Lab Guide ISE 1 2 Bootstrap


ISE 1.2 Bootstrap Lab Guide

Nexus

Identity Services Engine (ISE) Bootstrapping Lab Guide

Developers

This lab was created by: Aruna Yerragudi, Technical Marketing Engineer, Secure Access and Mobility Product Group, Cisco Systems.

Lab Overview

The student will install ISE, and use the Setup Wizard to get the basic configuration needed for wired user authentication and verify the user authentication. The student will also configure a wired switch using the CLI commands list generated by the Setup Wizard.

Lab participants should be able to complete the lab within the allotted lab time of 2 hours.

Lab Exercises

This lab guide includes the following exercises:

• Lab Exercise 1: Installation Verification
• Lab Exercise 2: Setup Wizard
• Lab Exercise 3: Wired Switch Configuration
• Lab Exercise 4: Wired User Authentication Verification


Product Overview

Cisco Secure Access and TrustSec™ is the Borderless Network access control solution, providing visibility into and control over devices and users in the network.

Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time information from the network, users, and devices. ISE then uses this information to make proactive governance decisions by enforcing policy across the network infrastructure using built-in, standards-based controls. Cisco ISE offers:

• Security: Secures your network by providing real-time visibility into and control over the users and devices on your network.

• Compliance: Enables effective corporate governance by creating consistent policy across an infrastructure.

• Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive tasks and streamlining service delivery.

• Enablement: Allows IT to support a range of new business initiatives, such as bring your own device (BYOD), through policy-enabled services.


Lab Topology

Lab IP and VLANs

Internal IP Addresses

Device                                       Name/Hostname                          IP Address
Access Switch (3560X)                        3k-access.demo.local                   10.1.100.1
Data Center Switch (3560CG)                  3k-data.demo.local                     10.1.129.3
Wireless LAN Controller (2504)               wlc.demo.local                         10.1.100.61
Wireless Access Point (2602i)                ap.demo.local                          10.1.90.x/24 (DHCP)
ASA (5515-X)                                 asa.demo.local                         10.1.100.2
ISE Appliance                                ise-1.demo.local                       10.1.100.21
ISE Feed Server                              ise-feedserver.demo.local              10.1.100.41
AD (AD/CS/DNS/DHCP)                          ad.demo.local                          10.1.100.10
NTP Server                                   ntp.demo.local                         128.107.212.175
MobileIron                                   mobileiron.demo.local                  10.1.100.15
Mail                                         mail.demo.local                        10.1.100.40
LOB Web                                      lob-web.demo.local                     10.1.129.12
                                             portal.demo.local, updates.demo.local  10.1.129.8
                                             business.demo.local                    10.1.129.9
                                             it.demo.local                          10.1.129.10
                                             records.demo.local                     10.1.129.11
LOB DB                                       lob-db.demo.local                      10.1.129.20
Admin (Management) Client (also FTP Server)  admin.demo.local, ftp.demo.local       10.1.100.6
Windows 7 Client PC                          w7pc-guest.demo.local                  10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN   VLAN Name       IP Subnet       Description
10     ACCESS          10.1.10.0/24    Authenticated users or access network using ACLs
20     MACHINE         10.1.20.0/24    Microsoft machine-authenticated devices (L3 segmentation)
(29)   IC-ASA-ACCESS   10.1.29.0/24    Interconnect subnet between ASA and Access switch
30     QUARANTINE      10.1.30.0/24    Unauthenticated or non-compliant devices (L3 segmentation)
40     VOICE           10.1.40.0/24    Voice VLAN
50     GUEST           10.1.50.0/24    Network for authenticated and compliant guest users
90     AP              10.1.90.0/24    Wireless AP VLAN
100    Management      10.1.100.0/24   Network services (AAA, AD, DNS, DHCP, etc.)
129    WEB             10.1.129.0/24   Line-of-business Web servers
130    DB              10.1.130.0/24   Line-of-business Database servers

Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.


Accounts and Passwords

Access To                                 Account (username/password)
Access Switch (3560X)                     admin / ISEisC00L
Data Center Switch (3560X)                admin / ISEisC00L
Wireless LAN Controller (2504)            admin / ISEisC00L
ASA (5515-X)                              admin / ISEisC00L
ISE Appliances                            admin / ISEisC00L
AD (CS/DNS/DHCP/DHCP)                     admin / ISEisC00L
Web Servers                               admin / ISEisC00L
Admin (Management) Client                 admin / ISEisC00L
Windows 7 Client                          W7PC-1\admin / ISEisC00L
  (Local = W7PC-guest)                    DEMO\admin / ISEisC00L
  (Domain = DEMO)                         DEMO\employee1 / ISEisC00L

Connecting to Lab Devices

Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.

Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

Connect to a POD

Step 1 In the LabOps student portal, click on the Topology tab. Click on the Admin PC, then click on the RDP Client option that appears.

Step 2 Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in as admin / ISEisC00L

Note: All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines

Step 1 During the lab exercises, you may need to access and manage the computers running as virtual machines.


Step 1 From the Admin client PC, click the VMware vSphere Client icon on the taskbar.

Step 2 Click OK when the VMware vSphere Client starts.

Step 3 Once logged in, you will see a list of VMs that are available on your ESX server.

Note: The p##_admin VM may not be visible when you log in as the student.

Step 4 This lab uses the following VMs:

• p##_ad
• p##_ise-1-bootstrap
• p##_lob-web
• p##_w7pc-guest

Note: ## refers to the pod number that you are assigned to. For example, for POD 2, p##_ad would be p02_ad.

Step 5 You have the ability to power on, power off, or open the console (view) of these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options.

Note: This is for information purposes only. All the required VMs are already turned on, so DO NOT turn on any other VMs.

Step 6 To access the VM console, select Open Console from the drop-down.

Step 7 To log in to a Windows VM, select Guest > Send Ctrl+Alt+Del from the VM Console menu.


Connect to Lab Device Consoles

Step 1 To access the lab switches and ISE servers using SSH:

a. From the Admin client PC, locate the PuTTY shortcut on the taskbar. Click on the PuTTY shortcut and it shows a list of devices and ISE servers.

b. Select the device that you’d like to log in to and double-click on it.

c. If prompted, click Yes to cache the server host key and to continue login.

d. Log in using the credentials listed in the Accounts and Passwords table.


Pre-Lab Setup Instructions

Basic Connectivity Test

Step 1 To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC.

Step 2 Verify that ping succeeds for all devices tested by the script.

Note: The ping test may fail for VMs that have not yet completed the boot process.


Lab Exercise 1: Basic Installation Check

Exercise Description

While ISE comes preinstalled when ordered on a physical appliance, there are times when a physical appliance may need to be reinstalled (also known as reimaging). For virtual machine environments, ISE will need to be freshly installed into the virtual machine. Installation of ISE consists of:

• booting from the ISE ISO image
• starting the installation process, which installs the operating system and the ISE application
• completing a ‘setup’ dialog: the installation pauses and the dialog must be completed before the installation resumes and completes

For the installation steps and for configuring Cisco ISE, refer to
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp1114266

Exercise Objective

In this exercise, you will:

• log in to ISE and perform basic installation checks

Lab Exercise Steps

Step 1 Log in to the virtual machine console of the VM named p##_ise-1-bootstrap. You should see the following prompt:

    ise-1 login:

Step 2 Log in using the credentials admin/ISEisC00L.

Note: You can use the VM console interface to access the ISE CLI, or you may SSH to ISE. On a physical appliance, the serial port or the keyboard and video may be used to access the ISE CLI.

Step 3 Enter ‘show run’ to confirm the setup settings you entered, and also to see other settings and their default values.

Step 4 Use these commands to answer the following questions:

Command
    show version
    show inventory
    show application status ise

• What is the name of the operating system?
• What is the full version number of the operating system?
• What is the full version number of ISE?
• What is the ISE product ID (PID)?
• What is the ISE serial number (SN)?
• How much RAM does this VM have?
• How many CPUs?
• What is the disk capacity?
• How many NICs does it have?
• What are the ISE processes?

Step 5 Confirm that time synchronization is working.

a. Immediately after the primary NTP server is configured, you will see that ISE is in an unsynchronized state:

    ise-1/admin# show ntp
    Configured NTP Servers:
    ntp.demo.local

    unsynchronised
    polling server every 64 s

         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     127.127.1.0     .LOCL.          10 l   17   64  377    0.000    0.000   0.001
    *128.107.212.175 10.81.254.131    2 u   12   64  377    0.732   -9.929   3.790

    * Current time source, + Candidate

    Warning: Output results may conflict during periods of changing synchronization.

After a few minutes, ISE should synchronize with the primary NTP server. The asterisk indicates which time server it has synchronized with:

    ise-1/admin# sh ntp
    Configured NTP Servers:
    ntp.demo.local

    synchronised to NTP server (128.107.212.175) at stratum 3
    time correct to within 82 ms
    polling server every 1024 s

         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     127.127.1.0     .LOCL.          10 l   25   64  377    0.000    0.000   0.001
    *128.107.212.175 10.81.254.131    2 u  686 1024  377    1.004    0.876   1.182

    * Current time source, + Candidate

    Warning: Output results may conflict during periods of changing synchronization.

If you see that ISE has synchronized to the local machine as shown below, that should be a warning sign that NTP time synchronization is not working:

    ise-pap-1/admin# show ntp
    Primary NTP : ntp.demo.local

    synchronised to local net at stratum 11
    time correct to within 10 ms
    polling server every 1024 s

         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *127.127.1.0     .LOCL.          10 l    5   64  377    0.000    0.000   0.001
     128.107.212.175 .LOCL.           4 u 1026 1024  377    0.478  -866.81  60.476

    Warning: Output results may conflict during periods of changing synchronization.

Note: Synchronization with the NTP server may not be immediate. You may need to wait 10-15 minutes for ISE to select the NTP server over the local clock – please be patient
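The three show ntp states from Step 5, turned into a check that classifies the output and reports when the status line and the peer table disagree (an added example, not part of the original lab guide). The sample strings are constructed from the outputs shown above; the function name and result keys are assumptions of this example.

```python
import re

# Status line that ISE prints above the peer table.
STATUS = re.compile(
    r"^\s*(?:(?P<unsync>unsynchronised)"
    r"|synchronised to (?P<what>.+?) at stratum (?P<stratum>\d+))\s*$")
# Peer row columns: remote refid st t when poll reach delay offset jitter
PEER = re.compile(
    r"^\s*(?P<tally>[*+]?)(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\d+"
    r"\s+\S\s+\S+\s+\d+\s+\d+\s+-?[\d.]+\s+(?P<offset>-?[\d.]+)\s+-?[\d.]+\s*$")
LOCAL_CLOCK = "127.127."  # NTP reference-clock pseudo addresses (local clock)


def check_show_ntp(text):
    """Classify show ntp output: synchronised, unsynchronised or local-clock."""
    state, source, stratum, selected, offsets = "unknown", None, None, None, {}
    for line in text.splitlines():
        s = STATUS.match(line)
        if s:
            if s["unsync"]:
                state = "unsynchronised"
            else:
                ip = re.search(r"\(([\d.]+)\)", s["what"])
                source = ip.group(1) if ip else s["what"]
                state = "synchronised" if ip else "local-clock"
                stratum = int(s["stratum"])
            continue
        p = PEER.match(line)
        if p:
            offsets[p["remote"]] = float(p["offset"])  # milliseconds
            if p["tally"] == "*":
                selected = p["remote"]
    # The status line and the '*' tally can disagree while synchronization is
    # changing (the warning ISE prints); keep the status line, flag the conflict.
    conflict = (state == "unsynchronised" and selected is not None) or (
        state == "synchronised" and selected != source)
    if state != "unsynchronised" and selected and selected.startswith(LOCAL_CLOCK):
        state = "local-clock"
    return {"state": state, "ok": state == "synchronised" and not conflict,
            "source": source, "stratum": stratum, "selected_peer": selected,
            "conflict": conflict, "offsets_ms": offsets}


# Constructed samples, copied from the three outputs in Step 5.
JUST_CONFIGURED = """\
Configured NTP Servers:
ntp.demo.local
unsynchronised
polling server every 64 s
remote refid st t when poll reach delay offset jitter
127.127.1.0 .LOCL. 10 l 17 64 377 0.000 0.000 0.001
*128.107.212.175 10.81.254.131 2 u 12 64 377 0.732 -9.929 3.790
* Current time source, + Candidate
"""
SYNCED = """\
Configured NTP Servers:
ntp.demo.local
synchronised to NTP server (128.107.212.175) at stratum 3
time correct to within 82 ms
remote refid st t when poll reach delay offset jitter
127.127.1.0 .LOCL. 10 l 25 64 377 0.000 0.000 0.001
*128.107.212.175 10.81.254.131 2 u 686 1024 377 1.004 0.876 1.182
"""
LOCAL_ONLY = """\
Primary NTP : ntp.demo.local
synchronised to local net at stratum 11
time correct to within 10 ms
remote refid st t when poll reach delay offset jitter
*127.127.1.0 .LOCL. 10 l 5 64 377 0.000 0.000 0.001
128.107.212.175 .LOCL. 4 u 1026 1024 377 0.478 -866.81 60.476
"""

if __name__ == "__main__":
    for name, sample in [("just configured", JUST_CONFIGURED),
                         ("synced", SYNCED), ("local only", LOCAL_ONLY)]:
        print(name, check_show_ntp(sample))
```
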


Lab Exercise 2: Setup Wizard

Exercise Description

This exercise walks you through the steps of the Setup Wizard. The wizard lets you select wired and wireless networks and user and/or guest access; enable profiling, posture, and BYOD; enter the Network Device details; pick either Active Directory or the ISE Internal database for the user information; and specify the subnets that need to be protected from guest access.

Exercise Objective

In this exercise, your goal is to:

• familiarize yourself with the Setup Wizard
• use the Setup Wizard to configure the wired user authentication

Lab Exercise Steps

Step 1 Start a web session with ISE. From the Admin PC:

a. Open a Firefox browser window and browse to http://ise-1.demo.local

b. The session will be redirected to the secure login page, https://ise-1.demo.local/admin

c. You will be asked to confirm a security exception. Confirm the security exception.

   i. What is the security exception?

   ii. Examine the web site’s certificate. Who is the certificate issuer?

Step 2 Log in using the ISE credentials admin/ISEisC00L

Step 3 When logging in for the first time, ISE is installed with the Eval License, and the message below will pop up. Check the box next to Do not show this message again and click OK.

Note: The above window will not appear in the lab as the ISE image has been installed with a 5 year license.


Step 4 When logging in for the first time, the Setup Assistant Wizard pops up.

a. Select the “Don’t ask me again” check box if you do not wish to see this on further logins, and click Yes to launch the Setup Assistant.

b. If you selected No for the Setup Assistant Wizard and would like to re-launch it, the Setup Assistant Wizard can be launched from the top right-hand corner. Select the “Run setup assistant” option.

Step 5 The first screen of the Setup Assistant gathers the basic details about the type of deployment. For this lab, select the options as follows:

a. Since we will not be using IP phones, uncheck the box next to Cisco Unified IP Phones.

b. Click Next to go to Configure Network Access Service.

Step 6 In Configure Network Access Service, we’ll be selecting the various options and specifying the required information for each option.

a. For Do you want to authenticate users using Cisco ISE?, select Yes.

b. Select the checkbox next to Join the Active Directory domain and enter the following:

   i. Domain: demo.local

   ii. Administrator Name: admin

   iii. Administrator Password: ISEisC00L

c. Click Join Active Directory domain to join the AD domain.

d. Once the join succeeds, the option Select an AD group is shown. Scroll down and select the group as shown below.

Step 7 Next, proceed to selecting the other options. Since we are using the Setup Wizard to do the Wired User Authentication, we’ll be skipping over some of the options.

a. Skip the question for Posture.

b. Select Yes for Do you want to enable endpoint profiling?

   i. For the SNMP string, enter ISEisC00L

c. Leave all the other options at the default No.

Click Next to go to the Network Devices section.

Step 8 At this point you should be in the Select Network Devices section. Enter the information for the Network Device under test as shown below.

a. Click the checkbox next to Cisco Catalyst 3560 Series Switches.

b. For the other details, enter the information as below:

   i. Device Name: 3K-Access

   ii. Device IP Address: 10.1.100.1/32

   iii. Employee VLAN Id: 10

   iv. Employee Switched VLAN Interface: 10.1.10.1/24

   v. DHCP Server IP address: 10.1.100.10

   vi. Default Gateway IP address: 10.1.29.1

   vii. Uplink IP Address: 10.1.29.2/24

c. For RADIUS Shared Secret, enter ISEisC00L

d. Click Next to go to the next section.

Step 9 In this section, Review and Confirm Your Choices, you can review all the choices selected in the previous screens.

If there are any corrections to be made, click Previous to change the settings.

If all the information is correct, click Confirm Configuration Settings.

Step 10 At this point ISE will start generating the ISE and switch configurations. You’ll see a progress screen.

Step 11 After all the configurations are generated, you’ll see the following:

a. The following tabs are shown:

   i. Review your selection

   ii. Network Device Configuration

   iii. ISE Configurations

b. Go to the Network Device Configuration tab and copy and paste the switch configuration into Notepad on the Admin PC. We’ll use some of these commands to configure the switch in Lab Exercise 3.

c. Go to the ISE Configuration tab to verify the various ISE configurations that were auto-generated.

d. Click Exit to exit the Setup Wizard.

e. Next, go to Administration > Identity Management > External Identity Sources > Active Directory and verify the AD configuration.

f. Go to Policy > Authentication to see the Authentication policies that were generated. All the policies generated using the Setup Wizard will have the prefix AutoGen.

g. Go to Policy > Authorization to verify the Authorization rules and policies that were auto-generated using the Setup Wizard.

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 3: Wired Switch Configuration

Exercise Description

There are numerous lines of IOS configuration that are required for the TrustSec identity functionality. This exercise walks you through the key TrustSec elements of a baseline IOS configuration which were generated by the ISE Setup Wizard.

Exercise Objective

In this exercise, your goal is to review and understand the IOS baseline configurations described in this exercise.

The switch is already configured with the VLAN and the routing configurations. So, we’ll only be configuring the missing commands.

Note: Some of the CLI commands may already be pre-configured. Verify and configure only the missing CLI configs.

Lab Exercise Steps

Step 1 Log in to the 3k-access switch from the Admin PC desktop using PuTTY, with the credentials admin/ISEisC00L.

Step 2 For this entire exercise, use the switch commands that were generated by the ISE Setup Wizard in Step 11.b of Lab Exercise 2.

Step 3 From the section titled ! AAA Configuration in the switch commands, configure the AAA settings

    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius

Step 4 Enable RADIUS Change of Authorization (CoA)

    aaa server radius dynamic-author
     client 10.1.100.21 server-key ISEisC00L
    aaa session-id common

Step 5 Configure the CLI commands for device discovery

    ip dhcp snooping
    ip device tracking

Step 6 Enable 802.1X authentication globally on the switch

    dot1x system-auth-control

Step 7 Configure the RADIUS settings

    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key ISEisC00L
    radius-server vsa send accounting
    radius-server vsa send authentication

Step 8 The VLAN configuration should already be pre-configured on the switch. So, skip the VLAN configuration commands

Step 9 Enable IOS http servers for web auth

    ip http server
    ip http secure-server

Step 10 The routing configurations are already configured on the switch. DO NOT make any changes to the routing configuration

Step 11 The following logging commands are for troubleshooting and POC only and not for production networks.

    logging host 10.1.100.21 transport udp port 20514
    logging origin-id ip
    logging source-interface Vlan100

Step 12 Configure Ingress Port ACLs

    ip access-list extended ACL-DEFAULT
     remark Allow DHCP
     permit udp any eq bootpc any eq bootps
     remark Allow DNS
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host 10.1.100.21 eq 8443
     permit tcp any host 10.1.100.21 eq 443
     permit tcp any host 10.1.100.21 eq www
     permit tcp any host 10.1.100.21 eq 8905
     permit tcp any host 10.1.100.21 eq 8909
     permit udp any host 10.1.100.21 eq 8905
     permit udp any host 10.1.100.21 eq 8909
     deny ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www
     permit tcp any any eq 443
     deny ip any any

Step 13 Enable command for Profiling

    access-list 20 remark ISE Profiling SNMP probe access
    access-list 20 permit 10.1.100.21
    snmp-server community ISEisC00L RW
    snmp-server host 10.1.100.21 version 2c ISEisC00L

Step 14 Now, configure the interface level commands which include the basic identity settings on the switch ports and the identity mode. Go to the GigInterface0/1 to configure all the interface settings

    switchport access vlan 10
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action authorize vlan 10
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree bpduguard enable

Ensure that the port is not in shutdown state. If so, issue the CLI command no shutdown.
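One way to carry out the "verify and configure only the missing CLI configs" note in this exercise: compare the saved wizard commands against the switch's running configuration and list what is absent (an added example, not part of the original lab guide or of the Setup Wizard output). Assumptions of this example: the interface name GigabitEthernet0/1, one-space indentation of sub-commands, the constructed running configuration with placeholder type 7 values, and all function names.

```python
import re

# Secret-bearing tokens (RADIUS/CoA keys, SNMP communities). A running config
# may store them as "key 7 <hash>", so both sides are masked before comparing
# and the report never prints a secret. The secret values themselves are
# therefore not compared.
SECRET = re.compile(r"\b(server-key|key|community)\s+(?:\d\s+)?\S+")


def normalize(line):
    """Collapse whitespace and mask secrets."""
    return SECRET.sub(r"\1 <secret>", " ".join(line.split()))


def parse(config):
    """Map each top-level command to its indented sub-commands; '' holds globals."""
    tree, parent = {"": []}, ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and IOS comment separators
        line = normalize(raw)
        if raw[0].isspace():
            tree[parent].append(line)
        else:
            parent = line
            tree[""].append(line)
            tree.setdefault(line, [])
    return tree


def missing_commands(required, running):
    """Return (parent, command) pairs present in required but not in running."""
    want, have = parse(required), parse(running)
    out = []
    for parent, cmds in want.items():
        present = set(have.get(parent, []))
        out += [(parent, c) for c in cmds if c not in present]
    return out


# Subset of the commands from Steps 3-14, with sub-command indentation restored.
REQUIRED = """\
aaa new-model
aaa authentication dot1x default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.1.100.21 server-key ISEisC00L
ip device tracking
dot1x system-auth-control
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key ISEisC00L
snmp-server community ISEisC00L RW
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

# Constructed running configuration of a partly pre-configured switch.
RUNNING = """\
!
aaa new-model
aaa authentication dot1x default group radius
aaa server radius dynamic-author
 client 10.1.100.21 server-key 7 0000000000
!
ip device tracking
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key 7 0000000000
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
"""

if __name__ == "__main__":
    for parent, cmd in missing_commands(REQUIRED, RUNNING):
        print(f"missing under {parent or 'global config'}: {cmd}")
```
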

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 4: Wired User Authentication Verification

Exercise Description

After configuring the required policies on the ISE and doing the switch configuration, the last step is to verify that the defined policies can be used for Wired Users.

Exercise Objective

In this exercise, your goal is to verify the Wired User Authentication and understand the authorization profiles that the authentication matched with.

Lab Exercise Steps

Step 1 Open and log in to the VMware vSphere Client on the desktop of your lab console.

Step 2 If the p##_w7-pc-guest VM is not turned on already, start it by right-clicking on the VM and selecting Power > Power On.

Step 3 Right-click on the p##_w7-pc-guest VM and select Open Console.

Step 4 Log in to your Windows 7 Enterprise endpoint with the credentials admin/ISEisC00L. You may need to use the menu item (top left of the vSphere client) VM > Guest > Send Ctrl+Alt+Del to invoke the Windows login screen.

Step 5 From the Windows desktop, click Start and type services.msc. Scroll down until you see the Wired AutoConfig (not WLAN AutoConfig) service.

Step 6 Right-click Wired AutoConfig and select Properties.

Step 7 Choose Startup type: Automatic

Step 8 Start the service and select OK.

Step 9 From the Windows desktop, go to Start Menu > Control Panel > Network and Internet > Network and Sharing Center.

Step 10 Select Change Adapter Settings from the left column.

Step 11 Right-click on the network adapter called w7-pc-guest-wired and select Enable.

Step 12 Right-click again on the network adapter named w7-pc-guest-wired and select Properties from the menu.

Step 13 Click the Authentication tab (this was enabled by starting the Wired AutoConfig service) and verify the settings.

Step 14 Select Settings next to Microsoft: Protected EAP (PEAP) and uncheck Validate Server Certificate.

Step 15 For Select Authentication Method, choose Secured password (EAP-MSCHAP v2), then select Configure.

Step 16 Uncheck "Automatically use my Windows logon name and password" to prevent username/password caching and allow you to easily test many different users and groups.

Step 17 Select OK.

Step 18 Select Additional Settings.

Step 19 Enable Specify authentication mode and choose User authentication.

Step 20 Select OK and OK again to save and exit settings. The endpoint should now be ready to handle 802.1X user authentication.

Step 21 You should see a message pop up on the Windows 7 endpoint: “Additional information is needed to connect to this network”. Click on the message to view the 802.1X user authentication dialog.

Note: If you wait too long to respond, the message may disappear. If so, disable and enable the interface to get the pop-up back.

Step 22 Enter the credentials for the user account employee1/ISEisC00L

Note: Microsoft Windows does not provide any feedback for a Passed Authentication but it will re-prompt you for a failed authentication.

Step 23 Verify that your authentication passed in ISE under Operations > Authentications. You should see the authentication information in the live logs, similar to below:

Verify that the authorization profile used matches the profile defined using the Setup Wizard.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.