Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine (ISE), focusing on key new ISE 1.2 features such as ISE integration with 3rd party MDM vendors, profiler feed services, Guest enhancements, and monitoring and troubleshooting enhancements. In the lab the students will learn how to configure ISE policies to mandate mobile device compliance with policies defined on the MobileIron MDM server. A good part of the lab also covers how to write policies using logical profiles and how to enable ISE to receive automatic updates from the new Feed service. The lab also covers the new Guest UI available in ISE 1.2. The last section covers day-to-day operations, where the student uses new tools such as Search and Session Trace that provide better visibility and troubleshooting.
Lab participants should be able to complete the lab within the allotted time of 4 hours.
Lab Exercises
This lab guide includes the following exercises:
ISE_1.2_Update_Lab_Guide.docx
8/21/13 6:47 PM
Page 1 of 87
Lab Topology
Device                  Name/Hostname                          IP Address
                        3k-access.demo.local                   10.1.100.1
                        3k-data.demo.local                     10.1.129.3
                        wlc.demo.local                         10.1.100.61
                        ap.demo.local                          10.1.90.x/24 (DHCP)
ASA (5515-X)            asa.demo.local                         10.1.100.2
ISE Appliance           ise-1.demo.local                       10.1.100.21
                        ise-feedserver.demo.local              10.1.100.41
AD (AD/CS/DNS/DHCP)     ad.demo.local                          10.1.100.10
NTP Server              ntp.demo.local                         128.107.212.175
MobileIron              mobileiron.demo.local                  10.1.100.15
                        mail.demo.local                        10.1.100.40
LOB Web                 lob-web.demo.local                     10.1.129.12
                        portal.demo.local, updates.demo.local  10.1.129.8
                        business.demo.local                    10.1.129.9
                        it.demo.local                          10.1.129.10
                        records.demo.local                     10.1.129.11
LOB DB                  lob-db.demo.local                      10.1.129.20
                        admin.demo.local                       10.1.100.6
                        ftp.demo.local
Windows 7 Client PC     w7pc-guest.demo.local                  10.1.50.x/24 (DHCP)
VLAN   VLAN Name       IP Subnet        Description
10     ACCESS          10.1.10.0/24
20     MACHINE         10.1.20.0/24
(29)   IC-ASA-ACCESS   10.1.29.0/24
30     QUARANTINE      10.1.30.0/24
40     VOICE           10.1.40.0/24     Voice VLAN
50     GUEST           10.1.50.0/24
90     AP              10.1.90.0/24     Wireless AP VLAN
100    Management      10.1.100.0/24
129    WEB             10.1.129.0/24
130    DB              10.1.130.0/24
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.
Access To                   Account (username/password)
(device not legible)        admin / ISEisC00L
(device not legible)        admin / ISEisC00L
(device not legible)        admin / ISEisC00L
ASA (5515-X)                admin / ISEisC00L
ISE Appliances              admin / ISEisC00L
AD (CS/DNS/DHCP)            admin / ISEisC00L
Web Servers                 admin / ISEisC00L
(device not legible)        admin / ISEisC00L
Windows 7 Client            W7PC-guest\admin / ISEisC00L
                            DEMO\admin / ISEisC00L (Domain = DEMO)
                            DEMO\employee1 / ISEisC00L
To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.
Connect to a POD
Step 1
Note: All lab configurations can be performed from the Admin client PC.
Step 2
Step 3
You have the ability to power on, power off, or open the console (view) of the VMs. Place the mouse cursor over the VM name in the left-hand pane and right-click to view the available options.
Step 4
Step 5
Step 6
For this lab ensure that the following VMs are up and running:
p##_ad
p##_ise-1-12update
p##_lob-web
p##_mail
p##_mobileiron
p##_w7pc-guest
p##_w7pc-MnT
## denotes the pod number that you are assigned to. E.g., for POD 2, p##_ad would be p02_ad. The VM w7pc-guest may be powered on manually during the exercises.
b. Select the device that you'd like to log into and double-click on it.
c. If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.
Note: Failure of lob-db to respond to ping is fine for this lab, as this VM is not used in this lab.
Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp and show clock to check whether the NTP service is working. The NTP service may be corrected by a reboot of ise-1 or a reset of the VM.
Step 3
a. Disable suppression globally
   i. Go to Administration > System > Settings, expand Protocols, and select RADIUS.
   ii. Clear the checkboxes Suppress Anomalous Clients and Suppress Repeated Successful Authentications.
   iii. Click Save when done.
b. (For reference only) Disable suppression per collection filter
   i. Go to Administration > System > Logging, expand Collection Filters, and click Add for a new filter.
   ii. Select an attribute from the drop-down menu.
   iii. Enter a value to match the attribute in (ii).
   iv. Select Disable Suppression from the drop-down menu.
   v. Click Submit.
WLC Configuration
Load WLC configuration for the lab
Step 1
Download File settings on the WLC (field labels are those of the WLC Commands > Download File page; the values are the guide's):
File Type:                      Configuration
Configuration File Encryption:  (unchecked)
Transfer Mode:                  FTP
IP Address:                     10.1.100.6
File Path:                      /
File Name:                      p##-wlc-4hr.txt
Server Login Username:          ftp
Server Login Password:          ftp
Server Port Number:             21
Note: The ## in p##-wlc-4hr.txt is to be replaced with the assigned pod number; e.g. p12-wlc-4hr.txt for pod 12.
c. Click the Download button to start the file transfer. The following message will pop up after clicking Download.
Click OK.
d. Wait for the transfer to finish and the reset to complete.
Note: The WLC will reset after downloading the configuration from an external file server. During the reset, use ping -t wlc to monitor.
Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with track pad) Touch with two fingers on the track pad if Secondary Click is configured.
Mouse: The mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
Note: The Tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to type into and click on it.
Note: When interacting with the iPad VNC session, a US keyboard is preferred.
Note: A US keyboard is also needed for the RDP session unless additional language packs are installed to provide keyboard mappings. This applies only to the RDP sessions.
Mobile enhanced portal: new look and feel for the guest and sponsor portals, enhanced for more device screens.
Pre-Activated Guest: a new type of account for users entering the network first via an 802.1X or VPN connection. A normal guest account requires the user to log into the guest portal to activate the account for login.
Updated time profiles: a new default 8-hour time profile replaces the 1-hour one.
Change account duration: ability to assign a new account duration to guest accounts (useful when expired or suspended accounts need to be used again).
Multi-interface portal policy: choose which interface and ports the portals run on.
Exercise Objective
In this exercise, your goal is to connect to the new portal, create a normal guest account, connect with the new account while showcasing the need for an activated guest, and then utilize the required password change.
Familiarize yourself with the new sponsor portal using its easy (friendly) name.
Create a normal guest and try to connect to an 802.1X network, showing the need for a pre-activated guest.
Lab Exercise 1.1: Access new portals, work with guest account activation and password change
Step 1
Login to the friendly sponsor portal and familiarize yourself with the new look and feel.
a. Login to the ISE sponsor portal http://sponsor.demo.local as staff1 / ISEisC00L
Note: At the end of the lab we will go through how you configure the portal friendly name.
b. Familiarize yourself with the new look and feel of the portal. It has changed significantly from previous releases, but the options are still the same. You can create single accounts, import accounts with a CSV, and create multiple random accounts. The options shown depend on the permissions associated with the sponsor who logs in. For the staff1 sponsor, notice that only Create Account is shown.
c. Notice that we now have a new option for what we can do with the accounts, Change Account Duration; we will be utilizing this later on to see how it works.
d. The search functionality looks different. Under each of the fields is a search box. Just type in it and it dynamically searches through the list.
Step 2
Value
John
Smith
<Optional>
<Optional>
Guest
ShortTime12min
Write down the username jsmith and password _________ off to the side so you don't have to come back to this spot.
Note: We have created a short time profile so that we can show how a guest expires and is reactivated with a new Account Duration later on.
Step 3
a. Notice how the account Status says Awaiting Initial Login.
Warning: The Apple iPad you will be using is controlled remotely using VNC over the USB port of the admin PC. Due to
configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment please do not
deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical / manual
resetting and prevent you from experiencing the full potential of the lab.
Thank you for your cooperation.
Step 4
Step 5
Click vnc-to-ipad shortcut in the taskbar of the Admin PC to start a VNC session to the iPad.
Step 6
It will prompt you to press any key to continue. You will then see the VNC Viewer pop up.
Step 7
Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the network n-p##-TS-WPA2e (## refers to your POD number).
a. Enter the username/password obtained when creating the guest account in Step 2.
Note: For the password, make sure that you DO NOT include the quotes as part of the password.
b. You should receive an Incorrect username or password message. You may need to accept Cannot Verify Server Identity before you see the message.
Note: The user is not able to login because the account is required to be Active and it is not.
Note: Accept any invalid certificate prompt.
Step 8
Click Dismiss.
Step 9
Step 10
Step 11
Now launch the mobile Safari app, close any tabs, and access Google via the bookmarks. If you receive a warning Cannot Verify Server Identity, click Continue and it will redirect to the Guest page.
New ISE 1.2: Notice how the page is optimized for the mobile device experience.
Step 12
Note: If for some reason you get a login error, close the browser tab. Go to Settings > Wi-Fi, forget the Open network and turn off wireless on the iPad. Next, go to the WLC and make sure the session is gone by going to Monitor > Clients. There should not be any entries here; if there are, select the entry and Remove it. Go back to the iPad, try to connect again, try Google again, and log back in with the new password.
Step 14
Try to access Google site again. You should now have access.
Step 15
Clean up iPad and turn off wireless to get ready for next exercise.
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and forget the Open network.
c. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
d. Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
Step 16
Using the admin PC connect to the sponsor portal. Connect to http://sponsor.demo.local and
use credentials staff1 / ISEisC00L
Step 17
Note: Prior to ISE 1.1.1, this is how ISE activates a Guest user so that they could access the network via 802.1X or VPN.
Exercise Objective
In this exercise, your goal is to create an activated guest and login directly with 802.1X.
Step 1
Step 2
Value
Bob
Jones
<Optional>
<Optional>
ActivatedGuest
DefaultEightHours
New ISE 1.2: ActivatedGuest, as we discussed before, is a new option. Also note the Account Duration options DefaultEightHours and DefaultFirstLoginEight (these replace the built-in 1-hour time profiles). An upgrade from a previous release maintains the 1-hour time profiles.
b. Click Submit
c.
Step 3
Step 4
Now connect to the network with 802.1X using this Activated Guest. Go to the iPad VNC session and turn ON the wireless.
a. Terminate any existing network connections
   i. Forget or turn off auto-login on any existing networks that the iPad automatically connects to.
   ii. Delete any existing client sessions in the WLC.
      1. On the Admin PC, browse to https://wlc.demo.local and login as admin / ISEisC00L
      2. Navigate to Monitor > Clients, drill down into each client and click Remove.
d. Click Join.
e. Accept the cert for ise-1.demo.local
f.
Step 5
Open a new browser window to Yahoo. You should be able to access the website.
b. Go to Settings > Wi-Fi and forget the n-p##-TS-WPA2e network.
e. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
c. Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
Exercise Objective
In this exercise, your goal is to learn about session limits for Guest.
Step 1
Step 2
Step 3
Step 4
Now launch the mobile Safari app and access Google via the bookmarks. If you receive a warning Cannot Verify Server Identity, click Continue and it will redirect to the Guest page.
New ISE 1.2: Notice how the page is optimized for the mobile device experience.
Step 5
Login to the Guest Portal using the credentials for bjones / _____ (written down from before)
Step 6
Note: Notice how the Activated Guest user is required to change the password on first login but doesn't get the AUP prompt.
Note: If for some reason you get a login error, go to Settings > Wi-Fi, forget the Open network, turn off wireless, and go to the controller to make sure the session is gone. Then try to connect again on the iPad, close the browser tab, try Google again, and log back in with the new password.
Step 7
b. Click on Show Live Sessions. Notice how there is only 1 live session.
Step 8
From the Admin PC, using PuTTY, connect to 3k-access using the credentials admin / ISEisC00L
a. Using the CLI command show ip int brief, ensure that GigabitEthernet0/1 is UP.
b. If it is down, issue the following CLI commands to bring it up:
3k-access#conf t
3k-access(config)#interface GigabitEthernet 0/1
3k-access(config-if)#no shutdown
Step 9
Step 10
Step 11
If you receive a security warning, accept it.
Note: If at first you are not redirected, wait for a couple of minutes and try another site.
Step 12
Step 13
b. Click Show Live Authentications. Notice, reading from the bottom up:
   i. The switch authenticates the MAC address and sends the client to the CWA portal.
   ii. User bjones logs in.
   iii. A CoA changes access to GuestPermitAccess.
   iv. After that you see another CoA come in; that's the one kicking the iPad off and moving it back to WLC_CWA.
Step 14
Step 15
Clean up the iPad and turn off wireless to get ready for the next exercise.
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and forget the Open network.
c. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
d. Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
Exercise Objective
In this exercise, your goal is to enable an expired guest.
Step 1
c. Select this user and click Change Account Duration. Click OK.
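The guest account states these exercises walk through (a normal guest that is Awaiting Initial Login until its first portal login, an ActivatedGuest that can log in over 802.1X right away, expiry under a time profile, and the sponsor's Change Account Duration) as a small Python model. This is an added example written for this guide, not code from the guide or from ISE itself. The usernames jsmith and bjones and the time profiles ShortTime12min and DefaultEightHours come from the exercises; the passwords, timestamps and the model's method names are constructed.

```python
from datetime import datetime, timedelta
from enum import Enum


class GuestStatus(Enum):
    AWAITING = "Awaiting Initial Login"
    ACTIVE = "Active"
    EXPIRED = "Expired"


class GuestAccount:
    """Model of an ISE 1.2 guest account as the exercises describe it (example
    code, not ISE's own implementation):

    - a normal guest starts as 'Awaiting Initial Login' and only becomes Active
      after a successful guest (CWA) portal login, so 802.1X/VPN logins with it
      fail until then;
    - an ActivatedGuest (pre-activated) is Active from creation, so it can log
      in over 802.1X straight away; its first portal login still forces a
      password change but shows no AUP;
    - when the time profile elapses the account is Expired, and the sponsor's
      'Change Account Duration' makes it usable again for a new duration.
    """

    def __init__(self, username, password, duration, pre_activated=False, created=None):
        self.username = username
        self.password = password
        self.created = created or datetime.now()
        self.expires = self.created + duration
        self.activated = pre_activated
        self.must_change_password = True

    def status(self, now):
        if now >= self.expires:
            return GuestStatus.EXPIRED
        return GuestStatus.ACTIVE if self.activated else GuestStatus.AWAITING

    def _credentials_ok(self, password, now):
        return password == self.password and self.status(now) is not GuestStatus.EXPIRED

    def portal_login(self, password, new_password, now):
        """Guest (CWA) portal login: activates a normal guest and applies the
        forced password change on first login. Returns True on success."""
        if not self._credentials_ok(password, now):
            return False
        self.activated = True
        if self.must_change_password:
            self.password = new_password
            self.must_change_password = False
        return True

    def dot1x_login(self, password, now):
        """802.1X / VPN login: no portal is involved, so only an account that is
        already Active (and not expired) is accepted."""
        return self._credentials_ok(password, now) and self.status(now) is GuestStatus.ACTIVE

    def change_account_duration(self, duration, now):
        """Sponsor action 'Change Account Duration': a new expiry counted from now."""
        self.expires = now + duration


def walkthrough():
    """Replays the guest exercises with constructed accounts and passwords and
    returns the observed outcomes keyed by step."""
    t0 = datetime(2013, 8, 21, 9, 0)  # constructed start time
    out = {}

    # Exercise 1.1: normal guest jsmith with the ShortTime12min time profile
    jsmith = GuestAccount("jsmith", "Pw-jsmith-1", timedelta(minutes=12), created=t0)
    out["jsmith_initial_status"] = jsmith.status(t0).value
    # 802.1X on n-p##-TS-WPA2e before portal activation: 'Incorrect username or password'
    out["jsmith_dot1x_before_activation"] = jsmith.dot1x_login("Pw-jsmith-1", t0 + timedelta(minutes=1))
    # Captive-portal login activates the account and forces the password change
    out["jsmith_portal_login"] = jsmith.portal_login("Pw-jsmith-1", "Pw-jsmith-2", t0 + timedelta(minutes=2))
    out["jsmith_status_after_portal"] = jsmith.status(t0 + timedelta(minutes=2)).value
    out["jsmith_old_password_after_change"] = jsmith.dot1x_login("Pw-jsmith-1", t0 + timedelta(minutes=3))
    out["jsmith_new_password_after_change"] = jsmith.dot1x_login("Pw-jsmith-2", t0 + timedelta(minutes=3))
    # Expired-guest exercise: the 12-minute profile elapses, then the sponsor extends it
    out["jsmith_status_after_12min"] = jsmith.status(t0 + timedelta(minutes=13)).value
    out["jsmith_dot1x_when_expired"] = jsmith.dot1x_login("Pw-jsmith-2", t0 + timedelta(minutes=13))
    jsmith.change_account_duration(timedelta(hours=8), t0 + timedelta(minutes=15))
    out["jsmith_status_after_duration_change"] = jsmith.status(t0 + timedelta(minutes=16)).value

    # Exercises 1.2 and 1.3: ActivatedGuest bjones with DefaultEightHours
    bjones = GuestAccount("bjones", "Pw-bjones-1", timedelta(hours=8), pre_activated=True, created=t0)
    out["bjones_initial_status"] = bjones.status(t0).value
    out["bjones_dot1x_immediately"] = bjones.dot1x_login("Pw-bjones-1", t0 + timedelta(minutes=1))
    out["bjones_portal_first_login"] = bjones.portal_login("Pw-bjones-1", "Pw-bjones-2", t0 + timedelta(minutes=5))
    out["bjones_password_changed"] = bjones.password == "Pw-bjones-2"
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The model makes the operational point of the exercises explicit: a normal guest's credentials are useless on an 802.1X or VPN network until a portal login has activated the account, while a pre-activated guest skips that step, so the choice of guest type decides which networks a sponsor-created account can reach before anyone has seen the portal.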
Lab Exercise 1.5: View the ISE configuration changes needed for the past exercises.
Exercise Objective
In this exercise, your goal is to review the configurations needed for the prior exercises
Mobile Portal
Session limit
Step 1
Step 2
Step 3
Step 4
Step 5
You can also designate a special port and interface for a portal. This is valuable if, for example, you want the Guest Portal to run in the DMZ.
b. Notice the Portal FQDNs. This is where you configure the friendly and easy Sponsor and My Devices Portal names. These FQDNs would be aliases (CNAME records) of ise-1.demo.local in DNS.
Step 6
Navigate to the Language Templates under Guest as well and see what you can change there.
Updated in ISE 1.2: The language templates increased from eleven in ISE 1.1.1 to fifteen in ISE 1.2.
This lab covers the ISE configuration requirements to enable ISE integration with 3rd party MDM servers. Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a policy server and an inline enforcement point that controls the use of applications (e.g. email) on a mobile device in the deployed environment. Today Cisco Identity Services Engine (ISE) is the only entity that can provide granular access to endpoints (based on ACLs, TrustSec SGTs etc.). In this integration, the ISE-enabled network is the enforcement point while the MDM policy server serves as the policy decision point. ISE expects specific data from MDM servers to provide a complete solution.
The following are the high level use cases in this solution.
Device registration: non-registered endpoints accessing the network on-premises will be redirected to the registration page on the MDM server for registration based on user role, device type, etc.
Remediation: non-compliant endpoints will be given restricted access based on compliance state.
Periodic compliance check: periodically check with the MDM server for compliance.
Ability for the administrator in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping of the managed device).
Ability for the end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe and PIN Lock.
MDM Integration use-case overview
1. User associates the device to the SSID.
2. If the user's device is not registered, the user goes through the BYOD on-boarding flow, details listed in the Appendix.
3. ISE makes an API call to the MDM server.
4. This API call returns the list of devices for this user and the posture status for the devices. Please note that we can pass the MAC address of the endpoint device as an input parameter.
5. If the user's device is not in this list, it means the device is not registered. ISE will send a change of authorization to the NAD to redirect to ISE, and then the user device will be redirected to the MDM server to start the registration process (home page or landing page).
6. ISE will know that this device needs to be provisioned using MDM and will present an appropriate page to the user to proceed to registration.
7. The user will be transferred to the MDM where registration will be done. Control will transfer back to ISE either through automatic redirection by the MDM server or by the user refreshing their browser again.
8. ISE will query MDM again to learn the posture status.
9. If the user device is not compliant with the posture (compliance) policies configured on the MDM, the user will be notified that the device is out of compliance and needs to be brought into compliance.
10. Once the user's device becomes compliant, the MDM server will update the device state in its internal tables.
11. At this stage the user can refresh the browser, at which point control transfers back to ISE.
12. ISE also polls the MDM server periodically to get compliance information and issues CoAs appropriately.
This section of the guide is divided into smaller sub-sections for clarity.
Exercise Objective
In this exercise, your goal is to review ISE for single SSID wireless BYOD, which includes the completion of the following tasks in ISE:
Review the Authentication Policy to accept 802.1X authentication from wireless access devices with EAP-TLS or PEAP (EAP-MSCHAPv2) protocols.
Review the Authorization Policy to allow registration as well as supplicant provisioning and to grant full access to registered devices.
Step 1
Open a new tab in the web browser and access the ISE administration web interface at https://ise-1.demo.local using the credentials admin / ISEisC00L
Step 2
Verify that the Wireless LAN Controller is configured as a Network Access Device in ISE.
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. This network device is preconfigured with the values shown in the following table:
Attribute                  Value
Name                       wlc
Description                (blank)
IP Address                 10.1.100.61 / 32
Model Name                 (blank)
Software Version           (blank)
Device Type                WLC
Location                   GOLD-Lab
Authentication Settings    (checked)
  Protocol                 RADIUS
  Shared Secret            ISEisC00L
Step 3
Value
MSCEP
-
https://ad.demo.local/certsrv/mscep
Note: The SCEP RA URL may start with either http:// or https://. The latter needs AD with a valid certificate and the root CA certificate imported into the ISE certificate store beforehand.
Note: If this fails, please ask the proctor to check on the ad server VM. MSCEP is hosted on the Microsoft AD server in this lab. The proctor can either stop and start the service (NDES) or reset the AD VM (power off and power on).
d. Under Administration > System > Certificates, go to Certificate Store; both the CA and RA (registration authority) certificates of the certificate chain for the SCEP server should have been automatically retrieved.
Step 4
Go to Administration > Identity Management > External Identity Sources > Certificate
Authentication Profile, verify that the CN_Username profile is already configured as shown
below:
Step 5
Next go to Administration > Identity Management > Identity Source Sequences and verify
that DOT1X_ID_Sequence is present and is configured as shown:
Step 6
Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols and verify that PEAP_o_TLS exists and allows only two protocols:
a. EAP-TLS
b. PEAP with inner method EAP-MSCHAPv2
Step 7
Go to Policy > Authentication and ensure that the authentication policy is already configured as below:
Enabled   Name            Condition                        Protocols / Identity Source                                   Options (if authentication failed / if user not found / if process failed)
          MAB             IF Wired_MAB OR Wireless_MAB      allow protocols HostLookup_Only and use Internal Endpoints     Reject / Continue / Drop
          (not legible)   (not legible)                     ... and use DOT1X_ID_Sequence                                  Reject / Reject / Drop
          Default Rule    (if no match)                     allow protocols Default Network Access and use DenyAccess      Reject / Reject / Drop
Step 8
Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Two Authorization Profiles (with values as shown below in the tables) that will be used in the Authorization Policy, one for full network access and the other dedicated to supplicant provisioning, are pre-configured.
a. Authorization Profile for allowing Full Network Access
Attribute                      Value
Name                           WLC_FullAccess
Description                    -
Access Type                    ACCESS_ACCEPT
Common Tasks
  Airespace ACL Name (checked) PERMIT-ALL-TRAFFIC
b. Authorization Profile dedicated to Supplicant Provisioning
Attribute                      Value
Name                           WLC_SupplicantProvisioning
Description                    -
Access Type                    ACCESS_ACCEPT
Common Tasks
  Web Redirection (checked)    Drop-down menu: Native Supplicant Provisioning
                               ACL: !PERMIT-2-ISE-a-DNS
Attributes Details
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=!PERMIT-2-ISE-a-DNS
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionIdValue&action=nsp
Step 9
Ensure the following two Authorization Policy rules are already configured under Policy >
Authorization as shown below. Also, make sure that the Default policy is set to DenyAccess.
Scroll through the list as needed to see the additional Authorization Policies.
Information Note Only: To insert a new authorization rule, click Edit in the right end of a rule and choose from the drop-down
option menu.
Informational Note Only: To add the first condition with an attribute/value pair, such as Network Access:EapAuthentication EQUALS EAP-TLS, use Create New Condition (Advance Option). Then pick Add Attribute/Value for more such conditions in the same rule.
Step 10
Rule Name    Identity Groups   Operating Systems   Other Conditions   Results
Apple iOS    Any               Apple iOS All                          iOS_WPA2e_TLS
Step 11
and then copy the name of the Secure SSID, e.g. n-p##-TS-WPA2e. If the SSID is disabled,
Go to Policy > Policy Elements > Results > Client Provisioning > Resources. Select iOS_WPA2e_TLS and click Edit. Modify the SSID n-p##-TS-WPA2e to match your POD.
Attribute            Value
Name                 iOS_WPA2e_TLS
Description          (blank)
Operating System     Apple iOS All
Connection Type      Wireless
SSID                 n-p##-TS-WPA2e
Security             WPA2 Enterprise
Allowed Protocol     TLS
Key Size             1024
Note: Make sure you update the SSID to match your POD. To avoid making any typos, copy the SSID name from the WLC and paste it into the ISE GUI.
Lab Exercise 2.2: Configure ISE for 3rd Party MDM integration
Exercise Objective
In this exercise the student will add a 3rd party MDM server into ISE and then configure ISE authorization policies to use MDM attributes. The diagram below shows the main steps in configuring MDM integration.
Step 1
Note: The certificate for the 3rd party MDM server in Step 1 is already downloaded in ISE; Step 1 is only to view the certificate for completeness of the configuration.
Go to Administration > System > Certificates > Certificate Store and verify that the MobileIron certificate is in the Certificate Store as shown below.
Step 2
Add the MDM server: go to Administration > Network Resources > MDM and click Add. Enter the MDM server details as below with credentials User name: admin, Password: ISEisC00L. Make sure to select the Enable checkbox so that the server is enabled after adding.
Step 3
Click on Test Connection and an info dialog box will pop up.
Step 4
Click on Submit. It will test the connectivity again and add the MDM server. Also check the MDM status and ensure it is Active.
Step 5
Review the MDM dictionaries. Once the MDM server is added, the supported dictionaries show up on ISE and can later be used in ISE authorization policies. Go to Policy > Policy Elements > Dictionaries > System > MDM > Dictionary Attributes and review all the available attributes.
Step 6
Log on to the WLC <https://wlc.demo.local>. Navigate to Security > Access Control Lists > Access Control Lists. Verify that the ACL named MDM_Quarantine_ACL is present on the Wireless LAN Controller. This ACL was used in policy earlier to redirect clients selected for BYOD supplicant provisioning and certificate provisioning, and will also be used for MDM quarantine.
The Cisco Identity Services Engine IP address = 10.1.100.21
Internal Corporate Networks = 10.0.0.0, 255.0.0.0 (to redirect) (Allow ISE and MDM Server)
MDM Server = 10.1.100.15
Step 7
Step 8
Locate the Authorization policy rule Reg with ISE TLS and select Duplicate Above.
Note: Use Duplicate Above/Below to speed up creating rules with similar conditions.
c. Update the two policy rules (Reg with ISE TLS and its duplicate) as defined below, in turn:
Reg with ISE and MDM comp: once the device is registered with both ISE and MDM, and is in compliance with MDM policies, it will be granted full access to the network.
Reg with ISE NOT MDM: this authorization rule is for devices which are registered with ISE but either not yet with an MDM server or not compliant with MDM policies. Once the device hits this rule, it will be forwarded to the ISE MDM landing page. If not registered with MDM, the Register button is shown. If already registered but not compliant, it will inform the user about the compliance failure.
Status   Rule Name   Identity Groups   Other Conditions   Permissions
(the rules are listed one per block below, in policy order)
Rule: Employee Personal Device
  Identity Groups: Any
  Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
  Permissions: WLC_SupplicantProvisioning
Rule: Reg with ISE and MDM comp
  Identity Groups: RegisteredDevices
  Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID AND MDM:MDMServerReachable EQUALS Reachable AND MDM:DeviceRegisterStatus EQUALS Registered AND MDM:DeviceCompliantStatus EQUALS Compliant
  Permissions: WLC_FullAccess
Rule: Reg with ISE NOT MDM
  Identity Groups: RegisteredDevices
  Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID AND MDM:MDMServerReachable EQUALS Reachable
  Permissions: MDM_Quarantine
Rule: Default
  Condition: (if no matches)
  Permissions: DenyAccess
Do not forget to SAVE all the changes after updating the Authorization Policy rules.
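The authorization rules above, evaluated top to bottom the way ISE does, together with the per-device MDM lookup from the use-case overview, as an added Python example written for this guide (it is neither ISE's policy engine nor MobileIron's API). The rule names, attribute names and the values Reachable, Registered and Compliant are the ones shown in the table; the negative values UnReachable, UnRegistered and NonCompliant are assumed, and every session and MDM record below is constructed. The walkthrough also covers a case the rule order implies but the table does not spell out: when the MDM server is unreachable neither MDM rule matches, so an otherwise registered and compliant device falls through to Default and gets DenyAccess.

```python
"""First-match evaluation of the Exercise 2.2 authorization rules with the
MDM attribute lookup (example code added to the guide, not ISE's engine)."""

WIRELESS_80211 = "Wireless - IEEE 802.11"

# Constructed stand-in for what the MDM server answers per device MAC
# (ISE passes the Calling-Station-ID as the input parameter, overview step 4).
MDM_RECORDS = {
    "00:11:22:33:44:55": {"registered": True, "compliant": True},
    "00:11:22:33:44:66": {"registered": True, "compliant": False},
    # any MAC not listed is unknown to the MDM, i.e. not registered
}


def mdm_lookup(mac, server_reachable=True):
    """Return the MDM:* session attributes ISE would populate for this device."""
    if not server_reachable:
        return {"MDM:MDMServerReachable": "UnReachable"}  # assumed value name
    rec = MDM_RECORDS.get(mac, {"registered": False, "compliant": False})
    return {
        "MDM:MDMServerReachable": "Reachable",
        "MDM:DeviceRegisterStatus": "Registered" if rec["registered"] else "UnRegistered",
        "MDM:DeviceCompliantStatus": "Compliant" if rec["compliant"] else "NonCompliant",
    }


# Condition helpers: each takes the session attribute dict and returns a bool.
def wireless_802_1x(s):
    # ISE's built-in Wireless_802.1X compound condition
    return s.get("Radius:NAS-Port-Type") == WIRELESS_80211 and s.get("Radius:Service-Type") == "Framed"


def eap_auth(method):
    return lambda s: s.get("Network Access:EapAuthentication") == method


def san_equals_calling_station(s):
    # Binds the BYOD certificate to the device it was issued to
    return s.get("CERTIFICATE:Subject Alternative Name") == s.get("Radius:Calling-Station-ID")


def mdm(attr, value):
    return lambda s: s.get("MDM:" + attr) == value


# (rule name, identity group, conditions, permission) in the order of the table
RULES = [
    ("Employee Personal Device", "Any",
     [wireless_802_1x, eap_auth("EAP-MSCHAPv2")], "WLC_SupplicantProvisioning"),
    ("Reg with ISE and MDM comp", "RegisteredDevices",
     [wireless_802_1x, eap_auth("EAP-TLS"), san_equals_calling_station,
      mdm("MDMServerReachable", "Reachable"), mdm("DeviceRegisterStatus", "Registered"),
      mdm("DeviceCompliantStatus", "Compliant")], "WLC_FullAccess"),
    ("Reg with ISE NOT MDM", "RegisteredDevices",
     [wireless_802_1x, eap_auth("EAP-TLS"), san_equals_calling_station,
      mdm("MDMServerReachable", "Reachable")], "MDM_Quarantine"),
]
DEFAULT_RULE = ("Default", "DenyAccess")


def authorize(session, identity_groups):
    """Top-to-bottom first match; the Default rule applies if nothing matches."""
    for name, group, conditions, permission in RULES:
        if group != "Any" and group not in identity_groups:
            continue
        if all(cond(session) for cond in conditions):
            return name, permission
    return DEFAULT_RULE


def eap_tls_session(device_mac, cert_san=None, mdm_reachable=True):
    """A wireless EAP-TLS session for a device; cert_san defaults to the device MAC."""
    session = {
        "Radius:NAS-Port-Type": WIRELESS_80211,
        "Radius:Service-Type": "Framed",
        "Network Access:EapAuthentication": "EAP-TLS",
        "Radius:Calling-Station-ID": device_mac,
        "CERTIFICATE:Subject Alternative Name": cert_san or device_mac,
    }
    session.update(mdm_lookup(device_mac, mdm_reachable))
    return session


def walkthrough():
    """Permissions for the situations the overview describes, keyed by scenario."""
    registered = {"RegisteredDevices"}
    peap = {"Radius:NAS-Port-Type": WIRELESS_80211, "Radius:Service-Type": "Framed",
            "Network Access:EapAuthentication": "EAP-MSCHAPv2"}
    return {
        "onboarding_peap": authorize(peap, set())[1],
        "registered_compliant": authorize(eap_tls_session("00:11:22:33:44:55"), registered)[1],
        "registered_noncompliant": authorize(eap_tls_session("00:11:22:33:44:66"), registered)[1],
        "not_in_mdm": authorize(eap_tls_session("00:11:22:33:44:77"), registered)[1],
        "mdm_unreachable": authorize(eap_tls_session("00:11:22:33:44:55", mdm_reachable=False), registered)[1],
        "cert_san_mismatch": authorize(eap_tls_session("00:11:22:33:44:77", cert_san="00:11:22:33:44:55"), registered)[1],
    }


if __name__ == "__main__":
    for scenario, permission in walkthrough().items():
        print(f"{scenario}: {permission}")
```

Two results are worth checking against the table before saving the policy in ISE: a device whose certificate SAN does not equal its Calling-Station-ID matches neither EAP-TLS rule and is denied, which is what ties the issued certificate to one device, and the mdm_unreachable case shows that this policy fails closed during an MDM outage, so a maintenance window on the MDM server is also an outage for registered BYOD devices unless a rule is added for that condition.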
Lab Exercise 2.3: Review policy configuration on 3rd Party MDM Server.
Note: Please DO NOT change any policies on the 3rd party MDM server, as this could leave the iPad in an unusable state.
Exercise Objective
In this exercise, your goal is to familiarize yourself with and review the configuration of the MobileIron server for the corporate policies. This includes completion of the following tasks:
Step 1
Verify admin account privileges for the REST API, i.e. the account used by ISE to send REST API calls to the MobileIron server.
b. Login with username admin and password ISEisC00L. Once you login, the USERS & DEVICES tab should display.
Step 2
User Management
a. Navigate to USERS & DEVICES > User Management. From there, click the checkbox before the admin user and click on Assign Roles.
Navigate to USERS & DEVICES > User Management. From there, click the checkbox before the employee1 user and click on Assign Roles.
d. Notice that the API check box is NOT selected for this user.
Step 3
c.
Value
WebEx
Required
IS
WebEx
ALL
WebEx
Step 4
Note: The current version of AnyConnect is not compatible with the iPad 1 in the pod, so AnyConnect cannot be enforced here.
Step 5
c.
Note: The step below is needed as the current value on the server is set to Yes.
Note: The current version of AnyConnect is not compatible with the iPad 1, which is used in the pod.
You are now familiar with the basic configuration of the 3rd-party MDM server, MobileIron. You will use it in subsequent exercises.
Exercise Objective
In this exercise, your goal is to familiarize yourself with and configure the My Devices Portal on ISE. This includes completion of the following tasks:
Step 1
b. Log in with username admin and password ISEisC00L. The ISE Dashboard should display.
Step 2
Review the options to enable the AUP link, set the maximum number of devices, and set the Help Desk email address and phone number. The maximum number of devices is 5 by default.
d. Enter values of your choosing under Help Desk for Email and Phone number.
Step 3
Note: By default, the friendly FQDN is not enabled. It is preconfigured here in the interest of time and to avoid a restart of the ISE services. In this setup, mydevices.demo.local is aliased to ise-1.demo.local in DNS.
Step 4
Under Administration > Web Portal Management > Settings > My Devices, verify that the Authentication Source is set to MyDevices_Portal_Sequence, which is the default.
Step 5
Note: Please accept/confirm any browser certificate warnings, which are mostly due to the browser not trusting the root CA certificate that signed the SSL server certificate of ISE.
b. Log in with the AD user/password employee1 / ISEisC00L
Note: This authentication event can be shown in the AAA Diagnostics reports; this requires setting the ARP (My Devices Portal) component to log INFO messages.
You are now familiar with the look and feel of the My Devices Portal. This portal will be used in the subsequent exercises.
Lab Exercise 2.5: Test and Verify the onboarding of a non-corporate Apple iPad
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Connect to the iPad via VNC to test the wireless BYOD feature.
Connect the iPad to the corporate SSID and check the onboarding of the Apple iPad and the installation of the native supplicant profiles for the corporate user.
Step 1
Click on the taskbar shortcut vnc-to-ipad to start a VNC session to the iPad. Press any key to continue when prompted, and you will then see the VNC Viewer.
Step 2
On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if present.
Note: If there are no profiles, you might not see the Profiles menu option.
Step 3
Next, on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
Step 4
Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the network n-p##-TS-WPA2e.
a. Enter the AD username/password credentials (employee1 / ISEisC00L) and click Join.
b. Click to Accept the certificate
Step 5
Next, click on the blue arrow of the connected network and verify the IP address assigned.
Now launch the mobile Safari app and access the website www-int.demo.local. If you receive the warning Cannot Verify Server Identity, click Continue and you will be redirected to the self-provisioning page.
Note: If a red error is shown and the Register button is greyed out, check whether a Client Provisioning Policy rule has been created for Apple iOS (Policy > Client Provisioning).
Also, run a Supplicant Provisioning report (Operations > Reports > Endpoints and Users > Supplicant Provisioning > Run).
When prompted to install the root CA certificate that signed the SSL server certificate of ISE, click Install.
Step 6
Once back at the self-provisioning page in Safari, enter an optional description and click Register to register the iPad.
Step 8
Verify that Settings > General > Profiles shows two installed profiles.
Note: iOS_WPA2e_TLS is the name of the supplicant profile created in Step 11 of Exercise 2.1.
Step 9
Once enrollment is complete, launch the mobile Safari app and access www.google.com; the iPad will have access as per the corporate policies.
Now access the website www-int.demo.local (a corporate resource). Since the device is not enrolled with MDM, as per the configured policies the device will be redirected to the page hosted on ISE to register with the 3rd-party MDM server. To simplify the end-user experience, a link to the configured 3rd-party MDM server is presented, which the user can click to be redirected to install the MDM client.
Click on the link called Step 1: Enroll but do NOT click on the Step 2: Continue button.
Go to the iPad home screen (right-click on the iPad, hold down the click key and move the mouse towards your left to swipe the screen); this takes you to a new page on the iPad. Click the MobileIron icon to launch the MobileIron Agent.
If you get the Application Reset pop-up, click OK to continue.
Step 10
Enter the following values and accept ALL certificates when prompted. If asked about a certificate, click Accept, since this is the certificate from the MobileIron server to be installed on the iPad. The certificate is later used to push the MDM profile and certificates from the MobileIron server.
Attribute Value
User Name employee1
Server mobileiron.demo.local
Password ISEisC00L
e. The iPad will prompt that the MobileIron server is installing the certificate named PortalCA, which is not a publicly signed certificate. Click Install Now.
Note: After clicking Done, STOP and wait for the iPad to prompt for app installation. If the iPad does not prompt for app installation, please check with the lab administrator. This is to test the non-compliant state of the iPad.
The iPad is now registered with the MobileIron MDM server but is missing the corporate application and is therefore NOT compliant with ISE as per the configured policies.
Step 11
As part of the corporate compliance policies, the device needs to have the corporate applications. In this lab, the MDM server will push the WebEx application onto the iPad.
Step 12
Click on Safari to open the browser and access www-int.demo.local, then click the Continue button so ISE can send a CoA-Reauth.
Once ISE sends a successful CoA, it will refresh the iPad browser, prompting the user to access the original URL.
Step 13
Step 14
Go to the iPad home screen (right-click on the iPad, hold down the click key and move the mouse towards your left to swipe the screen); this takes you to a new page on the iPad. Click the MobileIron icon to launch the MobileIron Agent.
Note: If the page has no MobileIron icon, right-click once to go back to the iPad home screen and right-click again to launch Search. Enter MobileIron as the search string to find and launch it.
Step 15
e. This time, wait until prompted to install the WebEx Meetings app, then click Install.
Step 16
Step 17
Note: After clicking on Apps, STOP if any of the apps is reported in RED. This means that the MobileIron MDM server has NOT received updates from the MobileIron Agent.
To send another update from the MobileIron Agent to the MobileIron server:
Go to the iPad home screen (right-click on the iPad, hold down the click key and move the mouse towards your left to swipe the screen); this takes you to a new page on the iPad. Click the MobileIron Agent app to launch it.
Click Settings, then Force Device Check-in.
Click Check-in.
Please note that this might need to be done multiple times, depending on whether the update from the MobileIron Agent reaches the MobileIron server.
Repeat from Step 10 to make sure the apps are in compliance.
Step 18
Step 19
Check the Live Logs on the ISE admin web console to verify that the correct authorization profiles were applied. Initially, the device is authorized with WLC_SupplicantProvisioning. Once provisioning is done, the MDM registration process starts: the user is first asked to register and then to comply with the corporate compliance policies, which results in another authentication, after which the WLC_FullAccess profile is applied.
Note: For detailed troubleshooting, enable DEBUG logging for the relevant components: client, guest and provisioning (Admin > System > Logging > Debug Log Configuration).
Step 20
b. Once the newly installed Wi-Fi profile authenticates the device to the network, this state will move to Registered.
Lab Exercise 2.6: Test and Verify the Corporate Wipe function on My Devices Portal
Exercise Objective
In this exercise, your goal is to complete the following tasks:
From the My Devices Portal, initiate the Corporate Wipe action on the device to observe the Change of Authorization (CoA) occur and restrict access from the device.
Step 1
Refer to Appendix A for the sample WLC configuration. Log in to the WLC web interface https://wlc.demo.local as admin / ISEisC00L to review the WLAN and ACLs used in this exercise.
a. WLAN: n-p##-TS-WPA2e
b. ACLs: PERMIT-ALL-TRAFFIC and MDM_Quarantine_ACL
Note: The ## in n-p##-TS-WPA2e is to be replaced with the assigned pod number, e.g. n-p22-TS-WPA2e for pod 22.
Step 2
Review the authorization profile MDM_Quarantine under Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=mdm
cisco-av-pair = url-redirect-acl=MDM_Quarantine_ACL
Step 3
Go to the My Devices Portal and click Corporate Wipe for the iPad. The AnyConnect application will now be removed from the iPad and the device will be blocked from accessing the corporate network. Note the icon change under State.
Note: Due to a possible race condition (CSCui00582), ISE does not send a CoA to the controller after initiating the Corporate Wipe. Please initiate a CoA from the ISE Live Sessions log or toggle Wi-Fi to see the change in the authorization policy rule.
Step 4
From the VNC session to the iPad, switch to the mobile Safari app. Reload the page www-int.demo.local and the user will see the message: You must enroll your device
Step 5
Under Operations > Authentications, review the Live Logs. They show that a Dynamic Authorization is triggered after the device is corporate-wiped, and then a reauthorization matches the device to the MDM_Quarantine profile.
Step 6
Clean up the iPad and turn off wireless to get ready for the next exercise:
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and forget the network the iPad is connected to.
c. Go to Settings > Wi-Fi and slide the virtual switch off to disable Wi-Fi.
d. Remove the two profiles installed by the ISE BYOD services on the iPad under Settings > General > Profiles.
e. Go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
Exercise Objective
In this exercise, your goal is to familiarize yourself with endpoint logical profiles, which includes
the completion of the following tasks in ISE:
Step 1
Step 2
a. Navigate to Policy > Profiling and select Logical Profiles in the left-hand panel.
b. Click Add in the right-hand panel and fill in with the values as shown below:
Attribute Value
Name iDevices
Description Handheld Devices
Policy Assignment Apple:iDevice, Apple:iPad, Apple:iPhone
c. Click Submit when finished; the new logical profile is now listed.
Note: Ignore any other preconfigured logical profiles that may be shown in addition to the one you created in this step.
Step 3
Add the new I-Device endpoint profile to an existing ISE authorization policy.
a. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create a new Authorization Profile as below and then click Save.
Attribute Value
Name I-Device-Full-Access
Description Access Accept and Permit All Traffic
Access Type ACCESS_ACCEPT
Airespace ACL Name PERMIT-ALL-TRAFFIC
Modify the existing rule Employee_Personal_Device (by clicking Edit at the right-hand corner of the rule), add the EndPoints condition and change the Permissions as shown in the example below:
Rule Name Employee_Personal_Devices
Identity Groups Any
Other Conditions Wireless_802.1x AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2 AND EndPoints:LogicalProfile EQUALS iDevices
Permissions I-Device-Full-Access
Step 4
Click Save; the Employee_Personal_Device rule should now be the second rule in the Authorization Policy.
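The authorization rules this lab reviews and edits (the MDM_Quarantine profile with its url-redirect av-pairs from Exercise 2.6, Step 2, and the Employee_Personal_Device rule with the iDevices logical profile above) modelled as a first-match policy, as an added Python example that is not part of the lab guide. The MDM_Unregistered rule, its MDM:DeviceRegisterStatus condition, the rule order, the PSN address ise-1.demo.local:8443 and the sample sessions are assumptions; the rule, profile, ACL and av-pair values come from the guide.

```python
"""Added example, not part of the lab guide: a first-match model of the ISE
authorization rules this lab builds (MDM_Quarantine from Exercise 2.6 and the
Employee_Personal_Device rule with the iDevices logical profile from Exercise 3).
Rule, profile, ACL and av-pair values come from the guide.  Assumptions: the rule
named MDM_Unregistered and its use of the ISE MDM:DeviceRegisterStatus attribute,
the rule order, the PSN address and the sample session values."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Session = Dict[str, str]           # attribute name -> value, as ISE sees them
Condition = Callable[[Session], bool]

# Logical profile from Exercise 3: one name standing for several endpoint profiles.
LOGICAL_PROFILES = {"iDevices": {"Apple-iDevice", "Apple-iPad", "Apple-iPhone"}}

def logical_profile_for(matched_profile: str) -> Optional[str]:
    """Derive EndPoints:LogicalProfile from the EndPointMatchedProfile value."""
    for name, members in LOGICAL_PROFILES.items():
        if matched_profile in members:
            return name
    return None

@dataclass
class AuthzProfile:
    name: str
    access_type: str = "ACCESS_ACCEPT"
    airespace_acl: Optional[str] = None                 # Airespace ACL Name
    av_pairs: List[str] = field(default_factory=list)   # cisco-av-pair values

    def radius_attributes(self, session_id: str, psn: str) -> Dict[str, List[str]]:
        """Render the Access-Accept attributes.  ISE fills in ip:port and
        SessionIdValue at runtime; the same substitution is done here."""
        attrs: Dict[str, List[str]] = {"Access-Type": [self.access_type]}
        if self.airespace_acl:
            attrs["Airespace-ACL-Name"] = [self.airespace_acl]
        if self.av_pairs:
            attrs["cisco-av-pair"] = [p.replace("ip:port", psn).replace("SessionIdValue", session_id)
                                      for p in self.av_pairs]
        return attrs

MDM_QUARANTINE = AuthzProfile("MDM_Quarantine", av_pairs=[
    "url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=mdm",
    "url-redirect-acl=MDM_Quarantine_ACL"])
I_DEVICE_FULL_ACCESS = AuthzProfile("I-Device-Full-Access", airespace_acl="PERMIT-ALL-TRAFFIC")
DENY_ACCESS = AuthzProfile("DenyAccess", access_type="ACCESS_REJECT")

def equals(attr: str, value: str) -> Condition:
    return lambda s: s.get(attr) == value

def all_of(*conds: Condition) -> Condition:
    return lambda s: all(c(s) for c in conds)

# ISE's built-in Wireless_802.1X compound condition.
WIRELESS_802_1X = all_of(equals("Radius:NAS-Port-Type", "Wireless - IEEE 802.11"),
                         equals("Radius:Service-Type", "Framed"))

# (rule name, condition, permission), evaluated top to bottom.  The first rule and
# the order are assumed; the second is the rule edited in Exercise 3, Step 3.
RULES = [
    ("MDM_Unregistered",
     all_of(WIRELESS_802_1X, equals("MDM:DeviceRegisterStatus", "UnRegistered")),
     MDM_QUARANTINE),
    ("Employee_Personal_Device",
     all_of(WIRELESS_802_1X,
            equals("Network Access:EapAuthentication", "EAP-MSCHAPv2"),
            equals("EndPoints:LogicalProfile", "iDevices")),
     I_DEVICE_FULL_ACCESS),
]

def authorize(session: Session, session_id: str, psn: str = "ise-1.demo.local:8443") -> Dict[str, object]:
    """First matching rule wins, as in the ISE authorization policy; no match falls
    through to DenyAccess.  Returns the report fields plus the RADIUS attributes."""
    s = dict(session)
    lp = logical_profile_for(s.get("EndPointMatchedProfile", ""))
    if lp:
        s["EndPoints:LogicalProfile"] = lp
    for name, condition, profile in RULES:
        if condition(s):
            return {"AuthorizationPolicyMatchedRule": name,
                    "SelectedAuthorizationProfile": profile.name,
                    "radius": profile.radius_attributes(session_id, psn)}
    return {"AuthorizationPolicyMatchedRule": "Default",
            "SelectedAuthorizationProfile": DENY_ACCESS.name,
            "radius": DENY_ACCESS.radius_attributes(session_id, psn)}

# Constructed sample sessions; the session id passed to authorize() is a placeholder.
IPAD_WIRELESS: Session = {"Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
                          "Radius:Service-Type": "Framed",
                          "Network Access:EapAuthentication": "EAP-MSCHAPv2",
                          "EndPointMatchedProfile": "Apple-iPad"}
IPAD_UNREGISTERED: Session = {**IPAD_WIRELESS, "MDM:DeviceRegisterStatus": "UnRegistered"}
IPAD_REGISTERED: Session = {**IPAD_WIRELESS, "MDM:DeviceRegisterStatus": "Registered"}
WORKSTATION: Session = {**IPAD_REGISTERED, "EndPointMatchedProfile": "Microsoft-Workstation"}

if __name__ == "__main__":
    for label, sess in [("unregistered iPad", IPAD_UNREGISTERED),
                        ("registered iPad", IPAD_REGISTERED), ("workstation", WORKSTATION)]:
        print(label, "->", authorize(sess, "SESSION-ID-PLACEHOLDER"))
```

The same AuthorizationPolicyMatchedRule and EndPointMatchedProfile values are what the detailed authentication report in the next steps shows under Other Attributes.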
the AD credentials Employee1 as username and ISEisC00L as password.
Accept the ISE certificate, if prompted.
ii. After selecting the top entry as shown above, another tab opens in your browser. Click the details icon to retrieve the detailed report for the authentication.
c. You should now have another tab with the authentication details; take note of some of the key and useful information:
i. The Identity Store is demoAD (used for authentication to the SSID).
ii. Scroll down the report to the NAS IP Address field, which indicates that the iPad connected using the WLC 10.1.10.61 and received the desired authorization profile permissions that we created earlier, I-Device-Full-Access.
iii. Scroll down in the report to the Other Attributes section and verify that the following fields matched for the iPad.
AuthorizationPolicyMatchedRule Employee_Personal_Device
EndPointMatchedProfile Apple-iPad
f. Expand the session by clicking the expand button next to it. This shows the details of the whole session, including the CoA triggering the dynamic authorization of the session.
g. Re-verify the latest authentication from Show Live Authentications, as you did earlier, to ensure that the iPad is still being assigned correctly and receiving the correct permissions. Refresh the screen if necessary.
Exercise Description
This exercise demonstrates how to enable the ISE profiler feed service and make use of the newly updated policies in an ISE endpoint profiling decision. Because of the nature of the lab and the time permitted, we will need to force an update by taking steps an administrator should never have to take.
Exercise Objective
In this exercise, your goal is to familiarize yourself with ISE profiler feed services, which includes the
completion of the following tasks in ISE:
Check for email notifications triggered by the update from the feed service.
Step 1
Log in to the ISE instance. Use the Firefox web browser to access https://ise-1.demo.local using the credentials admin / ISEisC00L.
Step 2
Step 3
c. Check the checkbox Notify administrator when download occurs and enter the email address of the administrator, admin@demo.local, as shown below.
d. Click Save to save the configuration.
Step 4
i. Issue the CLI command show application status ise to ensure that ise-1 is up and running.
ii. Issue the CLI command terminal length 0 to make the verbose log easier to navigate.
iii. Issue show logging application ise-psc.log tail to monitor the download from the feed server.
Step 5
From the ISE GUI, under Administration > Feed Service > Profiler, click the Update Now button at the bottom of the page.
Step 6
Click on Yes.
Step 7
Switch back to the PuTTY SSH session and wait for the download to begin; you should see log messages indicating that the download has begun.
The keyword FEEDMANUALDOWNLOAD indicates that this was initiated by the manual Update Now option. For automatic updates, the keyword is FEEDAUTODOWNLOAD, as below:
Step 8
Query for new OUIs downloaded from the Profile Feed Service.
Note: The report might not contain any data for a few minutes. If the report comes back empty, jump to Step 9 and complete it, then come back to Step 7 in a few minutes and re-run the report.
a. Once the download starts, navigate to Operations > Reports.
b. Select Deployment Status from the left-hand panel.
e. Click on Filters and select Object Type. Then enter OUI (all in capitals) as the Object Type.
f. Click Run.
g. Pick any row and click on its event cell. Then, click Ok to open it as a report.
h. Take a note of the Object Name field and the Modified Properties.
Note: Make sure you pick a Changed Configuration event that shows the Modified Properties. As per the IEEE, if the OUI name is private, the value will not be shown in the properties.
Step 9
d. In the Endpoint MAC Address text box, enter the Object Name from Step 8.h and complete it with any hex digits and colons to meet the supported syntax, i.e. 01:02:03 (shown below).
e. Click Submit when done.
f. Once back in the list view, click the hyperlink for the newly created endpoint.
g. Verify that its OUI value matches the Modified Properties from Step 8.h.
Step 10
In the Global Search, the administrator can search by device type (e.g. ipad, workstation), username, IP address, MAC address etc. The search results provide detailed information about the current status of the endpoint(s). Drilling further down on a result yields more details about the endpoint, including:
Authentication details
Accounting details
Posture details
Profiler details
Guest Accounting/Activity
The Session Trace tool ties in with the Search tool. From the list of results that the Search tool returns, you can select a particular endpoint and display the complete session trace for that endpoint. The endpoint is dynamically mapped to the audit-session-id, which is used to trace an entire transaction throughout the system.
The results from Search and Session Trace can then be exported for troubleshooting or auditing purposes.
ISE 1.2 has a new reporting architecture with a facelift for the reports. Reports are now organized by catalog and summarized with the number of reports under each catalog and a brief description.
ISE 1.2 also includes the scheduled reports feature. The administrator can schedule reports at periodic intervals and have the results directed to an external repository.
3. Alarms enhancements.
In ISE 1.2, alarms are pre-defined and active by default. The user-defined alarms available in earlier releases have been removed and replaced with the pre-defined alarms. The alarms are integrated into the main dashboard display and removed from the global toolbar.
From the Alarm Configuration UI, the admin can enable/disable alarms and/or change the
threshold values for the alarms.
With ISE 1.2, in addition to the Live Authentications log view, there is the new Live Sessions view. The admin can toggle between the Live Authentications and Live Sessions views.
In this lab we will only be covering the Global Search, Session Trace and Scheduled Report features. In addition, we'll also cover how to debug an authentication failure to show how the detailed report information can be used for troubleshooting.
To cover all the other features, you can do the full ISE 1.2 Monitoring & Troubleshooting Lab.
This section of the lab guide is divided into the following sub-sections:
Lab Exercise 4.1: Exploring the Global Search and Session Trace tools
Lab Exercise 4.2: Exploring the new Reports and scheduling Reports
Lab Exercise 4.3: Troubleshooting a failed authentication
As an administrator, I should be able to search easily to see how many devices of a particular device type (Apple, ipad, workstations etc.) are currently connected to the network without going to the Reporting section and generating the detailed reports.
As an admin, I should be able to search on a username and/or MAC address and get result(s) that provide the entire trace of the session. I should be able to export all the information into a log file so that I can efficiently troubleshoot the system.
Exercise Objective
In this exercise, your goal is to explore the Global Search and Session Trace tools, which includes the
completion of the following tasks in ISE:
Search for ipad in the Global Search to see how many devices are connected
Search for a username in the Global Search to yield the result for the username
From the result for the username, run the Session Trace for the user
Lab Exercise 4.1: Exploring the Global Search and Session Trace tools
Step 1
If not already logged into the ISE server, access the ISE administration web interface at https://ise-1.demo.local using the credentials admin / ISEisC00L. The Global Search is located at the top right-hand corner, as shown below:
Step 2
In the Search window, enter ipad. As you type in the search window, it starts suggesting possible answers.
Note: If no suggestions appear, ensure that your session has not timed out.
Step 3
From the suggestions, select apple-ipad and search on it. The search yields results similar to the following example:
Step 4
The highlighted section above shows how many apple-ipad devices are currently connected, failed and disconnected, and the total number of devices that connected to the ISE server. The screenshot above shows all the devices that connected to the ISE server. The icon adjacent to each result shows whether the device is connected or disconnected.
a. Click on the Connected to see the currently connected devices.
b. To export the results, click on the Export button at the bottom of the screen
Note: The exported results are saved as a zip file. Inside is a comma-separated (CSV) file containing all the results for the ipad search.
Step 5
Now either search for a username, say employee1, or use the above results for Session Trace.
Step 6
a. The top row shows, at a high level, the various actions for that session. Clicking on the high-level items automatically scrolls you down to the relevant details section. The screenshot below shows the Authenticated and Authorized section.
The screenshot below shows the next section, i.e. the Re-auth section.
Step 7
For more detailed information about the endpoint, click on Endpoint Details.
a. The Endpoint Details show detailed information about the endpoint from the various sources (Authentication, Accounting, Profiler etc.), as highlighted below.
By clicking on each of the sections, you can view in depth all the attributes and the various steps performed for each of them. The information can be exported by clicking the Export Results button. The file is saved in text format, which can be viewed with programs like WordPad or Notepad++.
b. A sample view of the Session Trace export looks as below:
Lab Exercise 4.2: Exploring the new Reporting GUI and configuring scheduled reporting.
The new Reporting GUI improves the usability of the UI and the performance of the reporting service, so that administrators can efficiently obtain sets of data for operational and security analysis.
As an ISE administrator, I want to send reports, on a set schedule, to specific individuals, groups of ISE administrators, email aliases, etc., so that the various consumers of ISE-based contextual data can consume the data appropriate for them without having to log into the system.
Exercise Objective
In this exercise, your goal is to explore the new Reporting GUI and schedule periodic reports.
This includes the completion of the following tasks in ISE:
Step 1
Access the ISE administration web interface at https://ise-1.demo.local using the credentials
admin / ISEisC00L
Step 2
Browse to Operations > Reports. Reports are organized by catalog and summarized with the number of reports under each catalog, as seen in the screenshot below:
Step 3
Click on the Auth Services Status catalog. This expands and shows the list of all the reports in this catalog. Hovering over each report shows a high-level description of the report.
Step 4
Click on a specific report, say RADIUS Authentications; a sample report with static data and the default query options is shown.
Click Run to generate the authentication report for the current day.
Step 5
To add filters, click the Filter button and select the required items for filtering the report.
Step 6
After generating the report, to export the results to a repository, click the Export option.
Step 7
After generating the report, to schedule it, select the Save As option at the top right-hand corner and choose the Scheduled Report option.
Step 8
When scheduling the report, you can choose the following options for generating the scheduled reports:
a. Frequency
b. Date and time
c. Repository
The Admin PC is pre-configured as the ISE FTPServer repository to which you can send the scheduled report. Schedule a report and check for the generated report on the Admin PC under the directory C:\inetpub\ftproot\incoming.
As an ISE administrator, when a user calls and says that authentication has failed, I want to
identify the root cause of failed authentication quickly and easily.
Exercise Objective
In this exercise, your goal is to use the new Search and Session Trace tools to ease the administrator's troubleshooting experience. This includes the completion of the following tasks:
Step 1
Use the Search to search for the user and troubleshoot the issue and identify the root cause.
Step 2
From the Admin-PC VMClient, power off the p##-w7pc-guest VM and power on the p##-w7pc-MnT VM. Now log in to Windows 7 (p##-w7pc-MnT). You may need to use the menu item VM > Guest > Send Ctrl+Alt+Del to invoke the Windows login screen.
Log in as admin / ISEisC00L
Step 3
From the Windows desktop, go to Start Menu > Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings and ensure that the Local Area Connection is enabled. If it is disabled, then enable the interface.
Step 4
Step 5
Step 6
Note: If the login prompt does not show up, then from the ISE GUI Live Sessions view:
1) send a CoA with Session terminate once the session has already failed over to MAB, or
2) go to the 3k-access switch and do a shutdown and no shutdown on the interface GigabitEthernet0/1, or
3) do a clear authentication sessions on 3k-access,
and immediately re-select wired_EAP-GTC on the AnyConnect client.
Step 7
Click on Trust to accept the certificate. The authentication will fail as expected.
Step 8
From the ISE GUI, in Live Authentications, you'll see the failed authentication, and the Failure Reason should clearly indicate the reason for the authentication failure.
You may see a number of failures with the anonymous username. These are from the first wired authentication that is configured on AnyConnect.
Once you connect to wired_EAP-GTC, the errors will show up as below:
Step 9
Click on the details for the failed authentication. In the Failure Reason, you can again see the reason for the authentication failure.
In the Steps, you can see the sequence of all the authentication steps and when and why the authentication failed.
Step 10
For further debugging of the issues, you can set the log level to DEBUG. On the ISE GUI, go to Admin > System > Logging > Debug Log Configuration to change the log levels.
Note: With the introduction of new features in ISE 1.2, you'll notice some new component names.
For MDM, the following are new components:
End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you have finished and provide any feedback to help improve the lab experience.
!
config acl rule add MDM_Quarantine_ACL 5
config acl rule destination address MDM_Quarantine_ACL 5 10.0.0.0 255.0.0.0
config acl rule destination port range MDM_Quarantine_ACL 5 0 65535
config acl rule source port range MDM_Quarantine_ACL 5 0 65535
config acl rule direction MDM_Quarantine_ACL 5 in
config acl rule add MDM_Quarantine_ACL 6
config acl rule destination port range MDM_Quarantine_ACL 6 0 65535
config acl rule source port range MDM_Quarantine_ACL 6 0 65535
config acl rule action MDM_Quarantine_ACL 6 permit
config acl rule add MDM_Quarantine_ACL 65
config acl rule destination port range MDM_Quarantine_ACL 65 0 65535
config acl rule source port range MDM_Quarantine_ACL 65 0 65535
config acl counter start
config acl create PERMIT-ALL-TRAFFIC
config acl apply PERMIT-ALL-TRAFFIC
config acl create PERMIT-2-ISE-a-DNS
config acl apply PERMIT-2-ISE-a-DNS
config acl create PERMIT-2-ISE-a-DNS-a-INTERNET
config acl apply PERMIT-2-ISE-a-DNS-a-INTERNET
config acl create BLACKHOLE
config acl apply BLACKHOLE
config acl create MDM_Quarantine_ACL
config acl apply MDM_Quarantine_ACL
config mobility group domain n-pNN-TS
config network rf-network-name n-pNN-TS
config network usertimeout 120
config network fast-ssid-change enable
config network web-auth captive-bypass enable
config network multicast l2mcast disable service-port
config network multicast l2mcast disable virtual
config dhcp proxy disable bootp-broadcast disable
config license boot base
config license agent max-sessions 9
config 802.11a cac voice sip bandwidth 64 sample-interval 20
config 802.11a cac voice sip codec g711 sample-interval 20
config 802.11a channel global off
config 802.11a txpower global 4
config 802.11a cleanair alarm device enable 802.11-nonstd
config 802.11a cleanair alarm device enable jammer
config 802.11a cleanair alarm device enable 802.11-inv
config 802.11a cleanair enable
config radius fallback-test interval 180
config radius fallback-test mode passive
config radius acct add encrypt 11 10.1.100.21 1813 password 1 3516b7676b6e057cc60e6eab4c046415 1b48c2754113392979a8a99cb7bcb4fdcbe0fb4b 16 73599122aad031626b4beca7aac40c8f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
config radius acct retransmit-timeout 11 30
config radius acct enable 11
config radius auth add encrypt 11 10.1.100.21 1812 password 1 548dafd9b3821b2c2dca6d5bc20709e5 755a8cad807da4a4f7718c0a09ad9ea41c4267dd 16 1d47e852fdaca9e6f95f734047dba5ef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
config radius auth rfc3576 enable 11
config radius auth retransmit-timeout 11 30
config radius auth enable 11
config nmsp notification interval rssi rfid 2
config certificate generate webadmin
config certificate generate webauth
config wlan aaa-override enable 10
config wlan mfp client enable 10
config wlan aaa-override enable 11
config wlan mfp client enable 11
config wlan mac-filtering enable 10
config wlan security wpa wpa2 ciphers aes disable 10
config wlan security wpa wpa2 disable 10
config wlan security wpa akm 802.1x disable 10
config wlan security wpa disable 10
config wlan security web-auth server-precedence 10 radius
config wlan security ft over-the-ds disable 11
config wlan security wpa enable 11
config wlan security web-auth server-precedence 11 radius
config wlan broadcast-ssid enable 10
config wlan nac radius enable 10
config wlan interface 10 access
config wlan broadcast-ssid enable 11
config wlan nac radius enable 11
config wlan interface 11 access
config wlan radius_server acct add 10 11
config wlan radius_server auth add 10 11
config wlan create 10 n-pNN-TS-OPEN n-pNN-TS-OPEN
config wlan session-timeout 10 1800
config wlan radius_server acct add 11 11
config wlan radius_server auth add 11 11
config wlan create 11 n-pNN-TS-WPA2e n-pNN-TS-WPA2e
config wlan session-timeout 11 1800
config wlan exclusionlist 10 60
config wlan exclusionlist 11 60
config wlan wmm allow 10
config wlan wmm allow 11
config wlan radio 10 802.11ag
config wlan radio 11 802.11ag
config wlan enable 10
config wlan enable 11
config serial timeout 3600
config time ntp server 1 128.107.212.175
config ap packet-dump truncate 0
config ap packet-dump buffer-size 2048
config ap packet-dump capture-time 10
config mgmtuser add encrypt admin 1 805504344137354e5003ad13325f9323 469e02f8c530760e8ffe4d77c6b5a0316d357540 16 b506763bef0194ab7d1586d9a6b31e1b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
config cts sxp default password encrypt 1 f411b972950230dab42dae3ba063a435 72331cb4b85a5203d6b36b4057a4ded020183fe1 16 2064f49e024f7fcf1412453adc7fbcc20000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
config cts sxp connection peer 10.1.29.1
config cts sxp enable
config rfid timeout 1200
config rfid status enable
config rfid mobility pango disable
transfer upload path /incoming
transfer upload datatype config
transfer upload serverip 10.1.100.6
transfer upload filename p01-wlc-4hr.txt
transfer upload encrypt password 1 c8fba9f060227ab99126aed7ef3e0440 723aefd4e4faa8fa6bd1b73b5d566ad354773c28 48 142cad12d46f5ca14bc01d589e7775465bb4812a28860f90a4a89569a23f4c0895edeee963b4fb3f7aa270d9657bed64
transfer upload port 21
transfer upload mode ftp
transfer upload username ftp
transfer download path /
transfer download datatype config
transfer download serverip 10.1.100.6
transfer download filename pNN-wlc-4hr.txt
transfer download mode ftp
transfer download encrypt password 1 c8fba9f060227ab99126aed7ef3e0440 723aefd4e4faa8fa6bd1b73b5d566ad354773c28 48 142cad12d46f5ca14bc01d589e7775465bb4812a28860f90a4a89569a23f4c0895edeee963b4fb3f7aa270d9657bed64
transfer download port 21
transfer download username ftp
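The WLC listing above is the part of the lab that actually enforces quarantine: MDM_Quarantine_ACL is what ISE pushes to a non-compliant device, and the WLAN lines (aaa-override, nac radius, rfc3576 on RADIUS server 11) are what let ISE apply it and later change authorization. The following Python is an added example, not code from the lab guide or from Cisco, that audits a dump of this shape. It assumes two AireOS behaviours the dump itself does not state: a freshly added config acl rule has action deny, direction any and any source/destination/ports until overridden, and an ACL ends with an implicit deny. It also assumes that an ISE redirect/CoA flow needs AAA override, RADIUS NAC and RFC 3576 enabled on an assigned RADIUS server. The sample input is constructed from the listing; rules 1 to 4 of the ACL are not on the page, so the evaluation reflects only the rules shown.

```python
"""Audit a Cisco WLC (AireOS) config dump for ISE quarantine readiness. Added
example, not part of the lab guide: it materialises 'config acl rule' lines,
tests sample client flows against MDM_Quarantine_ACL and checks each WLAN for
the settings an ISE redirect/CoA flow needs."""
import ipaddress

# Constructed sample: the ACL, RADIUS and WLAN lines as they appear in the lab
# guide's listing. Rules 1-4 of MDM_Quarantine_ACL are not on the page.
WLC_CONFIG = """\
config acl rule add MDM_Quarantine_ACL 5
config acl rule destination address MDM_Quarantine_ACL 5 10.0.0.0 255.0.0.0
config acl rule destination port range MDM_Quarantine_ACL 5 0 65535
config acl rule source port range MDM_Quarantine_ACL 5 0 65535
config acl rule direction MDM_Quarantine_ACL 5 in
config acl rule add MDM_Quarantine_ACL 6
config acl rule destination port range MDM_Quarantine_ACL 6 0 65535
config acl rule source port range MDM_Quarantine_ACL 6 0 65535
config acl rule action MDM_Quarantine_ACL 6 permit
config acl rule add MDM_Quarantine_ACL 65
config acl rule destination port range MDM_Quarantine_ACL 65 0 65535
config acl rule source port range MDM_Quarantine_ACL 65 0 65535
config radius auth rfc3576 enable 11
config wlan aaa-override enable 10
config wlan mac-filtering enable 10
config wlan security wpa disable 10
config wlan nac radius enable 10
config wlan radius_server auth add 10 11
config wlan aaa-override enable 11
config wlan security wpa enable 11
config wlan nac radius enable 11
config wlan radius_server auth add 11 11
"""

def new_rule(index):
    """AireOS defaults for a freshly added rule (assumption): any addresses and
    ports, direction any ('in' = from the wireless client), action deny."""
    return {"index": index, "src": ipaddress.IPv4Network("0.0.0.0/0"),
            "dst": ipaddress.IPv4Network("0.0.0.0/0"), "sport": (0, 65535),
            "dport": (0, 65535), "direction": "any", "action": "deny"}

def parse_acls(text):
    """Return {acl_name: {index: rule}}; the dump lists only non-default attributes."""
    acls = {}
    for t in (line.split() for line in text.splitlines()):
        if t[:3] != ["config", "acl", "rule"]:
            continue
        if t[3] == "add":
            acls.setdefault(t[4], {})[int(t[5])] = new_rule(int(t[5]))
        elif t[3] in ("source", "destination") and t[4] == "address":
            net = ipaddress.IPv4Network(f"{t[7]}/{t[8]}", strict=False)  # dotted mask
            acls[t[5]][int(t[6])]["src" if t[3] == "source" else "dst"] = net
        elif t[3] in ("source", "destination") and t[4:6] == ["port", "range"]:
            rng = (int(t[8]), int(t[9]))
            acls[t[6]][int(t[7])]["sport" if t[3] == "source" else "dport"] = rng
        elif t[3] in ("direction", "action"):
            acls[t[4]][int(t[5])][t[3]] = t[6]
    return acls

def evaluate(acl, src_ip, dst_ip, direction, sport=0, dport=0):
    """First match in index order wins; no match hits the WLC's implicit deny
    (assumption). Returns (action, matching rule index or None)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in sorted(acl.values(), key=lambda r: r["index"]):
        if (r["direction"] in ("any", direction) and src in r["src"] and dst in r["dst"]
                and r["sport"][0] <= sport <= r["sport"][1]
                and r["dport"][0] <= dport <= r["dport"][1]):
            return r["action"], r["index"]
    return "deny", None

def audit_wlans(text):
    """Return {wlan_id: {'open': bool, 'missing': [...]}}; 'missing' lists what an
    ISE redirect/CoA flow needs (AAA override, RADIUS NAC, CoA server) and lacks."""
    coa, wlans = {}, {}  # RADIUS server id -> CoA enabled; WLAN id -> settings
    def wlan(i):  # AAA override and RADIUS NAC are off on a new WLAN (assumption)
        return wlans.setdefault(int(i), {"aaa_override": False, "nac_radius": False,
                                         "wpa": None, "mac_filter": False, "servers": []})
    for t in (line.split() for line in text.splitlines()):
        if t[:4] == ["config", "radius", "auth", "rfc3576"]:
            coa[int(t[5])] = t[4] == "enable"
        elif t[:2] != ["config", "wlan"]:
            continue
        elif t[2] == "aaa-override":
            wlan(t[4])["aaa_override"] = t[3] == "enable"
        elif t[2:4] == ["nac", "radius"]:
            wlan(t[5])["nac_radius"] = t[4] == "enable"
        elif t[2:4] == ["security", "wpa"] and t[4] in ("enable", "disable"):
            wlan(t[5])["wpa"] = t[4] == "enable"
        elif t[2] == "mac-filtering":
            wlan(t[4])["mac_filter"] = t[3] == "enable"
        elif t[2:5] == ["radius_server", "auth", "add"]:
            wlan(t[5])["servers"].append(int(t[6]))
    report = {}
    for wid, w in sorted(wlans.items()):
        missing = [k for k in ("aaa_override", "nac_radius") if not w[k]]
        if not any(coa.get(s) for s in w["servers"]):
            missing.append("rfc3576")
        # An open SSID with MAC filtering relies on MAB plus CWA/MDM redirect.
        report[wid] = {"open": w["wpa"] is False and w["mac_filter"], "missing": missing}
    return report
```

Run against the surviving rules, evaluate() denies a quarantined client's traffic to the ISE node (10.1.100.21) at rule 5 and permits its traffic to any non-10.0.0.0/8 destination at rule 6, while rule 65 keeps the default deny. Because AireOS evaluates rules in order, whatever rules 1 to 4 contain must permit the client's path to DNS, ISE and the MDM server ahead of rule 5 or the redirect itself breaks; this is the check to run before trusting a quarantine ACL. audit_wlans() reports WLAN 10 as the open (MAB) onboarding SSID and both WLANs as having AAA override, RADIUS NAC and a CoA-capable RADIUS server, which is what ISE needs to move a device out of quarantine once the MDM reports it compliant.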