records to ISE
aaa accounting exec default start-stop group myTplusServers
! Apply the method lists to the SSH/Telnet lines
line vty 0 4
login authentication MyTplus
authorization exec MyTplus
end
wr

Step 23 To test various users, return to your Admin PC, and use PUTTY to open a SSH
session to 3k-access switch (10.1.100.1)
 Login using the credentials contractor1 / 1234QWer. This should
succeed.
 Type enable to get higher privilege. When prompted for a password,
enter 1234QWer. This authentication fails, according to the policy you
created. In ISE, navigate to Operations > TACACS > Live Logs for
verification.

 Open another Putty SSH session to the 3k-access switch (10.1.100.1) and
login using employee1 / 1234QWer. This should succeed.
 Type enable to get higher privilege. When prompted for a password,
enter 1234QWer. This authentication succeeds, according to the policy
you created.
 If you like, you can enter the show privilege command to verify your
privilege level is 15.



Step 24 Navigate to Operations > TACACS > Live Logs to see the authentication and
authorization records.

Step 25 For the failed contractor entry, click the Details icon, as shown above. You can
analyze the details of each session. Some of the more pertinent information
includes the Authorization details, as shown below.

Activity Verification
You have completed this task when you attain these results:
 You have enabled device administration on the Cisco ISE.
 You have configured a new Network Device Group (NDG).
 You have modified a NAD definition in Cisco ISE to accommodate device
management.
 You have added new TACACS+ Profiles to accommodate unique privilege levels.
 You have created a new device admin policy set that differentiates between
employees and contractors, assigning the profiles that you created, as appropriate.
 You successfully tested access control policy with employee and contractor user
accounts.

Lab 9-2: Configure TACACS+ Command
Authorization
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this exercise, you will configure TACACS+ command authorization and bind these
commands to a device administration policy. Privilege-level authorization associates
commands with privilege levels, per network device. ISE can then apply the default and
maximum privilege level to a user upon login. Privilege level authorization requires that each
device be configured with privilege levels and command sets (overriding the default privilege
levels). TACACS+ command authorization centralizes the administration of commands to be
allowed or denied. When TACACS+ command authorization is enabled, each command that
is entered on a device is authorized against the TACACS+ service.
You will begin this lab by configuring TACACS Command sets. Then you will modify the
authorization policy to use these command sets. You will modify the switch configuration to
support command authorization, and then test the various users to check their access levels.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 AD1
 ISE-1



Task 1: Configure Command Sets
In this task, you will configure Cisco ISE to control admin access to IOS devices.

Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Device Administration > Policy Elements >
Results > TACACS Command Sets. You are about to create two command sets,
one with full access, and one with limited access to a specific set of commands.
Step 2 Click Add to create a new command set. Configure the name as
Permit_All_Commands, and click the checkbox for Permit any command that
is not listed below.

Step 3 Click Submit.


Step 4 Create a new command set named Limited_Access to permit/deny the following
commands:

Permission   Command   Argument
permit       ping
permit       show      run*
permit       show      privilege
deny         show      inter*

Note Click the Add button to add each command. After entering each command, make sure to
click the checkmark at the end of the line to save the command.

Step 5 Validate your work against the example that is shown below.

Step 6 Click Submit.

Step 7 Navigate to Work Centers > Device Administration > Device Admin Policy
Sets > Wired_Devices.
Step 8 Modify the rule named Contractor_Privilege_1.
Step 9 Click into the Command Sets box, and choose Limited_Access.
Step 10 Click the down-arrow in the Shell Profiles box, and choose Privilege_Level_15.

Note Although the contractors now have access to privilege level 15, they are limited to the
commands specified in the assigned command set.

Step 11 Modify the rule named Employee_Privilege_15.


Step 12 Change the command set to Permit_All_Commands, and leave the Shell Profile
at Privilege_Level_15.
Step 13 Check your work against the example that is shown below.

Step 14 Scroll down and click Save.



Step 15 To configure the switch, access the 3k-access switch (10.1.100.1) via PuTTY
again as employee1 / 1234QWer, with the enable password 1234QWer.
Enter the following commands to enforce command authorization via TACACS+.
conf t
! Authorize every level-1 and level-15 command against ISE. "if-authenticated"
! means that if no TACACS+ server is reachable, commands are permitted for any
! user who has already authenticated (a fail-open choice for reachability only)
aaa authorization commands 1 MyTplus group myTplusServers if-authenticated
aaa authorization commands 15 MyTplus group myTplusServers if-authenticated
! Apply the command authorization lists to the SSH/Telnet lines
line vty 0 4
authorization commands 1 MyTplus
authorization commands 15 MyTplus
end
wr

Step 16 Close the PuTTY session and open a new PUTTY SSH session to 3k-access.
 Login using the credentials contractor1 / 1234QWer. This should
succeed.
 Type enable. When prompted, enter the password “1234QWer”.
 Notice that this access now succeeds, because you modified the
authorization policy to apply the Privilege_level_15 shell profile.
 Execute the following commands and observe which commands pass and
fail.
o show privilege
o show running-config
o ping 10.1.100.10
o show interface (should not succeed)
o configure terminal (should not succeed)
Check the Live Logs to see the information for command passes and failures.
Click a Details icon if you would like to see more information about any failures.
Step 17 Open another PuTTY SSH session to the 3k-access switch and login using the
credentials employee1 / 1234QWer. This action should succeed.
 Type enable to gain a higher privilege level. Use 1234QWer as the
enable password. This action should succeed, as it did in the previous lab.
 Execute the same commands as in Step 16. You should notice that
employee1 can execute all the commands.

Step 18 Close all PuTTY sessions.


Step 19 Navigate to Operations > TACACS > Live Logs to see the
authentication/authorization/command authorization information. You should see
Live Logs for the two different users that show the successful and unsuccessful
execution of commands.
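The pass/fail pattern that Steps 16 and 17 ask you to observe follows from how the two command sets are evaluated. The following is an added example, not part of the lab guide or of Cisco ISE itself: it encodes the Limited_Access and Permit_All_Commands command sets from Task 1 and evaluates the Step 16 command list against each. The evaluation order (a matching deny_always wins, then any matching permit, then any matching deny, then the "Permit any command that is not listed" default) and the treatment of a trailing * in the Argument column as a wildcard are simplifying assumptions made for this illustration; the real ISE matching engine is more elaborate.

```python
# Added example (not part of the lab guide): a simplified model of TACACS+
# command-set evaluation, using the command sets configured in this lab.
import fnmatch

# Constructed command sets mirroring Task 1, Steps 2 and 4.
# Each rule is (grant, command, argument-pattern); "" matches any argument.
LIMITED_ACCESS = {
    "permit_unlisted": False,
    "rules": [
        ("permit", "ping", ""),
        ("permit", "show", "run*"),
        ("permit", "show", "privilege"),
        ("deny",   "show", "inter*"),
    ],
}

PERMIT_ALL_COMMANDS = {"permit_unlisted": True, "rules": []}

# The commands the lab asks the contractor and employee to try in Step 16.
STEP_16_COMMANDS = [
    "show privilege",
    "show running-config",
    "ping 10.1.100.10",
    "show interface",
    "configure terminal",
]


def rule_matches(rule, command, arguments):
    """A rule matches when the command word is identical and the argument
    pattern (shell-style wildcard; empty pattern = any) matches the arguments."""
    _, rule_cmd, rule_args = rule
    if rule_cmd != command:
        return False
    if rule_args == "":
        return True
    return fnmatch.fnmatchcase(arguments, rule_args)


def authorize(command_set, cli_line):
    """Return 'permit' or 'deny' for a full CLI line such as 'show running-config'.

    Assumed precedence (simplification of ISE behaviour): deny_always beats
    everything, then permit beats deny, and an unmatched command falls back to
    the command set's 'permit any command that is not listed' setting."""
    parts = cli_line.strip().split(None, 1)
    command = parts[0] if parts else ""
    arguments = parts[1] if len(parts) > 1 else ""
    verdicts = {r[0] for r in command_set["rules"] if rule_matches(r, command, arguments)}
    if "deny_always" in verdicts:
        return "deny"
    if "permit" in verdicts:
        return "permit"
    if "deny" in verdicts:
        return "deny"
    return "permit" if command_set["permit_unlisted"] else "deny"


def evaluate_all(command_set, cli_lines=STEP_16_COMMANDS):
    """Map each CLI line to its verdict under the given command set."""
    return {line: authorize(command_set, line) for line in cli_lines}


if __name__ == "__main__":
    for name, cs in (("contractor1 (Limited_Access)", LIMITED_ACCESS),
                     ("employee1 (Permit_All_Commands)", PERMIT_ALL_COMMANDS)):
        print(name)
        for line, verdict in evaluate_all(cs).items():
            print("  %-20s %s" % (line, verdict))
```

Note that "configure terminal" is denied for the contractor not by an explicit deny rule but by the default: because Limited_Access leaves "Permit any command that is not listed" unchecked, anything the set does not name is refused. That default, rather than the four rules, is what keeps the contractor out of configuration mode even at privilege level 15.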

Task 2: TACACS+ Features
This task is focused on two additional TACACS features:
1. Login authentication and enable authorization differentiation: Sometimes an
organization will choose to use different identity stores for login and enable. For
example, for device login, the organization may choose to use existing Active
Directory credentials, minimizing the administrative burden of creating new
credentials. For network administrators who need a higher level of access through
enable, the organization may want to manage the enable passwords via the ISE
internal user database or one-time passwords. This lab uses ISE internal users. These
users are pre-configured.
2. CLI Password change: TACACS+ supports inline password changes by the network
administrator. The network administrator can invoke this functionality by just hitting
return when prompted for a password.

Activity Procedure
Complete these steps:
Step 1 To enable login authentication and authorization differentiation, modify the
authentication policy to use different ID stores for login and enable. Navigate to
Work Centers > Device Administration > Device Admin Policy Sets >
Wired_Devices.
Step 2 Select the Wired_Devices Policy Set.
Step 3 Observe the Authentication Policy default rule.
Step 4 Click the gear icon of the Default Rule and insert a new rule above the default
rule.
Step 5 Create a new authentication policy rule as defined below.

Attribute    Value
Rule Name    Enable_Password
Conditions   If (Create New Condition) TACACS:Service EQUALS Enable
Use          Internal Users

Step 6 Scroll down and click Save.


Step 7 Configure the ISE user employee1 in its local identity database. Navigate to
Work Centers > Network Access > Identities > Network Access Users.
Step 8 Add a user named employee1 with a Login Password of 1234QWer, and an
Enable Password of Cisco123.
Step 9 Scroll down and click Submit.



Step 10 Using PUTTY, open a SSH session to the 3k-access switch.
 Login using the credentials employee1 / 1234QWer. This should
succeed.
 Type enable and use the 1234QWer password. This process will fail as
the enable password is checked against the Internal Users database where
the password for employee1 is different.
 Type enable and use Cisco123 as the password. This process should pass
as it matched with the password stored in the Internal Users database.
 Go to TACACS Live Logs to check the logging records.

Step 11 For TACACS+ password change ability, open a new PUTTY SSH session to the
3k-access switch. Log in as employee1 / 1234QWer. When asked for enable
password, press Enter. You will be prompted for old password Cisco123,
followed by the new password 1234QWer.

Step 12 Close this PUTTY session.
Step 13 Launch another PuTTY SSH session to the 3k-access switch and log in as
employee1 / 1234QWer.
 Try using the old enable password Cisco123. This password should fail.
 Try the new enable password that you set in Step 11. This password should now
succeed.
Step 14 Check the TACACS Live Logs to see the login fail and pass.

Activity Verification
You have completed this task when you attain these results:
 You have configured TACACS command sets to differentiate user access.
 You have modified the authorization policy to use the new command sets.
 You have configured the switch for command authorization
 You have tested various users to check their access levels
 You have validated the ability to change passwords



(Optional) Lab 9-3: Configuring Backups and
Patching
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure Cisco ISE for backup and examine the process to
patch it. After completing this activity, you will be able to meet these objectives:
 Configure Cisco ISE backups
 Patch a Cisco ISE instance

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 AD1
 ISE-1

Task 1: Configuring Backups
In this task, you will configure Cisco ISE to perform backups.

Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 In the Cisco ISE admin portal navigate to Administration > System >
Maintenance and then Repository.
Step 2 In the right-hand pane, click +Add.
Step 3 Create the following Repository.
Admin_PC - Repository Configuration

Attribute                   Value

Repository Configuration
  Repository Name           Admin_PC
  Protocol                  FTP

Location
  Server Name               10.1.100.6
  Path                      /

Credentials
  User Name                 Anonymous
  Password                  1234QWer

Step 4 Click Submit.


Configuration Database Backup Configuration
Step 5 Navigate to Administration > System > Backup & Restore.
Step 6 Under Schedule Backup > Configuration Data Backup click Schedule.



Step 7 Configure the following Backup Configuration Schedule.
Backup_CFG – Schedule Configuration Backup

Attribute                   Value
Name                        Backup_CFG
Description                 Configuration Backup
Repository                  Admin_PC
Encryption Key              1234QWer
Re-Enter Encryption Key     1234QWer
Frequency                   Weekly
At Time                     12:00AM
On Day                      Sunday
Start Date                  <Tomorrow's Date>
End Date                    01/01/2020

Step 8 Verify your configuration with the following screenshot and then click Save.

Monitoring Database Backup Configuration.
Step 9 On the same screen in Backup & Restore, click Schedule under Schedule
Backup > Operational Data Backup.
Step 10 Configure the following Backup Configuration Schedule.
Backup_MnT - Schedule Operational Backup

Attribute                   Value
Name                        Backup_MnT
Description                 Operations Backup
Repository                  Admin_PC
Encryption Key              1234QWer
Re-Enter Encryption Key     1234QWer
Frequency                   Daily
At Time                     02:00AM
Start Date                  <Tomorrow's Date>
End Date                    01/01/2020

Step 11 Verify your configuration with the following screenshot and then click Save.



Review the Process for Performing an On-Demand Backup
Step 12 Click the Backup Now button in the upper left corner of this page.
Step 13 Examine the form and observe that it is a simpler version of the scheduled backup
form, without a description or scheduling options, but with the ability to select
the Configuration or Operational backup type.
Step 14 Click Cancel.

Note Do not perform a backup at this time.

Review of the Patch Management Process for Cisco ISE


Step 15 Navigate to Administration > System > Maintenance and then Maintenance >
Patch Management.
Step 16 In the right pane, click Install in the toolbar.
Step 17 You would then click Browse and browse for the patch file selecting it and then
click Open.

Note Your instructor will notify you if there is a patch file to install and where it is located.

Step 18 You would then click Install. Cisco ISE would then upload the file via the
browser and process the patch. All services would be stopped and then restarted.

Note Patching is a maintenance window operation. All functional services are stopped and
restarted.

Activity Verification
You have completed this task when you attain these results:
 You have configured the repository for Cisco ISE.
 You have configured the configuration database backup
 You have configured the monitoring database backup
 You have reviewed the process to patch Cisco ISE.

(Optional) Lab 9-4: Configuring Administrative
Access
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure administrative access settings for Cisco ISE. After
completing this activity, you will be able to meet these objectives:
 Ability to control administrative access to Cisco ISE
 Configure administrator access and authorization for administrative sessions

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 AD1
 ISE-1



Task 1: Administrative Access
In this task, you will review and configure administrative access settings.

Activity Procedure
Complete these steps:
Session Settings
Step 1 Navigate to Administration > System > Admin Access and then Settings >
Session.
Step 2 Observe that the Session Idle Timeout range is 6 to 100 minutes.
Step 3 Click the Session Info tab.
Step 4 You should see your current session.
Step 5 Open Google Chrome, login to the ISE admin portal and open the Live Logs.
Step 6 Return to Firefox and click Refresh in the upper right section above the toolbar.
Step 7 Select your session and then attempt to click Invalidate. You are not able to
invalidate your own session.
Step 8 Select the new session and click Invalidate and confirm you want to invalidate
this administrative session by clicking OK.
Step 9 Return to Google Chrome and attempt to navigate anywhere in the portal. You
will be returned to the login screen.
Step 10 Close Google Chrome browser and return to Firefox.
Access Settings
Step 11 In the left pane navigate to Admin Access > Settings > Access.
Step 12 Observe the ability to limit concurrent sessions and configure pre- and post-login
banners for both GUI and CLI access.
Step 13 Click the IP Access tab.
Step 14 Select Allow only listed IP addresses to connect.
Step 15 In the IP List section click +Add.
Step 16 In the pop-up form enter 10.1.100.0 for the IP Address and 24 for the netmask in
CIDR format.
Step 17 Click OK and click Save.

Activity Verification
You have completed this task when you attain these results:
 You have configured administrative access session settings.
 You have invalidated an administrative session.
 You have configured IP access restrictions for administrative sessions.

Task 2: Administrator Access and Authorization
In this task, you will configure administrative access to the Cisco ISE admin portal.

Activity Procedure
Complete these steps:
Microsoft Active Directory Integration
Step 1 Navigate to Administration > System > Admin Access and then
Authentication.
Step 2 In the right pane, for password access, select the Identity Source AD:demo.local.
Step 3 Click Save.
Create AD Shadow Account
Step 4 In the left pane, navigate to Admin Access > Administrators > Admin Users.
Step 5 In the right pane, click +Add and select Create an Admin User.
Step 6 For the Name type ITAdmin.
Step 7 Delete the contents from the Email field.
Step 8 Select the External Box.
Step 9 Scroll down and select the Admin Group Super Admin.
Step 10 Click Submit.
Link External AD Group to Super Admins
Step 11 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 12 From the list, Edit the Super Admin group.
Step 13 Add External to the Type.
Step 14 In the External Groups drop-down, select demo.local/HCC/Groups/IT Staff.
Step 15 Scroll down and click Save.
Creating AD Permission Sets

Note It’s possible to create purely external administrative groups. New External groups require
additional configuration.

Step 16 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 17 Click +Add in the right pane tool bar.
Step 18 Enter the Name AD Staff.
Step 19 Configure the type to only be External.
Step 20 In the External Groups drop-down, select demo.local/HCC/Groups/Staff.
Step 21 Click Submit.
Creating an External Group RBAC Policy
Data Access
Step 22 In the left pane, navigate to Admin Access > Authorization > Permissions >
Data Access.
Step 23 In the right pane, click +Add.



Step 24 Enter the Name AD_Staff_Access.
Step 25 In the Data Access Privileges, expand Endpoint Identity Groups.
Step 26 With Endpoint Identity Groups selected, click Full Access on the right. After
saving, this grants access to that level and all sub-levels below it.
Step 27 Click Submit.
Menu Access
Step 28 In the left pane, navigate to Admin Access > Authorization > Permissions >
Menu Access.
Step 29 In the right pane, click +Add.
Step 30 Enter the Name AD_Staff_Menu.
Step 31 In the same way that you assigned Data Access Privileges, give Show access to the
following Menu Access Privileges:
 Home
 Operations >RADIUS

Note Select only the items listed above. Do not assign Show privileges to the Operations or
Administration top-level menus, only to the indicated sub-menu.

Step 32 Click Submit.


RBAC Policy Assignment
Step 33 In the left pane, navigate to Admin Access > Authorization > Policy.
Step 34 Using the Actions button at the right, Insert a new Policy.
Step 35 Configure the following policy.
AD Staff - RBAC Policy

Attribute      Value
Rule Name      AD Staff Policy
Admin Groups   AD Staff
Permissions    AD_Staff_Menu

Step 36 Verify your configuration with the following screenshot and then scroll down and
click Save.

Create Shadow Accounts for the AD Admin Group


Step 37 In the left pane, navigate to Admin Access > Administrators > Admin Users.
Step 38 In the right pane, click +Add and select Create an Admin User.

Step 39 For the Name type Admin1.
Step 40 Clear the Email field.
Step 41 Select the External Box.
Step 42 Scroll down and select the Admin Group AD Staff.
Step 43 Click Submit.

Activity Verification
You have completed this task when you attain these results:
 You have configured Cisco ISE to authenticate administrative access via Active Directory.
 You have created a shadow account in Cisco ISE that is linked to an external Active
Directory account.
 You have modified the Super Admin group to include a specific Active Directory
group.
 You have created a custom Active Directory permission set.
 You have completed the entire process of creating an external RBAC policy.



Task 3: Testing AD Administrative Access
In this task, you will test administrative access based on the configuration in your previous
task.

Activity Procedure
Complete these steps:
Step 1 To keep your existing administrative session in Firefox intact, open the
Google Chrome browser.
Step 2 Navigate to the URL https://ise-1.demo.local.
Step 3 On the login page, select the Identity Source demo.local.
Step 4 Use ITAdmin as the Username with the password 1234QWer.
Step 5 Click Login.
Step 6 Observe that you have full super admin access to the entire Cisco ISE admin
portal.
Step 7 In the upper right click Logout.
Step 8 Re-login using the credentials Staff1 / 1234QWer.
Step 9 Observe that the Cisco ISE admin portal is limited to just Home and
Operations > RADIUS.

Step 10 Click Logout.


Step 11 Close Google Chrome.

Activity Verification
You have completed this task when you attain these results:
 You have successfully logged in to Cisco ISE with Active Directory credentials.
 You have successfully observed the RBAC restrictions in the Cisco ISE admin
portal interface.

(Optional) Lab 9-5: Review of General Tools
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will review some of the diagnostic tools available via the Cisco ISE
admin portal. After completing this activity, you will be able to meet these objectives:
 Run the RADIUS Authentication Troubleshooting tool.
 Perform a TCPDump traffic capture on Cisco ISE.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 AD1
 ISE-1



Task 1: RADIUS Authentication Troubleshooting
In this task, you will explore the RADIUS Authentication Troubleshooting tool.

Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > RADIUS Authentication Troubleshooting.
Step 3 Examine the troubleshooting form and the available fields.
Step 4 Click the Select button at the end of the NAS IP line.
Step 5 In the pop-up, click Search.
Step 6 Select 10.1.100.1 from the criteria list and click Apply.
Step 7 Change the Authentication Status drop-down to Fail.
Step 8 Change the Time Range drop-down to Last 7 days.
Step 9 Click Search.
Step 10 Select any Failure Reason.
Step 11 Scroll down and click Troubleshoot.
Step 12 When presented, click Show Results Summary.
Step 13 Examine the presented data, expanding lines in the Troubleshooting Summary
where possible.
Step 14 At the bottom, click Show Progress Details to return to the overview.
Step 15 Click Done to close this troubleshooting session.

Activity Verification
You have completed this task when you attain this result:
 You have run the RADIUS Authentication Troubleshooting tool using the selected
parameters.

Task 2: TCPDump
In this task, you will use the TCPDump functionality in Cisco ISE to capture RADIUS
traffic that is seen by the Cisco ISE interface GigabitEthernet0.

Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > TCP Dump.
Step 3 Examine the options and in the Filter field enter port 1812.

Note In version 2.3, Cisco ISE may not accept this filter because of a software defect. In
that case, use the filter ip host 10.1.100.1 instead, which captures all traffic to and from
the access switch rather than only UDP port 1812.

Step 4 Change the Format to Human Readable.

Tip You can choose Raw Packet Data instead; the download is then in libpcap format.
Wireshark is a free application that can open that file type.

Step 5 At the top, click Start.


Step 6 Generate some RADIUS traffic, by accessing your 3k-access switch via PuTTY.
Step 7 Log in to the Switch via SSH using the credentials employee1 / 1234QWer and
the enable password 1234QWer.

Note The switch login depends on whether the earlier TACACS+ lab was completed. If it
was not, the default login is admin with the password 1234QWer.

Note Another way to access the switch is via the RemotelabsClient topology overview by
clicking the Switch symbol. This opens a console session at privilege level 15.

Step 8 Enter configuration mode and shut / no shut interface GigabitEthernet1/0/2, which
forces the endpoint on that port to re-authenticate and generates a RADIUS exchange:
login as: employee1
Using keyboard-interactive authentication.
Password: 1234QWer

3k-access>en
Password: 1234QWer
3k-access#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)# int gi1/0/2
3k-access(config-if)# shut
3k-access(config-if)# no shut
3k-access(config-if)# exit

Step 9 Return to the Cisco ISE admin portal. Some traffic should have been captured, as
indicated by a file size other than 0 bytes.
Step 10 Click Stop.



Step 11 Examine the output details at the bottom.

Step 12 Click Download.


Step 13 Save the TCPDump.txt file to your Desktop.
Step 14 Navigate to your Admin PC desktop and find the TCPDump.txt file.
Step 15 Right-click on it and select Open with WordPad.
Step 16 Examine the file contents and when done, close the file.
Step 17 Return to the Cisco ISE Admin Portal.

Activity Verification
You have completed this task when you attain this result:
 You have captured RADIUS traffic at the Cisco ISE GigabitEthernet0 interface and
examined it in human-readable form.
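The Raw Packet Data option mentioned in the Tip above produces a libpcap file, and what the capture actually contains is worth seeing byte by byte rather than only in tcpdump's one-line summary. The following is an added example written for this guide (it is not Cisco ISE code and not part of the original lab): a stand-alone Python 3 parser that walks a libpcap file, picks out UDP packets on ports 1812/1813, and decodes the RADIUS header and the attributes that matter in this lab. It also shows why capturing port 1812 matters from a security point of view: User-Name travels in clear text, and User-Password is only obfuscated with MD5 and the shared secret (RFC 2865, section 5.2), so anyone holding both the capture and the secret recovers the password. The sample capture is constructed inside the script; the NAS address 10.1.100.1 and the employee1 / 1234QWer credentials come from the lab, while the ISE address 10.1.100.21, the shared secret cisco123 and the NAS-Port value are assumptions made only for this example.

```python
"""Decode RADIUS from a libpcap capture (for example the Raw Packet Data download of the
ISE TCP Dump tool). Added example for this lab guide; standard library only."""
import hashlib
import struct
from typing import Optional

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# Attribute number -> (name, type); only the attributes worth reading in this lab
RADIUS_ATTRS = {1: ("User-Name", "text"), 2: ("User-Password", "password"),
                4: ("NAS-IP-Address", "ipv4"), 5: ("NAS-Port", "int"),
                31: ("Calling-Station-Id", "text"), 61: ("NAS-Port-Type", "int"),
                80: ("Message-Authenticator", "hex")}


def radius_password_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: p_i = c_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")          # strip the null padding added by the NAS


def radius_password_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above; used here only to build the constructed sample packet."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def parse_radius(payload: bytes, secret: Optional[bytes] = None) -> dict:
    """Decode one RADIUS datagram: 20-byte header followed by type/length/value attributes."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    authenticator = payload[4:20]
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:                       # a zero/one length would loop forever on bad input
            raise ValueError("malformed RADIUS attribute length")
        value = payload[pos + 2:pos + alen]
        name, kind = RADIUS_ATTRS.get(atype, (f"Attr-{atype}", "hex"))
        if kind == "text":
            attrs[name] = value.decode("utf-8", "replace")
        elif kind == "ipv4":
            attrs[name] = ".".join(str(b) for b in value)
        elif kind == "int":
            attrs[name] = struct.unpack("!I", value)[0]
        elif kind == "password" and secret is not None:
            attrs[name] = radius_password_decrypt(value, secret, authenticator).decode("utf-8", "replace")
        else:                              # unknown attribute, or password without a secret
            attrs[name] = value.hex()
        pos += alen
    return {"code": RADIUS_CODES.get(code, str(code)), "id": ident, "attrs": attrs}


def parse_pcap(data: bytes, secret: Optional[bytes] = None) -> list:
    """Walk a little-endian libpcap file (link type 1 = Ethernet) and return decoded RADIUS packets."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    results, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[pos:pos + 16])   # per-record header
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:               # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                                                   # not UDP
            continue
        udp = ip[ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if not {sport, dport} & {1812, 1813}:                             # same idea as "port 1812"
            continue
        pkt = parse_radius(udp[8:ulen], secret)
        pkt.update(src=".".join(str(b) for b in ip[12:16]),
                   dst=".".join(str(b) for b in ip[16:20]), sport=sport, dport=dport)
        results.append(pkt)
    return results


def build_sample_pcap(secret: bytes = b"cisco123") -> bytes:
    """Constructed sample: one Access-Request from NAS 10.1.100.1 to ISE-1. The ISE address
    10.1.100.21, the secret and the NAS-Port are assumptions made for this example only."""
    ra = bytes(range(16))                  # fixed Request Authenticator keeps the sample deterministic
    def attr(t, v): return bytes([t, len(v) + 2]) + v
    attrs = (attr(1, b"employee1")
             + attr(2, radius_password_encrypt(b"1234QWer", secret, ra))
             + attr(4, bytes([10, 1, 100, 1]))
             + attr(5, struct.pack("!I", 50102))
             + attr(61, struct.pack("!I", 15)))                           # 15 = Ethernet
    radius = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + ra + attrs
    udp = struct.pack("!HHHH", 1645, 1812, 8 + len(radius), 0) + radius   # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 1, 100, 1]), bytes([10, 1, 100, 21])) + udp
    eth = b"\x00" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", 0x0800) + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1500000000, 0, len(eth), len(eth)) + eth
    return header + record


if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap(), secret=b"cisco123"):
        print(pkt)
```

To read a real capture downloaded from ISE with the Raw Packet Data format, pass its bytes to parse_pcap(); give the shared secret configured for the network device if you want User-Password decoded, or leave it out to see only the obfuscated bytes. The same shared secret also protects the Response Authenticator, which is why the secret used in the lab should be treated with the same care as any other credential.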

(Optional) Lab 9-6: Report Operations
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will explore some Report operation capabilities in Cisco ISE. After
completing this activity, you will be able to meet these objectives:
 Run a report with filters.
 Save a scheduled report.
 Designate a report as a favorite and save it in My Reports.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
 Admin PC
 AD1
 ISE-1



Task 1: Running Report with Filters
In this task, you will run a report with a filter.

Activity Procedure
Complete these steps:
Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users >
Top Authorizations by User.
Step 2 Click Filters and select Identity from the drop-down. Click OK.
Step 3 In the Identity filter, enter *@demo.local to filter out all local and guest
authentications and keep only Active Directory users.
Step 4 Create a filter with the settings from the screenshot below.

Step 5 Click Go.


Step 6 Observe the results.

Note Do not close or leave this report. You will use it in the next task.

Activity Verification
You have completed this task when you attain this result:
 You have run a report with a filter.

Task 2: Saving and Scheduling Reports
In this task, you will schedule the filtered report from the last task to be run weekly.

Activity Procedure
Complete these steps:
Step 1 In the upper right corner of this report, click the Schedule button.

Step 2 Fill out the form with the following details.

Weekly_Top_AD_Authorizations - Scheduled Report

Attribute                  Value
Name                       Weekly_Top_AD_Authorizations
Description                (leave blank)
Repository                 Admin_PC
Send email Notification    (leave unchecked)
Schedule
  Frequency                Weekly
  At Time                  6:00 AM
  On Day                   Monday
  Start Date               <Tomorrow's date>
  End Date                 <One year later; select a Monday>



Step 3 Click Save.
Step 4 In the left pane, navigate down to Scheduled Reports > Scheduled Reports.
Step 5 Observe the successfully saved report.

Activity Verification
You have completed this task when you attain this result:
 You have saved a scheduled report.

Task 3: Favorite Reports
In this task, you will re-run a modified form of the report from the previous task and
designate the report as a favorite. The My Reports section is the one that opens by
default when you enter the Reports area, so marking a report as a favorite makes it faster
to execute in the future.

Activity Procedure
Complete these steps:
Step 1 Navigate to Operations > Reports. Then Report Selector > Reports >
Endpoints and Users > Top Authorizations by User.
Step 2 Click the plus sign to the right of the Time Range filter and select Identity from
the drop-down.
Step 3 In the Identity filter, enter *@demo.local to filter out all local and guest
authentications.
Step 4 Select the Time Range of Yesterday.

Step 5 Click Go.


Step 6 In the upper right, click My Reports. Click the Save button in the new window.
Step 7 In the left pane, open the My Reports section on the top.
Step 8 Click on Top Authorizations by User and review the Report.

Tip If you ever want to remove a report from the My Reports list, run the report and, in
the upper right, click – My Reports.

Activity Verification
You have completed this task when you attain this result:
 You have run a report and saved it as a My Reports entry.
