Instructions2 PDF

ISE Profiling Services Lab Guide
Developers and Lab Proctors

This lab was created by: James Burke
Lab Overview
This lab is designed to help attendees understand how to configure and deploy ISE Profiler. It covers the basic configuration and management for profiling devices in an 802.1X environment. Lab Users should be able to complete the lab within the allotted lab time of (2) hours.
Lab Exercises
This lab guide includes the following exercises: Lab Verification Lab Exercise 1: Enable ISE Probes for Profiling Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes Lab Exercise 3: Verify Profiled Endpoints and Probe attribute information Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints Lab Exercise 5: Verify IP Phone default Policy Lab Exercise 6: Logging and Reporting
02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 1
10/20/2011
Product Overview: ISE

The Cisco Identity Services Engine (ISE) is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security and streamline their service operations. Its unique architecture allows enterprises to gather real time contextual information from network, users, and devices to make proactive governance decisions by tying identity back into various network elements including access switches, wireless controllers, VPN gateways, and datacenter switches. Cisco Identity Services Engine is a key component of the Cisco TrustSec Solution.
TrustSec Lab Topology
10/20/2011
10/20/2011
Internal IP addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
Device Core Switch (Nexus 7k) Name/Ho stn ame 7k-core.demo.local IP Ad dress 10.1.100.1 10.1.250.1 Access Switch (3560X) Data Center Switch (3560X) ISE Appliance ISE Appliance ISE Appliance ISE Appliance AD Serv er (CA/DNS/DHCP) NTP Serv er Public Web Serv er Internal Web Serv er Admin (Management) Client (also F TP Serv er) Windows 7 Client PC 3k-access.demo.local 3k-serv er.demo.local ise-1.demo.local ise-2.demo.local ise-3.demo.local ise-4.demo.local ad.demo.local ntp.demo.local www-ext.demo.local www-int.demo.local admin.demo.local ftp.demo.local win7-pc.demo.local DHCP (10.1.10.x/24) 10.1.250.2 10.1.251.2 10.1.100.21 10.1.100.22 10.1.100.23 10.1.100.24 10.1.100.10
128.107.220.1
10.1.252.10 10.1.252.20 10.1.100.6
Internal VLANs and IP Subnets

The table that follows lists the internal VLANs and corresponding IP subnets used by the devices in this setup.
VL AN Nu mb er 10 20 30 VL AN Name IP Subn et Descrip tion
ACCESS MACHINE QUARANTINE
10.1.10.0/24 10.1.20.0/24 10.1.30.0/24
Network f or authenticated users or access network using ACLs Microsoft machine-authenticated dev ices (L2 segmentation) Unauthenticated or non-compliant dev ices (L2 segmentation) Dedicated Voice VLAN Network f or authenticated and compliant guest users VPN Client VLAN to ASA outside interface ASA inside network to IPEP untrusted interface Dedicated IPEP VLAN for trusted interface
40 50 60 70 80
VOICE GUEST VPN ASA (trusted) IPEP (trusted)
10.1.40.0/24 10.1.50.0/24 10.1.60.0/24 10.1.70.0/24 10.1.80.0/24
10/20/2011
90 100 (250) (251) 252
AP DATACENTER
10.1.90.0/24 10.1.100.0/24 10.1.250.0/24 10.1.251.0/24
Wireless AP connection for LWAAP tunnel Network serv ices (AAA, AD, DNS, DHCP, NTP, etc.) Dedicated interconnect subnet between Core and Access switch. Dedicated interconnect subnet between Core and Data Center switch. Web Serv er network
WEBSVR
10.1.252.0/24
No te:
Dedicated VLANs hav e been preconf igured for optional access policy assignments based on user identity , prof iling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment f or policy enf orcement. By def ault, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE VLAN 40.
Accounts and Passwords

The table that follows lists the accounts and passwords used in this lab.
Access To Core Switch (Nexus 7k) Access Switch (3560X) Data Center Switch (3560X) ASA (VPN gateway ) ISE Appliances AD Serv er (DNS/DHCP/DHCP) Web Serv ers Admin (Management) Client Windows 7 Client (Local = WIN7-PC) (Domain = DEMO) Accoun t (u sern ame/p asswo rd) admin / C!sco123 admin / cisco123 admin / cisco123 admin / cisco123 admin / def ault1A administrator / cisco123 administrator / cisco123 admin / cisco123 WIN7-PC\administrator / cisco123 WIN7-PC\admin / cisco123 DEMO\admin / cisco123 DEMO\employ ee1 / cisco123
Connecting to Lab Devices

No te: To access the lab, y ou must first connect to the Admin PC. The Admin PC prov ides a launching point f or access to all the other lab components Admin PC access is through RDP, therefore y ou must hav e an RDP client installed on y our computer
No te:
10/20/2011
Connect to a POD
Step 1
Launch the Remote Desktop application on your system. a. In the LabOps student portal, click on the Topology tab b. Click on the Admin PC, then click on the RDP Client option that appears:
c. Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in as DEMO\admin / cisco123 (Domain = DEMO) d. All lab configurations can be performed from the Admin client PC.
Connect to ESX Server Virtual Machines

During the lab exercises, you may need to access and manage the computers running as virtual machines.
Step 1 Step 2
From the Admin client PC, click the VMware vSphere Client icon on the desktop The IP address of your pods ESX server is 10.1.11.X where X = 10+(your pod number) e.g. pod 1 = 10.1.11.11, pod 9 = 10.1.11.19, pod 15 = 10.1.11.25, pod 24 = 10.1.11.34
No te: Step 3
Be careful to only connect to y our pods ESX serv er. If unsure, contact y our class proctor.
Enter student / cisco123 for the username and password:
10/20/2011
Step 4
Click Login.
Step 2
Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5
You have the ability to power on, power off, or open the console (view) these VMs. To do so, place the mouse cursor over VM name in the left-hand pane and right-click to select one of these options:
10/20/2011
Step 6 Step 7
To access the VM console, select Open Console from the drop-down. To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Connect to Lab Device Consoles:

Step 1
To access the consoles of the lab switches and ISE servers using SSH: a. From the Admin client PC, double-click the desired PuTTY shortcut on the Windows desktop. Example:
10/20/2011
You can also use the shortcuts in the Windows Quick Launch toolbar. b. If prompted, click Yes to cache the server host key and to continue login. c. Login using the credentials listed in the Accounts and Passwords table.
Step 2
To access the console for other devices using SSH: a. From the Admin client PC, go to Start and select Menu to open a terminal session using PuTTY. from the Windows Start
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of the desired device in the Host Name (or IP address). c. Click Open. d. If prompted, click Yes to cache the server host key and to continue login. e. Login using the credentials listed in the Accounts and Passwords table
Pre-Lab Setup Instructions

Basic Connectivity Test
To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC:
Verify that ping succeeds for all devices tested by script.

No te: The ping test may fail for VMs that hav e not y et completed the boot process.
10/20/2011
Lab Verification: Verify initial lab setup and configuration

Exercise Description
Initial lab setup and pre-configuration verification.
Exercise Objective
Verify the default bootstrap configuration and connectivity.
Lab Exercise Steps

Step 1
Go to the Admin client PC and open a web browser to log into your ISE appliance (https://ise-1.demo.local) with username/password = admin / default1A Verify your network access switch (3k-access) is configured and setup correctly. a. Go to Administration > Network Resources > Network Devices and select 3k-access b. Verify the IP address is 10.1.250.2 c. Verify the authentication settings shared secret being used. Click the Show button and verify cisco123 is the shared secret.
Step 2
10/20/2011
Step 3
Use the desktop shortcut for the PuTTY SSH client to launch a terminal session to the 3kaccess switch (10.1.250.2) using the credentials admin / cisco123 (enabled password cisco123 ). Make sure interface Gi 0/1 4 are administratively shutdown. In this lab we are only concerned about the IP Phone and IP Camera. On the access switch verify MAB is configured on the switch ports for non-authenticating devices. Also verify Multi-Auth authentication is enabled on the switch port. This is needed for the IP Phone to authenticate. Both voice and data domains will authenticate via 802.1X and then fall over to MAB.
interface Gi0/1 switchport access vlan 10 switchport mode access switchport voice vlan 40 ip access-group ACL-ALLOW in authentication host-mode multi-auth authentication open authentication order mab dot1x authentication port-control auto authentication periodic authentication timer reauthenticate server mab d t1 th ti t
Step 4
Step 5
Step 6
Step 7
Verify the change of authorization command is configured on your switch. This is essential for when devices change profiles or the authorization settings change for a device or user. The ISE node will send the new authorization parameters to the switch via this mechanism.
aaa server radius dynamic-author client 10.1.100.21 server-key cisco123
Step 8
Verify the AAA accounting records are enabled.

aaa accounting dot1x default start-stop group radius aaa accounting network default start-stop group radius
10/20/2011
radius-server vsa send accounting radius-server vsa send authentication
Step 9
Verify Radius VSA information is configured for accounting and authentication.
10/20/2011
Lab Exercise 1: Enable ISE, Probes, and Network Device for Profiling
This exercise will enable the profiling probes and NAD communication on your ISE Policy Service node.
Exercise Objective
At the end of this exercise you will learn how to enable the probes for your ISE Policy Service node via the GUI.
Lab Exercise Steps

Step 1 Step 2 Step 3
Log into your ISE device via the admin GUI. Go to Administration > System > Deployment. Click on your ISE node. In General Settings, verify Policy Service is enabled. Verify the Enable Profiling Service is enabled. In the right hand pane click the Profiling Configuration tab. a. Leave Netflow Probe disabled b. Enable DHCP Probe. i. The device interface should be Gi0. (Gi0 is the interface on the ISE appliance) ii. Leave the default UDP port 67. c. Enable DHCPSPAN Probe. i. The device interface should be Gi0 d. Enable HTTP Probe. i. The device interface should be Gi0 e. Enable RADIUS Probe f. Enable DNS Probe i. Keep the defaults g. Enable SNMPQUERY Probe. i. Keep the defaults h. Enable SNMPTRAP Probe. i. Leave Link Trap Query Disabled ii. Enable MAC Trap Query iii. Device Interface should be Gi0 iv. Port 162 leave as default.
Step 4
10/20/2011
10/20/2011
Step 5 Step 6
Click the Save button and make sure your changes were saved successfully. Now go to your pre-configured NAD device on ISE to enable SNMP communication. Administration > Network Resources > Network Devices a. Click on the 3k-access switch b. In the configuration page enable the SNMP Settings section c. Expand the setting and select SNMP version 2c d. Enter ciscoro as the read only community string e. Verify Link Trap Query is enabled. f. Verify MAC Trap Query is enabled.
g. Set the polling interval to 600 seconds (LAB USE ONLY !) h. Leave all other settings the same and click Save.
No te: Y ou can use multiple interf aces to enable the ISE probes. You can also enable ISE Profiling on other Policy Serv ice nodes if y ou hav e the proper licensing in place.
Step 7
Enable the Change of Authorization globally for Profiling. This will allow any status changes of a device to be sent to the access device for an endpoint. a. Go to Administration > System > Settings > Profiling > CoA Type = Reauth
No te:
Use caution when enabling this feature when first profiling y our dev ices. The Change of Authorization will occur for all newly profiled dev ices.
Step 8
To verify the default actions for profiled devices, go to Policy > Policy Elements > Results > Profiling > Exception Actions (Advanced Exception actions will not be covered in this lab.)
10/20/2011
End of Exercise: You have successfully completed this exercise. Proceed to next section.
10/20/2011
Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes
Configure ISE probes
Exercise Objective
In this exercise, your goal is to configure and verify your ISE probes are w orking as advertised.
Lab Exercise Steps

Step 1 Step 2
Console into the 3k-access switch. Enable SNMP on the switch.

snmp-server community ciscoro RO snmp-server community ciscorw RW snmp-server enable traps snmp linkdown linkup snmp-server enable traps mac-notification change move snmp-server host 10.1.100.21 version 2c ciscoro
Step 3
Turn on SNMP debug by typing debug snmp packet at the exec shell prompt on the access switch. If using remote console (SSH/Telnet), then make sure you also enter terminal monitor on the command line so you will see the output. Verify SNMP communication between the ISE node and the switch. You should see the SNMP requests coming into the switch from ISE-1 similar to that shown below. You should also see responses from the switch for SNMP MIB requests from ISE Profiling Service.
Step 4
10/20/2011
3k-access# debug snmp packet *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Get-bulk request, reqid 2133241990, nonrptr 0, maxreps 10 system = NULL TYPE/VALUE9 13:50:25.758: SNMP: Response, reqid 2133241990, errstat 0, erridx 0 system.1.0 = Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2) system.2.0 = products.797 sysUpTime.0 = 428342588 system.4.0 = system.5.0 = 3k-access.demo.local system.6.0 = system.7.0 = 6 system.8.0 = 0 sysOREntry.2.1 = cisco.7.129
Step 5
Turn off the SNMP debug by typing no debug all from exec mode prompt on the switch command line interface. Bring up switchport Gi 0/2 by entering the command no shutdown under the interface in configuration mode. Verify RADIUS packets are being sent to ISE by entering debug radius authentication from exec mode on the access switch. These will be sent when a MAC Authentication Bypass (MAB) session is initiated for clientless devices. This information will be received by the Profiler Radius Probe and used in profiling endpoints. You will see the following output. MAB will take some time to initiate after the DOT1X authentication requests time out.
Step 6
Step 7
Step 8
10/20/2011
*Apr 20 14:40:45.339: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09 *Apr 20 14:40:45.339: AAA/AUTHEN/8021X (00000011): Pick method list 'default' *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011):Orig. component type = DOT1X *Apr 20 14:40:45.339: RADIUS(00000011): Config NAS IP: 0.0.0.0 *Apr 20 14:40:45.339: Getting session id for DOT1X(000 *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011): acct_session_id: 16 *Apr 20 14:40:45.339: RADIUS/ENCODE: Best Local IP-Address 10.1.250.2 for RadiusServer 10.1.100.21 *Apr 20 14:40:45.339: RADIUS(00000011): Send Access-Request to 10.1.100.21:1812 id 1645/56, len 206 *Apr 20 14:40:45.339: RADIUS: 24 5A 60 * Apr 20 14:40:45.339: RADIUS: *Apr 20 14:40:45.339: RADIUS: * Apr 20 14:40:45.339: RADIUS: *Apr 20 14:40:45.339: RADIUS: *Apr 20 14:40:45.348: RADIUS: * Apr 20 14:40:45.348: RADIUS: authenticator B7 9E 45 1D 55 C4 2F C2 - 4D 15 7F 5C B4
User-Name User-Password Service-Type Framed-MTU Called-Station-Id Calling-Station-Id
[1] [2] [6] [12] [30] [31]
14 18 6 6 19 19 18
"001ee599fc5b" * Call Check 1500 "1C-17-D3-43-73-83" "00-1E-E5-99-FC-5B " 3 4F 1C 47 96 7D FA B2 [10]
*Apr 20 14:40:45.348: RADIUS: Message-Authenticato[80] 40 F3 6D 62 B5 84 D3 [ OG}@mb] *Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: id=0A0164010000000F04A3DB09" *Apr 20 14:40:45.348: RADIUS: [15] * Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: EAP-Key-Name Vendor, Cisco Cisco AVpair
[102] 2 [26] [1] 49 43
"audit-session-
NAS-Port-Type
[61]
Ethernet
NAS-Port NAS-Port-Id NAS-IP-Address
[5] [87] [4]
6 17 6
50002 "GigabitEthernet0/2" 10.1.250.2
*Apr 20 14:40:45.348: RADIUS(00000011): Started 5 sec timeout *Apr 20 14:40:45.599: RADIUS: Accept, len 157 Received from id 1645/56 10.1.100.21:1812, Access-
10/20/2011
Step 9
Turn off the Radius debug when finished by typing no debug all on the command line.
Step 10 Configure an additional IP helper address to the ISE appliance on Interface Vlan10 (Access) and
Interface Vlan40 (Voice) for DHCP information to be sent to the ISE DHCP probe (ex.):
interface Vlan10 ip address 10.1.10.1 255.255.255.0 ip helper-address 10.1.100.10 ip helper-address 10.1.100.21
Step 11 Do a shut/no shut on the interfaces Gi 0/1 8. This will retrigger DHCP requests and send
DHCP requests to ISE

Step 12 Go to the Windows 7 PC and reboot it. Go to Start > Shutdown > Restart. This is needed due
to the VM and IP phone not detecting link state.
10/20/2011
Lab Exercise 3: Verify Profiled Endpoints and Probe information

You will verify and endpoints and the received information collected by each probe.
Exercise Objective
In this exercise, your goal is to correctly identify newly profiled endpoints and their unique attributes collected on the network.
Lab Exercise Steps

Step 1
Go to the ISE-1 Home page and see if there are any Profiled Endpoints. Look at the Profiled Endpoints to see if you have endpoints being profiled.
Step 2 Step 3
Go to Administration > Identity Management > Identities > Endpoints You should now see MAC addresses show up in the Endpoints View
10/20/2011
Step 4
Click on one of the endpoints to verify attribute data received by the probes. The latest information received by a certain Probe will be listed as: EndPointSource = (ex. SNMPTrap Probe)
10/20/2011
Step 5
Go back to Endpoints and click on the Microsoft-Workstation a. You can verify the DNS probe is working by locating the host-name attribute. DNS was setup in the Bootstrap Lab 1. b. You can also verify the DHCP Probe is working by locating the dhcp-class-identifier which was sent by the DHCP request of the Windows Client.
10/20/2011
10/20/2011
Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints
In this exercise, your goal is to create Profile and Authorization Policies.
Exercise Objective
In this exercise, your goal is to verify your Profiles and Authorization Policies for your Profiled Endpoints by validating the authentication session and its policy.
Lab Exercise Steps

Step 1
We now want to create our own Profile based on more specific information than the generic Cisco-Device profile that some of these endpoints are being profiled into. Go to Administration > Identity Management > Identities > Endpoints a. You should now see a few Endpoints profiled as Cisco-Device b. Click on the MAC address that is connected to port Gi 0/2 c. Under the attributes details look for some information that is interesting based on device type. You should see this under the cdp information collected from the SNMP Probe. d. Write down the cdp Platform information. For example, CIVS-IPC-4500 e. Also note the MAC OUI information = Cisco Systems Example output below:
Formatted: Font: (Def ault) Arial, 10 pt
Step 2
Step 3
Go to Policy > Policy Elements > Conditions > Profiling to create a matching rule for the device attribute information to be used in a Profiling Policy.
10/20/2011
Step 4
Under Profiling Conditions click Create . a. Name = cdpIPCAMERA b. Type = SNMP c. Attribute Name = cdpCachePlatform d. Operator = Contains e. Attribute Value = CIVS-IPC
Step 5
Click Submit.
No te: Step 6 Step 7
Cisco OUI Conditions are already created.
Now go to Policy > Profiling > Profiling Policies Click Create . a. Name the Policy = MY_IP_Cameras b. Policy Enabled = Checked
10/20/2011
c. Minimum Certainty Factor = 25 d. Exception Action = None e. Create Matching Identity Group = Enabled (This will be used later in our Authorization Policy) f. Parent Policy = None
g. Rules: i. ii. If Condition Cisco-DeviceRule1Check1 Then Certainty Factor Increases 10 If Condition cdpIPCAMERA Then Certainty Factor Increases 25
Step 8 Step 9
Click Submit. Go to Administration > Identity Management > Groups > Endpoint Identity Groups and verify the new Identity Group = MY_IP_Cameras
10/20/2011
Step 10 Go to Policy > Authorization Step 11 Create a new Authorization Policy
a. Rule Name = Profiled IP_Cameras b. Identity Groups = MY_IP_Cameras c. Other Conditions = None d. Permissions = PermitAccess
10/20/2011
Step 12 Click Save. Step 13 Verify you have a default Authentication rule for MAB. This is crucial in making sure the MAB
authentication is matched and you are using the Internal Endpoints as the Identity store. Profiler Endpoints are stored in this Identity Store. a. Go to Policy > Authentication:
Formatted: Font: (Def ault) Arial, 10 pt
b. The MAB authentication rule states: If a Wired_MAB [Radius:Service-Type=10(Call Check) and Radius:NAS-PortType=15(Ethernet)] request is matched and has the allowed Protocols defined in the Default Network Access policy, then use Internal Endpoints as the Identity Store.
10/20/2011
Step 14 Go to the 3k-access switch and bounce interface Gi0/2 by using shut / no shut Step 15 Verify the MAB request was successful and the device was Authorized under the Profiled IP
_Cameras Authorization Policy. a. Go to Monitor > Authentications
Step 16 Click on the details icon to get more detailed information. There are details worth pointing out
based on the configurations: a. Authentication Method = MAB b. Username = MAC address of your device c. NAS Port ID = What port the device is connected d. Service Type = Call Check e. Identity Store = Internal Endpoints f. Identity Group Profiled:MY_IP_Cameras
g. Authorization Policy Matched Rule = Profiled IP Cameras
10/20/2011
10/20/2011
Lab Exercise 5: Verify the IP Phone default Policy

Verify the IP phone is authorized and active.
Exercise Objective
In this exercise, your goal is to verify the IP Phone has been successfully authenticated and authorized by ISE. With ISE there is a pre-configured Authorization Policy for Cisco IP Phones for convenience.
Lab Exercise Steps

Step 1 On the 3k-access switch, shutdown the port Gi0/1 using the shutdown command. Step 2 Use no shutdown to bounce the link for a new MAB request.
*Apr 22 15:00:14.654: %AUTHMGR-5-START: Starting 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0 *Apr 22 15:00:14.914: %MAB-5-SUCCESS: Authentication successful for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0 *Apr 22 15:00:14.914: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0 *Apr 22 15:00:15.954: %AUTHMGR-5-SUCCESS : Authorization succeeded for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
Step 3 Step 4
Verify the Authentication and Authorization was successful on the switch. On the 3k-acce ss switch, enter the command show authentication sessions interface Gi0/1 .
10/20/2011
3k-access # sh authentication sessions int Gi0/1 Interface: MAC Address: IP Address: User-Name: Status: Domain: GigabitEthernet0/1 1c17.d341.d18b Unknown 1C-17-D3-41-D1-8B
Authz Success VOICE Should Secure Unsecure multi-auth both
Security Policy: Security Status: Oper host mode: Oper control dir: Authorized By: ACS ACL:
Authentication Server
xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051 N/A
Session timeout: Idle timeout:
N/A 0A0164010000002A24BB3A47
Common Session ID: Acct Session ID: Handle:
0x0000002B
0x1D00002A
Runnable methods list: Method dot1x State Failed over
Step 5
Log into ISE GUI and verify the Authentication. Go to Monitor > Authentications .
10/20/2011
Step 6 Click on the MAC address for the IP Phone connect to Gi0/1:
Step 7 Look into the details of the authentication and authentication result to verify the details of the
default permissions.
Step 8 Notice the cisco-av -pair=device-traffic-class=voice which tells the switch this MAC
belongs to the voice vlan.
10/20/2011
No te:
The IP Phone Authorization Profile details can be f ound here: Policy > Policy Elements > Results > Authorization Profiles > Cisco_IP_Phones
10/20/2011
Lab Exercise 6: Profiler Logging and Reporting

Understand Profilers logging and reporting capabilities.
Exercise Objective
In this exercise you enable debug logging and generate a Profiled endpoint report.
Lab Exercise Steps

Step 1 You can create different Endpoint reports from Profiling. a. b. c.
Go to Monitor > Reports > Catalog > Endpoint Click on the Endpoint Profiler Summary You can run a report from the last 30 minutes to the last 30 Days
Step 2
You will get the output of the endpoints logged for the day and the Policy the endpoint has been profiled into.
10/20/2011
Step 3
You can enable Profiler Log collection to Debug for advanced troubleshooting
a. b. c. d. e. f.
Go to Administration > System > Logging > Debug Log Configuration Select ise-1 from right pane Scroll down the list and click on the Profiler radial button. Click on current log setting to display a drop-down list. Set the Log setting to DEBUG. Click Save.
Step 4
To display the debug logs go to Monitor > Troubleshoot > Download Logs > ISE-1 Under the Debug log type select profiler.log
10/20/2011
Appendix: Additional Resources

SNMP Attributes MAC Notification: MacStatus Vlan MACAddress dot1dBasePort MoveFromPort (for mac move notifcation) MoveToPort (for mac move notifcation) Timestamp Link Notification: ifIndex ifAdminStatus ifOperStatus ifD escr ifType ifSpeed ifPhysAddress Switch Information mib walk: Switch IP Address/Subnet Switch D escription if available sysUpTime sysContact sysName sysLocation Switch ifIndex All portIfIndex Configured Vlan information (VLAN state, name, port, ifIndex)
10/20/2011
CD P Information cdpCacheVersion cdpCacheNativeVLAN cdpCacheD evicePort MACAddress cdpCacheLastChange cdpCacheAddressType cdpCacheD eviceId cdpCacheAddress cdpCachePlatform cdpCacheCapabilities cdpCacheD uplex CISCO-AUTH -FRAMEWORK-MIB cafSessionAuthorizedBy cafSessionAuthUserName cafSessionAuthVlan cafSessionClientMacAddress cafSessionDomain cafSessionStatus VlanName
DHCP Attributes Any attribute parsed out of the DH CP traffic will be mapped into an endpoint attribute. For a list of possible attributes see: http://www.iana.org/assignments/bootp-dhcp-parameters/
HTTP User Agent The browser user agent as well as any http attributes present will be captured and added to the endpoint to add to the profiling capability. For a full list of possible attributes see: http://www.rfc-editor.org/rfc/rfc2616.txt
10/20/2011
DNS Probe Upon endpoint creation, a DNS lookup will try to determine the endpoint name FQDN. A new attribute will be added to the endpoint FQDN. Reverse DNS lookup will be done only when an endpoint detected by the DH CP, Radius and SNMP probes contains following attributes. This means that, for DNS lookup, at least one of the following probes need to started along with DNS probe. DH CP IP H elper, DH CP Span dhcp-requested-address Radius Probe Framed-IP-Address SNMP Probe cdpCacheAddress H TTP Probe Source IP Radius Attributes We will be collecting and assigning to endpoints Radius attributes from both the request and the response. For a list of Radius attributes, see the RFCs defined at http://en.wikipedia.org/wiki/RAD IUS.
Netflow Attributes We will be collecting any an all attributes sent through Netflow. Please consult http://www.faqs.org/rfcs/rfc3954.html for details on netflow attributes. H ere is a sample: IN_BYTES IN_PKTS FLOWS PROTOCOL TOS TCP_FLAGS L4_SRC_PORT IPV4_SRC_AD D R SRC_MASK L4_D ST_PORT IPV4_D ST_AD D R D ST_MASK IPV4_NEXT_H OP LAST_SWITCH ED FIRST_SWITCH ED OUT_BYTES OUT_PKTS IPV6_SRC_AD D R IPV6_D ST_AD D R IPV6_SRC_MASK IPV6_D ST_MASK IPV6_FLOW_LABEL ICMP_TYPE D ST_TOS SRC_MAC D ST_MAC SRC_VL AN D ST_VLAN
10/20/2011
IP_PROTOCOL_VERSION D IRECTION
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
10/20/2011

Instructions2 PDF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Instructions2 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

ISE Profiling Services Lab Guide

Developers and Lab Proctors

Product Overview: ISE

TrustSec Lab Topology

Internal VLANs and IP Subnets

ACCESS MACHINE QUARANTINE

10.1.10.0/24 10.1.20.0/24 10.1.30.0/24

VOICE GUEST VPN ASA (trusted) IPEP (trusted)

10.1.40.0/24 10.1.50.0/24 10.1.60.0/24 10.1.70.0/24 10.1.80.0/24

90 100 (250) (251) 252

10.1.90.0/24 10.1.100.0/24 10.1.250.0/24 10.1.251.0/24

Accounts and Passwords

Connecting to Lab Devices

Connect to ESX Server Virtual Machines

Enter student / cisco123 for the username and password:

Connect to Lab Device Consoles:

Pre-Lab Setup Instructions

Verify that ping succeeds for all devices tested by script.

Lab Verification: Verify initial lab setup and configuration

Lab Exercise Steps

Verify the AAA accounting records are enabled.

radius-server vsa send accounting radius-server vsa send authentication

Verify Radius VSA information is configured for accounting and authentication.

Lab Exercise Steps

Lab Exercise Steps

Console into the 3k-access switch. Enable SNMP on the switch.

User-Name User-Password Service-Type Framed-MTU Called-Station-Id Calling-Station-Id

[1] [2] [6] [12] [30] [31]

"001ee599fc5b" * Call Check 1500 "1C-17-D3-43-73-83" "00-1E-E5-99-FC-5B " 3 4F 1C 47 96 7D FA B2 [10]

[102] 2 [26] [1] 49 43

NAS-Port NAS-Port-Id NAS-IP-Address

[5] [87] [4]

50002 "GigabitEthernet0/2" 10.1.250.2

interface Vlan10 ip address 10.1.10.1 255.255.255.0 ip helper-address 10.1.100.10 ip helper-address 10.1.100.21

DHCP requests to ISE

to the VM and IP phone not detecting link state.

Lab Exercise 3: Verify Profiled Endpoints and Probe information

Lab Exercise Steps

Lab Exercise Steps

No te: Step 6 Step 7

Cisco OUI Conditions are already created.

Step 10 Go to Policy > Authorization Step 11 Create a new Authorization Policy

_Cameras Authorization Policy. a. Go to Monitor > Authentications

g. Authorization Policy Matched Rule = Profiled IP Cameras

Lab Exercise 5: Verify the IP Phone default Policy

Lab Exercise Steps

Authz Success VOICE Should Secure Unsecure multi-auth both

Session timeout: Idle timeout:

Common Session ID: Acct Session ID: Handle:

Runnable methods list: Method dot1x State Failed over

belongs to the voice vlan.

Lab Exercise 6: Profiler Logging and Reporting

Lab Exercise Steps

Appendix: Additional Resources

Das könnte Ihnen auch gefallen