Lab Overview
In this lab, you will access ISE for the first time. You'll investigate the CLI of ISE and the Application Deployment Engine Operating System (ADE-OS)
commands. You will also familiarize yourself with the ISE GUI, turn off the profiling service, and work with certificates.
Lab Procedures
• Verify Cisco ISE Setup Using CLI
ISE has been partially preconfigured for you. This task will allow you to get familiar with ISE's console CLI to verify system setup.
1. Access the console of the ISE appliance and work with show commands.
1.2. On the desktop of the Admin-PC, open SecureCRT and use the ISE connection to SSH to the ISE box. The connection will automatically log in as admin
with a password of admin$Pwd.
1.3. Verify the status of the Cisco ISE processes by entering the show application status ise command. Core services will show a state of running while all
others are currently disabled. Subsequent labs will deal with enabling and configuring SXP, Threat Centric NAC, pxGrid, and PassiveID services.
Note: While not used here, the commands application stop ise and application start ise will stop and start all running services shown here. Expect
stopping and starting the services to take upwards of 10 minutes to complete.
http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
Page 2 of 15
1.4. Issue the show inventory command to display hardware details of the appliance.
1.5. Next, issue the show udi command to display quick information regarding the serial number of the appliance. Note that the serial number assigned in
a VM is based upon certain hardware. Reimaging an appliance will still reuse the same serial number value. Each ISE, appliance or VM, will have its
own serial number.
SPID: ISE-VM-K9
VPID: V01
Serial: A9ERQBJJJGD
1.6. Now, verify the network details on the interface of the ISE appliance by entering the show interface command as seen below.
1.7. Verify the routing table by executing the show ip route command. The output should display a default next hop going to the 10.10.2.1 address which
is the Layer3-Switch in the topology diagram.
Note: In production, you may require multiple interfaces on ISE due to anchor controllers being in the DMZ. If this is the case, you can manipulate static
routes for web authentication traffic to and from the DMZ interface of ISE.
1.8. Issue the show ntp command to display the current state of the NTP synchronization. The output may indicate that the server is currently
unsynchronized. Re-run the command by using the up arrow key; the output will eventually display a synchronized NTP status as seen below.
Note: The IP address in the third row may differ depending on which pool.ntp.org servers you are syncing with.
1.9. Issue the show version command to view the version of not just the ISE application but also the Application Deployment Engine Operating System
(ADE-OS) of the appliance itself.
Note: As you saw in prior steps, this version of ISE is patched. In order to perform upgrades and apply patches, a repository from which ISE can download
the appropriate files is required.
2.1. Validate ISE configuration by examining the contents of the repository located on the Admin-PC (case sensitive).
ise-patchbundle-2.1.0.474-Patch1-190890.SPA.x86_64.tar.gz
ise-patchbundle-2.1.0.474-Patch3-201683.SPA.x86_64.tar.gz
ise-upgradebundle-2.0.x-to-2.1.0.474.SPA.x86_64.tar.gz
Note: Admin-PC, as referenced in the above configuration, will require that ISE perform a DNS lookup. Admin-PC will resolve to the 10.10.2.10 address. The
files/folders seen reside on the Admin-PC and not locally on ISE. Patch1 can be seen in the repository.
3.1. Issue the nslookup command for the ISE nodes to determine if DNS is currently configured properly within the domain. In production, this is an important
step; otherwise, certificate-invalid warnings will appear and the integration of multiple ISE nodes will fail.
;; QUESTION SECTION:
;ise.gklabs.com. IN ANY
;; ANSWER SECTION:
ise.gklabs.com. 3600 IN A 10.10.2.50
;; QUESTION SECTION:
;ise-secondary.gklabs.com. IN ANY
;; ANSWER SECTION:
ise-secondary.gklabs.com. 3600 IN A 10.10.2.60
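As an added example (not part of the lab), the following POSIX shell check parses the answer section of nslookup/dig-style output like the one shown above and confirms that each ISE node resolves to the address the deployment expects. The output embedded in the script is constructed from the lab's own values; in a real check it would be replaced with the live output of the lookup.

```shell
#!/bin/sh
# Added example, not part of the original lab: verify the A records of the ISE
# nodes from nslookup/dig-style output. SAMPLE_OUTPUT is constructed from the
# values in the lab text; replace it with live lookup output in practice.

SAMPLE_OUTPUT=';; QUESTION SECTION:
;ise.gklabs.com. IN ANY

;; ANSWER SECTION:
ise.gklabs.com. 3600 IN A 10.10.2.50

;; QUESTION SECTION:
;ise-secondary.gklabs.com. IN ANY

;; ANSWER SECTION:
ise-secondary.gklabs.com. 3600 IN A 10.10.2.60'

# Print the A-record address(es) for one name. Only answer lines are
# considered: question lines start with ';' and never match on field 1.
a_record() {
    printf '%s\n' "$SAMPLE_OUTPUT" | awk -v name="$1." '
        $1 == name && $3 == "IN" && $4 == "A" { print $5 }'
}

# Return 0 when the node resolves to exactly the expected address, 1 otherwise
# (no record, a different address, or more than one address all count as a
# failure). A mismatch here is what later surfaces as certificate warnings and
# failed node registration in a multi-node deployment.
verify_node() {
    name=$1
    expected=$2
    got=$(a_record "$name")
    [ "$got" = "$expected" ]
}

# Check every node of the pod against the addresses from the lab topology.
for node in "ise.gklabs.com 10.10.2.50" "ise-secondary.gklabs.com 10.10.2.60"; do
    set -- $node
    if verify_node "$1" "$2"; then
        echo "OK    $1 -> $2"
    else
        echo "FAIL  $1 expected $2, got: $(a_record "$1")"
    fi
done
```

The awk filter keys on the trailing-dot owner name and the record class and type, so CNAME or AAAA answers for the same name do not satisfy the check; extend the expected list with one line per node before adding nodes to the deployment.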
Note: ADE-OS is not IOS. You will not do the bulk of the configuration on ISE from the CLI. The running configuration contains only some rudimentary
elements such as the hostname and interface configuration; the majority of the configuration is done in the GUI. In addition, the user accounts for the CLI
and the GUI are separate accounts: even though you will log in to the GUI using the same credentials, the GUI and CLI admin users are two distinct accounts.
In this task, you will use the web console of ISE for the first time and familiarize yourself with the general layout of the GUI.
5. Verify the installation of the Cisco ISE by logging into the web console.
5.2. On the bookmark bar within Firefox is a bookmark labeled ISE. You can either click that link or you can manually enter https://10.10.2.50 (don't forget
this is an HTTPS connection).
5.3. Click Advanced, Add Exception and confirm security exception (ISE is currently using a self-signed certificate).
5.4. You should now be at the login page for the ISE. Log in using the admin username and password admin$Pwd.
5.5. If a message appears about launching the Visibility Setup Wizard, click Do not show this again.
5.6. Once the main page loads, you will get familiar with the basics. Click the user icon on the top right.
Note: You may need to zoom the browser out (Ctrl and -) in order to see the icon.
5.7. Select Server Information and you should see a window appear. Click OK when finished viewing.
Note: This is a quick method for determining the personas that are currently provisioned on the appliance and the role of the appliance.
6.1. Click the gear link on the top right of the screen and select Account Settings.
6.2. A window will appear indicating user specific information. In the e-mail field, enter admin@gklabs.com.
7.2. These licenses were installed in preparation for this class. Notice that the licenses are fully functional (non-evaluation): a permanent Base license, a
permanent Device Admin license, and term-based Plus and Apex licenses.
7.3. Although you cannot see it now, once licenses begin being consumed, you can come back to this page and review the usage and over-usage.
Note: In the GKLABS environment Traditional Licensing is used. The alternative is Cisco Smart Licensing.
7.4. Normally, you would click the Import License button to add a license into the database on the PAN, but since our labs come pre-loaded, there is no
need to do so.
8.2. Navigate the various sub-menu options available under the Home tab. In later labs, you will be configuring other aspects of ISE and these dashboards
will be populated and updated accordingly. Since there are no devices or users yet defined, many dashboards are empty.
8.3. Navigate to Context Visibility > Endpoints. Again, explore the various sub-menus available here. Do the same with the Network Devices available
under Context Visibility.
Note: Context Visibility provides the administrator with a more holistic view of the network. It allows for quick sorting and filtering of context information.
Administrators can view dashlets to get detailed informational data.
8.4. These dashboards and dashlets can be customized to meet your needs. By clicking on the gear icon on the right, you will find some of the options
available to you as well as customizable options. These options will change depending on which main menu heading you are viewing, Home or
Context Visibility. Take a moment to view these options.
8.5. Back under the Home tab, you can add additional dashboards in two ways. You can click the + symbol to the right of the submenus, or click the gear
icon on the far right of the page. The + symbol will only allow you to create a new dashboard and define its attributes. The gear icon gives you more
options beyond this, such as adding additional dashlets to the present view. You can also change the layout of the display and manage dashboards as
well.
8.6. Add a new test dashboard by using either method mentioned above. Name it My_Dashboard and click Save when done.
8.7. Select two or three dashlets of your choice to be included with that dashboard.
8.8. Then click Save. You can then view this new dashboard once complete and it will appear as a sub-menu option.
8.9. Click the gear icon on the right and notice that you can rename this dashboard and add additional dashlets. If you click Add Dashlets, you will see that
you can configure the dashboard to display what is important to you in your environment.
8.10. Go ahead and delete this Dashboard by clicking the x next to the My_Dashboard name and click OK on the pop-up warning window to delete the
dashboard.
9. Next, take note of the other menu options available just to familiarize yourself with GUI navigation. You will be accessing most of the configuration options
available in much more detail throughout the entire course.
• The Operations tab will allow you to view live logs and live sessions for things such as RADIUS and TACACS+ sessions.
• The Policy tab is where you will perform authentication and authorization configurations, as well as profiling, provisioning, and posture. Take the time to
view the default policies that come with ISE for authentication, authorization, profiling, and provisioning. You will be modifying some of these and adding
new policy configurations in later labs.
• The Administration tab is where you will perform system functions, identity management, add network resources, device portals, and other services
available on Cisco ISE.
• The Work Centers tab is a new menu option available with ISE version 2.1. It provides a guided workflow process for configuring the various ISE services.
Work Centers also provide direct links to specific configuration pages. Take some time to click on the various sub-menu options, and pay particular attention
to the overview pages. These help guide you through the ISE workflow process. For example, choose the Overview option under the headings for BYOD,
Guest Access, or Network Access.
In this task, you will verify that Cisco ISE is set to the primary role. You will also verify that profiling is disabled. You will enable profiling in a later lab.
10. Verify that the role of the server is Primary and that Profiling is disabled.
10.3. The current role should be Primary and the Profiling Service should be disabled.
Note: The defaults on install are Standalone with Profiler enabled. The above modifications were made in order to avoid the 10-15 minute restart of
services required when making such changes.
11.1. In the ISE GUI, navigate to Administration > System > Settings > Protocols > RADIUS.
11.2. Disable (uncheck) the option to Suppress Anomalous Clients and click OK to the warning.
Note: Although suppressing anomalous clients is a best-practice default setting, it can be useful to turn it off when troubleshooting. During the labs, you will be
changing endpoint configurations and producing anomalous sessions. Disabling suppression will work better for our lab environment.
By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for EAP, Admin, Portal, and pxGrid services. In a typical enterprise
environment, this certificate is replaced with server certificates that are signed by a trusted CA.
You need to establish system certificates on each deployment node for TLS-enabled authentication protocols such as EAP-TLS, for authenticating the Admin
portal, for browser and REST clients to access the Cisco ISE web portals, and for the pxGrid service.
In this task, you will enroll Cisco ISE with the CA in your pod. You will download and install a certificate, as well as generate a Certificate Signing Request
(CSR). Finally, you will bind the CA-signed certificate to the CSR, and then verify its validity.
12.1. Using the Firefox web browser on the Admin-PC, open a new tab and click the GK Certs bookmark or navigate to http://10.10.1.25/certsrv.
Note: If using Firefox in production, you may have to click the Install this CA certificate link near the top of the page in order to install the CA certificate in
the browser. This must be performed because Firefox uses a separate certificate store from the operating system. Select Trust this CA to verify certificates
for websites, and click OK. In our lab environment, the CA certificate is already installed in Firefox.
12.6. Firefox will save the file (certnew.cer) in the Downloads folder by default.
13.1. In the Cisco ISE Admin portal tab, navigate to Administration > System > Certificates.
13.4. Click the Browse… button and navigate to your Downloads folder.
Note: If you used Firefox, Firefox will save the file in the Downloads folder by default. Internet Explorer will give you the option to save the file in a
designated location.
13.5. Select the file certnew.cer and then click the Open button.
13.7. Under the Trusted For section, select the following options as indicated in the screenshot.
13.9. Click Submit at the bottom. You should see the cert show up in Trusted Certificates.
Now that you have loaded the CA certificate, you need to enroll ISE to obtain its own identity certificate. You need to create a certificate signing request and
enroll it with the CA server.
14.2. Click the button at the top of the right pane, Generate Certificate Signing Requests (CSR).
Option    Description
Usage     Admin
Subject   CN = $FQDN$ (Leaving $FQDN$ uses the FQDN of the selected host in CN.)
          OU = Training
          O = GKLABS
          L = Cary
          ST = NC
          C = US
          IP Address = 10.10.2.50
Digest    SHA-256
Note: Adding the IP address as both a DNS Name and IP Address resolves a compatibility issue with Microsoft Windows Clients.
14.4. Click Generate; you will receive a confirmation pop-up window notifying you that you have successfully generated your CSR.
14.5. Click the Export button, and select Save File to save it in the Downloads folder as iseAdmin.pem.
15.2. In the right pane, select the check box to the left of the previously processed CSR.
15.3. Click the View button and select the CSR Contents tab to observe the text of the certificate request. Your contents will not match the example shown.
15.4. Highlight (Ctrl+A) and copy the entire contents to the clipboard (right-click Copy or Ctrl+C, will both work).
15.6. Return to the tab for the Microsoft Active Directory Certificate Services page.
15.10. Right-click and paste the contents into the Saved Requests field.
15.15. Click OK to save the file. It should be in the Downloads folder as certnew(1).cer.
16.2. In the Certificate Management > Certificate Signing Requests page, select the check box to the left of the previously processed CSR.
16.3. In the small toolbar above, click the Bind Certificate button.
16.4. Click Browse and navigate to the folder where the file was saved again, if necessary. (Firefox=Downloads, IE=your chosen saved location.)
16.7. In the Friendly Name field, enter ise Admin Wildcard Cert.
16.10. The system will log you out and restart services.
Note: This may take 10 - 15 minutes. You may check the status of the service restart via the CLI using the command show application status ise. Once the
Application Server Service is running, you will be able to log back in.
17.1. After logging back into the ISE GUI, in your browser URL bar, click the lock icon to the left of https://. Observe the following field that indicates a
trusted CA signed certificate.
17.3. On the Security tab, click View Certificate and observe that Issued By is the root-CA for your pod.
17.4. Click the Details tab and scroll down to Certificate > Extensions > Certificate Subject Alt Name and observe your wildcard configuration.
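The CSR, signing, bind and verification steps above can be reproduced outside the GUI with openssl. The script below is an added example and is neither the lab's nor Cisco's own code; it assumes a throwaway root CA generated locally in place of the pod's Microsoft CA, takes the subject from the step 14 table, and lists the node IP in the SAN as both a DNS name and an IP address as the note following that table describes. The bind_check function is the same test ISE applies when you click Bind Certificate (the certificate must carry the CSR's public key), and verify_cert is what the browser checks in step 17 (chain to a trusted CA, and a SAN containing the name you connect to).

```shell
#!/bin/sh
# Added example, not the lab's or Cisco's own code: CSR -> CA signing -> bind
# -> verify with openssl, runnable offline. Assumptions: a local throwaway root
# CA stands in for the pod CA; subject fields are from the step 14 table; the
# SAN carries the node IP as both DNS name and IP address.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN=ise.gklabs.com      # what $FQDN$ expands to for this node (lab value)
NODE_IP=10.10.2.50       # node IP address from the step 14 table

# Request config: subject per the lab table, SHA-256 digest, SAN extension.
cat > "$WORK/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = san
prompt = no
default_md = sha256
[ dn ]
CN = $FQDN
OU = Training
O  = GKLABS
L  = Cary
ST = NC
C  = US
[ san ]
subjectAltName = DNS:$FQDN, DNS:$NODE_IP, IP:$NODE_IP
EOF

# Stand-in CA config (constructed): a root must assert basicConstraints CA:TRUE
# or openssl verify rejects it as an invalid CA certificate.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
default_md = sha256
[ dn ]
CN = gklabs-root-CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Step 14: key pair plus CSR (the lab exports the CSR as iseAdmin.pem).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ise.key" \
    -out "$WORK/iseAdmin.pem" -config "$WORK/csr.cnf" 2>/dev/null
# Local root CA in place of AD Certificate Services.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.cer" -config "$WORK/ca.cnf" 2>/dev/null
# Step 15: the CA signs the request, carrying the SAN over from the request config.
openssl x509 -req -in "$WORK/iseAdmin.pem" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/csr.cnf" -extensions san \
    -out "$WORK/certnew.cer" 2>/dev/null

# Step 16 (Bind Certificate): a certificate binds to a CSR only when it carries
# that CSR's public key. Arguments: CSR file, certificate file. Returns 0 on match.
bind_check() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Step 17: the certificate must chain to the trusted CA and its SAN must carry
# the DNS name and IP address the browser connects to. Returns 0 when both hold.
# Arguments: certificate, CA certificate, expected DNS name, expected IP address.
verify_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    case $(openssl x509 -in "$1" -noout -text) in
        *"DNS:$3"*"IP Address:$4"*) return 0 ;;
    esac
    return 1
}

# A self-signed certificate from a different key pair (constructed) must fail
# both checks even though its subject name is identical.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/other.key" \
    -out "$WORK/other.cer" -config "$WORK/csr.cnf" 2>/dev/null

bind_check "$WORK/iseAdmin.pem" "$WORK/certnew.cer" && echo "bind: certificate matches the CSR key"
verify_cert "$WORK/certnew.cer" "$WORK/ca.cer" "$FQDN" "$NODE_IP" && echo "verify: chain and SAN OK"
bind_check "$WORK/iseAdmin.pem" "$WORK/other.cer" || echo "bind: certificate from another key pair rejected"
```

Because the SAN is copied from the request config at signing time, the issued certificate carries exactly the names the CSR asked for; with a real CA, run verify_cert against the file you download in step 15 before binding it, since a template that strips or rewrites the SAN is the usual reason the browser still warns after a successful bind.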
You will be adding other usages to the certificate you just installed. As of ISE 1.3, multiple certificates can be used for different purposes. The system creates
a self-signed certificate and assigns all functions to that certificate. You will bring those roles over to the CA signed certificate you installed in the previous
section.
18.3. Select the ise Admin Wildcard Cert from the list.
18.5. In the Usage area, select EAP Authentication and Portal. Accept the pop-up message regarding EAP Authentication.
18.6. Under Portal, add a new Portal group tag by entering GKLABS GT.
19. View the list of portals that use a certificate's portal group tag.
19.1. Mouse over the information icon associated with the Self-signed Certificate with the Portal group tag of Default Portal Group. It should appear as
follows:
Note: You should see a listing of Portals and Nodes associated with the Portal group tag. You will use the newly created wildcard certificates to support
portals using the GKLABS GT Portal group tag in upcoming labs.
Lab Complete