Page 1 of 15

Lab 1: ISE Familiarization and Certificate Usage

Lab Overview
In this lab, you will access ISE for the first time. You′ll investigate the CLI of ISE and the Application Deployment Engine Operating System (ADE-OS)
commands. You will also familiarize yourself with the ISE GUI, turn of the profiling service and work with certificates.

Estimated Completion Time

60 minutes

Lab Procedures
• Verify Cisco ISE Setup Using CLI

• Initial GUI Login and Familiarization

• Verify that Profiling is Disabled

• Configure Certificates and Usage

Task 1: Verify Cisco ISE Setup Using CLI

ISE has been partially preconfigured for you. This task will allow you to get familiar with ISE′s console CLI to verify system setup.

1. Access the console of ISE appliance and work with show commands.

1.1. Access the Admin-PC in the topology diagram by clicking on it.

1.2. On the desktop of the Admin-PC, open SecureCRT and use the ISE connection to SSH to the ISE box. The connection will automatically log in as admin
with a password of admin$Pwd.

1.3. Verify the status of the Cisco ISE processes by entering the show application status ise command. Core services will show a state of running while all
others are currently disabled. Subsequent labs will deal with enabling and configuring SXP, Threat Centric NAC, pxGrid, and PassiveID services.

Note: While not used here, the commands application stop ise and application start ise will stop and start all running services shown here. Expect that
stopping and starting services would take upwards of 10 minutes to complete.

ise/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID

--------------------------------------------------------------------
Database Listener running 3464

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 2 of 15

Database Server running 63 PROCESSES

Application Server running 4257
Profiler Database running 4799
ISE Indexing Engine running 1236
AD Connector running 9089
M&T Session Database running 438
M&T Log Collector running 1479
M&T Log Processor running 1394
Certificate Authority Service running 7024
EST Service running 7141
SXP Engine Service disabled
TC-NAC Docker Service disabled
TC-NAC MongoDB Container disabled
TC-NAC RabbitMQ Container disabled
TC-NAC Core Engine Container disabled
VA Database disabled
VA Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled

1.4. Issue the show inventory command to display hardware details of the appliance.

ise/admin# show inventory

NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"

PID: ISE-VM-K9 , VID: V01 , SN: A9ERQBJJJGD
Total RAM Memory: 8011220 kB
CPU Core Count: 4
CPU 0: Model Info: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
CPU 1: Model Info: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
CPU 2: Model Info: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
CPU 3: Model Info: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 214.70 GB
NIC Count: 1
NIC 0: Device Name: eth0:
NIC 0: HW Address: 00:50:56:87:ad:3e
NIC 0: Driver Descr: Intel(R) PRO/1000 Network Driver

(*) Hard Disk Count may be Logical.

What is the Serial Number of the appliance?

What is the size of the Hard Disk Drive?

How much DRAM is allocated to the host?

1.5. Next, issue the show udi command to display quick information regarding the serial number of the appliance. Note that the serial number assigned in
a VM is based upon certain hardware. Reimaging an appliance will still reuse the same serial number value. Each ISE, appliance or VM, will have its
own serial number.

ise/admin# show udi

SPID: ISE-VM-K9
VPID: V01
Serial: A9ERQBJJJGD

1.6. Now, verify the network details on the interface of the ISE appliance by entering the show interface command as seen below.

ise/admin# show interface

GigabitEthernet 0
flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.2.50 netmask 255.255.255.0 broadcast 10.10.2.255
inet6 fe80::250:56ff:fe87:ad3e prefixlen 64 scopeid 0x20<link>
ether 00:50:56:87:ad:3e txqueuelen 1000 (Ethernet)
RX packets 12817 bytes 3004769 (2.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10375 bytes 13489484 (12.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 811658 bytes 1138255185 (1.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 811658 bytes 1138255185 (1.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

1.7. Verify the routing table by executing the show ip route command. The output should display a default next hop going to the 10.10.2.1 address which
is the Layer3-Switch in the topology diagram.

ise/admin# show ip route

Destination Gateway Iface

----------- ------- -----
default 10.10.2.1 eth0

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 3 of 15

10.10.2.0/24 0.0.0.0 eth0

Note: In production, you may require multiple interfaces on ISE due to anchor controllers being in the DMZ. If this is the case, you can manipulate static
routes for web authentication traffic to and from the DMZ interface of ISE.

1.8. Issue the show ntp command to display the current state of the NTP synchronization. The output may indicate that the server is unsynchronized
currently. Refresh the output by using the up arrow button, the output will eventually display a synchronized NTP status as seen below.

Note: The IP address in the third row may differ depending on which pool.ntp.org servers you are syncing with.

ise/admin# show ntp

Configured NTP Servers:
10.10.2.1
192.0.2.1
0.pool.ntp.org

synchronised to NTP server (45.79.111.114) at stratum 3

time correct to within 4025 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter

==============================================================================
127.127.1.0 .LOCL. 10 l 197 64 10 0.000 0.000 0.000
x10.10.2.1 192.0.2.1 4 u 3 64 17 1.456 400.250 52.748
+192.0.2.1 1.1.1.11 3 u 63 64 7 1.626 -7.443 0.671
*45.79.111.114 216.218.254.202 2 u - 64 17 73.127 2.593 2.536

* Current time source, + Candidate , x False ticker

Warning: Output results may conflict during periods of changing synchronization.

1.9. Issue the show version command to view the version of not just the ISE application but also the Application Deployment Engine Operating System
(ADE-OS) of the appliance itself.

ise/admin# show version

Cisco Application Deployment Engine OS Release: 3.0

ADE-OS Build Version: 3.0.0.202
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2014 by Cisco Systems, Inc.

All rights reserved.
Hostname: ise

Version information of installed applications

---------------------------------------------

Cisco Identity Services Engine

---------------------------------------------
Version : 2.1.0.474
Build Date : Wed May 25 04:34:43 2016
Install Date : Fri Jun 10 23:16:12 2016

Cisco Identity Services Engine Patch

---------------------------------------------
Version : 1
Install Date : Fri Oct 21 17:32:39 2016

Cisco Identity Services Engine Patch

---------------------------------------------
Version : 3
Install Date : Fri Jun 02 03:42:13 2017

2. Verify the previously created FTP repository.

Note: As you saw in prior steps, this version of ISE is patched. In order to perform upgrades and apply patches, a repository from which ISE can download
the appropriate files is required.

2.1. Validate ISE configuration by examining the contents of the repository located on the Admin-PC (case sensitive).

ISE/admin# show repository Admin-PC

ise/admin# show repository Admin-PC

ise-patchbundle-2.1.0.474-Patch1-190890.SPA.x86_64.tar.gz
ise-patchbundle-2.1.0.474-Patch3-201683.SPA.x86_64.tar.gz
ise-upgradebundle-2.0.x-to-2.1.0.474.SPA.x86_64.tar.gz

Note: Admin-PC, as referenced in the above configuration, will require that ISE perform a DNS lookup. Admin-PC will resolve to the 10.10.2.10 address. The
files/folders seen reside on the Admin-PC and not locally on ISE. Patch1 can be seen in the repository.

3. Verify that DNS is resolving correctly within the domain.

3.1. Issue the nslookup command for ISE nodes to determine if DNS is currently configured properly within the domain. In production, this is an important
step or else certificate invalid warnings will appear and integration of multiple ISE nodes will fail.

ise/admin# nslookup ise

Trying "ise.gklabs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4498
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ise.gklabs.com. IN ANY

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 4 of 15

;; ANSWER SECTION:
ise.gklabs.com. 3600 IN A 10.10.2.50

Received 48 bytes from 10.10.1.25#53 in 0 ms

ise/admin# nslookup ise-secondary

Trying "ise-secondary.gklabs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54797
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ise-secondary.gklabs.com. IN ANY

;; ANSWER SECTION:
ise-secondary.gklabs.com. 3600 IN A 10.10.2.60

Received 58 bytes from 10.10.1.25#53 in 0 ms

4. Verify the running configuration.

Note: ADE-OS is not IOS. You will not do the bulk of the configuration on ise from the CLI. You will demonstrate that the running configuration contains
some rudimentary elements such as hostname, interface configuration, etc., leaving the majority of the configuration to be done at the GUI. In addition, it
should be noted that the user accounts for the CLI and the GUI are actually separate accounts. Even though you will log in to the GUI using the same
credentials, the GUI and CLI users are in fact two separate accounts.

4.1. Issue the show running-configuration command.

ise/admin# show running-config

Generating configuration...
!
hostname ise
!
ip domain-name gklabs.com
!
ipv6 enable
!
interface GigabitEthernet 0
ip address 10.10.2.50 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
ip name-server 10.10.1.25
!
ip default-gateway 10.10.2.1
!
!
clock timezone UTC
!
ntp server 10.10.2.1
ntp server 192.0.2.1
ntp server 0.pool.ntp.org
!
username admin password hash $1$plZQ0AcD$eC3yjsc/BC5rDmb8cbx6m1 role admin
username recovery password hash $1$x5paEZ1l$xzLPSCmcumFaXd.wHqER2/ role admin
!
max-ssh-sessions 5
!
service sshd enable
!
repository Admin-PC
url ftp://10.10.2.10/
user anonymous password hash 1671305531afb69c55e4f917b80b0bf9c96ab21c5fbbdfbd1
04b52565f9ac9791de10835741c30a8
!
password-policy
min-password-length 4
!
logging loglevel 6
!
synflood-limit 30
!
conn-limit 10 port 9060
!
cdp timer 60
cdp holdtime 180
cdp run GigabitEthernet 0
!
icmp echo on

Task 2: Initial GUI Login and Familiarization

In this task, you will use the web console of ISE for the first time and familiarize yourself with the general layout of the GUI.

5. Verify the installation of the Cisco ISE by logging into the web console.

5.1. Launch Firefox from the desktop of the Admin-PC.

5.2. On the bookmark bar within Firefox is a bookmark labeled ISE. You can either click that link or you can manually enter https://10.10.2.50 (don′t forget
this is an HTTPS connection).

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 5 of 15

5.3. Click Advanced, Add Exception and confirm security exception (ISE is currently using a self-signed certificate).

5.4. You should now be at the login page for the ISE. Log in using the admin username and password admin$Pwd.

5.5. If a message appears about launching the Visibility Setup Wizard, click Do not show this again.

5.6. Once the main page loads, you will get familiar with the basics. Click the user icon on the top right.

Note: You may need to resize the browser using the Ctrl - option in order to see the icon.

5.7. Select Server Information and you should see a window appear. Click OK when finished viewing.

Note: This is a quick method for determining the personas that are currently provisioned on the appliance and the role of the appliance.

6. Change the Admin account′s e-mail address and password.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 6 of 15

6.1. Click the gear link on the top right of the screen and select account settings.

6.2. A window will appear indicating user specific information. In the e-mail field, enter admin@gklabs.com.

6.3. Click Save.

7. Next, investigate the Licensing.

7.1. Navigate to Administration > Licensing.

7.2. These licenses were installed in preparation for this class. Notice that the licenses are fully functional (non-eval) permanent Base license, permanent
Device Admin license, and term-based Plus and Apex license.

How many end points do the licenses support? ________________

7.3. Although you cannot see it now, once licenses begin being consumed, you can come back to this page and review the usage and over-usage.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 7 of 15

Note: In the GKLABS environment Traditional Licensing is used. The alternative is Cisco Smart Licensing.

7.4. Normally, you would click the Import License button to add a license into the database on the PAN, but since our labs come pre-loaded, there is no
need to
do so.

8. Work with Dashboards off the Home page.

8.1. Next, click the Home button.

8.2. Navigate the various sub-menu options available under the Home tab. In later labs, you will be configuring other aspects of ISE and these dashboards
will be populated and updated accordingly. Since there are no devices or users yet defined, many dashboards are empty.

8.3. Navigate to Context Visibility > Endpoints. Again, explore the various sub-menus available here. Do the same with the Network Devices available
under Context Visibility.

Note: Context Visibility provides the administrator with a more holistic view of the network. It allows for quick sorting and filtering of context information.
Administrators can view dashlets to get detailed informational data.

8.4. These dashboards and dashlets can be customized to meet your needs. By clicking on the gear icon on the right, you will find some of the options
available to you as well as customizable options. These options will change depending on which main menu heading you are viewing, Home or
Context Visibility. Take a moment to view these options.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 8 of 15

8.5. Back under the Home tab, you can add additional dashboards in two ways. You can click the + symbol to the right of the submenus, or click the gear
icon on the far right of the page. The + symbol will only allow you to create a new dashboard and define its attributes. The gear icon gives you more
option beyond this, such as adding additional dashlets to the present view. You can also change the layout of the display and manage dashboards as
well.

8.6. Add a new test dashboard by using either method mentioned above. Name it My_Dashboard and click Save when done.

8.7. Select two or three dashlets of your choice to be included with that dashboard.

8.8. Then click Save. You can then view this new dashboard once complete and it will appear as a sub-menu option.

8.9. Click the gear icon on the right and notice that you can rename this dashboard and add additional dashlets. If you click Add Dashlets, you will see that
you can configure the dashboard to display what is important to you in your environment.

8.10. Go ahead and delete this Dashboard by clicking the x next to the My_Dashboard name and click OK on the pop-up warning window to delete the
dashboard.

9. Next, take note of the other menu options available just to familiarize yourself with GUI navigation. You will be accessing most of the configuration options
available in much more detail throughout the entire course.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 9 of 15

• The Operations tab will allow you to view live logs and live sessions for things such as RADIUS and TACACS+ sessions.

• The Policy tab is where you will perform authentication and authorization configurations, as well as profiling, provisioning, and posture. Take the time to
view the default polices that come with ISE for authentication, authorization, profiling, and provisioning. You will be modifying some of these and adding
new policy configurations in later labs.

• The Administration tab is where you will perform system functions, identity management, add network resources, device portals, and other services
available on Cisco ISE.

• The Work Centers tab is a new menu option available with ISE version 2.1. This provides guided workflow process for configuring various ISE services.
Work Centers also provide direct links to specific configuration pages. Take some time to click on the various sub menu options, and pay particular notice
to the overview pages. These help guide you through the ISE workflow process. For example, choose the Overview option under the headings for BYOD,
or Guest Access, or Network Access.

Task 3: Verify that Profiling is Disabled

In this task, you will verify that Cisco ISE is set to the primary role. You will also verify that profiling is disabled. You will enable profiling in a later lab.

10. Verify that the role of the server is Primary and that Profiling is disabled.

10.1. Navigate to Administration > System> Deployment.

10.2. Click the ise hostname hyperlink.

10.3. The current role should be Primary and the Profiling Service should be disabled.

Note: The defaults on install are Standalone with Profiler enabled. The above modifications were made in order to avoid the 10-15 minute restart of
services required when making such changes.

11. Disable Anonymous Client Suppression.

11.1. In the ISE GUI, navigate to Administration > System > Settings > Protocols > RADIUS.

11.2. Disable (uncheck) the option to Suppress Anomalous Clients and click OK to the warning.

Note: Although suppressing anomalous clients is a best practice default setting, it can be useful to shut it off when troubleshooting. During lab, you will be
changing endpoint configurations and producing anomalous sessions. Disabling suppression will work better for our lab environment.

11.3. Click Save.

Task 4: Configure Certificates and Usage

By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for EAP, Admin, Portal, and pxGrid services. In a typical enterprise
environment, this certificate is replaced with server certificates that are signed by a trusted CA.

You need to establish system certificates on each deployment node for TLS-enabled authentication protocols such as EAP-TLS, for authenticating the Admin
portal, for browser and REST clients to access the Cisco ISE web portals, and for the pxGrid service.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 10 of 15

In this task, you will enroll Cisco ISE with the CA in your pod. You will download and install a certificate, as well as generate a Certificate Signing Request
(CSR). Finally, you will bind the CA-signed certificate to the CSR, and then verify its validity.

12. Download CA Certificate.

12.1. Using the Firefox web browser on the Admin-PC, open a new tab and click the GK Certs bookmark or navigate to http://10.10.1.25/certsrv.

12.2. If prompted, use the credentials admin/admin$Pwd.

12.3. Click the link Download a CA certificate, certificate chain, or CRL.

12.4. Click the Download CA certificate link.

12.5. Click OK to save the file.

Note: If using Firefox in production, you may have to click the Install this CA certificate link near the top of the page in order to install the CA certificate in
the browser. This must be performed because Firefox uses a separate certificate store from the operating system. Select Trust this CA to verify certificates
for websites, and click OK. In our lab environment, the CA certificate is already installed in Firefox.

12.6. Firefox will save the file (certnew.cer) in the Downloads folder by default.

13. Install CA Certificate.

13.1. In the Cisco ISE Admin portal tab, navigate to Administration > System > Certificates.

13.2. Select Trusted Certificates under Certificate Management.

13.3. Click the Import button in the right-hand pane.

13.4. Click the Browse… button and navigate to your Downloads folder.

Note: If you used Firefox, Firefox will save the file in the Downloads folder by default. Internet Explorer will give you the option to save the file in a
designated location.

13.5. Select the file certnew.cer and then click the Open button.

13.6. In the Friendly Name field, enter GKLABS CA Certificate.

13.7. Under the Trusted For section, select the following options as indicated in the screenshot.

13.8. In the Description field, enter CA Certificate from GKLABS.

13.9. Click Submit at the bottom. You should see the cert show up in Trusted Certificates.

14. Generate Certificate Signing Request.

Now that you have loaded the CA certificate, you need to enroll ISE to obtain its own identity certificate. You need to create a certificate signing request and
enroll it with the CA server.

14.1. In the left-hand pane, select Certificate Signing Requests.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 11 of 15

14.2. Click the button at the top of the right pane, Generate Certificate Signing Requests (CSR).

14.3. Configure the CSR as follows.

Option Description

Usage Admin

Allow Wildcard Certificates check

Subject CN = $FQDN$ (Leaving $FQDN$ uses the FQDN of the selected host in CN.)

OU = Training

O = GKLABS

L = Cary

ST = NC

C = US

SAN DNS Name = *.gklabs.com

DNS Name = ise.gklabs.com

DNS Name = 10.10.2.50

IP Address = 10.10.2.50

Key Length 2048

Digest SHA-256

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 12 of 15

Note: Adding the IP address as both a DNS Name and IP Address resolves a compatibility issue with Microsoft Windows Clients.

14.4. Click Generate; you will receive a confirmation pop-up window notifying you that you have successfully generated your CSR.

14.5. Click the Export button, and select Save File to place it in downloads as iseAdmin.pem.

15. Process the CSR with the CA.

15.1. In the left pane, click Certificate Signing Requests again.

15.2. In the right pane, select the check box to the left of the previously processed CSR.

15.3. Click the View button and select the CSR Contents tab to observe the text of the certificate request. Your contents will not match the example shown.

15.4. Highlight (Ctrl+A) and copy the entire contents to the clipboard (right-click Copy or Ctrl+C, will both work).

15.5. Click Close.

15.6. Return to the tab for the Microsoft Active Directory Certificate Services page.

15.7. Click the Home link in the upper right-hand corner.

15.8. Click the Request a certificate link.

15.9. Click the advanced certificate request link.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 13 of 15

15.10. Right-click and paste the contents into the Saved Requests field.

15.11. From the Certificate Template drop-down, select GK Labs.

15.12. Click the Submit button.

15.13. Select Base 64 encoded.

15.14. Click Download certificate.

15.15. Click OK to save the file. It should be in the downloads folder as certnew(1).cer.

16. Install (Bind) CA signed certificate.

16.1. Return to the ISE browser tab.

16.2. In the Certificate Management > Certificate Signing Requests page, select the check box to the left of the previously processed CSR.

16.3. In the small toolbar above, click the Bind Certificate button.

16.4. Click Browse and navigate to the folder where the file was saved again, if necessary. (Firefox=Downloads, IE=your chosen saved location.)

16.5. Select the file certnew(1).cer.

16.6. Click Open.

16.7. In the Friendly Name filed enter ise Admin Wildcard Cert.

16.8. In the Usage section, select the Admin check box.

16.9. Click Submit.

16.10. The system will log you out and restart services.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 14 of 15

Note: This may take 10 - 15 minutes. You may check the status of the service restart via the CLI using the command show application status ise. Once the
Application Server Service is running, you will be able to log back in.

17. Verify the certificate.

17.1. After logging back into the ISE GUI, in your browser URL bar, click the lock icon to the left of https://. Observe the following field that indicates a
trusted CA signed certificate.

17.2. Click More Information.

17.3. On the Security tab, click View Certificate and observe that Issued By is the root-CA for your pod.

17.4. Click the Details tab and scroll down to Certificate > Extensions > Certificate Subject Alt Name and observe your wildcard configuration.

17.5. Close all pop-up windows.

18. Modify Certificate Usage.

You will be adding other usages to the certificate you just installed. As of ISE 1.3, multiple certificates can be used for different purposes. The system creates
a self-signed certificate and assigns all functions to that certificate. You will bring those roles over to the CA signed certificate you installed in the previous
section.

18.1. Navigate to Administration > System> Certificates.

18.2. In the left pane, select System Certificates.

18.3. Select the ise Admin Wildcard Cert from the list.

18.4. Click Edit in the toolbar.

18.5. In the Usage area, select EAP Authentication and Portal. Accept the pop-up message regarding EAP Authentication.

18.6. Under Portal, add a new Portal group tag by entering GKLABS GT.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017
 Page 15 of 15

18.7. Click Save and verify your results look as follows.

19. View the list of portals that use a certificate′s portal group tag.

19.1. Mouse over the information icon associated with the Self-signed Certificate with the Portal group tag of Default Portal Group. It should appear as
follows:

Note: You should see a listing of Portals and Nodes associated with the Portal group tag. You will use the newly created wildcard certificates to support
portals using the GKLABS GT Portal group tag in upcoming labs.

Lab Complete

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L01.htm 19/09/2017