
Cisco ISE 1.2 Lab Guide


Developers and Lab Proctors
This lab was created by the SAMPG TME teams, with main contributions from Aruna Yerragudi, Jason Kunst, Paul Carco, Hsing-Tsu Lai and Imran Bashir.

Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine (ISE), focusing on key new ISE 1.2 features: ISE integration with 3rd-party MDM vendors, profiler feed services, guest enhancements, and monitoring and troubleshooting enhancements. Students will learn how to configure ISE policies that mandate mobile device compliance with the policies defined on the MobileIron MDM server. A good part of the lab also covers how to write policies using logical profiles and how to enable ISE to receive automatic updates from the new Feed Service. The lab also covers the new Guest UI available in ISE 1.2. The last section covers day-to-day operations, where the student uses new tools such as Search and Session Trace that provide better visibility and troubleshooting.
Lab participants should be able to complete the lab within the allotted time of 4 hours.

Lab Exercises
This lab guide includes the following exercises:

Lab Exercise 1: ISE Guest Enhancements
Lab Exercise 2: ISE Integration with 3rd Party MDM Server
Lab Exercise 3: Profiler Enhancements, Logical Profiles & Feed Services
Lab Exercise 4: Monitoring and Troubleshooting Enhancements

ISE_1.2_Update_Lab_Guide.docx

8/21/13 6:47 PM

Page 1 of 87

Product Overview: ISE


Cisco Secure Access and TrustSec is the Borderless Network access control solution, providing visibility into and control over the devices and users on the network.
Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time information from the network, users and devices. ISE uses this information to make proactive governance decisions, enforcing policy across the network infrastructure through built-in, standards-based controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users and devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own device (BYOD), through policy-enabled services.

Lab Topology

Lab IP and VLANs


Internal IP Addresses

Device                          Name/Hostname                          IP Address
Access Switch (3560X)           3k-access.demo.local                   10.1.100.1
Data Center Switch (3560CG)     3k-data.demo.local                     10.1.129.3
Wireless LAN Controller (2504)  wlc.demo.local                         10.1.100.61
Wireless Access Point (2602i)   ap.demo.local                          10.1.90.x/24 (DHCP)
ASA (5515-X)                    asa.demo.local                         10.1.100.2
ISE Appliance                   ise-1.demo.local                       10.1.100.21
ISE Feed Server                 ise-feedserver.demo.local              10.1.100.41
AD (AD/CS/DNS/DHCP)             ad.demo.local                          10.1.100.10
NTP Server                      ntp.demo.local                         128.107.212.175
MobileIron                      mobileiron.demo.local                  10.1.100.15
Mail                            mail.demo.local                        10.1.100.40
LOB Web                         lob-web.demo.local                     10.1.129.12
                                portal.demo.local, updates.demo.local  10.1.129.8
                                business.demo.local                    10.1.129.9
                                it.demo.local                          10.1.129.10
                                records.demo.local                     10.1.129.11
LOB DB                          lob-db.demo.local                      10.1.129.20
Admin (Management) Client       admin.demo.local                       10.1.100.6
  (also FTP Server)             ftp.demo.local
Windows 7 Client PC             w7pc-guest.demo.local                  10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN  VLAN Name      IP Subnet      Description
10    ACCESS         10.1.10.0/24   Authenticated users or access network using ACLs
20    MACHINE        10.1.20.0/24   Microsoft machine-authenticated devices (L3 segmentation)
29    IC-ASA-ACCESS  10.1.29.0/24   Interconnect subnet between ASA and Access switch
30    QUARANTINE     10.1.30.0/24   Unauthenticated or non-compliant devices (L3 segmentation)
40    VOICE          10.1.40.0/24   Voice VLAN
50    GUEST          10.1.50.0/24   Network for authenticated and compliant guest users
90    AP             10.1.90.0/24   Wireless AP VLAN
100   Management     10.1.100.0/24  Network services (AAA, AD, DNS, DHCP, etc.)
129   WEB            10.1.129.0/24  Line-of-business Web servers
130   DB             10.1.130.0/24  Line-of-business Database servers

Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

Accounts and Passwords

Access To                       Account (username / password)
Access Switch (3560X)           admin / ISEisC00L
Data Center Switch (3560CG)     admin / ISEisC00L
Wireless LAN Controller (2504)  admin / ISEisC00L
ASA (5515-X)                    admin / ISEisC00L
ISE Appliances                  admin / ISEisC00L
AD (AD/CS/DNS/DHCP)             admin / ISEisC00L
Web Servers                     admin / ISEisC00L
Admin (Management) Client       admin / ISEisC00L
Windows 7 Client                W7PC-guest\admin / ISEisC00L   (local account; machine is W7PC-guest or W7PC-corp)
                                DEMO\admin / ISEisC00L         (domain account; domain is DEMO)
                                DEMO\employee1 / ISEisC00L

Connecting to Lab Devices

Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides the launching point for access to all the other lab components.

Note: Admin PC access is through RDP, so you must have an RDP client installed on your computer.

Connect to a POD
Step 1: Launch the Remote Desktop application on your system.
a. Connect to your POD Admin PC using RDP, with the IP address given on page 4.
b. Login as admin / ISEisC00L.

Note: All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines

During the lab exercises, you may need to access and manage the computers running as virtual machines.
Step 1: From the Admin PC, click the VMware vSphere Client icon on the taskbar.
Step 2: Click OK when the VMware vSphere Client starts.
Step 3: You have the ability to power on, power off, or open the console (view) of the VMs. Place the mouse cursor over the VM name in the left-hand pane and right-click to view the available options.
Step 4: To access the VM console, select Open Console from the drop-down.
Step 5: To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu.

Step 6: For this lab ensure that the following VMs are up and running:
p##_ad
p##_ise-1-12update
p##_lob-web
p##_mail
p##_mobileiron
p##_w7pc-guest
p##_w7pc-MnT
## denotes the pod number that you are assigned to; e.g., for POD 2, p##_ad would be p02_ad. The VM w7pc-guest may be powered on manually during the exercises.

Connect to Lab Device Command-Line Terminal

Step 1: To access the lab switches and ISE servers using SSH:
a. From the Admin client PC, locate the PuTTY shortcut on the taskbar. Click the PuTTY shortcut; it shows a list of devices and ISE servers.
b. Select the device that you'd like to log into and double-click it.
c. If prompted, click Yes to cache the server host key and continue the login.
d. Login using the credentials listed in the Accounts and Passwords table.

Pre-Lab Setup Instructions

Basic Connectivity Test
To perform a basic connectivity test of the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC. Verify that ping succeeds for all devices tested by the script.

Note: Failure of lob-db to respond to ping is fine for this lab, as this VM is not used in this lab.
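The same check written as a script, as an added example for this guide and not the lab's own pingtest.bat (whose contents the guide does not show). It pings the fixed-address hosts from the Lab IP and VLANs table in parallel and treats lob-db as allowed to fail, exactly as the note above permits, so a required failure is reported separately from an expected one. The host table is copied from this guide; the script structure and flags are assumptions.

```python
"""Lab host reachability check, modelled on the pingtest.bat this guide runs
from the Admin PC.  Added example, not the lab's own script.  The host table is
copied from "Lab IP and VLANs"; hosts on DHCP (AP, w7pc-guest) are left out
because their addresses are not fixed."""
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

LAB_HOSTS: Dict[str, str] = {
    "3k-access.demo.local": "10.1.100.1",
    "3k-data.demo.local": "10.1.129.3",
    "wlc.demo.local": "10.1.100.61",
    "asa.demo.local": "10.1.100.2",
    "ise-1.demo.local": "10.1.100.21",
    "ise-feedserver.demo.local": "10.1.100.41",
    "ad.demo.local": "10.1.100.10",
    "mobileiron.demo.local": "10.1.100.15",
    "mail.demo.local": "10.1.100.40",
    "lob-web.demo.local": "10.1.129.12",
    "lob-db.demo.local": "10.1.129.20",
    "admin.demo.local": "10.1.100.6",
}

# The guide says a failed ping to lob-db is fine: the VM is not used in this lab.
OPTIONAL_HOSTS = {"lob-db.demo.local"}


def ping(ip: str, timeout_s: int = 2) -> bool:
    """One ICMP echo request via the OS ping; True if it reports a reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), ip]
    else:
        cmd = ["ping", "-c", "1", ip]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return proc.returncode == 0


def check_hosts(hosts: Dict[str, str] = LAB_HOSTS) -> Dict[str, bool]:
    """Ping every host in parallel; returns {hostname: reachable}."""
    with ThreadPoolExecutor(max_workers=max(1, len(hosts))) as pool:
        up = list(pool.map(ping, hosts.values()))
    return dict(zip(hosts.keys(), up))


def summarize(results: Dict[str, bool],
              optional=OPTIONAL_HOSTS) -> Tuple[bool, List[str], List[str]]:
    """Split failures into ones that block the lab and ones that are allowed.
    Returns (lab_ready, required_failures, optional_failures)."""
    required = sorted(h for h, ok in results.items() if not ok and h not in optional)
    allowed = sorted(h for h, ok in results.items() if not ok and h in optional)
    return (not required, required, allowed)


if __name__ == "__main__":
    results = check_hosts()
    for host in sorted(results):
        print(f"{host:28s} {'OK' if results[host] else 'FAIL'}")
    ready, required, allowed = summarize(results)
    if allowed:
        print("Allowed to fail:", ", ".join(allowed))
    print("Lab ready" if ready else "Fix before starting: " + ", ".join(required))
```

Run it from the Admin PC; it needs no privileges beyond those the Windows ping command already has. A host listed under "Fix before starting" is one the exercises depend on.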

Basic ISE Configuration

Step 1: Access the ISE administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://ise-1.demo.local/
Note: Accept/confirm any browser certificate warnings if present.
b. Login with username admin and password ISEisC00L.

Step 2: Join ISE to Active Directory.
a. Go to Administration > Identity Management > External Identity Sources.
b. Pick Active Directory from the left-hand panel, and select ise-1 in the Connection tab on the right.
c. Click Join with the AD domain admin credentials: admin / ISEisC00L

Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp and show clock to check whether the NTP service is working. The NTP service may be corrected by rebooting ise-1 or resetting the VM.

Step 3: Disable log collection suppression.
Log suppression is on by default to optimize monitoring data storage. In order to see all log entries during troubleshooting, it can be disabled either globally or per collection filter. In this lab we disable it globally, as shown in (a) below.

a. Disable suppression globally
i. Go to Administration > System > Settings, expand Protocols, and select RADIUS.
ii. Clear the checkboxes Suppress Anomalous Clients and Suppress Repeated Successful Authentications.
iii. Click Save when done.
b. (For reference only) Disable suppression per collection filter
i. Go to Administration > System > Logging, expand Collection Filters, and click Add for a new filter.
ii. Select an attribute from the drop-down menu.
iii. Enter a value to match the attribute in (ii).
iv. Select Disable Suppression from the drop-down menu.
v. Click Submit.

WLC Configuration
Load WLC configuration for the lab
Step 1: Login to the WLC web interface https://wlc.demo.local as admin / ISEisC00L
a. Navigate to the top menu COMMANDS. Then choose Download File from the left panel.
b. In the Download File to Controller page, fill in the form as below:

File Type                      Configuration
Configuration File Encryption  (unchecked)
Transfer Mode                  FTP
Server Details
  IP Address                   10.1.100.6
  File Path                    /
  File Name                    p##-wlc-4hr.txt
  Server Login Username        ftp
  Server Login Password        ftp
  Server Port Number           21

Note: The ## in p##-wlc-4hr.txt is to be replaced with the assigned pod number; e.g. p12-wlc-4hr.txt for pod 12.

c. Click the Download button to start the file transfer. A confirmation message will pop up after you click Download. Click OK.
d. Wait for the transfer to finish and the reset to complete.
Note: The WLC will reset after downloading a configuration from an external file server. During the reset, use ping -t wlc to monitor it.

Controlling the iPad via VNC Client

Below are tips for controlling the iPad UI via the VNC client:
Home: (On a PC/Mac with a 2/3-button mouse) right-click once with the mouse. (On a Mac with a trackpad) touch with two fingers on the trackpad, if Secondary Click is configured.
Mouse: The mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.

Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to type into and click on it.
Note: When interacting with the iPad VNC session, a US keyboard is preferred.
Note: A US keyboard is also needed for the RDP session unless additional language packs are installed to provide keyboard mappings. This applies only to the RDP sessions.

Lab Exercise 1: What's new in ISE Guest Access Management?
Exercise Description
This lab covers what is new in ISE Guest Access Management. It covers features introduced in ISE 1.2. The following are the newly introduced features and their uses:

- Friendly sponsor portal: portal configuration allows an easy (friendly) portal name.
- Mobile-enhanced portal: new look and feel for the guest and sponsor portals, enhanced for more device screen sizes.
- Forced password change: for expired accounts and for accounts logging in for the first time.
- Pre-activated guest: a new type of account for users entering the network first via an 802.1X or VPN connection. A normal guest account requires the user to log into the guest portal to activate the account before it can be used for login.
- Updated time profiles: a new default 8-hour time profile replaces the 1-hour one.
- Change account duration: the ability to assign a new account duration to guest accounts (useful when expired or suspended accounts need to be used again).
- Session limits: the ability to enforce 1 session at a time.
- Multi-interface portal policy: choose which interfaces and ports the portals run on.
- Language templates: more languages than in ISE 1.1.1.

Lab Exercise 1.1: Access new portals, work with guest account activation and password change
Exercise Description
This exercise introduces the new enhanced portals and pages for the sponsor and the guest user, and the new forced password change on first login. It also shows why a pre-activated guest is needed for certain scenarios.

Exercise Objective
In this exercise, your goal is to connect to the new portal, create a normal guest account, connect with the new account (showing why an activated guest is needed), and then use the required password change.
- Familiarize yourself with the new sponsor portal using its easy (friendly) name
- Create a normal guest and try to connect to an 802.1X network, showing the need for a pre-activated guest
- Connect to the open network and use the Guest Portal to activate the guest
- Use the password change on first login

Step 1: Login to the friendly sponsor portal and familiarize yourself with the new look & feel.
a. Login to the ISE sponsor portal http://sponsor.demo.local as staff1 / ISEisC00L
Note: At the end of the lab we will go through how you configure the portal friendly name.
b. Familiarize yourself with the new look and feel of the portal. It has changed significantly from previous releases, but the options are still the same. You can create single accounts, import accounts from a CSV, and create multiple random accounts. The options shown depend on the permissions associated with the sponsor who logs in. For the staff1 sponsor, notice that only Create Account is shown.
c. Notice that there is a new action available for accounts, Change Account Duration; we will use it later on to see how it works.
d. The search functionality looks different. Under each of the fields is a search box. Just type in it and it dynamically searches through the list.

Step 2: Create a normal guest account and try to login via 802.1X.
a. Click Create Account and fill in the details as below:

Attribute         Value
First Name        John
Last Name         Smith
Email Address     <Optional>
Company           <Optional>
Group Role        Guest
Account Duration  ShortTime12min

Account duration: ShortTime12min expires 12 minutes after the initial login.

b. Click Submit.
c. Write down the username jsmith and the password _________ off to the side so you don't have to come back to this spot.

Note: We have created a short duration so that we can show later how a guest expires and is reactivated with a new Account Duration.

Step 3: Click View Guest Accounts.
a. Notice that the account Status says Awaiting Initial Login.

Warning: The Apple iPad you will be using is controlled remotely using VNC over the USB port of the Admin PC. Due to the configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment, please do not deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical/manual resetting and prevent you from experiencing the full potential of the lab. Thank you for your cooperation.

Step 4: Connect with the new guest via 802.1X with the iPad.
Step 5: Click the vnc-to-ipad shortcut in the taskbar of the Admin PC to start a VNC session to the iPad.
Step 6: It will prompt you to press any key to continue. You will then see the VNC Viewer pop up.
Step 7: Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the network n-p##-TS-WPA2e (## refers to your POD number).
a. Enter the username/password obtained when creating the guest account in Step 2.
Note: For the password make sure that you DO NOT include the quotes ("") as part of the password.
b. You should receive an "Incorrect username or password" message. You may need to accept the "Cannot Verify Server Identity" prompt before you see the message.
Note: The user is not able to login because the account is required to be Active and it is not.
Note: Accept any invalid certificate prompt.
Step 8: Click Dismiss.
Step 9: Connect to the open network for Guest Portal access.
Step 10: Select and connect to the network n-p##-TS-OPEN.
Step 11: Now launch the mobile Safari app, close any tabs, and access Google via the bookmarks. If you receive the warning "Cannot Verify Server Identity", click Continue and it will redirect to the Guest page.
New in ISE 1.2: Notice how the page is optimized for the mobile device experience.
Step 12: Login to the Guest Portal using the credentials for jsmith.
Note: Make sure you change the password only after you log in. If you change the password before logging in, neither the new nor the old password will work.
a. Accept the AUP (Acceptable Use Policy).
Step 13: Go through the password change procedure using a new password: test123
New in ISE 1.2: Notice how the user is required to change the password on first login.
Note: If for some reason you get a login error, close the browser tab. Go to Settings > Wi-Fi and Forget the open network, then turn off wireless on the iPad. Next, go to the WLC and make sure the session is gone by going to Monitor > Clients. There should not be any entries there; if there are, select the entry and Remove it. Go back to the iPad and try to connect again, try Google again, and log back in with the new password.
Step 14: Try to access the Google site again. You should now have access.
Step 15: Clean up the iPad and turn off wireless to get ready for the next exercise.

a. Close all browser tabs.
b. Go to Settings > Wi-Fi and forget the open network.
c. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
d. Next, on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
Step 16: Using the Admin PC, connect to the sponsor portal at http://sponsor.demo.local with credentials staff1 / ISEisC00L
Step 17: Look at the Status of the user jsmith; it is now Active.

Note: Before the pre-activated guest option introduced in ISE 1.2, this was the only way ISE activated a guest user so that they could access the network via 802.1X or VPN.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.

Lab Exercise 1.2: Create an activated Guest


Exercise Description
This exercise introduces the activated guest feature.
Story for the activated guest: customers would like to use a secured network even for their guests. For example, a long-term contractor needs access to the network, and nobody wants them to keep hitting the guest portal every time they connect. Without an activated guest they would still need to hit the guest portal to activate the account. There is also a requirement for them to get access to some internal resources (rather than wide-open access to the internet only). Activated Guest gives the flexibility to have short-term guests with internet ONLY, and longer-term guests, authenticated with a more secure method, with greater privileges. This is useful for contractors who visit for extended periods or come and go; having them hit the guest portal every time they come onto the network gets frustrating. With an activated guest, their credentials are saved in their supplicant for subsequent logins.
This is also needed for VPN access, as there is currently no way to authenticate to the guest portal from outside the company.

Exercise Objective
In this exercise, your goal is to create an activated guest and login directly with 802.1X.
- Create an activated guest via the sponsor portal
- Login via the iPad using 802.1X

Step 1: Login to the friendly sponsor portal.
Go to the ISE Sponsor Portal at http://sponsor.demo.local with credentials staff1 / ISEisC00L

Step 2: Create an activated guest.
a. Click Create Account and fill in the details as below:

Attribute         Value
First Name        Bob
Last Name         Jones
Email Address     <Optional>
Company           <Optional>
Group Role        ActivatedGuest
Account Duration  DefaultEightHours

New in ISE 1.2: ActivatedGuest, as discussed before, is a new option. Also new are the Account Durations DefaultEightHours and DefaultFirstLoginEight (these replace the built-in 1-hour time profiles). An upgrade from a previous release keeps the 1-hour time profiles.

b. Click Submit.
c. Note down the username bjones and the password ____________

Step 3: Click View Guests.
New in ISE 1.2: Notice how the guest is already Active.

Step 4: Now connect to the network with 802.1X using this Activated Guest. Go to the iPad VNC session and turn ON the wireless.
a. Terminate any existing network connections:
i. Forget or turn off auto-login on any existing networks that the iPad automatically connects to.
ii. Delete any existing client sessions in the WLC:
1. On the Admin PC, browse to https://wlc.demo.local and login as admin / ISEisC00L
2. Navigate to Monitor > Clients, drill down into each client and click Remove.
b. Select and connect to the network n-p##-TS-WPA2e.
c. Enter the credentials bjones / ______ (written down in Step 2).
d. Click Join.
e. Accept the certificate for ise-1.demo.local.
f. Open a new browser window to Yahoo. You should be able to access the website.

Step 5: Clean up the iPad.
a. Close browser tabs.
b. Go to Settings > Wi-Fi and forget the n-p##-TS-WPA2e network.
c. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
d. Next, on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.

Lab Exercise 1.3: Work with session limits


Exercise Description
This exercise introduces session limits for guests. In ISE 1.2 the session limits feature has a limitation when used with activated guests who have more than one device: an Activated Guest who has saved credentials on more than one 802.1X device will find that as one device connects to the network, the other device is kicked off. If you need both session limits and Activated Guests with multiple devices, our recommendation is to put long-term guests in another identity store outside of Guest.
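What this exercise makes visible under Operations > Authentications, as an added model written for this guide (it is not ISE code and sends nothing over RADIUS): an endpoint passes MAB and gets the CWA redirect profile, a portal login triggers a CoA to GuestPermitAccess, and with "Allow only one guest session per user" enabled a second login by the same user triggers a further CoA that pushes the older session back to the CWA profile. The model also replays the two-device 802.1X caveat from the description above. WLC_CWA and GuestPermitAccess are the profile names used in this lab; the switch-side CWA profile name, the MAC addresses and the way a kicked 802.1X session is represented (disconnected rather than redirected) are assumptions.

```python
"""Toy model of ISE 1.2 guest session handling with "Allow only one guest
session per user" enabled.  Added illustration for this exercise, not ISE code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PERMIT_PROFILE = "GuestPermitAccess"                        # name used in the lab
CWA_PROFILE = {"wlc": "WLC_CWA", "switch": "Switch_CWA"}   # switch-side name is assumed


@dataclass
class Session:
    session_id: str
    mac: str
    nas: str                    # "wlc" or "switch"
    user: Optional[str] = None  # None until someone authenticates on the session
    authz: str = ""             # authorization profile currently applied
    via: str = "mab"            # "mab", "portal" or "802.1X"


class GuestSessionController:
    """Session table plus the 'one guest session per user' rule."""

    def __init__(self, one_session_per_user: bool = True) -> None:
        self.one_session_per_user = one_session_per_user
        self.sessions: Dict[str, Session] = {}
        self.log: List[str] = []   # one line per event, oldest first

    def connect(self, session_id: str, mac: str, nas: str) -> Session:
        """Endpoint associates on the open SSID or an unauthenticated port: MAB
        passes and the NAS receives the CWA redirect profile."""
        s = Session(session_id, mac, nas, authz=CWA_PROFILE[nas])
        self.sessions[session_id] = s
        self.log.append(f"MAB {mac} on {nas} -> {s.authz}")
        return s

    def portal_login(self, session_id: str, user: str) -> List[str]:
        """Guest portal login on an existing CWA session."""
        return self._bind(self.sessions[session_id], user, "portal")

    def dot1x(self, session_id: str, mac: str, nas: str, user: str) -> List[str]:
        """802.1X with saved credentials: the session starts already bound to the user."""
        s = self.sessions.setdefault(session_id, Session(session_id, mac, nas))
        return self._bind(s, user, "802.1X")

    def _bind(self, s: Session, user: str, via: str) -> List[str]:
        """Bind the user to the session (CoA to GuestPermitAccess), then enforce the
        session limit against the user's other sessions.  Returns the kicked ids."""
        s.user, s.authz, s.via = user, PERMIT_PROFILE, via
        self.log.append(f"{via} login {user} on {s.session_id}; CoA -> {PERMIT_PROFILE}")
        kicked: List[str] = []
        if not self.one_session_per_user:
            return kicked
        for other in list(self.sessions.values()):
            if other.user != user or other.session_id == s.session_id:
                continue
            kicked.append(other.session_id)
            if other.via == "portal":
                # Web-authenticated device drops back to the portal (seen in Step 13)
                other.user, other.authz, other.via = None, CWA_PROFILE[other.nas], "mab"
                self.log.append(f"CoA {other.session_id}: session limit -> {other.authz}")
            else:
                # 802.1X device is disconnected; its supplicant will simply try again
                del self.sessions[other.session_id]
                self.log.append(f"CoA {other.session_id}: session limit -> disconnect")
        return kicked

    def live_sessions(self) -> List[str]:
        """What 'Show Live Sessions' would list: sessions with a logged-in user."""
        return [sid for sid, s in self.sessions.items() if s.user is not None]


def exercise_1_3() -> GuestSessionController:
    """Replays this exercise: bjones on the iPad (WLC), then on w7pc-guest (switch).
    MAC addresses are constructed."""
    ise = GuestSessionController()
    ise.connect("ipad", "00:11:22:33:44:55", "wlc")
    ise.portal_login("ipad", "bjones")
    ise.connect("w7pc", "00:50:56:aa:bb:cc", "switch")
    ise.portal_login("w7pc", "bjones")
    return ise


def activated_guest_two_devices() -> List[List[str]]:
    """The caveat above: an Activated Guest whose saved 802.1X credentials sit on
    two devices; every reconnect of one device kicks the other off."""
    ise = GuestSessionController()
    return [ise.dot1x("phone", "aa:aa:aa:aa:aa:01", "wlc", "bjones"),
            ise.dot1x("laptop", "aa:aa:aa:aa:aa:02", "wlc", "bjones"),
            ise.dot1x("phone", "aa:aa:aa:aa:aa:01", "wlc", "bjones")]


if __name__ == "__main__":
    for line in exercise_1_3().log:
        print(line)
    print("802.1X two-device ping-pong, kicked per reconnect:", activated_guest_two_devices())
```

The event order the log produces (MAB, login, MAB, login, CoA) is the order you will read from the bottom up in Live Authentications in Step 13; the last entry is the CoA that returns the iPad to WLC_CWA.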

Exercise Objective
In this exercise, your goal is to learn about session limits for guests.
- Show the ISE Authentications and Live Sessions
- Connect via the iPad
- Connect via the Win7 PC
- Show how one user connection logs off the other

Step 1: Set up ISE to view the sessions.
a. Connect to the ISE UI via https://ise-1.demo.local using admin / ISEisC00L
b. Go to Operations > Authentications.
c. Choose Add/Remove Columns:
i. Uncheck Identity Group, Posture Status, and Server.
ii. Scroll to the bottom and click Save.

Step 2: Connect to the iPad via the VNC session.
Step 3: Connect to the open network for Guest Portal access.
a. Turn on the wireless.
b. Select and connect to the network n-p##-TS-OPEN.
Step 4: Now launch the mobile Safari app and access Google via the bookmarks. If you receive the warning "Cannot Verify Server Identity", click Continue and it will redirect to the Guest page.
New in ISE 1.2: Notice how the page is optimized for the mobile device experience.
Step 5: Login to the Guest Portal using the credentials for bjones / _____ (written down before).
Step 6: Go through the password change using a new password of test123

Note: Notice how the Activated Guest user is required to change the password on first login but does not get the AUP prompt.

Note: If for some reason you get a login error: go to Settings > Wi-Fi, forget the open network and turn off wireless; go to the controller and make sure the session is gone; then connect again on the iPad, close the browser tab, try Google again and log back in with the new password.

Step 7: Try to access the Google site again. You should have access.
a. Take a look at ISE. Go to Operations > Authentications. It shows the guest coming in via the CWA portal, the user bjones logging in, and then the CoA that puts the session into GuestPermitAccess.
b. Click Show Live Sessions. Notice that there is only 1 live session.

Step 8: From the Admin PC, using PuTTY, connect to 3k-access with the credentials admin / ISEisC00L
a. Using the CLI command show ip int brief, ensure that GigabitEthernet0/1 is UP.
b. If it is down, issue the following CLI commands to bring it up:
3k-access#conf t
3k-access(config)#interface GigabitEthernet 0/1
3k-access(config-if)#no shutdown

Step 9: Next, connect to w7pc-guest.
a. In the vSphere Client, power on p##_w7pc-guest.
b. Connect to its console.
c. Login with credentials admin / ISEisC00L
Step 10: Enable the LAN connection under network settings.
a. From the Windows desktop, double-click the shortcut w7pc-guest Network Connections.
b. Right-click Local Area Connection and select Enable.
Step 11: Open Firefox and type in a website to access.

If you receive a security warning, accept it.
Note: If at first you are not redirected, wait a couple of minutes and try another site.

Step 12: Login with credentials bjones / test123
New in ISE 1.2: Notice how this portal looks different from the one on the iPad. ISE has optimized pages for different device OSes and screen sizes.
Step 13: Try your original site again.
a. Go back to ISE and notice how the iPad session is now identified only by its MAC address; the user is no longer logged in.
b. Click Show Live Authentications. Notice, reading from the bottom up:
i. The switch authenticated the MAC address and sent the PC to the CWA portal.
ii. User bjones logged in.
iii. A CoA changed the access to GuestPermitAccess.
iv. After that you see another CoA come in; that is the one kicking off the iPad and moving it back to WLC_CWA.

Step 14: Go back to the iPad and try to access a different site.
Step 15: Clean up the iPad and turn off wireless to get ready for the next exercise.
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and forget the open network.
c. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
d. Next, on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.

Lab Exercise 1.4: Change Account Duration of an expired guest
Exercise Description
This exercise introduces the ability to re-enable an expired guest account by changing its Account Duration.

Exercise Objective
In this exercise, your goal is to re-enable an expired guest.
- Connect to the sponsor portal
- Enable the expired user by changing the Account Duration

Step 1: Connect to the sponsor portal.
a. Connect to the ISE Sponsor Portal via http://sponsor.demo.local using staff1 / ISEisC00L
b. The original guest user you created, jsmith, is expired.
c. Select this user and click Change Account Duration. Click OK.
d. Notice that the user is now Active again.
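The account states that Exercises 1.1, 1.2 and 1.4 have walked through (Awaiting Initial Login, Active, Expired; activation by portal login versus a pre-activated guest; the forced password change, which only the portal can enforce; Change Account Duration), pulled together as an added model written for this guide. It is not ISE code. ShortTime12min counting from the initial login is stated in Exercise 1.1; which clock DefaultEightHours and DefaultFirstLoginEight use, and that Change Account Duration counts the new duration from the moment of the change, are assumptions, as are the sample passwords.

```python
"""Model of the ISE 1.2 guest-account lifecycle seen in Exercises 1.1, 1.2 and 1.4.
Added illustration for this guide, not ISE code.  Clock assignments for the two
8-hour default profiles are assumptions taken from their names."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Status(Enum):
    AWAITING_INITIAL_LOGIN = "Awaiting Initial Login"
    ACTIVE = "Active"
    EXPIRED = "Expired"


class Clock(Enum):
    FROM_FIRST_LOGIN = "first login"   # duration starts at the guest's first portal login
    FROM_CREATION = "creation"         # duration starts when the sponsor creates the account


@dataclass(frozen=True)
class TimeProfile:
    name: str
    duration: timedelta
    clock: Clock


SHORT_12MIN = TimeProfile("ShortTime12min", timedelta(minutes=12), Clock.FROM_FIRST_LOGIN)
DEFAULT_8H = TimeProfile("DefaultEightHours", timedelta(hours=8), Clock.FROM_CREATION)
FIRST_LOGIN_8H = TimeProfile("DefaultFirstLoginEight", timedelta(hours=8), Clock.FROM_FIRST_LOGIN)

T0 = datetime(2013, 8, 21, 9, 0)   # arbitrary reference time for the scenario


def at(minutes: int) -> datetime:
    """T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


class AuthError(Exception):
    """A login ISE would reject ('Incorrect username or password', etc.)."""


@dataclass
class GuestAccount:
    username: str
    password: str
    profile: TimeProfile
    created: datetime
    pre_activated: bool = False         # sponsor chose the ActivatedGuest group role
    must_change_password: bool = True   # portal setting: change password at first login
    activated: bool = False
    first_login: Optional[datetime] = None
    expires: Optional[datetime] = None

    def __post_init__(self) -> None:
        self.activated = self.pre_activated
        if self.profile.clock is Clock.FROM_CREATION:
            self.expires = self.created + self.profile.duration

    def status(self, now: datetime) -> Status:
        if self.expires is not None and now >= self.expires:
            return Status.EXPIRED
        return Status.ACTIVE if self.activated else Status.AWAITING_INITIAL_LOGIN

    def authenticate_8021x(self, password: str, now: datetime) -> bool:
        """802.1X or VPN: only an Active account with the right password passes.
        A supplicant cannot show a password-change page, so none is enforced here."""
        if self.status(now) is not Status.ACTIVE or password != self.password:
            raise AuthError("Incorrect username or password")
        return True

    def portal_login(self, password: str, now: datetime,
                     new_password: Optional[str] = None) -> bool:
        """Guest (CWA) portal: activates a normal guest on first login, starts a
        from-first-login clock and enforces the forced password change."""
        if self.status(now) is Status.EXPIRED or password != self.password:
            raise AuthError("Incorrect username or password")
        if self.first_login is None:
            self.first_login = now
            self.activated = True
            if self.profile.clock is Clock.FROM_FIRST_LOGIN:
                self.expires = now + self.profile.duration
        if self.must_change_password:
            if not new_password or new_password == self.password:
                raise AuthError("Password change required on first login")
            self.password = new_password
            self.must_change_password = False
        return True

    def change_account_duration(self, profile: TimeProfile, now: datetime) -> Status:
        """Sponsor portal 'Change Account Duration'.  Assumption: for an account that
        has logged in, the new duration counts from now; an account that never
        logged in keeps waiting for its first login."""
        self.profile = profile
        if profile.clock is Clock.FROM_FIRST_LOGIN and self.first_login is None:
            self.expires = None
        else:
            self.expires = now + profile.duration
        return self.status(now)


if __name__ == "__main__":
    jsmith = GuestAccount("jsmith", "welcome1", SHORT_12MIN, created=at(0))
    print("created:", jsmith.status(at(0)).value)
    jsmith.portal_login("welcome1", at(2), new_password="test123")
    print("after portal login:", jsmith.status(at(3)).value, "expires", jsmith.expires)
    print("at +20 min:", jsmith.status(at(20)).value)
    print("after Change Account Duration:", jsmith.change_account_duration(DEFAULT_8H, at(30)).value)
```

The point to take from the model is the asymmetry between the two login paths: the portal activates the account and can force a password change, while 802.1X can do neither, which is why a normal guest fails 802.1X in Exercise 1.1 and why the ActivatedGuest role exists.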

End of Exercise: You have successfully completed this exercise. Proceed to the next section.

Lab Exercise 1.5: View the ISE configuration changes needed for the past exercises
Exercise Description
This exercise introduces the new configuration options around Guest Access Management that were used in the prior exercises.

Exercise Objective
In this exercise, your goal is to review the configuration needed for the prior exercises:
- Require guest users to change password at expiration and first login
- Mobile portal
- Session limit
- Ability to choose port and interface for each portal
- Portal URLs (friendly, easy access)

Step 1: Connect to the ISE UI at https://ise-1.demo.local using admin / ISEisC00L
Step 2: Navigate to Administration > Web Portal Management > Settings.
a. Expand Guest.
b. Click Multi-Portal Configurations.
c. Click Default Guest Portal.
Step 3: Review the following settings under the Operations submenu:
a. Enable Mobile Portal: this enables the new enhanced portals for the guest and My Devices portals, optimized for mobile devices.
b. Require guest users to change password at expiration and first login.

Step 4: Click Portal Policy on the left.
a. Under Login Restrictions, select the checkbox Allow only one guest session per user to enforce the guest user session limit.

Step 5: Expand General and click Ports.
a. Here you configure the ports and Allowed Interfaces used for the different portals. Ports and interfaces are tied together: notice that the Guest, My Devices and Sponsor portals all run on port 8443, so if you uncheck one of the allowed interfaces it is unchecked for the rest of the portals as well.
Note: The Blacklist Portal uses a different port, 8444 by default, and is not affected when you uncheck the interfaces for Guest.
You can also designate a dedicated port and interface for a portal. This is valuable if, for example, you want the Guest Portal to run in the DMZ.
b. Notice the Portal FQDNs. This is where you configure the friendly, easy-to-remember names of the Sponsor and My Devices portals. These FQDNs are aliases (CNAME records) of ise-1.demo.local in DNS; the certificate presented by ISE must also cover these names, or browsers will warn when users open the friendly URL.

Step 6: Navigate to Sponsor > Language Template.
a. Notice the list of languages on the right side of the screen. The Guest and My Devices portals have a similar listing.
b. Click English. There are many configurable text strings included in the release. Dig into them for a little bit to understand some of what is included.
c. Navigate to the Language Templates under Guest as well and see what you can change there.

Updated in ISE 1.2: The language templates increased from eleven in ISE 1.1.1 to fifteen in ISE 1.2.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.


Lab Exercise 2: ISE integration with 3rd Party MDM server
Exercise Description

This lab covers the ISE configuration requirements to enable ISE integration with 3rd Party MDM servers. Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a policy server and an inline enforcement point that controls the use of applications (e.g. email) on a mobile device in the deployed environment. Today Cisco Identity Services Engine (ISE) is the only entity that can provide granular access to endpoints (based on ACLs, TrustSec SGTs etc). In this integration, the ISE-enabled network is the enforcement point while the MDM policy server serves as the policy decision point. ISE expects specific data from MDM servers to provide a complete solution.
The following are the high level use cases in this solution.

Device registration: non-registered endpoints accessing the network on-premises will be redirected to the registration page on the MDM server for registration based on user role, device type, etc.

Remediation: non-compliant endpoints will be given restricted access based on compliance state.

Periodic compliance check: periodically check with the MDM server for compliance.

Ability for an administrator in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping of the managed device).

Ability for the end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe and PIN Lock.

Logical Network Topology

MDM Integration use-case overview
1. User associates device to SSID.
2. If the user device is not registered, the user goes through the BYOD on-boarding flow, details listed in the Appendix.
3. ISE makes an API call to the MDM server.
4. This API call returns the list of devices for this user and the posture status for the devices. Note that ISE can pass the MAC address of the endpoint device as an input parameter.
5. If the user's device is not in this list, the device is not registered. ISE will send a change of authorization to the NAD to redirect to ISE, and then the user device will be redirected to the MDM server to start the registration process (home page or landing page).
6. ISE will know that this device needs to be provisioned using MDM and will present an appropriate page to the user to proceed to registration.
7. The user will be transferred to the MDM where registration will be done. Control will transfer back to ISE either through automatic redirection by the MDM server or by the user refreshing their browser again.
8. ISE will query the MDM again to learn the posture status.
9. If the user device is not compliant with the posture (compliance) policies configured on the MDM, the user will be notified that the device is out of compliance and needs to be brought into compliance.
10. Once the user's device becomes compliant, the MDM server will update the device state in its internal tables.
11. At this stage the user can refresh the browser, at which point control would transfer back to ISE.
12. ISE will also poll the MDM server periodically to get compliance information and issue CoAs appropriately.
This section of the guide is divided into smaller sub-sections for clarity:

Lab Exercise 2.1: ISE BYOD configuration
Lab Exercise 2.2: Configure ISE for 3rd Party MDM integration
Lab Exercise 2.3: Review policy configuration on 3rd Party MDM
Lab Exercise 2.4: Review ISE 1.2 My Devices Portal configuration
Lab Exercise 2.5: Test and Verify the onboarding of a non-corporate Apple iPad
Lab Exercise 2.6: Test and Verify the Corporate Wipe feature on My Devices Portal

Lab Exercise 2.1: ISE BYOD configuration


Exercise Description
This exercise will review the ISE configuration for a BYOD wireless deployment where only one wireless SSID is required. First you will confirm the SSID settings on the Cisco WLC. Next you will learn how to configure profiles for the SCEP CA and the Certificate Authentication Profile. Cisco ISE uses the Simple Certificate Enrollment Protocol (SCEP) to support the secure issuance of certificates to network devices in a scalable manner. The SCEP server in this lab is the Microsoft Network Device Enrollment Service on Windows Server 2008 R2 Enterprise. You will also learn how to configure a client provisioning policy on Cisco ISE to allow native supplicant provisioning.

Exercise Objective
In this exercise, your goal is to review ISE for single SSID Wireless BYOD, which includes the completion of the following tasks in ISE:

Familiarize yourself with the WLC configuration needed for a single SSID

Verify the Network Access Device configuration of the WLC

Review the SCEP CA Profiles and the Certificate Authentication Profile

Review the Identity Source Sequence to authenticate the user against AD

Review the Authentication Policy to accept 802.1X authentication from wireless access devices with EAP-TLS or PEAP(EAP-MSCHAPv2) protocols.

Review the Authorization Policy to allow registration as well as supplicant provisioning and to grant full access to registered devices.

Update the Client Provisioning Policy to support native supplicant provisioning

Step 1

Open a new tab on the web browser and access the ISE administration web interface at
https://ise-1.demo.local using the credentials admin / ISEisC00L

Step 2

Verify that the Wireless LAN Controller is configured as a Network Access Device in ISE.
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. This network device is preconfigured with the values shown in the following table:
Attribute                  Value
Name                       wlc
Description
IP Address                 10.1.100.61 / 32
Model Name
Software Version
Device Type                WLC
Location                   GOLD-Lab
Authentication Settings
  Protocol                 RADIUS
  Shared Secret            ISEisC00L

Step 3

Verify the SCEP Profiles.


a. Navigate to Administration > System > Certificates.
b. Go to SCEP RA Profiles. Select the RA Profile named MSCEP and then click Edit to review the configuration.

Attribute      Value
Name           MSCEP
Description    -
URL            https://ad.demo.local/certsrv/mscep

Note: The SCEP RA URL may start with either http:// or https://. The latter needs AD with a valid certificate and the root-CA certificate imported into the ISE certificate store beforehand.

c. Click Test Connectivity to verify the connection to the SCEP server.

Note: If this fails, please ask the proctor to check on the ad server VM.
MSCEP is hosted on the Microsoft AD Server in this lab. The Proctor can either stop and start the service (NDES) or reset the AD VM (Power-off & Power-on).

d. Under Administration > System > Certificates, go to Certificate Store; both the CA and RA (registration authority) certificates of the certificate chain for the SCEP server should have been automatically retrieved.

Step 4

Go to Administration > Identity Management > External Identity Sources > Certificate
Authentication Profile, verify that the CN_Username profile is already configured as shown
below:

Step 5

Next go to Administration > Identity Management > Identity Source Sequences and verify
that DOT1X_ID_Sequence is present and is configured as shown:

Step 6

Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols and verify that PEAP_o_TLS exists and allows only two protocols:
a. EAP-TLS
b. PEAP with inner method EAP-MSCHAPv2

Step 7

Go to Policy > Authentication and ensure that the authentication policy is already configured as below. The Options column lists the actions taken if authentication failed / if user not found / if process failed.

Enabled  Name                        Condition                            Protocols and Identity Source                                Options
         MAB                         IF Wired_MAB OR Wireless_MAB         allow protocols HostLookup_Only and use Internal Endpoints   Reject / Continue / Drop
         Dot1X                       IF Wired_802.1X OR Wireless_802.1X   allow protocols PEAP_o_TLS and use DOT1X_ID_Sequence         Reject / Reject / Drop
         Default Rule (if no match)                                       allow protocols Default Network Access and use DenyAccess    Reject / Reject / Drop

Step 8

Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Two Authorization Profiles (with values as shown in the tables below) that will be used in the Authorization Policy, one for full network access and the other dedicated to supplicant provisioning, are pre-configured.
a. Authorization Profile for allowing Full Network Access

Attribute        Value
Name             WLC_FullAccess
Description      -
Access Type      ACCESS_ACCEPT
Common Tasks     Airespace ACL Name: PERMIT-ALL-TRAFFIC

Attributes Details
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = PERMIT-ALL-TRAFFIC

b. Authorization Profile for allowing Supplicant Provisioning

Attribute        Value
Name             WLC_SupplicantProvisioning
Description      -
Access Type      ACCESS_ACCEPT
Common Tasks     Web Redirection; drop-down menu: Native Supplicant Provisioning; ACL: !PERMIT-2-ISE-a-DNS

Attributes Details
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=!PERMIT-2-ISE-a-DNS
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionIdValue&action=nsp

Step 9

Ensure the following two Authorization Policy rules are already configured under Policy >
Authorization as shown below. Also, make sure that the Default policy is set to DenyAccess.
Scroll through the list as needed to see the additional Authorization Policies.

Information Note Only: To insert a new authorization rule, click Edit in the right end of a rule and choose from the drop-down
option menu.

Informational Note Only: To add the first condition with an attribute/value pair, such as Network Access:EapAuthentication EQUALS EAP-TLS, use Create New Condition (Advanced Option). Then, pick Add Attribute/Value for more such conditions in the same rule.

Step 10

Review Client Provisioning Policy


Go to Policy > Client Provisioning. The Apple iOS rule should look like the following:

Status   Rule Name   Identity Groups   Operating Systems   Other Conditions   Results
         Apple iOS   Any               Apple iOS All                          iOS_WPA2e_TLS

Step 11

Update SSID in the supplicant profile iOS_WPA2e_TLS


Notes: In this step, when configuring the SSID, please make sure to change the SSID name to match your POD. All the PODs are configured with the SSID of POD1 for replication purposes.
To find the SSID for your POD, go to the admin PC, launch a browser and log in to the WLC (https://wlc.demo.local) with Username = admin and Password = ISEisC00L.
Open the WLAN list and copy the name of the Secure SSID, e.g. n-p##-TS-WPA2e. If the SSID is disabled, click on the SSID and Enable it.

DO NOT use the OPEN SSID.

Go to Policy > Policy Elements > Results > Client Provisioning > Resources. Select iOS_WPA2e_TLS and click on Edit. Modify the SSID n-p##-TS-WPA2e to match your POD.

Attribute           Value
Name                iOS_WPA2e_TLS
Description
Operating System    Apple iOS All
Connection Type     Wireless
SSID                n-p##-TS-WPA2e
Security            WPA2 Enterprise
Allowed Protocol    TLS
Key Size            1024

Click on Save to save the changes.

Note: Make sure you update the SSID to match your POD. To avoid making any typos, copy the SSID name from the WLC and paste it into the ISE GUI.

End of Exercise: You have successfully completed this exercise.

Proceed to next section.

Lab Exercise 2.2: Configure ISE for 3rd Party MDM integration
Exercise Description
MDM Servers can be used as a cloud service or installed locally on premises. Once the installation, basic setup and compliance checks are configured on the MDM server, it can then be added to ISE.

Exercise Objective

In this exercise the student will add a 3rd party MDM server into ISE and then configure ISE authorization policies to use MDM attributes. The diagram below shows the main steps in configuring MDM Integration.
Step 1

MDM Server Certificate


Note: The certificate for the 3rd party MDM server in STEP 1 is already downloaded in ISE; STEP 1 is only to view the Certificate for the completeness of the configuration.

Go to Administration > System > Certificates > Certificate Store and verify that the MobileIron Certificate is in the Certificate Store as shown below.


Step 2

Add the MDM Server: go to Administration > Network Resources > MDM. Click Add to add the MDM server. Enter the MDM Server details as below with credentials User name: admin, Password: ISEisC00L.
Make sure to select the Enable checkbox so that the server is enabled after it is added.

Step 3

Click on Test Connection and an info dialog box will pop up.

Step 4

Click on Submit. It will test the connectivity again and add the MDM server.
Also, check the MDM status and ensure it is Active.

Step 5

Review the MDM dictionaries. Once the MDM server is added, the supported dictionaries show up on ISE and can later be used in ISE Authorization Policies. Go to Policy > Policy Elements > Dictionaries > System > MDM > Dictionary Attributes and review all the available attributes.

Step 6

Log on to the WLC <https://wlc.demo.local>. Navigate to Security > Access Control Lists > Access Control Lists. Verify that the ACL named MDM_Quarantine_ACL is present on the Wireless LAN Controller. This ACL was used in policy earlier to redirect clients selected for BYOD supplicant provisioning and certificate provisioning, and will also be used for MDM Quarantine.

The Cisco Identity Services Engine IP address = 10.1.100.21
Internal Corporate Networks = 10.0.0.0, 255.0.0.0 (to redirect; ISE and the MDM Server are allowed explicitly)
MDM Server = 10.1.100.15

Explanation of the MDM_Quarantine_ACL is as follows:

1. Allow DNS traffic inbound for name resolution.
2. Allow all traffic inbound to ISE for the Web Portal, supplicant and certificate provisioning flows.
3. Allow access inbound to the MDM server for MDM device registration and compliance checks.
4. Allow ICMP traffic for troubleshooting (optional).
5. Deny all traffic inbound to corporate resources. Any 80/tcp access hits will redirect to ISE (as per company policy).
6. Permit all the rest of the traffic, to allow remediation from Internet sites such as the Apple App Store.
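As an added example (not part of the lab guide or any Cisco code), the following Python script models MDM_Quarantine_ACL as a first-match access list, so you can check which of the six lines a given flow from a quarantined client hits and whether an HTTP hit on the deny line becomes a redirect to ISE. Only the ISE, MDM and corporate network addresses come from the lab; the client destination addresses in the sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Addresses taken from the lab description above.
ISE_SERVER = ip_network("10.1.100.21/32")
MDM_SERVER = ip_network("10.1.100.15/32")
CORP_NETS = ip_network("10.0.0.0/8")        # 10.0.0.0, 255.0.0.0
ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclRule:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dst: IPv4Network
    dport: Optional[int]        # None matches any destination port
    note: str


# The six lines of MDM_Quarantine_ACL in the order the guide explains them.
MDM_QUARANTINE_ACL = [
    AclRule(1, "permit", "udp", ANY_NET, 53, "DNS for name resolution"),
    AclRule(2, "permit", "any", ISE_SERVER, None, "ISE portals, supplicant and certificate provisioning"),
    AclRule(3, "permit", "any", MDM_SERVER, None, "MDM registration and compliance checks"),
    AclRule(4, "permit", "icmp", ANY_NET, None, "ICMP for troubleshooting (optional)"),
    AclRule(5, "deny", "any", CORP_NETS, None, "corporate resources; tcp/80 hits redirect to ISE"),
    AclRule(6, "permit", "any", ANY_NET, None, "everything else, e.g. Apple App Store remediation"),
]


def evaluate(proto: str, dst_ip: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (verdict, matching line) for one inbound flow from a quarantined client.

    verdict is "permit", "deny" or "redirect".  As the guide states, an HTTP (tcp/80)
    flow that hits the deny line is not simply dropped: the WLC redirects it to the
    ISE portal so the user can register with the MDM server.
    """
    dst = ip_address(dst_ip)
    for rule in MDM_QUARANTINE_ACL:          # first match wins, as on the WLC
        if rule.proto != "any" and rule.proto != proto:
            continue
        if dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.action == "deny" and proto == "tcp" and dport == 80:
            return "redirect", rule.seq
        return rule.action, rule.seq
    return "deny", None                       # implicit deny if nothing matched


if __name__ == "__main__":
    # Constructed sample flows from a quarantined iPad (addresses are illustrative).
    samples = [
        ("udp", "10.1.100.10", 53),       # corporate DNS server
        ("tcp", "10.1.100.21", 8443),     # ISE guest/MDM portal
        ("tcp", "10.1.100.15", 443),      # MobileIron server
        ("tcp", "10.1.50.7", 80),         # a corporate web server over HTTP
        ("tcp", "10.1.50.7", 443),        # the same corporate server over HTTPS
        ("tcp", "203.0.113.5", 443),      # an Internet host (documentation address)
    ]
    for proto, ip, port in samples:
        print(proto, ip, port, "->", evaluate(proto, ip, port))
```

Note that DNS is line 1, so a lookup to a corporate DNS server inside 10.0.0.0/8 is permitted before the deny on line 5 is reached; only HTTP to corporate addresses is turned into a redirect, while HTTPS to the same addresses is simply denied.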

Step 7

Configure ISE Authorization Policies with MDM conditions


a. Create an Authorization Profile named MDM_Quarantine for endpoints not compliant with MDM policies. In this case all non-compliant devices will be redirected to ISE and presented with a message.
b. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click on Add to add MDM_Quarantine as below:

Step 8

Update ISE Authorization Policy


a. Go to Policy > Authorization.
b. Locate the Authorization policy rule Reg with ISE TLS and select Duplicate Above.

Note: Use Duplicate Above/Below to speed up creating rules with similar conditions.

c. Update the two policy rules (Reg with ISE TLS and its duplicate) as defined below, in turn:

Reg with ISE and MDM compliant: once the device is registered with both ISE and MDM, and is in compliance with MDM policies, it will be granted full access to the network.
Reg with ISE NOT MDM: this Authorization Rule is for devices which are registered with ISE but either not yet with an MDM server or not compliant with MDM policies. Once the device hits this rule, it will be forwarded to the ISE MDM landing page. If not registered with MDM, the Register button is shown. If already registered but not compliant, it will inform the user about the compliance failure.
Rule Name: Employee Personal Device
Identity Groups: Any
Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
Permissions: WLC_SupplicantProvisioning

Rule Name: Reg with ISE and MDM compliant
Identity Groups: RegisteredDevices
Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID AND MDM:MDMServerReachable EQUALS Reachable AND MDM:DeviceRegisterStatus EQUALS Registered AND MDM:DeviceCompliantStatus EQUALS Compliant
Permissions: WLC_FullAccess

Rule Name: Reg with ISE not MDM
Identity Groups: RegisteredDevices
Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID AND MDM:MDMServerReachable EQUALS Reachable
Permissions: MDM_Quarantine

Rule Name: Default (if no matches)
Permissions: DenyAccess

Do not forget to SAVE all the changes after updating the Authorization Policy rules.
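As an added example, not from the lab guide, the following Python script evaluates the four rules above in first-match order against constructed session attributes (the MAC address, and the attribute values not shown in the table such as NonCompliant, UnRegistered and UnReachable, are assumed). It also makes explicit what the table only implies: because both MDM rules require MDM:MDMServerReachable EQUALS Reachable, a registered device falls through to DenyAccess while the MDM server is unreachable, and a certificate whose SAN does not match the calling station's MAC is denied even though EAP-TLS itself succeeded.

```python
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]   # RADIUS/ISE attributes of one authorization request

# Attribute names follow the ISE dictionaries shown in the table above.
EAP = "Network Access:EapAuthentication"
SAN = "CERTIFICATE:Subject Alternative Name"
CALLING = "Radius:Calling-Station-ID"


def _wireless_dot1x(s: Session) -> bool:
    return s.get("Access Method") == "Wireless_802.1X"


def _san_matches_mac(s: Session) -> bool:
    # CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID
    # (MAC comparison is case-insensitive; formats are assumed identical here)
    return s.get(SAN, "").upper() == s.get(CALLING, "").upper()


def _mdm_reachable(s: Session) -> bool:
    return s.get("MDM:MDMServerReachable") == "Reachable"


def employee_personal_device(s: Session) -> bool:
    return _wireless_dot1x(s) and s.get(EAP) == "EAP-MSCHAPv2"


def reg_with_ise_and_mdm_compliant(s: Session) -> bool:
    return (s.get("Identity Group") == "RegisteredDevices"
            and _wireless_dot1x(s) and s.get(EAP) == "EAP-TLS"
            and _san_matches_mac(s) and _mdm_reachable(s)
            and s.get("MDM:DeviceRegisterStatus") == "Registered"
            and s.get("MDM:DeviceCompliantStatus") == "Compliant")


def reg_with_ise_not_mdm(s: Session) -> bool:
    return (s.get("Identity Group") == "RegisteredDevices"
            and _wireless_dot1x(s) and s.get(EAP) == "EAP-TLS"
            and _san_matches_mac(s) and _mdm_reachable(s))


# Rules in the order ISE evaluates them; the first match decides.
AUTHZ_POLICY: List[Tuple[str, Callable[[Session], bool], str]] = [
    ("Employee Personal Device", employee_personal_device, "WLC_SupplicantProvisioning"),
    ("Reg with ISE and MDM compliant", reg_with_ise_and_mdm_compliant, "WLC_FullAccess"),
    ("Reg with ISE not MDM", reg_with_ise_not_mdm, "MDM_Quarantine"),
]
DEFAULT_RULE = ("Default", "DenyAccess")


def authorize(session: Session) -> Tuple[str, str]:
    """Return (rule name, authorization profile) for a session, first match wins."""
    for name, condition, profile in AUTHZ_POLICY:
        if condition(session):
            return name, profile
    return DEFAULT_RULE


# Constructed sample sessions (the MAC address is illustrative, not from the lab).
MAC = "B8-17-C2-11-22-33"


def tls_session(**overrides: str) -> Session:
    base = {"Identity Group": "RegisteredDevices", "Access Method": "Wireless_802.1X",
            EAP: "EAP-TLS", SAN: MAC, CALLING: MAC,
            "MDM:MDMServerReachable": "Reachable"}
    base.update(overrides)
    return base


FIRST_CONNECT = {"Access Method": "Wireless_802.1X", EAP: "EAP-MSCHAPv2"}
COMPLIANT = tls_session(**{"MDM:DeviceRegisterStatus": "Registered",
                           "MDM:DeviceCompliantStatus": "Compliant"})
MISSING_WEBEX = tls_session(**{"MDM:DeviceRegisterStatus": "Registered",
                               "MDM:DeviceCompliantStatus": "NonCompliant"})
NOT_ENROLLED = tls_session(**{"MDM:DeviceRegisterStatus": "UnRegistered"})
MDM_DOWN = tls_session(**{"MDM:MDMServerReachable": "UnReachable"})
CERT_REUSED = tls_session(**{CALLING: "B8-17-C2-99-99-99"})   # cert from another device

if __name__ == "__main__":
    for label, s in [("first connect", FIRST_CONNECT), ("compliant", COMPLIANT),
                     ("missing WebEx", MISSING_WEBEX), ("not enrolled", NOT_ENROLLED),
                     ("MDM unreachable", MDM_DOWN), ("cert reused", CERT_REUSED)]:
        print(f"{label:16s} -> {authorize(s)}")
```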

End of Exercise: You have successfully completed this exercise.

Proceed to next section.

Lab Exercise 2.3: Review policy configuration on 3rd Party MDM Server
Exercise Description
This exercise will review the MobileIron Policy Configuration for the corporate compliance policies.

Note: Please DO NOT change any policies on the 3rd party MDM server as this could leave the iPAD in an unusable state.

Exercise Objective
In this exercise, your goal is to familiarize yourself with and review the configuration of the MobileIron Server for the corporate policies. This includes completion of the following tasks:

Verify admin account privileges for the REST API, i.e. the account used by ISE to send REST API calls to the MobileIron Server

Review the Default Security Policies

Review the iOS app installation configuration (WebEx)

Step 1

Access the MobileIron administrative web interface.


a. On Admin PC, launch Mozilla Firefox web browser. Enter this URL in the address bar:
https://mobileiron.demo.local/admin

Note: Accept/Confirm any browser certificate warnings if present.

b. Login with username admin and password ISEisC00L. Once you login, the USER &
DEVICES tab should display.

Step 2

User Management
a. Navigate to USERS & DEVICES > User Management. From there, click the checkbox before the admin user and click on Assign Roles.
b. Notice that the API check box is selected for the user.
c. Navigate to USERS & DEVICES > User Management. From there, click the checkbox before the employee1 user and click on Assign Roles.
d. Notice that the API check box is NOT selected for the user.

Step 3

Application Control Policies on MobileIron Server


a. Navigate to APPS & CONFIGS > App Control
b. Click the Edit button for WebEx
c. Verify the settings as below

Attribute           Value
Name                WebEx
Type                Required
App Name            IS
App Search String   WebEx
Device Platform     ALL
Comment             WebEx

Step 4

Default Security Policy on MobileIron Server


a. Navigate to POLICIES > All Policies > Default Security Policy. From there, click the Edit button on the right side of the screen.
b. Review this Policy for Password, Type, Length, Data Encryption etc.
c. Under Access Control, verify WebEx is the only Enabled rule.

Note: The current version of AnyConnect is not compatible with iPad 1 in the pod, so AnyConnect cannot be enforced here.

Update as needed and then save the policy.

Step 5

Application Distribution Policies on MobileIron Server


a. Navigate to APPS & CONFIGS > App Distribution.
b. From there, click the dropdown button and select iOS.
c. Cisco AnyConnect has already been imported into the MobileIron server from the App Store. Click the Edit button to review the details.

Note: The change below is needed because the current value on the server is set to Yes.
Note: The current version of AnyConnect is not compatible with iPad 1, which is used in the pod.

Select No so that the MobileIron VSP does not send an installation request to the endpoint at the time of registration, and click Save.

d. Cisco WebEx has already been imported into the MobileIron server from the App Store. Click the Edit button to review the details.
Note: The change below is needed because the current value on the server is set to No.

Select Yes so that the MobileIron VSP sends an installation request to the endpoint at the time of registration, and click Save.

You are now familiar with the basic configuration of the 3rd-Party MDM server, MobileIron. You will use it in subsequent exercises.

End of Exercise: You have successfully completed this exercise.

Proceed to next section.

Lab Exercise 2.4: Review ISE 1.2 My Devices Portal Configuration

Exercise Description
This exercise will review the ISE 1.2 My Devices Portal configuration.

Exercise Objective
In this exercise, your goal is to familiarize yourself with and configure the My Devices Portal on ISE. This includes completion of the following tasks:

Verify My Devices Portal enablement

Customize the My Devices Portal

Modify the My Devices Portal authentication to include AD for user authentication

Launch the My Devices Portal and access it using AD user credentials

Step 1

Access the ISE administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://ise-1.demo.local/

Note: Accept/Confirm any browser certificate warnings if present.

b. Login with username admin and password ISEisC00L. The ISE Dashboard should display.
Step 2

My Device Portal Settings


a. Navigate to Administration > Web Portal Management > Settings. From there, go to My Devices > Portal Configuration.
b. Under the General section, verify Enable My Devices Portal is checked.
c. Review the options to enable the AUP link, setting the maximum devices, email address and phone number for Help Desk. The maximum number of devices is set to 5 by default.

d. Enter values of your choosing under Help Desk for Email and Phone number.
Step 3

SSL and URL Settings for My Devices Portal


a. Go to Administration > Web Portal Management > Settings > General > Ports.
b. In My Devices Portal Settings, verify the HTTPS Port and Allowed Interfaces are set as below:
c. Scroll down to Portal FQDNs and verify that
i. Default My Devices Portal FQDN is checked
ii. The text box is set to mydevices.demo.local

Note: By default, the friendly FQDN is not enabled. It is preconfigured here in the interest of time and to avoid a restart of ISE services. In this setup, mydevices.demo.local is aliased to ise-1.demo.local in DNS.

Step 4

Identity Source Sequence for My Devices


a. Under Administration > Web Portal Management > Settings > My Devices, verify the Authentication Source is set to MyDevices_Portal_Sequence, which is the default.
b. Go to Administration > Identity Management > Identity Source Sequences. Verify that the MyDevices_Portal_Sequence has demoAD in the Authentication Search List.

Step 5

Finally, verify My Devices Portal is working with the configured settings.


a. From the web browser, access http://mydevices.demo.local

Note: Please accept/confirm any browser certificate warnings if present, which is mostly due to the browser not trusting the root CA
certificate that signs the SSL server certificate of the ISE.

b. Login with AD user/password employee1 / ISEisC00L
Note: This authentication event can be shown in AAA diagnostics reports; the My Devices Portal (ARP) logging category needs to be set to log INFO messages.

c. Upon successful login, a page similar to the one on the right will display. There will be options available to add devices, but do not add any devices at this time. This will be performed in later lab exercises.

You are now familiar with the look-and-feel of My Devices Portal. This portal will be used in the
subsequent exercises.

End of Exercise: You have successfully completed this exercise.

Proceed to next section.

Lab Exercise 2.5: Test and Verify the onboarding of a non-corporate Apple iPad
Exercise Description
In this exercise you will get the experience of onboarding an Apple iPad onto the network in a BYOD use case, followed by MDM enrollment. From the iPad you will connect over the wireless network to the single SSID you configured in the earlier exercise. You will use your AD credentials to let Cisco ISE know that the iPad is a personal device that belongs to you, the employee. When you connect to the network you will verify profile installation for the native supplicant on the iPad; this will be followed by MDM enrollment. Using Cisco ISE live logs you will monitor the onboarding process and verify successful completion via the My Devices Portal.
Warning: The Apple iPad you will be using is controlled remotely using VNC over the USB port of the admin PC. Due to
configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment please do not
deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical / manual
resetting and prevent you from experiencing the full potential of the lab.
Thank you for your cooperation.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Connect to the iPad via VNC to test the wireless BYOD feature

Connect the iPad to the corporate SSID and check the onboarding of the Apple iPad and installation of the profiles for the native supplicant for the corporate user

Complete device enrollment with the 3rd party MDM, install the corporate application

Check the ISE Live Logs to monitor the process

Check the My Devices Portal to see the device registration

Use the My Devices Portal to issue a corporate wipe.

Step 1

Click on the taskbar short-cut vnc-to-ipad to start a VNC session to the iPad.
Press any key to continue when prompted, and you will then see the VNC Viewer.

Step 2

On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.

Note: If there are no profiles, you might not see the Profiles menu option.

Step 3

Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and
Data.

Step 4

Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the
network n-p##-TS-WPA2e
a. Enter the username/password AD credentials (employee1 / ISEisC00L) and click Join

b. Click to Accept the certificate
c. Next click on the blue arrow of the connected network and verify the IP address assigned.

Step 5

Now launch the mobile Safari app and access the website www-int.demo.local.
If you receive a warning Cannot Verify Server Identity, click Continue and it will redirect to the self-provisioning page.

Note: If a red error is shown and the Register button is greyed out, check whether a Client Provisioning Policy rule has been created for Apple iOS (Policy > Client Provisioning).

Also, run a Supplicant Provisioning Report (Operations > Reports > Endpoints and Users > Supplicant Provisioning > Run)

When prompted to install the root CA certificate, which signed the SSL server certificate of ISE, click Install. Accept any warnings to complete this installation.

Step 6

Once back on the self-provisioning page in Safari, enter an optional description and click to Register the iPad.

At this time, the ISE Profile Service pops up and prompts Install.

Step 7

Click Install to start the Apple Over-The-Air (OTA) enrollment process. This will automatically generate the key, enroll the identity certificate, and save the resulting signed Wi-Fi profile to the iPad.

Note: If there are errors installing the profile, do the following:

Verify a SCEP CA profile has been created (Administration > System > Certificates > SCEP CA Profile)
Verify the CA and RA certificates have been downloaded to the Certificate Store (Administration > System > Certificates > Certificate Store)
Check the console output of the iPad using the iPhone Configuration Utility (iPCU) from Apple, which is installed on the admin PC (Start > All Programs > iPhone Configuration Utilities)
To retry this OTA process after an error, remove the client session from the wlc web UI (MONITOR > Clients) then repeat Steps 7 ~ 9 in this exercise.

Step 8

Verify that Settings > General > Profiles shows two profiles installed.

Notes: iOS_WPA2e_TLS is the name of the supplicant profile created in Step 11 of Exercise 2.1

Step 9

Once enrollment is complete, launch the mobile Safari app and access www.google.com; the iPad will have access as per corporate policies.
Now access the website www-int.demo.local (Corporate Resource). Since the device is not enrolled with MDM, as per the configured policies the device will be redirected to the page hosted on ISE to register with the 3rd Party MDM Server. To simplify the end-user experience, a link to the configured 3rd party MDM Server will be presented where the user can click on the link to get redirected to install the MDM client.
Click on the link called Step1: Enroll but do NOT click on the Step 2: Continue button.

Notes: In this lab the 3rd party MDM agent is already downloaded, so DO NOT click.

Go to the iPAD home screen by right-clicking on the iPAD, then hold down the click key and move the mouse towards your left to swipe the screen; this will take you to a new page on the iPAD. Click on the MobileIron icon to launch the MobileIron Agent.
If you get the Application Reset pop-up, click OK to continue.

Step 10

Enter the following values and accept ALL certificates when prompted. If asked for a Certificate, click Accept, since this is the certificate from the MobileIron Server to be installed on the iPAD. The certificate is later used to push the MDM profile and certificates from the MobileIron Server.

Attribute    Value
User Name    employee1
Server       mobileiron.demo.local
Password     ISEisC00L

a. Click Accept Certificate.
b. The iPAD will be prompted that its configuration will be updated; click OK to continue.
c. MobileIron will now push the MDM profile to the iPAD, but before it can push the profile, the iPAD needs the certificate of the MobileIron server. Therefore the MobileIron server will now configure the iPAD to initiate a SCEP request for the certificate; click Install to download the profile on the iPAD.
d. The iPad will prompt that the profile is unverified (since the certificate on the MobileIron server is not a publicly signed certificate). Click Install Now.

e. The iPad will prompt that the MobileIron server is installing the certificate named PortalCA,
which is not a publicly signed certificate. Click Install Now

Once the profile and certificates are downloaded on the iPad, click Done

Notes: After clicking on Done, STOP and wait for the iPad to prompt for App Installation. If the
iPad does not prompt for App Installation please check with the Lab Administrator. This is to test the non-compliant state of the iPad.

The iPad is now registered with the MobileIron MDM server but is missing the corporate application and is therefore NOT
compliant with ISE as per the configured policies.

Step 11

As part of the corporate compliance policies, the device needs to have the corporate applications. In
this lab, the MDM server will be pushing the WebEx application onto the iPad.

Notes: At this time click Cancel for WebEx.

Step 12

Click on Safari to open the browser and access www-int.demo.local then click the Continue
button so ISE can send a COA-Reauth.

Once ISE sends a successful COA, it will refresh the iPAD browser prompting the user to
access the original URL

Step 13

Type the original URL in the address bar: www-int.demo.local. The iPad is non-compliant with
the corporate policies as it is missing the WebEx application, so ISE will redirect the user to
the MDM non-compliance page.
The explanation and recommendation text might be different from the screenshot, depending on
the MobileIron VSP server version.

Step 14

Go to the iPad home screen: right-click on the iPad, hold down the click key and move the mouse
to the left to swipe the screen. This takes you to a new page on the iPad; click on the MobileIron
icon to launch the MobileIron Agent.

Note: If the page has no MobileIron, right click once to go back to iPad home screen and right click again to launch search. Enter
MobileIron as the search string to find and launch it.

Step 15

Re-Enroll with MDM

a. Click Settings > Check for Updates then Re-Enroll Device
b. The iPad will now go through the MDM re-enrollment process; the user will be prompted to
install the profile so the iPad can initiate a SCEP request to the MobileIron server to get the
certificates. Click Install
c. Click Install Now to accept the warnings
d. Click Install to install the MDM profile on the iPad so the MobileIron MDM server can
manage the device

Once the profile is installed click Done

e. This time wait until prompted to install the WebEx Meetings app. Please click Install
f. The iPad will request the App Store password for the cs.ise.gold@gmail.com account;
please enter ISEisC00L
g. Please wait for the WebEx app installation to complete
h. Once the WebEx application installation is complete, click on Safari to open the browser
and access www-int.demo.local, then click the Continue button so ISE can send a
COA-Reauth.
i. Once ISE sends a successful COA, it will refresh the iPad browser, prompting the user to
access the original URL

Step 16

Using the Admin PC, go to the MobileIron Server.
Click on USERS & DEVICES
Click on User employee1

Step 17

On the right section of the screen (Device Details) click on the small arrow before Apps to
expand it. Make sure all the apps are in compliance and NOT in RED

Notes: After clicking on Apps, STOP if any of the apps is reported in RED. This means that the MobileIron MDM
Server has NOT received updates from the MobileIron Agent.
To send another update from the MobileIron Agent to the MobileIron Server:
Go to the iPad home screen: right-click on the iPad, hold down the click key and move the mouse to the left to
swipe the screen. This takes you to a new page on the iPad; click on the MobileIron Agent app to launch it.

Click Settings then Force Device Check-in

Click Check-in

Please note that this might need to be done multiple times, depending on whether the update from the MobileIron Agent gets to
the MobileIron Server.
Repeat from Step 10 to make sure the apps are in compliance.

Step 18

Once the MobileIron Server shows employee1 as compliant, click on Safari on the iPad to open the
browser and access www-int.demo.local, then click the Continue button so ISE can send a
COA-Reauth.

Once ISE sends a successful COA, it will refresh the iPad browser, prompting the user to access
the original URL

Please type the original URL in the address bar: www-int.demo.local

Employee1 will now have access to the corporate resources

Step 19

Check the live logs on ISE admin web console to verify that the correct authorization profiles
were applied. Initially, the device will be authorized for WLC_SupplicantProvisioning. Once the
provision is done, another MDM registration process will start where first the user would be
requested to register and then comply with the corporate compliance policies, which would
result in another authentication, and then the WLC_FullAccess profile will be applied.

Note: For detailed troubleshooting, enable DEBUG logging for the relevant components (client, guest and provisioning)
under Admin > System > Logging > Debug Log > Config.

Step 20

Go back to the My Devices Portal http://mydevices.demo.local and inspect the endpoint
registration states. Login as employee1 / ISEisC00L if the portal session expires.
a. The initial state of the device is Pending as shown below.

Notes: The transition may take up to 20 minutes due to bug CSCtx94533

b. Once the newly installed Wi-Fi profile authenticates the device to the network, this state will
move to Registered.

More Troubleshooting Tips


Helpful WLC CLI commands:
Debugging client traffic

debug client <mac_address>

Debugging AAA authentication

debug aaa events enable

Debugging 802.1X events

debug dot1x events enable

Bypass captive portal

config network web-auth captive-bypass enable

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 2.6: Test and Verify the Corporate Wipe function on My Devices Portal

Exercise Description
This exercise will show you the device self-management features of Cisco ISE.
You will simulate losing your iPad and performing a Corporate Wipe action on the device.
Corporate Wipe will remove all the corporate data; in this case WebEx, which was pushed as a
corporate application earlier, will be removed. Cisco ISE uses APIs to interact with the MDM
Server in enforcing restrictions on the user's self-provisioned device.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Review the MDM_Quarantine policy that was created earlier

From the My Devices Portal initiate the Corporate Wipe action on the device to observe the
Change of Authorization (CoA) occur and restrict access from the device

Step 1

Refer to Appendix A for the sample WLC configuration. Login to the WLC web interface
https://wlc.demo.local as admin / ISEisC00L to review the WLAN and ACLs used in this
exercise.
a. WLAN: n-p##-TS-WPA2e
b. ACLs: PERMIT-ALL-TRAFFIC and MDM_Quarantine_ACL

Note: The ## in n-p##-TS-WPA2e is to be replaced with the assigned pod number; e.g. n-p22-TS-WPA2e for POD 22

Step 2

Review the authorization profile MDM_Quarantine under Policy > Policy Elements > Results
> Authorization > Authorization Profiles.
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=mdm
cisco-av-pair = url-redirect-acl=MDM_Quarantine_ACL
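The profile sequence from Lab 2.5 Step 19 (WLC_SupplicantProvisioning, then MDM registration and compliance, then WLC_FullAccess) together with the MDM_Quarantine redirect profile above, modelled as an added Python example that is not code from the lab guide or from Cisco ISE: it returns the RADIUS attributes each outcome carries and checks that a redirect profile is well-formed. The portal address and session id are constructed; the profile, ACL and attribute names are the ones used in the lab.

```python
"""Added example (not from the lab guide or Cisco ISE): model the
authorization outcomes this lab walks through and sanity-check the
RADIUS attributes a redirect profile returns."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed portal address; the lab shows it as https://ip:port/guestportal/gateway
PORTAL = "https://ise-1.demo.local:8443/guestportal/gateway"


@dataclass
class MdmState:
    supplicant_provisioned: bool   # BYOD supplicant profile already installed
    registered: bool               # device registered with the MDM server
    compliant: bool                # device meets the MDM compliance policy
    corporate_wiped: bool = False  # Corporate Wipe issued from My Devices


@dataclass
class AuthzResult:
    profile: str
    attributes: list = field(default_factory=list)


def authorize(state: MdmState, session_id: str) -> AuthzResult:
    """First-match evaluation in the order the lab applies the profiles."""
    redirect = f"url-redirect={PORTAL}?sessionId={session_id}&action=mdm"
    if not state.supplicant_provisioned:
        # Lab 2.5 Step 19: first authorization is supplicant provisioning
        return AuthzResult("WLC_SupplicantProvisioning")
    if state.corporate_wiped or not state.registered or not state.compliant:
        # Lab 2.6 Step 2: ACCESS_ACCEPT plus a redirect to the MDM portal,
        # with MDM_Quarantine_ACL limiting what the client may reach meanwhile
        return AuthzResult("MDM_Quarantine", [
            "Access-Type=ACCESS_ACCEPT",
            f"cisco-av-pair={redirect}",
            "cisco-av-pair=url-redirect-acl=MDM_Quarantine_ACL",
        ])
    return AuthzResult("WLC_FullAccess", [
        "Access-Type=ACCESS_ACCEPT",
        "Airespace-ACL-Name=PERMIT-ALL-TRAFFIC",
    ])


def check_redirect(result: AuthzResult) -> list:
    """Return the problems a reviewer would flag in a redirect profile.
    A url-redirect without a url-redirect-acl, or without the session id
    and action=mdm, will not produce the MDM redirect this lab relies on."""
    problems = []
    avpairs = [a.split("=", 1)[1] for a in result.attributes
               if a.startswith("cisco-av-pair=")]
    redirects = [v for v in avpairs if v.startswith("url-redirect=")]
    acls = [v for v in avpairs if v.startswith("url-redirect-acl=")]
    if not redirects:
        return problems  # nothing to check for a full-access profile
    if not acls:
        problems.append("url-redirect present but no url-redirect-acl")
    url = redirects[0].split("=", 1)[1]
    query = parse_qs(urlsplit(url).query)
    if query.get("action") != ["mdm"]:
        problems.append("redirect action is not mdm")
    if not query.get("sessionId"):
        problems.append("redirect lacks sessionId")
    return problems
```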

Step 3

Go to My Devices Portal and click Corporate Wipe for the iPad. The AnyConnect application
will now be removed from the iPad and the device will be blocked from accessing the corporate
network. Note the icon change under the State.

Notes: Due to possible Race Condition (CSCui00582), ISE does not send a CoA to the controller after
initiating the Corporate WIPE. Please initiate a CoA from ISE Live Session Logs or toggle Wi-Fi to see the
change in authorization policy rule.

OR

Step 4

From the VNC session to the iPad, switch to the mobile Safari app. Reload the page www-int.demo.local and the user will see the message:
You must enroll your device

Step 5

Under Operations > Authentications, review the Live Logs. It will show that a Dynamic
Authorization is triggered after the device is Corporate-Wiped then a reauthorization matches
the device to the MDM_Quarantine profile

Step 6

Clean up the iPad and turn off wireless to get ready for the next exercise
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and forget the network that the iPad is connected to.
c. Go to Settings > Wi-Fi and slide the virtual switch off to disable Wi-Fi.
d. Remove the two profiles installed by the ISE BYOD services on the iPad under Settings >
General > Profiles.
e. Go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 3: Profiler Enhancements - Logical profiles & Feed Services

Exercise Description
This lab showcases two ISE 1.2 enhancements to the profiler services (1) endpoint logical profiles and
(2) profiler feed services.
This section of the guide is divided into smaller sub-sections for clarity:

Lab Exercise 3.1 : Endpoint Logical Profiles


Lab Exercise 3.2 : Profiler Feed Service

Lab Exercise 3.1: Endpoint Logical Profiles


Exercise Description
This exercise will demonstrate how to create a new Endpoint Logical Profile and how to implement it as
an additional condition of an existing Authorization Policy.
With the ISE 1.2 release we have implemented a method to group profiles into separate containers, i.e.,
logical groups. The logical groups now allow us to create a much cleaner and sleeker policy overall. An
example, and the use case used in this exercise, would be a handheld group that contains all of the
Apple and Android iDevices. By grouping these iDevices it is much easier to add them to an
Authorization Profile, where in the past you would need to add each iDevice.

Exercise Objective
In this exercise, your goal is to familiarize yourself with endpoint logical profiles, which includes
the completion of the following tasks in ISE:

Create a logical endpoint profile

Use a logical endpoint profile in authorization policy

Step 1

Login to the ise-1 administrator web portal
Use the Firefox web browser to access https://ise-1.demo.local using the credentials admin /
ISEisC00L.

Step 2

Create a logical endpoint profile

a. Navigate to Policy > Profiling and select Logical Profiles in the left-hand panel.

b. Click Add in the right-hand panel and fill in with the values as shown below:

Attribute           Value
Name                iDevices
Description         Handheld Devices
Policy Assignment   Apple-iDevice
                    Apple-iPad
                    Apple-iPhone

Note: Apple-Device is different from Apple-iDevice.

c. Click Submit when finished; the new logical profile is now listed.

Note: Ignore any other preconfigured logical profiles that may be seen in addition to the one that you created in this step

Step 3

Add the new I-Device endpoint profile in an existing ISE authorization policy
a. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Create a new Authorization Profile as below and then click Save.
Attribute            Value
Name                 I-Device-Full-Access
Description          Access Accept and Permit All Traffic
Access Type          ACCESS_ACCEPT
Airespace ACL Name   PERMIT-ALL-TRAFFIC

b. Go to Policy > Authorization
c. Modify the existing rule Employee_Personal_Device (by clicking on Edit at the right-hand
corner of the rule) and add the EndPoints condition along with modifying the Permissions
selection as shown in the example below

Status   Rule Name                  Identity Groups   Other Conditions                                      Permissions
         Employee_Personal_Devices  Any               Wireless_802.1x AND Network Access:EapAuthentication  I-Device-Full-Access
                                                      EQUALS EAP-MSCHAPv2 AND
                                                      EndPoints:LogicalProfile EQUALS iDevices

d. Click on Save at the bottom to save the changes.
e. Select the Employee_Personal_Device rule and drag it to the top of the list and place it
under the existing BlackList rule by grabbing the bar to the left of the rule name.
f. Click Save and the Employee_Personal_Device rule should now be the second in the
Authorization Policies.

Step 4

Test the modified authorization policy rule


a. Re-associate the iPad to the network if it disconnected.
i. Connect to iPad and navigate to Settings > Wi-Fi
ii. Turn on Wi-Fi
iii. From the network list select the SSID n-p##-TS-WPA2e (## = pod number i.e.,
pod 2 is n-p02-TS-WPA2e)
iv. If already associated click on the SSID to Forget this Network, delete the
existing profiles and toggle the Wi-Fi off/on and then re-associate and login with

the AD credentials Employee1 as username and ISEisC00L as password.
Accept the ISE certificate, if prompted.

b. Go to Operations > Authentications.


i. The top entry should be your latest authentication.

ii. After selecting the top entry as shown above this will launch another tab in your
browser. Click on details icon to retrieve the detailed report for the
authentication.

c. You should now have another tab with the Authentication details; take note of some of the
key and useful information:
i. Identity Store being demoAD (used for authentication to the SSID)
ii. Scroll down the report to the NAS IP Address field, which indicates that the iPad
connected using the WLC 10.1.10.61 and received the desired Authorization Profile
permissions that we created earlier, I-Device-Full-Access
iii. Scroll down in the report to the Other attributes section and verify the following
fields matched with the iPad.

AuthorizationPolicyMatchedRule   Employee_Personal_Device
EndPointMatchedProfile           Apple-iPad

d. Click on Show Live Sessions to go to the Live Sessions view


e. Locate the iPad session once again and trigger CoA re-authentication. This is useful
since a Profile and its attributes could change as they are learned. ISE allows you to
make the deliberate action to force the CoA on a currently connected and authorized
endpoint.

f. Expand the session by clicking on the expand button next to the session.
This shows the details of the whole session and shows the CoA triggering the dynamic
authorization of the session.
g. Re-verify from Show Live Authentications the latest authentication, as you did earlier,
to ensure that the iPad is still being assigned correctly and receiving the correct
permissions. Refresh the screen if necessary.
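The rule change in Step 3 and the report fields verified in Step 4, as an added Python example that is not part of the lab guide or of ISE: a first-match evaluator in which the iDevices logical profile lets one rule cover Apple-iDevice, Apple-iPad and Apple-iPhone, with BlackList kept above it. The session contexts, the Blacklist identity group name and the Blackhole_Wireless_Access permission are assumptions, not values from the lab.

```python
"""Added example (not from the lab guide or ISE): first-match evaluation
of the authorization policy built in Lab 3.1, using a logical profile
instead of one condition per Apple endpoint profile."""

# Lab 3.1 Step 2: logical profile -> member endpoint profiles
LOGICAL_PROFILES = {
    "iDevices": {"Apple-iDevice", "Apple-iPad", "Apple-iPhone"},
}


def logical_profile_of(endpoint_profile):
    """Return the logical profile an endpoint profile belongs to, if any."""
    for name, members in LOGICAL_PROFILES.items():
        if endpoint_profile in members:
            return name
    return None


# Conditions are predicates over a session context dictionary.
def wireless_dot1x(ctx):                     # Wireless_802.1x compound condition
    return ctx.get("access") == "wireless" and ctx.get("method") == "dot1x"


def eap_mschapv2(ctx):                       # Network Access:EapAuthentication
    return ctx.get("EapAuthentication") == "EAP-MSCHAPv2"


def in_logical_profile(name):                # EndPoints:LogicalProfile EQUALS name
    return lambda ctx: logical_profile_of(ctx.get("EndPointMatchedProfile", "")) == name


def in_identity_group(name):
    return lambda ctx: name in ctx.get("identity_groups", ())


# Lab 3.1 Step 3 e/f: BlackList stays first, Employee_Personal_Device second.
# Each rule is (name, [conditions], permission); group and permission names
# for BlackList and Default are assumed.
AUTHZ_RULES = [
    ("BlackList", [in_identity_group("Blacklist")], "Blackhole_Wireless_Access"),
    ("Employee_Personal_Device",
     [wireless_dot1x, eap_mschapv2, in_logical_profile("iDevices")],
     "I-Device-Full-Access"),
    ("Default", [], "DenyAccess"),
]


def evaluate(ctx):
    """Return (matched rule name, permission) using first-match ordering."""
    for name, conditions, permission in AUTHZ_RULES:
        if all(cond(ctx) for cond in conditions):
            return name, permission
    raise AssertionError("unreachable: the Default rule matches everything")


def authentication_report(ctx):
    """The 'Other attributes' fields Step 4 c asks you to verify, plus the
    permission granted."""
    rule, permission = evaluate(ctx)
    return {"AuthorizationPolicyMatchedRule": rule,
            "EndPointMatchedProfile": ctx.get("EndPointMatchedProfile"),
            "Permissions": permission}


# Constructed session context for the lab iPad (not a captured session)
IPAD = {
    "access": "wireless",
    "method": "dot1x",
    "EapAuthentication": "EAP-MSCHAPv2",
    "EndPointMatchedProfile": "Apple-iPad",
    "identity_groups": ["Employee"],
}
```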

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 3.2: Profiler Feed Services


The newly introduced Profiler feed service is a subscription service which allows Cisco to deliver profile
updates to the ISE server. An Advanced License allows the administrator to enable the profiler feed
service on either a Primary PAP (Policy Administration Point) or a Standalone PAP. The profiler feed
service is disabled by default. Subscriber information can also be configured so that the user submitting a
profile can receive notification of the success or failure of a submittal or when a download occurs. A submittal
is made to a portal using HTTPS and notification is via email.
Once the Profiler Feed Service is enabled the feed service policies and OUI updates/downloads occur at
1:00am local time by default. Once downloaded the feed service policies are automatically applied.
Policy updates obtained from the Feed Service cannot be altered. When an OUI update is downloaded
the database is updated with the endpoints affected by the OUI changes.

Exercise Description
This exercise will demonstrate how to enable the ISE profiler feed services and make use of the newly
updated policies in an ISE endpoint profiling decision. We will need to force an update because of the
nature of the lab and time permitted by taking steps an administrator should never have to make.

Exercise Objective
In this exercise, your goal is to familiarize yourself with ISE profiler feed services, which includes the
completion of the following tasks in ISE:

Enable ISE profiler feed services

Use a new OUI update in an endpoint

Run a report to verify the updates occurred

Check for email notifications triggered by the update from the feed service.

Step 1

Login into the ISE instance. Use Firefox web browser to access https://ise-1.demo.local using
the credentials admin / ISEisC00L.

Step 2

Add SMTP server info


a. Navigate to Administration > System > Settings
b. Select SMTP Server in the left-hand panel.
c. Enter mail.demo.local as the SMTP Server value
d. Click Save to save the configuration.

Step 3

Enable ISE profiler feed services


Enabling Profiler Feed Service will instruct the ISE to contact CISCO for new and updated
profiles created since the last ISE update
a. Navigate to Administration > Feed Service > Profiler
b. Check the checkbox against Enable Profiler Feed Service. A message shown below
pops up. Click on OK
c. Check the checkbox against Notify administrator when download occurs and enter
the email address of the Administrator, admin@demo.local, as shown below.
d. Click Save to save the configuration
Step 4

Check the status of ISE and enable the logging.


a. On the AdminPC, locate the putty ssh client on the desktop and ssh to the ise-1
command-line interface (CLI) using the credentials admin / ISEisC00L.

i. Issue the cli command show application status ise to ensure that ise-1 is up
and running
ii. Issue the cli command terminal length 0 to make the verbose log easier to
navigate
iii. Issue the show logging application ise-psc.log tail to monitor the download
from the feed server.

Step 5

From the ISE GUI, from Administration > Feed Service > Profiler, click on the Update Now
button which is at the bottom of the page

Step 6

The following message pops-up:

Click on Yes.
Step 7

Switch back to the Putty SSH session and wait for the download to begin; you should see log
messages indicating that the download has begun.

The keyword FEEDMANUALDOWNLOAD indicates that this was initiated by the Update
Now manual option. For the automatic updates, the keyword would be
FEEDAUTODOWNLOAD, as below:

Step 8

Query for new OUIs downloaded from the Profile Feed Service.
Note: The report might not contain any data for a few minutes. If the report comes back
empty, jump to step 9 and complete then come back to step 7 in a few minutes and re-run
the report.
a. Once the download starts, navigate to Operations > Reports.
b. Select Deployment Status from the left-hand panel.
c. Select Change Configuration Audit from the expanded list.
d. Set Time Range to Last 30 Minutes.

e. Click on Filters and select Object Type. Then, enter OUI (all in capitals) as the Object
Type.
f. Click Run.
g. Pick any row and click on its event cell. Then, click Ok to open it as a report.

h. Take a note of the Object Name field and the Modified Properties.

Note: Make sure you pick a Changed Configuration which shows the Modified Properties.
As per the IEEE, if the OUI name is private, then the value will not be shown in the Properties.

Step 9

Create a new endpoint to verify the OUI


a. Navigate to Administration > Identity Management > Identities
b. Select Endpoints from the left-hand panel.
c. Click Add to add a new endpoint.
d. In the Endpoint MAC Address text box, input the Object Name from Step 8.h. and
complete it with any hex digits and colon signs to meet the supported syntax, i.e., 01:02:03
(shown below)

e. Click Submit when done.
f. Once back in the list view, click on the hyperlink for the newly created endpoint.
g. Verify its OUI value matches the modified properties from Step 8.h.
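The OUI handling in Step 9, together with the earlier note that a downloaded OUI update changes the endpoints it affects, as an added Python example that is not from the lab guide or from the feed service: it normalizes a MAC address to the colon-separated form, extracts the OUI, completes an OUI from the audit report into a test MAC, and applies a constructed OUI update to a constructed endpoint table. The OUI values and vendor names are placeholders, not feed data.

```python
"""Added example (not from the lab guide or the feed service): MAC/OUI
handling behind Lab 3.2 Step 9 and the OUI-update behaviour it verifies."""
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return AA:BB:CC:DD:EE:FF; raise ValueError for anything else."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_of(mac):
    """First three octets: the part the profiler matches against its OUI table."""
    return normalize_mac(mac)[:8]


def complete_oui(oui, suffix="01:02:03"):
    """Step 9 d: turn an OUI taken from the audit report into a full test MAC
    by appending arbitrary hex digits in the supported colon syntax."""
    return normalize_mac(oui + ":" + suffix)


# Constructed OUI table: placeholder prefixes and vendor names, not real feed data
OUI_TABLE = {"00:11:22": "Example Vendor A", "AA:BB:CC": "Example Vendor B"}


def vendor_of(mac, table=OUI_TABLE):
    """Vendor recorded for the endpoint's OUI, or None when the OUI is unknown."""
    return table.get(oui_of(mac))


def apply_oui_update(endpoints, update, table):
    """Merge an OUI update into the table and return the endpoints whose
    recorded vendor changed, mirroring the guide's statement that an OUI
    download updates the endpoints affected by the change.

    endpoints: {mac: current vendor}; update: {oui: new vendor}."""
    affected = []
    for mac, current in endpoints.items():
        new = update.get(oui_of(mac))
        if new is not None and new != current:
            endpoints[mac] = new
            affected.append(mac)
    table.update(update)
    return affected
```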

Step 10

Check email notification


a. When the feed download finishes, use Firefox web browser to access the webmail
http://mail.demo.local using the credentials admin / ISEisC00L.
b. Examine the emails in the inbox and look for emails with subjects ISE System Message

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 4: ISE 1.2 Monitoring and Troubleshooting Enhancements

Exercise Description
This lab covers the enhancements made to Monitoring and Troubleshooting in the ISE 1.2 release. The
following are some of the major enhancements made in the ISE 1.2 release for better monitoring and
troubleshooting:
1. Powerful Search and Session Trace tools
   - In the Global Search, the administrator can search based on device type (e.g., ipad,
     workstation), username, IP address, MAC address etc. The search result will provide detailed
     information about the current status of the endpoint(s). Drilling further down on the result
     will yield more details about the endpoint including:
     - Authentication details
     - Accounting details
     - Posture details
     - Profiler details
     - Client provisioning details
     - Guest Accounting/Activity
   - The Session Trace tool ties in with the Search tool function. From the list of results that the
     Search tool returns, you can select a particular endpoint and display the complete session
     trace for that endpoint. The endpoint is dynamically mapped to the audit-session-id, which is
     used to trace an entire transaction throughout the system.
   - The results from the Search and Session Trace can then be exported for troubleshooting or
     auditing purposes.

2. New Reporting architecture with scheduled reports
   - ISE 1.2 has a new Reporting architecture with a face lift for the Reports. Reports are now
     organized by catalog, summarized with the number of reports under each catalog, and a brief
     description.
   - ISE 1.2 also includes the scheduled reports feature. The administrator can schedule reports
     at periodic intervals and have the results directed to an external repository.

3. Alarms enhancements
   - In ISE 1.2, Alarms are pre-defined and active by default. The user-defined alarms available in
     the earlier release are removed and replaced with the pre-defined alarms. The alarms are
     integrated into the main dashboard display and removed from the global tool-bar.
   - Users can drill down and see the details of each alarm.

   - From the Alarm Configuration UI, the admin can enable/disable alarms and/or change the
     threshold values for the alarms.

4. Introduces the Live Sessions view
   - With ISE 1.2, in addition to the Live Authentications log view, there is the new Live Sessions
     view
   - The admin can toggle between the live authentications and live session views
   - From the Live Session view, the CoA action is available

In this lab we will only be covering the Global Search, Session Trace and Scheduled Report features. In
addition, we'll also cover how to debug an authentication failure to show how the detailed report
information can be used for troubleshooting.
To cover all the other features, you can do the full ISE 1.2 Monitoring & Troubleshooting Lab.
This section of the lab guide is divided into the following sub-sections:

Lab Exercise 4.1 : Exploring the Global Search and Session Trace tools
Lab Exercise 4.2 : Exploring the new Reports and scheduling Reports
Lab Exercise 4.3 : Troubleshooting a failed authentication

Lab Exercise 4.1: Exploring the Global Search and Session Trace tools

Exercise Description
In this exercise you'll be exploring the ISE 1.2 Global Search and Session Trace tools. The common use
cases are as below:

As an administrator, I should be able to search easily to see how many devices of a particular
device type (Apple, ipad, workstations etc.) are currently connected to the network without going
to the Reporting section and generating the detailed reports.

As an admin, I should be able to search on a username and/or MAC address and get result(s)
that provide the entire trace of the session. I should be able to export all the information into a
log file so that I can efficiently troubleshoot the system.

Exercise Objective
In this exercise, your goal is to explore the Global Search and Session Trace tools, which includes the
completion of the following tasks in ISE:

Search for ipad in the Global Search to see how many devices are connected

Export the Search results to a file

Search for a username in the Global Search to yield the result for the username

From the result for the username, run the Session Trace for the user

Export the session trace results to a file

Step 1

If not already logged into the ISE server, access the ISE administration web interface at https://ise-1.demo.local using the credentials admin / ISEisC00L. At the top right-hand corner is
the Global Search, as shown below:

Step 2

In the Search window enter ipad to search for. As you type in the information in the search
window, it starts suggesting the possible answers.

Note: If no suggestions appear, ensure that your session has not timed out.

Step 3

From the Suggestions select apple-ipad and search on it. The search yields similar results
as shown in the following example:

Step 4

The highlighted section above shows how many apple-ipad devices are currently connected,
failed, disconnected and the full total of the devices that connected to the ISE server. The above
screenshot shows all the devices that connected to the ISE server. The icon adjacent to each
result shows whether the device is connected or disconnected.
a. Click on Connected to see the currently connected devices.
b. To export the results, click on the Export button at the bottom of the screen

Note: The exported results are saved as a zip file. In the zip file is a comma separated CSV
formatted file, which contains all the results for the ipad.

Step 5

Now either search for a username say employee1 or use the above results for Session Trace.

Click on the arrow button to get to Session Trace.

Step 6

The Session Trace will look similar to below :

a. The top row shows at a high level, the various actions for that session. Clicking on the
high-level items automatically scrolls you down to the relevant details section. This
screenshot below shows the Authenticated and Authorized section.

The screenshot below shows the next section i.e, the Re-auth section.

Step 7

For more detailed information about the endpoint, click on the Endpoint Details.

a. The Endpoint Details shows the detailed information about the endpoint from the various
sources - Authentication, Accounting, Profiler etc, as highlighted below

By clicking on each of the sections, you can view in depth all the attributes and the various steps
performed for each of these. The information can be exported by clicking on the Export
Results button. The file is saved in a text format which can be viewed by programs like
WordPad or Notepad++ etc.
b. A sample view of the Session Trace export looks as below:

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 4.2: Exploring the new Reporting GUI and configuring scheduled reporting.

Exercise Description
In this exercise you'll be exploring the new ISE 1.2 Reporting GUI and also how to use the scheduled
reports feature. The use cases for this are as below:

The new Reporting GUI improves the UI usability and performance of the reporting service so
that administrators can efficiently obtain sets of data for operational and security analysis.
As an ISE administrator, I want to send reports, via set schedule, to specific individuals, groups of
ISE administrators, email alias, etc. so that various consumers of ISE-based contextual data can
consume the data appropriate for them without having to log into the system.

Exercise Objective
In this exercise, your goal is to explore the new Reporting GUI and schedule periodic reports.
This includes the completion of the following tasks in ISE:

Exploring the new Reporting look and feel

Running a default Report

Adding filters to generate Reports

Scheduling reports to be sent to an external repository

Step 1

Access the ISE administration web interface at https://ise-1.demo.local using the credentials
admin / ISEisC00L

Step 2

Browse to Operation > Reports. Reports are organized by catalog, summarized with number of
reports under each catalog as seen in the screenshot below:

Step 3

Click on the Auth Services Status catalog. This expands and shows the list of all the reports in this catalog. Hovering over each report shows a high-level description of the report.

Step 4

Click on a specific report, say RADIUS Authentications. A sample report with static data and the default query options are shown.

Click on Run to generate the Authentications report for the current day.
Step 5

To add Filters, click on the Filter button and select the required items for filtering the report.

Step 6

After generating the report, to export the results to a repository, click on the Export option, then click the Export button in the pop-up window.
Step 7

After generating the report, to schedule it, select the Save As option in the top right-hand corner and choose Scheduled Report.

Step 8

When scheduling the report you can choose the following options for generating the scheduled reports:

a. Frequency
b. Date and time
c. Repository
d. Email addresses for notification

The Admin PC is pre-configured as the ISE FTP server repository to which you can send the scheduled report. Schedule a report and check for the generated report on the Admin PC under the directory C:\inetpub\ftproot\incoming.
Note that an FTP repository transfers both the report and the repository credentials in clear text; outside the lab, prefer an SFTP repository for scheduled reports that contain user and device data.

End of Exercise: You have successfully completed this exercise.

Proceed to next section.

Lab Exercise 4.3: Troubleshooting failed authentications


Exercise Description
In this exercise you'll troubleshoot a failed authentication using both new and existing tools in Monitoring and Troubleshooting. The use cases are:

As an ISE administrator, when a user calls and says that authentication has failed, I want to
identify the root cause of failed authentication quickly and easily.

Exercise Objective
In this exercise, your goal is to use the new Search and Session Trace tools to ease the troubleshooting work of the administrator. This includes the completion of the following tasks:

Create a failed authentication

Use the Search tool to search for the user, troubleshoot the issue and identify the root cause.

Step 1

From the ISE GUI, go to Operations > Authentications.

From the Live Authentications view, click on Add or Remove Columns and make sure you select Failure Reason. Also de-select other columns such as Device Port, Posture Status and Server, then scroll down and click Save.

Step 2

From the Admin-PC VMClient, power off the p##-w7pc-guest VM and power on the p##-w7pc-MnT VM. Then log in to Windows 7 (p##-w7pc-MnT). You may need to use the menu item VM > Guest > Send Ctrl+Alt+Del to invoke the Windows login screen.
Log in as admin / ISEisC00L

Step 3

From the Windows desktop, go to Start Menu > Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings and ensure that the Local Area Connection is enabled. If it is disabled, enable the interface.

Step 4

From the Windows desktop, launch the AnyConnect client from the Start Menu or from the left-hand corner of the taskbar.

Step 5

From AnyConnect, connect to the network wired_EAP-GTC. Also, click on the icon and select Connect only to current network as shown below.

Step 6

The user will be prompted for a username. Enter testuser as the username.

Note: If the login prompt does not show up, do one of the following:
1) From the ISE GUI Live Sessions view, send a CoA with session terminate (the session has probably already failed over to MAB), or
2) Go to the 3k-access switch and do a shutdown and no shutdown on interface GigabitEthernet0/1, or
3) Run clear authentication sessions on 3k-access.
Then immediately re-select wired_EAP-GTC in the AnyConnect client.

Step 7

You'll be prompted to accept the ISE certificate.

Click on Trust to accept the certificate. The authentication will fail as expected.
Accepting an unknown server certificate at the prompt is fine in the lab only; in production the supplicant should be configured to trust only the CA that issued the ISE certificate, otherwise it will just as readily build its EAP tunnel to a rogue RADIUS server presenting its own certificate.

Step 8

From the ISE GUI, in Live Authentications, you'll see the failed authentication, and the Failure Reason column should clearly indicate the reason for the failure.
You may also see a number of failures with the username anonymous. These come from the first wired network configured in AnyConnect.

Once you connect to wired_EAP-GTC, the errors show up as below:

Step 9

Click on the details for the failed authentication. The Failure Reason again shows why the authentication failed.

The Steps section lists the sequence of authentication steps and shows where and why the authentication failed.
Step 10

For further debugging of the issue, you can set the log level to DEBUG. On the ISE GUI, go to Administration > System > Logging > Debug Log Configuration to change the log levels.

Note: With the introduction of new features in ISE 1.2, you'll notice some new component names:

For MDM, the following are new components

For debugging the REST API, ERS is a new component

For the Setup Wizard, there is the new bootstrap-wizard component
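Live Authentications and Session Trace are one way to get at the failure reason; the same records leave ISE as syslog in the CISE_Failed_Attempts category, which is how a SIEM sees the lab's failed attempts. The script below is an added example, not part of this lab guide or of ISE: it reassembles segmented ISE-style syslog records, pulls out UserName and FailureReason, drops the anonymous outer-identity noise described in Step 8, and counts failures per user and reason. The sample lines are constructed to resemble ISE 1.2 output (header fields, message code 5400, comma-separated Attribute=Value body); the header layout and segment numbering are the author's understanding of the format rather than something this guide states, and the hosts, users, NAS details and failure reasons are illustrative, not what the lab's testuser actually produces.

```python
import re
from collections import Counter

# Constructed sample, not captured from the lab's ise-1 node. Layout assumed:
# "<pri>timestamp host CISE_<category> <sequence> <segments> <segment no> <body>",
# the first segment's body carrying timestamp, message code (5400 = failed
# attempt), severity, text, then Attribute=Value pairs. Record 0000000454 is
# split into two segments, as ISE does for messages over the syslog size limit.
SAMPLE_SYSLOG = [
    "<181>Aug 21 18:47:01 ise-1 CISE_Failed_Attempts 0000000452 1 0 "
    "2013-08-21 18:47:01.123 -07:00 0000011234 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=61, Device IP Address=10.1.29.1, "
    "UserName=anonymous, NetworkDeviceName=3k-access, NAS-Port-Id=GigabitEthernet0/1, "
    "FailureReason=12321 PEAP failed SSL/TLS handshake because the client rejected "
    "the ISE local-certificate,",
    "<181>Aug 21 18:47:03 ise-1 CISE_Failed_Attempts 0000000453 1 0 "
    "2013-08-21 18:47:03.004 -07:00 0000011235 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=61, Device IP Address=10.1.29.1, "
    "UserName=anonymous, NetworkDeviceName=3k-access, NAS-Port-Id=GigabitEthernet0/1, "
    "FailureReason=12321 PEAP failed SSL/TLS handshake because the client rejected "
    "the ISE local-certificate,",
    "<181>Aug 21 18:47:09 ise-1 CISE_Failed_Attempts 0000000454 2 0 "
    "2013-08-21 18:47:09.511 -07:00 0000011236 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=61, Device IP Address=10.1.29.1, "
    "UserName=testuser, NetworkDeviceName=3k-access, NAS-Port-Id=GigabitEthernet0/1, "
    "Protocol=Radius, ",
    "<181>Aug 21 18:47:09 ise-1 CISE_Failed_Attempts 0000000454 2 1 "
    "FailureReason=22056 Subject not found in the applicable identity store(s), "
    "IdentityPolicyMatchedRule=Wired_802.1X,",
]

HEADER = re.compile(
    r"^(?:<\d+>)?\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<category>CISE_\w+) "
    r"(?P<seq>\d+) (?P<total>\d+) (?P<segno>\d+) (?P<body>.*)$"
)
# Reassembled body: "... <message code> <severity> <text>, Attr=Value, ..."
MESSAGE = re.compile(r"^.*? (?P<code>\d{4,5}) (?P<severity>[A-Z]+) (?P<text>[^,]*), (?P<attrs>.*)$")
OUTER_IDENTITIES = {"anonymous"}  # EAP outer identity logged before the real user name


def parse_body(body):
    """Split a reassembled body into message fields plus Attribute=Value pairs."""
    m = MESSAGE.match(body)
    rec = {"code": m["code"], "severity": m["severity"], "message": m["text"]} if m else {}
    for part in (m["attrs"] if m else body).split(", "):
        key, sep, value = part.partition("=")
        if sep:
            rec[key.strip()] = value.strip().rstrip(",")
    return rec


def reassemble(lines):
    """Group lines by (host, sequence number), join the segments in order."""
    pending = {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not an ISE record; a SIEM feed carries other sources too
        entry = pending.setdefault((m["host"], m["seq"]),
                                   {"category": m["category"], "total": int(m["total"]), "parts": {}})
        entry["parts"][int(m["segno"])] = m["body"]
    records = []
    for (host, seq), e in pending.items():
        if len(e["parts"]) != e["total"]:
            continue  # a segment was lost in transit; do not report half a record
        body = "".join(e["parts"][i] for i in range(e["total"]))
        records.append({"host": host, "seq": seq, "category": e["category"], **parse_body(body)})
    return sorted(records, key=lambda r: r["seq"])


def search_user(records, user):
    """The Search-tool equivalent: every failed attempt for one user name."""
    return [r for r in records if r.get("UserName") == user]


def summarize(records, ignore_outer=True):
    """Count failed attempts per (UserName, FailureReason)."""
    counts = Counter()
    for r in records:
        if r.get("category") != "CISE_Failed_Attempts":
            continue
        user = r.get("UserName", "?")
        if ignore_outer and user in OUTER_IDENTITIES:
            continue  # the "anonymous" failures Step 8 describes
        counts[(user, r.get("FailureReason", "unknown"))] += 1
    return counts


if __name__ == "__main__":
    for (user, reason), n in summarize(reassemble(SAMPLE_SYSLOG)).most_common():
        print(f"{n:3d}  {user:<12} {reason}")
```

Run as-is it prints one line for testuser; feed it the syslog your collector receives from ise-1 (with the Failed Attempts logging category pointed at that collector) and the anonymous entries disappear from the summary while the real user's failure reason stays. Reassembly is keyed on sequence number so that a FailureReason that lands in a second segment is not lost, which is exactly the attribute you are searching for.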

End of Exercise: You have successfully completed this exercise.

End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.

Appendix A: WLC Configuration

config location expiry tags 5
config interface address management 10.1.100.61 255.255.255.0 10.1.100.1
config interface dhcp management primary 10.1.100.10
config interface port management 1
config interface vlan management 100
config interface address virtual 1.1.1.1
config interface address dynamic-interface access 10.1.10.2 255.255.255.0 10.1.10.1
config interface create access 10
config interface port access 1
config interface vlan access 10
config interface address dynamic-interface guest 10.1.50.2 255.255.255.0 10.1.50.1
config interface create guest 50
config interface port guest 1
config interface vlan guest 50
config 802.11b 11gsupport enable
config 802.11b cac voice sip bandwidth 64 sample-interval 20
config 802.11b cac voice sip codec g711 sample-interval 20
config 802.11b channel global off
config 802.11b txpower global 1
config 802.11b cleanair alarm device enable 802.11-nonstd
config 802.11b cleanair alarm device enable jammer
config 802.11b cleanair alarm device enable 802.11-inv
config 802.11b cleanair enable
config 802.11b disable network
config sysname wlc
config database size 2048
config country US
config snmp community delete public
config snmp community delete private
config snmp community mode enable ISEisC00L
config snmp community ipaddr 10.1.100.0 255.255.255.0 ISEisC00L
config snmp community create ISEisC00L
config advanced probe limit 2 500
config advanced probe-limit 2 500
config advanced 802.11a channel add 36
config advanced 802.11a channel add 40
config advanced 802.11a channel add 44
config advanced 802.11a channel add 48
config advanced 802.11a channel add 52
config advanced 802.11a channel add 56
config advanced 802.11a channel add 60
config advanced 802.11a channel add 64
config advanced 802.11a channel add 149
config advanced 802.11a channel add 153
config advanced 802.11a channel add 157
config advanced 802.11a channel add 161
config advanced 802.11a channel noise enable
config advanced 802.11a channel device disable
config advanced 802.11a channel load disable
config advanced 802.11a channel foreign enable
config advanced 802.11b channel add 1
config advanced 802.11b channel add 6
config advanced 802.11b channel add 11
config advanced 802.11b channel noise enable
config advanced 802.11b channel device disable
config advanced 802.11b channel load disable
config advanced 802.11b channel foreign enable
config mdns service query enable AirPrint
config mdns service create AirPrint _ipp._tcp.local. query enable
config mdns service query enable AppleTV
config mdns service create AppleTV _airplay._tcp.local. query enable
config mdns service query enable HP_Photosmart_Printer_1
config mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. query enable
config mdns service query enable HP_Photosmart_Printer_2
config mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. query enable
config mdns service query enable Printer
config mdns service create Printer _printer._tcp.local. query enable
config mdns profile service add default-mdns-profile AirPrint
config mdns profile service add default-mdns-profile AppleTV
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
config mdns profile service add default-mdns-profile Printer
config mdns profile create default-mdns-profile
config acl rule add PERMIT-ALL-TRAFFIC 1
config acl rule destination port range PERMIT-ALL-TRAFFIC 1 0 65535
config acl rule source port range PERMIT-ALL-TRAFFIC 1 0 65535
config acl rule action PERMIT-ALL-TRAFFIC 1 permit
config acl rule add PERMIT-ALL-TRAFFIC 65
config acl rule destination port range PERMIT-ALL-TRAFFIC 65 0 65535
config acl rule source port range PERMIT-ALL-TRAFFIC 65 0 65535
config acl rule add PERMIT-2-ISE-a-DNS 1
config acl rule destination address PERMIT-2-ISE-a-DNS 1 10.1.100.21 255.255.255.255
config acl rule destination port range PERMIT-2-ISE-a-DNS 1 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS 1 0 65535
config acl rule direction PERMIT-2-ISE-a-DNS 1 in
config acl rule action PERMIT-2-ISE-a-DNS 1 permit
config acl rule add PERMIT-2-ISE-a-DNS 2
config acl rule destination port range PERMIT-2-ISE-a-DNS 2 0 65535
config acl rule source address PERMIT-2-ISE-a-DNS 2 10.1.100.21 255.255.255.255
config acl rule source port range PERMIT-2-ISE-a-DNS 2 0 65535
config acl rule direction PERMIT-2-ISE-a-DNS 2 out
config acl rule action PERMIT-2-ISE-a-DNS 2 permit
config acl rule add PERMIT-2-ISE-a-DNS 3
config acl rule destination address PERMIT-2-ISE-a-DNS 3 10.1.100.10 255.255.255.255
config acl rule destination port range PERMIT-2-ISE-a-DNS 3 53 53
config acl rule source port range PERMIT-2-ISE-a-DNS 3 0 65535
config acl rule direction PERMIT-2-ISE-a-DNS 3 in
config acl rule protocol PERMIT-2-ISE-a-DNS 3 17
config acl rule action PERMIT-2-ISE-a-DNS 3 permit
config acl rule add PERMIT-2-ISE-a-DNS 4
config acl rule destination port range PERMIT-2-ISE-a-DNS 4 0 65535
config acl rule source address PERMIT-2-ISE-a-DNS 4 10.1.100.10 255.255.255.255
config acl rule source port range PERMIT-2-ISE-a-DNS 4 53 53
config acl rule direction PERMIT-2-ISE-a-DNS 4 out
config acl rule protocol PERMIT-2-ISE-a-DNS 4 17
config acl rule action PERMIT-2-ISE-a-DNS 4 permit
config acl rule add PERMIT-2-ISE-a-DNS 5
config acl rule destination port range PERMIT-2-ISE-a-DNS 5 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS 5 0 65535
config acl rule protocol PERMIT-2-ISE-a-DNS 5 1
config acl rule action PERMIT-2-ISE-a-DNS 5 permit
config acl rule add PERMIT-2-ISE-a-DNS 6
config acl rule destination port range PERMIT-2-ISE-a-DNS 6 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS 6 0 65535
config acl rule add PERMIT-2-ISE-a-DNS 65
config acl rule destination port range PERMIT-2-ISE-a-DNS 65 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS 65 0 65535
config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 1
config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 1 10.1.100.10 255.255.255.255
config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 1 53 53
config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 1 0 65535
config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 1 in
config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 1 17
config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 1 permit
config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 2
config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 2 10.1.100.21 255.255.255.255
config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 2 8443 8443
config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 2 0 65535
config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 2 in
config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 2 6
config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 2 permit
config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 3
config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 3 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 3 0 65535
config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 3 1
config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 3 permit
config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 4
config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 4 10.1.0.0 255.255.0.0
config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 4 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 4 0 65535
config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 4 in
config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 5
config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 5 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 5 0 65535
config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 5 permit
config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 65
config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 65 0 65535
config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 65 0 65535
config acl rule add BLACKHOLE 1
config acl rule destination address BLACKHOLE 1 10.1.100.21 255.255.255.255
config acl rule destination port range BLACKHOLE 1 8444 8444
config acl rule source port range BLACKHOLE 1 0 65535
config acl rule direction BLACKHOLE 1 in
config acl rule protocol BLACKHOLE 1 6
config acl rule action BLACKHOLE 1 permit
config acl rule add BLACKHOLE 2
config acl rule destination port range BLACKHOLE 2 0 65535
config acl rule source address BLACKHOLE 2 10.1.100.21 255.255.255.255
config acl rule source port range BLACKHOLE 2 8444 8444
config acl rule direction BLACKHOLE 2 out
config acl rule protocol BLACKHOLE 2 6
config acl rule action BLACKHOLE 2 permit
config acl rule add BLACKHOLE 3
config acl rule destination address BLACKHOLE 3 10.1.100.10 255.255.255.255
config acl rule destination port range BLACKHOLE 3 53 53
config acl rule source port range BLACKHOLE 3 0 65535
config acl rule direction BLACKHOLE 3 in
config acl rule protocol BLACKHOLE 3 17
config acl rule action BLACKHOLE 3 permit
config acl rule add BLACKHOLE 4
config acl rule destination port range BLACKHOLE 4 0 65535
config acl rule source address BLACKHOLE 4 10.1.100.10 255.255.255.255
config acl rule source port range BLACKHOLE 4 53 53
config acl rule direction BLACKHOLE 4 out
config acl rule protocol BLACKHOLE 4 17
config acl rule action BLACKHOLE 4 permit
config acl rule add BLACKHOLE 5
config acl rule destination port range BLACKHOLE 5 0 65535
config acl rule source port range BLACKHOLE 5 0 65535
config acl rule add BLACKHOLE 65
config acl rule destination port range BLACKHOLE 65 0 65535
config acl rule source port range BLACKHOLE 65 0 65535
config acl rule add MDM_Quarantine_ACL 1
config acl rule destination address MDM_Quarantine_ACL 1 10.1.100.10 255.255.255.255
config acl rule destination port range MDM_Quarantine_ACL 1 53 53
config acl rule source port range MDM_Quarantine_ACL 1 0 65535
config acl rule direction MDM_Quarantine_ACL 1 in
config acl rule protocol MDM_Quarantine_ACL 1 17
config acl rule action MDM_Quarantine_ACL 1 permit
config acl rule add MDM_Quarantine_ACL 2
config acl rule destination address MDM_Quarantine_ACL 2 10.1.100.21 255.255.255.255
config acl rule destination port range MDM_Quarantine_ACL 2 0 65535
config acl rule source port range MDM_Quarantine_ACL 2 0 65535
config acl rule direction MDM_Quarantine_ACL 2 in
config acl rule action MDM_Quarantine_ACL 2 permit
config acl rule add MDM_Quarantine_ACL 3
config acl rule destination address MDM_Quarantine_ACL 3 10.1.100.15 255.255.255.255
config acl rule destination port range MDM_Quarantine_ACL 3 0 65535
config acl rule source port range MDM_Quarantine_ACL 3 0 65535
config acl rule direction MDM_Quarantine_ACL 3 in
config acl rule action MDM_Quarantine_ACL 3 permit
config acl rule add MDM_Quarantine_ACL 4
config acl rule destination port range MDM_Quarantine_ACL 4 0 65535
config acl rule source port range MDM_Quarantine_ACL 4 0 65535
config acl rule direction MDM_Quarantine_ACL 4 in
config acl rule protocol MDM_Quarantine_ACL 4 1
config acl rule action MDM_Quarantine_ACL 4 permit
config acl rule add MDM_Quarantine_ACL 5
config acl rule destination address MDM_Quarantine_ACL 5 10.0.0.0 255.0.0.0
config acl rule destination port range MDM_Quarantine_ACL 5 0 65535
config acl rule source port range MDM_Quarantine_ACL 5 0 65535
config acl rule direction MDM_Quarantine_ACL 5 in
config acl rule add MDM_Quarantine_ACL 6
config acl rule destination port range MDM_Quarantine_ACL 6 0 65535
config acl rule source port range MDM_Quarantine_ACL 6 0 65535
config acl rule action MDM_Quarantine_ACL 6 permit
config acl rule add MDM_Quarantine_ACL 65
config acl rule destination port range MDM_Quarantine_ACL 65 0 65535
config acl rule source port range MDM_Quarantine_ACL 65 0 65535
config acl counter start
config acl create PERMIT-ALL-TRAFFIC
config acl apply PERMIT-ALL-TRAFFIC
config acl create PERMIT-2-ISE-a-DNS
config acl apply PERMIT-2-ISE-a-DNS
config acl create PERMIT-2-ISE-a-DNS-a-INTERNET
config acl apply PERMIT-2-ISE-a-DNS-a-INTERNET
config acl create BLACKHOLE
config acl apply BLACKHOLE
config acl create MDM_Quarantine_ACL
config acl apply MDM_Quarantine_ACL
config mobility group domain n-pNN-TS
config network rf-network-name n-pNN-TS
config network usertimeout 120
config network fast-ssid-change enable
config network web-auth captive-bypass enable
config network multicast l2mcast disable service-port
config network multicast l2mcast disable virtual
config dhcp proxy disable bootp-broadcast disable
config license boot base
config license agent max-sessions 9
config 802.11a cac voice sip bandwidth 64 sample-interval 20
config 802.11a cac voice sip codec g711 sample-interval 20
config 802.11a channel global off
config 802.11a txpower global 4
config 802.11a cleanair alarm device enable 802.11-nonstd
config 802.11a cleanair alarm device enable jammer
config 802.11a cleanair alarm device enable 802.11-inv
config 802.11a cleanair enable
config radius fallback-test interval 180
config radius fallback-test mode passive
config radius acct add encrypt 11 10.1.100.21 1813 password 1 3516b7676b6e057cc60e6eab4c046415
1b48c2754113392979a8a99cb7bcb4fdcbe0fb4b 16
73599122aad031626b4beca7aac40c8f00000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000
config radius acct retransmit-timeout 11 30
config radius acct enable 11
config radius auth add encrypt 11 10.1.100.21 1812 password 1 548dafd9b3821b2c2dca6d5bc20709e5
755a8cad807da4a4f7718c0a09ad9ea41c4267dd 16
1d47e852fdaca9e6f95f734047dba5ef00000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000
config radius auth rfc3576 enable 11
config radius auth retransmit-timeout 11 30
config radius auth enable 11
config nmsp notification interval rssi rfid 2
config certificate generate webadmin
config certificate generate webauth
config wlan aaa-override enable 10
config wlan mfp client enable 10
config wlan aaa-override enable 11
config wlan mfp client enable 11
config wlan mac-filtering enable 10
config wlan security wpa wpa2 ciphers aes disable 10
config wlan security wpa wpa2 disable 10
config wlan security wpa akm 802.1x disable 10
config wlan security wpa disable 10
config wlan security web-auth server-precedence 10 radius
config wlan security ft over-the-ds disable 11

config wlan security wpa enable 11
config wlan security web-auth server-precedence 11 radius
config wlan broadcast-ssid enable 10
config wlan nac radius enable 10
config wlan interface 10 access
config wlan broadcast-ssid enable 11
config wlan nac radius enable 11
config wlan interface 11 access
config wlan radius_server acct add 10 11
config wlan radius_server auth add 10 11
config wlan create 10 n-pNN-TS-OPEN n-pNN-TS-OPEN
config wlan session-timeout 10 1800
config wlan radius_server acct add 11 11
config wlan radius_server auth add 11 11
config wlan create 11 n-pNN-TS-WPA2e n-pNN-TS-WPA2e
config wlan session-timeout 11 1800
config wlan exclusionlist 10 60
config wlan exclusionlist 11 60
config wlan wmm allow 10
config wlan wmm allow 11
config wlan radio 10 802.11ag
config wlan radio 11 802.11ag
config wlan enable 10
config wlan enable 11
config serial timeout 3600
config time ntp server 1 128.107.212.175
config ap packet-dump truncate 0
config ap packet-dump buffer-size 2048
config ap packet-dump capture-time 10
config mgmtuser add encrypt admin 1 805504344137354e5003ad13325f9323
469e02f8c530760e8ffe4d77c6b5a0316d357540 16
b506763bef0194ab7d1586d9a6b31e1b00000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000 read-write
config cts sxp default password encrypt 1 f411b972950230dab42dae3ba063a435
72331cb4b85a5203d6b36b4057a4ded020183fe1 16
2064f49e024f7fcf1412453adc7fbcc200000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
config cts sxp connection peer 10.1.29.1
config cts sxp enable
config rfid timeout 1200
config rfid status enable
config rfid mobility pango disable
transfer upload path /incoming
transfer upload datatype config
transfer upload serverip 10.1.100.6
transfer upload filename p01-wlc-4hr.txt
transfer upload encrypt password 1 c8fba9f060227ab99126aed7ef3e0440
723aefd4e4faa8fa6bd1b73b5d566ad354773c28 48
142cad12d46f5ca14bc01d589e7775465bb4812a28860f90a4a89569a23f4c0895edeee963b4fb3f7aa270d9657bed64
transfer upload port 21
transfer upload mode ftp
transfer upload username ftp
transfer download path /
transfer download datatype config
transfer download serverip 10.1.100.6
transfer download filename pNN-wlc-4hr.txt
transfer download mode ftp
transfer download encrypt password 1 c8fba9f060227ab99126aed7ef3e0440
723aefd4e4faa8fa6bd1b73b5d566ad354773c28 48
142cad12d46f5ca14bc01d589e7775465bb4812a28860f90a4a89569a23f4c0895edeee963b4fb3f7aa270d9657bed64
transfer download port 21
transfer download username ftp
