ISE 1.2 Bootstrap Lab Guide
Identity Services Engine (ISE) Bootstrapping Lab Guide
Developers
This lab was created by: Aruna Yerragudi, Technical Marketing Engineer, Secure Access and Mobility Product Group, Cisco Systems.
Lab Overview
The student will install ISE, and use the Setup Wizard to get the basic configuration needed for wired user authentication and verify the user authentication. The student will also configure a wired switch using the CLI command list generated by the Setup Wizard.
Lab participants should be able to complete the lab within the allotted lab time of 2 hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Installation Verification
Lab Exercise 2: Setup Wizard
Lab Exercise 3: Wired Switch Configuration
Lab Exercise 4: Wired User Authentication Verification
Product Overview
Cisco Secure Access and TrustSec™ is the Borderless Network access control solution, providing visibility into and control over devices and users in the network.
Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time information from the network, users, and devices. ISE then uses this information to make proactive governance decisions by enforcing policy across the network infrastructure, using built-in, standards-based controls. Cisco ISE offers:
• Security: Secures your network by providing real-time visibility into and control over the users
and devices on your network.
• Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
• Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive tasks and streamlining service delivery.
• Enablement: Allows IT to support a range of new business initiatives, such as bring your own
device (BYOD), through policy-enabled services.
Lab Topology
Lab IP and VLANs
Internal IP Addresses

Device | Name/Hostname | IP Address
Access Switch (3560X) | 3k-access.demo.local | 10.1.100.1
Data Center Switch (3560CG) | 3k-data.demo.local | 10.1.129.3
Wireless LAN Controller (2504) | wlc.demo.local | 10.1.100.61
Wireless Access Point (2602i) | ap.demo.local | 10.1.90.x/24 (DHCP)
ASA (5515-X) | asa.demo.local | 10.1.100.2
ISE Appliance | ise-1.demo.local | 10.1.100.21
ISE Feed Server | ise-feedserver.demo.local | 10.1.100.41
AD (AD/CS/DNS/DHCP) | ad.demo.local | 10.1.100.10
NTP Server | ntp.demo.local | 128.107.212.175
MobileIron | mobileiron.demo.local | 10.1.100.15
Mail | mail.demo.local | 10.1.100.40
LOB Web | lob-web.demo.local | 10.1.129.12
LOB Web | portal.demo.local, updates.demo.local | 10.1.129.8
LOB Web | business.demo.local | 10.1.129.9
LOB Web | it.demo.local | 10.1.129.10
LOB Web | records.demo.local | 10.1.129.11
LOB DB | lob-db.demo.local | 10.1.129.20
Admin (Management) Client (also FTP Server) | admin.demo.local, ftp.demo.local | 10.1.100.6
Windows 7 Client PC | w7pc-guest.demo.local | 10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

VLAN | VLAN Name | IP Subnet | Description
10 | ACCESS | 10.1.10.0/24 | Authenticated users or access network using ACLs
20 | MACHINE | 10.1.20.0/24 | Microsoft machine-authenticated devices (L3 segmentation)
(29) | IC-ASA-ACCESS | 10.1.29.0/24 | Interconnect subnet between ASA and Access switch
30 | QUARANTINE | 10.1.30.0/24 | Unauthenticated or non-compliant devices (L3 segmentation)
40 | VOICE | 10.1.40.0/24 | Voice VLAN
50 | GUEST | 10.1.50.0/24 | Network for authenticated and compliant guest users
90 | AP | 10.1.90.0/24 | Wireless AP VLAN
100 | Management | 10.1.100.0/24 | Network services (AAA, AD, DNS, DHCP, etc.)
129 | WEB | 10.1.129.0/24 | Line-of-business Web servers
130 | DB | 10.1.130.0/24 | Line-of-business Database servers
Accounts and Passwords

Access | Account (username/password)
Access Switch (3560X) | admin / ISEisC00L
Data Center Switch (3560X) | admin / ISEisC00L
Wireless LAN Controller (2504) | admin / ISEisC00L
ASA (5515-X) | admin / ISEisC00L
ISE Appliances | admin / ISEisC00L
AD (CS/DNS/DHCP) | admin / ISEisC00L
Web Servers | admin / ISEisC00L
Admin (Management) Client | admin / ISEisC00L
Windows 7 Client (Local = W7PC-guest, Domain = DEMO) | W7PC-1\admin / ISEisC00L, DEMO\admin / ISEisC00L, DEMO\employee1 / ISEisC00L

Connecting to Lab Devices
Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

Connect to a POD
Step 1 In the LabOps student portal, click on the Topology tab. Click on the Admin PC, then click on the RDP Client option that appears.
Step 2 Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in as admin / ISEisC00L.
Note: All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines
During the lab exercises, you may need to access and manage the computers running as virtual machines.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the taskbar
Step 2 Click OK when the VMware vSphere Client starts.
Step 3 Once logged in, you will see a list of VMs that are available on your ESX server.
Note: p##_admin VM may not be visible when you login as the student.
Step 4 This lab uses the following VMs:
p##_ad
p##_ise-1-bootstrap
p##_lob-web
p##_w7pc-guest
Note: ## refers to the pod number that you are assigned to. E.g., for POD 2, p##_ad would be p02_ad.
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options:
Note: This is for information purposes only. All the required VMs are already turned on, so DO NOT turn on any other VMs.
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Connect to Lab Device Consoles
Step 1 To access the lab switches and ISE servers using SSH:
a. From the Admin client PC, locate the PuTTY shortcut on the taskbar. Click on the PuTTY shortcut; it shows a list of devices and ISE servers.
b. Select the device that you’d like to log into and double-click on it.
c. If prompted, click Yes to cache the server host key and to continue the login.
d. Log in using the credentials listed in the Accounts and Passwords table.
Pre-Lab Setup Instructions
Basic Connectivity Test
Step 1 To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC.
Step 2 Verify that ping succeeds for all devices tested by the script.
Note: The ping test may fail for VMs that have not yet completed the boot process.
Lab Exercise 1: Basic Installation Check

Exercise Description
While ISE comes preinstalled when ordered on a physical appliance, there are times when a physical appliance may need to be reinstalled (also known as reimaging). For virtual machine environments, ISE must be freshly installed into the virtual machine. Installation of ISE consists of:
• booting from the ISE ISO image
• starting the installation process, which installs the operating system and the ISE application
• completing the ‘setup’ dialog when the installation pauses; the installation then resumes and completes.
For installation steps and for configuring Cisco ISE, refer to
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp1114266

Exercise Objective
In this exercise, you will:
• log in to ISE and perform basic installation checks

Lab Exercise Steps
Step 1 Log in to the virtual machine console of the VM named p##_ise-1-bootstrap. You should see the following prompt:
ise-1 login:
Step 2 Login using the credentials admin/ISEisC00L.
Note: You can use the VM console interface to access the ISE CLI, or you may SSH to ISE. On a physical appliance, the serial port or the keyboard and video may be used to access the ISE CLI.
Step 3 Enter ‘show run’ to confirm the setup settings you entered, and also to see other settings and
their default values.
Step 4 Use these commands to answer the following questions:
show version
show inventory
show application status ise
• What is the name of the operating system?
• What is the full version number of the operating system?
• What is the full version number of ISE?
• What is the ISE product ID (PID)?
• What is the ISE serial number (SN)?
• How much RAM does this VM have?
• How many CPUs?
• What is the disk capacity?
• How many NICs does it have?
• What are the ISE processes?
Step 5 Confirm that time synchronization is working
a. Immediately after the primary NTP server is configured, you will see that ISE is in an
unsynchronized state:
ise-1/admin# show ntp
Configured NTP Servers:
ntp.demo.local
unsynchronised
polling server every 64 s
remote refid st t when poll reach delay offset jitter
==============================================================================
127.127.1.0 .LOCL. 10 l 17 64 377 0.000 0.000 0.001
*128.107.212.175 10.81.254.131 2 u 12 64 377 0.732 -9.929 3.790
* Current time source, + Candidate
Warning: Output results may conflict during periods of changing synchronization.
After a few minutes, ISE should synchronize with the primary NTP server. The asterisk indicates
which time server it has synchronized with:
ise-1/admin# sh ntp
Configured NTP Servers:
ntp.demo.local
synchronised to NTP server (128.107.212.175) at stratum 3
time correct to within 82 ms
polling server every 1024 s
remote refid st t when poll reach delay offset jitter
==============================================================================
127.127.1.0 .LOCL. 10 l 25 64 377 0.000 0.000 0.001
*128.107.212.175 10.81.254.131 2 u 686 1024 377 1.004 0.876 1.182
* Current time source, + Candidate
Warning: Output results may conflict during periods of changing synchronization.
If you see that ISE has synchronized to the local machine as shown below, that should be a
warning sign that NTP time synchronization is not working:
ise-pap-1/admin# show ntp
Primary NTP : ntp.demo.local
synchronised to local net at stratum 11
time correct to within 10 ms
polling server every 1024 s
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 10 l 5 64 377 0.000 0.000 0.001
128.107.212.175 .LOCL. 4 u 1026 1024 377 0.478 -866.81 60.476
Warning: Output results may conflict during periods of changing synchronization.
Note: Synchronization with the NTP server may not be immediate. You may need to wait 10-15 minutes for ISE to select the NTP server over the local clock – please be patient
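The three captures above show the states a health check has to tell apart: not yet synchronised, synchronised to the real NTP server, and (the warning sign) synchronised only to the local clock 127.127.1.0. The block below is an added example, not part of the lab guide and not ISE code: it parses the same show ntp output and classifies it. The sample strings are constructed from the captures above, and the function names classify, parse_peers and ntp_healthy are the example's own.

```python
"""Classify 'show ntp' output from the ISE CLI (added example, not from the lab guide)."""
import re
from typing import Dict, List

LOCAL_CLOCK = "127.127.1.0"  # the .LOCL. pseudo-peer ntpd falls back to when no server is usable

# Peer-table row: optional tally mark, remote, refid, st, t, when, poll, reach, delay, offset, jitter
_PEER_RE = re.compile(
    r"^([*+#o-])?(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+([lu])\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)$"
)


def parse_peers(output: str) -> List[Dict]:
    """Return one dict per peer-table row; 'selected' is True for the '*' row."""
    peers = []
    for line in output.splitlines():
        m = _PEER_RE.match(line.strip())
        if not m:
            continue  # header, separator, legend and warning lines
        peers.append({
            "selected": m.group(1) == "*",
            "remote": m.group(2),
            "refid": m.group(3),
            "stratum": int(m.group(4)),
            "offset_ms": float(m.group(10)),
        })
    return peers


def classify(output: str) -> Dict:
    """Summarise the sync state the way a health check would report it."""
    peers = parse_peers(output)
    selected = next((p for p in peers if p["selected"]), None)
    if "unsynchronised" in output:
        state = "unsynchronised"      # first minutes after NTP is configured
    elif selected is None:
        state = "unknown"
    elif selected["remote"] == LOCAL_CLOCK:
        state = "local-clock"         # the warning sign described in the guide
    else:
        state = "synchronised"
    m = re.search(r"at stratum (\d+)", output)
    return {
        "state": state,
        "source": selected["remote"] if selected else None,
        "stratum": int(m.group(1)) if m else None,
        "offset_ms": selected["offset_ms"] if selected else None,
    }


def ntp_healthy(output: str) -> bool:
    """True only when a real (non-local) NTP server is the current time source."""
    return classify(output)["state"] == "synchronised"


# Constructed sample outputs, taken from the three 'show ntp' captures in the guide.
UNSYNC = """Configured NTP Servers:
ntp.demo.local
unsynchronised
polling server every 64 s
remote refid st t when poll reach delay offset jitter
==============================================================================
127.127.1.0 .LOCL. 10 l 17 64 377 0.000 0.000 0.001
*128.107.212.175 10.81.254.131 2 u 12 64 377 0.732 -9.929 3.790
* Current time source, + Candidate
"""
SYNC = """Configured NTP Servers:
ntp.demo.local
synchronised to NTP server (128.107.212.175) at stratum 3
time correct to within 82 ms
polling server every 1024 s
127.127.1.0 .LOCL. 10 l 25 64 377 0.000 0.000 0.001
*128.107.212.175 10.81.254.131 2 u 686 1024 377 1.004 0.876 1.182
"""
LOCAL = """Primary NTP : ntp.demo.local
synchronised to local net at stratum 11
time correct to within 10 ms
polling server every 1024 s
*127.127.1.0 .LOCL. 10 l 5 64 377 0.000 0.000 0.001
128.107.212.175 .LOCL. 4 u 1026 1024 377 0.478 -866.81 60.476
"""

if __name__ == "__main__":
    for name, out in (("unsync", UNSYNC), ("sync", SYNC), ("local", LOCAL)):
        print(name, classify(out), "healthy" if ntp_healthy(out) else "NOT healthy")
```

Only the "synchronised" state counts as healthy: a selected peer of 127.127.1.0 means ISE is free-running on its own clock, which is exactly the case the guide warns about, and a large negative offset on the server row (as in the third capture) is the usual symptom.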
Lab Exercise 2: Setup Wizard
Exercise Description
This exercise walks you through the steps of the Setup Wizard, which lets you select wired and/or wireless networks, user and/or guest access, enable profiling, posture and BYOD, enter the Network Device details, choose either Active Directory or the ISE internal database as the source of user information, and specify the subnets that need to be protected from guest access.

Exercise Objective
In this exercise, your goal is to:
• familiarize yourself with the Setup Wizard
• use the Setup Wizard to configure wired user authentication

Lab Exercise Steps
Step 1 Start a web session with ISE. From the Admin PC:
a. Open a Firefox browser window and browse to http://ise-1.demo.local
b. The session will be redirected to the secure login page, https://ise-1.demo.local/admin
c. You will be asked to confirm a security exception; confirm the security exception.
i. What is the security exception?
ii. Examine the web site’s certificate: who is the certificate issuer?
Step 2 Login using the ISE credentials admin/ISEisC00L
Step 3 When logging in for the first time, ISE is installed with the Eval License and the message below pops up.
Check the box against Do not show this message again and click OK.
Note: The above window will not appear in the lab as the ISE image has been installed with a 5 year license.
Step 4 When logging in for the first time, the Setup Assistant Wizard pops up as shown below:
a. Choose the check box against “Don’t ask me again” if you do not wish to see this for
further logins and click on Yes to launch the Setup Assistant.
b. If you’ve selected No for the Setup Assistant Wizard and would like to re-launch it, the
Setup Assistant Wizard can be launched from the top right hand corner. Select the “Run
setup assistant” option.
Step 5 The first screen on the Setup Assistant gathers the basic details about the type of deployment.
For this lab, select the options as shown below:
a. Since we will not be using IP phones, uncheck the box against Cisco Unified IP Phones.
b. Click on Next to go to Configure Network Access Service.
Step 6 In the Configure Network Access Service, we’ll be selecting the various options and
specifying the required information for each option.
a. For Do you want to authenticate users using Cisco ISE?, select Yes.
b. Select the checkbox against Join the Active Directory domain and enter the following
i. Domain: demo.local
ii. Administrator Name: admin
iii. Administrator Password: ISEisC00L
c. Click on Join Active Directory domain to join into the AD.
d. Once the join succeeds, the option for Select an AD group shows. Scroll down and
select the group as shown below
Step 7 Next proceed to selecting the other options. Since we are using the Setup Wizard to do the
Wired User Authentication, we’ll be skipping over some of the options.
a. Skip the question for Posture.
b. Select Yes for Do you want to enable endpoint profiling?
i. For the SNMP string enter ISEisC00L
c. Leave all the other options at the default No.
Click on Next to go to the Network Devices section.
Step 8 At this point you should be in the Select Network Devices section. Enter the information for the Network Device under test as shown below.
a. Click on the checkbox against the Cisco Catalyst 3560 Series Switches.
b. For the other details, enter the information as below:
i. Device Name: 3K-Access
ii. Device IP Address: 10.1.100.1/32
iii. Employee VLAN Id: 10
iv. Employee Switched VLAN Interface: 10.1.10.1/24
v. DHCP Server IP address: 10.1.100.10
vi. Default Gateway IP address: 10.1.29.1
vii. Uplink IP Address: 10.1.29.2/24
c. For RADIUS Shared Secret enter ISEisC00L
d. Click on Next to go to the next section.
Step 9 In this section, Review and Confirm Your Choices, you can review all the choices selected in the previous screens.
If there are any corrections to be made, click Previous to change the settings.
If all the information is correct, click on Confirm Configuration Settings.
Step 10 At this point ISE will start generating the ISE and switch configurations. You’ll see a progress
screen as shown below.
Step 11 After all the configurations are generated, you’ll see the following:
a. The following tabs are shown:
i. Review your selection
ii. Network Device Configuration
iii. ISE Configurations.
b. Go to the Network Device Configuration tab and copy and paste the switch
configuration to the notepad on the Admin PC. We’ll use some of these commands to
configure the switch in Lab Exercise 3.
c. Go to ISE Configuration tab to verify the various ISE Configs that were auto generated.
d. Click on Exit to exit the Setup Wizard.
e. Next, go to Administration > Identity Management > External Identity Sources >
Active Directory and verify the AD configuration.
f. Go to Policy > Authentication to see the Authentication policies that were generated. All the policies generated using the Setup Wizard have the prefix AutoGen.
g. Go to Policy > Authorization to verify the Authorization rules and policies that were auto
generated using the Setup Wizard.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 3: Wired Switch Configuration
Exercise Description
There are numerous lines of IOS configuration that are required for the TrustSec identity functionality. This exercise walks you through the key TrustSec elements of a baseline IOS configuration that were generated by the ISE Setup Wizard.
Exercise Objective In this exercise, your goal is to review and understand the IOS baseline configurations described
in this exercise.
The switch is already configured with the VLAN and the routing configurations. So, we’ll only be
configuring the missing commands.
Note: Some of the CLI commands may already be pre-configured. Verify and configure only the missing CLI configs.
Lab Exercise Steps
Step 1 Log in to the 3k-access switch from the Admin PC desktop using PuTTY, with the credentials admin/ISEisC00L.
Step 2 For this entire exercise use the Switch commands that were generated by the ISE Setup Wizard
in Step 11.b from Lab Exercise 2.
Step 3 From the section titled ! AAA Configuration in the switch commands, configure the AAA
settings
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
Step 4 Enable RADIUS Change of Authorization (CoA)
aaa server radius dynamic-author
 client 10.1.100.21 server-key ISEisC00L
aaa session-id common
Step 5 Configure the CLI commands for device discovery
ip dhcp snooping
ip device tracking
Step 6 Enable 802.1X authentication globally on the switch
dot1x system-auth-control
Step 7 Configure the RADIUS settings
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key ISEisC00L
radius-server vsa send accounting
radius-server vsa send authentication
Step 8 The VLAN configuration should already be pre-configured on the switch, so skip the VLAN configuration commands.
Step 9 Enable IOS http servers for web auth
ip http server
ip http secure-server
Step 10 The routing configurations are already configured on the switch. DO NOT make any changes to
the routing configuration
Step 11 The following logging commands are for troubleshooting and POC only and not for production
networks.
logging host 10.1.100.21 transport udp port 20514
logging origin-id ip
logging source-interface Vlan100
Step 12 Configure Ingress Port ACLs
ip access-list extended ACL-DEFAULT
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.1.100.21 eq 8443
 permit tcp any host 10.1.100.21 eq 443
 permit tcp any host 10.1.100.21 eq www
 permit tcp any host 10.1.100.21 eq 8905
 permit tcp any host 10.1.100.21 eq 8909
 permit udp any host 10.1.100.21 eq 8905
 permit udp any host 10.1.100.21 eq 8909
 deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
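The two ACLs above decide what an endpoint can reach before ISE has authorized it: ACL-DEFAULT allows only DHCP, DNS, ICMP and the ISE portal/agent ports, and ACL-WEBAUTH-REDIRECT selects the HTTP/HTTPS flows that get redirected to the web-auth portal. The following is an added example, not from the lab guide or from Cisco: it parses exactly the extended-ACL syntax used above and evaluates sample packets with IOS first-match semantics. The packet tuples are constructed, and the names parse_acls, evaluate, preauth_verdict and redirected are the example's own; it accepts any host/port combination written in that same syntax, so it goes slightly beyond the two ACLs on the page.

```python
"""First-match evaluator for IOS extended ACLs (added example, not from the lab guide)."""
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}


class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: Optional[str]     # None means 'any'
    sport: Optional[int]   # None means any source port
    dst: Optional[str]
    dport: Optional[int]


def _addr(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Parse 'any' or 'host A.B.C.D' at position i; return (address, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' clause; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acls(text: str) -> dict:
    """Return {acl_name: [Rule, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "remark":
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
            acls[current] = []
            continue
        action, proto = t[0], t[1]
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls[current].append(Rule(action, proto, src, sport, dst, dport))
    return acls


def evaluate(rules: List[Rule], proto, src, sport, dst, dport) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src is not None and r.src != src:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# The two ACLs from Step 12, embedded here as the parser's input.
ACL_TEXT = """ip access-list extended ACL-DEFAULT
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.1.100.21 eq 8443
 permit tcp any host 10.1.100.21 eq 443
 permit tcp any host 10.1.100.21 eq www
 permit tcp any host 10.1.100.21 eq 8905
 permit tcp any host 10.1.100.21 eq 8909
 permit udp any host 10.1.100.21 eq 8905
 permit udp any host 10.1.100.21 eq 8909
 deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
"""
ACLS = parse_acls(ACL_TEXT)


def preauth_verdict(proto, src, sport, dst, dport) -> str:
    """What the port ACL does to a packet from a not-yet-authorized endpoint."""
    return evaluate(ACLS["ACL-DEFAULT"], proto, src, sport, dst, dport)


def redirected(proto, src, sport, dst, dport) -> bool:
    """In a URL-redirect ACL, a 'permit' entry means the flow is sent to the portal."""
    return evaluate(ACLS["ACL-WEBAUTH-REDIRECT"], proto, src, sport, dst, dport) == "permit"


if __name__ == "__main__":
    # Constructed packets: a DHCP discover, a DNS query, an ISE portal request and
    # an attempt to reach the LOB web server before authorization.
    print(preauth_verdict("udp", "0.0.0.0", 68, "255.255.255.255", 67))
    print(preauth_verdict("udp", "10.1.10.50", 51000, "10.1.100.10", 53))
    print(preauth_verdict("tcp", "10.1.10.50", 40000, "10.1.100.21", 8443))
    print(preauth_verdict("tcp", "10.1.10.50", 40000, "10.1.129.12", 80))
    print(redirected("tcp", "10.1.10.50", 40000, "10.1.129.12", 80))
```

The evaluator makes the effect of `authentication open` concrete: with open mode the port forwards traffic before authorization succeeds, so ACL-DEFAULT is the only thing standing between an unauthenticated device and the 10.1.129.0/24 servers until ISE pushes a dACL.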
Step 13 Enable the commands for profiling
access-list 20 remark ISE Profiling SNMP probe access
access-list 20 permit 10.1.100.21
snmp-server community ISEisC00L RW
snmp-server host 10.1.100.21 version 2c ISEisC00L
Step 14 Now, configure the interface-level commands, which include the basic identity settings on the switch ports and the identity mode. Enter interface configuration mode for GigabitEthernet0/1 (interface GigabitEthernet0/1) and configure all the interface settings:
 switchport access vlan 10
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
Ensure that the port is not in shutdown state. If so, issue the CLI command no shutdown.
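Because some of these commands may already be present on the switch (see the note at the start of this exercise), a quick audit of the running configuration against the wizard's list saves hunting through show run by eye. The block below is an added example, not part of the lab guide or of any Cisco tool: it checks a pasted show running-config against the global and interface commands from Steps 3 to 14, flags the POC-only logging line from Step 11, and reports whether the port is shut down. SAMPLE_CONFIG is a constructed excerpt with two commands deliberately omitted and a made-up type 7 key hash; parse_config, audit and the REQUIRED_* lists are the example's own names.

```python
"""Audit a switch running-config against the Setup Wizard command list.

Added example, not from the lab guide or any Cisco tool. Matching is on a
token prefix, so 'radius-server host 10.1.100.21 ... key 7 <hash>' still
matches the required entry after IOS has encrypted the key.
"""
from typing import Dict, List, Tuple

REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "aaa server radius dynamic-author",
    "aaa session-id common",
    "ip dhcp snooping",
    "ip device tracking",
    "dot1x system-auth-control",
    "radius-server host 10.1.100.21",
    "radius-server vsa send authentication",
    "ip http secure-server",
]
REQUIRED_INTERFACE = [
    "switchport mode access",
    "ip access-group ACL-DEFAULT in",
    "authentication host-mode multi-domain",
    "authentication open",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication periodic",
    "mab",
    "dot1x pae authenticator",
    "spanning-tree bpduguard enable",
]
# Step 11 marks this as troubleshooting/POC only, not for production networks.
POC_ONLY = ["logging host 10.1.100.21 transport udp port 20514"]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None  # '!' ends an interface block
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(stripped)
            continue
        if stripped.startswith("interface "):
            current = stripped.split(None, 1)[1]
            interfaces.setdefault(current, [])
            continue
        current = None
        global_lines.append(stripped)
    return global_lines, interfaces


def _has(lines: List[str], required: str) -> bool:
    """True if some line starts with the required command's tokens."""
    req = required.split()
    return any(line.split()[: len(req)] == req for line in lines)


def audit(text: str, iface: str) -> Dict:
    """Report missing wizard commands, POC-only lines present and shutdown state."""
    global_lines, interfaces = parse_config(text)
    iface_lines = interfaces.get(iface, [])
    return {
        "interface_found": iface in interfaces,
        "missing_global": [c for c in REQUIRED_GLOBAL if not _has(global_lines, c)],
        "missing_interface": [c for c in REQUIRED_INTERFACE if not _has(iface_lines, c)],
        "poc_only_present": [c for c in POC_ONLY if _has(global_lines, c)],
        "shutdown": _has(iface_lines, "shutdown"),
    }


# Constructed 'show running-config' excerpt: dot1x system-auth-control and the
# port-control command on Gi0/1 are deliberately missing; the key 7 hash is fake.
SAMPLE_CONFIG = """!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.1.100.21 server-key ISEisC00L
aaa session-id common
ip dhcp snooping
ip device tracking
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key 7 0123456789ABCDEF
radius-server vsa send authentication
ip http secure-server
logging host 10.1.100.21 transport udp port 20514
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 shutdown
!
"""

if __name__ == "__main__":
    for port in ("GigabitEthernet0/1", "GigabitEthernet0/2"):
        print(port, audit(SAMPLE_CONFIG, port))
```

Without dot1x system-auth-control the interface commands are accepted but 802.1X never runs, and a port left in shutdown never authenticates at all, so both findings are worth surfacing before moving on to Exercise 4.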
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 4: Wired User Authentication Verification
Exercise Description
After configuring the required policies on ISE and doing the switch configuration, the last step is to verify that the defined policies can be used for Wired Users.
Exercise Objective In this exercise, your goal is to verify the Wired User Authentication and understand the
authorization profiles that the authentication matched with.
Lab Exercise Steps
Step 1 Open and log in to the VMware vSphere Client on the desktop of your lab console.
Step 2 If the p##_w7-pc-guest VM is not turned on already, start it by right-clicking on the VM and
selecting Power > Power On
Step 3 Right-click on p##_w7-pc-guest VM and select Open Console.
Step 4 Login to your Windows 7 Enterprise endpoint with the credentials admin/ISEisC00L. You may
need to use the menu item (top left of vsphere client) VM > Guest > Send Ctrl+Alt+Del to
invoke the Windows login screen
Step 5 From the Windows desktop, click Start and type services.msc. Scroll down until you see the Wired AutoConfig (not WLAN AutoConfig) service.
Step 6 Right-Click Wired AutoConfig and select Properties.
Step 7 Choose Startup type: Automatic
Step 8 Start the service and select OK.
Step 9 From the Windows desktop, go to Start Menu > Control Panel > Network and Internet >
Network and Sharing Center
Step 10 Select Change Adapter Settings from the left column.
Step 11 Right-click on the network adapter called w7-pc-guest-wired and select Enable
Step 12 Right-click again on the network adapter named w7-pc-guest-wired and select Properties
from the menu.
Step 13 Click the Authentication tab (this was enabled by starting the Wired AutoConfig service) and
verify the settings:
Step 14 Select Settings next to Microsoft: Protected EAP (PEAP) and uncheck Validate Server
Certificate.
Step 15 For Select Authentication Method choose Secured password (EAP-MSCHAP v2) then
select Configure
Step 16 Uncheck "Automatically use my Windows logon name and password" to prevent
username/password caching and allow you to easily test many different users and groups.
Step 17 Select OK
Step 18 Select Additional Settings
Step 19 Enable Specify authentication mode and choose User authentication
Step 20 Select OK and OK again to save and exit settings. The endpoint should now be ready to
handle 802.1X user authentication.
Step 21 You should see a message popup on the Windows 7 Endpoint: “Additional information is
needed to connect to this network”. Click on the message to view the 802.1X user
authentication dialog.
Note: If you wait too long to respond, the message may disappear. If so, disable and enable the interface to get the pop-up back.
Step 22 Enter the credentials for the user account employee1/ISEisC00L
Note: Microsoft Windows does not provide any feedback for a Passed Authentication but it will re-prompt you for a failed authentication.
Step 23 Verify that your authentication passed in ISE under Operation > Authentications. You should see the authentication information in the live logs, similar to the output below:
Verify that the authorization profile used matches the profile defined using the Setup Wizard.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.