
Cisco Security TrustSec SXP SGT

dot1x and mab


EVE-NG Lab guide

_____________________________________________
Author Uldis Dzerkals
EVE-NG Pro, 2020
Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Content
Content 2
I. Lab nodes, image versions 3
II. ASAv Configuration 4
III. Install NTP and Active Directory Server 7
IV. Configure DNS Server 11
V. Configure AD Corporate users 12
VI. Create AD User Groups 13
VII. Join Win10-PC1 to the AD domain 13
VIII. ISE pre-stage 15
IX. ISE SXP Service 16
X. Active Directory joining to the ISE 16
XI. SW1 and SW2 AAA configuration 19
XII. ASAv10 AAA configuration 20
XIII. Lab devices joining to the ISE 20
XIV. Create authorization Profiles and DACLs 24
XV. Create Source Identity sequence 27
XVI. Create ISE Security groups 28
XVII. Create Policy Set 29
XVIII. Lab Switch Ports configuration DOT1x and MAB 37
XIX. Corporate-PC Dot1x Authentication 38
XX. Contractor Devices Authentication 44
XXI. ISE TrustSec Configuration 48
XXII. ASAv CTS Configuration 52
XXIII. LAN Switches CTS Configuration 53
XXIV. TrustSec SXP SGT verification 56
XXV. ASAv SGT based Access rules 58
XXVI. Final verification 59

2 Created by Uldis Dzerkals, EVE-NG Ltd, 2021



Lab concept: practical Cisco Security TrustSec SXP SGT ISE 3.0 configuration according to the given
objectives.
Lab General Tasks:

1. Configure a universal Corporate PC (Windows 10 workstation) with dot1x AD user
authorization. If the Employees user (Jenny) logs into this PC, she must be assigned to VLAN 20
(DACL) and obtain an IP address from the ASAv10 DHCP pool Employees. If the Engineer (John) logs
into the same PC, he must be assigned to VLAN 30 (DACL) and obtain an IP address from the ASAv10
DHCP pool Engineers.
2. Configure Contractor devices with mab host authorization. Contractor devices must be assigned
to VLAN 40 (DACL) and obtain an IP address from the DHCP pool Contractors.

TrustSec SXP SGT Policies based Tasks

3. Corporate user Employees (Jenny) must have access to the Corporate WEB Server
http://webserver.eve.lab and the Internet only.
4. Corporate user Engineers (John) must have access to all resources in the lab. The Engineers
network must have access to the Contractors network.
5. Contractor users must have access to the FTP Server ftp://data.eve.lab, DNS services and the
Internet.
6. Contractor users must not have access to the DMZ network or to Corporate VLANs 20 and 30.

I. Lab nodes, image versions

• Cisco ISE 3.0
• Switch: i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20190423.bin
• ISP Router: IOL i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin
• DNS/CA/NTP: Windows 2019 x64 Server
• Windows 10 x86, Domain PC


• Management Host: Docker server-gui (Pro Lab)

II. ASAv Configuration


1. Objective: Configure ASAv hostname, exec (enable) password and username:
ciscoasa> en
The enable password is not set. Please set it now.
Enter Password: eve1
Repeat Password: eve1
Note: Save your configuration so that the password persists across
reboots
("write memory" or "copy running-config startup-config").
ciscoasa# conf t
ciscoasa(config)# username admin password admin privilege 15
ciscoasa(config)# hostname ASAv10
ASAv10(config)#

2. Objective: Configure ASAv interfaces with the following:

interface GigabitEthernet0/0
no shut
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
no shut
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.20
vlan 20
nameif employees
security-level 100
ip address 10.1.2.254 255.255.255.0
!
interface GigabitEthernet0/1.30
vlan 30
nameif engineers
security-level 100
ip address 10.1.3.254 255.255.255.0
!
interface GigabitEthernet0/1.40
vlan 40
nameif contractors
security-level 100
ip address 10.1.4.254 255.255.255.0
!
interface GigabitEthernet0/2
no shut
nameif dmz
security-level 80
ip address 10.1.1.254 255.255.255.0

3. Objective: Configure ASAv ASDM (optional, if you prefer ASA configuration via ASDM):

Note: If you intend to activate the ASAv Smart License, this step is mandatory in order to register the
Cisco Smart License token. The lab itself can be used with the Evaluation license, which has all features
enabled but is limited to 100 kbps throughput.

Configure on the ASAv:

aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.1.1.0 255.255.255.0 dmz

Then use the Mgmt host node, open the Firefox browser and go to:

https://10.1.1.254/admin/public/asdm.jnlp

4. Objective: Configure ASAv to permit same-security inter-interface and intra-interface traffic:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

5. Objective: Configure ASAv ICMP and HTTP inspection:

policy-map global_policy
class inspection_default
inspect http
inspect icmp

6. Objective: Configure ASAv DNS (optional, for Smart Licensing):

Note: If you intend to activate the ASAv Smart License, this step is mandatory in order to register the
Cisco Smart License token. The lab itself can be used with the Evaluation license, which has all features
enabled but is limited to 100 kbps throughput.

dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8 outside
name-server 8.8.4.4 outside

How to register your ASAv using a token:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/intro-license-smart.html

7. Objective: Configure ASAv Objects and Object groups:

object network dmz_network
subnet 10.1.1.0 255.255.255.0

object network employees_network
subnet 10.1.2.0 255.255.255.0

object network engineers_network
subnet 10.1.3.0 255.255.255.0

object network contractors_network
subnet 10.1.4.0 255.255.255.0

object network FTP_DATA
host 10.1.4.100

object network DNS_server
host 10.1.1.201

object network ISE
host 10.1.1.200

object network WEB_server
host 10.1.1.100

object-group network Employee_Access
network-object object DNS_server
network-object object WEB_server

object-group protocol TCPUDP
protocol-object udp
protocol-object tcp

8. Objective: Configure ASAv basic access-lists:

access-list dmz_access_in extended permit ip object dmz_network any
access-group dmz_access_in in interface dmz

access-list employees_access_in extended permit ip object employees_network any
access-group employees_access_in in interface employees

9. Objective: Configure ASAv NAT:

nat (dmz,outside) source dynamic dmz_network interface
nat (employees,outside) source dynamic employees_network interface
nat (engineers,outside) source dynamic engineers_network interface
nat (contractors,outside) source dynamic contractors_network interface

10. Objective: Configure ASAv DHCP pools for DMZ, Engineers, Employees and Contractors:

dhcpd address 10.1.2.10-10.1.2.20 employees
dhcpd dns 10.1.1.201 interface employees
dhcpd enable employees
!
dhcpd address 10.1.3.10-10.1.3.20 engineers
dhcpd dns 10.1.1.201 interface engineers
dhcpd enable engineers
!
dhcpd address 10.1.4.10-10.1.4.20 contractors
dhcpd dns 10.1.1.201 interface contractors
dhcpd enable contractors
!
dhcpd address 10.1.1.20-10.1.1.25 dmz
dhcpd dns 10.1.1.201 interface dmz
dhcpd domain eve.lab interface dmz
dhcpd enable dmz

11. Objective: Save ASAv10 configuration:

ASAv10(config)# copy running-config startup-config
Source filename [running-config]?
Cryptochecksum: 845d758d 12e1c255 faf43b0f 68ed092f
9611 bytes copied in 0.100 secs
ASAv10(config)#

III. Install NTP and Active Directory Server

Objective: Configure the Windows 2019 network interface with the following:

1. Set a static IP address for the Windows 2019 interface Ethernet:
✓ IP Address: 10.1.1.201
✓ Mask: 255.255.255.0
✓ Gateway: 10.1.1.254
✓ DNS Server: 8.8.8.8, 8.8.4.4

Objective: Configure Windows 2019 Time Zone and Time:

✓ Configure the appropriate Time zone and Time on the Windows Server.

Objective: Configure Windows 2019 as NTP server with the following:

1. Create a firewall NTP inbound rule
✓ Control Panel/Windows Defender Firewall/Advanced settings
✓ Inbound Rules/New rule
✓ Rule type: Port > Next
✓ Protocol and Ports: UDP 123 > Next
✓ Action: Allow the Connection > Next
✓ Profile: check all (domain, private, public) > Next
✓ Name: NTP_inbound

2. Configure an external NTP server (the Internet must be reachable from your server)
✓ Open Windows CMD (administrator rights!!!)
✓ Enter the external real NTP server:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL /reliable:yes

3. Edit the Registry
✓ Select Start > Run, type regedit, and then select OK
✓ Navigate to the following path in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

✓ Right-click AnnounceFlags, and then select Modify
✓ Change the Value data to 5 and click OK.
✓ Navigate to the following path in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

✓ Right-click Type, and then select Modify
✓ Change the Value data to NTP and click OK.
✓ Enable the NTP server. Open the location

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

✓ Right-click Enabled, and then select Modify
✓ In Edit DWORD Value, type 1 in the Value data box, and then


4. Restart the NTP service
✓ Open Windows CMD (administrator rights!!!)
✓ Enter:
net stop w32time && net start w32time

5. Verify NTP
✓ Open Windows CMD (administrator rights!!!)
✓ Enter the following; the first command displays the last sync status or any error, the second
displays the external NTP peers:
w32tm /query /status /verbose
w32tm /query /peers
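The same five NTP steps, applied from one elevated PowerShell session instead of the firewall GUI, regedit and cmd. This is an added example and not part of the original guide; it uses the guide's own rule name, peer and registry values and assumes the Windows Server 2019 host from this section.

```powershell
# Added example, not from the lab guide: NTP server steps 1-5 of section III
# applied with PowerShell instead of the Firewall GUI, regedit and cmd.
# Run from an elevated PowerShell on the Windows 2019 server (10.1.1.201).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# Step 1: inbound firewall rule for NTP, UDP 123, on all three profiles.
if (-not (Get-NetFirewallRule -DisplayName 'NTP_inbound' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'NTP_inbound' -Direction Inbound -Protocol UDP `
        -LocalPort 123 -Action Allow -Profile Domain,Private,Public | Out-Null
}

# Step 2: external peer; the Internet must be reachable from this server.
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL /reliable:yes | Out-Null

# Step 3: the three registry values the guide edits in regedit.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
Set-ItemProperty -Path "$w32\Config"                  -Name AnnounceFlags -Value 5     -Type DWord
Set-ItemProperty -Path "$w32\Parameters"              -Name Type          -Value 'NTP' -Type String
Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled       -Value 1     -Type DWord

# Step 4: restart the Windows Time service and request an immediate sync.
Restart-Service -Name w32time -Force
w32tm /resync /nowait | Out-Null

# Step 5: verify, then read the three values back (expected 5 / NTP / 1).
w32tm /query /status /verbose
w32tm /query /peers
[pscustomobject]@{
    AnnounceFlags    = (Get-ItemProperty "$w32\Config").AnnounceFlags
    Type             = (Get-ItemProperty "$w32\Parameters").Type
    NtpServerEnabled = (Get-ItemProperty "$w32\TimeProviders\NtpServer").Enabled
}
```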


Objective: Configure the Windows 2019 server name with the following:

✓ Open Server Manager
✓ Click Local Server
✓ Click Computer Name
✓ Click Change
✓ Enter Name: ad
✓ Click OK
✓ Click Close and restart the server

Objective: Configure Windows 2019 server Active Directory:

1. Install the Active Directory Domain Services role
✓ Open Server Manager
✓ Click Add roles and features
✓ Click Next 3 times
✓ Select Active Directory Domain Services, and click Add features
✓ Click Next 3 times, and Install
✓ After the installation is completed, click Close
2. Navigate to Server Manager, Notifications (yellow triangle)
✓ Click Promote this server to a domain controller
✓ Select “Add a new forest”
✓ Enter the domain name “eve.lab”
✓ Click Next
✓ Type the DSRM password 2 times (example: Test123)
✓ Click Next 5 times
✓ Click Install
✓ After the server is rebooted, and if required, change the administrator password (example:
ADserver123)

IV. Configure DNS Server

Objective: Configure Windows 2019 as DNS server with the following:

1. Navigate to Server Manager, Tools/DNS
✓ Expand the AD server node
2. Create 4 new Reverse Lookup Zones
✓ Right click Reverse Lookup Zones/New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running on domain controllers in this domain: eve.lab, click Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.1, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
✓ New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running on domain controllers in this domain: eve.lab, click Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.2, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
✓ New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running on domain controllers in this domain: eve.lab, click Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.3, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
✓ New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running on domain controllers in this domain: eve.lab, click Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.4, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
3. Create a new A record for ISE
✓ Navigate to the forward lookup zone eve.lab
✓ Create New Host (A or AAAA)
✓ Name: ise
✓ IP Address: 10.1.1.200
✓ Enable the checkbox Create associated pointer (PTR) record
✓ Add Host
4. Create a new A record for the WEB server
✓ Navigate to the forward lookup zone eve.lab
✓ Create New Host (A or AAAA)
✓ Name: webserver
✓ IP Address: 10.1.1.100
✓ Enable the checkbox Create associated pointer (PTR) record
✓ Add Host
5. Create a new A record for the Data server (FTP)
✓ Navigate to the forward lookup zone eve.lab
✓ Create New Host (A or AAAA)
✓ Name: data
✓ IP Address: 10.1.4.100
✓ Enable the checkbox Create associated pointer (PTR) record
✓ Add Host
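The same four reverse zones and three A/PTR records created with the DnsServer PowerShell module, as an added example that is not part of the original guide. It assumes the DNS role is installed on the AD server (10.1.1.201) and that the eve.lab forward zone already exists from the domain promotion in section III.

```powershell
# Added example, not from the lab guide: section IV (4 reverse zones, 3 A records
# with PTR) via the DnsServer module. Run in an elevated PowerShell on the
# AD/DNS server (10.1.1.201) once the eve.lab forward zone exists.
Import-Module DnsServer

$Zone   = 'eve.lab'
$Server = 'localhost'

# Reverse lookup zones, one per lab subnet, AD-integrated, replicated to all
# DCs in the domain and accepting non-secure and secure dynamic updates
# (the same choices as in the New Zone wizard above).
$ReverseNets = '10.1.1.0/24', '10.1.2.0/24', '10.1.3.0/24', '10.1.4.0/24'
foreach ($net in $ReverseNets) {
    # 10.1.2.0/24 -> zone name 2.1.10.in-addr.arpa
    $o = ($net -split '/')[0] -split '\.'
    $revZone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
    if (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue) {
        "zone $revZone already exists"
        continue
    }
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain `
        -DynamicUpdate NonsecureAndSecure
    "created reverse zone $revZone"
}

# Forward A records with the associated PTR record (the "Create associated
# pointer (PTR) record" checkbox). Names and addresses are the lab's own.
$Hosts = @{ ise = '10.1.1.200'; webserver = '10.1.1.100'; data = '10.1.4.100' }
foreach ($name in $Hosts.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A `
        -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name `
            -IPv4Address $Hosts[$name] -CreatePtr
    }
}

# Verification: forward and reverse resolution must agree for every host;
# ISE in particular needs a working PTR for its own address.
foreach ($name in $Hosts.Keys) {
    $fwd = (Resolve-DnsName -Name "$name.$Zone" -Type A -Server $Server).IPAddress
    $rev = (Resolve-DnsName -Name $Hosts[$name] -Type PTR -Server $Server).NameHost
    "{0,-10} A -> {1,-12} PTR -> {2}" -f $name, $fwd, $rev
}
```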

V. Configure AD Corporate users

Objective: Configure Active Directory Corporate Users:

1. Navigate to Server Manager, Tools/Active Directory Users and Computers
✓ Right click on the Users directory/New/User
✓ First Name: Jenny
✓ Last name: Doe
✓ Username: jennydoe
✓ Click Next
✓ Password (2 times): Silver2021
✓ Uncheck User must change password at next logon
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish
2. Navigate to Server Manager, Tools/Active Directory Users and Computers
✓ Right click on the Users directory/New/User
✓ First Name: John
✓ Last name: Doe
✓ Username: johndoe
✓ Click Next
✓ Password (2 times): Gold2021
✓ Uncheck User must change password at next logon
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish

VI. Create AD User Groups

Objective: Add user groups to the Active Directory:

Note: Your Windows hosts must be configured to obtain an IP via DHCP. The lab switch and ISP router are
configured with the proper VLANs and DHCP pools.

1. Navigate to Server Manager, Tools/Active Directory Users and Computers
✓ Right click on the Users directory/New/Group
✓ Name: Employees
✓ Click OK
✓ Right click on the Users directory/New/Group
✓ Name: Engineers
✓ Click OK

Objective: Add users into the created AD groups

1. Right click on user John Doe and select: Add to a group
✓ Enter the object names to select: Engineers
✓ Click Check Names
✓ Click OK
2. Right click on user Jenny Doe and select: Add to a group
✓ Enter the object names to select: Employees
✓ Click Check Names
✓ Click OK
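Sections V and VI done with the ActiveDirectory module instead of the ADUC console: the two users with the account options the guide ticks, the two groups, and the memberships the ISE authorization rules later key on. This is an added example, not the guide's own content; it assumes the default Users container of eve.lab and runs as a domain administrator on the AD server.

```powershell
# Added example, not from the lab guide: sections V and VI (users, groups,
# memberships) with the ActiveDirectory module. Run as a domain administrator
# on the AD server. Passwords are the lab-only values from the guide.
Import-Module ActiveDirectory

$UsersOU = 'CN=Users,DC=eve,DC=lab'

# Users exactly as the guide defines them: name, logon name, password,
# "User cannot change password", "Password never expires", and the group
# each one belongs to.
$Users = @(
    @{ First = 'Jenny'; Last = 'Doe'; Sam = 'jennydoe'; Password = 'Silver2021'; Group = 'Employees' },
    @{ First = 'John';  Last = 'Doe'; Sam = 'johndoe';  Password = 'Gold2021';   Group = 'Engineers' }
)

# Section VI step 1: the two global security groups (idempotent).
foreach ($g in 'Employees', 'Engineers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $UsersOU
    }
}

# Section V: the two users with the same checkbox settings as in the guide.
foreach ($u in $Users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
            -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@eve.lab" `
            -AccountPassword (ConvertTo-SecureString $u.Password -AsPlainText -Force) `
            -ChangePasswordAtLogon $false -CannotChangePassword $true `
            -PasswordNeverExpires $true -Enabled $true -Path $UsersOU
    }
    # Section VI, "Add to a group": only add if not already a member.
    $members = (Get-ADGroupMember -Identity $u.Group).SamAccountName
    if ($members -notcontains $u.Sam) {
        Add-ADGroupMember -Identity $u.Group -Members $u.Sam
    }
}

# Verify: each user must be a member of the group its ISE rule matches on
# (eve.lab/Users/Engineers and eve.lab/Users/Employees in section XVII).
foreach ($u in $Users) {
    $groups = (Get-ADPrincipalGroupMembership -Identity $u.Sam).Name
    "{0,-10} member of: {1}" -f $u.Sam, ($groups -join ', ')
}
```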

VII. Join Win10-PC1 to the AD domain

Objective: Join the corporate PC and its users to the Active Directory:

Note: Your Windows hosts must be configured to obtain an IP via DHCP. The lab ASAv10 has the DHCP
pools configured in the previous task.

1. Windows 10 host
✓ Navigate: Start/Settings/About
✓ Navigate: Advanced System Settings, Click
✓ Click Tab: Computer Name
✓ Click: Change
✓ Type Computer Name: Corporate-PC
✓ Select radio button: Domain
✓ Type domain: eve.lab
✓ Click OK
✓ Type your AD server administrator username and password (example:
administrator/Test123)
✓ Click OK
✓ Click Close and restart the PC

IMPORTANT: create the user accounts on the Win10 Corporate PC before moving on to the next lab
steps.

2. Create the John Doe engineer account
✓ Select Other user and log in with AD credentials: johndoe/Gold2021
3. Create the Jenny Doe employee account
✓ Select Other user and log in with AD credentials: jennydoe/Silver2021
4. Create the domain Administrator account
✓ Select Other user and log in with AD credentials: login: eve\administrator password:
Test123

Verification: The Windows 10 host Corporate-PC must be joined to the domain eve.lab and have full
network/Internet access. This host will be used to test the two different corporate user accesses,
Engineers and Employees.
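Step 1 of this section (rename to Corporate-PC and join eve.lab) from an elevated PowerShell on the Windows 10 host, preceded by the two checks that usually explain a failed join. Added example, not part of the guide; it assumes the Windows 10 host already holds a lease from the ASAv10 DHCP pool and resolves DNS through 10.1.1.201.

```powershell
# Added example, not from the lab guide: section VII step 1 from PowerShell on
# the Windows 10 host (run elevated). The account-creation steps 2-4 remain
# interactive logons and are not scripted here.
$Domain  = 'eve.lab'
$NewName = 'Corporate-PC'

# Pre-check 1: the host must have a DHCP-assigned IPv4 address (ASAv10 pool,
# section II). A static or APIPA address means the VLAN/DHCP path is wrong.
$ip = Get-NetIPAddress -AddressFamily IPv4 |
      Where-Object { $_.PrefixOrigin -eq 'Dhcp' } | Select-Object -First 1
if (-not $ip) { throw 'No DHCP-assigned IPv4 address; check the ASAv10 DHCP pool and VLAN.' }
"DHCP address: $($ip.IPAddress)/$($ip.PrefixLength)"

# Pre-check 2: the domain controller must be discoverable via the lab DNS
# (10.1.1.201). A join fails with "domain could not be contacted" when this
# SRV lookup fails, which usually means the client is using another resolver.
$dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
"Domain controller SRV: $($dc.NameTarget -join ', ')"

# Join: prompts for the AD administrator password (eve\administrator in the
# guide), renames the computer in the same operation and reboots.
$cred = Get-Credential -UserName 'eve\administrator' -Message 'AD administrator password'
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Force -Restart

# After the reboot, verify on the same host that the join holds:
#   Test-ComputerSecureChannel -Verbose            -> True
#   (Get-CimInstance Win32_ComputerSystem).Domain   -> eve.lab
```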


VIII. ISE pre-stage

Objective: Pre-stage ISE

1. Set up ISE settings
✓ Type: setup
✓ Hostname: ise
✓ IP address: 10.1.1.200
✓ Netmask: 255.255.255.0
✓ Default gateway: 10.1.1.254
✓ Default domain: eve.lab
✓ Primary name server: 10.1.1.201
✓ NTP Server: 10.1.1.201
✓ User: admin
✓ Password: Test123
✓ Wait until ISE installs and comes up; services must be in the running state


IX. ISE SXP Service

Objective: Activate the ISE SXP Service

1. Open the Mgmt host and navigate to Applications/Internet/Chromium Web Browser
✓ Log into the ISE by browsing to https://ise.eve.lab using username: admin and
password: Test123
✓ Navigate to ISE Management
✓ Click Tab Administration/System/Deployment
✓ Select “ise”/Edit
✓ Navigate to “Enable SXP Service”
✓ Select to enable
✓ Press Save

X. Active Directory joining to the ISE

Objective: Join Active Directory as an External Identity Source to the ISE

1. Open the Mgmt host and navigate to Applications/Internet/Chromium Web Browser
✓ Log into the ISE by browsing to https://ise.eve.lab using username: admin and
password: Test123
✓ Navigate to ISE Management
✓ Click Tab Administration/Identity Management/External Identity Sources
✓ Click Active Directory and “+ Add”
✓ Join point name: ad.eve.lab
✓ Active Directory domain name: eve.lab
✓ Click Submit and Yes for Join
✓ Fill in the credentials, AD User name: administrator, Password: Test123 (AD Server
administrator password)
✓ Click OK, Status must be completed (green)
✓ Click Tab Groups/Select Groups From Directory
✓ Click Retrieve Groups
✓ Select Domain Computers, Engineers and Employees, Click OK
✓ To complete the configuration, at the bottom of the screen click Save

XI. SW1 and SW2 AAA configuration

Objective: Configure lab switch AAA and ISE RADIUS

✓ Open the SW1 and SW2 switch consoles and configure the following:

aaa new-model
dot1x system-auth-control

radius server ISE
address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
key eve1

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server timeout 2

aaa group server radius ISE-GROUP
server name ISE
ip radius source-interface Vlan10

aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE-GROUP

aaa server radius dynamic-author
client 10.1.1.200 server-key eve1

snmp-server community eve1 RO
snmp-server enable traps snmp linkdown linkup

XII. ASAv10 AAA configuration

Objective: Configure lab ASAv10 AAA and ISE RADIUS

✓ Open the ASAv10 console and configure the following:

aaa-server ISE-GROUP protocol radius
aaa-server ISE-GROUP (dmz) host 10.1.1.200
key eve1
authentication-port 1812
accounting-port 1813
radius-common-pw eve1

XIII. Lab devices joining to the ISE

1. Objective: Create Device Type Group
✓ Navigate to ISE Management
✓ Click Tab Administration/Network Resources/Network Devices
✓ Click the tab “Network Device Groups”
✓ Click “+ Add”
✓ Name: LAN Switches
✓ Parent Group: All Device Types
✓ Click Save

2. Objective: Create Location Group
✓ Click “+ Add”
✓ Name: My LAN
✓ Parent Group: All Locations
✓ Click Save

3. Objective: Join SW1 switch to the ISE RADIUS
✓ Click the tab “Network Devices”
✓ Click “+ Add”
✓ Name: SW1
✓ Description: LAB SW1
✓ IP Address: 10.1.1.252
✓ Model Name: IOL
✓ Version: 15.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select Radius checkbox
✓ Shared Secret: eve1
✓ Enable SNMP Settings
✓ SNMP Version: 2c
✓ SNMP RO Community: eve1
✓ Click Submit

4. Objective: Join SW2 switch to the ISE RADIUS
✓ Click the tab “Network Devices”
✓ Click “+ Add”
✓ Name: SW2
✓ Description: LAB SW2
✓ IP Address: 10.1.1.253
✓ Model Name: IOL
✓ Version: 15.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select Radius checkbox
✓ Shared Secret: eve1

5. Objective: Join ASAv10 to the ISE RADIUS
✓ Click the tab “Network Devices”
✓ Click “+ Add”
✓ Name: ASAv10
✓ Description: LAB ASAv10
✓ IP Address: 10.1.1.254
✓ Model Name: ASAv
✓ Version: 9.14.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select Radius checkbox
✓ Shared Secret: eve1

XIV. Create authorization Profiles and DACLs

Objective: Create three (3) DACLs

✓ Navigate to ISE Management
✓ Click Tab Policy/Policy Elements/Results
✓ Navigate to Authorization/Downloadable ACLs

✓ Click “+ Add”
✓ Name: EVE_DHCP_ACL
✓ IP Version: IPv4
✓ Add ACL line
permit udp any eq 68 any eq 67
✓ Check DACL Syntax, must be Valid
✓ Click Save.

✓ Click “+ Add”
✓ Name: PERMIT_AD_ONLY
✓ IP Version: IPv4
✓ Add ACL lines
permit udp any eq 68 any eq 67
permit udp any any eq 53
permit ip any host 10.1.1.201
✓ Check DACL Syntax, must be Valid
✓ Click Save.

✓ Click “+ Add”
✓ Name: WIRED_PERMIT_ALL
✓ IP Version: IPv4
✓ Add ACL line
permit ip any any
✓ Check DACL Syntax, must be Valid
✓ Click Save.

Objective: Create four (4) Authorization Profiles

✓ Navigate to Authorization/Authorization Profiles

✓ Click “+ Add”
✓ Name: Contractor-PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: EVE_DHCP_ACL
✓ Select VLAN: ID/Name: 40

✓ Click “+ Add”
✓ Name: Employees-PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: WIRED_PERMIT_ALL
✓ Select VLAN: ID/Name: 20

✓ Click “+ Add”
✓ Name: Engineers-PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: WIRED_PERMIT_ALL
✓ Select VLAN: ID/Name: 30

✓ Click “+ Add”
✓ Name: WIRED_AD_ONLY_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: PERMIT_AD_ONLY
✓ Select VLAN: ID/Name: 10

XV. Create Source Identity sequence

Objective: Create Source identity sequence

✓ Navigate to ISE Management
✓ Click Tab Administration/Identity Management/Groups
✓ Click Tab: Identity Source Sequences
✓ Click “+ Add”
✓ Name: EVE_Sequence
✓ Select Identity sources: ad.eve.lab and Internal Endpoints
✓ Click: Save

XVI. Create ISE Security groups

Objective: Create ISE Security Groups

✓ Navigate to ISE Management/Work Centers/TrustSec/Components
✓ Create new Security Groups
✓ Name: Domain_PC
✓ Name: Engineers

XVII. Create Policy Set

1. Objective: Create mab and dot1x Policy
✓ Navigate to ISE Management
✓ Click Tab Policy/Policy Sets
✓ Click “+ Add”
✓ Name: EVE-POLICY
✓ Click “+” for New conditions
✓ In Conditions Studio “Click to add an attribute”
✓ In Editor “Click Tab Location”
✓ Select Attribute DEVICE:Location
✓ Select Equals from list: All Locations/My LAN
✓ Click New to add another attribute
✓ In Editor “Click Tab Network Device”
✓ Select Attribute DEVICE:Device Type
✓ Select Equals from list: All Device Types/LAN Switches
✓ Click New to add another attribute
✓ In Editor “Click Tab Port”
✓ Under Dictionary select: Radius
✓ Select Radius/NAS-Port-Type
✓ Select Equals: Ethernet
✓ Click Use
✓ Select Default Network Access for Allowed Protocols

2. Objective: Authentication Policy
✓ Click to view the policy “>”
✓ Expand Authentication Policy
✓ For the Default rule select Use: EVE_Sequence

3. Objective: Create Corporate PC Authorization Policy
✓ Navigate to Authorization Policy
✓ Expand Authorization Policy
✓ Click “+” to add a new rule
✓ Name: AD_PC_RULE
✓ Click “+” for a new condition
✓ Select Tab: Identity Group
✓ Select: ad.eve.lab/ExternalGroups
✓ Select Equals: eve.lab/Users/Domain Computers
✓ Click: Use
✓ Select Profiles: WIRED_AD_ONLY_PROFILE
✓ Select Security Group: Domain_PC

4. Objective: Create Corporate Engineer Authorization Policy
✓ Navigate to AD_PC_RULE/Actions/Insert new rule below
✓ Name: Engineers
✓ Click “+” to add new conditions
✓ Select Tab: Identity Group
✓ Attribute: ad.eve.lab/ExternalGroups
✓ Equals: eve.lab/Users/Engineers
✓ Click Use
✓ Click New for another condition in this rule
✓ Select Tab: Unclassified
✓ Select Dictionary: Network Access
✓ Select Attribute: WasMachineAuthenticated
✓ Equals: True
✓ Click Use
✓ Select Profiles: Engineers-PROFILE
✓ Select Security Group: Engineers

5. Objective: Create Corporate Employee Authorization Policy
✓ Navigate to Engineers/Actions/Insert new rule below
✓ Name: Employees
✓ Click “+” to add new conditions
✓ Select Tab: Identity Group
✓ Attribute: ad.eve.lab/ExternalGroups
✓ Equals: eve.lab/Users/Employees
✓ Click Use
✓ Click New for another condition in this rule
✓ Select Tab: Unclassified
✓ Select Dictionary: Network Access
✓ Select Attribute: WasMachineAuthenticated
✓ Equals: True
✓ Click Use
✓ Select Profiles: Employees-PROFILE
✓ Select Security Group: Employees

6. Objective: Contractors MAB Authorization Policy
✓ Navigate to Employees/Actions/Insert new rule below
✓ Name: Contractors-MAB
✓ Click “+” to add new conditions
✓ Select Tab Identity Group
✓ Attribute: Name
✓ Equals: Endpoint Identity Groups: Contractors
✓ Click: New to add another condition
✓ Select Tab: Unclassified
✓ Select Condition: Normalized Radius/RadiusFlowType
✓ Equals: WiredMAB
✓ Click Use
✓ Select Profiles: Contractor-PROFILE
✓ Select Security Groups: Contractor

Objective: Save Authorization Policy

✓ Click SAVE below

XVIII. Lab Switch Ports configuration DOT1x and MAB


1. Objective: Configure lab SW1 switch ports
✓ Open SW1 switch console and configure following
✓ Remove temporary configured VLAN 10, switchport will assign VLAN dynamically
accordingly configure ISE User Groups profiles
interface Ethernet0/1
description Corporate win10 PC
switchport mode access
no switchport access vlan 10
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

interface Ethernet0/2
description Contractor Win10 PC
switchport mode access
authentication open
authentication port-control auto
mab
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

2. Objective: Configure lab SW2 switch ports


✓ Open the SW2 switch console and configure the following:
interface Ethernet1/0
description Contractor FTP Server
switchport mode access
authentication open
authentication port-control auto
mab
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

XIX. Corporate-PC Dot1x Authentication


1. Objective: Configure Windows 10 PC for Dot1x authentication
✓ Open Windows 10
✓ Navigate To Windows Control Panel, Administrative Tools/Services
✓ Make sure the Wired AutoConfig service is enabled and running
✓ If it is not running, log off Windows and log in as Administrator
✓ Login: eve\administrator, Password: Test123
Note: This is the domain administrator user created previously on Windows Server 2019

✓ Navigate to Start/Settings/Network & Internet


✓ Navigate to Advanced Network Settings/Change Adapter Settings
✓ Right click on ethernet adapter and choose Properties.


Note: Windows 10 will ask for Administrator rights; log in to the PC as administrator:
Username: eve\administrator, Password: Test123

✓ Select Tab Authentication


✓ Check Enable IEEE 802.1X authentication

✓ Click Choose a network authentication method Settings


✓ Unselect Verify the Server’s identity by validating the certificate
✓ Click on Select Authentication Method: Configure
✓ Check: When connecting, Automatically use my Windows Logon name and password
and domain if any
✓ Click OK 2 times


✓ Click Additional Settings


✓ Check Specify authentication mode
✓ Choose User or Computer authentication
✓ Click OK 2 times
✓ Reboot Windows 10

2. Objective: Corporate-PC Windows 10 Verification

Note: after the Windows 10 machine reboots, do not log in to it yet; check the results on the switch first:

✓ Issue command show access-lists

You must notice that DACL PERMIT_AD_ONLY is in use. This means your Windows 10 machine has received an IP address and can communicate with the AD server:
SW#sh access-lists
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
1 permit udp any eq bootpc any eq bootps
2 permit udp any any eq domain
3 permit ip any host 10.1.1.201
SW#

✓ Navigate to ISE management/Operations/Live Logs

✓ You must see that Corporate-PC is authenticated but has been assigned only the
WIRED_AD_ONLY_PROFILE

3. Objective: Corporate-PC Engineer user (John)


✓ Log in to the Windows 10 Corporate-PC as user johndoe with password Gold2021
✓ Go to the switch and issue show access-lists again. Now you will see that the ACL has
changed to permit all and VLAN 30 is forced on the port:
SW1#show authentication sessions interface e0/1 details
Interface: Ethernet0/1
MAC Address: 5017.00ac.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.3.11
User-Name: EVE\johndoe
Status: Authorized
Domain: DATA


Oper host mode: single-host


Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 263s
Session Uptime: 338s
Common Session ID: 0A0101FC0000001508D1386B
Acct Session ID: 0x00000021
Handle: 0xEC000007
Current Policy: POLICY_Et0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Vlan Group: Vlan: 30
ACS ACL: xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43
SGT Value: 16

Method status list:


Method State

dot1x Authc Success

SW1#
Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-user)
1 permit ip any any
SW#

✓ Navigate to ISE management/Operations/Live Logs again


✓ Now you will see that user John Doe is authorized, assigned to Engineers-PROFILE and has
obtained an IP address from VLAN 30.

4. Objective: Corporate-PC Employee user (Jenny)


✓ Sign out from John Doe.
✓ Log in to the Windows 10 Corporate-PC as user jennydoe with password Silver2021
✓ Go to the switch and issue show access-lists again. Now you will see that the ACL has
changed to permit all and VLAN 20 is forced on the switchport:


SW1#show authentication sessions interface e0/1 details


Interface: Ethernet0/1
MAC Address: 5017.00ac.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.2.11
User-Name: EVE\jennydoe
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 193s
Session Uptime: 708s
Common Session ID: 0A0101FC0000001508D1386B
Acct Session ID: 0x00000023
Handle: 0xEC000007
Current Policy: POLICY_Et0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Vlan Group: Vlan: 20
ACS ACL: xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43
SGT Value: 4

Method status list:


Method State

dot1x Authc Success

SW#

✓ Navigate to ISE management/Operations/Live Logs again


✓ Now you will see that user Jenny Doe is authorized, assigned to Employees-PROFILE and has
obtained an IP address from VLAN 20.


XX. Contractor Devices Authentication


1. Objective: Configure Contractor Windows 10 PC MAB authentication
✓ Boot Win10-PC2 node (Contractors PC)
✓ Navigate to ISE management/Operations/Live Logs
You will notice that the authentication has failed. Note the MAC address of your Contractors PC

✓ Navigate to ISE management/Context Visibility/Endpoints

✓ Select the Win10-PC2 Contractors rejected device, and click Edit


✓ Description: Contractors PC
✓ Static assignment: Windows 10-Workstation
✓ Static group assignment: Contractors
✓ Click save


✓ Issue command show access-lists


✓ You must notice that EVE_DHCP_ACL is in use. This means your Contractor PC has received an
IP address from VLAN 40 and has network access:
SW1#show authentication sessions interface e0/2 details
Interface: Ethernet0/2
MAC Address: 5017.00ab.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.4.10
User-Name: 50-17-00-AB-00-00
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 221s
Session Uptime: 680s
Common Session ID: 0A0101FC0000001608E69670
Acct Session ID: 0x00000024
Handle: 0xC1000008
Current Policy: POLICY_Et0/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Vlan Group: Vlan: 40
ACS ACL: xACSACLx-IP-EVE_DHCP_ACL-5fe79837
SGT Value: 5


Method status list:


Method State

mab Authc Success

SW1#

✓ Navigate to ISE management/Operations/Live Logs again


✓ Now you will see that the Contractor PC device is authenticated and assigned to
Contractors-PROFILE and VLAN 40

2. Objective: Configure Contractor Linux FTP Server MAB authentication


✓ Boot FTP Linux node (data.eve.lab docker node)
✓ Navigate to ISE management/Operations/Live Logs
You will notice that the authentication has failed. Note the MAC address of your FTP server
✓ Navigate to ISE management/Context Visibility/Endpoints

✓ Select the FTP server's rejected device (identified by its MAC address), and click Edit


✓ Description: FTP Contractor Server
✓ Static assignment: Linux-Workstation
✓ Static group assignment: Contractors
✓ Click save


✓ Issue command show access-lists on SW2


✓ You must notice that EVE_DHCP_ACL is in use. This means your Contractor FTP server has received
an IP address from VLAN 40 and has network access:
SW2#show authentication sessions interface e1/0 details
Interface: Ethernet1/0
MAC Address: 500a.0009.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.4.100
User-Name: 50-0A-00-09-00-00
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 278s
Session Uptime: 21s
Common Session ID: 0A0101FD0000000E0273196C
Acct Session ID: 0x00000004
Handle: 0xE7000002
Current Policy: POLICY_Et1/0

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure


Server Policies:
Vlan Group: Vlan: 40
ACS ACL: xACSACLx-IP-EVE_DHCP_ACL-5fe79837
SGT Value: 5

Method status list:


Method State

mab Authc Success

SW2#

✓ Navigate to ISE management/Operations/Live Logs again


✓ Now you will see that the Contractor FTP server is authenticated and assigned to
Contractors-PROFILE and VLAN 40
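As an added example (not part of the lab guide and not a Cisco tool), the following Python script parses the `show authentication sessions interface ... details` output shown in sections XIX and XX and checks the pushed VLAN, downloadable ACL, SGT and authentication method against what each lab role should receive. The expected values are the ones the guide's own outputs show; the two sample outputs embedded in the script are constructed to mirror them. For MAB sessions it also checks that the RADIUS User-Name is the MAC learned on the port, since the MAC is the only identity MAB has.

```python
"""Parse IOS `show authentication sessions interface ... details` output and compare the
server-pushed result with the lab policy for the role that should be on the port.
Added example, not part of the lab guide."""
import re

# Expected authorization per lab role, taken from the VLAN/DACL/SGT values the guide's outputs show.
EXPECTED = {
    "Engineers":   {"vlan": 30, "sgt": 16, "dacl": "WIRED_PERMIT_ALL", "method": "dot1x"},
    "Employees":   {"vlan": 20, "sgt": 4,  "dacl": "WIRED_PERMIT_ALL", "method": "dot1x"},
    "Contractors": {"vlan": 40, "sgt": 5,  "dacl": "EVE_DHCP_ACL",     "method": "mab"},
}
FIELDS = {"Interface": "interface", "MAC Address": "mac", "IPv4 Address": "ipv4",
          "User-Name": "username", "Status": "status"}
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab)\s+(\S.*?)\s*$")
DACL_RE = re.compile(r"^xACSACLx-IP-(.+)-[0-9a-fA-F]{8}$")   # ISE downloadable-ACL naming

def normalize_mac(mac):
    """5017.00ab.0000, 50-17-00-AB-00-00 and 50:17:00:ab:00:00 all become 501700ab0000."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_session(text):
    session, in_methods = {"methods": {}}, False
    for line in text.splitlines():
        if line.strip().startswith("Method status list"):
            in_methods = True            # a "<method> <state>" table follows until the prompt
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                session["methods"][m.group(1)] = m.group(2)
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key in FIELDS:
            session[FIELDS[key]] = val
        elif key == "Vlan Group":        # rendered as "Vlan Group: Vlan: 30"
            num = re.search(r"Vlan:\s*(\d+)", val)
            session["vlan"] = int(num.group(1)) if num else None
        elif key == "ACS ACL":
            dm = DACL_RE.match(val)
            session["dacl"] = dm.group(1) if dm else val
        elif key == "SGT Value":
            session["sgt"] = int(val)
    return session

def check_session(session, role):
    """Mismatches between the session and the role's expected authorization (empty list = OK)."""
    exp, problems = EXPECTED[role], []
    if session.get("status") != "Authorized":
        problems.append(f"status {session.get('status')!r}, expected Authorized")
    for field in ("vlan", "sgt", "dacl"):
        if session.get(field) != exp[field]:
            problems.append(f"{field} {session.get(field)!r}, expected {exp[field]!r}")
    if session["methods"].get(exp["method"]) != "Authc Success":
        problems.append(f"{exp['method']} did not succeed: {session['methods']}")
    # MAB has no credential beyond the MAC itself, so the RADIUS User-Name must equal the port MAC.
    if exp["method"] == "mab" and normalize_mac(session.get("username", "")) != normalize_mac(session.get("mac", "")):
        problems.append("MAB User-Name does not match the MAC learned on the port")
    return problems

# Constructed samples modelled on the guide's own displays (section XIX step 3, section XX step 1).
JOHN_SESSION = """\
SW1#show authentication sessions interface e0/1 details
            Interface:  Ethernet0/1
          MAC Address:  5017.00ac.0000
         IPv4 Address:  10.1.3.11
            User-Name:  EVE\\johndoe
               Status:  Authorized
Server Policies:
           Vlan Group:  Vlan: 30
              ACS ACL:  xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43
            SGT Value:  16
Method status list:
       Method           State
       dot1x            Authc Success
SW1#
"""
CONTRACTOR_SESSION = """\
SW1#show authentication sessions interface e0/2 details
            Interface:  Ethernet0/2
          MAC Address:  5017.00ab.0000
         IPv4 Address:  10.1.4.10
            User-Name:  50-17-00-AB-00-00
               Status:  Authorized
Server Policies:
           Vlan Group:  Vlan: 40
              ACS ACL:  xACSACLx-IP-EVE_DHCP_ACL-5fe79837
            SGT Value:  5
Method status list:
       Method           State
       mab              Authc Success
SW1#
"""

if __name__ == "__main__":
    print("John as Engineers:", check_session(parse_session(JOHN_SESSION), "Engineers") or "OK")
    print("PC2 as Contractors:", check_session(parse_session(CONTRACTOR_SESSION), "Contractors") or "OK")
```

Run it against a pasted session display to get an empty list for a correct port, or a list naming the field (VLAN, SGT, DACL, method) that the server pushed differently from the policy; checking John's session against the Employees role, for instance, reports the VLAN 30/20 and SGT 16/4 mismatches.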

XXI. ISE TrustSec Configuration


1. Objective: Join Lab network devices to SXP domain
✓ Navigate to ISE Management/Work Centers/TrustSec/SXP

✓ Click “+” Add


✓ Name: SW1
✓ IP Address: 10.1.1.252
✓ Peer role: Speaker
✓ SXP Domain: Default
✓ Status Enabled
✓ Password Type: DEFAULT
✓ Version v4
✓ Save


✓ Click “+” Add


✓ Name: SW2
✓ IP Address: 10.1.1.253
✓ Peer role: Speaker
✓ SXP Domain: Default
✓ Status Enabled
✓ Password Type: DEFAULT
✓ Version v4
✓ Save

✓ Click “+” Add


✓ Name: ASAv10


✓ IP Address: 10.1.1.254
✓ Peer role: Listener
✓ SXP Domain: Default
✓ Status Enabled
✓ Password Type: DEFAULT
✓ Version v4
✓ Save

2. Objective: Configure Network devices for TrustSec and CTS PAC


✓ Navigate to ISE Management
✓ Click Tab Administration/Network Resources/Network Devices

✓ Select ASAv10/edit
✓ Navigate to Advanced TrustSec Settings, Enable it
✓ Enable Use Device ID for TrustSec Identification
✓ Password: eve1


✓ Navigate down to TrustSec Notifications and Updates


✓ Enable Other TrustSec devices to trust this device
✓ Enable Using Send configuration changes to device and CoA

✓ Navigate down to Out Of Band (OOB) TrustSec PAC


✓ Encryption key: evetrust (this key will be required to import PAC to the ASAv10)
✓ Select 1 year time to live
✓ Generate PAC, File ASAv10.pac will be downloaded to the Mgmnt station download
directory

✓ Navigate to ISE Management


✓ Click Tab Administration/Network Resources/Network Devices
✓ Select SW1/edit
✓ Navigate down to Advanced TrustSec Settings, Enable it
✓ Enable Use Device ID for TrustSec Identification
✓ Password: eve1
✓ Navigate down to TrustSec Notifications and Updates
✓ Enable Other TrustSec devices to trust this device
✓ Enable Using Send configuration changes to device and CoA
✓ Navigate down to Out Of Band (OOB) TrustSec PAC
✓ Encryption key: evetrust (this key will be required to import the PAC to SW1)
✓ Select 1 year time to live


✓ Generate PAC, File SW1.pac will be downloaded to the Mgmnt station download
directory

✓ Navigate to ISE Management


✓ Click Tab Administration/Network Resources/Network Devices
✓ Select SW2/edit
✓ Navigate down to Advanced TrustSec Settings, Enable it
✓ Enable Use Device ID for TrustSec Identification
✓ Password: eve1
✓ Navigate down to TrustSec Notifications and Updates
✓ Enable Other TrustSec devices to trust this device
✓ Enable Using Send configuration changes to device and CoA
✓ Navigate down to Out Of Band (OOB) TrustSec PAC
✓ Encryption key: evetrust (this key will be required to import the PAC to SW2)
✓ Select 1 year time to live
✓ Generate PAC, File SW2.pac will be downloaded to the Mgmnt station download
directory

XXII. ASAv CTS Configuration


Objective: Configure ASAv10 TrustSec CTS with the following configuration

✓ Open the ASAv10 cli and configure the following


cts server-group ISE-GROUP
cts sxp enable
cts sxp default password eve1
cts sxp default source-ip 10.1.1.254
cts sxp connection peer 10.1.1.200 password default mode local listener

✓ On the Mgmt station, copy the ASAv10.pac file to the TFTP folder


✓ Open the ASAv10 cli and enter the following


ASAv10# cts import-pac tftp://10.1.1.100/ASAv10.pac password evetrust
!PAC Imported Successfully
ASAv10#
ASAv10#
ASAv10# cts refresh environment-data
ASAv10# Database updated, 20 recs written

ASAv10#

✓ Verify that your ASAv has a successful SXP connection to the ISE


ASAv10# show cts sxp connections
SXP : Enabled
Highest version : 3
Default password : Set
Default local IP : 10.1.1.254
Delete hold down period : 120 secs
Reconcile period : 120 secs
Retry open period : 120 secs
Retry open timer : Not Running
Total number of SXP connections: 1
Total number of SXP connections shown: 1
-----------------------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.254
Conn status : On
Conn version : 3
Local mode : Listener
Ins number : 3
TCP conn password : Default
Reconciliation timer : Not Running
Delete hold down timer : Not Running
Duration since last state change: 0:00:28:12 (dd:hr:mm:sec)
ASAv10#

XXIII. LAN Switches CTS Configuration


Objective: Configure SW1 and SW2 TrustSec CTS with the following configuration

✓ Open the SW1 and SW2 cli and configure the following (the source IP shown is SW1's; on SW2 use its own address 10.1.1.253)


cts authorization list ISE
cts sxp enable
cts sxp default source-ip 10.1.1.252
cts sxp default password eve1
cts sxp connection peer 10.1.1.200 source 10.1.1.252 password default mode local speaker

radius server ISE
 address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
 pac key eve1

✓ Open the SW1 cli and configure the following


SW1#cts credentials id SW1 password evetrust
CTS device ID and password have been inserted in the local keystore. Please make sure that the same ID and password are configured in the server database.

SW1#sh cts pac


AID: E3EB17E4E7F395AD7AB10E341640BF8C
PAC-Info:
PAC-type = Cisco Trustsec
AID: E3EB17E4E7F395AD7AB10E341640BF8C
I-ID: SW1
A-ID-Info: Identity Services Engine
Credential Lifetime: 05:23:35 EET Apr 6 2021
PAC-Opaque:
000200B00003000100040010E3EB17E4E7F395AD7AB10E341640BF8C000600940003
010010C1CDF52A20B238C8A91CCD365EFFF2000000135FF106A00
0093A80D3AF12451910CDB0E27B1425469F0BC4C385EDF1613E0DC851AA58282888D
E1395173996B9AA0C9460B606C8AE352B50CB5EE49409063D718F8618E92C135E9D
C0A7E2FB18E712B8E0E16350F97064F7BA817C868C272DB1F803132AA8AB9966F3AD
980EDDE1E035E9C1FFAA04C80D6B535F319C
Refresh timer is set for 12w3d

SW1#show cts sxp connections


SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.1.1.252
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.252
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Keepalive timer is running


Duration since last state change: 0:00:38:19 (dd:hr:mm:sec)

Total num of SXP Connections = 1

SW1#
SW1#

✓ Open the SW2 cli and configure the following


SW2#cts credentials id SW2 password evetrust
CTS device ID and password have been inserted in the local keystore. Please make sure that the same ID and password are configured in the server database.

SW2#show cts pac


AID: E3EB17E4E7F395AD7AB10E341640BF8C
PAC-Info:
PAC-type = Cisco Trustsec
AID: E3EB17E4E7F395AD7AB10E341640BF8C
I-ID: SW2
A-ID-Info: Identity Services Engine
Credential Lifetime: 09:36:09 GMT Apr 7 2021
PAC-Opaque:
000200B00003000100040010E3EB17E4E7F395AD7AB10E341640BF8C000600940003
0100C4ACF9A6F35AAE51CAC4FBB581ACF03900000013
5FF106A000093A80D3AF12451910CDB0E27B1425469F0BC4FB48A999198367120E15
327D7BF1FC2CFD4804A065BFEB75B6A07587A0E33A2D176914D2B3037C
D04804C6ADC05DAB03247A42C57B934BFF61309B981EDCA1E9C7BC77282DAD519BFF
954A1A0BFE8E8C053E6A2EFACDF36562D916D94C8CE08BEEC4FFBB
Refresh timer is set for 12w4d

SW2#show cts sxp connections


SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.1.1.253
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.253
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Speaker


Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Keepalive timer is running
Duration since last state change: 0:00:37:26 (dd:hr:mm:sec)

Total num of SXP Connections = 1


SW2#

3. Objective: TrustSec SXP domain connectivity verification


✓ Navigate to ISE Management/Work Centers/TrustSec/SXP
✓ Status for all devices must be ON
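An added example, not from the lab guide: a Python parser for `show cts sxp connections` that handles both the ASA output format (section XXII) and the IOS format (section XXIII) and checks each peering against the roles configured on ISE in section XXI, where SW1 and SW2 are speakers, ASAv10 is a listener, and every device peers with ISE at 10.1.1.200. The two sample outputs are constructed after the ones shown above; the ASA negotiates SXP version 3 while the switches run version 4, and the check accepts either as long as the connection is On.

```python
"""Parse `show cts sxp connections` from the ASA and from IOS switches and check each peering
against the roles configured on ISE. Added example, not part of the lab guide."""
import re

# Device role as configured on ISE in section XXI ("Peer role" there is the device's own role):
# the switches speak their IP-SGT bindings to ISE, ASAv10 listens for them from ISE.
EXPECTED_PEERINGS = {"SW1": ("10.1.1.200", "speaker"), "SW2": ("10.1.1.200", "speaker"),
                     "ASAv10": ("10.1.1.200", "listener")}
KV_RE = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$")

def parse_sxp_connections(text):
    """Return (summary, connections). Labels differ between platforms (ASA 'Local mode : Listener',
    IOS 'Local mode : SXP Speaker'), so keys are lower-cased and the mode is normalised."""
    summary, conns, cur = {}, [], None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue                     # prompts, dashed separators, "timer is running" lines
        key, val = m.group(1).lower(), m.group(2)
        if key == "peer ip":             # each connection block starts with its Peer IP line
            cur = {"peer": val}
            conns.append(cur)
        elif cur is None:
            summary[key] = val
        else:
            cur[key] = val
    for c in conns:
        mode = c.get("local mode", "").lower()
        c["mode"] = "listener" if "listener" in mode else "speaker" if "speaker" in mode else "unknown"
        c["status"] = c.get("conn status", "")
        c["version"] = int(c.get("conn version", "0"))
        c["source"] = c.get("source ip", "")
    return summary, conns

def check_peering(summary, conn, expected_peer, expected_mode):
    """List of problems; empty means the peering is up, with the right peer and role."""
    problems = []
    if summary.get("sxp", "").lower() != "enabled":
        problems.append("SXP is not enabled on this device")
    if conn["peer"] != expected_peer:
        problems.append(f"peer {conn['peer']} != expected {expected_peer}")
    if conn["status"] != "On":
        problems.append(f"connection status is {conn['status']!r}, not On")
    if conn["mode"] != expected_mode:
        problems.append(f"local mode {conn['mode']} != expected {expected_mode}")
    # The SXP password (TCP MD5) is the only thing that authenticates the peer; without it the
    # peer is identified by its IP address alone, so a missing password is reported as a problem.
    pw = conn.get("tcp conn password", "").lower()
    if not pw or pw == "none":
        problems.append("peering is not password protected")
    return problems

def verify_device(name, output):
    """Check one device's output against its ISE-configured peering with 10.1.1.200."""
    summary, conns = parse_sxp_connections(output)
    peer, mode = EXPECTED_PEERINGS[name]
    match = [c for c in conns if c["peer"] == peer]
    if not match:
        return [f"{name}: no SXP connection to {peer}"]
    return check_peering(summary, match[0], peer, mode)

# Constructed samples, modelled on the ASA and SW1 displays in the guide.
ASA_OUTPUT = """\
ASAv10# show cts sxp connections
SXP : Enabled
Highest version : 3
Default password : Set
Default local IP : 10.1.1.254
Retry open timer : Not Running
Total number of SXP connections: 1
-----------------------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.254
Conn status : On
Conn version : 3
Local mode : Listener
TCP conn password : Default
Duration since last state change: 0:00:28:12 (dd:hr:mm:sec)
"""
SW1_OUTPUT = """\
SW1#show cts sxp connections
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.1.1.252
Retry open timer is not running
----------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.252
Conn status : On
Conn version : 4
Local mode : SXP Speaker
TCP conn password: default SXP password
Keepalive timer is running
Total num of SXP Connections = 1
"""

if __name__ == "__main__":
    for name, out in (("ASAv10", ASA_OUTPUT), ("SW1", SW1_OUTPUT)):
        print(name, verify_device(name, out) or "OK")
```

Paste each device's real display into the matching constant (or read it from a file) and `verify_device` returns an empty list when the peering matches the ISE configuration; a switch accidentally configured as listener, or an ASA whose connection is still in Off or Pending state, shows up as a named problem rather than as a line to read by eye.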

XXIV. TrustSec SXP SGT verification


1. Objective: Check SGT Policies and mapping on ASAv
✓ Issue the following command on ASAv10 while Jenny (Employee) is authenticated:
ASAv10# show cts sxp sgt-map ipv4 detail
Total number of IP-SGT mappings : 5
Total number of IP-SGT mappings shown: 5

SGT : 5:Contractors
IPv4 : 10.1.4.10
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 4:Employees
IPv4 : 10.1.2.11
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 5:Contractors
IPv4 : 10.1.4.100
Peer IP : 10.1.1.200
Ins Num : 3


Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.252
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.253
Peer IP : 10.1.1.200
Ins Num : 3

✓ Issue the following command on ASAv10 while John (Engineers) is authenticated:


ASAv10# show cts sxp sgt-map ipv4 detail
Total number of IP-SGT mappings : 7
Total number of IP-SGT mappings shown: 7

SGT : 5:Contractors
IPv4 : 10.1.4.10
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 17:Domain_PC
IPv4 : 10.1.2.11
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 16:Engineers
IPv4 : 10.1.3.12
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 16:Engineers
IPv4 : 10.1.1.23
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 5:Contractors
IPv4 : 10.1.4.100
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.252
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.253
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active
ASAv10#


2. Objective: ISE SGT Mapping


✓ Navigate to ISE Management/Work Centers/TrustSec/SXP/All SXP Mappings

XXV. ASAv SGT based Access rules

TrustSec SXP SGT Policies based Tasks

1. Corporate User Employees (Jenny) Must have access to Corporate WEB Server
http://webserver.eve.lab and Internet only.
2. Corporate User Engineers (John) must have access to all resources in the lab. Engineer
network must have access to Contractors network.
3. Contractor User must have access to FTP Server ftp://data.eve.lab and DNS services and
Internet
4. Contractor User must not have access to DMZ network or to Corporate VLANs 20 and 30.

1. Objective: Configure SGT-based access rules on ASAv10


✓ Open ASAv10 cli and configure with following
access-list employees_access_in extended deny ip security-group name Employees object employees_network security-group name Contractors object contractors_network
access-list employees_access_in extended permit ip security-group name Employees any object-group Emploee_Access
access-list employees_access_in extended deny ip security-group name Employees any object dmz_network
access-list engineers_access_in extended permit ip security-group name Engineers any any
access-list contractors_access_in extended permit ip security-group name Contractors any security-group name Contractors any
access-list contractors_access_in extended permit object-group TCPUDP security-group name Contractors any object DNS_server eq domain
access-list contractors_access_in extended deny ip security-group name Contractors any security-group name Employees any

access-list contractors_access_in extended deny ip security-group name Contractors any object dmz_network
access-list contractors_access_in extended deny ip security-group name Contractors any security-group name Engineers any
access-list contractors_access_in extended permit ip security-group name Contractors any any

access-group engineers_access_in in interface engineers
access-group contractors_access_in in interface contractors
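To make the effect of the SGT-based rules above visible before running the final verification, here is an added Python model (not lab code and not an ASA feature) that mirrors the three ACLs rule for rule, evaluates a flow first-match with the ASA's implicit deny at the end, and takes the IP-to-SGT bindings from a `show cts sxp sgt-map ipv4 detail` display. The VLAN prefixes follow the addresses seen in the session output; the dmz_network, web server and DNS server addresses, the contents of the Emploee_Access object-group and the assumption that the employees ACL is bound to its own interface like the other two are all assumptions of the model, marked as such in the code. The sample sgt-map output is constructed from the guide's two displays, with Jenny's and John's endpoints both present.

```python
"""Model of the SGT-based ASAv10 rules above, evaluated against the IP-to-SGT bindings the ASA
learns over SXP (parsed from `show cts sxp sgt-map ipv4 detail`). Added example, not lab code."""
import ipaddress
import re

LAB_SPACE = ipaddress.ip_network("10.1.0.0/16")   # assumption: anything outside is "Internet"

# Network objects used by the ACLs. VLAN prefixes follow the addresses seen in the session
# output; dmz_network, the web server and the DNS server addresses are ASSUMED placeholders.
OBJECTS = {n: ipaddress.ip_network(c) for n, c in {
    "employees_network": "10.1.2.0/24", "engineers_network": "10.1.3.0/24",
    "contractors_network": "10.1.4.0/24", "dmz_network": "10.1.5.0/24",
    "webserver": "10.1.5.10/32", "DNS_server": "10.1.1.201/32"}.items()}
GROUPS = {"Emploee_Access": ["webserver", "internet"]}   # assumed contents of the object-group

def rule(action, src_sgt=None, src_obj=(), dst_sgt=None, dst_obj=(), proto=None, dport=None):
    return dict(action=action, src_sgt=src_sgt, src_obj=src_obj, dst_sgt=dst_sgt,
                dst_obj=dst_obj, proto=proto, dport=dport)

# The guide's three ACLs, rule for rule and in the same order.
ACLS = {
    "employees_access_in": [
        rule("deny", "Employees", ["employees_network"], "Contractors", ["contractors_network"]),
        rule("permit", "Employees", dst_obj=GROUPS["Emploee_Access"]),
        rule("deny", "Employees", dst_obj=["dmz_network"])],
    "engineers_access_in": [rule("permit", "Engineers")],
    "contractors_access_in": [
        rule("permit", "Contractors", dst_sgt="Contractors"),
        rule("permit", "Contractors", dst_obj=["DNS_server"], proto={"tcp", "udp"}, dport=53),
        rule("deny", "Contractors", dst_sgt="Employees"),
        rule("deny", "Contractors", dst_obj=["dmz_network"]),
        rule("deny", "Contractors", dst_sgt="Engineers"),
        rule("permit", "Contractors")],
}
# The ASA picks the inbound ACL by ingress interface; here the source network stands in for it.
# The guide binds only the engineers and contractors ACLs with access-group, so binding the
# employees ACL to its interface the same way is an assumption of this model.
INGRESS = [("employees_network", "employees_access_in"), ("engineers_network", "engineers_access_in"),
           ("contractors_network", "contractors_access_in")]

def parse_sgt_map(text):
    """{ip: (sgt_number, sgt_name)} from the ASA's `show cts sxp sgt-map ipv4 detail`."""
    mappings, sgt = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*(SGT|IPv4)\s*:\s*(\S+)", line)
        if m and m.group(1) == "SGT":
            num, name = m.group(2).split(":", 1)
            sgt = (int(num), name)
        elif m and sgt is not None:
            mappings[m.group(2)] = sgt
    return mappings

def _in_objects(ip, names):
    return any((ip not in LAB_SPACE) if n == "internet" else (ip in OBJECTS[n]) for n in names)

def _matches(r, sgt_map, src, dst, proto, dport):
    tag = lambda ip: sgt_map.get(str(ip), (None, None))[1]   # unbound IP -> no SGT at all
    return not ((r["src_sgt"] and tag(src) != r["src_sgt"])
                or (r["src_obj"] and not _in_objects(src, r["src_obj"]))
                or (r["dst_sgt"] and tag(dst) != r["dst_sgt"])
                or (r["dst_obj"] and not _in_objects(dst, r["dst_obj"]))
                or (r["proto"] and proto not in r["proto"])
                or (r["dport"] is not None and dport != r["dport"]))

def check_flow(sgt_map, src, dst, proto="ip", dport=None):
    """'permit' or 'deny' for one flow. Every ASA ACL ends in an implicit deny, and a source
    without an SGT binding matches none of the security-group rules, so it is denied too."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = next((ACLS[a] for obj, a in INGRESS if src_ip in OBJECTS[obj]), [])
    for r in acl:
        if _matches(r, sgt_map, src_ip, dst_ip, proto, dport):
            return r["action"]
    return "deny"

# Constructed sample, merged from the guide's two sgt-map displays (Jenny's and John's endpoints).
SGT_MAP_OUTPUT = """\
ASAv10# show cts sxp sgt-map ipv4 detail
Total number of IP-SGT mappings : 4
Total number of IP-SGT mappings shown: 4

SGT : 4:Employees
IPv4 : 10.1.2.11
Peer IP : 10.1.1.200
Status : Active

SGT : 16:Engineers
IPv4 : 10.1.3.12
Peer IP : 10.1.1.200
Status : Active

SGT : 5:Contractors
IPv4 : 10.1.4.10
Peer IP : 10.1.1.200
Status : Active

SGT : 5:Contractors
IPv4 : 10.1.4.100
Peer IP : 10.1.1.200
Status : Active
"""
```

Evaluating the flows from the final verification against this model gives the outcomes the tasks demand: Jenny reaches the web server and the Internet but not the contractor FTP server, John reaches everything, and the contractor PC reaches FTP, DNS and the Internet but neither the DMZ nor the corporate VLANs. The last assertion in the test shows the property that makes SGT-based rules fail closed: a host in VLAN 40 that never authenticated has no binding, matches no security-group rule and is dropped by the implicit deny.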

XXVI. Final verification


1. Objective: Test Contractor PC access to FTP Server ftp://data.eve.lab
✓ On the Contractors PC, open FileZilla or a browser to test FTP access to data.eve.lab
✓ Username: root, password: eve
✓ Connection must succeed


2. Objective: Test Contractor PC access to Internet


✓ On the Contractors PC, open CMD and test ping www.google.com. Pinging by name also confirms
that access to the DNS server is properly configured

Ping must succeed

3. Objective: Test Contractor PC access to Corporate resources


✓ On the Contractors PC, open a browser and test access to http://webserver.eve.lab

Access must fail.

✓ Test ping to Engineers or Employee Networks

Access must fail.


4. Objective: Test Corporate PC Engineers SGT user John


✓ Log in Corporate-PC as user johndoe/Gold2021
✓ Open browser and test http://webserver.eve.lab

Must have access to it.

5. Objective: Test Corporate PC Engineers SGT user John to Contractors FTP


✓ Open Filezilla and test ftp access to contractors server data.eve.lab

Must have access to it.


6. Objective: Test Corporate PC Engineers SGT user John Internet


✓ Open CMD and ping www.google.com
✓ Ping Contractors PC IP

Must have access to it.


7. Objective: Test Corporate PC Employees SGT user Jenny Access to Corporate web server
✓ Log in Corporate-PC as user jennydoe/Silver2021
✓ Open browser and test http://webserver.eve.lab

Must have access to it.

8. Objective: Test Corporate PC Employees SGT user Jenny Internet and access to Contractors
✓ Log in Corporate-PC as user jennydoe/Silver2021
✓ Open CMD and ping www.google.com
✓ Ping ftp server data.eve.lab

Internet access must succeed

FTP access must fail
