Cisco ISE 1.2 Profiling


Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine (ISE),
focusing on the new key profiling features in ISE 1.2. The ISE profiling lab covers how to write policies using
logical profiles, how to enable ISE to receive automatic updates from the new feed service, and how
to enable profiling probes for wired and wireless devices. The last section covers day-to-day operations,
where the student uses the new tools, such as Search and Session Trace, that provide better
visibility and troubleshooting.
Lab participants should be able to complete the lab within the allotted time of 4 hours.

Lab Exercises
This lab guide includes the following exercises:

Lab Exercise 2-1: Enable ISE Probes, Verify Profiled Endpoints and Probe information
Lab Exercise 2-2: Enable Device Sensor and SNMP Query Profiles
Lab Exercise 2-3: Create Profiles and Authorization Policies using Logical Profiles
Lab Exercise 2-4: Profile Feed Service configuration with logging and reporting

ISE 1.2 Profiling Lab.docx Version 1.0.1

Page 1 of 39

Product Overview: ISE


The Cisco Identity Services Engine (ISE) is an identity and access control policy platform that enables
enterprises to enforce compliance, enhance infrastructure security and streamline their service
operations. Its unique architecture allows enterprises to gather real-time contextual information from
network, users and devices to make proactive governance decisions by tying identity back into various
network elements including access switches, wireless controllers, VPN gateways, and datacenter
switches. Cisco Identity Services Engine is a key component of the Cisco Secure Access Solution.
Cisco ISE allows enterprise users (employees) who wish to adopt the capabilities of their personal
feature-rich smart devices to connect those devices to an enterprise network and to self-provision and self-manage them in a BYOD environment.

Secure Access Lab Topology


Secure Access Lab IP Addresses and VLANs


Internal IP Addresses

Device                          Name/Hostname          IP Address
Access Switch (3560X)           3k-access.demo.local   10.1.100.1
Data Center Switch (3560CG)     3k-data.demo.local     10.1.129.3
Wireless LAN Controller (2504)  wlc.demo.local         10.1.100.61
Wireless Access Point (2602i)   ap.demo.local          10.1.90.x/24 (DHCP)
ASA (5515-X)                    asa.demo.local         10.1.100.2
ISE Appliance                   ise-1.demo.local       10.1.100.21
AD (AD/CS/DNS/DHCP)             ad.demo.local          10.1.100.10
NTP Server                      ntp.demo.local         128.107.212.175
LOB Web                         lob-web.demo.local     10.1.129.12
LOB DB                          lob-db.demo.local      10.1.129.20
Admin (Management) Client       admin.demo.local       10.1.100.6
  (also FTP Server)             ftp.demo.local
Windows 7 Client PC             w7pc-1.demo.local      10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN  VLAN Name   IP Subnet      Description
10    ACCESS      10.1.10.0/24   Authenticated users or access network using ACLs
20    MACHINE     10.1.20.0/24   Microsoft machine-authenticated devices (L3 segmentation)
(29)              10.1.29.0/24   Interconnect subnet between ASA and Access switch
30    QUARANTINE  10.1.30.0/24   Unauthenticated or non-compliant devices (L3 segmentation)
40    VOICE       10.1.40.0/24   Voice VLAN
50    GUEST       10.1.50.0/24   Network for authenticated and compliant guest users
90    AP          10.1.90.0/24   Wireless AP VLAN
100   Management  10.1.100.0/24  Network services (AAA, AD, DNS, DHCP, etc.)
129   WEB         10.1.129.0/24  Line-of-business Web servers
130   DB          10.1.130.0/24  Line-of-business Database servers

Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

Accounts and Passwords


Access To                       Account (username/password)
Access Switch (3560X)           admin / ISEisC00L
Data Center Switch (3560X)      admin / ISEisC00L
Wireless LAN Controller (2504)  admin / ISEisC00L
ASA (5515-X)                    admin / ISEisC00L
ISE Appliances                  admin / ISEisC00L
AD (CS/DNS/DHCP)                admin / ISEisC00L
Web Servers                     admin / ISEisC00L
Admin (Management) Client       admin / ISEisC00L
Windows 7 Client                W7PC-1\admin / ISEisC00L (Local = W7PC-1 or W7PC-2)
                                DEMO\admin / ISEisC00L (Domain = DEMO)
                                DEMO\employee1 / ISEisC00L

Pre-Lab Setup Instructions


Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components.

Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

Connecting to Lab Devices


Step 1
Launch the Remote Desktop application on your system.

a. Connect to your assigned pod's Admin PC using Remote Desktop Protocol (RDP) with
the IP address and password provided by your instructor.
b. Click Connect on the following warning:
c. Log in using the following credentials: admin / ISEisC00L

Note: All lab configurations can be performed from the Admin PC.

Connect to ESX Server Virtual Machines


During the lab exercises, you may need to access and manage the computers running as
virtual machines.
Step 1

From the Admin client PC, click the VMware vSphere Client icon on the desktop

Step 2

Click OK on the VMware vSphere Client warning.

Step 3

Once logged in, you will see a list of VMs that are available on your ESX server:


Step 4

You can power on, power off, or open the console (view) of these VMs. To do so,
place the mouse cursor over the VM name in the left-hand pane and right-click to select one of
these options:

Step 5

To access the VM console, select Open Console from the drop-down.

Step 6

To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:

Step 7

For this lab ensure that the following VMs are up and running:



p##_ad
p##_ise-1-base
p##_lob-db
p##_lob-web
p##_mail
p##_w7pc-corp
p##_w7pc-guest
## refers to the pod number assigned to you by your instructor. For example, in POD 2,
p##_ad would be p02_ad. Additional VMware images will be powered up as needed throughout
the lab exercises.

Connect to Lab Device Consoles


Step 1

To access the lab switches and ISE servers using SSH:


a. From the Admin client PC, locate the PuTTY shortcut on the desktop or taskbar. Click the
PuTTY shortcut; it shows a list of devices and ISE servers available for access.
b. Select the device you'd like to log into and double-click it.
c. If prompted, click Yes to cache the server host key and continue the login.
d. Log in using the credentials listed in the Accounts and Passwords table.

Basic Connectivity Test


To perform a basic connectivity test for the primary lab devices, run the
pingtest.bat script from the Windows desktop of the Admin client PC.
Verify that ping succeeds for all devices tested by the script and then close
the pingtest window when completed.

Note: The ping test may fail for VMs that have not yet completed the boot process; otherwise, inform the instructor if
you have problems pinging devices required during the lab, such as the Cisco switch, WLC, ISE server, etc.

Lab Setup Verification


Exercise Description
Verify the initial access switch lab setup and the ISE network access device pre-configuration.

Exercise Objective
Log in to the Identity Services Engine admin portal, join the AD domain, load the WLC configuration and
verify the configuration of the Cisco 3560-X access switch as a network device in ISE. Also
verify from the CLI of the Cisco 3560-X access switch that the RADIUS and interface configurations are
correct.

Rejoin ISE to AD Domain


Step 1
As part of a previous lab, the ISE appliance was joined to the Windows AD domain demo.local.
To prevent issues after lab pod initialization, the ISE appliance was deliberately removed from
the domain using the Leave function. To complete this lab, it is necessary to rejoin the ISE
appliance to the AD domain. Access the ISE admin interface to rejoin the Windows AD domain.
a. Go to the Admin client PC and launch the Mozilla Firefox web browser. Enter the
following URL in the address field:
https://ise-1.demo.local
b. Log in with username admin and password ISEisC00L
(accept/confirm any browser certificate warnings if present).
The ISE Home Dashboard page should display. Navigate the interface using the multilevel menus.

Step 2
Go to Administration > Identity Management > External Identity Stores and select Active
Directory from the left-hand pane, then verify that the connection status is not joined to the domain.

Step 3
Select ise-1 and click Join at the bottom of the configuration page:



Step 4

Enter the credentials admin / ISEisC00L when prompted to allow the AD operation, and then
click OK.


Step 5

After a few moments, a message should appear indicating that the node has successfully
joined the domain and the status shows completed; then click Close.

Step 6

You should now see the status as Connected to: ad.demo.local as shown in the example
below.

Step 7

Select the Groups tab at the top of the AD Server configuration page.

Step 8

Since AD groups were retrieved during the AD Join in a previous lab, the original saved
configuration should still be present. Verify the following groups are displayed at a minimum. If
not, re-add them and re-save the configuration:

demo.local/HCC/Groups/Employees

demo.local/HCC/Groups/Staff

demo.local/Users/Domain Admins

demo.local/Users/Domain Users


WLC Configuration

Step 1
Log in to the WLC web interface https://wlc.demo.local as admin / ISEisC00L

a. Navigate to the top menu COMMANDS. Then choose Download File from the left panel.
b. In the Download file to Controller page, fill in the form as below:

File Type                        Configuration
Configuration File Encryption    (unchecked)
Transfer Mode                    FTP
Server Details
  IP Address                     10.1.100.6
  File Path                      /
  File Name                      p##-wlc-4hr.txt
  Server Login Username          ftp
  Server Login Password          ftp
  Server Port Number             21

Note: The ## in p##-wlc-4hr.txt is to be replaced with your assigned pod number; e.g. p02-wlc-4hr.txt for pod 2.

c. Click the Download button in the right-hand corner to start the file transfer. The
following message pops up after clicking the Download button. Click OK.
d. Wait for the transfer to finish and the reset to complete.

Note: The WLC will automatically reset after downloading the updated configuration. You can optionally use ping -t
wlc to monitor the WLC and see when it has finished rebooting.

Verify NAD Configuration


Step 1

Go back to the Admin client PC and return to your ISE browser session. Login again if needed.
https://ise-1.demo.local

Step 2

Login with the username/password admin/ISEisC00L

Step 3

Verify your network access switch (3k-access) is setup and configured correctly
a. Go to Administration > Network Resources > Network Devices and select 3k-access


b. Verify the configuration of the 3k-access switch IP address as shown in the example
below.
c. Verify the shared secret used in the authentication settings. Click the Show button and verify
that ISEisC00L is the shared secret.

Step 4
From the Admin PC desktop, launch the PuTTY SSH client shortcut to start a
terminal session to the 3k-access switch (10.1.100.1) using the credentials admin / ISEisC00L
(enable password cisco123). Click Yes on any PuTTY security warnings.

Step 5
On the access switch, verify the configuration required for interface g0/1 using the show run
interface g0/1 command. It is okay that the interface is currently in shutdown mode; the interface
will be enabled later in the exercises.



interface GigabitEthernet0/1
description dot1X/mab clients
switchport access vlan 50
switchport mode access
switchport block unicast
switchport voice vlan 40
shutdown
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable

Step 6
Using the show run aaa command, verify the switch configuration for the RADIUS server
commands, including the AAA authentication and accounting commands for dot1x and network authorization. Also
verify that the RADIUS server VSA attributes are enabled.




3k-access#sh run aaa
aaa authentication login login-none none
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
username admin privilege 15 password 0 ISEisC00L
!
aaa server radius dynamic-author
client 10.1.100.21 server-key ISEisC00L
!
radius server ise-1
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
key ISEisC00L
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
aaa new-model
aaa session-id common

3k-access#

Lab Exercise 2-1: Enable ISE, Probes, and Network Device for Profiling

Exercise Description
This exercise will enable ISE profiling probes and NAD communications on the ISE Policy Service
node.

Exercise Objective
At the end of this exercise you will know how to enable the ISE probes, including DHCP, HTTP,
RADIUS, SNMP Query and Device Sensor, on the ISE Policy Service Node (PSN).

Lab Exercise Steps


Step 1

Log into your ISE device via the admin GUI.

Step 2

Go to Administration > System > Deployment.

Step 3

Click OK on the notification warning.


Step 4

Expand the Deployment group and select your ISE node.


Step 5

In General Settings, verify Policy Service and the Enable Profiling Service are enabled.

Step 6

In the right-hand pane, click the Profiling Configuration tab and enable the following probes:
a. Enable the DHCP probe using the interface GigabitEthernet 0 (default interface) with the
default UDP port 67.
b. Enable the HTTP probe with the default interface.
c. Enable the RADIUS probe with the default interface.
d. Enable the SNMPQUERY probe with the default parameters.


Step 7

Click the Save button and make sure your changes were saved successfully.

Step 8

From the ISE server, under Administration > Network Resources > Network Devices,
configure the SNMP settings for the 3k-access layer switch.
a. Click on the 3k-access switch and scroll to the SNMP Settings window.
b. Configure the following settings:
i. Check the SNMP box to enable the configuration.
ii. SNMP version 2c
iii. SNMP RO Community ISEisC00L
iv. Change the Polling Interval from the default of 3600 seconds to 600 seconds
v. Verify Link Trap Query is enabled.
vi. Verify MAC Trap Query is enabled.
c. Click the Save button.


Note: The polling interval of 600 seconds is for lab use only. You can use multiple interfaces to enable
certain ISE probes, which can help with scaling of the probe traffic to the Policy Service Node(s). You can
also enable ISE Profiling on additional PSNs, subject to proper licensing.

Step 9
Enable the global Change of Authorization (CoA) for profiling. This allows any
authorization/profiling changes for a device to be sent to the NAD for that endpoint.
a. Go to Administration > System > Settings > Profiling
b. Change the CoA Type: to Reauth
c. Change custom SNMP community strings: to ISEisC00L
d. Confirm changed custom SNMP community strings: to ISEisC00L
e. Verify the EndPoint Attribute Filter: box is NOT checked.
f. Click the Save button.



Note: Use caution when enabling this feature for the first time. The Change of Authorization (CoA) will occur
automatically for all newly profiled endpoints.

Step 10 Verify the default actions for profiled devices. From the ISE web portal go to Policy > Policy

Elements > Results > Profiling > Exception Actions. Here you will see the default Profiler
Actions for AuthorizationChange, EndPointDelete and FirstTimeProfile. If you click on one of the
default profiler names, you will see the CoA Action set to Force COA.





Note: Advanced Exception actions will not be covered in this lab.

Step 11 From Administration > System > Settings > Protocols > RADIUS, disable the options
Suppress Anomalous Clients and Suppress Repeated Successful Authentications by
UNCHECKING the box for each setting and then clicking the SAVE button.

NOTE: For lab purposes, proofs of concept and initial profiling, it is recommended to disable
the Suppress Anomalous Clients option to better monitor Operations > Authentications.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 2-2: Enabling SNMP Query, DHCP and Device Sensor Probes

Exercise Description
Configure and verify the SNMP Query and DHCP probes are properly configured on the access
switch. Configure and verify the Device Sensor on the Wired Switch and Wireless LAN
Controller (WLC). Verify Profiled Endpoints.

Exercise Objective
In this exercise you will verify the configuration of the SNMP Query and DHCP probes and of the Device
Sensor feature on the Cisco wired switch and Wireless LAN Controller, and then verify that DHCP
and CDP data are being sent from the wired switch, and DHCP and HTTP data from the WLC, to
the ISE PSN via RADIUS Accounting packets.

SNMP and DHCP Probe Configuration


Step 1

From Putty, SSH into the 3k-access switch with the admin/ISEisC00L credentials.

Step 2

Verify the SNMP server configuration on the access switch using the show run | include
snmp-server command.


Step 3

For the DHCP probe configuration, we need to verify that the access layer switch has the
additional IP helper address for the ISE appliance (10.1.100.21) on interface Vlan 50, so that DHCP
packet information is sent to the ISE DHCP probe.

3k-access# sh run interface vlan50


interface Vlan50
description GUEST
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.10
ip helper-address 10.1.100.21

Step 4

From the vSphere Client, open a console session to the p##_w7pc-guest VMware image.
Log in with the credentials admin/ISEisC00L, then start the Control Panel application and select
View network status and tasks under the Network and Internet section. Next click Change
adapter settings, then right-click the w7pc-guest-wired interface and select Enable.

Step 5

Use the getmac command from the Windows command prompt and record the MAC address of
your Windows 7 guest PC below for future reference.

MAC Address: ___________________________
Step 6

Enable SNMP debug to verify SNMP data is being sent to the ISE PSN.
config terminal
logging monitor 7
end
terminal monitor
debug snmp packet

Step 7

From the SSH session to the 3k-access, enable the interface g0/1 using the no shutdown
command.

Step 8

Next, from a Windows command prompt, verify that you have received an IP address from the
DHCP server using the ipconfig command.

Step 9

Verify SNMP communication between the ISE node and the switch. You should see SNMP
requests coming into the switch from ISE-1 similar to those shown below. You should also see
the switch's responses to the SNMP MIB requests from the ISE Profiling Service.



Step 10 From the ISE admin web portal, go to Administration > Identity Management > Identities
and select the Endpoints identity folder.

Step 11 Click on the endpoint profile matching the MAC address you recorded in the step above for the
Windows 7 Guest PC and look at the details of that endpoint.

Note: Initially your endpoint profile for the Windows 7 Guest PC will be learned from the DHCP Probe
data received by ISE from the access switch. Once the SNMP query runs the endpoint profile data
will be updated as shown in the next example.

Step 12 After about 60 seconds, refresh the endpoint database and re-select your endpoint MAC
address. You will eventually see the endpoint profile attributes updated to include the SNMP
query probe data received.

IOS Switch Device Sensor Configuration


Step 1
Now we will configure the Device Sensor probe for the access switch, replacing the DHCP probe
configuration on VLAN 50, and also remove the SNMP Query configuration for the 3k-access switch
network access device in the ISE configuration.

Step 2
Remove the DHCP IP helper command for the ISE PSN from VLAN 50.

conf t
interface Vlan50
no ip helper-address 10.1.100.21

Step 3

Go to Administration > Network Resources > Network Devices and edit the 3k-access switch
configuration.

Step 4

UNCHECK the box for the SNMP Settings configuration and then click the SAVE button.

NOTE: We are disabling the DHCP IP helper address and the SNMP Query, as is best practice when
using the Device Sensor feature, to keep ISE from receiving the same profiling data multiple times. This also
eliminates extra replication work for the ISE databases.

Step 5

From the access switch SSH session, add the following commands to enable the device-sensor
configuration.

device-sensor filter-list cdp list ISE
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name platform-type
!
device-sensor filter-spec cdp include list ISE
!
device-sensor filter-list dhcp list DHCP
 option name host-name
 option name class-identifier
 option name client-identifier
!
device-sensor filter-spec dhcp include list DHCP
!
device-sensor accounting
device-sensor notify all-changes
epm logging
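As an added example that is not part of the lab guide, the Python script below audits a switch running-config for the settings this lab verifies: the g0/1 802.1X/MAB interface template from the Lab Setup Verification section, the RADIUS VSA and device-sensor commands above, and the note about removing the ip helper-address to the PSN so that Device Sensor and the DHCP probe do not deliver the same data twice. The config it audits is a constructed sample built from the commands shown in the guide, with one CDP TLV dropped and the PSN helper left in place; 10.1.100.21 is the lab's ISE PSN address.

```python
"""Audit an IOS running-config for the profiling settings this lab expects: the
dot1x/mab access-port template, RADIUS VSAs in accounting, the Device Sensor
CDP/DHCP filter lists, and the guide's rule of removing the DHCP relay to the
PSN once Device Sensor is on. Added example, not part of the lab guide;
SAMPLE_CONFIG is constructed from the guide's commands, with one CDP TLV
dropped and the PSN helper-address left in place so the audit has findings."""
import re

PSN_IP = "10.1.100.21"  # ISE PSN address from the lab IP table

# Access-port commands the guide's "show run interface g0/1" expects.
REQUIRED_PORT_CMDS = ["authentication host-mode multi-auth", "authentication open",
                      "authentication order mab dot1x", "authentication priority dot1x mab",
                      "authentication port-control auto", "mab", "dot1x pae authenticator"]
# CDP TLVs and DHCP options the guide's device-sensor filter lists include.
REQUIRED_CDP_TLVS = {"device-name", "address-type", "capabilities-type", "platform-type"}
REQUIRED_DHCP_OPTS = {"host-name", "class-identifier", "client-identifier"}

SAMPLE_CONFIG = """\
device-sensor filter-list cdp list ISE
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
!
device-sensor filter-spec cdp include list ISE
device-sensor filter-list dhcp list DHCP
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list DHCP
device-sensor accounting
device-sensor notify all-changes
!
interface GigabitEthernet0/1
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
interface Vlan50
 ip address 10.1.50.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.21
radius-server vsa send accounting
"""


def parse_blocks(config):
    """Map each top-level command to its indented sub-commands; key '' keeps the top-level list."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):          # IOS indents sub-mode commands
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
            blocks[""].append(current)
    return blocks


def check_filter_list(blocks, proto, keyword, required):
    """Each filter-list referenced by a filter-spec must carry every required TLV/option."""
    spec = re.compile(rf"device-sensor filter-spec {proto} include list (\S+)")
    names = [m.group(1) for m in map(spec.match, blocks[""]) if m]
    if not names:
        return [("ERROR", f"no device-sensor filter-spec for {proto}")]
    findings = []
    for name in names:
        cmds = blocks.get(f"device-sensor filter-list {proto} list {name}", [])
        present = {c.split()[-1] for c in cmds if c.startswith(f"{keyword} name ")}
        findings += [("ERROR", f"{proto} filter-list {name}: missing {keyword} '{m}'")
                     for m in sorted(required - present)]
    return findings


def audit(config, port="GigabitEthernet0/1"):
    """Return (severity, message) findings; an empty list means the config matches the lab."""
    blocks = parse_blocks(config)
    top = set(blocks[""])
    port_cmds = blocks.get(f"interface {port}", [])
    findings = [("ERROR", f"{port}: missing '{c}'") for c in REQUIRED_PORT_CMDS if c not in port_cmds]
    if "device-sensor accounting" in top:
        # Sensor data only reaches ISE inside RADIUS accounting carrying Cisco VSAs.
        for cmd in ("radius-server vsa send accounting", "device-sensor notify all-changes"):
            if cmd not in top:
                findings.append(("ERROR", f"device-sensor on but '{cmd}' missing"))
        findings += check_filter_list(blocks, "cdp", "tlv", REQUIRED_CDP_TLVS)
        findings += check_filter_list(blocks, "dhcp", "option", REQUIRED_DHCP_OPTS)
        # Lab best practice: with Device Sensor on, a DHCP relay to the PSN makes
        # ISE receive and replicate the same profiling data twice.
        for header, cmds in blocks.items():
            if header.startswith("interface Vlan") and f"ip helper-address {PSN_IP}" in cmds:
                findings.append(("WARN", f"{header}: ip helper-address to PSN {PSN_IP} "
                                         "duplicates Device Sensor DHCP data"))
    return findings
```

Run audit() against the output of show running-config copied from the switch; the sample config yields one ERROR for the missing platform-type TLV and one WARN for the helper-address to the PSN.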

Step 6

From Administration > Identity Management > Identities, select the Endpoints folder and
remove the existing endpoint for the Windows 7 Guest PC VMware image again.

Step 7

Next, perform a shutdown/no shutdown on interface g0/1 from the access switch. This causes
RADIUS accounting packets to be sent to ISE, which recreates the endpoint profile.

Step 8

Verify that the endpoint data was generated from the Device Sensor (RADIUS Accounting packets) as
per the example below.



Step 9

Now from the Windows 7 system, start a browser session going to www.bing.com. You will see
the ISE policy service node (PSN) URL redirect to the guest service portal. From the redirect
the ISE profiling engine will now get additional data from the HTTP user-agent string.

Step 10 Now go back to the ISE browser session and refresh the endpoint profile for the Windows 7
client to see the dynamic changes made to the endpoint profile.

Step 11 Now we will profile the IP Camera on interface g0/2 (Vlan 20). Verify the switchport
configuration on the interface.

Step 12 From Policy > Authorization, create a new authorization policy for the IP Camera before the
Guest DOT1X authorization policy.
Rule Name: IP Camera
Conditions (Identity groups and other conditions):
Identity: Any
Select Attribute Conditions: Create New Condition (Advance Option)
Expression: Endpoints > Endpoint Policy EQUALS > Cisco Device (folder) > Cisco-IP-Camera
Then: Standard > Permit Access

Step 13 Now no shutdown the interface g0/2 from the 3k-access switch. Then give the IP Camera
endpoint a few minutes to power up and initialize. You can verify from Operations >
Authentications when the endpoint has been profiled.

Step 14 From Administration > Identity Management > Endpoints, verify the endpoint profile for
the IP Camera.


WLC Device Sensor Configuration



Step 1

From your browser, open a session to the Wireless LAN Controller (WLC). https://wlc.demo.local

Step 2

Login with the credentials admin/ISEisC00L.

Step 3

From menu bar click on the WLANs option.


Step 4

Next click on the WLAN ID 11 to be able to modify the WLAN attributes.


Step 5

Next click on the Advanced tab for the n-p##-TS-WPA2 WLAN where ## is your pod number.


Step 6

Scroll down to the Client Profiling section and select DHCP Profiling.

Step 7

When you select the DHCP Profiling probe you will get the warning message displayed below; click OK.

Step 8

Next select HTTP Profiling and then click the APPLY button in the upper-right corner.

Step 9

Verify the configuration for Client Profiling as shown in the example below.

Step 10 From the Admin PC, launch the VNC-to-iPad shortcut.

Step 11 Once the VNC connection launches, press any key to continue.

Step 12 From the Home screen of the VNC connection to the iPad, select the Settings button at the
bottom of the screen.


Controlling iPAD via VNC Client


Below are some tips for controlling the iPad UI via the VNC client that will be useful for the entire lab:

Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with trackpad)
Touch with two fingers on the trackpad if Secondary Click is configured.

Mouse: The mouse pointer mimics touching the iPad screen with one finger.

Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.

Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your
local keyboard for input.

Notes: The Tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to
input text into and click on it.
When interacting with the iPad VNC session, a US keyboard is preferred. If you have a mouse attached to your computer you will also find
it easier to navigate the iPad session.
A US keyboard is also needed for the RDP session unless you have additional language packs installed to provide keyboard mappings.
This applies only to the RDP sessions.

Note: The next steps are to ensure that the iPad device is starting clean for the next part of the lab.

Step 1

Verify that the iPad's Wi-Fi is disabled.
a. Settings > Wi-Fi > OFF.

Step 2

Remove all existing profiles.
a. Settings > General > Profiles
b. Click each existing profile one at a time and click on the Remove button.

Step 3

Next we will clear out any cached history, cookies and data stored by Safari.
a. Settings > Safari
b. Click Clear History
c. Click Clear Cookies and Data

Step 4

Now that your Apple iPad is cleaned up we can proceed with the rest of the lab. Select the Wi-Fi
menu option and turn on the Wi-Fi.

Step 5

From Choose a Network, select the n-pXX-TS-WPA2e SSID (where XX is your pod number).

Step 6

When prompted, enter the credentials for username and password: employee1/ISEisC00L and
click the Join button.

Step 7

Accept the ise-1.demo.local certificate prompt.

Step 8

From the ISE administration browser, go to Administration > Identity Management > Identities >
Endpoints, select the Apple iPad endpoint profile and verify the profile data that was learned.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 2-3: Create Profiles and Authorization Policies using Logical Profiles

Exercise Description
In ISE 1.2 we now have the capability to create Logical Profiles instead of using
Identity Groups when creating Authorization Policies. Using Logical Profiles lightens the
administrative work of matching profiling policies and reduces the complexity of
Authorization Policies.

Exercise Objective
In this exercise you will configure a new Logical Profile for the company's smart devices,
including Android, Apple-iDevices, Apple-iPads and Apple-iPhones. Once the new logical profile is
configured, you will create a new authorization policy using it.

Create New Logical Profile


Step 1

From Policy > Profiling > Logical Profiles click the Add button

Step 2

Build the following logical profile as shown in the example below and save.


Create New Authorization Policy


Step 1 Now we will create the new authorization policy using the Smart Devices logical profile.

Policy > Authorization and create the new rule after the IP-Camera policy.

Rule Name: Smart-Devices


Conditions (Identity groups and other conditions):
Identity: Any
Select Attribute Conditions: Create New Condition (Advance Option)
Expression: Endpoints > LogicalProfile EQUALS > Smart-Devices
Then: Standard > GuestPermitAccess


Step 3 From Operations > Authentications, click the Show Live Sessions button in the
left-hand corner.

Step 4 Find the session for your iPad (match the identity employee1) and, from the CoA Action
dropdown, select Session Reauthentication. This sends a RADIUS Change of Authorization (CoA) to
the WLC, forcing a new authentication and authorization of the session so that the new
Smart-Devices rule is applied.

Step 5 Go back to Administration > Identities > Endpoints, select the endpoint profiled as
Apple-iPad, and note the changes in the updated endpoint profile, as shown in the example below.
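The following Python script is an added example; it is not part of the lab guide and is not ISE code. It models what Steps 1 to 5 exercise: a Logical Profile lets one authorization rule cover several endpoint profiles, ISE evaluates rules top-down and applies the first match, and the Session Reauthentication CoA makes ISE evaluate the policy again once the profiler has reclassified the endpoint. The Cisco-IP-Camera profile and the IPCamera-Access result are assumed values for the lab's IP-Camera rule, and the MAC addresses are constructed.

```python
"""Model of ISE first-match authorization with a Logical Profile.

Added example, not ISE code: it imitates how a Logical Profile groups several
endpoint profiles so that one authorization rule matches all of them, and why
rule order matters. Profile and rule names come from the lab except where
marked as assumed; MAC addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Logical profile built in this exercise: one name covering four endpoint profiles.
LOGICAL_PROFILES: Dict[str, Set[str]] = {
    "Smart-Devices": {"Android", "Apple-iDevice", "Apple-iPad", "Apple-iPhone"},
}


@dataclass
class Endpoint:
    mac: str
    profile: str           # endpoint profile assigned by the profiler
    identity: str = ""     # authenticated user, if any


@dataclass
class Rule:
    name: str
    condition: Callable[[Endpoint], bool]
    result: str            # authorization profile returned on match


def logical_profile_equals(name: str) -> Callable[[Endpoint], bool]:
    """Condition 'Endpoints:LogicalProfile EQUALS <name>' used by the lab rule."""
    members = LOGICAL_PROFILES.get(name, set())
    return lambda ep: ep.profile in members


def endpoint_profile_equals(name: str) -> Callable[[Endpoint], bool]:
    """Condition on a single endpoint profile, the pre-1.2 way of matching."""
    return lambda ep: ep.profile == name


# Rules in policy order. ISE evaluates top-down and, by default, applies the
# first rule that matches, so the new rule sits after IP-Camera as in the lab.
# Cisco-IP-Camera / IPCamera-Access are assumed values for the lab's IP-Camera rule.
RULES: List[Rule] = [
    Rule("IP-Camera", endpoint_profile_equals("Cisco-IP-Camera"), "IPCamera-Access"),
    Rule("Smart-Devices", logical_profile_equals("Smart-Devices"), "GuestPermitAccess"),
    Rule("Default", lambda ep: True, "DenyAccess"),
]


def authorize(ep: Endpoint, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (rule name, authorization profile) of the first matching rule."""
    for rule in rules:
        if rule.condition(ep):
            return rule.name, rule.result
    raise RuntimeError("policy has no catch-all rule")


def reauthorize_after_coa(ep: Endpoint, new_profile: str,
                          rules: List[Rule] = RULES) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Simulate Steps 3-5: the profiler reclassifies the endpoint, and a Session
    Reauthentication CoA makes ISE evaluate the policy again for that session."""
    before = authorize(ep, rules)
    ep.profile = new_profile
    after = authorize(ep, rules)
    return before, after


if __name__ == "__main__":
    ipad = Endpoint("00:11:22:33:44:55", "Unknown", identity="employee1")  # constructed MAC
    print(reauthorize_after_coa(ipad, "Apple-iPad"))
    # Without the logical profile, matching the same four profiles would need
    # four rules (or an OR of four conditions); with it, one rule suffices:
    for profile in LOGICAL_PROFILES["Smart-Devices"]:
        print(profile, "->", authorize(Endpoint("00:00:00:00:00:01", profile)))
```

Run it as a script to see the before/after result for the iPad session and the same rule matching all four member profiles. Note that an endpoint still profiled as Unknown falls through to the Default rule, which is why the CoA in Step 4 is needed after profiling has changed the endpoint.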


End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 2-4: Profile Feed Service


Exercise Description
ISE 1.2 can receive a feed service from Cisco that dynamically adds or changes profiling policies
and OUI (MAC vendor prefix) entries on the ISE system, without the upgrade or patch that earlier
ISE 1.x versions required for the same change.

Exercise Objective
In this exercise, you will configure the Profiler Feed Service option. You will then run the profile
update feature and see the resulting profile and OUI updates. Next you will run one of the reports
for Profile Feed Service.

Profiler Feed Service Configuration


Step 1

From the vSphere client power on the p##_ISE-FeedService and p##_Mail images.

Step 2

Configure the ISE SMTP server settings:

a. Navigate to Administration > System > Settings.
b. Select SMTP Server in the left-hand panel.
c. Enter mail.demo.local as the SMTP Server value.
d. Click Save to save the configuration.


Step 3

Select Administration > Feed Service > Profiler.

Check the box to Enable Profiler Feed Service and click the OK button on the following
warning message.

Step 4


Step 5

Leave the Automatically check updates at field at its default of 01:00 UTC.

Step 6

Check the box to notify the administrator when a download occurs, and enter admin@demo.local as
the administrator email address.



Step 7 Check the box for the Feed Service Subscriber Information and click the Accept button on
the pop-up message.

Step 8 Add the following values for the Feed Service Subscriber Information.

a. Administrator first name: Admin
b. Administrator last name: Demo
c. Administrator email: admin@demo.local
d. Administrator Phone: 555-1212

Step 9 Click the SAVE button.


Step 10 From the ISE SSH console, set up log monitoring so you can watch the feed service as it runs.

a. From the Admin PC, locate the PuTTY SSH client on the desktop and SSH to the ise-1
command-line interface (CLI) using the credentials admin / ISEisC00L.
b. Issue the CLI command show application status ise to ensure that all ISE applications
are running.
c. Issue the CLI command terminal length 0 so that the verbose log output is not paged.
d. Issue show logging application ise-psc.log tail | include FEED to monitor the
download from the feed server; the tail shows new lines as they are written and the filter
keeps only lines containing FEED.

Step 11 In the ISE GUI, from Administration > Feed Service > Profiler, click the Update Now
button at the bottom of the page.



Step 12 Click YES on the following pop-up warning:

Step 13 Switch back to the PuTTY SSH session and wait for the download to begin; you should see
log messages indicating that the download has started.

Step 14 The keyword FEEDMANUALDOWNLOAD in these messages indicates that the download was
initiated by the Update Now option. For scheduled updates, the keyword is FEEDAUTODOWNLOAD
instead, as shown below:
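The following Python script is an added example; it is not part of the lab guide or of Cisco ISE. It does offline what Steps 10 to 14 have you do by eye on the tail of ise-psc.log: tell manual downloads (FEEDMANUALDOWNLOAD, the Update Now button) from scheduled ones (FEEDAUTODOWNLOAD), flag error lines, and check that scheduled runs actually happened at the configured 01:00 UTC slot. The SAMPLE_LOG lines are constructed; their layout only approximates ise-psc.log and the message texts after the keywords are invented.

```python
"""Classify ISE profiler feed-service log lines offline.

Added example, not part of the lab or of Cisco ISE. The CLI filter in Step 10
(show logging application ise-psc.log tail | include FEED) shows raw lines;
this script separates manual downloads (FEEDMANUALDOWNLOAD) from scheduled
ones (FEEDAUTODOWNLOAD), flags errors, and checks that scheduled runs occurred
at the configured 01:00 UTC slot. SAMPLE_LOG is constructed; its layout only
approximates ise-psc.log and the message texts are invented.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"(?P<level>[A-Z]+)\s+(?P<rest>.*)$"
)

# Keywords from Step 14 of the lab and what triggered the download.
TRIGGERS = {
    "FEEDMANUALDOWNLOAD": "manual",     # Update Now button
    "FEEDAUTODOWNLOAD": "scheduled",    # daily check at the configured time
}

# Constructed sample; not a captured ISE log.
SAMPLE_LOG = """\
2013-11-05 01:00:03,512 INFO  [FeedUpdateThread][] cisco.cpm.profiler.feed -:::- FEEDAUTODOWNLOAD: scheduled download started
2013-11-05 01:00:41,087 INFO  [FeedUpdateThread][] cisco.cpm.profiler.feed -:::- FEED: applied 3 profiler policies and 120 OUI entries
2013-11-05 09:14:22,004 INFO  [admin-ui][] cisco.cpm.profiler.feed -:::- FEEDMANUALDOWNLOAD: download initiated by Update Now
2013-11-05 09:14:25,331 ERROR [admin-ui][] cisco.cpm.profiler.feed -:::- FEED: cannot reach feed server, will retry
2013-11-05 09:15:00,000 INFO  [radius][] cisco.cpm.prrt -:::- unrelated RADIUS line
2013-11-06 03:30:10,220 INFO  [FeedUpdateThread][] cisco.cpm.profiler.feed -:::- FEEDAUTODOWNLOAD: scheduled download started
""".splitlines()


def parse_line(line: str) -> Optional[Dict]:
    """Return a feed event for a FEED line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if "FEED" not in rest:
        return None
    trigger = next((kind for kw, kind in TRIGGERS.items() if kw in rest), None)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "level": m.group("level"),
        "trigger": trigger,          # manual / scheduled / None for progress lines
        "text": rest,
    }


def on_schedule(ts: datetime, hour: int = 1, minute: int = 0,
                tolerance: timedelta = timedelta(minutes=10)) -> bool:
    """True if ts falls within tolerance of the configured daily check time
    (the lab keeps the default 01:00 UTC; log timestamps are assumed to be UTC)."""
    expected = ts.replace(hour=hour, minute=minute, second=0)
    return abs(ts - expected) <= tolerance


def summarize(lines: List[str], sched_hour: int = 1) -> Dict:
    """Count manual vs scheduled downloads, collect errors and off-schedule runs."""
    summary = {"manual": 0, "scheduled": 0, "errors": [], "off_schedule": []}
    for event in filter(None, map(parse_line, lines)):
        if event["trigger"]:
            summary[event["trigger"]] += 1
            if event["trigger"] == "scheduled" and not on_schedule(event["ts"], sched_hour):
                summary["off_schedule"].append(event["ts"].isoformat())
        if event["level"] in ("WARN", "ERROR"):
            summary["errors"].append(event["text"])
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real system, replace SAMPLE_LOG with the output saved from the show logging command in Step 10. A scheduled run reported in off_schedule usually means the appliance clock or the configured check time is not what you expect; an ERROR line next to a FEEDMANUALDOWNLOAD entry means the Update Now request reached ISE but the feed server did not answer.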



Profiler Feed Service Reporting


Step 1

Run the report for the ISE Profile Feed Service by querying for the new OUIs that were
downloaded.
a. Navigate to Operations > Reports.
b. Select Deployment Status from the left-hand panel.
c. Select Change Configuration Audit from the expanded list.
d. Set Time Range to Last 30 Minutes.
e. Click Filters and select Object Type. Enter OUI (all in capitals) as the Object
Type, then click Run.
f. View the report once it has completed.




g. Pick any row and click its event cell. Then click Ok to open it as a report.

h. Take note of the Object Name field and the Modified Properties.


Step 2

Also run the Operations Audit report from Operations > Reports > Deployment Status
> Operations Audit and click the RUN button.



Step 3

Check the email notification:

a. When the feed download finishes, use the Firefox web browser to access the webmail at
http://mail.demo.local using the credentials admin / ISEisC00L.
b. In the inbox, look for emails with the subject ISE System Message and review them.

End of Exercise: You have successfully completed this exercise.

End of Profiler Lab: You have successfully completed all the exercises for
this lab.
