02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 10/20/2011 1

ISE Profiling Services Lab Guide

Developers and Lab Proctors

This lab was created by: James Burke

Lab Overview

This lab is designed to help attendees understand how to configure and deploy the ISE Profiler. It covers the basic configuration and management for profiling devices in an 802.1X environment. Lab users should be able to complete the lab within the allotted lab time of two (2) hours.

Lab Exercises

This lab guide includes the following exercises:

• Lab Verification

• Lab Exercise 1: Enable ISE Probes for Profiling

• Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes

• Lab Exercise 3: Verify Profiled Endpoints and Probe attribute information

• Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints

• Lab Exercise 5: Verify IP Phone default Policy

• Lab Exercise 6: Logging and Reporting


Product Overview: ISE

The Cisco Identity Services Engine (ISE) is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security and streamline their service operations. Its architecture allows enterprises to gather real-time contextual information from the network, users, and devices to make proactive governance decisions by tying identity back into various network elements, including access switches, wireless controllers, VPN gateways, and data center switches. Cisco Identity Services Engine is a key component of the Cisco TrustSec™ Solution.

TrustSec Lab Topology


Internal IP Addresses

The table that follows lists the internal IP addresses used by the devices in this setup.

Device                                        Name/Hostname                        IP Address
Core Switch (Nexus 7k)                        7k-core.demo.local                   10.1.100.1, 10.1.250.1
Access Switch (3560X)                         3k-access.demo.local                 10.1.250.2
Data Center Switch (3560X)                    3k-server.demo.local                 10.1.251.2
ISE Appliance                                 ise-1.demo.local                     10.1.100.21
ISE Appliance                                 ise-2.demo.local                     10.1.100.22
ISE Appliance                                 ise-3.demo.local                     10.1.100.23
ISE Appliance                                 ise-4.demo.local                     10.1.100.24
AD Server (CA/DNS/DHCP)                       ad.demo.local                        10.1.100.10
NTP Server                                    ntp.demo.local                       128.107.220.1
Public Web Server                             www-ext.demo.local                   10.1.252.10
Internal Web Server                           www-int.demo.local                   10.1.252.20
Admin (Management) Client (also FTP Server)   admin.demo.local, ftp.demo.local     10.1.100.6
Windows 7 Client PC                           win7-pc.demo.local                   DHCP (10.1.10.x/24)

Internal VLANs and IP Subnets

The table that follows lists the internal VLANs and corresponding IP subnets used by the devices in this setup.

VLAN Number   VLAN Name        IP Subnet        Description
10            ACCESS           10.1.10.0/24     Network for authenticated users or access network using ACLs
20            MACHINE          10.1.20.0/24     Microsoft machine-authenticated devices (L2 segmentation)
30            QUARANTINE       10.1.30.0/24     Unauthenticated or non-compliant devices (L2 segmentation)
40            VOICE            10.1.40.0/24     Dedicated Voice VLAN
50            GUEST            10.1.50.0/24     Network for authenticated and compliant guest users
60            VPN              10.1.60.0/24     VPN Client VLAN to ASA outside interface
70            ASA (trusted)    10.1.70.0/24     ASA inside network to IPEP untrusted interface
80            IPEP (trusted)   10.1.80.0/24     Dedicated IPEP VLAN for trusted interface
90            AP               10.1.90.0/24     Wireless AP connection for LWAPP tunnel
100           DATACENTER       10.1.100.0/24    Network services (AAA, AD, DNS, DHCP, NTP, etc.)
(250)         -                10.1.250.0/24    Dedicated interconnect subnet between Core and Access switch
(251)         -                10.1.251.0/24    Dedicated interconnect subnet between Core and Data Center switch
252           WEBSVR           10.1.252.0/24    Web Server network

Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By default, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE VLAN 40.

Accounts and Passwords

The table that follows lists the accounts and passwords used in this lab.

Access To                              Account (username/password)
Core Switch (Nexus 7k)                 admin / C!sco123
Access Switch (3560X)                  admin / cisco123
Data Center Switch (3560X)             admin / cisco123
ASA (VPN gateway)                      admin / cisco123
ISE Appliances                         admin / default1A
AD Server (CA/DNS/DHCP)                administrator / cisco123
Web Servers                            administrator / cisco123
Admin (Management) Client              admin / cisco123
Windows 7 Client                       WIN7-PC\administrator / cisco123 (Local = WIN7-PC)
                                       WIN7-PC\admin / cisco123 (Local = WIN7-PC)
                                       DEMO\admin / cisco123 (Domain = DEMO)
                                       DEMO\employee1 / cisco123 (Domain = DEMO)

Connecting to Lab Devices

Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.

Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.


Connect to a POD

Step 1 Launch the Remote Desktop application on your system.

a. In the LabOps student portal, click on the Topology tab

b. Click on the Admin PC, then click on the RDP Client option that appears:

c. Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in as DEMO\admin / cisco123 (Domain = DEMO)

d. All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines

During the lab exercises, you may need to access and manage the computers running as virtual machines.

Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop

Step 2 The IP address of your pod’s ESX server is 10.1.11.X where X = 10+(your pod number)

e.g. pod 1 = 10.1.11.11, pod 9 = 10.1.11.19, pod 15 = 10.1.11.25, pod 24 = 10.1.11.34

Note: Be careful to only connect to your pod’s ESX server. If unsure, contact your class proctor.

Step 3 Enter student / cisco123 for the username and password:


Step 4 Click Login.

Once logged in, you will see a list of VMs that are available on your ESX server:

Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so, place the mouse cursor over VM name in the left-hand pane and right-click to select one of these options:


Step 6 To access the VM console, select Open Console from the drop-down.

Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:

Connect to Lab Device Consoles:

Step 1 To access the consoles of the lab switches and ISE servers using SSH:

a. From the Admin client PC, double-click the desired PuTTY shortcut on the Windows desktop. Example:


You can also use the shortcuts in the Windows Quick Launch toolbar.

b. If prompted, click Yes to cache the server host key and to continue login.

c. Login using the credentials listed in the Accounts and Passwords table.

Step 2 To access the console for other devices using SSH:

a. From the Admin client PC, go to Start and select from the Windows Start Menu to open a terminal session using PuTTY.

b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of the desired device in the Host Name (or IP address) field.

c. Click Open.

d. If prompted, click Yes to cache the server host key and to continue login.

e. Login using the credentials listed in the Accounts and Passwords table.

Pre-Lab Setup Instructions

Basic Connectivity Test

To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC:

Verify that ping succeeds for all devices tested by script.

Note: The ping test may fail for VMs that have not yet completed the boot process.


Lab Verification: Verify initial lab setup and configuration

Exercise Description

Initial lab setup and pre-configuration verification.

Exercise Objective

Verify the default bootstrap configuration and connectivity.

Lab Exercise Steps

Step 1 Go to the Admin client PC and open a web browser to log into your ISE appliance (https://ise-1.demo.local) with username/password = admin / default1A

Step 2 Verify your network access switch (3k-access) is configured and setup correctly.

a. Go to Administration > Network Resources > Network Devices and select 3k-access

b. Verify the IP address is 10.1.250.2

c. Verify the authentication settings shared secret being used. Click the Show button and verify “cisco123” is the shared secret.


Step 3 Use the desktop shortcut for the PuTTY SSH client to launch a terminal session to the 3k-access switch (10.1.250.2) using the credentials admin / cisco123 (enable password cisco123).

Step 4 Make sure interfaces Gi 0/1 – 4 are administratively shut down. In this lab we are only concerned with the IP Phone and IP Camera.

Step 5 On the access switch, verify that MAB is configured on the switch ports for non-authenticating devices.

Step 6 Also verify that the multi-auth host mode is enabled on the switch port. This is needed for the IP Phone to authenticate: both the voice and data domains will attempt 802.1X and then fall back to MAB.

Step 7 Verify the change of authorization (CoA) command is configured on your switch. This is essential for when devices change profiles or the authorization settings change for a device or user: the ISE node sends the new authorization parameters to the switch via this mechanism.

Step 8 Verify the AAA accounting records are enabled.

The relevant parts of the switch configuration (Steps 5 – 8):

    aaa server radius dynamic-author
     client 10.1.100.21 server-key cisco123
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !
    interface Gi0/1
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 40
     ip access-group ACL-ALLOW in
     authentication host-mode multi-auth
     authentication open
     authentication order mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator


Step 9 Verify RADIUS VSA information is configured for accounting and authentication:

    radius-server vsa send accounting
    radius-server vsa send authentication


Lab Exercise 1: Enable ISE, Probes, and Network Device for Profiling

Exercise Description

This exercise will enable the profiling probes and NAD communication on your ISE Policy Service node.

Exercise Objective

At the end of this exercise you will know how to enable the probes for your ISE Policy Service node via the GUI.

Lab Exercise Steps

Step 1 Log into your ISE device via the admin GUI.

Step 2 Go to Administration > System > Deployment. Click on your ISE node.

Step 3 In General Settings, verify that Policy Service is enabled and that Enable Profiling Service is checked.

Step 4 In the right hand pane click the Profiling Configuration tab.

a. Leave Netflow Probe disabled

b. Enable DHCP Probe.

i. The device interface should be Gi0. (Gi0 is the interface on the ISE appliance)

ii. Leave the default UDP port 67.

c. Enable DHCPSPAN Probe.

i. The device interface should be Gi0

d. Enable HTTP Probe.

i. The device interface should be Gi0

e. Enable RADIUS Probe

f. Enable DNS Probe

i. Keep the defaults

g. Enable SNMPQUERY Probe.

i. Keep the defaults

h. Enable SNMPTRAP Probe.

i. Leave Link Trap Query Disabled

ii. Enable MAC Trap Query

iii. Device Interface should be Gi0

iv. Port 162 leave as default.


Step 5 Click the Save button and make sure your changes were saved successfully.

Step 6 Now go to your pre-configured NAD device on ISE to enable SNMP communication. Administration > Network Resources > Network Devices

a. Click on the 3k-access switch

b. In the configuration page enable the SNMP Settings section

c. Expand the setting and select SNMP version 2c

d. Enter ciscoro as the read only community string

e. Verify Link Trap Query is enabled.

f. Verify MAC Trap Query is enabled.

g. Set the polling interval to 600 seconds (LAB USE ONLY !)

h. Leave all other settings the same and click Save.

Note: You can use multiple interfaces to enable the ISE probes. You can also enable ISE Profiling on other Policy Service nodes if you have the proper licensing in place.

Step 7 Enable the Change of Authorization globally for Profiling. This will allow any status changes of a device to be sent to the access device for an endpoint.

a. Go to Administration > System > Settings > Profiling > CoA Type = Reauth

Note: Use caution when enabling this feature when first profiling your devices. The Change of Authorization will occur for all newly profiled devices.

Step 8 To verify the default actions for profiled devices, go to Policy > Policy Elements > Results > Profiling > Exception Actions (Advanced Exception actions will not be covered in this lab.)


End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes

Exercise Description

Configure ISE probes.

Exercise Objective

In this exercise, your goal is to configure and verify that your ISE probes are working as advertised.

Lab Exercise Steps

Step 1 Console into the 3k-access switch.

Step 2 Enable SNMP on the switch. The read-only community must match the one entered for the NAD in ISE (ciscoro), and the trap host is the ISE node running the SNMPTRAP probe:

    snmp-server community ciscoro RO
    snmp-server community ciscorw RW
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 10.1.100.21 version 2c ciscoro

Step 3 Turn on SNMP debug by typing debug snmp packet at the exec prompt on the access switch. If using a remote console (SSH/Telnet), also enter terminal monitor on the command line so you will see the output.

Step 4 Verify SNMP communication between the ISE node and the switch. You should see the SNMP requests coming into the switch from ISE-1 similar to the output shown below, and responses from the switch to the SNMP MIB requests from the ISE Profiling Service.


Step 5 Turn off the SNMP debug by typing no debug all from exec mode prompt on the switch command line interface.

Step 6 Bring up switchport Gi 0/2 by entering the command no shutdown under the interface in configuration mode.

Step 7 Verify RADIUS packets are being sent to ISE by entering debug radius authentication from exec mode on the access switch. These will be sent when a MAC Authentication Bypass (MAB) session is initiated for clientless devices. This information will be received by the Profiler Radius Probe and used in profiling endpoints.

Step 8 You will see the following output. MAB will take some time to initiate after the DOT1X authentication requests time out.

Example output of debug snmp packet (Step 4):

    3k-access# debug snmp packet
    *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
    *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
    *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
    *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
    *Apr 19 13:50:25.758: SNMP: Get-bulk request, reqid 2133241990, nonrptr 0, maxreps 10
     system = NULL TYPE/VALUE
    *Apr 19 13:50:25.758: SNMP: Response, reqid 2133241990, errstat 0, erridx 0
     system.1.0 = Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)
     system.2.0 = products.797
     sysUpTime.0 = 428342588
     system.4.0 =
     system.5.0 = 3k-access.demo.local
     system.6.0 =
     system.7.0 = 6
     system.8.0 = 0
     sysOREntry.2.1 = cisco.7.129


Example output of debug radius authentication (Step 8):

    *Apr 20 14:40:45.339: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
    *Apr 20 14:40:45.339: AAA/AUTHEN/8021X (00000011): Pick method list 'default'
    *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011):Orig. component type = DOT1X
    *Apr 20 14:40:45.339: RADIUS(00000011): Config NAS IP: 0.0.0.0
    *Apr 20 14:40:45.339: Getting session id for DOT1X(000
    *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011): acct_session_id: 16
    *Apr 20 14:40:45.339: RADIUS/ENCODE: Best Local IP-Address 10.1.250.2 for Radius-Server 10.1.100.21
    *Apr 20 14:40:45.339: RADIUS(00000011): Send Access-Request to 10.1.100.21:1812 id 1645/56, len 206
    *Apr 20 14:40:45.339: RADIUS: authenticator B7 9E 45 1D 55 C4 2F C2 - 4D 15 7F 5C B4 24 5A 60
    *Apr 20 14:40:45.339: RADIUS: User-Name [1] 14 "001ee599fc5b"
    *Apr 20 14:40:45.339: RADIUS: User-Password [2] 18 *
    *Apr 20 14:40:45.339: RADIUS: Service-Type [6] 6 Call Check [10]
    *Apr 20 14:40:45.339: RADIUS: Framed-MTU [12] 6 1500
    *Apr 20 14:40:45.348: RADIUS: Called-Station-Id [30] 19 "1C-17-D3-43-73-83"
    *Apr 20 14:40:45.348: RADIUS: Calling-Station-Id [31] 19 "00-1E-E5-99-FC-5B"
    *Apr 20 14:40:45.348: RADIUS: Message-Authenticato[80] 18 3 4F 1C 47 96 7D FA B2 40 F3 6D 62 B5 84 D3 [ OG}@mb]
    *Apr 20 14:40:45.348: RADIUS: EAP-Key-Name [102] 2 *
    *Apr 20 14:40:45.348: RADIUS: Vendor, Cisco [26] 49
    *Apr 20 14:40:45.348: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0164010000000F04A3DB09"
    *Apr 20 14:40:45.348: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
    *Apr 20 14:40:45.348: RADIUS: NAS-Port [5] 6 50002
    *Apr 20 14:40:45.348: RADIUS: NAS-Port-Id [87] 17 "GigabitEthernet0/2"
    *Apr 20 14:40:45.348: RADIUS: NAS-IP-Address [4] 6 10.1.250.2
    *Apr 20 14:40:45.348: RADIUS(00000011): Started 5 sec timeout
    *Apr 20 14:40:45.599: RADIUS: Received from id 1645/56 10.1.100.21:1812, Access-Accept, len 157


Step 9 Turn off the Radius debug when finished by typing no debug all on the command line.

Step 10 Configure an additional IP helper address pointing to the ISE appliance on interface Vlan10 (Access) and interface Vlan40 (Voice) so that DHCP requests are also relayed to the ISE DHCP probe. Example for Vlan10:

    interface Vlan10
     ip address 10.1.10.1 255.255.255.0
     ip helper-address 10.1.100.10
     ip helper-address 10.1.100.21

Step 11 Do a shut/no shut on interfaces Gi 0/1 – 8. This will retrigger DHCP requests from the endpoints, which the helper addresses now relay to ISE.

Step 12 Go to the Windows 7 PC and reboot it. Go to Start > Shutdown > Restart. This is needed because the VM and IP phone do not detect the link state change.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.


Lab Exercise 3: Verify Profiled Endpoints and Probe Information

Exercise Description

You will verify the endpoints and the information collected by each probe.

Exercise Objective

In this exercise, your goal is to correctly identify newly profiled endpoints and the unique attributes collected for them on the network.

Lab Exercise Steps

Step 1 Go to the ISE-1 Home page and see if there are any Profiled Endpoints.

Look at the “Profiled Endpoints” to see if you have endpoints being profiled.

Step 2 Go to Administration > Identity Management > Identities > Endpoints

Step 3 You should now see MAC addresses show up in the Endpoints View


Step 4 Click on one of the endpoints to verify attribute data received by the probes.

The latest information received by a certain Probe will be listed as:

EndPointSource = (ex. SNMPTrap Probe)


Step 5 Go back to Endpoints and click on the Microsoft-Workstation

a. You can verify the DNS probe is working by locating the “host-name” attribute. DNS was set up in the Bootstrap Lab 1.

b. You can also verify the DHCP Probe is working by locating the “dhcp-class-identifier” which was sent by the DHCP request of the Windows Client.


End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints

Exercise Description

In this exercise, your goal is to create Profiling and Authorization Policies.

Exercise Objective

In this exercise, your goal is to verify your Profiles and Authorization Policies for your Profiled Endpoints by validating the authentication session and its policy.

Lab Exercise Steps

Step 1 We now want to create our own Profile based on more specific information than the generic “Cisco-Device” profile that some of these endpoints are being profiled into.

Step 2 Go to Administration > Identity Management > Identities > Endpoints

a. You should now see a few Endpoints profiled as “Cisco-Device”

b. Click on the MAC address that is connected to port Gi 0/2

c. Under the attribute details, look for information that identifies the device type. You should find it in the CDP information collected by the SNMP Probe.

d. Write down the cdp Platform information. For example, CIVS-IPC-4500

e. Also note the MAC OUI information = Cisco Systems

Example output below:

Step 3 Go to Policy > Policy Elements > Conditions > Profiling to create a matching rule for the device attribute information to be used in a Profiling Policy.


Step 4 Under Profiling Conditions click Create.

a. Name = cdpIPCAMERA

b. Type = SNMP

c. Attribute Name = cdpCachePlatform

d. Operator = Contains

e. Attribute Value = CIVS-IPC

Step 5 Click Submit.

Note: Cisco OUI Conditions are already created.

Step 6 Now go to Policy > Profiling > Profiling Policies

Step 7 Click Create.

a. Name the Policy = MY_IP_Cameras

b. Policy Enabled = Checked


c. Minimum Certainty Factor = 25

d. Exception Action = None

e. Create Matching Identity Group = Enabled (This will be used later in our Authorization Policy)

f. Parent Policy = None

g. Rules:

i. If Condition Cisco-DeviceRule1Check1 Then Certainty Factor Increases 10

ii. If Condition cdpIPCAMERA Then Certainty Factor Increases 25

Step 8 Click Submit.

Step 9 Go to Administration > Identity Management > Groups > Endpoint Identity Groups and verify the new Identity Group = MY_IP_Cameras
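The following is an added example, not code from the lab guide or from Cisco ISE: a small model of how the MY_IP_Cameras profiling policy built in Steps 4 – 8 scores an endpoint and decides whether it lands in the Profiled:MY_IP_Cameras identity group. Condition names, attribute names and certainty values are the ones entered in the lab; the endpoint records and the assumed "OUI" attribute behind the pre-created Cisco OUI condition are constructed for this example.

```python
"""Added example, not code from the lab guide or from Cisco ISE: a minimal
model of how the MY_IP_Cameras profiling policy from Steps 4-8 scores an
endpoint. Condition names, attribute names and certainty values are the ones
entered in the lab; the endpoint records and the 'OUI' attribute used for the
Cisco OUI check are constructed assumptions of this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A profiling condition is a predicate over the attributes the probes collected.
Condition = Callable[[Dict[str, str]], bool]


def contains(attr: str, value: str) -> Condition:
    """Operator 'Contains': attribute present and value is a substring of it."""
    return lambda attrs: value in attrs.get(attr, "")


def equals(attr: str, value: str) -> Condition:
    """Operator 'Equals': attribute present and exactly equal to value."""
    return lambda attrs: attrs.get(attr) == value


CONDITIONS: Dict[str, Condition] = {
    # Step 4: Type = SNMP, Attribute = cdpCachePlatform, Operator = Contains,
    # Value = CIVS-IPC (matches the camera's platform string CIVS-IPC-4500).
    "cdpIPCAMERA": contains("cdpCachePlatform", "CIVS-IPC"),
    # Pre-created Cisco OUI condition referenced in Step 7g; modelled here as an
    # equality check on an assumed 'OUI' attribute (Step 2e shows 'Cisco Systems').
    "Cisco-DeviceRule1Check1": equals("OUI", "Cisco Systems"),
}


@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int                      # Minimum Certainty Factor (Step 7c)
    rules: List[Tuple[str, int]]            # (condition name, CF increase) (Step 7g)
    enabled: bool = True                    # Policy Enabled (Step 7b)


def score(policy: ProfilingPolicy, attrs: Dict[str, str]) -> int:
    """Total certainty factor: sum of the increases of every rule that matches."""
    if not policy.enabled:
        return 0
    return sum(cf for cond, cf in policy.rules if CONDITIONS[cond](attrs))


def matches(policy: ProfilingPolicy, attrs: Dict[str, str]) -> bool:
    """An endpoint is profiled into the policy once its CF reaches the minimum."""
    return score(policy, attrs) >= policy.min_certainty


# Steps 7a-7g as entered in the lab.
MY_IP_CAMERAS = ProfilingPolicy(
    name="MY_IP_Cameras",
    min_certainty=25,
    rules=[("Cisco-DeviceRule1Check1", 10), ("cdpIPCAMERA", 25)],
)


def identity_group(attrs: Dict[str, str]) -> Optional[str]:
    """Group assigned when 'Create Matching Identity Group' is enabled (Step 7e)."""
    return "Profiled:MY_IP_Cameras" if matches(MY_IP_CAMERAS, attrs) else None


# Constructed endpoints resembling attributes the SNMP probe collects via CDP.
CAMERA = {"OUI": "Cisco Systems", "cdpCachePlatform": "CIVS-IPC-4500"}
PHONE = {"OUI": "Cisco Systems", "cdpCachePlatform": "Cisco IP Phone 7965"}
LAPTOP = {"OUI": "Intel Corporate", "dhcp-class-identifier": "MSFT 5.0"}

if __name__ == "__main__":
    for label, ep in (("camera", CAMERA), ("phone", PHONE), ("laptop", LAPTOP)):
        print(f"{label:7s} CF={score(MY_IP_CAMERAS, ep):2d} group={identity_group(ep)}")
```

The OUI rule alone contributes 10, below the minimum of 25, so a Cisco IP phone stays out of the camera group; only an endpoint whose CDP platform contains CIVS-IPC reaches 35 and is placed in Profiled:MY_IP_Cameras.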


Step 10 Go to Policy > Authorization

Step 11 Create a new Authorization Policy

a. Rule Name = Profiled IP_Cameras

b. Identity Groups = MY_IP_Cameras

c. Other Conditions = None

d. Permissions = PermitAccess


Step 12 Click Save.

Step 13 Verify you have a default Authentication rule for MAB. This is crucial to make sure the MAB authentication is matched and that Internal Endpoints is used as the identity store, because profiled endpoints are stored in that identity store.

a. Go to Policy > Authentication:

b. The MAB authentication rule states:

If a Wired_MAB [Radius:Service-Type=10(Call Check) and Radius:NAS-Port-Type=15(Ethernet)] request is matched and has the allowed Protocols defined in the Default Network Access policy, then use Internal Endpoints as the Identity Store.
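The following is an added example, not code from the lab guide or from ISE: it parses the attribute lines of the debug radius authentication Access-Request shown in Exercise 2 and evaluates the Wired_MAB compound condition from Step 13b (Radius:Service-Type=10 Call Check and Radius:NAS-Port-Type=15 Ethernet). The debug lines are copied from the lab output; the identity-store selection is this example's own simplification of the ISE authentication rule, and the non-MAB variant is constructed.

```python
"""Added example, not code from the lab guide or ISE: parse the attribute
lines of the 'debug radius authentication' Access-Request shown in Exercise 2
and evaluate the Wired_MAB compound condition from Step 13b
(Radius:Service-Type=10 Call Check AND Radius:NAS-Port-Type=15 Ethernet).
The debug lines are copied from the lab output; the rule evaluation is this
example's simplification of the ISE authentication policy."""
import re
from typing import Dict, List, Optional, Tuple

# 'RADIUS: <name> [<type>] <len> <value>'; some names (Message-Authenticato[80])
# run straight into the bracket in IOS output, so the space before '[' is optional.
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[A-Za-z][\w -]*?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<val>.*)$"
)
# Enumerated values print as '<text> [<code>]', e.g. 'Call Check [10]'.
ENUM_RE = re.compile(r"^(?P<text>.*?)\s*\[(?P<code>\d+)\]$")

Attr = Tuple[int, str, Optional[int]]   # (attribute type, value, enum code)


def parse_access_request(lines: List[str]) -> Dict[str, Attr]:
    """Collect the attributes of one Access-Request, keyed by attribute name."""
    attrs: Dict[str, Attr] = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if not m:
            continue   # timestamps, 'Send Access-Request', authenticator, Vendor header
        val, code = m.group("val").strip(), None
        e = ENUM_RE.match(val)
        if e:
            val, code = e.group("text"), int(e.group("code"))
        attrs[m.group("name")] = (int(m.group("type")), val.strip('"'), code)
    return attrs


def is_wired_mab(attrs: Dict[str, Attr]) -> bool:
    """Wired_MAB = Service-Type is Call Check (10) AND NAS-Port-Type is Ethernet (15)."""
    service_type = attrs.get("Service-Type", (0, "", None))[2]
    port_type = attrs.get("NAS-Port-Type", (0, "", None))[2]
    return service_type == 10 and port_type == 15


def identity_store(attrs: Dict[str, Attr]) -> Optional[str]:
    """Step 13b: a matched Wired_MAB request is looked up in Internal Endpoints."""
    return "Internal Endpoints" if is_wired_mab(attrs) else None


# Lines from the lab's debug output (Exercise 2, Step 8).
DEBUG_LINES = [
    '*Apr 20 14:40:45.339: RADIUS(00000011): Send Access-Request to 10.1.100.21:1812 id 1645/56, len 206',
    '*Apr 20 14:40:45.339: RADIUS: User-Name [1] 14 "001ee599fc5b"',
    '*Apr 20 14:40:45.339: RADIUS: User-Password [2] 18 *',
    '*Apr 20 14:40:45.339: RADIUS: Service-Type [6] 6 Call Check [10]',
    '*Apr 20 14:40:45.339: RADIUS: Framed-MTU [12] 6 1500',
    '*Apr 20 14:40:45.348: RADIUS: Calling-Station-Id [31] 19 "00-1E-E5-99-FC-5B"',
    '*Apr 20 14:40:45.348: RADIUS: Vendor, Cisco [26] 49',
    '*Apr 20 14:40:45.348: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0164010000000F04A3DB09"',
    '*Apr 20 14:40:45.348: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]',
    '*Apr 20 14:40:45.348: RADIUS: NAS-Port-Id [87] 17 "GigabitEthernet0/2"',
    '*Apr 20 14:40:45.348: RADIUS: NAS-IP-Address [4] 6 10.1.250.2',
]
# Constructed variant: same request but with a Framed service type, so it is not MAB.
NON_MAB_LINES = [l.replace("Service-Type [6] 6 Call Check [10]", "Service-Type [6] 6 Framed [2]")
                 for l in DEBUG_LINES]

if __name__ == "__main__":
    req = parse_access_request(DEBUG_LINES)
    print(req["User-Name"][1], req["NAS-Port-Id"][1], "Wired_MAB:", is_wired_mab(req),
          "store:", identity_store(req))
```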


Step 14 Go to the 3k-access switch and bounce interface Gi0/2 by using shut / no shut

Step 15 Verify the MAB request was successful and the device was authorized under the “Profiled IP_Cameras” Authorization Policy.

a. Go to Monitor > Authentications

Step 16 Click on the details icon to get more detailed information. There are details worth pointing out based on the configurations:

a. Authentication Method = MAB

b. Username = MAC address of your device

c. NAS Port ID = the port the device is connected to

d. Service Type = Call Check

e. Identity Store = Internal Endpoints

f. Identity Group = Profiled:MY_IP_Cameras

g. Authorization Policy Matched Rule = Profiled IP Cameras


End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 5: Verify the IP Phone Default Policy

Exercise Description

Verify the IP phone is authorized and active.

Exercise Objective

In this exercise, your goal is to verify the IP Phone has been successfully authenticated and authorized by ISE. ISE ships with a pre-configured Authorization Policy for Cisco IP Phones for convenience.

Lab Exercise Steps

Step 1 On the 3k-access switch, shut down port Gi0/1 using the shutdown command.

Step 2 Use no shutdown to bounce the link for a new MAB request.

Step 3 Verify the authentication and authorization were successful on the switch. The console log shows MAB starting, authenticating, and then being authorized for the phone's MAC address on Gi0/1:

    *Apr 22 15:00:14.654: %AUTHMGR-5-START: Starting 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
    *Apr 22 15:00:14.914: %MAB-5-SUCCESS: Authentication successful for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
    *Apr 22 15:00:14.914: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
    *Apr 22 15:00:15.954: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0

Step 4 On the 3k-access switch, enter the command show authentication sessions interface Gi0/1.
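The following is an added example, not code from the lab guide or from IOS: it correlates the %AUTHMGR and %MAB syslog lines from Step 3 per AuditSessionID, so the check "MAB authenticated AND the switch authorized the session on this port" can be scripted instead of read by eye. The first four lines are the lab's own output; the Gi0/2 session with a failed MAB attempt is constructed to show what an incomplete session looks like.

```python
"""Added example, not code from the lab guide or IOS: correlate %AUTHMGR / %MAB
syslog lines per AuditSessionID so a script can confirm that MAB authentication
AND authorization both succeeded on a port. The first four lines are the lab's
own output; the failed Gi0/2 session is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Common shape of the AUTHMGR/MAB messages: mnemonic, client MAC, interface, session id.
LINE_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+): .*?client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)


@dataclass
class Session:
    mac: str
    interface: str
    methods_started: List[str] = field(default_factory=list)
    auth_result: Optional[str] = None     # 'success' / 'failed' reported by the method
    authorized: Optional[bool] = None     # %AUTHMGR-5-SUCCESS (True) / %AUTHMGR-5-FAIL (False)

    def mab_ok(self) -> bool:
        """True only when MAB ran, authenticated, and the switch applied the authorization."""
        return ("mab" in self.methods_started
                and self.auth_result == "success"
                and self.authorized is True)


def correlate(lines: List[str]) -> Dict[str, Session]:
    """Group syslog lines by AuditSessionID and fold each into a Session state."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("sid"), Session(m.group("mac"), m.group("intf")))
        mnemonic = m.group("mnemonic")
        if mnemonic == "AUTHMGR-5-START":
            s.methods_started.append(re.search(r"Starting '(\w+)'", line).group(1))
        elif mnemonic == "AUTHMGR-7-RESULT":
            s.auth_result = re.search(r"result '(\w+)'", line).group(1)
        elif mnemonic == "MAB-5-SUCCESS":
            s.auth_result = "success"
        elif mnemonic == "MAB-5-FAIL":
            s.auth_result = "failed"
        elif mnemonic == "AUTHMGR-5-SUCCESS":
            s.authorized = True
        elif mnemonic == "AUTHMGR-5-FAIL":
            s.authorized = False
    return sessions


def port_verified(lines: List[str], interface: str) -> Optional[str]:
    """Return the MAC with a fully successful MAB session on `interface`, else None."""
    for s in correlate(lines).values():
        if s.interface == interface and s.mab_ok():
            return s.mac
    return None


SYSLOG_LINES = [
    # Lab output (Exercise 5, Step 3): the IP phone on Gi0/1.
    "*Apr 22 15:00:14.654: %AUTHMGR-5-START: Starting 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0",
    "*Apr 22 15:00:14.914: %MAB-5-SUCCESS: Authentication successful for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0",
    "*Apr 22 15:00:14.914: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0",
    "*Apr 22 15:00:15.954: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0",
    # Constructed: a second endpoint on Gi0/2 whose MAB attempt was rejected.
    "*Apr 22 15:01:02.100: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000001F0F0300AA",
    "*Apr 22 15:01:02.400: %MAB-5-FAIL: Authentication failed for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000001F0F0300AA",
]

if __name__ == "__main__":
    for sid, s in correlate(SYSLOG_LINES).items():
        print(sid, s.interface, s.mac, "MAB ok" if s.mab_ok() else "incomplete/failed")
```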


    3k-access# sh authentication sessions int Gi0/1
    Interface: GigabitEthernet0/1
    MAC Address: 1c17.d341.d18b
    IP Address: Unknown
    User-Name: 1C-17-D3-41-D1-8B
    Status: Authz Success
    Domain: VOICE
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-auth
    Oper control dir: both
    Authorized By: Authentication Server
    ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A0164010000002A24BB3A47
    Acct Session ID: 0x0000002B
    Handle: 0x1D00002A

    Runnable methods list:
    Method State
    dot1x Failed over

Step 5 Log into the ISE GUI and verify the authentication. Go to Monitor > Authentications.


Step 6 Click on the MAC address for the IP Phone connected to Gi0/1:

Step 7 Look into the details of the authentication and authentication result to verify the details of the default permissions.

Step 8 Notice the cisco-av-pair=device-traffic-class=voice attribute, which tells the switch this MAC belongs to the voice VLAN.


Note: The IP Phone Authorization Profile details can be found here: Policy > Policy Elements > Results > Authorization Profiles > Cisco_IP_Phones

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 6: Profiler Logging and Reporting

Exercise Description

Understand the Profiler's logging and reporting capabilities.

Exercise Objective

In this exercise you enable debug logging and generate a profiled endpoint report.

Lab Exercise Steps

Step 1 You can create different Endpoint reports from Profiling.

a. Go to Monitor > Reports > Catalog > Endpoint

b. Click on the Endpoint Profiler Summary

c. You can run a report from the last 30 minutes to the last 30 Days

Step 2 You will get the output of the endpoints logged for the day and the Policy the endpoint has been profiled into.


Step 3 You can enable Profiler Log collection to Debug for advanced troubleshooting

a. Go to Administration > System > Logging > Debug Log Configuration

b. Select ise-1 from right pane

c. Scroll down the list and click on the Profiler radio button.

d. Click on current log setting to display a drop-down list.

e. Set the Log setting to DEBUG.

f. Click Save.

Step 4 To display the debug logs go to Monitor > Troubleshoot > Download Logs > ISE-1

Under the Debug log type select profiler.log

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Appendix: Additional Resources

SNMP Attributes

MAC Notification:

• MacStatus

• Vlan

• MACAddress

• dot1dBasePort

• MoveFromPort (for MAC move notification)

• MoveToPort (for MAC move notification)

• Timestamp

Link Notification:

• ifIndex

• ifAdminStatus

• ifOperStatus

• ifDescr

• ifType

• ifSpeed

• ifPhysAddress

Switch Information MIB walk:

• Switch IP Address/Subnet

• Switch Description if available

• sysUpTime

• sysContact

• sysName

• sysLocation

• Switch ifIndex

• All portIfIndex

• Configured Vlan information (VLAN state, name, port, ifIndex)


CDP Information

• cdpCacheVersion

• cdpCacheNativeVLAN

• cdpCacheDevicePort

• MACAddress

• cdpCacheLastChange

• cdpCacheAddressType

• cdpCacheDeviceId

• cdpCacheAddress

• cdpCachePlatform

• cdpCacheCapabilities

• cdpCacheDuplex

CISCO-AUTH-FRAMEWORK-MIB

• cafSessionAuthorizedBy

• cafSessionAuthUserName

• cafSessionAuthVlan

• cafSessionClientMacAddress

• cafSessionDomain

• cafSessionStatus

• VlanName

DHCP Attributes

Any attribute parsed out of the DHCP traffic will be mapped into an endpoint attribute. For a list of possible attributes see:

http://www.iana.org/assignments/bootp-dhcp-parameters/

HTTP User Agent

The browser user agent as well as any http attributes present will be captured and added to the endpoint to add to the profiling capability. For a full list of possible attributes see:

http://www.rfc-editor.org/rfc/rfc2616.txt


DNS Probe

Upon endpoint creation, a DNS lookup will try to determine the endpoint's FQDN, which is added to the endpoint as a new FQDN attribute. The reverse DNS lookup is only done when an endpoint detected by the DHCP, RADIUS, SNMP or HTTP probes contains one of the following attributes. This means that, for the DNS lookup to work, at least one of the following probes needs to be started along with the DNS probe.

• DHCP IP Helper, DHCP Span – “dhcp-requested-address”

• Radius Probe – “Framed-IP-Address”

• SNMP Probe – “cdpCacheAddress”

• HTTP Probe – “Source IP”

Radius Attributes

RADIUS attributes from both the request and the response are collected and assigned to endpoints. For a list of RADIUS attributes, see the RFCs referenced at http://en.wikipedia.org/wiki/RADIUS.

Netflow Attributes

Any and all attributes sent through NetFlow are collected. Please consult http://www.faqs.org/rfcs/rfc3954.html for details on NetFlow attributes. Here is a sample:

• IN_BYTES

• IN_PKTS

• FLOWS

• PROTOCOL

• TOS

• TCP_FLAGS

• L4_SRC_PORT

• IPV4_SRC_ADDR

• SRC_MASK

• L4_DST_PORT

• IPV4_DST_ADDR

• DST_MASK

• IPV4_NEXT_HOP

• LAST_SWITCHED

• FIRST_SWITCHED

• OUT_BYTES

• OUT_PKTS

• IPV6_SRC_ADDR

• IPV6_DST_ADDR

• IPV6_SRC_MASK

• IPV6_DST_MASK

• IPV6_FLOW_LABEL

• ICMP_TYPE

• DST_TOS

• SRC_MAC

• DST_MAC

• SRC_VLAN

• DST_VLAN


• IP_PROTOCOL_VERSION

• DIRECTION

End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.