FL-SISE24 LG301

Implementing and Configuring Cisco Identity Services Engine Version 2.4 Version 3.0.1 ATTENTION The Information contained in this guide is intended for training purposes only. This guide contains information and activities that, while beneficial for purposes of training in a close, non-production environment, can result in downtime or other severe consequences and therefore are not intended as a reference guide. This guide is not a technical reference and should not, under any circumstances be used in a production environment. Customers should refer to the published specifications applicable to specific products for technical information. The information in this guide is distributed AS IS, and the use of this information or implementation of any recommendations COPYRIGHT © 2018 Fast Lane GmbH. All rights reserved. All other brands and product names are trademarks of their respective owners. No part of this book covered by copyright may be reproduced in any form or by any means (graphic, electronic, or mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system) without prior written permission of the copyright owner. Fast Lane reserves the right to change any products described herein at any time and without notice. Fast Lane assumes no responsibility or liability arising from the use of products or materials described herein, except as expressly agreed to in writing by Fast Lane. The use or purchase of this product or materials does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Fast Lane. The product described in this manual may be protected by one or more patents, foreign patents, or pending applications. II Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane SISE Lab Guide Overview Outline Lab 1-1: Complete Cisco ISE GUI Setup Activity Objective Visual Objective Required Resources Task 1: Verify Cisco ISE setup using CLI Task 2: Initial Login and Initial Message Management Task 3: Disable Profiling Lab 2-1: Integrate Cisco ISE with Active Directory Activity Objective Visual Objective Required Resources Task 1: Configure Active Directory Integration Task 2: Configure LDAP Integration Lab 2-2: Basic Policy Configuration Activity Objective Visual Objective Required Resources Command List Task 1: Adjusting Radius Settings Task 2: Create Network Devices and Network Device Groups Task 3: Create Wired and Wireless Policy Sets Task 4: Create Authentication Policy for the Wired and Wireless Policy Set Task 5: Authorization Policy Configuration for AD Employees and AD Contractors Task 6: Client Access Wired Task 7: Client Access Wireless Task 8: Creating a Global Exception Task 9: Network visibility with Context Visibility Lab 3-1: Configure Guest Access Activity Objective Visual Objective Required Resources Task 1: Guest Settings Task 2: Guest Locations Lab 3-2: Guest Access Operations Activity Objective Visual Objective Required Resources Task 1: Hotspot Portal Operations Task 2: Self-Registration Portal Operations Task 3: Enabling Self-Registration with Sponsor Approval Task 4: Sponsored Guest Logins Task 5: Guest Account Management via the Sponsor Portal Lab 3-3: Create Guest Reports Activity Objective Visual Objective Required Resources Task 1: Running Reports from Cisco ISE Dashboard Lab 4-1: Configuring Profiling Activity Objective Visual Objective Required Resources Command List Task 1: Configuring Profiling in Cisco ISE Task 2: Configure the Feed Service Task 3: Configuring Profiling in Cisco ISE 1 1 1 3 3 3 3 4 6 11 22 22 22 22 23 28 32 32 32 32 33 34 36 46 49 52 58 64 69 71 73 73 73 73 74 76 77 77 77 78 79 94 107 113 126 128 128 128 128 129 132 132 132 132 132 133 138 140 Task 4: NAD Configuration for Profiling Lab 4-2: Customizing the Cisco ISE Profiling Configuration Activity Objective Visual Objective Required Resources Task 1: Examine Endpoint Data Task 2: Create a Logical Profile Task 3: Creating a New Authorization Policy using a Logical Profile Task 4: Create a Custom Profile Policy Task 5: Testing Authorization Policies with Profiling Data Lab 4-3: ISE Profiling Reports Activity Objective Visual Objective Required Resources Task 1: Run Cisco ISE Profiling Reports Task 2: Endpoint Profile Changes Report Task 3: Context Visibility Dashlet Reports Lab 5-1: BYOD Configuration Activity Objective Visual Objective Required Resources Task 1: Portal Provisioning Task 2: Provisioning Configuration Task 3: Policy Configuration Task 4: Employee Tablet Registration Lab 5-2: Device Blacklisting Activity Objective Visual Objective Required Resources Task 1: Blacklist a Device Task 2: Lost Access Verification. Task 3: Endpoint Record Observations Task 4: Un-Blacklist the Device Task 5: Verify Access Capability Task 6: Blacklisting a Stolen Device Lab 6-1: Compliance Activity Objective Visual Objective Required Resources Task 1: Posture Preparation Task 2: Authorization Profiles Task 3: Adjusting Authorization Policy for Compliance Lab 6-2: Configuring Client Provisioning Activity Objective Visual Objective Required Resources Task 1: Client Updates Task 2: Client Resources Task 3: Client Provisioning Policies Lab 6-3: Configuring Posture Policies Activity Objective Visual Objective Required Resources Task 1: Configuring Posture Conditions Task 2: Configuring Posture Remediation Task 3: Configuring Posture Requirements Task 4: Configuring Posture Policies Lab 6-4: Testing and Monitoring Compliance Based Access Activity Objective Visual Objective IV Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 142 144 144 144 144 145 150 151 152 156 160 160 160 160 161 163 164 166 166 166 167 168 172 177 184 191 191 191 191 192 195 196 199 200 201 204 204 204 204 205 209 212 216 216 216 216 217 218 223 224 224 224 224 225 228 231 234 236 236 236 © 2018 Fast Lane Required Resources Command List Task 1: AnyConnect Unified Agent Access Lab 6-5: Compliance Policy Testing Activity Objective Visual Objective Required Resources Task 1: Configure a Faulty Policy Task 2: Use Posture Reports for Troubleshooting Task 3: Using the Posture Troubleshooter Task 4: Policy Correction and Testing (Optional) Lab 7-1: Using Cisco ISE for VPN Access Activity Objective Visual Objective Required Resources Command List Task 1: Lab Preparation Task 2: Testing VPN Client Access (Optional) Lab 7-2: Configuring Cisco AMP for ISE Activity Objective Visual Objective Required Resources Command List Task 1: Configuring the Cisco AMP Cloud Task 2: Configuring Posture Policies and Conditions Task 3: Configuring Posture, AMP and AnyConnect Profiles Task 4: Enabling and Provisoning TC-NAC Services Task 5: Verify Provisioning of AMP for Endpoints (Optional) Lab 8-1: Configure TACACS+ for Cisco ISE for Basic Device Administration Activity Objective Visual Objective Required Resources Task 1: Policy Configuration for AD Employees and AD Contractors Lab 8-2: Configure TACACS+ Command Authorization Activity Objective Visual Objective Required Resources Task 1: Configure Command Sets Task 2: TACACS+ Features (Optional) Lab 8-3: Configuring Backups and Patching Activity Objective Visual Objective Required Resources Task 1: Configuring Backups (Optional) Lab 8-4: Configuring Administrative Access Activity Objective Visual Objective Required Resources Task 1: Administrative Access Task 2: Administrator Access and Authorization Task 3: Testing AD Administrative Access (Optional) Lab 8-5: Review of General Tools Activity Objective Visual Objective Required Resources Task 1: RADIUS Authentication Troubleshooting Task 2: TCPDump (Optional) Lab 8-6: Report Operations Activity Objective Visual Objective 2018 Fast Lane 236 237 238 242 242 242 242 243 244 245 247 249 249 249 249 250 251 258 264 264 264 264 265 266 269 271 274 277 280 280 280 280 281 288 288 288 288 289 292 295 295 295 295 296 300 300 300 300 301 302 305 306 306 306 306 307 308 310 310 310 TOC V Required Resources Task 1: Running Report with Filters Task 2: Saving and Scheduling Reports Task 3: Favorite Reports VI Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 310 311 312 314 © 2018 Fast Lane This guide presents the instructions and other information concerning the lab activities for this course. You can find the solutions in the lab activity Answer Key. This guide includes these activities: Lab 1-1: Complete Cisco ISE GUI Setup Lab 2-1: Integrate Cisco ISE with Active Directory Lab 2-2: Basic Policy Configuration Lab 3-1: Configure Guest Access Lab 3-2: Guest Access Operations Lab 3-3: Guest Reports Lab 4-1: Configuring Profiling Lab 4-2: Customizing the Cisco ISE Profiling Configuration Lab 4-3: ISE Profiling Reports Lab 5-1: BYOD Configuration Lab 5-2: Device Blacklisting Lab 6-1: Compliance Lab 6-2: Configuring Client Provisioning Lab 6-3: Configuring Posture Policies Lab 6-4: Testing and Monitoring Compliance Based Access Lab 6-5: Compliance Policy Testing (Optional) Lab 7-1: Using Cisco ISE for VPN Access (Optional) Lab 7-2: Configuring Cisco AMP for ISE Lab 8-1: Configure TACACS+ for Cisco ISE for Basic Device Administration Lab 8-2: Configure TACACS+ Command Authorization (Optional) Lab 8-3: Configuring Backups and Patching (Optional) Lab 8-4: Configuring Administrative Access (Optional) Lab 8-5: Review of General Tools (Optional) Lab 8-6: Report Operations 2 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Complete this lab activity to practice what you learned in the related module. In this activity, you will complete the GUI portion of the setup for this lab environment. After completing this activity, you will be able to meet these objectives: Log into Cisco ISE and process initial information messages Disable profiling Perform administrative certificate management services for Cisco ISE with a CA The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 (bootstrap) © 2018 Fast Lane Lab Guide 3 In this task, ISE has been partially preconfigured for you. This task will allow you to get console CLI to verify system setup. Activity Procedure Complete these steps: 4 Step 1 Access the Cisco ISE console according to your lab access procedures provided by your instructor Step 2 At the login prompt, enter a username of admin and password of 1234QWer Step 3 You should see the following prompt: ise-1/admin# Step 4 Enter the following command and observe the following output and the status of the services. show application status ise Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 5 Verify NTP synchronization. At the command prompt, type the following command: show ntp Step 6 Observe the following output paying attention to the * at the beginning of the line and the text Step 7 Verify DNS Name Resolution. At the command prompt enter the following command: nslookup ise-1.demo.local Activity Verification You have completed this task when you attain this result: Successfully observed Cisco ISE services status Successfully observed NTP synchronization Successfully performed a nslookup to verify proper name resolution © 2018 Fast Lane Lab Guide 5 In this task, you will perform an initial login to Cisco ISE. During initial login, certain popup messages are presented to the user. You will be observing these messages and selecting options to reduce these messages during logins. Activity Procedure Complete these steps: Step 1 Access your Admin PC. Use the credentials Administrator / 1234QWer Step 2 Open the Firefox web browser and navigate to https://ise-1.demo.local Note 6 You can use the toolbar shortcut as well Step 3 Accept the Your connection is not secure message by expanding Advanced and click Add Exception. Uncheck the Permanently store this exception checkbox at the bottom. Step 4 Click Confirm Security Exception. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 5 Login with the credentials admin / 1234QWer. Step 6 If showing up, for the Visibility Setup Wizard pop-up, click Do not show this again. Step 7 Navigate the various sub-menu options available under the Home screen tab. In later labs, you will be configuring other aspects of ISE and these dashboards will be populated and updated accordingly. Since we have no devices or users who are yet defined, many dashboards are empty. © 2018 Fast Lane Lab Guide 7 Step 8 Note Step 9 8 Navigate to Context Visibility > Endpoints. Again, explore the various submenus available here. Do the same with the Network Devices menu available under Context Visibility. Context Visibility provides the administrator with a more holistic view of the network. It allows for quick sorting and filtering of context information. Administrators can view dashlets to get detailed informational data. These dashboards and dashlets can be customized to meet your needs. By gear to you and customizable options. These options will change depending on which main menu heading you are viewing, Home, or Context Visibility. Take a moment to explore these options. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 10 Back under the Home tab, you can add additional dashboards in two ways. Click gear option beyond this, such as adding additional dashlets to the present view. You can also change the layout of the display and manage dashboards as well. Step 11 Add a new dashboard by using either method that is mentioned above. Name it MYTEST and click Apply when done. Then select 2 or 3 dashlet parameters of your choice to be included with that dashboard. Then click Save. You can then view this new dashboard once complete and it will appear as a sub-menu option. Step 12 By clicking the gear icon on the right, notice that you can rename this dashboard, and add additional dashlets. If you click Add Dashlets, you will see that you can configure the dashboard to display what is important to you, for your environment. Click Close to exit. Step 13 Now, go ahead and delete this Dashboard by clicking the X next to the MYTEST name and click OK on the pop-up warning window to delete the dashboard. You will be adding dashboards in later labs that will be more relevant to the task being performed. © 2018 Fast Lane Lab Guide 9 Step 14 Similarly, by navigating to the Context Visibility page and clicking the gear icon on the right, you are presented with options to create new views, or directly jump to a preexisting dashboard. Again, you will be customizing these pages in later labs where appropriate. Step 15 Next, navigate to the other menu options available just to familiarize yourself with GUI navigation. You will be accessing most of the configuration options available in much more detail throughout the entire course. The Operations tab will allow you to view live logs and live sessions for things such as RADIUS and TACACS+ sessions. The Policy tab is where you will perform authentication and authorization configurations, as well as profiling, provisioning, and posture. Take the time to view the default polices that come with ISE for authentication, authorization, profiling, and provisioning. You will be modifying some of these and adding new policy configurations in later labs. The Administrations tab is where you will perform system functions, identity management, add network resources, device portals, and other services available on Cisco ISE. There is a new menu option available with ISE version 2.1 that is called Work Centers. The Work Centers provide guided workflow process for configuring various ISE services. Work Centers also provide direct links to specific configuration pages. Take some time to click the various sub menu options, and pay particular notice to the overview pages. These help guide you through the ISE workflow process. For example, choose BYOD, or Guest Access, or Network Access. Activity Verification You have completed this task when you attain these results: You have successfully logged in the Cisco ISE using the credentials provided during the first lab. You have processed the initial messages that are shown to the user upon login Familiarized yourself with the Cisco ISE user interface 10 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this test, you will disable profiling which is enabled by default during the Cisco ISE installation process. You will be enabling profiling in a later lab. Activity Procedure Complete these steps: Step 1 Navigate to Administration > System > Deployment. Step 2 Click the ise-1 hostname hyperlink. Step 3 Uncheck the Enable Profiling Service checkbox. Verify with the following screenshot. Step 4 Scroll down and click Save. © 2018 Fast Lane Lab Guide 11 Step 5 Note Step 6 Note After a minute, you will see the following message. Click OK or let it restart automatically. System services are being reconfigured and restarted. The message will auto close and the browser will automatically log you out if you do not click the OK button. After a few minutes, log back in to the ISE Admin Portal. You may check the status of the service restart via the console or CLI using the command show application status ise. Once the Application Server is running, you will be able to log in. If you check before the service is reconfigured, you may see the service admini 12 Message. Step 7 Once logged in, click the gear in the upper right of the window and verify that Session is the only Policy Service (Identity Mapping,Session) service running. Step 8 Click Server Information. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Note Step 9 If you see (ALL) instead of (Session), perform steps 1 through 7 again paying attention to step 5. Click OK of the notification to close it. Activity Verification You have completed this task when you attain this result: You have disabled profiling in Cisco ISE © 2018 Fast Lane Lab Guide 13 Task 4: Certificate Enrollment In this task, you will enroll Cisco ISE with the certificate authority in your pod. Activity Procedure Complete these steps: Download CA certificate Step 1 In the web browser on the admin PC, open a new tab and navigate to http://ad1.demo.local/certsrv. Step 2 When prompted use the credentials administrator / 1234QWer. Step 3 Click the link Download a CA certificate, certificate chain, or CRL. Step 4 Click the Download CA certificate link. Step 5 Click OK to save the file. Note If using Firefox, you may have to click the install this CA certificate link at the top in order to install the CA certificate in the browser. This must be performed due to the fact that Firefox uses a separate certificate store from the operating system. Select Trust this CA to identify websites and click OK. Install CA certificate Step 6 In the Cisco ISE admin portal tab, navigate to Administration > System > Certificates. Step 7 Then select Trusted Certificates under Certificate Management. Step 8 Click the Import button in the right-hand pane. Step 9 Click the button and navigate to your Downloads folder. (C:\Users\Administrator\Downloads). Step 10 Select the file certnew.cer and then select the Open button. Note 14 You may or may not see the.cer extension depending upon your Windows Explorer configuration. Step 11 In the Friendly Name field enter demo.local CA Certificate. Step 12 Select the following three options as indicated in the screenshot. Step 13 In the Description field enter, CA cert from ad1.demo.local. Step 14 Click Submit at the bottom. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Generate Certificate Signing Request Step 15 In the left pane, select Certificate Signing Requests under Certificate Management. Step 16 Click the button at the top of the right pane, Generate Certificate Signing Requests (CSR). Step 17 Perform the following procedure to generate your CSR. Certificate Signing Request Procedure Step Action Notes 1. Verify Usage is set to Admin 2. Check Allow Wildcard Certificates Click the information (i) to read important wildcard certificate configuration information. 3. In the Subject area, use the following: $FQDN$ should be a preexisting entry. There is no need to modify it. 4. In the Subject Alternative Name area, configure the following: Click the plus(+) sign to add additional SAN entries. The aaa name is a CNAME record. The ise name is a CNAE record. Adding the IP address as both a DNS Name and IP Address addresses a compatibility issue with Microsoft Windows Clients. © 2018 Fast Lane 5. Verify the Key Type is RSA 6. Verify the Key Length is 2048 7. Verify the Digest to Sign with is SHA-256 8. Verify your settings with the screenshot below 9. Click Generate Lab Guide 15 16 Step 18 You will receive a confirmation pop-up window notifying you that you have successfully generated your CSR. Step 19 Click the Export button. Step 20 Save the file. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Process CSR with CA Step 21 In the left pane, click Certificate Signing Requests again. Step 22 In the right pane select the check box to the left of the previously processed CSR. Step 23 Click the View button in the toolbar. Step 24 Observe the CSR Details. Step 25 Click the tab CSR Contents and observe the text of the certificate request. Step 26 Highlight (Ctrl-A) and copy the complete contents to the clipboard (Right-click and selecting Copy or pressing Ctrl-C will both work). Step 27 Click Close. Step 28 Return to the tab for the Microsoft Active Directory Certificate Services page. (http://ad1.demo.local/certsrv with username administrator, password 1234QWer) Step 29 Click the Home link in the upper right-hand corner. Step 30 Click the Request a certificate link. Step 31 Click the advanced certificate request link. Step 32 Right-click and paste the contents into the Saved Requests field. © 2018 Fast Lane Lab Guide 17 Step 33 From the Certificate Template drop-down select Web Server. Step 34 Click the Submit> button. Step 35 Select Base 64 encoded. Step 36 Click Download certificate. Step 37 Click OK to save the file. Step 38 Open the Downloads folder and rename the certnew(1).cer certificate into ise-1 Admin Cert.cer Install (Bind) CA signed certificate Step 39 Return to the Cisco ISE browser tab. Step 40 In the Certificate Management > Certificate Signing Requests page, select the check box to the left of the previously processed CSR. Step 41 The small toolbar above, click the Bind Certificate button. Step 42 Click Browse and navigate to the Downloads folder again if necessary. Step 43 Select the file ise-1 Admin Cert.cer. Step 44 Click Open. Step 45 In the Friendly Name field enter ise-1 Admin Cert. Step 46 Select Admin, to assign the certificate to the Admin role. Step 47 Click Submit. Step 48 The system will log you out and restart services. Step 49 Log back in after a few minutes. Note You may check the status of the service restart via the console or CLI using the command show application status ise. Once the Application Server is running, you will be able to log in. Certificate Verification Step 50 18 In your browser URL bar, click the lock icon to the left of https://. Observe the following field which indicates a trusted CA signed certificate. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 51 Click on the right side arrow and then More Information. Step 52 Click View Certificate. Step 53 Observe the Issued By is the root-CA for your pod. © 2018 Fast Lane Lab Guide 19 Step 54 Click the Details tab and scroll down to Certificate > Extensions > Certificate Subject Alt Name and observe your wildcard configuration. Step 55 Close all of the pop-up windows. Modify Certificate Usage You will be adding other usages to the certificate you just installed. Since ISE 1.3, multiple certificates can be utilized for different purposes. The system creates a self-signed certificate as assigns all functions to that certificate. You will bring those roles over to the CA signed certificate you installed in the previous section. 20 Step 56 Return to Administration > System > Certificates. Step 57 In the left pane, select System Certificates. Step 58 Select the ise-1 Admin Cert from the list. Step 59 Click Edit in the toolbar. Step 60 In the Usage area, select EAP Authentication. Step 61 Click OK on the warning. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 62 Select Portal and add a new Portal Group Tag by entering ISE Lab CGT. Step 63 Scroll down and click Save. Step 64 Verify your results with the following screenshot. Activity Verification You have completed this task when you attain this result: You have successfully installed the CA certificate on Cisco ISE You have successfully enrolled Cisco ISE into your pod CA You have verified the certificate via your web browser You have additionally configured the installed certificate for EAP and Portal usage © 2018 Fast Lane Lab Guide 21 Complete this lab activity to practice what you learned in the related module. In this activity, you will integrate Cisco ISE with Active Directory. After completing this activity, you will be able to meet these objectives: Perform a native immigration of Cisco ISE to Microsoft Active Directory Populate the Cisco ISE dictionary with Active Directory attributes Configure a LDAP integration Populate the Cisco ISE dictionary with LDAP attributes The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 22 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure Cisco ISE to integrate with Microsoft Active Directory. You will then configure active directory group and user attributes for utilization in Cisco ISE in later labs. Activity Procedure Complete these steps: Join Microsoft Active Directory Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management > External Identity Sources and then in the left pane, select Active Directory. Step 2 In the right pane, click Add in the toolbar. Step 3 Enter demo.local in both the Join Point Name and the Active Directory Domain fields. Step 4 Click Submit. Step 5 In the pop-up window asking if you would like to join all ISE nodes to this Active Directory Domain, click Yes. Step 6 In the Join Domain box, use the credentials Administrator / 1234QWer Step 7 Select Specify Organization Unit checkbox. Step 8 Modify the DN value to match the following. Tip Since ISE 1.3 you can optionally specify the location that the ISE computer account(s) will be created instead of using the default Computers container. If used, the OU must be pre-created. ISE will not create an OU structure in Active Directory to match what is entered here. Step 9 Click OK. Step 10 Once the process is Completed, click the Close button. © 2018 Fast Lane Lab Guide 23 Run Diagnostic Tools Step 11 Select the ise-1.demo.local node from the list Step 12 From the toolbar, click Diagnostic Tool. Step 13 Observe the different test names and that some are external, referenced by the join point demo.local, and some are internal, referenced by the join point System. Step 14 Check all Tests and click the button Run Tests now. Note Step 15 Tip 24 The test may take a minute to run. All tests should run with a status of Successful. Compare your output with the following screenshot. Click the toolbar button View Test Details to view a text based output report where data can be copied out for a baseline to compare against in the future. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Note In the case that the N know bug in some version. Tip You may also click any of the Result and Remedy hyperlinks for that test specific output. Step 16 show ntp Scroll down and click Close. Add Active Directory attributes to Cisco ISE dictionary Step 17 In the left pane, click the demo.local entry under Active Directory. Step 18 In the right pane, click the Groups tab. Step 19 Click the +Add button on the toolbar and choose Select Groups from Directory. Step 20 Cisco ISE 1.3 and above has expanded the filter capabilities in selecting groups from Active Directory. Leave the Type Filter as ALL and click the Retrieve button. Step 21 Observe the list and notice there are many groups that likely would not be applicable for utilization in Cisco ISE for policy matching. Step 22 Now change the Type Filter to GLOBAL and click the button. Step 23 The resulting list is now likely more appropriate for policy usage. Select the entire list of groups by checking the box in the header field. Step 24 From that list, deselect the following groups. demo.local/Users/DnsUpdateProxy demo.local/Users/Domain Controllers demo.local/Users/Domain Guests demo.local/Users/Group Policy Creator Owners demo.local/Users/Read-only Domain Controllers Step 25 Click OK. Step 26 Your list should match the following screenshot. © 2018 Fast Lane Lab Guide 25 Step 27 Click Save at the bottom. Step 28 In the right pane, click the Attributes tab. Step 29 Click the +Add button on the toolbar and choose Select Attributes from Directory. Step 30 Enter employee2 in the Sample User or Machine Account text box and click the button. Step 31 Select badPwdCount and userPrincipalName from the list and click OK. Note Step 32 Only set attributes will be shown. If one account does not have an attribute set and a different account does, for example Job Title or Department, it will show those attributes when retrieving attributes from the account with the attribute set. An attribute could be set after this list is pulled, and if that user is queried again the additional attribute will show in the list. Click Save at the bottom. Test Authentication A new feature since ISE 1.3 is the ability to perform various methods of testing user authentication to Active Directory. You will explore this feature in this section. 26 Step 33 In the left pane, click the demo.local entry under Active Directory. Step 34 In the right pane, select the ISE node ise-1.demo.local checkbox. Step 35 Select Test User from the toolbar. Step 36 Change the Authentication Type to Lookup. Step 37 Enter the username employee2. Step 38 Click the Test button. Step 39 Observe the test result in the box below. Observe the Processing Steps in the bottom of the Authentication Result tab. Click the Groups and then Attributes tabs and observe the details therein. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 40 Change the Authentication Type to Kerberos. Step 41 In the Password field enter 1234QWer. Step 42 Click the Test button. Step 43 Observe the test results in the box below. Observe the Processing Steps at the bottom of the Authentication Result tab. Notice that the Authentication Ticket (TGT) requests succeeded and the next two line items indicating Kerberos success. Step 44 Change the Authentication Type to MS-RPC. Step 45 Click the Test button. Step 46 Observe the test results in the box below. Observe the Processing Steps at the bottom of the Authentication Result tab. Step 47 Close the test user authentication pop-up window. Activity Verification You have completed this task when you attain these results: You have successfully joined the Cisco ISE to demo.local. You have successfully added active directory groups and user attributes to Cisco ISE. You have successfully tested user authentication via all three authentication types. © 2018 Fast Lane Lab Guide 27 In this task, you will configure Cisco ISE to integrate with LDAP. You will then configure LDAP group and user attributes for utilization in Cisco ISE in later labs Activity Procedure Complete these steps: Configure LDAP as an External Identity Source 28 Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management > External Identity Sources and then in the left pane, select LDAP. Step 2 In the right pane, click +Add in the toolbar. Step 3 In the Name field enter LDAP_demo_local. Step 4 In the Description field enter demo.local LDAP configuration. Step 5 In the drop-down for Schema, select Active Directory. Step 6 Click the Connection tab. Step 7 In the Hostname/IP field enter ad1.demo.local. Step 8 Select Authenticated Access. Step 9 In the Admin DN field enter cn=administrator,cn=users,dc=demo,dc=local. Step 10 In the password field enter 1234QWer. Step 11 Verify your settings with the screenshot below. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 12 Note Scroll down and click the Test Bind to Server button. This should be successful. Observe the response time for future comparison. Make note of it in this lab guide if needed. Step 13 Now that you have successfully verified in LDAP connection, modify the configuration to perform a secure LDAP (LDAPS) lookup. Change the Port from 389 to 636. Step 14 Enable Secure Authentication. Step 15 In the LDAP Server Root CA certificate drop-down, select demo.local CA Certificate. Step 16 Verify your configuration with the following screenshot. © 2018 Fast Lane Lab Guide 29 Step 17 Note Click the Test Bind to Server button. This should be successful. Observe the response time between the previous clear text LDAP bind in the LDAPS bind. Additional time is required to set up and verify the SSL tunnel before the performing of the LDAP lookup. Keep this in mind when designing and architecting the placement of Cisco ISE in a production environment. Step 18 Click the Directory Organization tab. Step 19 In the Subject Search Base field enter dc=demo,dc=local. Step 20 In the Group Search Base field enter dc=demo,dc=local. Step 21 As you will not be using LDAP for MAC address lookups, leave the search pattern as is. Step 22 Click Submit at the bottom to save this configuration. Add LDAP attributes to Cisco ISE dictionary Note 30 Step 23 Select Groups from the tabs at the top. Step 24 Click the +Add button on the toolbar and choose Select Groups from Directory. Step 25 Accept the default filter (*) and click the Step 26 Select CN=Contractors,OU=Groups,OU=HCC,DC=demo,DC=local from the list. Step 27 Click OK. Step 28 Select Attributes from the tabs at the top. Step 29 Click the +Add button on the toolbar and choose Select Attributes from Directory. Step 30 Enter contractor2@demo.local in the Example Subject text box and click the button. Step 31 From the list of attributes select userPrincipleName. Step 32 Click OK. Step 33 Scroll to the bottom and click Save. button. You have configured your pod Active Directory as an External Identity Source. This configuration will be utilized for authentication in later labs. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Verification You have completed this task when you attain this result: You active directory via LDAP You have successfully modified your configuration of Cisco ISE to authenticate and pull data from your Active Directory server via LDAPS. © 2018 Fast Lane Lab Guide 31 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure a basic access policy for employees and consultants. After completing this activity, you will be able to meet these objectives: Configure Cisco ISE to utilize Policy Sets Configure Cisco ISE Policy Set differentiation filters Configure an Identity Access Restricted global exception policy Configure policies sets for both wired and wireless access Configure a policy for Active Directory employees and consultants Configure a policy for wired access Configure a policy for wireless access The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD vWLC 32 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane The table describes the commands that are used in this activity. Lab Commands Command Description Show the status of connections to AAA servers configured on the switch. Perform a test authentication to the AAA server via the internal switch AAA subsystem. Show authentication information details for Port GigabitEthernet1/0/1. © 2018 Fast Lane Lab Guide 33 In this task, you will adjusting radius settings to prevent dropping client connections, based on failed logins. Activity Procedure Complete these steps: Adjusting RADIUS settings In this section, you will be disabling log suppression. Log suppression is enabled by default to reduce monitoring data storage. By disabling log suppression, you will be able to view repeated successful authentications and anomalous clients. This will provide you with a more functional flow of every authentication and authentication attempt in your lab environment. Note Step 1 Navigate to Administration > System > Settings. Step 2 In the left pane navigate to Protocols > RADIUS. In the right pane uncheck Suppress repeated failed clients and Suppress repeated successful authentications. Click OK to the pop-up notification messages. Step 3 Confirm your settings with the following screenshot. Step 4 Click Save and acknowledge the informational message. Tip 34 This step is traditionally used for troubleshooting. It is not recommended for normal Cisco ISE operations. The Reset To Defaults button is the most convenient way to go back to the original configuration. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Verification You have completed this task when you attain these results: You have successfully enabled Cisco ISE to utilize Policy Sets. You have successfully logged in and observe the policy set configuration. © 2018 Fast Lane Lab Guide 35 In this task, you will create and configure Network Devices for Wired and Wireless Access. Addional you create Network Device Groups and you will assign the NDG to the NADs. Activity Procedure Complete these steps: Create Network Access Devices Step 1 In the Cisco ISE admin portal, navigate to Administration > Network Resources > Network Devices. Step 2 In the right pane click the +Add button from the toolbar. Step 3 Add the following network device using the information in the table below. Network Device 3k-access Attribute Value Name 3k-access Description 3650 access switch IP Address 10.1.100.1 /32 Device Profile Cisco Model Name <blank> Software Version <blank> Network Device Group Location All Locations IPSEC Is IPSEC Device Device Type All Device Types RADIUS Authentication Settings Checked Shared Secret 1234QWer TACACS+ Authentication Settings Unchecked 36 SNMP Settings Unchecked Advanced TrustSec Settings Unchecked Step 4 Click Submit. Step 5 Access your 3k-access switch console. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 6 To save time, your switch has been preconfigured for the appropriate AAA and RADIUS configuration to interoperate with Cisco ISE. Verify communication with the radius server by performing the following command. Your output should resemble the screenshot below with a state of UP. Step 7 Perform a test authentication via the switch CLI. Your test results should be User successfully authenticated. Step 8 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live Logs. Step 9 Click the Details for the sucessful employee authentication. © 2018 Fast Lane Lab Guide 37 38 Step 10 Observe the authentication details in the opened tab. Step 11 In the right column examine the steps to see the specifics. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 12 Note Return to the switch and perform the same test again using the NetBIOS name format for the username. This should also be successful. You could also test the username in UPN format, employee1@demo.local Step 13 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live Logs. Step 14 Click the Details for the successful employee authentication. © 2018 Fast Lane Lab Guide 39 40 Step 15 Observe in the opened tab that the authentication succeeded due to ambiguous credentials. This is due to your lab using the same usernames and passwords for simplicity in both Active Directory domains. Step 16 In the right column examine the steps to see the specifics. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane © 2018 Fast Lane Lab Guide 41 Step 17 Add the following network device using the information in the table below. Network Device vwlc Attribute Value Name vwlc Description Pod vWLC IP Address 10.1.100.61 /32 Device Profile Cisco Model Name <blank> Software Version <blank> Network Device Group Location All Locations IPSEC Is IPSEC Device Device Type All Device Types Radius Authentication Settings Checked Shared Secret 1234QWer TACACS+ Authentication Settings Unchecked SNMP Settings Unchecked Advanced TrustSec Settings Unchecked Step 18 42 Click Submit. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Create and Assign Network Access Device Groups Step 19 Navigate to Administration> Network Resources> Network Device Groups. Step 20 In the top menu Choose group select All Device Types. Step 21 In the menu click +Add and separately create the following network device groups. Select All Device Types as Parent Group for each new group. Network Device Groups Device Types Name Description Wired Wired Access Switches Wireless WLCs VPN VPN Access Devices Step 22 When complete your configuration should match the following screenshot. Step 23 In the top menu Choose group select All Locations. Step 24 In the menu click +Add and separately create the following network device group locations. Select All Locations as Parent Group for each new group. Network Device Groups Name Description HQ Headquarters Branch Branch RnD Lab Research and Development Lab Step 25 © 2018 Fast Lane Locations When complete your configuration should match the following screenshot. Lab Guide 43 Assign Network Device Groups Step 26 Click Network Devices. Step 27 Edit the 3k-access and the wlc network devices with the following information, using the screenshot as an example template. Network Device Device Name Device Type Location 3k-access Wired HQ vwlc Wireless HQ Step 28 44 Network Device Group Configuration Once completed your configuration should match the following screenshot. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Verification You have completed this task when you attain these results: You have configured the 3k-access switch as a network device in Cisco ISE. You have configured the vwlc as a network device in Cisco ISE. You have create different NDG and assign the groups to the network devices. You have successfully performed test authentications via the switch CLI. © 2018 Fast Lane Lab Guide 45 In this task, you will create and configure multiple policy sets, one for wired and one for wireless. For academic purposes, you will have the option to create an additional policy set at the end of this task. This policy set will not contain any policies nor be used in this lab, but instead is being created to give you one additional example of a possible policy set option. Activity Procedure Complete these steps: Policy Set Creation Wired Access Step 1 Navigate to Policy > Policy Sets. Step 2 Click the plus icon (+) in the toolbar to create a new Policy Set. Step 3 Verify that New Policy Set 1 is created above the default policy set. Step 4 Click the words New Policy Set 1 to edit the field. Step 5 Enter Wired_Access as the policy set Name. Step 6 Enter Wired Access in the Description field. Step 7 Click in the Conditions field to create a new condition and treat the following condition: Step 8 Click the words Click to add an attribute to select an attribute for the new condition. Step 9 Click the Symbol Network device. DEVICE:Device Type EQUALS All Device Types#Wired 46 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 10 Select DEVICE:Device Type in the menu. Step 11 Leave the Operator unchanged (Equals). Step 12 Select from the Drop-Down Menu (Choose from list or type) All Device Types#Wired. Step 13 Click Use at the bottom. Step 14 Assign the from the Allowed Protocols Drop-Down Menu Default Network Access. Step 15 Your policy set condition should look like the following screenshot. Step 16 Click Save. Policy Set Creation - Wireless Access Step 17 © 2018 Fast Lane Click the Gear icon on the right side of the Wired_Access policy set and select Duplicate below to create a new policy set for wireless access. Lab Guide 47 Step 18 Configure this policy set according to the following table and compare your results with the following screenshot. Policy Set Name Wireless Access Description Condition(s) Wireless_Access Wireless Access DEVICE:Device Type EQUALS All Device Types#Wireless Allowed Protocols / Server Sequence Default Network Access Step 19 Click Save. Step 20 Your policy sets screen should match the following screenshot. Activity Verification You have completed this task when you attain these results: You have configured two policy sets Wired Access Wireless Access 48 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will create a few default policies to both wired and wireless policy sets. Activity Procedure Complete these steps: authorization rules in the default set. You can only modified rules in the default set. The recommend way is, to configured your own policy sets and rules above the default set. Step 1 Access the ISE admin portal via the Admin PC. Step 2 Navigate to Policy > Policy Set > Wired_Access. Step 3 Click the arrow > on the right side from your Wired_Access sets to change the view. Step 4 Expand the Authentication Policy view. Step 5 Click the + symbol to create a new authentication policy. Step 6 Click the words Authentication Rule 1 and change the name to MAB. Step 7 Click the + symbol to assign a condition to the rule. Step 8 Move (Drag & Drop) the condition Wired_MAB from the Library to the Editor. Step 9 Click the Use button.. Step 10 Change the Identity Source to Internal Endpoints. © 2018 Fast Lane Lab Guide 49 50 Step 11 Click the gear symbol on the right side from the MAB rule. Step 12 Click Insert new row below from the Drop-Down Menu. Step 13 Enter the rule name DOT1X and assign the condition Wired_802.1X. Change the Identity Source to All_User_ID_Stores. Step 14 Change the Identity Source from the Default rule to DenyAccess. Step 15 Your Authentication Policy should be the same as the screenshot below. Step 16 Click the Save button. Step 17 Navigate to Policy > Policy Set > Wireless_Access. Step 18 Click the arrow > on the right side from your Wireless_Access sets to change the view. Step 19 Repeat the steps 5 to 16 but use the following conditions from the library. Authentication Rule Condition from Libary MAB Wireless_MAB DOT1X Wireless_802.1X Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 20 The Authentication Policy should be as the screenshot below. Step 21 Click the Save button. Activity Verification You have completed this task when you attain these results: You have configured authentication rules for MAB and 802.1x in the Wired_Access and Wireless_Access policy set. © 2018 Fast Lane Lab Guide 51 In this task, you will configure Cisco ISE to process domain employees and domain contractors. Activity Procedure Complete these steps: Create Authorization Profiles Step 1 Navigate to Policy > Policy Elements > Results then to Authorization > Downloadable ACLs. Step 2 Click +Add in the right pane toolbar. Step 3 Create a dACL for the employees with the following attributes: Downloadable ACL acl_employee Attribute Value Name acl_employee Description Employee access ACL restricting access to the Quarantine Network. DACL Content Step 4 Click Check DCAL Syntax to verify you entered all ACL statements correctly. Step 5 Click Submit. Step 6 Create another dACL for the contractors using the following attributes: Downloadable ACL acl_contractor Attribute Value Name acl_contractor Description Contractor access ACL restricting access to the Quarantine and AP network. DACL Content Step 7 Click Submit. Step 8 Create another dACL for Domain Computers using the following attributes: Downloadable ACL acl_machine Attribute Value Name acl_machine Description Domain computer ACL that only allows access to DHCP, DNS, and the DC. DACL Content 52 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 9 Click Submit. Step 10 In the left pane click Authorization Profiles. Step 11 Add an Authorization Profile by clicking +Add in the right pane toolbar. Step 12 Create the following Authorization Profile for employees (Wired): Note Leave all other settings at their defaults. Employee Authorization Profile Attribute Name Value Name Wired Employee Access Common Tasks DACL Name acl_employee Step 13 Click Submit. Step 14 Create another profile for the contractors (Wired) using the following attributes: Contractor Authorization Profile Attribute Name Value Name Wired Contractor Access Common Tasks DACL Name acl_contractor Step 15 Click Submit. Step 16 Create another profile for the domain computers (Wired) using the following attributes: Domain Computer Authorization Profile Attribute Name Value Name Wired Domain Computer Access Common Tasks DACL Name acl_machine Step 17 Click Submit. Step 18 Create the following Authorization Profile for employees (Wireless): Employee Authorization Profile Attribute Name Value Name Wireless Employee Access Common Tasks Airespace ACL Name Step 19 © 2018 Fast Lane EMPLOYEE_ACL Click Submit. Lab Guide 53 Step 20 Create another profile for the contractors (Wireless) using the following attributes: Contractor Authorization Profile Attribute Name Value Name Wireless Contractor Access Common Tasks Airespace ACL Name CONTRACTOR_ACL Step 21 Click Submit. Step 22 Create another profile for the domain computers (Wireless) using the following attributes: Domain Computer Authorization Profile Attribute Name Value Name Wireless Domain Computer Access Common Tasks Airespace ACL Name Step 23 MACHINE_ACL Click Submit. Authorization Policy Step 24 Return to the Policy > Policy Sets > Wired_Access > Authorization Policy. Step 25 Add the following policy above the Default policy by clicking on the gear icon on the right. From the menu, select Insert new row above. Step 26 Add the following policy for Employees: Employee Authorization Policy Attribute Value Rule Name Wired AD Employees Conditions demo.local:ExternalGroups Equals (identity groups and other demo.local/HCC/Groups/Employees conditions) Results (Profiles) 54 Wired Employee Access Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 27 While in the condition definition, save the condition to the library by clicking the Save button. Note This will facilitate a more rapid use of this condition in future policies instead of having to build it every time. Step 28 In the Condition Name field enter Demo-Employees and click the green checkmark. Step 29 Click Save at the bottom of the window. Step 30 Click the Use button. Step 31 Add another policy above the built-in Default policy policy by clicking on the gear icon on the right. From the menu, select Insert new row above. Step 32 Add the following policy for Contractors, saving (adding) the condition to the library as Demo-Contractors: Contractor Authorization Policy Attribute Value Rule Name Wired AD Contractors Conditions demo.local:ExternalGroups Equals demo.local/HCC/Groups/Contractors (identity groups and other conditions) Results (Profiles) Step 33 © 2018 Fast Lane Wired Contractor Access Add another policy above the built-in Default policy by clicking on the gear icon on the right. From the menu, select Insert new row above. Lab Guide 55 Step 34 Add the following policy for Domain Computers, saving (adding) the condition to the library as Demo-Computers: Computers Authorization Policy Attribute Value Rule Name Wired AD Computers Conditions demo.local:ExternalGroups Equals demo.local/Users/Domain Computers (identity groups and other conditions) Results (Profiles) Step 35 Note Step 36 56 Standard > Wired Domain Computer Access Verify your policies with the following screenshot. Rule order is important as rules are processed from top down. Click Save at the bottom. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Policy Rule Process for the Wireless Policy Set Step 37 Navigate to the Policy > Policy Sets > Wireless_Access > Authorization Policy. Step 38 Add the following policy above the Default Policy. Use the following parameters from the table below: Rule Name Conditions (Library) Results (Profiles) Wireless AD Employees Demo-Employee Wireless Employee Access Wireless AD Contractors Demo-Contractors Wireless Contractor Access Wireless AD Computers Demo-Computers Wireless Domain Computer Access Step 39 Scroll down and verify your Authorization Policy rule order is as follows. Wireless_Access Authorization Policy Order Status Rule Name Enabled Wireless AD Employees Enabled Wireless AD Contractors Enabled Wireless AD Computers Enabled Default Step 40 Change, if needed, the permissions from the Default policy to DenyAccess. Step 41 Scroll down and click Save. Activity Verification You have completed this task when you attain these results: Examined the built-in authentication and authorization policies. Created employee, contractor and machine s) Created employee, contractor, and domain computer authorization profiles Created employee, contractor, and domain computer authorization policies saving the conditions to the library. © 2018 Fast Lane Lab Guide 57 In this task, you will be configuring Cisco ISE to provide wired access to clients. Activity Procedure Complete these steps: Step 1 Access your 3k-access switch console. Step 2 Perform the test using the NetBIOS name format for the username. This should now Note You could also test the username in UPN format, employee1@demo.local Test Client Wired Access 58 Step 3 Access your W10PC-Corp. Step 4 Log in with the credentials W10PC-CORP\student / 1234QWer. Step 5 Open up network settings and enable the NIC if not enabled. Step 6 Open Services from Windows Administrative Tools in the Start menu. Step 7 Verify and, if necessary, modify the Wired AutoConfig service to have a startup type of Automatic and then Start the service. Step 8 Click OK. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 9 Close the services console. Step 10 Return to the NIC settings and open the properties for the NIC. Step 11 Click the Authentication tab. Step 12 Configure and verify the settings with the following screenshot. Step 13 Click the button Step 14 Enable the Specify authentication mode and verify the mode is User or computer authentication. Step 15 Click OK. Step 16 Click the Settings button. © 2018 Fast Lane Lab Guide 59 60 Step 17 In the list of Trusted Root Certification Authorities select root CA. Verify all other settings with the screenshot below Step 18 Click the button. And verify that Automatically use my Windows login name and password (and domain if any) is enabled Step 19 Click OK three times to close all the windows. Step 20 Restart the client machine using the Start menu. Step 21 While the PC is restarting access the 3k-access switch and verify that the interface GigabitEthernet 1/0/1 is enabled. In the case that the interface is disabled, enable the interface with a no shutdown command. Step 22 Return to the ISE Admin portal and navigate to Operations > Radius > Live Logs. Step 23 After a minute or so, you should see the local machine login via 802.1X using the machine credentials and be assigned the Domain Computer Access Authorization Profile. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Note The Failed MAB access attempt was when the NIC came up and attempted to access the network before the WiredAutoConfig services came online and sent the 802.1X machine credentials. Step 24 Return to the W10PC-Corp and login using the credentials demo\employee1 / 1234QWer Step 25 Open a command prompt and ping the following addresses. 10.1.30.1 and 10.1.90.1. The first address should fail with a request timeout in the second should succeed according to the dACL which you configured for employee access. Step 26 Access the 3k-access switch console. Step 27 Perform the following command to observe the interface session information paying particular attention to the username and the server policies which should include the acl_employee dACL. © 2018 Fast Lane Lab Guide 61 62 Step 28 Return to the Cisco ISE admin portal and navigate to Operations > Radius > Live Log. Step 29 Observe the new record details for the employee1 access. Step 30 Click the DEMO\employee1 authentication details icon. Observe the details on the steps included in this record. Step 31 Return to the W10PC-Corp and Sign out the employee1 user. Step 32 Log in using the credentials demo\contractor1 / 1234QWer Step 33 Open a command prompt and ping the following addresses. 10.1.30.1 and 10.1.90.1. The first address should fail with a request timeout. In the second should also fail according to the dACL which you configured for contractor access. Step 34 Now attempt to ping 10.1.100.1. This should succeed. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 35 Return to the Cisco ISE admin portal on the Admin PC. Step 36 Observe the new contractor1 authentication success record. Also observe the machine login that occurred between the employee1 logoff and the contractor1 logon. Activity Verification You have completed this task when you attain these results: You have configured the 3k-access switch as a network device in Cisco ISE. You have successfully performed test authentications via the switch CLI. You have successfully configured the W10PC-Corp to authenticate via 802.1X. You have successfully logged in as a both employee1 and contractor1 and observed the dACL restrictions appropriate for each username. You have observed the authentication records in Cisco ISE. © 2018 Fast Lane Lab Guide 63 In this task, you will configure the Cisco WLC as a network device in Cisco ISE, modify the authorization profiles to process wireless access, and test a wireless authentication. Activity Procedure Complete these steps: Step 1 On your Admin PC, open a new tab in your browser and access your pod vWLC. Use the bookmark or https://wlc.demo.local. Step 2 Log in with the Username admin and the password 1234QWer. Step 3 Click WLANs and verify you have three (3) WLANs for your pod. A guest WLAN, a wpa2e WLAN, and a hotspot WLAN. Step 4 Make Note of the 3 WLAN Note and the WLAN numbers as these are the If you do not have these WLANs, notify your instructor. Step 5 Enable each of these WLANs by clicking on the WLAN numbers and changing the Status to Enabled and Applying the configuration. Step 6 Navigate to SECURITY then AAA > RADIUS > Authentication and verify that Cisco ISE has been configured as a RADIUS server. Step 7 Navigate to AAA > RADIUS > Accounting and verify that Cisco ISE has also been configured as a RADIUS server. Step 8 Navigate to WIRELESS a configuration, the AP should be Admin Status Enabled. If not, enable your AP by clicking on the AP Name and under the General tab change Admin Status to Enabled. Then Apply your configuration. 64 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Wireless Access In this section, you will be using your pods wireless device to access the wireless networks that are configured for your specific pod. Note . Step 9 On your W10PC-Corp, log off and login again as W10PC-CORP\student / 1234QWer. Step 10 Access the Android tablet by launching the ANDROID CONTROL via Vysor link on the desktop. Step 11 The connection to the Tablet will automatically open, otherwise click View. Step 12 If the Tablet is locked, you can unlock it with the PIN 1234 Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations in troubleshooting. Tablet Clean up It may be necessary to clean up your Tablet from a previous class. Perform the steps listed below. Step 13 Navigate to Settings > Security select Clear credentials (if not grayed out) Step 14 Confirm the message. © 2018 Fast Lane Lab Guide 65 Wireless Access via Tablet Step 15 Press the home button (middle bottom button) Step 16 Open the Widget/Icon for WLAN Step 17 Enable WLAN if not already enabled, by clicking the slider. Step 18 From the list identify and click your pod WPA SSID (##-wpa2e). Note 66 review your vWLC or notify your instructor. Step 19 Enter employee1@demo.local as Identity and 1234QWer as the password and leave all other parameters at their defaults. Then click Connect. Step 20 The WLAN should now mark as Connected. Step 21 Return to the Admin Portal of Cisco ISE. Step 22 Navigate to Operations > Radius > Live Logs. Step 23 Identify the employee1 access record from the vwlc from the list. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 24 Click icon to see the Authentication Details. Step 25 Identify the following fields to indicate that you matched the correct policy. Step 26 Scroll down to the results section and observe the Airespace ACL you configured before being assigned. Note If you do not see employee exactly as it is in the above screenshot, as UPPERCASE, you will need to modify your authorization profile as ACL names are case-sensitive. Step 27 Navigate to your pod vWLC tab in the browser. Step 28 On the MONITOR page, click Clients in the left pane. Step 29 In the list of clients observe the client MAC address and the username employee1@demo.local. Step 30 Click the MAC address hyperlink. Step 31 In the General tab, scroll down to the Security Information section. Observe both the Radius NAC State as RUN and the IPv4 ACL Name field as the © 2018 Fast Lane Lab Guide 67 assigned ACL name, EMPLOYEE_ACL, which you configured in the Employee Access Authorization Profile. Clean up Now that you have successfully accessed a wireless network, you will disconnect the wireless device. Step 32 Return to your Tablet. Step 33 Via the WLAN icon, turn off WLAN by clicking the slider. Step 34 Return to your Cisco ISE admin portal. Activity Verification You have completed this task when you attain this result: You have verified the vWLC configuration You have added the vWLC to Cisco ISE as a network device You have adjusted RADIUS settings to show every authentication message in Cisco ISE You have access the wireless network view your Tablet You have verified proper authorization profile configuration from ISE to the vWLC. 68 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure a global exception authorization policy which will apply to all policies (globally) and as an exception policy will be processed before all of the policies. Activity Procedure Complete these steps: Step 1 In your policy set navigate to Wired_Access > Authorization Policy - Global Exceptions. Step 2 Click the + button to create a new rule. Step 3 Create the following rule. For this rule scenario you are creating an exception for the demo.local IT staff who are performing an audit of the demo.local network. Tip You could save the demo.local conditions to the library to facilitate a more efficient reuse in the future. Global Exception Policy Attribute Value Rule Name Domain IT Audit Exception Conditions demo.local:ExternalGroups Equals demo.local/HCC/Groups/IT Staff (identity groups and other conditions) Results (Profiles) PermitAccess Step 4 Click Use and verify your policy against the following screenshot. Step 5 Click the Save button. Step 6 On your W10PC-Corp log in as demo\itadmin / 1234QWer. Step 7 Return to your Cisco ISE admin portal Step 8 Navigate to Operations > Radius > Live Logs and find the itadmin@demo.local authentication. Step 9 Click the authentication details icon. Policy Test © 2018 Fast Lane Lab Guide 69 Step 10 Observe that the Authorization policy name is under Wired_Access and is Domain IT Audit Exception, the name you created as a Global Exception policy name. Step 11 Return to your admin portal and navigate to Policy > Policy Sets. Step 12 Navigate to your Wireless_Access > Authorization Policy Global Exceptions and notice there is an indicator of (1). Step 13 Expand the exceptions policy and observe the global exceptions rule that you created earlier. Activity Verification You have completed this task when you attain these results: You have successfully created a global exception. You have successfully performed a CLI test authentication using a local user account and observe the matching of the employee authorization profile. You have observed the global exception in each of the policy set rules. 70 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane A new feature in Cisco ISE since 2.1 is Context Visibility. This feature allows you to see, and create groups, for ease of visibility into your network environment. Activity Procedure Complete these steps: Step 1 Return to the ISE Admin Portal, and navigate to Context Visibility > Endpoints > Authentication. Notice the Android endpoint can also be seen here. Step 2 By clicking the endpoints MAC address, you can drill down to view further details on the chosen endpoint. By clicking the various tabs, you can view additional details such as Authentication, Threats, and Vulnerabilities, for that endpoint. Step 3 From this screen, click the Network Devices option to view further information on network devices that are seen by ISE. Step 4 On the right side of this screen, clicking on the # of endpoints that are associated with the network device, you can view additional useful information on endpoints that are seen on the network by ISE. © 2018 Fast Lane Lab Guide 71 Activity Verification You have completed this task when you attain these results: You observed network device details via the feature context visibility. 72 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Complete this lab activity to practice what you learned in the related module. In this activity, you will configure the settings in Cisco ISE that are the core components of Guest Access. After completing this activity, you will be able to meet these objectives: Configure Guest Settings for Guest Access in Cisco ISE Configure the Guest Locations the SSID feature in Cisco ISE The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC © 2018 Fast Lane Lab Guide 73 In this task, you will configure the basic settings for guest operations. Activity Procedure Complete these steps: Step 1 On your pod Admin PC in the Cisco ISE admin portal navigate to Work Centers > Guest Access> Settings. Mail Settings Step 2 Expand Guest Email Settings and modify the Default be sponsor@demo.local. email address to Step 3 Click Save. Step 4 Still in the Guest Email Settings, click the helpful Configure SMTP server at: Work Centers > Guest Access > Administration > SMTP Server hyperlink. Step 5 In the SMTP Server settings enter mail.demo.local and click Save. Custom Fields Step 6 Return to Work Centers > Guest Access > Settings and expand Custom Fields. Step 7 Add the following custom field and then click Add. Guest Custom Field Custom field name Data type Person Visiting String Step 8 Tip text Click Save. Guest Username Policy Step 9 Expand Guest Username Policy. Step 10 For lab purposes modify the Minimum username length to 4 and then also modify the Characters Allowed in Randomly Generated Usernames, Minimum alphabetic field to 4 as well. Step 11 Click Save. Guest Password Policy 74 Step 1 Expand Guest Password Policy. Step 2 For lab purposes modify the Minimum password length to 4, and then also modify the Minimum uppercase, to 2. Change the settings for Special to None. Step 3 Click Save. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Guest Purge Policy Step 4 Expand Guest Account Purge Policy. Step 5 In the Time of purge field notice the time is set to 1:00 AM. Due to the fact that Cisco ISE is set up for the UTC time zone, and adjustment needs to be made as corporate policy dictates now that this occur after midnight local time. Here you, the student, have an option, you can choose to configure according to your actual local time zone of your class or you can configure according to the Pacific Time zone. If you are using the Pacific Time zone, enter 11:00 AM. Step 6 Click Save or leave all fields unchanged. Activity Verification You have completed this task when you attain these results: You have configured mail (SMTP) settings for Cisco ISE. You have added a custom field for guest access. You have modified the guest username policy. You have modified the guest password policy. You have adjusted the purge policy time for either the Pacific or your local time zone. © 2018 Fast Lane Lab Guide 75 In this task, you will configure locations. You will configure a few set locations and you will also configure the location of your class. This will be used later to align the access times with your local class time zone. Activity Procedure Complete these steps: Step 1 Navigate to Work Centers > Guest Access > Settings and then select Guest Locations and SSIDs. Step 2 In the Guest Locations area enter the following location and time zone information. Finish by adding your class city and time zone. Tip In the time zone area begin typing to activating filtering. Guest Locations Location name Time Zone New York America/New_York Chicago America/Chicago London Europe/London Dubai Asia/Dubai Sydney Australia/Sydney <YOUR CITY> <YOUR TIME ZONE> guest SSID (##-guest ) from your Step 3 vWLC WLAN. This feature is helpful if for instance your organizational guest network has different SSIDs based on location. For example, Guest-US, Guest-EU, GuestAPAC, etc. Tip Do not navigate away to your vWLC web page as you will lose your Guest Location form data. Step 4 Click Save. Activity Verification You have completed this task when you attain this result: You have configured the Guest Settings according to the task instructions. 76 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane This activity has you exploring multiple Cisco ISE guest access configurations and operations. The lab helps you to really understand how various guest access scenarios work and why you might want to use them in your organization. You will start with configuring Cisco ISE guest access using a hotspot portal. This portal is for organizations who want the simplest method of providing guest access, with less concern for strict control over who uses the service, or tracking who uses the service. Some organizations require a bit more control and awareness concerning who uses guest access. You will learn how to accommodate these scenarios, such as guest access for self-registration, and self-registration with sponsor approval. Finally, you will configure and validate sponsored guest access. In this activity, you will explore multiple Cisco ISE guest access configurations and operations. After completing this activity, you will be able to meet these objectives: Configure Cisco ISE guest access using a hotspot portal Configure Cisco ISE guest access for self-registration Configure Cisco ISE guest access for self-registration with sponsor approval Configure Cisco ISE guest access for sponsored guest access The figure illustrates what you will accomplish in this activity. © 2018 Fast Lane Lab Guide 77 These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 vWLC W10PC-Corp 78 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure Cisco ISE guest access with a hotspot portal. This type of access is appropriate were accepting and AUP only is sufficient to meet network security policy. Activity Procedure Complete these steps: Configuration Step 1 On the Admin PC in the Cisco ISE admin portal navigate to Work Centers > Guest Access. Step 2 Take a moment and read the Guest Access Overview. Note that at the bottom of the overview screen a hyperlink for the reports is included. Do not click this now. Step 3 In the top, click Portals & Components. Step 4 In the left pane, click Guest Portals. Step 5 In the right pane, click the Create button. Step 6 In the pop-up select Hotspot Guest Portal and then click Step 7 In the Portals Settings and Customization window configure the following: Hotspot Portal Settings and Customization Attribute Value Portal Name Demo Description The demo.local Hotspot Hotspot Portal Behavior and Flow Settings Portal Settings HTTPS Port 8443 Allowed interfaces Gigabit Ethernet 0 Certificate group tag ISE Lab CGT Endpoint identity group GuestEndpoints Display language Use browser locale Acceptable Use Policy (AUP) Page Settings Include in AUP page [X] Require an access code [X] Require scrolling to the end of AUP [ ] [ ] [ ] Post 1234 Access Banner Page Settings Included Post Access Banner page VLAN DHCP Release Page Settings Enable VLAN DHCP release Delay to release 1 Delay to CoA 8 Delay to renew 12 Authentication Success Settings Once authenticated, take guest to © 2018 Fast Lane Authentication Success page Lab Guide 79 Support Information Is Settings Included Support Information page [X] Fields to include [ X ] MAC address [ X ] IP address [ X ] Browser user agent [ ] Policy server [ X ] Failure could Empty fields 80 Hide field Step 8 Scroll to the top and click Save. Step 9 In the pop-up window, click OK to change the certificate for all the portals on the same port. Step 10 In your Firefox browser, open the tools/guest toolbar hyperlink in a new tab. (Right-click guest). Step 11 Click the link the iseiscool-images.zip link and save the file. Step 12 Click the down arrow in the upper right corner of Firefox the on the folder icon of the file to open the location the file was saved. Step 13 Right-click the file name and select Extract All. Accept the default location and click Extract. Step 14 Return to the ISE admin portal. Step 15 In the customization setting area click Portal Page Customization. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 16 © 2018 Fast Lane Before making any modifications, observe the Preview on the right side of the page. This is the Mobile preview page. Below this preview is the Desktop Preview link. Clicking on it will open up a new browser window. Lab Guide 81 Step 17 Scroll back up to the top and to the right of the Portal Theme select the button. Step 18 Observe the color options that you can modify. Click the color square at the end of the Banner Color line. Play around with the color tool as you see fit. Pick a custom color or enter #8a099b in the hex box. Step 19 Click OK. Step 20 Leave all other colors the default and click OK. Step 21 Images can be uploaded by clicking on the buttons in the Images section. They can also be deleted or reset to default with the X and circled arrow buttons respectively. Step 22 Delete the Banner Image. Step 23 Scroll back to the preview area and click Refresh Preview and observe the purple (or your custom color) banner. Step 24 Upload the following images: Image File Location Logo (Mobile) C:\users\admin\Downloads\iseiscool-images\iseiscool_logo_hotspot.png Logo (Desktop) C:\users\admin\Downloads\iseiscool-images\iseiscool_logo_hotspot.png Banner 82 C:\users\admin\Downloads\iseiscool-images\iseiscool_banner.png Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 25 Remove the Text Elements > Banner title, as the image contains the text in graphical format. Step 26 Click in the Footer Elements box to the right to activate the preview change and review the preview Step 27 Scroll down to the AUP text box. Wherever you see Cisco Systems in the AUP change it to The Demo Shop. Step 28 bold it using the toolbar for the AUP text section. Make any other text modifications you desire. © 2018 Fast Lane Lab Guide 83 84 Step 29 In the Left Pane select Authentication Success. Step 30 Edit both Browser Page Title and the Content Title and modify them to Access Granted. Step 31 Scroll down to Optional Content 2 and add the following text: Use coupon code 130 at checkout for extra savings! Step 32 Using the toolbar, bold and underline 130 then change the font color of 130 to red. Then select the text and change the font size to large. Step 33 Scroll to the right and click Refresh Preview to review your work. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 34 In the left pane, click Support Information. Step 35 Scroll down and in the Support Information Text field; modify the phone number from (xxx)-xxx-xxxx to (555) 555-1234. Step 36 In the left pane, click Messages > Error Messages. Step 37 Observe the error messages and the message text that the users would be shown in the event of an error. Step 38 Each line of the message Text is inline editable. Modify the ui_invalid_access_code_error message text to read: Wrong access code. See the front desk for assistance. Tip Yo Step 39 Scroll to the top and click Save. Step 40 In the left pane, click Acceptable Use Policy and under the preview section click the link Desktop Preview and observe the desktop preview in a new tab. Close the tab when you are done. Step 41 Back in the Admin Portal click Close. Step 42 As indicated below the Guest Portals list in the right pane, you must create an authorization profile. Click the hyperlink to go there now. Your portal will not be Authorized until you create an Authorization Profile referencing this portal and then an Authorization policy that references the related Authorization Profile. Step 43 Click +Add in the right pane toolbar. © 2018 Fast Lane Lab Guide 85 Step 44 Create the following authorization profile: Hotspot Authorization Profile Attribute Name Value Name Hotspot Access Common Tasks Web Redirection Hot Spot ACL: ACL-WEBAUTH-REDIRECT Value: Demo - Hotspot Step 45 Scroll down and click Submit. Step 46 Click +Add in the right pane toolbar. Step 47 Create the following authorization profile for guest access. . Guest Authorization Profile Attribute Name Value Name Guest Access Common Tasks Airespace ACL Name GUEST_ACL Step 48 Scroll down and click Submit. Step 49 Navigate to Policy > Policy Sets and access the Wireless_Access > Authorization Policy policy set. Step 50 Add the following Authorization Policy rule above the Wireless AD Employees rule. Note Make sure your WLAN ID for your ##_hotspot WLAN is correct. Hotspot Authorization Policy Attribute Value Rule Name Hotspot Conditions Airespace:Airespace-Wlan-Id EQUALS 2 (identity groups and other conditions) Results (Profiles) Step 51 Hotspot Access Add another rule above the Hotspot rule you just created with the following parameters. Guest Access Authorization Policy Attribute Value Rule Name Guest Access Conditions IdentityGroup:Name CONTAINS Endpoint Identity (identity groups and other Groups:GuestEndpoints conditions) Results (Profiles) 86 Guest Access Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 52 Verify your configuration with the following screenshot. Step 53 Scroll down and click Save. Step 54 Navigate to Work Centers > Guest Access > Portals & Components and then click Guest Portals. Step 55 Observe that the Demo Hotspot portal is now Authorized compared to the other default portals. Step 56 Click Demo Hotspot to enter the configuration for that portal. Step 57 In the right side, examine the Guest Flow. This diagram is based on the settings you configured on the left. In this simple hotspot flow, the user will need to accept the AUP (1) and then they will have successfully logged on the network (2). You have enabled Support Information and that is represented in the block on the left. © 2018 Fast Lane Lab Guide 87 Step 58 When you test access in the next section, you will observe this flow. Test Access Step 59 On your W10PC-Corp log in as student / 1234QWer. Step 60 Access your Tablet according to your lab specific instructions. Caution Step 61 Use the link WLAN to open the Wlan list. Step 62 Enable WLAN. Step 63 From the list identify your pod ##-wpa2e SSID. The Tablet should automatically connect to this WLAN. Click this WLAN. Step 64 At the bottom, click FORGET in order to clear any previous cached settings or credentials. Step 65 Click the hotspot SSID for your pod. Step 66 Open a browser on the Tablet. Step 67 If you are not automatically redirected to the ISE hotspot portal, try to open a webpage on cisco.com, for example. Step 68 Step 69 88 If you are having difficulty, notify your instructor. Do not attempt to modify configurations in troubleshooting. Your connection . Click Advanced and then click Proceed to ise-1.demo.local (unsafe). Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 70 Step 71 Click in the Access code box and enter an incorrect access code of 5678 and click Accept and observe the result which should match the error message you configured. Hint tablet will be locked and use must unlock the device again (PIN 1234). Use the keyboard on the tablet´, to enter the access code. © 2018 Fast Lane Lab Guide 89 90 Step 72 Click the Contact Support link at the bottom. Observe the Support Information page opens in a new tab. Observe the modification of the help desk phone number. Step 73 Close this tab to return to the AUP page. Step 74 Now enter to correct access code: 1234 and click Accept. Step 75 This is correlates to the AUP, step 1, in the previous flow diagram. Step 76 You should see the customized Access Granted messages with the coupon code that you configured at the bottom. Step 77 This correlates to the Success, step 2, in the previous flow diagram. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 78 Now surf to Cisco.com again. This should succeed. Step 79 Return to the Cisco ISE Admin Portal on the Admin PC. Step 80 Navigate to Operations > Radius > Live Logs and observe the authentication records. Notice the first Hotspot access and then the Identity Group GuestEndpoints and Guest Access Authorization Profile match. Step 81 Note the endpoint MAC address below. Step 82 Navigate to Context Visibility > Endpoints . Step 83 Find the Tablets MAC address and click the Endpoint Profile name or select the checkbox and click Edit in the toolbar. Step 84 Observe the following fields which correlate with the configuration you made earlier. Also notice the device has been statically assigned to the GuestEndpoints Identity Group. Note Observe the new Description feature. You can enter a description and scroll to the bottom and click Save. Tip You may have noticed that the system has effectively profiled the device as an Android Tablet even though we disabled Profiling earlier in the lab. Further details will be covered in detail later in the lecture, but briefly, the Cisco ISE always gathers HTTP headers when a portal is access and the endpoint utilizing the portal is profiled based solely on that data. © 2018 Fast Lane Lab Guide 91 92 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Verification You have completed this task when you attain these results: You have created a guest hotspot portal. You have configured and customized the guest hotspot portal. You have configured a guest and hotspot authorization profile. You have modified the authorization policy for hotspot access and subsequent guest access. You have accessed the hotspot SSID network and processed through the hotspot guest flow. You have observed the authentication process and records in Cisco ISE. © 2018 Fast Lane Lab Guide 93 In this task, you will configure Cisco ISE guest access for guest self-registration. This type of access is appropriate where to start I do connect to the network and create their own parameter limited accounts. Activity Procedure Complete these steps: Configure Guest Type In this section, you will configure a custom guest type that will restrict access to business days and hours. Step 1 In the Cisco ISE Admin portal, navigate to Work Centers > Guest Access > Portals&Components and then select Guest Types. Step 2 In the right pane observe the four default guest types, Contractor, Daily, SocialLogin and Weekly. Step 3 In the right pane click the Create button. Step 4 Configure a guest type according to the following table. Guest Type Attribute Value Guest type name Business Daily Description Business Hours on Business Days Collect Additional Data Person Visiting Required [ ] Tip <leave default> Maximum Access Time Maximum account duration 5 days Default 2 Allow access only on these days [ X ] and times From 5:00 AM To 11:00 PM Days [ ] Sun [ X ] Mon [ X ] Tue [ X ] Wed [ X ] Thu [ X ] Fri [ ] Sat From 7:00 AM To 10:00 PM Days [ X ] Sun [ ] Mon [ ] Tue [ ] Wed [ ] Thu [ X ] Fri [ X ] Sat Login Options 94 Maximum simultaneous logins [X] When guest exceeds limit Disconnect the oldest connection Maximum devices guest can register 2 Store device information in endpoint identity group GuestEndpoints Allow guest to bypass the Guest portal [ ] Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 2 © 2018 Fast Lane Account Expiration Notification Send account expiration notification [X] Email [X] 5 hours Before account expires Use customization from Self Registered Guest Portal (default) Messages Your account at The Demo Shop is going to expiring 5 hours. Copy text from Send test email to me at SMS [ ] Messages Your account at The Demo Shop is going to expire in 5 hours. Copy text from Send test SMS to me at Provider Sponsor Groups All_Accounts (default) , Group_Accounts (default), Own Accounts (default) Step 5 Scroll up and click Save. If you are sending a test SMS message, do so now. Step 6 Click Close. Configure Guest Portal Step 7 Navigate to Work Centers > Guest Access > Portals & Components. Step 8 In the left pane, click Guest Portals. Step 9 In the right pane, click the Create button. Step 10 In the pop-up window, select Self-Registered Guest Portal and then click Step 11 In the Portals Settings and Customization window configure the following: Self-Registration Portal Settings and Customization Attribute Value Portal Name Demo-Self-Reg Description The Demo Self-Registration Portal Portal Behavior and Flow Settings Portal Settings HTTPS Port 8443 Allowed interfaces Gigabit Ethernet 0 Certificate group tag ISE Lab CGT Authentication method Guest_Portal_Sequence Employees using this portal as guest inherent login options from Weekly (default) Display language Use browser locale Login Page Settings © 2018 Fast Lane Lab Guide 95 Require an access code [ ] Maximum failed login attempts before rate limiting 5 Time between login attempts when rate limiting 2 Include in AUP page [X] Require acceptance on page [X] Allow guest to create their own accounts [X] Allow social login [ ] Allow guest to change password after login [ ] Registration Form Settings Assign to guest type Business Daily Account valid for 1 Require a registration code [ ] Fields to include Required [ X ] User name [ ] [ X ] First name [X] [ X ] Last name [X] [ X ] Email address [ ] [ X ] Phone number [ ] [ X ] Company [ ] [ X ] Location [X] Guest can choose from these locations to set their time zone San Jose SMS Service Provider [ ] Guest can choose from these SMS providers Days <SELECT YOUR LOCATION FROM THE LIST> [ ] [ ] Global Default [ ] T Mobile [ ] ATT [ ] Verizon [ ] ClickatellViaSMTP [ ] Orange [ ] In mobile [ ] TheRingRingCompany [ ] Sprint Person being visited [X] [X ] Reason for visit [X] [X] Custom Fields Include in AUP Require acceptance 96 [ ] [X] on page [ ] Only allow guests with an email address from [ ] Do not allow guests with an email address from [ X ] example.com Require guest to be approved [ ] After registration submission, direct guest to Self-registration Success page Send Credential Notification Automatically Using [ X ] Email [ ] SMS Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Self-Registration Success Settings Include this information on the Self-Registration Success page [ X ] User name [ X ] Password [ X ] First name [ X ] Last name [ X ] Email address [ X ] Phone number [ X ] Company [ X ] Location [ ] SMS Service Provider [ X ] Person being visited [ X ] Reason for visit Allow guest to send information to solve using [ X ] Print [ X ] Email [ ] SMS Include in AUP [X] Require acceptance [X] Require scrolling to end of the AUP [ ] Allow guest to log in directly from the SelfRegistration Success Page on page [X] Acceptable Use Policy (AUP) Page Settings Include in AUP page [X] Use different AUP for employees [ ] Skip AUP for employees [X] Require scrolling to end of AUP [ ] Show AUP Every 1 days Guest Change Password Settings Require guest to change password at first login [ ] Guest Device Registration Settings Automatically register Guest devices [X] Allow guest register devices [X] BYOD Settings Allow employees to use personal devices on the network [ ] Endpoint identity group RegisteredDevices Allow employees to choose to guest access only [ ] Display Device ID field during restriction [ ] After successful device configuration take employee to Success page Guest Device Compliance Settings Require guest device compliance [ ] Post-Login Banner Page Settings Included Post Login Banner page [ ] VLAN DHCP Release Page Settings © 2018 Fast Lane Lab Guide 97 Enable VLAN DHCP release [ ] Delay to release 1 Delay to CoA 8 Delay to renew 12 Authentication Success Settings Once authenticated, take guest to Authentication Success page Support Information Is Settings Included Support Information page [X] Fields to include [ X ] MAC address [ X ] IP address [ X ] Browser user agent [ X ] Policy server [ X ] Failure could Empty fields 98 Hide field Step 12 Scroll up and click Save. Step 13 Examine the Guest Flow and when you are comfortable in your understanding of the flow continue to the next step. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 14 Click Portal Page Customization. Step 15 Examine the customization options. They are similar to the Hotspot portal customizations with the option to customize the additional pages in this selfregistration flow. For time sake you will only add a footer and modify one other field. Add the following text to the Footer Elements: All access is logged. Tip Remember if adding support information to the guest flow as an option, modify the Support information text phone number from all Xs to an actual number. Note You will not be modifying the AUP to change the company name from Cisco Systems to The Demo Shop due to time constraints. Step 16 Scroll down in on the right side, click Refresh Preview. Step 17 Observe the footer you created. Step 18 Change to a different page by clicking on the boxes to the left and observe the footer is consistent. Step 19 Scroll up and click Save. Step 20 In the left pane, select Notifications and then Print. Step 21 Observe the variables that are used in the text. Step 22 Create a new line at the bottom of the text box. Add the text Location: © 2018 Fast Lane Lab Guide 99 Step 23 In the toolbar, click the Insert Variable icon and observe variables which are available. Select Location name to insert that variable. Step 24 Verify your work with the following screenshot. Step 25 Scroll up and click Save then Close. Step 26 Use the shortcut hyperlink to create and Authorization profile at the bottom of the page. Step 27 Select Hotspot Access and then click Duplicate in the tool bar. Step 28 Modify the authorization profile according to the table below. Self-Registration Authorization Profile Attribute Name Value Name Self-Registration Portal Common Tasks Web Redirection 100 Centralized Web Auth Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane ACL: ACL-WEBAUTH-REDIRECT Value: Demo-Self-Reg Display Certificates Renewal Message [X] Static IP/Host name [ ] Supress Profiler CoA for endpoints in Logical Profile [ ] Step 29 Scroll down and click Submit. Step 30 Navigate to Policy > Policy Sets and access the Wireless_Access policy set. Step 31 Expand the Authorization Policy. Step 32 At the end of the line for the Hotspot rule, click the gear icon and select Insert new row Above Step 33 Create the new rule to match the following Authorization Policy rule. Self-Registration Authorization Policy Attribute Value Rule Name Self-Registration Conditions (identity groups and other conditions) Airespace:Airespace-Wlan-Id EQUALS 3 Results (Profiles) Self-Registration Portal Step 34 Click Use at the end of the line. Step 35 Disable the Hotspot rule. Step 36 Verify your configuration with the following screenshot. © 2018 Fast Lane Lab Guide 101 Step 37 Scroll down and click Save. Test Access Step 38 Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations in troubleshooting. Step 39 Navigate to WLAN. Step 40 From the list identify your hotspot SSID you used previously. Step 41 At the bottom, click FORGET in order to clear any previous cached settings or credentials. Step 42 Turn off Wi-Fi. Step 43 Return to the Cisco ISE admin portal. Step 44 Navigate to Context Visibility > Endpoints. Step 45 Select the Tablet and then Delete it using the toolbar. Confirm Yes to delete. Note 102 On your W10PC-Corp access your Tablet according to your lab specific instructions. You may have to manually clear the client from the WLC (Naviagte to WLC GUI > Monitor > Clients Click on the client to be cleared > Remove) if you perform these steps quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal disruptions and roams. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 46 Access the Tablet and enable the Wi-Fi. Step 47 Access the Guest SSID for your pod. Step 48 Open a browser and try to browse to cisco.com. Step 49 You are automatically redirected to the ISE hotspot portal. Step 50 Use your mouse to scroll down to the bottom and click Or register for guest access. © 2018 Fast Lane Lab Guide 103 Step 51 Create an account using the following information. Create Guest Account Attribute Value Username First name John Last name Watson Email address guest@ffmlab.com Phone number 104 Company Holmes Investigations Location <SELECT YOUR LOCATION> Person being visited (email) admin@demo.local Reason for visit Consultation Person visiting Mycroft Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 52 Click Register. Step 53 Observe your account details. Step 54 Observe the details. Step 55 Click I agree to the terms and then Sign On. Step 56 Accept the AUP. Step 57 In the Device Registration window Click No, skip registration. Step 58 Now try to access Cisco.com. This should succeed. Step 59 Return to the Cisco ISE Admin Portal on the Admin PC. Step 60 Navigate to Operations > Radius > Live Log and observe the authentication records. Notice the first Self-Registration Portal access was based on the MAC address and then the records switch to using the username identity with the Guest Access Authorization Profile match. Step 61 Navigate to Conext Visibility > Endpoints. Step 62 Find the Tablets MAC address and click it. © 2018 Fast Lane Lab Guide 105 Step 63 Scroll down the Attributes list and observe the following fields which now provide more meaningful information about the endpoint instead of just a MAC address. Activity Verification You have completed this task when you attain these results: You have created a guest self registration portal. You have configured and customized the self registration portal. You have configured a self registration authorization profile You have modified the authorization policy for self registration access You have accessed the open SSID network and processed through the self registration guest flow. You have observed the authentication process and records in Cisco ISE 106 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will enable self-registration with the requirement of obtaining sponsor approval before access is granted to the network. Activity Procedure Complete these steps: Remove Endpoint from Cisco ISE Step 1 On your W10PC-Corp, access your Tablet according to your lab specific instructions. Step 2 Navigate to WLAN. Step 3 Turn off Wi-Fi. Step 4 Return to the Cisco ISE admin portal. Step 5 In Cisco ISE, navigate to Context Visibility > Endpoints. Step 6 Select the Tablet and then delete (Click Trash > Selected) it using the toolbar. Confirm YES to delete. Note You may have to manually clear the client from the WLC if you perform these steps quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal disruptions and roams. Modify Self-Registration portal to require Sponsor Approval Step 7 Navigate to Work Centers > Guest Access > Portals & Components. Step 8 In the left pane, click Guest Portals. Step 9 In the right pane, activate or select the Demo-Self-Reg by left-clicking on the blue area with no text (see screenshot below). The box will turn a darker blue once selected. Step 10 In the toolbar click Duplicate. Step 11 Once the duplication process is complete, click the Demo-Self-Reg_Copy1 portal to edit it. © 2018 Fast Lane Lab Guide 107 Step 12 In the Portals Settings and Customization window modify the following settings only: Self-Registration Portal Settings and Customization Attribute Value Portal Name Demo-Self-Reg-Approval-Required Description The Demo Self-Registration Portal Portal Behavior and Flow Settings Registration From Settings Require guest to be approved [X] Email approval request to sponsor email addresses listed below sponsor@demo.local Step 13 Scroll up and click Save then Close. Step 14 Use the shortcut hyperlink to create and Authorization profile at the bottom of the page. Step 15 Select Self-Registration Portal and then click Duplicate in the tool bar. Step 16 Modify the authorization profile according to the table below. Self-Registration with Approval Authorization Profile Attribute Name Value Name Self-Registration Portal with Approval Common Tasks Web Redirection 108 Centralized Web Auth ACL: ACL-WEBAUTH-REDIRECT Value: Demo-Self-Reg-Approval-Required Display Certificates Renewal Message [X] Static IP/Host name [ ] Supress Profiler CoA for endpoints in Logical Profile [ ] Step 17 Scroll down and click Submit. Step 18 Navigate to Policy > Policy Sets and access the Wireless_Access policy set. Step 19 Expand Authorization Policy. Step 20 At the end of the line for the Self-Registration rule, click the gear icon and select Insert new row above Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 21 Create a new rule to match the following Authorization Policy rule. Self-Registration with Approval Authorization Policy Attribute Value Rule Name Self-Reg with Approval Conditions (identity groups and other conditions) Airespace:Airespace-Wlan-Id EQUALS 3 Results (Profiles) Self-Registration Portal with Approval Step 22 Click Use at the end of the line. Step 23 Disable the Self-Registration rule. Step 24 Verify your configuration with the following screenshot. Step 25 Scroll down and click Save. Test Access Step 26 Caution On your W10PC-Corp access your Tablet according to your lab specific instructions. If you are having difficulty, notify your instructor. Do not attempt to modify configurations in troubleshooting. Step 27 Navigate to WLAN. Step 28 Enable the Wi-Fi. Your Tablet should associate to the ##-guest SSID. Step 29 Open a browser. Step 30 If you are not automatically redirected to the ISE Self-Registration portal, type in cisco.com, for example. Step 31 On the Sponsored Guest Portal Page, use your mouse to scroll down to the bottom and click Or register for guest access. © 2018 Fast Lane Lab Guide 109 Step 32 Create an account using the following information. Create Account Attribute Value Username First name Sherlock Last name Holmes Email address guest@ffmlab.com Phone number 110 Company Holmes Investigations Location <Your Location> Person being visited (email) admin@demo.local Reason for visit To find Watson! Person visiting Mycroft Step 33 Click Register. Step 34 Note that your account is created but there are no credentials. Select the checkbox to agree to the terms and conditions, then click Sign On. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 35 Since you have no credentials, username and password, you are unable to sign in. Step 36 Return to the Cisco ISE admin portal. Step 37 Navigate to Work Centers > Guest Access > Manage Accounts. Step 38 Click the Managed Accounts button. Step 39 The default sponsor portal opens open a new tab. Notice at the top under Pending Accounts the 1 in parentheses (1) indicating an account pending approval. Step 40 Click the tab Pending Accounts and observe the guest account pending approval. Step 41 Select the account and click Approve. Step 42 Enter the email address sponsor@demo.local and click OK to approve the account. Note If the approval p task. Step 43 Click Manage Accounts and click the Sherlock Holmes (sholmes) account to view the username and the password. Step 44 Return to the Tablet and in the browser enter your credentials. It may be necessary to refresh or retry as your portal session may have timed out. Scroll to the bottom of the AUP, click that you accept the AUP, and then click Sign On at the bottom. Note © 2018 Fast Lane If you timed out, just login after clicking Retry. Lab Guide 111 Step 45 In the Device Registration window, click No, skip registration. Step 46 Now try to visit Cisco.com. This should succeed. Step 47 Return to the Cisco ISE Admin Portal on the Admin PC. Step 48 Navigate to Operations > Radius > Live Logs and observe the authentication records. Activity Verification You have completed this task when you attain this result: You have created a guest self-registration portal with the requirement of guest accounts having sponsor approval. You have configured a self-registration with approval authorization profile. You have modified the authorization policy for self-registration with approval access. You have access to the open SSID network and process through the self-registration guest flow. You have logged into the sponsor portal and approved the pending account. You have logged in as the guest with the approved account credentials. You have observed the authentication process records in Cisco ISE. 112 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will perform sponsored guest account operations. You will be creating the accounts as a sponsor and then providing and click Approve information to the guest. Activity Procedure Complete these steps: Remove Endpoint from Cisco ISE Step 1 On your W10PC-Corp access your Tablet according to your lab specific instructions. Step 2 Navigate to WLAN. Step 3 Turn off Wi-Fi. Step 4 Return to the Cisco ISE Admin portal. Step 5 Navigate to Context Visibility > Endpoints. Step 6 Select the Tablet and then Delete (click Trash > Selected) it using the toolbar. Confirm YES to delete. Note You may have to manually clear the client from the WLC if you perform these steps quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal disruptions and roams. Configure Guest Portal Step 7 Navigate to Work Centers > Guest Access > Identities and select Identity Source Sequence. Step 8 Select Guest_Portal_Sequence and click the Edit button. Step 9 Adjust the sequence to the following screenshot: © 2018 Fast Lane Lab Guide 113 Step 10 Click the Save button. Step 11 Navigate to Guest Access > Portals & Components. Step 12 In the left pane, click Guest Portals. Step 13 In the right pane, activate or select the Sponsored Guest Portal (default) by leftclicking on the blue area with no text (see screenshot below). The box will turn a darker blue once selected. Step 14 In the toolbar click Duplicate. Step 15 Once the duplication process is complete, click the Sponsored Guest Portal (default)_copy1 portal to edit it. Step 16 In the Portals Settings and Customization window modify the following settings only: Sponsored Portal Settings and Customization Attribute Value Portal Name Demo-Sponsored Description The Demo Sponsored Guest Portal Portal Behavior and Flow Settings Portal Settings HTTPS Port 8443 Allowed interfaces Gigabit Ethernet 0 Certificate group tag ISE Lab CGT Identity source sequence Guest_Portal_Sequence Employees using this portal as guest inherent login options from Weekly (default) Display language Use browser locale Login Page Settings Require an access code [ ] Maximum failed login attempts before rate limiting 5 Time between login attempts when rate limiting 2 Include in AUP page [X] Require acceptance on page [X] Allow guest to create their own accounts [ ] Allow social login [ ] Allow guest to change password after login [X] Acceptable Use Policy (AUP) Page Settings Include in AUP page [X] Use different AUP for employees [ ] Skip AUP for employees [ ] Require scrolling to end of AUP [ ] Show AUP On first login only Guest Change Password Settings Require guest to change password at first login 114 [ ] Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Guest Device Registration Settings Automatically register Guest devices [X] Allow guest register devices [ ] BYOD Settings Allow employees to use personal devices on the network [ ] Endpoint identity group RegisteredDevices Allow employees to choose to guest access only [ ] Display Device ID field during restriction [ ] After successful device configuration take employee to Success page Guest Device Compliance Settings Require guest device compliance [ ] Post-Login Banner Page Settings Included Post Access Banner page [ ] VLAN DHCP Release Page Settings Enable VLAN DHCP release [ ] Delay to release 1 Delay to CoA 8 Delay to renew 12 Authentication Success Settings Once authenticated, take guest to URL http://www.cisco.com/go/ise Support Information Is Settings Included Support Information page [ ] Fields to include [ X ] MAC address [ X ] IP address [ X ] Browser user agent [ X ] Policy server [ X ] Failure could Empty fields © 2018 Fast Lane Hide field Lab Guide 115 116 Step 17 Scroll up and click Save. Step 18 Examine the Guest Flow and when you are comfortable in your understanding of the flow continue to the next step. Step 19 Click the Close button. Step 20 Use the shortcut hyperlink to create and Authorization profile at the bottom of the page. Step 21 Create the authorization profile according to the table below. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Sponsored Portal Authorization Profile Attribute Name Value Name Sponsored Portal Common Tasks Web Redirection Centralized Web Auth ACL: ACL-WEBAUTH-REDIRECT Value: Demo-Sponsored Display Certificates Renewal Message [X] Static IP/Host name [ ] Supress Profiler CoA for endpoints in Logical Profile [ ] Step 22 Scroll down and click Submit. Step 23 Navigate to Policy > Policy Sets and access the Wireless_Access policy set. Step 24 Expand the Authorization Policy. Step 25 At the end of the line for the Hotspot rule, click the gear icon and select Insert new row above. Step 26 Creat a new rule to match the following Authorization Policy rule. Sponsored Portal Authorization Policy Attribute Value Rule Name Sponsored Portal Conditions (identity groups and other conditions) Airespace:Airespace-Wlan-Id EQUALS 3 Results (Profiles) Sponsored Portal Step 27 In the case you did the previous task, disable the Self-Reg with Approval rule. Step 28 Verify your configuration with the following screenshot. Step 29 Scroll down and click Save. © 2018 Fast Lane Lab Guide 117 Sponsor Group Modification 118 Step 30 Navigate to Work Centers > Guest Access > Identities and click then Identity Source Sequence. Step 31 Select Sponsor_Portal_Sequence and click the Edit button. Step 32 Select in the left panel demo.local and move the authentication source to the right panel. Step 33 Click the Save button. Step 34 Return to Work Centers > Guest Access > Portals & Components. Step 35 In the left pane select Sponsor Groups. Step 36 Select the ALL_ACCOUNTS (default) line in an open area (do not click any text) and then click Duplicate in the toolbar above. Step 37 Edit the ALL_ACCOUNTS (default)_copy1 Sponsor Group. Step 38 Click the button above the Sponsor Group Members section. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 39 In the pop-up window, on the Available User Groups side type Employees in the search filter and click Search. Step 40 Select the demo.local Employees group and move it to the Selected User Groups side. Step 41 Click OK. Step 42 Modify the rest of this sponsor group according to the following table. Sponsor Group © 2018 Fast Lane Attribute Value Disable Sponsor Group [ ] Sponsor group name DEMO_ALL Description All Guest Accounts for Local ALL_ACCOUNTS and demo.local Employees Lab Guide 119 Sponsor Group Members ALL_ACCOUNTS (default) demo.local:demo.local/HCC/Groups/Employees This sponsor group and create accounts using these guest types Contractor (default) Daily (default) Weekly (default) Create Guest Types at San Jose <YOUR CLASS LOCATION> Sponsor Permissions Sponsor Can Create Multiple guest accounts assigned to specific guests [ ] (Import) Limit to batch of 200 Multiple guest accounts to be assigned to any guess (Random) [X] Default username prefix d-guest- Allow sponsor to specify a username prefix [ ] Limit to batch of 25 Start date cannot be more than # days into the future [X] Sponsor Can Manage All guest accounts 31 Sponsor Can [X] number) [X] Send SMS notifications with credentials [X] [X] Extend guest accounts [X] Delete [X] Suspend account account [X] Require sponsor to provide a reason Reinstate suspended accounts Approve request from self-registering guests [X] [X] [X] Any pending accounts [X] Only pending accounts assigned to this sponsor [ ] Access Cisco ISE guest accounts using the programmatic interface (Guest REST API) Tip Step 43 [ ] If you are having trouble selecting the Guest Types and/or the Locations, Save and Close your work and open IE and edit this page in IE. When done, Save your work and return to Firefox. Scroll up and click Save. Customize Sponsor Portal Step 44 120 Navigate to Work Centers > Guest Access> Portals & Components then select Sponsor Portals. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 45 Select, not edit, the Sponsor Portal (default) portal. Step 46 Click Duplicate in the toolbar above. Step 47 Edit the Sponsor Portal (default)_copy1 portal. Step 48 Modify the sponsor portal according to the settings below. Sponsor Portal Settings and Customization Attribute Value Portal Name DEMO Sponsor Portal Description DEMO Sponsor Portal Portal Behavior and Flow Settings Portal Settings HTTPS Port 8443 Allowed interfaces Gigabit Ethernet 0 Certificate group tag ISE Lab CGT Fully qualified domain name (all FQDN) sponsor.demo.local Identity source sequence Sponsor_Portal_Sequence Idle timeout 10 Display language Use browser locale SSIDs available to sponsors <Your pod SSID if you configured it> Login Settings Maximum failed login attempts before rate limiting 5 Time between login attempts when rate limiting 2 Include an AUP [ ] Require acceptance Acceptable Use Policy (AUP) Page Settings Include in AUP page Require scrolling to end of AUP Show AUP [ ] [ ] On first login only Sponsor Change Password Settings Allow sponsor to change their own passwords [ ] Post-Login Banner Page Settings Included Post Login Banner page [ ] Support Information Is Settings Included Support Information page [ ] Fields to include [ ] MAC address [ ] IP address [ ] Browser user agent [ ] Policy server [ ] Failure could Empty fields © 2018 Fast Lane Hide field Lab Guide 121 Step 49 Scroll up and click Save and then Close. Test Access Step 50 On your W10PC-Corp access your Tablet according to your lab specific instructions. Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations in troubleshooting. Step 51 Navigate to WLAN Step 52 Access the Tablet and enable the Wi-Fi. Your Tablet should associate to the ##guest SSID. If not, connect to the ##-guest SSID. Step 53 Open a browser. Step 54 If you are not automatically redirected to the ISE guest portal, type cisco.com, for example. Step 55 On the Sponsored Guest Portal Page use your mouse to scroll down to the bottom and notice there is no link Or register for guest access? Step 56 Return to Firefox on the Admin PC. Step 57 Open a new tab. Step 58 Enter the URL https://sponsor.demo.local or use the sponsor bookmark on the bookmark toolbar and press Enter. Note 122 If you get a security error from Firefox, use Internet Explorer for this task. Step 59 Notice that the Sponsor Portal with new logo is shown and that Cisco ISE automatically redirected the URL to port 8443. Step 60 Log in with the domain credentials in UPN format employee1@demo.local / 1234QWer Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 61 Under Create Accounts in the Guest Information section click Random and observe the Username prefix is pre-populated with d-guest- as per the policy you created earlier. Step 62 Return to your Tablet and navigate to WLAN. Step 63 From the list identify your pod ##-guest SSID. Step 64 At the bottom, click FORGET in order to clear any previous cached settings or credentials. Step 65 Click the pod##-wpa2e SSID. Step 66 Enter employee1@demo.local as Identity and 1234QWer as the password and leave all other parameters at their defaults. Then click CONNECT. Step 67 Open a browser and navigate to https://sponsor.demo.local Step 68 Accept any certificate warning and by continuing via Advanced > Proceed to sponsor.demo.local. Step 69 Log in with the domain credentials in UPN format employee1@demo.local / 1234QWer © 2018 Fast Lane Lab Guide 123 Step 70 Observe the Sponsor Portal on the tablet. Step 71 On Create Accounts, click the button. Step 72 Select Weekly as the Guest type and click Next. Step 73 Click Random under Guest Information. Step 74 Use the following information to create two guest accounts. Create Random Accounts Attribute Value Number of accounts 2 Username prefix <LEAVE DEFAULT> d-guest- Group tag Language English - English Duration 1 From Date (yyyy-mm-dd) <ENTER TODAYS DATE> From Time 06:00 To Date (yyyy-mm-dd) <ENTER TOMORROWS DATE> To Time 19:00 Location <SELECT YOUR CLASS LOCATION> Step 75 Click Create. Step 76 Record the created guest account information below. Created Guest Accounts Username 124 Password Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 77 Navigate using your mouse to WLAN Step 78 From the list identify your pod ##-wpa2e SSID. Step 79 At the bottom, click FORGET in order to clear any previous cached settings or credentials. Step 80 Click the ##-guest SSID for your pod. To log back in as a guest. Step 81 Open a browser and try to navigate to cisco.com or trigger the web redirection by browing to 1.1.1.1 -guest- Step 82 employee sponsor. Step 83 Accept the AUP and click Sign On. Step 84 Once logged in you should automatically be redirected to the Cisco ISE product page. Step 85 Return to the Cisco ISE Admin Portal on the Admin PC. Step 86 Navigate to Operations > Radius > Live Logs and observe the authentication records for both the Sponsored Portal access and the Rand Guest account Guest Access. Activity Verification You have completed this task when you attain this result: You have configured a Sponsored guest portal. You have customized for Sponsored guest portal. You have configured an authorization profile for the Sponsored guest portal. You have modified the authorization policy to utilize the Sponsored guest portal. You have created a new Sponsor Group that includes domain employees. You have customized the Sponsor Portal. You have accessed the network as a guest and see the sponsored guest portal. You have logged in and seen the desktop sponsor portal. You have logged in via the Tablet and seen the mobile sponsor portal. You have created random accounts on the mobile sponsor portal. You have logged in as a guest with a randomly generated guest account. You have observed the authentication process records in Cisco ISE. © 2018 Fast Lane Lab Guide 125 In this task, you will perform guest account management via the sponsor portal. You will suspend and then reinstate an account, you will examine guest account properties, reset a guest password, and you will then delete a guest account. Optionally, you will also send guest account details via SMS. Activity Procedure Complete these steps: Step 1 On the Admin PC access your Sponsor Portal Firefox tab. Step 2 Log in with the domain credentials in UPN format employee1@demo.local / 1234QWer if your session is timed out. Step 3 Click the Manage Accounts tab. Step 4 Observe the accounts that you have created during this lab. Notice that one of the random accounts which was sponsored by the employee1 is in the state Created Step 5 Select that account and click Suspend. Step 6 Notice in the pop-up window, you are prompted, Are you sure you want to suspend the selected accounts? And then you are prompted for a reason for suspension as per the policy you have configured in task 4. Second guest did not show up for meeting and Step 7 click OK. Step 8 126 Notice now that the state of an account is Suspended. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 9 Reselect that account and notice the only options now are to Delete, Reinstate, and Print. Step 10 Click Reinstate and click Ok when prompted for confirmation. Step 11 Edit the first random account which has the state Active. Step 12 Enter the Scotland Yard . Step 13 Click Save. Step 14 Confirm your data-entry and click Done. Step 15 On the random account with the state of Created, reset the password. When prompted do not select Print, SMS and Email just click OK. Step 16 Click the account name to view the new password. Then click Done. Step 17 Observe the Time Left on the jwatson account. Step 18 Select the jwatson account and click Extend. Step 19 Notice that the maximum number of days as five. Enter 5 in the box and click OK. Step 20 Observe the extension of the time via the Time Left field. Step 21 Select the random account with the state of Created and Delete the account. Confirm the deletion by clicking OK. G Lestrade and the company Activity Verification You have completed this task when you attain these results: You have suspended, reinstated, edited, reset the password, extended, and deleted guest accounts via the sponsor portal © 2018 Fast Lane Lab Guide 127 Complete this lab activity to practice what you learned in the related module. In this activity, you will run guest reports that are directly available from the Cisco ISE dashboard. After completing this activity, you will be able to meet these objectives: Run guest reports from the Authenticated Guests dashlet Run guest reports from the Authenticated Guests dashlet sparklines The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC 128 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will run reports for guest access from the Cisco ISE dashboard. Activity Procedure Complete these steps: Step 1 On the Admin PC, navigate to the Cisco ISE dashboard by clicking Home. This area shows statistical data, which improves your ability to monitor and troubleshoot your system. Dashboard elements show activity over 24 hours, unless otherwise noted. Step 2 Observe Authenticated Guests in the metrics dashlet area. It shows the number of guests 1 Step 3 You will see some more detailed information about connected endpoints. Following that will be a list of endpoints. You should have a guest user in this list. Click the MAC address of that user. Step 4 Notice the five tabs you can use to get more information about this endpoint, as shown. Leave it on the Attributes tab for now, and scroll down to briefly review the types of information available here. You can scroll down to see some of the following information: (the values that are shown are merely examples...do not worry if yours do not match exactly) EndPointPolicy Android User-Name d-guest-xxxx IdentityGroup GuestEndpoints OperatingSystem PortalName Step 5 © 2018 Fast Lane Demo-Sponsored Click the Authentication tab, scroll down, and peruse all the Authenticationspecific information available. Lab Guide 129 130 Step 6 Move back to the main Cisco ISE Administration page in the browser, and Navigate to Home > Guests. Step 7 You should see that 100 percent of your guests have a status of Connected. Click the circular graphic in the Guest Status area. Step 8 You should see something similar to the example shown. You can see graphics for GUESTS STATUS, GUESTS TYPE, FAILER REASON, AND MORE. Following that, you see the list of devices, along with their MAC addresses. Clicking the MAC address here would bring you to the same informational screen you just looked at. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 9 Navigate to Context Visibility > Endpoints. The page is similar to the Home screen, except that context visibility pages: Retain your current context (browser window) when you filter the displayed data Are more customizable Focus on Endpoint Data Step 10 Click the Guest tab, as shown. Notice how it is similar to the information displayed in the Home screen. However, a new tab did not open up. You stayed in the same tab. Step 11 Click the MAC address of your guest connection. Again, notice how the information is similar to the Home screen, but new tabs do not open up. Activity Verification You have completed this task when you attain these results: You have successfully viewed multiple reports from the Cisco ISE home dashboard page. © 2018 Fast Lane Lab Guide 131 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure the Cisco ISE Profiler service and service settings. After completing this activity, you will be able to meet these objectives: Enable the Profiler Service Enable the use of the Cisco Profiler Feed Service Configure the Cisco ISE NAD definitions for SNMP Profiling Configure global SNMP profiler settings Verify NAD configurations for profiling operations The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 W10PC-Corp vWLC The table describes the commands that are used in this activity. ISE Profiling CLI Commands Command Description Command used to observe the act of Profiler Feed Service actions being written to the log. 132 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will enable and configure profiling in Cisco ISE. Activity Procedure Complete these steps: Verification of Endpoint Data To configure profiling in Cisco ISE, access the Cisco ISE Work Centers to view the necessary steps to prepare, define, and monitor your profiler service configuration. Step 1 © 2018 Fast Lane From the Admin PC, navigate to Work Centers > Profiler > Overview to view the required configuration steps that are needed to enable and configure the profiler service. Lab Guide 133 134 Step 2 In the lab, network devices and active directory configuration were done in previous labs. Also, some preparation is required in this lab environment before enabling the Profiler service. On your Admin PC in the Cisco ISE admin portal navigate to Work Centers > Profiler > Endpoint Classification. Step 3 Observe the endpoint assigned the Android Tablet endpoint profile. Scroll to the right in the device list and observe which fields are present and which are not. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 4 Note © 2018 Fast Lane Select the Android tablet endpoint and click Edit, click Attibutes and observe the attribute list data. Notice that the assigned EndPointSource Radius Probe MatchedPolicy is Android. This is the inherent HTTP profiling which automatically profiles based on basic data received from the OUI and the HTTP data received at any ISE portal. Lab Guide 135 Clean Endpoint data from ISE before Enabling Profiling Step 5 Return to your Tablet. Step 6 From the list identify your Pod##-guest SSID. Step 7 At the bottom right, click FORGET to clear any previous cached settings or credentials Step 8 Return to the Cisco ISE Admin Portal on the Admin PC Step 9 Navigate to Work Centers > Profiler > Endpoint Classification. Step 10 Select the Tablet and then Delete it using the toolbar. Confirm Yes to delete. Enable Profiling Service Step 11 Navigate to Administration > System > Deployment (Or Work Centers > Profiler > Deployment). Step 12 In the right pane select your ISE node to edit it. Step 13 At the bottom under Policy Service, select the Enable Profiling Service. Step 14 In the right pane, observe that the Profiling Configuration became available after selecting the Enable Profiling Service feature. Select the Profiling Configuration. Step 15 Enabled the following probes: DHCP HTTP RADIUS Network Scan (NMAP) SNMPQUERY 136 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 16 Scroll down and click Save. Step 17 Click OK on the pop-up window notifying you of the Policy Service persona change. Step 18 After a few minutes log back into the ISE admin portal using the credentials Admin / 1234QWer. You can check the status from the ISE CLI with the command, show application status ise, and noticing the Application Server status. Activity Verification You have completed this task when you attain these results: You have observed the default profile information of an important You have deleted the endpoint from Cisco ISE. You have enabled the Profiler Service. © 2018 Fast Lane Lab Guide 137 In this task, you will enable and configure notification settings for the Cisco Profiler Feed Service. You will also force a manual update. Activity Procedure Complete these steps: 138 Step 1 In the ISE admin portal, navigate to Administration > Feed Service > Profiler (Or Work Centers > Profiler > Feeds). Step 2 Select the checkbox for Enable Online Subscription Update, if not checked. Step 3 Read the notification and click OK. Step 4 Enable notification when a download occurs and use the email address admin@demo.local Step 5 Scroll down and click Save. Step 6 Test the connection to feed service. Click the button Test Feed Service Connection. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 7 Now click the Update Now button. Step 8 Click Yes on the pop-up. Step 12 You should briefly see a Server Response in the lower right-hand corner that indicates the FeedService was successfully started. Note The update process will take some time. At least 30-45 minutes. Tip You can verify the operation of the Feed Service operations via the ISE console by using the following command: ise-1# show logging | include FEED Tip Lines with FEEDMANUALDOWNLOAD are logs generated from a manual Update Now process. Tip Lines with FEEDAUTOMATICDOWNLOAD are logs generated from the scheduled process. Step 9 Continue to the next task. Activity Verification You have completed this task when you attain this result: You have successfully enabled the Cisco ISE Profiler Feed Service © 2018 Fast Lane Lab Guide 139 In this task, you will modify the NAD definition configuration for profiling in Cisco ISE. Activity Procedure Complete these steps: Configure Cisco ISE NAD configuration for Profiling Step 1 Navigate to Administration > Network Resources> Network Devices (Or Work Centers > Network Access > Network Ressources > Network Devices). Step 2 Click the 3k-access switch to edit the NAD profile. Step 3 Configure the following settings: Attribute Value SNMP Settings Enabled SNMP Version 2c SNMP RO Community Polling Interval 600 Link Trap Query Unchecked MAC Trap Query Unchecked Step 4 Tip 140 At the bottom of the section set the Originating Policy Services Node to ise-1. While not a mandatory step in the lab topology with a single ISE node, the practice of setting the Originating Policy Service Node for SNMP profiling operations to the node closest to the NAD is a best practice and tuning configuration. Especially in a larger or geographically dispersed ISE deployment. Step 5 Scroll down and click Save. Step 6 Return to the list of Network Devices. Step 7 Perform the same modification using the same values to the pod vWLC. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Modify Profiler Configuration Step 8 Navigate to Work Centers > Profiler > Settings in the left pane select Profiler Settings. Step 9 Modify the Profiler Configuration according to the following table: Attribute Value CoA Type Reauth Change custom SNMP community strings Confirm change custom SNMP community strings Step 10 EndPoint Attribute Filter Disabled Enable Anomalous Behaviour Detection Disabled Enable Anomalous Behaviour Enforcement Disabled Enable Custom Attribute for Profiling Enforcement Disabled Click Save. Verify Profiler Exception Action Step 11 Navigate to Work Centers > Profiler > Policy Elements and in the left pane select Exception Actions. Step 12 Click FirstTimeProfile to view the action details. Step 13 Observe that the COA Action is to Force COA. This occurs, when an endpoint s profile for the first time. Note This is the default action for all the Cisco provided exception actions. Activity Verification You have completed this task when you attain these results: You have modified the NAD configuration for SNMP polling. You have observed the default profile configuration and enabled the HTTP probe. You have modified the profiler configuration to enable CoA and modify the default SNMP string to . You have observed the profiler exception actions. © 2018 Fast Lane Lab Guide 141 In this task, you will verify the profiling configuration on your pod WLC and 3k-access switch. Your pods NADs are already preconfigured. Activity Procedure Complete these steps: 142 Step 1 On your Admin PC in Firefox, open a new tab. Step 2 Click the vwlc bookmarking in the toolbar. Step 3 Login with the credentials Admin / 1234QWer. Step 4 Navigate to the WLANs tab. Step 5 Click WLAN ID 1. Step 6 Click the Advanced tab. Step 7 Scroll down to the right-hand side section Radius Client Profiling. Step 8 Verify both DHCP Profiling and HTTP Profiling are enabled. Step 9 Click Apply at the top and click OK to the pop-up message. Step 10 Click the < Back button. Step 11 Verify the same configuration on your other WLANs (2 & 3). Step 12 Return to the ISE Admin Portal tab. Step 13 Access your 3k-access switch. Step 14 Run the following commands to see the preconfigured SNMP configuration. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Note You may notice that the switch is configured for SNMP trap functionality. The switch configuration is used for multiple classes. Some of which use the SNMP trap functionality. Since the switch is preconfigured, if you desire to explore this functionality after your lab is complete, all you would need to do is enable the SNMP trap probe and enable the trap query functionality in your Cisco ISE NAD SNMP definition. Step 15 Run the following command to see the preconfigured ip helper-address configuration for the ACCESS VLAN 10, and GUEST VLAN 50, that send DHCP packets to both the DHCP server, and the ISE node. Step 13 Enable interface GigabitEthernet1/0/2 with a no shutdown command to prepare it for the next Lab. Activity Verification You have completed this task when you attain these results: You have verified the WLC WLAN configurations for DHCP and HTTP profiling. You have verified the 3k-access configuration for SNMP and DHCP profiling. © 2018 Fast Lane Lab Guide 143 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure the Cisco ISE Profiler service to use profiling data to make policy determinations. You will examine profiled endpoint data, create logical profiles, and use that profile as an identity condition for authorization policy. Finally, you will create a custom profiler policy based on observed endpoint data. In this activity, you will configure the Cisco ISE profiler service to use profiling data to make policy determinations. After completing this activity, you will be able to meet these objectives: Examine Endpoint profiled data Create a Logical Profile Utilize a Logical Profile as an Identity condition for authorization policy selection Create a custom profiler policy based on observed endpoint data. The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC 144 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will examine the collective endpoint data since turning profiling on Cisco ISE. Activity Procedure Complete these steps: Step 1 On your Admin PC in the Cisco ISE Admin portal navigate to Work Centers > Profiler > Endpoints Classification (Or Context Visibility > Endpoints). Step 2 Observe the list of endpoints that have been learned since the enabling profiling. You may have more than one page to view, and other pages can be viewed. Use the arrows in the upper right near the Rows, Page column to view more pages. Also, you can sort on any heading in either ascending or descending order. Step 3 Click the endpoint profile for the Cisco-WLC endpoint. Step 4 Observe the indicated attributes for this endpoint and that the EndPointSource is the SNMP Query Probe. If you scroll down, you also observe CDP related attributes as indicated in the second screenshot. © 2018 Fast Lane Lab Guide 145 146 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 5 Return to the Endpoint List. Profile your pod Guest PC Step 6 Access your W7PC-Guest. Step 7 Log in with the credentials Administrator / 1234QWer. Step 8 On the desktop double-click the Win7-Guest PC Network Connections icon or alternately open the Control Panel and select View network status and tasks under the Networking and Internet section. Click Change adapter settings. Step 9 Observe the Win7pc-Guest-wired NIC is disabled. Step 10 Enable the Win7pc-Guest-wired. Step 11 Wait a moment for the NIC to come up. Step 12 Right-click the NIC and choose Status. Step 13 Click the Details button. © 2018 Fast Lane Lab Guide 147 Step 14 Your machine should have an IP address in the 10.1.50.x network. Record the Physical Address (MAC Address) below. Physical Address: 148 Step 15 Close all open dialog boxes. Step 16 Return to your admin PC and on your list of endpoints click the refresh button. Step 17 You should now have at least one Microsoft-Workstation or VMware Device endpoint profile added to your list. Step 18 You should also see the Hostname and IP Address for this record in the list. Step 19 Edit this endpoint profile to observe the endpoint attribute data. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 20 Observe that the attribute list contains much more data than seen before for other endpoints. Pay particular attention to the following list of attributes: EndPointSource IdentityGroup MatchedPolicy NAS-Port-Id OUI Total Certainty Factor client-fqdn dhcp-class-identifier host-name Step 21 Return to the Endpoint List. Step 22 Disable the NIC on the W7PC-guest again. Activity Verification You have completed this task when you attain these results: You have observed the endpoint data that was automatically discovered via your profiler configuration of the previous lab. You have brought online your pod Guest PC and observed the endpoint data associated with its automatic profiling upon coming on to the network. © 2018 Fast Lane Lab Guide 149 In this task, you will create a logical profile that will be utilized in a future authorization policy. Activity Procedure Complete these steps: Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Profiling Policies and then in the left pane select Logical Profiles. Step 2 In the right pane click the +Add button. Step 3 Create the following Logical Profile: Step 4 Attribute Value Name Approved_Smart_Devices Description Devices on the corporate approved Smart Devices list Assigned Polices mark all available Android- Click Submit. Activity Verification You have completed this task when you attain this result: You have created a logical profile for corporate approved smart devices. 150 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will create an authorization policy assigning the previously configure logical profile to a fixed authorization profile. Activity Procedure Complete these steps: Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Policy Sets and enter the Wireless_Access policy set. Step 2 Click the gear icon on the right to insert a new policy above the Guest Access policy. Smart Devices Authorization Policy Attribute Value Rule Name Smart Devices Conditions (identity groups and other conditions EndPoints:LogicalProfile EQUALS Approved_Smart_Devices Results (Profiles) Guest Access Step 3 Scroll down and click Save. Activity Verification You have completed this task when you attain this result: You have configured a Smart Devices authorization policy using the logical profile corporately approved devices. © 2018 Fast Lane Lab Guide 151 In this task, you will create a custom profile policy for your pod vWLC. . Activity Procedure Complete these steps: 152 Step 1 In your Cisco ISE admin portal navigate to Work Centers > Profiler > Endpoints Classification. Step 2 Find the VMWare-Device for your pod vWLC. The IP address is 10.1.100.61. It is possible that you may have a VMWare-Device (Endprofile Cisco-WLC) without an IP address. Try that endpoint. Step 3 Observe the following endpoint attribute data. You will be using this data to create a custom policy to automatically profile your pod vWLC. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 4 Navigate to Work Centers > Profiler > Profiling Policies. Step 5 Click the +Add button in the right pane of Profiling Policies. Step 6 Create the following policy. Verify your configuration with the screenshot before submitting. © 2018 Fast Lane Lab Guide 153 Cisco vWLC Profiling Policy Attribute Value Cisco-vWLC Policy to detect Cisco vWLC 100 VMWare-Device SNMP:sysDescr EQUALS Cisco Controller EQUALS 1.3.6.1.4.1.9.1.1631 AND SNMP:sysObjectID 100 154 Step 7 Click Submit. Step 8 Return to Work Centers > Profiler > Endpoints Classification. Step 9 In your Endpoints list you should now see an endpoint that has been assigned the Cisco-vWLC endpoint profile. It may be necessary to click the refresh button in the upper right of the list. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 10 Edit this endpoint. Step 11 Observe the IdentityGroup has been set to Cisco-vWLC. This can now be utilized in Authorization policies to assign specific authorization profiles if desired. Note Due to time constraints you will not be performing the task of setting an authorization policy using the Identity Group. The process would be similar to when you created a policy using the Logical Profile. Instead of creating a Condition you would utilize Identity Groups selecting the Cisco vWLC Identity Group. Activity Verification You have completed this task when you attain these results: You have identified endpoint profile data that can be utilized to create a profile policy. You have created a custom profile policy utilizing the data. You have observed your custom profile policy being applied to your pod vWLC. © 2018 Fast Lane Lab Guide 155 In this task, you will access the network with your Tablet and makes the previously configured Smart Devices authorization policy. Activity Procedure Complete these steps: 156 Step 1 Access your pod Tablet. Step 2 Navigate to WLAN. Step 3 If you are still connected to any Pod## SSID, select it and click FORGET in order to clear any previous cached settings or credentials. Step 4 Return to the Cisco ISE Admin Portal on the Admin PC. Step 5 Navigate to Work Centers > Profiler > Endpoints Classification. Step 6 Search for the Tablet by typing Android into the Endpoint Profile Search field. Step 7 Select and then Delete (Trash > Selected) the Android using the toolbar. Confirm Yes to delete. Step 8 Go to your pod vWLC tab and remove all clients. (Monitor > Clients) Step 9 Return to your Tablet. Step 10 Click the ##-guest SSID for your pod. Step 11 Open a browser and trigger the webauth by browsing to 1.1.1.1. Step 12 Sign On with the credentials employee1@demo.local / 1234QWer. Step 13 Return to the ISE Admin Portal and navigate to Operations > Radius > Live Log and observe the authentication records. Step 14 Observe that the employee1 login was assigned the Guest Access Authorization Profile. Step 15 Click the authentication details for this record. Step 16 Scroll down to the Other Attributes section and observed the LogicalProfile attribute. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Note If you receive the Device ID instead of the Logical Profile that is a known bug in the ISE 2.4. Step 17 Click Authentication in the top of the Window. Scroll up and observe the Steps section. Look for the following two step entries towards the end, 15048 and 15004. Step 18 Return to the Cisco ISE Admin portal. Step 19 Navigate to Work Centers > Profiler > Endpoints Classification. Step 20 Find and click the Tablet Endpoint Profile name or select the checkbox and click Edit it in the toolbar. Step 21 Observe the LogicalProfile assigned. © 2018 Fast Lane Lab Guide 157 158 Step 22 Click Authentication in the top of the Window. Scroll up and observe the Steps section. Look for the following two step entries towards the end, 15048 and 15004. Step 23 This same information can also be found from the Home tab and selecting Active Endpoints or Authenticated Guests. If time permits, take some time to explore this resource as well by clicking either location, and examining the options, and information available to you. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Discussion The policy you just configured is a hardware-based policy. As you can see from the previous task steps, the employee1 user logging into a smart device was given Guest Access instead of Wireless Employee Access. At this point in time if the smart devices policy was truly an exclusive approved list of devices that was allowed to access the network, you could use the Approved_Smart_Devices logical profile as an additional condition for each wireless authorization policy. By adding this as an additional condition to the employees, contractors, an network. Only successfully profiled hardware that matches the individual or component polices of the Logical Profile would be permitted. Remember also, that policies are evaluated in a top-down order. This policy was purposely placed near the top to exemplify this fact. It is important to always consider context-based attributes or information when creating policies. Due to limited lab time in this five-day class, you will not be configuring your policies as such. In the next steps, you will disable the Smart Devices authorization policy for simplicity and time sake Disable the Logical Profile Authorization Policy Step 24 Navigate to Work Centers > Profiler > Policy Sets and enter the Wireless_Access policy set. Step 25 Disable the Smart Devices authorization policy rule. Step 26 Confirm that your policy is disabled and matches the following screenshot. Step 27 Scroll down and click Save. Activity Verification You have completed this task when you attain these results: You have successfully connected to the network via your pod Tablet and matched authorization policy utilizing the Profiling Logical Profile condition configure earlier in this lab. You have observed a Guest Access authorization profile assigned to an employee based on this rule. You have read the Discussion section of this task. You have disabled the Authorization Policy which utilizes the Profiling Logical Profile condition. © 2018 Fast Lane Lab Guide 159 Complete this lab activity to practice what you learned in the related module. In this activity, you will run reports that focus on profiling data. After completing this activity, you will be able to meet these objectives: Run Profiler Feed Reports Run Endpoint Profile Changes Reports Run Profiled Endpoints Summary Report Run profiling based reports from the Cisco ISE Dashboard The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC 160 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will run reports based on profiling data gathered in previous labs. Activity Procedure Complete these steps: Step 1 In the ISE admin portal, navigate to Work Centers > Profiler > Feeds. Step 2 Verify in the Update Information and Options section that a Latest applied feed occurred. Note Step 3 Note If you have no timestamp indicating a successful update operation, you may have to perform these steps at a later time. Please notify your instructor but your pod does not have a timestamp. Click the Go to Update Report Page link as indicated in the above screenshot. This will automatically run the Change Configuration Audit report from the FeedService administrator. Oops. Something went wrong in the ISE 2.4. Skip the next steps and jump to Task2. Step 4 Observe the details of the Added and Changed configurations. If you see no entrys, click the Update Now from the Feed Service Configuration page again. Step 5 Click one of the Added configuration (if available) event hyperlinks. Step 6 Observe the details paying specific attention to any Object Names and the data in the Modified Properties. Step 7 Close this tab and return to the Change Configuration Audit report tab. Step 8 Click one of the Changed configuration event hyperlinks. © 2018 Fast Lane Lab Guide 161 Step 9 Observe the details for this event. Step 10 Close this tab and then close the Change Configuration Audit report tab. Step 11 Open Thunderbird. Step 12 Navigate to the inbox of the admin@demo.local account and find the ISE System Message: Feed OUI applied update email and open it. Step 13 Note upon the date of your class. This is an indication of further updates since the above screenshot. Step 14 Return to the Inbox and open the ISE System Message: Fee policies applied update email. Step 15 Observe the number of feed policies applied. Note Step 16 Your number of policies may vary depending upon the date of your class. This is an indication of further updates since the above screenshot. Return to the ISE Admin Portal. Activity Verification You have completed this task when you attain these results: You have observed the Feed Service updates and changes. You have observed the email reports generated by the Feed Service. 162 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will run reports that are related to profiled endpoints. Activity Procedure Complete these steps: Step 1 Navigate to Work Centers > Profiler > Reports. Step 2 In the Reports pane navigate to Profiler Reports > Endpoint Profile Changes. Step 3 Filter the report using the Time Range of Last 7 Days. Step 4 Compare the Endpoint Profile (Before) pie chart to the Endpoint Profile (After) pie chart and observe the additional data as a result of enabling profiling. Step 5 Scroll down to view a list of the Endpoint Profile Changes. Step 6 Click a record detail to see which probe ran that caused the change. Step 7 Return to the ISE Admin portal when done. Profiled Endpoints Summary Report Step 8 In the Reports pane navigate to Profiler Reports > Profiled Endpoint Summary. Step 9 Filter the report using the Time Range of Last 7 Days. Step 10 Observe the Details and then the Raw details of a record. Step 11 In the Raw details report page, click one of the Endpoint property hyperlinks and observe the additional level of detail available in the pop-up message. Step 12 Return to the ISE Admin portal when done. Activity Verification You have completed this task when you attain these results: Run Endpoint Profile Changes and Summary reports, and observe the data that is contained in those reports. © 2018 Fast Lane Lab Guide 163 In this task, you will view the metrics available via the Context Visibility feature in the Cisco ISE admin Portal. Activity Procedure Complete these steps: 164 Step 1 Navigate to the Context Visibility > Endpoints > Endpoints Classification tab. Step 2 In the ENDPOINTS dashlet, click the new window icon to detach, and open the dashlet in a new tab, to drill down for further details. Step 3 In the new ENDPOINTS dashlet tab, click the Profile link to observe all profiled endpoints that ISE has seen. Step 4 By hovering your mouse over any individual section of the circle graph, ISE will display the number of devices per that category. Step 5 Similarly, the Home > Summary > Endpoints page will display the same information, and other summary information. Both Context Visibility and Home pages can be customized to meet your needs. You can add new Dashboards, or Dashlets, by clicking the gear icon in the upper right corner of the pane. Step 6 Close all newly opened tabs and return to the ISE Admin portal when done. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Verification You have completed this task when you attain these results: You have run the Profile Feed report. That you have on Endpoint Profile Changes report You have run the Profile Endpoints Summary report. You have observed metric the date on the homepage and run a report from the Profiler Activity dashlet. © 2018 Fast Lane Lab Guide 165 In this activity, you will configure Cisco ISE for BYOD onboarding. You will start by creating e a customized My Device portal. Next, you will how Cisco ISE can dramatically reduce your operational overhead. You will configure a scenario in which certificates are automatically provisioned, via the Cisco ISE internal CA. These certificates will be deployed via a Native Supplicant Provisioning profile, which you will define. You will configure a certificate authentication profile, and this profile will use attributes from internally deployed CA certificates. With all this in place, you will configure Cisco ISE authentication and authorization policies for BYOD access. You will then use this configuration to onboard a mobile BYOD device. In this activity, you will configure Cisco ISE for BYOD on boarding. After completing this activity, you will be able to meet these objectives: Create a customized My Device portal Configure Cisco ISE to provision certificates via the internal CA and deploy those certificates via a Native Supplicant Provisioning profile Configure a certificate authentication profile that utilizes the attributes from the internally deployed CA certificates Configure Cisco ISE authentication and authorization policies for BYOD access Onboard a mobile BYOD device The figure illustrates what you will accomplish in this activity. 166 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC © 2018 Fast Lane Lab Guide 167 In this task, you will create a customized My Devices portal for employee device management. Activity Procedure Complete these steps: Portal Enablement Step 1 Navigate to Work Centers > BYOD > Overview. Take a moment to review the three major phases of BYOD configuration Prepare, Define, Go Live & Monitor. Step 2 Step 3 My Devices Portals via Work Centers > BYOD > Portals & Components > My Devices Portal, or via Administration > Device Portal Management > My Devices. In the right pane click Create. Step 4 Create the following portal. My Devices Portal Settings and Customization Attribute Value Portal Name Demo Description Device Portal for Demo Employees My Devices Portal Behavior and Flow Settings Portal Settings HTTPS Port 8443 Allowed interface Gigabit Ethernet 0 Certificate group tag ISE Lab CGT Fully qualified domain name (all FQDN) mydevices.demo.local Endpoint identity group RegisteredDevices Authentication method MyDevices_Portal_Sequence Idle timeout 10 Display language Use browser locale Login Page Settings Maximum failed login attempts before rate limiting 5 Time between login attempts when rate limiting 2 Include in AUP page [X] Require acceptance on page [X] Acceptable Use Policy (AUP) Page Settings Include in AUP page Require scrolling to end of AUP Show AUP [X] [ ] On first login only Post-Login Banner Page Settings Included Post Login Banner page 168 [X] Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Employee Change Password Settings Allow internal users to change their own passwords [ ] Support Information Is Settings Included Support Information page [X] Fields to include [ X ] MAC address [ X ] IP address [ X ] Browser user agent [ X ] Policy server [ X ] Failure could Empty fields Step 5 Hide field Scroll up and click Save and then Close. Tip Enabling the Support Information feature is an easy way to provide the end user with a place to go to see their MAC address. Consider using some of the instructional or optional fields on the My Devices and Add Devices page or others to provide this information to the end user. Note Later in the lab we will also be using a BYOD portal. For-time sake we will use the Cisco default portal. If you want, you may optionally customize that portal by adding the same images as above and saving the portal. Portal Authentication Modification Step 6 Navigate to Work Centers > BYOD > Identities > Identity Source Sequences. Step 7 Edit the MyDevices_Portal_Sequence Step 8 Move the All-AD-Join_Points to the top of the list in the Authentication Search List Selected box in order to optimize processing since most user accounts who will be using this feature are located in Active Directory Step 9 Scroll down and click Save. Portal Authentication Test Step 10 Return to Work Centers > BYOD > Portals & Components > My Devices Portals and edit the Demo My Devices portal. Step 11 At the top to the right of the Description field click the Portal test URL. © 2018 Fast Lane Lab Guide 169 Note 170 If Firefox returns an error, please access the portal with Internet Explorer Step 12 You should see the My Devices Portal but you previously configured. Step 13 Login with the Active Directory user credentials employee1@demo.local / 1234QWer Step 14 Accept the AUP and click Sign On. Step 15 Then press Continue. Step 16 You have successfully logged into the My Devices Portal using Active Directory credentials. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 17 Return to your Cisco ISE Admin portal. Activity Verification You have completed this task when you attain these results: You have created a custom My Devices portal for Demo employees. You have optimized the portal Authentication sequence processing by configuring it to process AD accounts first. You have reviewed the customized My Devices via a desktop browser. © 2018 Fast Lane Lab Guide 171 In this task, you will configure certificate provisioning using the internal CA functionality Cisco ISE. You will then configure a supplicant provisioning policy utilizing that internal CA provisioning configuration. Cisco ISE comes with a default certificate template which could be used for BYOD. You will use that default certificate template with a few modifications that are specific to this deployment. Note It is important that any time a default template is used, it is modified to fit the specific installation environment. Activity Procedure Complete these steps: Certificate Provisioning Step 1 Note There are some trusted third party CA certificates existing. If you need other CA certifiactes, you can import certificates in these section. Step 2 In the left pane select Certificate Management > Certificate Signing Requests. Step 3 Click Generate Certificate Signing Requests (CSR). Step 4 Select ISE Root CA as the Usage Step 5 Click Replace ISE Root CA Certificate chain. Step 6 Wait until Generation has finished. Note Step 7 172 In your Cisco ISE admin portal, navigate to Administration > System > Certificates and then in the left pane select Certificate Management > Trusted Certificates. Your ISE implies all CA functions and will act as the root CA, Node CA, endpoint sub CA and OSCP responder CA. Observe Root CA certificate and the sub certificates generated. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 8 In your Cisco ISE admin portal, navigate to Work Centers > BYOD > Portals & Components and then in the left pane select Certificates > Certificate Templates. Step 9 Edit the EAP_Authentication_Certificate_Template. Step 10 Modify the template according to the following table. Verify configuration with the subsequent screenshot. Note In this configuration, you will be configuring the OU to be the distinguishing attribute that will store the functional purpose of the certificate inside each certificate that is issued. By performing the step, an Authorization Policy rule could be configured with a condition to match this attribute and then apply the appropriate authorization profile. BYOD EAP Authentication Certificate Template © 2018 Fast Lane Parameter Description Name BYOD_EAP_AUTH_365 Description BYOD certificate template for approved Demo access Organizational Unit (OU) BYOD Organization (O) The Demo Shop City (L) San Jose State (ST) California Country (C) US Subject Alternative Name MAC Address Key Type RSA Key Size 2048 SCEP RA Profile ISE Internal CA Valid Period 365 Lab Guide 173 Step 11 Scroll down and click Save Client Provisioning and Native Supplicant Provisioning Step 12 Navigate to Work Centers > BYOD > Client Provisioning. Step 13 Create a new policy rule in the top of the policy according to the following table. You will be creating a new Native Supplicant Profile (NSP) in line. Perform the instructions after the table for the creation of the NSP. Insert the new rule in the top of the policy. iOS_WPA2_BYOD Client Provisioning Policy Rule 174 Attribute Value Rule Name Android_WPA2_BYOD Identity Groups Any Operating Systems Android Other Conditions demo.local:ExternalGroups EQUALS demo.local/Users/Domain Users Results Android_WPA2_TLS_BYOD <See below> Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Inline Native Supplicant Profile Procedure Step Action Notes 1. Expand Results. 2. Click the down selector icon to Choose a Wizard Profile. 3. Click the cog in the toolbar area. 4. Select Create New Profile. 5. Create a Native Supplicant Profile using the following data. Name Android_WPA2_TLS_BYOD Description Pod ## BYOD NSP Operating System Android Connection Type Wireless SSID ##-wpa2e Security WPA2 Enterprise Allowed Protocol TLS Certificate Template BYOD_EAP_AUTH_365 6. It is important that your pod SSID (##-wpa2e) match what is exactly configured for your pod. Having your WLC portal open in a separate tab and performing a copy/paste from there is the most reliable method. Pod 00 is used to make the screenshot generic. Replace 00 with your actual pod number. Click Save. Step 14 Click Save. Step 15 Compare your configuration with the following screenshot. © 2018 Fast Lane Lab Guide 175 Step 16 Scroll down and click Save Activity Verification You have completed this task when you attain these results: You have configured a Certificate Template for BYOD access. You have configured the Client Provisioning rule using an in-line created NSP specific for your pod SSID and assigning the BYOD certificate template. 176 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure the policy components for BYOD access. Activity Procedure Complete these steps: Certificate Authentication Profile Creation Step 1 Navigate to, to Work Centers > BYOD > Ext Id Sources > Certificate Authentication Profile. Step 2 In the right pane, click +Add to create a Certificate Authentication Profile according to the following information. Certificate Authentication Profile Attribute Value Name CN_USERNAME Description Subject contains CN=username Identity Store [not applicable] Use Identity From Subject Common Name Match Client Certificate Against Never Certificate In Identity Store Step 3 Verify your configuration with the following screenshot then click Submit. Identity Source Sequence Creation Step 4 Navigate to Work Centers > BYOD > Identities > Identity Source Sequences. Step 5 Click +Add to create an Identity Source Sequence according to the following information. Identity Source Sequence Attribute Value Identity Source Sequence © 2018 Fast Lane Name DOT1X_X509_Username Description ISS to get username from certificate Lab Guide 177 Attribute Value Certificate Based Authentication Select Certificate Authentication Profile CN_USERNAME Authentication Search List Selected All_AD_Join_Points Internal Users Guest Users Advanced Search List Settings If the selected identity store cannot be access for authentication Step 6 178 Treat as if the user was not found and proceed to the next or in the sequence Verify your configuration with the following screenshot then click Submit. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Allowed Protocols Review Step 7 Navigate to Work Centers > BYOD > Policy Elements > Results > Allowed Protocols, Step 8 In the right pane, click Default Network Access. Observe that EAP-TLS and PEAP with an inner method to EAP-TLS are both allowed. This is sufficient for this access use case (TLS client certificate-based access). Tip - low EAP- flexibility. Enabling this feature by itself weakens the security that is inherent in the expiration process of X.509v3 certificates. However, Cisco ISE has a dictionary condition, CertRenewRequired, which could be used in an Authorization Policy near the top or as a Global Exception policy, which evaluates the expiration of the certificate and if it is expired, can be used to apply an Authorization Profile that redirects to the CWA portal. Hovering your mouse over the (i) icon at the end of the line will pop-up a message indicating this as shown in the following screenshot. Authentication Policy Configuration Step 9 Navigate to Work Centers > BYOD > Policy Sets and then Wireless_Access > Authentication Policy. Step 10 Clone the Dot1X authentication policy rule by clicking on the gear icon at the far right. Select from the menu Duplicate above. © 2018 Fast Lane Lab Guide 179 Step 11 Modify the rule with the following parameters. Authentication Policy Rule Attribute Value Name DOT1X_EAP_TLS Condition Wireless_802.1X AND Network Access:EapAuthentication equals EAP-TLS Use DOT1X_X509_Username Options 180 If authentication failed Reject If user not found Reject If process failed Drop Step 12 Compare your rule with the following screenshot. Step 13 Scroll down and click Save. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Authorization Profile Configuration Step 14 Navigate to Work Centers > BYOD > Policy Elements > Results > Authorization Profiles. Step 15 Create and Save the two following Authorization Profiles. WLC Native Supplicant Provisioning Authorization Profile Attribute Name Value Name WLC_NSP Common Tasks Web Redirection Native Supplicant Provisioning ACL: NSP_ACL Value: BYOD Portal (default) WLC User Access Authorization Profile Attribute Name Value Name WLC_User Access Common Tasks Airespace ACL Name USER_ACL Authorization Policy Configuration Step 16 Navigate to Work Centers > BYOD > Policy Sets and then Wireless_Access > Authorization Policy. Step 17 Insert the two following authorization policy rules in the top of the authorization policy. BYOD NSP Authorization Policy Attribute Value Rule Name BYOD NSP Conditions (identity groups and other conditions) Results (Profiles) © 2018 Fast Lane Network Access:EapAuthentication EQUALS EAP-MSCHAPv2 AND demo.local:ExternalGroups NOT_EQUALS demo.local/Users/Domain Computers WLC_NSP Lab Guide 181 BYOD Access Authorization Policy Attribute Value Rule Name BYOD Access Conditions (identity groups and other conditions) Results (Profiles) Caution 182 Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:CallingStation-ID WLC_User Access Be sure to select RADIUS attribute 31 instead of 30. Attribute 31 will give you the MAC address of the endpoint whereas attribute 30 will give you the MAC address of the NAD. Radius:Calling-Station-ID--[31] instead of Radius:Called-Station-ID [30] Step 18 Scroll down and click Save. Step 19 Compare your configuration with the following screenshot. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Verification You have completed this task when you attain these results: You have configured a certificate authentication profile that will use the subject common name as the username. You have configured in identity source sequence that utilizes the certificate authentication profile. You have reviewed the allowed authentication protocols to see that they allow EAPTLS. You have configured authentication policy which matches certificate authentication and uses the source sequence which you have configured. You have configured authorization profiles to provision the certificate using NSP and to permit BYOD access. You have configured two authorization policy rules for NSP and for BYOD access. © 2018 Fast Lane Lab Guide 183 In this task, you will login to the Tablet as an employee to perform the BYOD registration. You will then connect with the provisioned configuration and deployed certificate. Activity Procedure Complete these steps: Endpoint Cleaning from Previous Labs Step 1 Caution 184 Access your Tablet according to your lab specific instructions. If you are having difficulty, notify your instructor. Do not attempt to modify configurations in troubleshooting. Step 2 Navigate using your mouse to WLAN. Step 3 Click the saved/connected SSID(if any applicable) and at the bottom right, click FORGET in order to clear any previous cached settings or credentials. Step 4 Return to the Cisco ISE admin portal. Step 5 Navigate to Work Centers > BYOD > Identities and then in the left pane select Endpoints. Step 6 Select the Tablet, if present and then delete it using the toolbar. Confirm Yes to delete. Step 7 You may have to manually clear the client from the WLC if you perform these steps quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal disruptions and roams. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Tablet Onboarding Step 8 Access the Tablet. Step 9 Access the ##-wpa2e SSID for your pod. Log in using the credentials employee1@demo.local / 1234QWer. Step 10 Open a browser. Step 11 If you are not automatically redirected to the ISE BYOD portal, trigger it by typing 1.1.1.1, for example. Step 12 Process through the BYOD portal process by clicking Start. Step 13 Enter the device name employee1_Tablet in the description My Tablet. Also observe that the Device ID or MAC address is included on the bottom. Step 14 Click Continue. © 2018 Fast Lane Lab Guide 185 Step 15 Note 186 DO NOT CLICK The Cisco Network Setup Assistant has been preinstalled on the Tablet. Step 16 Examine the page. For Android devices a Cisco proprietary application is needed to perform the automatic profile and certificate installation process. Step 17 On the Tablet press the Home button, then in the main view locate and open the Cisco App Network Setup Assistant. Step 18 Click Start inside the Network Setup Assistant and observe the provisioning procedure. Click PROCEED and CONNECT, if prompted. Step 19 If prompted, enter the Tablet PIN 1234. Step 20 When presented with the certificate package for the user, leave all defaults and click OK. Step 21 When presented with the root certificate, leave all defaults and click OK. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 22 After the Cisco Network Setup Assistant downloaded and installed everything successfully, you will be automatically connected to SSID from the configured profile (##-wpa2e) and presented with the following seen left in the screenshot. Step 23 Click Exit, open the browser and verify browsing to the Internet, e.g. cisco.com is working. Step 24 In your Tablet navigate to Settings > Security > Trusted Credentials. Step 25 Under the section USER you should see the root-CA certificate, which you can examine by clicking, seen right in the top screenshot. © 2018 Fast Lane Lab Guide 187 Cisco ISE Admin Portal Verification 188 Step 26 Return to the Cisco ISE Admin Portal on the Admin PC. Step 27 Navigate to Operations > RADIUS > Live Logs and observe the authentication records. Step 28 Enter Android in the quick Filter Endpoint Profile for better verification. Step 29 Observe the following Logs. Step 30 Click the Details icon for the record that was assigned the Authorization Profile WLC_User Access. Step 31 Observe the Overview section and notice the indicated sections below. Step 32 Examine the Steps section and towards the bottom observe the 15048 messages indicating the EAP authentication and the querying of the Subject Common Name and the MAC address as the Radius Calling-Station-ID. Step 33 Close this tab and return to the Cisco ISE admin portal. Step 34 Navigate to Work Centers > BYOD >Identities > Endpoints. Step 35 Find the Tablet MAC address and click the MAC address in this list. Step 36 Find the DeviceRegistrationStatus is Registered and BYODRegistration is Yes indicating the Tablet status is an endpoint. Step 37 If the Device Registration says Pending, this is unfortunately a know bug. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 38 Scroll down to the Subject attribute lines. Observe the certificate details paying particular attention to the Subject Common Name values. Step 39 Return to the Cisco ISE admin portal and navigate to Administration > System > Certificates > Certificate Authority > Issued Certificates. Step 40 Select the endpoint certificate which has been deployed to the employee1 Tablet, click View in the toolbar and examine the details. Note © 2018 Fast Lane Use Google Chrome Browser, if the certificate details are not showing up correctly! Lab Guide 189 Tip If you scroll to the bottom you will see a SHA-1 and MD5 hash fingerprints. This could be useful for helpdesk operator to be able to verify a certificate with the user over the phone, for example. Step 41 Click Close. Activity Verification You have completed this task when you attain this result: You have successfully onboarded your pod Tablet and verified access according to the task steps. 190 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In the previous lab, you learned how to configure a BYOD solution. In this activity, you will learn how to manage that solution. The focus is on how to mark a device lost, and then stolen. You will examine Cisco ISE to see how the endpoint is processed for each of these situations. You will then reinstate a lost or stolen device. You will also process an endpoint for re-enrollment after a certificate has been revoked. In this activity, you will perform the steps to mark a device lost and then stolen. You will examine Cisco ISE to see how the endpoint is processed for each of these situations. After completing this activity, you will be able to meet these objectives: Mark a device as lost Mark a device is stolen Reinstate a lost or stolen device Process and endpoint for reenrollment after a certificate has been revoked The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC © 2018 Fast Lane Lab Guide 191 In this task, you will mark an on- Activity Procedure Complete these steps: Configure a local Exceptions Policy for the Blacklist devices Step 1 Navigate to Policy > Policy Sets > Wireless_Access > Authorization Policy Local Exceptions. Step 2 Click the + symbol to insert a new exception policy. Authorization Policy Local Exceptions Attribute Value Rule Name Blacklist Conditions (identity groups and other conditions IdentityGroup:Name equals Endpoint Identity Group:Blacklist Results (Profiles) Blackhole_Wireless_Access Step 3 Click Save. Updating the Blacklist Portal to use Configured Certificate Group Tag Step 4 Navigate to Administration > Device Portal Management > Blacklist. Step 5 Edit the Blacklist portal (default). Step 6 Change the certificate of the group tag from Default Portal Certificate Group to ISE Lab CGT. Step 7 At the top click Save. Update the Blacklist Authorization profile 192 Step 8 Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Step 9 Edit the Blackhole_Wireless_Access profile. Step 10 Scroll down and change the world redirect ACL from BLACKHOLE to BLACKLIST. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 11 Scroll down and click Save. Marking a Device as Lost Step 12 Open a new tab and navigate to the My Devices Portal either using the yDevices bookmarking in the toolbar or by using the URL https://mydevices.demo.local Step 13 Login with the credentials employee1@demo.local / 1234QWer. Step 14 Click the checkbox to accept to the AUP and then click Sign On. Step 15 Click Continue. Step 16 Observed that the status is Registered, else read the following Note. Note If the device status is still pending, then consider up to 20min for the profiling process. Tip Shutting the WLAN off and on might trigger the registration status from the tablet. Step 17 Manage the device by clicking on the record. Step 18 Click the Lost button. © 2018 Fast Lane Lab Guide 193 Step 19 Click Yes to acknowledge that you want to mark the device is lost. Step 20 Observed that the status is now Lost. Activity Verification You have completed this task when you attain this result: You have marked the employee1 Tablet endpoint as Lost. 194 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Procedure Complete these steps: Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs. Step 2 You should already observe an authentication success record for the employee1 Tablet but has the resulting Blackhole_Wireless_Access authorization profile result. Cisco ISE issued a CoA when the device was marked lost. The device automatically re-authenticated as it normally would and matched the Wireless Black List Default authorization policy rule. Step 3 Return to your Tablet and in a browser navigate to any website ot to 1.1.1.1. You should be redirected to the blacklist portal automatically. Activity Verification You have completed this task when you attain this result: You have been redirected to the blacklist portal on the Tablet. © 2018 Fast Lane Lab Guide 195 Activity Procedure Complete these steps: 196 Step 1 Return to the Cisco ISE admin portal. Step 2 Navigate to Context Visibility > Endpoints. Step 3 Find the Tablet MAC address and observe the record in this list. Step 4 Open the detail view for this endpoint. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 5 In the upper right search bar type employee1@demo.local. Step 6 Select employee1@demo.local from the suggestions box. Step 7 In the search results window, notice Blackhole_Wireless in the text. Click the record to view the details. Step 8 Observe that the current status is Authenticated & Authorized and assigned Blachole_Wireless_Access. © 2018 Fast Lane Lab Guide 197 Step 9 Click Endpoint Details at the top. Step 10 Observe the Identity Group in the Authorization Profile. Step 11 Close the result box by clicking on the X in the upper right-hand corner. Activity Verification You have completed this task when you attain this result: You verified map the endpoint has been marked Lost. 198 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Procedure Complete these steps: Step 1 On the Admin PC access the previously opened My Devices Portal tab. Step 2 It is likely that your session has timed out. Login credentials employee1@demo.local / 1234QWer if necessary. Step 3 Click Accept to the AUP and then click Continue. Step 4 Manage the device by clicking on the record. Step 5 Click Reinstate. Step 6 Click Yes to the pop-up. Step 7 Observe the device status has been returned to Registered. Activity Verification You have completed this task when you attain this result: You have reinstated the employee1 Tablet and observe the status as Registered. © 2018 Fast Lane Lab Guide 199 In this task, you will verify network access after the device was Reinstated. Activity Procedure Complete these steps: Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs. Step 2 You should already observe an authentication success record for the employee1 Tablet but has the resulting WLC_User Access authorization profile result. Cisco ISE issued a CoA when the device was marked Reinstated. The device automatically re-authenticated as it normally would and matched the BYOD Access authorization policy rule. Step 3 Return to the Tablet and in a browser, navigate to cisco.com. You should be up to successfully connect to the webpage. Activity Verification You have completed this task when you attain these results: You have observed the proper authorization profile for the registered BYOD device. You have successfully connected to a webpage. 200 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will mark a device as stolen and observe the endpoint and certificate status. You will then reinstate and then re-onboard device. You will not go through the process of testing access while marked as stolen in the interest of brevity as you have already tested blacklisted access a previous task. Activity Procedure Complete these steps: Marking a Device as Stolen Step 1 Return to the Admin PC and to the My Devices Portal. Step 2 It is likely that your session has timed out. Login credentials employee1@demo.local / 1234QWer if necessary. Step 3 Click Accept to the AUP and then click Continue. Step 4 Manage the device by clicking on the record. Step 5 Click the Stolen button. Step 6 Click Yes to acknowledge that you want to mark the device is still. Step 7 Observed that the status is now Stolen. Examining Endpoint Status and Record Step 8 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS > Live Logs. Step 9 You should see a denied access record for the Tablet. Examine Certificate Status Step 10 Click the authentication record detail icon. Step 11 In the Authentication Detail section observe the following fields indicating that the certificate has been revoked. © 2018 Fast Lane Lab Guide 201 Step 12 Return to the Cisco ISE admin portal and navigate to Administration > System > Certificates > Certificate Authority > Issued Certificates. Step 13 Use Google Chrome Browser, if the certificate details are not showing up correctly! Step 14 In the list of certificates observed that the status is now Revoked for the Tablet certificate. Step 15 View the certificate details and observe the certificate status is revoked with a red X icon. Step 16 Close the certificate detail. Reinstating Device 202 Step 17 Return to the My Devices Portal. Step 18 Notice in the toolbar there is no toolbar button to reinstate or un-revoke a certificate. Step 19 Click the Reinstate button. Step 20 Click Yes. Step 21 Observe the device status is now Not Registered. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Re-Onboarding Device Step 22 Return to your Tablet and observe your ##-wpa2e WLAN SSID. Step 23 You should notice that it is not possible to join the ##-wpa2e WLAN. Step 24 Select the WLAN and at the bottom right, click FORGET. Step 25 Navigate to Settings > Security > Clear credentials Step 26 Click Clear credentials and Remove all the contents by clicking OK. Step 27 Return to the WLAN list and attempt to join the ##-wpa2e WLAN. This should succeed by prompting you for credentials. Step 28 Enter the credentials employee1@demo.local / 1234QWer. Step 29 Open a browser and trigger a redirection to the ISE portal. Step 30 Go through the process of on boarding process before. Reference to previous lab steps if necessary. Step 31 Once complete navigate to cisco.com. This should succeed. Step 32 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS > Live Logs. Step 33 The employee1 Tablet should have been applied the WLC_User_Access authorization profile. To the right the device should also be in the Identity Group RegisteredDevices. Activity Verification You have completed this task when you attain these results: You have successfully marked the device a stolen. You have observed the device certificate authentication failure. You have examined the certificate status and observed it has revoked. You have reinstated the device via the My Devices Portal. You have deleted the certificate profile and reenrolled the Tablet. You have observed a successful BYOD certificate authentication. © 2018 Fast Lane Lab Guide 203 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure Cisco ISE settings and polices for compliance based access. After completing this activity, you will be able to meet these objectives: Configure Cisco ISE Posture Settings Configure Authorization Profile components for compliance based access Configure Authorization Policy rules for compliance based access The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC 204 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure Cisco ISE posture update settings that will be used later for compliance to check posture compliance of clients. Activity Procedure Complete these steps: Posture Updates You will perform a manual posture update in this section. Step 1 Navigate to Work Centers > Posture > Settings > Software Updates > Posture Updates. Step 2 Click the Automatically check for updates starting from initial delay check box to enable auto updates. After the initial download, this will perform an incremental update automatically from Cisco. Note By default, posture updates are configured to be retrieved from the web and automatic checking is disabled. Posture updates include a set of predefined checks, rules, and support list for antivirus and anti-spyware for both Windows and Macintosh operating systems. When you perform your initial update process usually takes approximately 20 minutes. Step 3 Click Save. Step 4 Click Update Now to start the initial posture update process. As mentioned above this process can take approximately 15 minutes. Note Step 5 © 2018 Fast Lane You can safely navigate away from this page and continue on to the next steps while this process works in the background. Observe the Update Information section below to view the status on updates. The following fields are useful in determining proper functioning, Last successful update on and Last update status since ISE was started. Lab Guide 205 Posture General Settings Step 6 Navigate to Work Centers > Posture > Settings > Posture General Settings. The settings on this page are used when there is no profile under the client provisioning policy. You will be configuring the client provisioning policy later in the lab. However, it is a good practice to set a baseline configuration here in the event that a policy is misconfigured or absent in the future. Step 7 Change the Remediation Timer field from 4 minutes to 20 minutes to allow for patching or other required remediation steps to be performed by the end-user. Step 8 Change the Default Posture Status setting from NonCompliant to Compliant. Step 9 Enable the Automatically Close Login Success Screen After setting and change the value from 0 to 3 seconds. Step 10 Click Save. Note Leaving the value at 0 would configure the client to not display login success screen. This may be optimal in some organizations. Posture Lease The default configuration as indicated in this section is to perform a posture assessment every time a user connects to the network. By enabling the second option, the system is considered to be compliant for the configured number of days (range 1 365) and will be checked at the configured interval. 206 Note No configuration change will be performed at this time. Note Posture leases are only applicable to Cisco AnyConnect Unified Agent access. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Portal Modification Step 11 Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals and edit the Demo-Sponsored portal. Step 12 Scroll down to the Guest Device Compliance Settings section and enable Require guest device compliance. Step 13 Scroll up and click Save, then click Close. Step 14 Navigate to Administration > Device Portal Management > Settings. Step 15 Configure the Retry URL as http://www.cisco.com/go/ise Step 16 Click Save. © 2018 Fast Lane Lab Guide 207 Activity Verification You have completed this task when you attain these results: You have configured Cisco ISE to retrieve posture update configurations from Cisco online. You have configured general posture settings for global posture processing. You have reviewed posture lease settings. You have modified the Demo Self-Reg portal to require guest compliance. 208 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure a simple compliance policy check. Activity Procedure Complete these steps: Create Downloadable ACLs for Compliance Step 1 Navigate to Work Centers > Posture > Policy Elements and then Downloadable ACLs. Step 2 Create the following AD Login Access dACL. Tip You can copy-and-paste the DACL content from http://tools.demo.local/cp/DACL_AD_LOGIN_ACCESS.txt Downloadable ACL ACL_AD_LOGIN Attribute Value Name acl_ad_login Description Permit access to AD login services and deny everything else. DACL Content © 2018 Fast Lane Lab Guide 209 Step 3 Create the following Posture Remediation dACL. Tip You can copy-and-paste the DACL content from http://tools.demo.local/cp/DACL_POSTURE_REMEDIATION.txt Downloadable ACL ACL_POSTURE_REMEDIATION Attribute Value Name acl_posture_remediation Description Permit access to posture services and remediation and deny everything else. DACL Content Step 4 Create the following Internet only dACL. Tip Copy-and-paste the DACL content from http://tools.demo.local/cp/DACL_GUEST_INTERNET.txt Downloadable ACL ACL_INTERNET_ONLY Attribute Value Name acl_internet_only Description Permit DHCP/DNS, Deny Internal, Permit everything else. DACL Content Step 5 210 A URL redirect ACL needs to pre-exist on a switch and cannot be a dACL. Your 3k-access switch is preconfigured with the ACL that you will use. It is named ISE-URL-REDIRECT. The contents of that ACL are included below for a time saving convenience. Note If you desire, you may open an SSH session via PuTTY and verify by issuing a . Note You will be referencing the name of the URL in authorization profiles. Spelling must match exactly. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Create Authorization Profiles for Compliance Step 6 Navigate to Work Centers > Posture > Policy Elements and then Authorization Profiles. Step 7 By clicking +Add in the right pane, create each of the following authorization profiles. Posture Remediation - Authorization Profile Attribute Name Value Name Posture Remediation Common Tasks DACL Name acl_posture_remediation Web Redirection Client Provisioning (Posture) ACL: ISE-URL-REDIRECT Value: Client Provisioning Portal (default) CWA Posture Remediation - Authorization Profile Attribute Name Value Name CWA Posture Remediation Common Tasks DACL Name acl_posture_remediation Web Redirection Centralized Web Auth ACL: ISE-URL-REDIRECT Value: Demo-Sponsored Internet Only - Authorization Profile Attribute Name Value Name Internet Only Common Tasks DACL Name Step 8 acl_internet_only Modify the Wired Domain Computer Access authorization profile to use the newer port restrictive dACL for AD Login, acl_ad_login and then click Save. Activity Verification You have completed this task when you attain this result: You have configured dACLs for utilization in compliance based access. You have configured Authorization profiles to be utilized during different stages of compliance based processing. © 2018 Fast Lane Lab Guide 211 In this task, you will adjust the authorization policy for compliance checking. Activity Procedure Complete these steps: Policy Set Evaluation Step 1 Navigate to Work Centers > Posture > Policy Sets and then to Wired_Access > Authorization Policy. Examine the authorization policy rules and notice that right now things are pretty clean. You have profiled IP phones, two rules for employees or contractors, a rule for domain computer authentication, and a default deny rule at the end. Having created all of the guest access rules under the wireless access policy has allowed the wired policy to stay clean. By using the condition function of policy sets to wired access into two different parts in a similar way that we split our overall access into wired and wireless policy sets. In the following section you will go to the process of creating a separate policy set for wired MAB access. This will allow you to consolidate all of your policies that would apply to wired map access in a central location without having to evaluate whether policy would apply to an 802.1X session or a MAB session. You will also modify the existing Wired_Access to apply to 802.1X sessions. Policy Set Modification Step 2 Click in the top Policy Sets to go back to the Policy Set overview. Step 3 Click the + symbol on the left side to create a new Policy Set in the top of your policy sets. Note Policy sets are evaluated like Access control lists, top down. Like ACLs, the order of your rules can determine if your policy functions as expected. Policy Set Name Wired_MAB_Access Description Wired_MAB_Access Wired MAB Device Access 212 Condition(s) Allowed Protocols / Server Sequence [ Drag & Drop Condition from Library ] Default Network Access Compound Condition > Wired_MAB Step 4 Click Use and verify your policy set with the following screenshot. Step 5 Click Save at the bottom or top. Step 6 Modify the Wired_Access policy set according to the table below. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Policy Set Name Wired_8021X_Access Desciption Condition(s) Wired_8021X_Access Wired 802.1X Device Access DEVICE:Device Type EQUALS All Device Types#Wired Allowed Protocols / Server Sequence Default Network Access AND Compound Condition > Wired_802.1X [ Drag & Drop Condition from Library ] Note While in this specific lab environment and configuration, it is not necessary to build a compound condition of device type wired and Wired_802.1X, the purpose for doing so is to illustrate the flexibility and capability of the policy set condition aspect of Cisco ISE. Tip Applying this logic, it would be possible to create a condition matching a specific device location and access method, wired or wireless, etc. and access type, MAB or 802.1X, to create and maintain organized policy sets. Step 7 Click Done and verify your modification with the following screenshot. Step 8 Click Save. Wired MAB Policy Set Modification Step 9 Select the Wired_MAB_Access policy set. Step 10 Edit the Default Authentication policy rule to Continue if the user is not found and select as Identity Source All_User_ID_Stores. © 2018 Fast Lane Lab Guide 213 Step 11 Add the following Authorization policy rule above the Default rule. Guest Internet - Authorization Policy Attribute Value Rule Name Guest Internet Conditions (identity groups and other conditions) NetworkAccess:UseCase EQUALS Guest Flow Results (Profiles) Internet Only Step 12 Modify the Default rule to use the authorization profile CWA Posture Remediation. Step 13 Verify your policy with the following screenshot. Step 14 Scroll down and click Save. Caution In a production environment it would be important to copy and create policy rules to facilitate profiled devices which would access the network by way of MAB. For the sake of time and due to the simplicity of this lab environment you will not be creating or configuring such rules. Wired 802.1X Policy Set Modification 214 Step 15 Select the Wired_8021X_Access policy set. Step 16 Edit the Wired AD Employees authorization policy rule. Step 17 Open the Conditions section. Step 18 Add a new Attribute/Value. Step 19 Configure the following condition: Session:PostureStatus EQUALS Compliant. Step 20 Verify the operand that is set to AND. Step 21 Click Use at the bottom. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Tip Saving the posture status condition to the library for reuse with a simplified name would make reading policy conditions in their final state easier than reading and attribute value statement. Step 22 Edit the Wired AD Contractors rule by adding the condition Session:PostureStatus EQUALS Compliant and verifying the operand is AND. Step 23 Click Use at the end of the line. Step 24 Add the following authorization policy rule above the Default rule. AD Posture Assessment - Authorization Policy Attribute Value Rule Name AD Posture Assessment Conditions (identity groups and other conditions) Results (Profiles) demo.local:ExternalGroups Equals demo.local/Users/Domain Users AND Session:PostureStatus NOT_EQUALS Compliant Posture Remediation Step 25 Click Use at the bottom. Step 26 Verify your configuration with the following screenshot. Step 27 Scroll down and click Save. Activity Verification You have completed this task when you attain this result: You have modified the Wired_Access Policy Set to process access based on compliance status. © 2018 Fast Lane Lab Guide 215 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure Cisco ISE to provision Cisco posture agents. You will configure client provisioning settings for updates from Cisco online. You will configure client resources for utilization in compliance-based access. Finally, you will configure client provisioning policies for the utilization of posture agents. In this activity, you will configure Cisco ISE to provision Cisco posture agents. After completing this activity, you will be able to meet these objectives: Configure Client Provisioning settings for updates from Cisco online. Configure Client Resources for utilization in compliance based access. Configure Client Provisioning policies for the utilization of posture agents The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC 216 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will review client provisioning settings and then perform a posture component update. Activity Procedure Complete these steps: Client Provisioning Settings Step 1 Navigate to Work Centers > Posture > Settings then to Software Updates > Client Provisioning. This page can all be accessed via Administration > System > Settings and then Client Provisioning. Step 2 Observe the default configuration that client provisioning is enabled by default. Activity Verification You have completed this task when you attain these results: You have reviewed the Client Provisioning settings. You have configured Cisco ISE to perform automatic posture updates; and initiated a manual update. © 2018 Fast Lane Lab Guide 217 In this task, you will configure Cisco ISE for utilization of Cisco posture agents (Cisco NAC Agent, Cisco NAC WebAgent, and Cisco AnyConnect Unified Client). Activity Procedure Complete these steps: Downloading Resources to your PC Step 1 In your Firefox browser, open a new tab and use your bookmark toolbar to navigate to tools > cp. (http://tools.demo.local/cp) Step 2 Download the following files. These files will be placed in your profile Downloads folder. anyconnect-win-4.5.04029.0-webdeploy-k9.pkg anyconnect-VPN-disable.xml anyconnect-NAM-EAP-FAST.xml Step 3 Return to the Cisco ISE Admin portal. Step 4 Navigate to Work Centers > Posture then to Client Provisioning > Resources. Step 5 In the right pane, click +Add and from the menu select Agent resources from Cisco Site. Step 6 After a moment, the list should populate. Select the following list of items. AnyConnectComplianceModuleWindows 4.3.50.0 or latest 4.3.xxxxx.x ComplianceModule 3.6.11017.2 or latest 3.6.xxxxx.x CiscoTemporalAgentWindows 4.5.02036 Step 7 Click Save to start the download process. Step 8 The Download will take several minutes. Adding resources to Cisco ISE 218 Step 9 Navigate to Work Centers > Posture then to Client Provisioning > Resources. Step 10 In the right pane, click +Add and from the menu select Agent resources from local Disk. Step 11 Select the category of Cisco Provided Packages. Step 12 Click Browse and navigate to your Downloads folder and select anyconnect-win-4.5.4029.0-webdeploy-k9.pkg and click Open. Step 13 Click Submit Step 14 Click Confirm when prompted to confirm the hash. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 15 Perform the same operation for the following files. Fill out the form according to the tables below. acNAMProfile - Customer Created Agent Resource Package Attribute Value Category Customer Created Packages Type AnyConnect Profile Name acNAMProfile Description AnyConnect NAM EAP-FAST Config File C:\Users\Administrator\Downloads\ anyconnect-NAM-EAP-FAST.xml Note The following profile is optional and cosmetic in nature. It is intended to hide the VPN tile of the AnyConnect client. acVPNdisableProfile - Customer Created Agent Resource Package © 2018 Fast Lane Attribute Value Category Customer Created Packages Type AnyConnect Profile Name acVPNdisableProfile Description Profile to disable the VPN tile in AnyConnect File C:\Users\Administrator\Downloads\ anyconnect-VPN-disable.xml Lab Guide 219 Configure AnyConnect Agent Profile Step 16 In the right pane, click +Add and from the menu select NAC Agent or AnyConnect Posture Profile. Step 17 Select AnyConnect from the dropdown box. Step 18 Create the following profile. AnyConnect Posture Agent Profile Settings Attribute Value AnyConnect *Name acWinPostureProfile Description AnyConnect Windows Posture Profile Agent behavior Enable debug log No Operate on non-802.1X wireless No Enable signature check No Log file size 5 MB Remediation timer 20 mins IP Address Change Enable agent IP refresh Yes VLAN detection interval 0 secs Ping or ARP Ping Maximum timeout for ping 1 secs DHCP renew delay 1 secs DHCP release delay 4 secs Network transition delay 3 secs Posture Protocol PRA retransmission time 120 secs Discovery host tools.demo.local * Server name rules *.demo.local Note Step 19 220 The discovery host needs to be something that will resolve via DNS to generate traffic (packets) to hit the url-redirect. That traffic will then be redirected to the supporting ISE node running the Policy Services persona. Scroll down and click Submit. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Create the AnyConnect Configuration File. Step 20 In the right pane, click +Add and from the menu select AnyConnect Configuration. Step 21 Create the following configuration. acConfigWin - AnyConnect Configuration Attribute Value * Select AnyConnect Package AnyConnectDesktopWindows 4.5.4029.0 * Configuration Name acConfigWin Description AnyConnect agent config for Windows * Compliance Module Anyconnect-win-compliance-4.3.50.0 or latest 4.3.* AnyConnect Module Selection ISE Posture [X ] VPN [ Network Access Manager [X ] Web Security [ ] AMP Enabler [ ] ASA Posture [ ] Network Visibility [ ] Umbrella Roaming Security [ ] Start Before Login [ ] Diagnostic and Reporting Tool [X ] ] Profile Selection ISE Posture acWinPostureProfile VPN acVPNdisableProfile Network Access Manager acNAMProfile Web Security Customer Feedback Customization Bundle Localization Bundle Deferred Update Allowed for AnyConnect Software No Minimum Version Required for AnyConnect Software 0.0.0 Allowed for Compliance Module No Minimum Version Required for Compliance Module 0.0.0.0 Prompt Auto Dismiss Timeout None Prompt Auto Dismiss Default Response Update Installation Options Uninstall Cisco NAC Agent © 2018 Fast Lane [ ] Lab Guide 221 Step 22 Scroll down and click Submit. Activity Verification You have completed this task when you attain these results: You have configured Cisco ISE to utilize the Cisco NAC Agent and created an associated NAC Agent posture profile. You have configured Cisco ISE to utilize the Cisco AnyConnect Unified Client and created an associated profile and AnyConnect configuration. 222 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure Cisco ISE to provision Cisco posture agents in order to enforce compliance base access. Activity Procedure Complete these steps: Configuring Client Provisioning Policies. Step 1 Navigate to Work Centers > Posture > Client Provisioning and then Client Provisioning Policy. Step 2 Add two new rules below Android_WPA2_BYOD according to the following tables. AC Employee Win All - Client Provisioning Policy Rule Attribute Value Rule Status Enable Rule Name AC Employee Win All Identity Groups Any Operating Systems Windows All Other Conditions demo.local:External Groups EQUALS demo.local/HCC/Groups/Employees Results Agent: Step 3 acConfigWin Verify your configuration with the following screenshot then click Save. Activity Verification You have completed this task when you attain this result: You have configured client provisioning policies for Cisco AnyConnect, Cisco NAC Agent, and Cisco NAC WebAgent. © 2018 Fast Lane Lab Guide 223 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure some simple Cisco ISE posture policies to provide for a functional orientation to posture policies. After completing this activity, you will be able to meet these objectives: Configure posture conditions Configure posture mediations Configure posture requirements Configure posture policies The figure illustrates what you will accomplish in this activity. Admin PC ISE-1 AD1 W10PC-Corp vWLC 224 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure some simple file conditions as well as antivirus compound conditions for both installation and definition age. Activity Procedure Complete these steps: Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions > File. Step 2 In the right pane, click +Add and create the following three File Conditions. Caution Be aware of the case of the file name PUTTY. The Cisco NAC Agent file evaluation is case sensitive but the Cisco AnyConnect is not. Caution The operator is Later than, not Later than or Equal to. This is a common error in configuration File Condition PuTTY_Version Attribute Value Name PuTTY_Version Description Check for an acceptable PuTTY Version Operating System File Type FileVersion File Path ABSOLUTE_PATH c:\tools\PUTTY.EXE Operator File Version File Condition 0.61 Bad_File Attribute Value Name Bad_File Description Check for a Bad file Operating System © 2018 Fast Lane File Type FileExistence File Path ABSOLUTE_PATH Operator DoesNotExist C:\test\virus.txt Lab Guide 225 File Condition Good_File Attribute Value Name Good_File Description Check for a Good file Operating System Windows All File Type FileExistence File Path ABSOLUTE_PATH C:\test\good.txt Operator Exists Step 3 In the left pane, select Anti-Virus. Step 4 In the right pane, click +Add and create the following AV Compound Conditions. Caution Be sure to Submit after each one. AV Compound Condition ClamWin_AV_Installed Attribute Value Name ClamWin_AV_Installed Description Check for ClamWin AV Install Operating System Windows All Vendor ClamWin Check Type [ X ] Installation [ ] Definition Products for Selected Vendor Product Name ClamWin Antivirus ClamWin Free Antivirus AV Compound Condition ClamWin_AV_Current Attribute Value Name ClamWin_AV_Current Description Check for ClamWin AV Definition Operating System Windows All Vendor ClamWin Check Type [ ] Installation Option Allow virus definition file to be [ 7 ] days older than ( X ) current system date [ X ] Definition Products for Selected Vendor Product Name 226 Any Step 5 In the left pane, select Firewall Condition. Step 6 In the right pane, click +Add and create the following Firewall Compound Conditions. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Activity Verification You have completed this task when you attain these results: You have configured three posture file conditions. You have configured an antivirus installation condition. © 2018 Fast Lane Lab Guide 227 In this task, you will configure remediation processes to instruct users on how to handle systems that do not meet compliance requirements. Activity Procedure Complete these steps: Step 1 Navigate to Work Centers > Posture > Policy Elements and then Remediations > File. Step 2 In the right pane, click +Add and create the following File Remediation. File Remediation PuTTY_62 Attribute Value Name PuTTY_62 Description Approved PuTTY version 0.62 Version 0.62 File to Upload Step 3 Click Submit. Step 4 Click +Add again and create the following File Remediation. Note The File to Upload c:\tools\good.txt in the table below does not yet exist on your system. You will be creating it during the process of browsing for a file to upload. Follow the procedure in the second table to create the good.txt file. File Remediation Good_File Attribute Value Name Good_File Description Our corporate good file Version 1.0 File to Upload (See procedure below) Procedure to create good.txt 228 Step Action Notes 1. In the Files to Upload line Click Browse 2. Right-click in an open area See image below 3. Select New from the menu See image below 4. Select Text Document from the submenu See image below 5. Rename the newly created New Text Document.txt to good.txt 6. Click off of the file to complete the file renaming process 7. Right-click on good.txt Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step Action Notes 8. From the menu select Edit 9. In the notepad write the following: good file v1.0 Close the document by clicking on the X in the upper right-hand corner and when prompted click Save. 10. You may alternately perform a File > Save before closing the file. Step 5 Click Submit. Step 6 In the left-hand pane, select Link. Step 7 In the right pane, click +Add and create the following Link Remediation. Link Remediation Attribute Install_ClamWin_AV Value Install_ClamWin_AV Description URL link to install ClamAV package Remediation Type Manual Interval 0 Retry Count 0 URL Step 8 Click Submit. Step 9 In the left-hand pane, select Anti-Virus. Step 10 In the right pane, click +Add and create the following AV Remediation. AV Remediation Attribute Update_ClamWin_AV Value Update_ClamWin_AV Description © 2018 Fast Lane Update ClamWin definitions Lab Guide 229 Attribute Value Operating System Windows Remediation Type Manual Interval 0 Retry Count 0 Vendor ClamWIn Step 11 Step 12 Click Submit. Edit the default AnyAVDefRemediationWin remediation and change the Remediation Type from Automatic to Manual and click Save. Activity Verification You have completed this task when you attain this result: You have configured posture remediation actions for users who systems do not meet compliance requirements. 230 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure posture requirements that utilize the previously configured conditions and remediations. Activity Procedure Complete these steps: Step 1 In the left pane, navigate to Work Centers > Posture > Policy Elements > Requirements. Step 2 Edit the Any_AV_Installation_Win requirement and modify the Remediation Action. Change the Message Text shown to Agent User to the following: An approved Antivirus program was NOT detected on your PC. All users must have a current AV program installed before access is granted to the network. If you would like to install a free version of ClamWin AV, please go to http://tools.demo.local/updates/clamwin-0.99.1-setup.exe Tip You may access the following resource from a separate tab in Firefox to copy/paste message text: http://tools.demo.local/cp/Posture-Requirements-excercise-6.rtf Step 3 Add the following Requirements by using the same method as adding policy rules (Edit down arrow at end of line). Posture Requirement Attribute ClamWin AV Install Win Value ClamWin AV Install Win Operating System Windows All Compliance Module 3.x or earlier Posture Type AnyConnect Conditions User Defined Conditions > Anti-Virus Condition > ClamWin_AV_Installed Remediation Actions Action: Posture Requirement Attribute Install_ClamWin_AV ClamWin AV Current Win Value ClamWin AV Current Win Operating System Windows All Compliance Module 3.x or earlier Posture Type AnyConnect Conditions User Defined Conditions > Anti-Virus Condition > ClamWin_AV-Current Remediation Actions Action: Update_ClamWin_AV Message shown to Agent User: All users must have ClamWin with current signatures. Please click start to update the signatures now. © 2018 Fast Lane Lab Guide 231 Posture Requirement Attribute PuTTY 62 Value PuTTY 62 Operating System Windows All Compliance Module Any version Posture Type AnyConnect Conditions User Defined Conditions > File Condition > PuTTY_Version Remediation Actions Action: PuTTY_62 Message Shown to Agent User: Save this file to C:\tools\ Posture Requirement Attribute Good File Value Good File Operating System Windows All Compliance Module Any version Posture Type AnyConnect Conditions User Defined Conditions > File Condition > Good_File Remediation Actions Action: Good_File Message Shown to Agent User: Right-click and save this file to C:\test\ Create a New Folder if needed. Posture Requirement Attribute Bad File Value Bad File Operating System Windows All Compliance Module Any version Posture Type AnyConnect Conditions User Defined Conditions > File Condition > Bad_File Remediation Actions Action: Message Text Only Message Shown to Agent User: You have a bad file. Go delete the file C:\test\virus.txt 232 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 4 You should have the following requirements at the bottom of your list. Step 5 Scroll down and click Save. Activity Verification You have completed this task when you attain this result: You have configured both the conditions you have previously configured and the remediation actions into posture requirement configurations. © 2018 Fast Lane Lab Guide 233 In this task, you will configure posture policies that will be utilized in client access assessments. You will be adding these policies and a disabled state and enabling them in a later lab. Activity Procedure Complete these steps: Step 1 Navigate to Work Centers > Posture > Posture Policy. Step 2 Create the following rules. Note Posture Policy Status is configured by changing the icon at the beginning of the rule. Note Requirement Status is configured by changing the icon in front of the Requirement Name. Posture Policy File Checks Attribute Value Policy Options - Status Disabled File Checks 234 Identity Groups Any Operating System Windows All Compliance Module Any version Posture Type AnyConnect Other Conditions - Requirements Status Requirement Name Mandatory Good File Mandatory PuTTY 62 Audit Bad File Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Posture Policy AD Win7 Users AV Attribute Value Policy Options - Status Disabled AD Win Users AV Identity Groups Any Operating System Windows All Compliance Module 3.x or earlier Posture Type AnyConnect Other Conditions demo.local:ExternalGroups EQUALS demo.local/Users/Domain Users Requirements Status Requirement Name Mandatory ClamWin AV Install Win Mandatory ClamWin AV Current Win Step 3 Verify your configuration with the following screenshots. Order is not important. Step 4 Scroll down and click Save. Activity Verification You have completed this task when you attain this result: You have configured posture policies based on the elements that you have previously configured in previous tasks. © 2018 Fast Lane Lab Guide 235 Complete this lab activity to practice what you learned in the related module. In this activity, you will perform client based access utilizing the previously configured posture compliance configuration. After completing this activity, you will be able to meet these objectives: Perform client access utilizing the Cisco AnyConnect Unified Agent for compliance checking. The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC 236 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane The table describes the commands that are used in this activity. 3650 Switch Commands Command Description Shows the applied session details for the current session(s) on the indicated interface. © 2018 Fast Lane Lab Guide 237 In this task, you will use the Cisco AnyConnect Unified Agent to perform compliance testing and remediation. Activity Procedure Complete these steps: AnyConnect Unified Agent Deployment. 238 Step 1 Return to the W10PC-Corp. Step 2 Log in as student / 1234QWer. Step 3 Open up network settings and enable the NIC if not enabled. Step 4 Open Services from Windows Administrative Tools in the Start menu. Step 5 Verify and, if necessary, modify the Wired AutoConfig service to have a startup type of Automatic and then Start the service. Step 6 Click OK. Step 7 Close the services console. Step 8 Return to the NIC settings and open the properties for the NIC. Step 9 Click the Authentication tab. Step 10 Click the Settings button. Step 11 Uncheck the box to validate the server certificate. Step 12 Click OK. Step 13 Make sure the Step 14 Click OK. Step 15 Restart the client machine using the Start menu and log back in as employee1 / 1234QWer. Step 16 Open Firefox browser. Step 17 Browse to http://www.cisco.com, you should be redirected to the Client Provisioning Portal. Accept any security notices if presented. Step 18 You should be notified that a Device Security Check is required, click Start. Step 19 The process will attempt to detect if the AnyConnect Posture Agent is installed. Once prompted, click + This is my first time here. Step 20 In the instructions click the hyperlink to Click here to download, install AnyConnect. Step 21 Click Save File. Step 22 Click the file in the download dialog box and will be presented the dialog box click Run. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 box is unchecked. © 2018 Fast Lane Step 23 The Cisco Network Setup Assistant should notify you that you are connected to ise-1.demo.local, whose identity has been certified. Click Connect. Step 24 Cisco AnyConnect will install automatically. Step 25 At the end you will be notified that a restart is required. Click Yes. Note If the installation process shows Failed to launch Cisco AnyConnect Secure Mobility Client Downloader and does not promt for a reboot, proceed by logging off and continue only if step 30 is not showing up as described, deinstall Cisco AnyConnect Security Mobility Client, which will include a reboot, and perform the task from Step 20 again. Step 26 Once the system is back up, login again as employee1 / 1234QWer. Step 27 Once logged in, AnyConnect will log on via EAP-FAST and the ISE Posture module will perform a scan. The results will show that the Good File update is required. Click Start to begin remediation. Step 28 Navigate to c:\test\ and click Save. © 2018 Fast Lane Lab Guide 239 240 Step 29 You will be notified that the save operation was successful and given the opportunity to open the folder location where the file was saved. Click Cancel. Step 30 Observe your system is now Complaint. Trigger a reauthentication/rescan by clicking the EAP-FAST profile if needed. Step 31 In the live authentications list observe the authentication process of Pending , and then Compliant after remediation. Step 32 Open Windows Explorer and navigate to C:\test\. Step 33 Right-click and from the menu select New, then Text Document. Name the new file without an extension. Extensions are hidden by default so the .txt will not show in this view. Step 34 Log off and log back on as demo\employee1. Step 35 As the Bad File check is in audit mode only, the system will still be compliant. Step 36 In ISE, navigate to Operations > RADIUS > Live Logs. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 37 Find the most recent logon for the employee1 user but was assigned the Wired Employee Access authorization profile. Step 38 Click on the Posture Status of Compliant hyperlink. This will run a summary report from the endpoint in a new tab. Activity Verification You have completed this task when you attain this result: You have access the network via an employee account and that session has been processed for compliance via the Cisco AnyConnect Unified Agent. You have remediated your compliance requirements based on instructions received via the Cisco AnyConnect Unified Agent. © 2018 Fast Lane Lab Guide 241 Complete this lab activity to practice what you learned in the related module. In this activity, you will examine the effects of a faulty policy and review methods of identifying and troubleshooting such a policy. After completing this activity, you will be able to meet these objectives: Use Posture Reports for troubleshooting Use the Posture Troubleshooter tool The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC 242 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task you will configure a faulty policy in order to generate failure events that will be utilized in future tasks. Activity Procedure Complete these steps: Step 1 On the admin PC, in the Cisco ISE admin portal navigate to Policy > Policy Elements > Conditions and then Posture > File Condition. Step 2 Edit the PuTTY_Version you created earlier. Step 3 Change the file from PUTTY.EXE to PUTTTY.exe (you are adding an extra Step 4 Click Save. Step 5 Navigate to Administration > System > Settings > Posture > General Settings. Step 6 Set the Remediation Timer to 5 minutes to shorten the waiting time for the next task. Step 7 Click the Save button. Step 8 Return to the W10PC-Corp, log off and log back on as employee1 / 1234QWer. Step 9 The PuTTY 62 requirement should fail. Step 10 Do not remediate; wait for the timer to expire and then continue to the next task. Activity Verification You have completed this task when you attain this result: You have configured a faulty policy that has resulted in a failed compliance access attempt © 2018 Fast Lane Lab Guide 243 In this task, you will examine posture reports as a mechanism to troubleshoot compliancebased access failures. Activity Procedure Complete these steps: Step 1 In ISE, navigate to Work Centers > Posture > Reports and then Reports > Posture Reports > Posture Assessment by Endpoint. Step 2 Modify the Time Range from Today to Last 30 Minutes. Step 3 Click on the Details icon for the failed posture assessment. Step 4 Scroll to the bottom of the report and observe the Posture Policy Details. Step 5 Observe that the Failed condition is PuTTY_Version, Step 6 Also observe that the Bad File, which is in Audit enforcement mode, meaning transparent to the user, is not in the Passed column either. This check was skipped because the file checks are done serially one at a time. Activity Verification You have completed this task when you attain this result: You have run a posture report and identified the failing condition. 244 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will examine posture troubleshooter as a mechanism to identify compliancebased access failures. Activity Procedure Complete these steps: Step 1 In ISE, navigate to Work Centers > Posture > Troubleshoot. Step 2 In the form, click the Select button at the end of the Username field. In the next pop-up click Search. From the list of Usernames select employee1 and click Apply. Step 3 Go to the bottom of the form and click Search. Step 4 In the results, click the failed result and click Troubleshoot. © 2018 Fast Lane Lab Guide 245 Step 5 Click Show Results Summary once complete. Step 6 Observe the details of what passed, what failed in another format. Step 7 Click Done. Activity Verification You have completed this task when you attain this result: You have run the posture troubleshooter and identified the failing condition. 246 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will correct the policy you purposely misconfigured being of this lab. You will also observe the result of an audit condition via posture reports. Activity Procedure Complete these steps: Policy Correction Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions > File. Step 2 Edit the PuTTY_Version you modified earlier. Step 3 Change the file from PUTTTY.EXE to PUTTY.exe (you are removing the extra Step 4 Click Save. Testing Policy Correction Step 1 Return to the W10PC-Corp. Step 2 In the AnyConnect drop-down, select EAP-FAST. This will cause a reauthentication and then the posture module will reconnect to ISE and perform another posture check. Your posture check should succeed. Posture Report Verification Step 3 Return to the Cisco ISE admin portal. Step 4 Navigate to Work Centers > Posture > Reports and then Reports > Posture Reports > Posture Assessment by Endpoint. Step 5 Modify the Time Range from Today to Last 30 Minutes. Step 6 Click on the details for the recent passed assessment. © 2018 Fast Lane Lab Guide 247 Step 7 Scroll to the bottom and observe that the only failed condition now is the Audit mode Bad File condition. Tip This is an effective way of analyzing systems upon access to determine the status of a program without notifying the user. Tip One example of using this feature would be to analyze systems for a file or files that are suspicious. An administrator could determine if the files are on any of the systems, and then make decisions on how to proceed. Activity Verification You have completed this task when you attain these results: You have corrected the policy configuration. That you introduced at the beginning of the lab. You have observed the failed condition that is running an audit enforcement mode. 248 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Complete this lab activity to practice what you learned in the related module. In this activity, you will access the network via an AnyConnect VPN connection and compliance checking. After completing this activity, you will be able to meet these objectives: Configure Cisco ISE to process VPN access Configure authorization components and policies to support compliance based VPN access Configure client provisioning for remote Cisco AnyConnect VPN access The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC W10PC-CoA ASAv © 2018 Fast Lane Lab Guide 249 The table describes the commands that are used in this activity. ASAv CLI Commands Command Description Erases startup configuration Copies a file. In this lab you will copy a file to startup-config Restarts or reboots the device. Shows AnyConnect client access details 250 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will modify the ASAv configuration in preparation for the VPN Access. Activity Procedure Complete these steps: ASAv Preparation Step 1 From the Admin PC desktop, open ASDM/IDM Launcher. Step 2 Connection to 10.1.100.4 using the credentials admin / 1234QWer. Step 3 Navigate to the menu selection Tools > File Management. Step 4 Verify that anyconnect-win-4.5.04029.0-webdeploy-k9.pkg is present on the flash. Adding the ASAv as a NAD Step 5 Return to the Cisco ISE Admin portal. Step 6 Navigate the Administration > Network Resources> Network Devices. Step 7 In the right pane, click +Add and create the following Network Device entry. Network Device ASAv Attribute Value Name ASAv Description Pod ASAv IP Address 10.1.100.4 Device Profile Cisco Model Name <blank> Software Version <blank> /32 Network Device Group Location HQ IPSec Is IPSEC Device Device Type VPN RADIUS Authentication Settings Checked Shared Secret 1234QWer SNMP Settings Unchecked Advanced TrustSec Settings Unchecked Step 8 © 2018 Fast Lane Scroll down and click Submit. Lab Guide 251 Policy Set Modification Step 9 Navigate to Policy > Policy Sets. Step 10 Click the gear icon next to the Default Policy Set. Step 11 From the Drop-Down Menu select Insert new row above. Step 12 Create the following Policy Set. Policy Set Name VPN Access Description VPN_Access VPN Access Condition(s) Allowed Protocols DEVICE:Device Type EQUALS All Device Default Network Access Types#VPN Step 13 Click Use. Step 14 Scroll down and click Save. Authorization Profiles and dACLs Step 15 Navigate to Policy > Policy Elements > Results and then to Authorization > Downloadable ACLs. Step 16 Create the two following dACLs: Downloadable ACL acl_vpn_permit Attribute Value Name acl_vpn_permit Description Allow VPN Full Access DACL Content Downloadable ACL acl_vpn_remediate Attribute Value Name acl_vpn_remediate Description Allow Only Remediation Traffic DACL Content 252 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 17 Navigate to Policy > Policy Elements > Results and then to Authorization > Authorization Profiles. Step 18 Create the three following authorization profiles. Submit your changes after each entry. VPN Full Access Authorization Profile Attribute Name Value Name VPN Full Access Common Tasks DACL Name acl_vpn_permit VPN Remediation Access Authorization Profile Attribute Name Value Name VPN Remediation Access Common Tasks DACL Name © 2018 Fast Lane acl_vpn_remediate Lab Guide 253 VPN Posture Authorization Profile Attribute Name Value Name VPN Posture Common Tasks Web Redirection Client Provisioning (Posture) ACL ACL-WEBAUTH-REDIRECT Value Client Provisioning Portal (default) Authentication Policy Step 19 Navigate to Policy > Policy Sets. Step 20 Open the VPN_Access policy set. Step 21 Modify the Default Authentication Policy. Step 22 Change the authentication source to All_AD_Join_Points. Step 23 Add the two following Authorization Rules in order above the Default rule. VPN Compliant Authorization Policy Attribute Value Rule Name VPN Compliant Conditions (identity groups and other conditions) Session:PostureStatus EQUALS Compliant Results (Profiles) VPN Full Access VPN Remediate Authorization Policy 254 Attribute Value Rule Name VPN Remediate Conditions (identity groups and other conditions) Session:PostureStatus EQUALS NonCompliant Results ( Profiles) VPN Remediation Access Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 24 Change the Default rule to VPN Posture. Step 25 Compare your configuration with the following screenshot. It is imperative that the rules are in proper order with the VPN Redirect is the bottom rule. Step 26 Scroll down and click Save. Creating the Client Provisioning Resources for VPN Based Posture Access Step 27 Navigate to Policy > Policy Elements > Results and then Client Provisioning > Resources. Step 28 In the right pane, find the acConfigWin profile that you created earlier and select it. Step 29 In the toolbar click Duplicate. Step 30 Make the following modifications. © 2018 Fast Lane Lab Guide 255 acConfigWin_VPN - AnyConnect Configuration Attribute Value * Select AnyConnect Package AnyConnectDesktopWindows 4.5.4029.0 * Configuration Name acConfigWin_VPN Description AnyConnect agent config for Windows VPN * Compliance Module AnyConnectComplianceModuleWindows 4.3.XXXXX.X AnyConnect Module Selection ISE Posture [X] VPN [X] Network Access Manager [ ] Web Security [ ] ASA Posture [ ] Start Before Login [ ] Diagnostic and Reporting Tool [X] Profile Selection ISE Posture acWinPostureProfile VPN <delete> Network Access Manager <delete> Web Security Customer Feedback Customization Bundle Localization Bundle Deferred Update Allowed AnyConnect Software No Minimum Version Required for AnyConnect Software 0.0.0 Allowed for Compliance Module No Minimum Version Required for Compliance Module 0.0.0.0 Prompt Auto Dismiss Timeout None Prompt Auto Dismiss Default Response Update Installation Options Uninstall Cisco NAC Agent Step 31 256 [ ] Scroll down and click Submit. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Creating the Client Provisioning Policy Step 32 Navigate to Policy > Client Provisioning. Step 33 Create a new policy at the top of the list with the following parameters. AC Employee Win All VPN Client Provisioning Policy Rule Attribute Value Rule Name AC Employee Win All VPN Identity Groups Any Operating Systems Windows All Other Conditions DEVICE:Device Type EQUALS All Devices Types#VPN Results Agent: acConfigWin_VPN Step 34 Click Done. Step 35 Scroll down and click Save. Adjusting Remediation Timer Step 36 Navigate to Administration > System > Settings > Posture > General Settings Step 37 Set the Remediation Timer to 20 minutes, as the Client provisioning packages will take some time to download. Step 38 Click Save. Activity Verification You have completed this task when you attain these results: You have prepared the ASAv for operation with this lab. You have added the ASAv as a NAD. You have created a policy set for VPN access. You have configured authorization policies for VPN access. You have configured Client Provisioning components and policy for VPN based Postured access. © 2018 Fast Lane Lab Guide 257 . Activity Procedure Complete these steps: Step 1 Access your pod W10-CoA PC and login with the credentials student \ 1234QWer Initial VPN Connection Step 2 From the system tray, Open AnyConnect. Step 3 For this lab environment, ensure that connections are allowed to untrusted servers. Click on the cog icon in the lower left corner. Step 4 On the Preferences tab page, uncheck the Block connections to untrusted servers. Step 5 Close this window. Step 6 Connect to the VPN server asav.demo.local. Step 7 At the Security Warning pop-up, click Connect Anyway. Step 8 When prompted for credentials for the ISE_VPN group, use the credentials employee2@demo.local / 1234QWer. Step 9 Connect by clicking OK, then select Connect Anyway. Note Step 10 258 If you are not prompted to connect to the ISE_VPN group, notify your instructor. A certificate warning might be displayed. Click Connect and reconnect to the VPN. Vou will see in the lower right corner that the VPN is Connected. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Examine Cisco ISE Authentication Records Step 11 Return to the Cisco ISE admin portal on the admin PC. Step 12 Navigate to Operations > RADIUS > Live Logs. Step 13 Observe the authentication record details for the employee2@demo.local user who was assigned the VPN Posture authorization profile. © 2018 Fast Lane Lab Guide 259 Observe the following highlighted fields indicating that the host that accessed the network by VPN was profiled. The CiscoAVPair section contains the ACIDex attributes conveyed by AnyConnect and the ASA. In the Results section, you can see the URL-Redirect being applied to this session in its current state. Step 14 260 Access the ASAv via PuTTY and enter the following command to observe the ISE Posture Section at the end. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 15 Return to the W10-CoA PC. Step 16 Open Firefox and browse to http://tools.demo.local - website, click Advanced and then Add Step 17 Step 18 Click Confirm Security Exception. Step 19 After about 20 seconds you will be presented with the Client Provisioning Portal. Reload the page if necessary. Step 20 Click Start. Step 21 The process will attempt to detect if the AnyConnect Posture Agent is installed. Once prompted, click + This is my first time here. Step 22 In the instructions click the hyperlink to Click here to download, install AnyConnect. Step 23 Click Save File. Step 24 After the file downloaded, click the file in the download dialog box and after about 30 seconds you should be presented with the installation prompt. Step 25 Click Run. Step 26 The Cisco Network Setup Assistant should notify you that you are connected to ise-1.demo.local. Click Connect Anyway. Step 27 If a Untrusted Security Certificate message appears, click and click Apply Change int the AnyConnect Downloader window. Select Always trust this server and import the certificate and click Connect Anyway. Step 28 Cisco AnyConnect will download for approximately 20 minutes and install automatically and then reconnect the VPN. © 2018 Fast Lane Lab Guide 261 262 Step 29 After restart, Connect to the VPN as employee2@demo.local / 1234QWer. Step 30 System Scan will run and you will be presented with the Update Required popup. Step 31 The results will show that the Good File update is required. Click Start to begin remediation. Step 32 Navigate to C:\ create the Test folder, enter the folder and then click Save. Step 33 You will be notified that the save operation was successful and given the opportunity to open the folder location where the file was saved. Click Cancel. Step 34 System Scan will evaluate the system and then determine the system is compliant. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 35 On the Admin PC, return to the ASAv CLI in Putty and run the following command again. Observe the Filter Name is the dACL from ISE. Step 36 Return to the Cisco ISE admin portal. Step 37 Navigate to Operations > RADIUS > Live Logs. Step 38 Observer the connection flow and the ultimate result of the Authorization Profile VPN Full Access and the Posture Status of Compliant. Activity Verification You have completed this task when you attain these results: You have successfully performed a Cisco AnyConnect VPN access and had the AnyConnect client be upgraded to support compliance checking. Performed remediation over VPN and reviewed the associated authentication results. © 2018 Fast Lane Lab Guide 263 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure Cisco ISE to provision Cisco posture agents. The AMP Enabler will download the AMP for Endpoints connector, formerly known as FireAMP. The activities in this lab will facilitate the following scenario: Client connects to the network, the AMP_Profile is assigned, and user is redirected to Anyconnect Provisioning Portal. If Anyconnect is not detected on the machine, all configured modules (VPN, AMP, and Posture) are installed. Configuration is pushed for each module along with that profile. Once Anyconnect is installed, posture assessment runs. AMP Enabler module installs FireAMP connector. The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC ISE-1 AD1 W10PC-Corp vWLC W10PC-CoA ASAv 264 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane The table describes the commands that are used in this activity. ASAv CLI Commands Command Description Erases startup configuration Copies a file. In this lab you will copy a file to startup-config Restarts or reboots the device. Shows AnyConnect client access details © 2018 Fast Lane Lab Guide 265 This task requires an AMP for Endpoints administrative login and password. Activity Procedure Complete these steps: ASAv Preparation 266 Step 1 On the Admin-PC, open Firefox. Connect to https://console.eu.amp.cisco.com/ Step 2 In the top left of the window, click the small green lock symbol. Step 3 Click the arrow and then More Information. Step 4 Click View Certificate. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 5 Click the Details tab, and then click Step 6 Save the Certificate to the Desktop accepting the default name. Step 7 Login to AMP for Endpoints. Your Instructor will provide the necessary credentials. Step 8 Navigate to Management > Download Connector. Select Group > Audit and click Show URL. © 2018 Fast Lane Lab Guide 267 Step 9 Click Copy URL. Step 10 On the Desktop of the Admin PC, create a new textfile and insert the URL from clipboard (CRTL + V). REMOVE the https:// at the beginning of the link!! Step 11 Save the file. It should look like the following screenshot. Step 12 In Cisco ISE Gui, navigate to Administration > System > Certificates > Certificate Management > Trusted Certificates Step 13 In the right pane click Import. Step 14 Browse to the Desktop and select the previously added euampciscocom.crt certificate. Step 15 Set FireAMP Cisco Cert as Friendly Name and trust the Certificate for Authentication within ISE as well as Authentication of Cisco Services. Step 16 Click Submit. Activity Verification You have completed this task when you attain these results: Connected to the AMP for Endpoints Portal and made the ISE ready to download the AMP Connector for Windows. 268 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will review client provisioning settings and then perform a posture component update and build a compliance rule. Activity Procedure Complete these steps: ASAv Preparation Step 1 On the Admin-PC, using the Cisco ISE admin interface, navigate to Policy > Policy Elements > Conditions > Posture > File Condition.Review the Bad_File condition. If the file is not present, the PC will be deemed Compliant. Verify your configuration with the screen shot shown. Step 2 Navigate to Policy > Policy Elements > Results > Posture > Requirements. Review the Bad File requirement. Verify with the screenshot shown. Step 3 Navigate to Policy > Posture. Step 4 Edit the File Checks Posture Policy an make the Bad File requirement mandatory. Step 5 Click Done Step 6 Click Save. © 2018 Fast Lane Lab Guide 269 Activity Verification You have completed this task when you attain these results: You have modified a simple file requirement to drive the compliance check on the endpoint. 270 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure Cisco ISE for the download and management of Cisco AnyConnect posture agents, and the AMP Connector. Activity Procedure Complete these steps: ASAv Preparation Step 1 Edit the Posture Policy. Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources. Step 2 Select and edit the acWinPostureProfile posture agent Profile Step 3 Scroll down to the Posture Protocol section of the template, delete the tools.demo.local Discovery host entry and set the Server Name Rules field to *. Save your configuration. Configure an AMP Profile. AMP Profiles contain a pointer to the location of the AMP Connector for Windows Installer (as downloaded earlier from the AMP Cloud to the AD Server). Step 4 Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources. Step 5 Add a new AMP Enabler Profile named AMPwinProfile as shown in the figure below. Step 6 For the Windows Installer URL insert the URL from your previously created textfile on the Desktop. Step 7 Click Check next to the inserted link. File found must show up! © 2018 Fast Lane Lab Guide 271 272 Step 8 Submit your configuration when finished Step 9 Modify the AnyConnect Configuration to tie together the components that must be installed on the endpoint to allow for authorization to access network resources. Step 10 Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources. Step 11 Select and edit the acConfigWin AnyConnect configuration. Step 12 Additional, select the AnyConnect module AMP Enabler. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 13 In Profile Selection, choose the profiles for AMP Enabler (AMPwinProfile). Verify your configuration with the example shown. Step 14 Scroll down and click Save. Activity Verification You have completed this task when you attain these results: You have assigned a Client Provisioning Policy that utilizes an AnyConnect Configuration profile that references: The AnyConnect Compliance Module Profiles defined for AMP additionally. You have configured an Authorization policy that will be used to drive the state of a connecting endpoint to Compliant, and assigned this profile to an authorization rule.(done in previous labs) © 2018 Fast Lane Lab Guide 273 In this task, you will configure Cisco ISE for Threat-Centric NAC. You will configure the AMP Adapter that will be used by ISE to interface with the AMP Cloud. Activity Procedure Complete these steps: ASAv Preparation 274 Step 1 Enable TC-NAC Services under Administration > System > Deployment > Edit Node. Check the Enable Threat Centric NAC Service check box under Policy Service. This selection will add the Threat Centric Menu Options to the ISE GUI under Administration. Save your configuration. Step 2 To configure the AMP Adapter, navigate to Administration > Threat Centric NAC > Third Party Vendors > Add. Add a vendor instance for AMP. Save the instance. Note This process can take several minutes to start up before allowing you to continue. Step 3 Once the required fields are added, the instance status will transition to Ready to Configure. Click this field to begin the AMP adapter configuration. Click Next to bypass the proxy configuration screen. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 4 Select the EU Cloud for the AMP Public Cloud option. Then click Next. Step 5 Click the AMP link under SAS External URL. You will then be required to log in to the AMP for Endpoints account as an administrator. Your instructor will provide your credentials. © 2018 Fast Lane Lab Guide 275 Step 6 Click Allow in the Applications panel to authorize the Streaming Event Export request. Step 7 You will be returned to the Cisco ISE Admin portal, click Finish, and verify the AMP Instance is Connected to the cloud, and is Active. It may take a couple of minutes to connect. Activity Verification You have completed this task when you attain these results: You have enabled and provisioned Threat Centric NAC services. 276 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will verify your configurations. Activity Procedure Complete these steps: Step 1 Access the W10PC-Corp PC Step 2 Restart the PC and then log in as demo\employee1 / 1234QWer. Step 3 Wait for the AnyConnect System Scan to show up the waring about the Bad File found. Step 4 Open windows explorer and delete the virus.txt under C:\test\ you created in an earlier lab. Step 5 Click Start to recheck with the requirements. You should now be compliant. Step 6 Then, the AMP Enabler module should start downloading and installing AMP for Endpoints. See the following screenshots for the procedure: © 2018 Fast Lane Lab Guide 277 Step 7 278 Open a browser and attempt to connect to any website. You should be successful. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 8 In Cisco ISE live log, observe the employee1 on the W10PC-Corp went through the AD Posture Assessment Authorization Profile again and was granted Wired AD Employees finally. Activity Verification You have completed this task when you attain these results: Verified provisioning of AMP for Endpoints on the client PC. © 2018 Fast Lane Lab Guide 279 Complete this lab activity to practice what you learned in the related module. Device administration in ISE involves controlling network administrator access to network devices. Network administrators often have different levels of access to different network equipment, depending on their role. Most organizations prefer to centralize the control and maintenance of this function. The TACACS+ function of Cisco ISE enables this central control. Through TACACS Live Logs and reports, ISE provides centralized monitoring, report administration. In this lab, you will configure ISE for basic Device Administration of IOS devices. You will begin by configuring the policy elements that are required for network device administration.These policy elements will then be used in the basic authentication and authorization policies, which you will create. Of course, each Network Access Device (NAD) must be configured to support TACACS+, and so you must configure the required AAA commands to fulfill this need. You will then log in with different users to validate both your authentication policies, and your authorization policies. You will know that you have granular control of not only who can access your network devices, but also what they can do. The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC AD1 ISE-1 280 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure Cisco ISE to perform backups. Activity Procedure Complete these steps: Configuring Repositories. Step 1 Access the Admin PC and connect to the ISE GUI via https://ise-1.demo.local. Step 2 To enable device administration, navigate to Administration > System > Deployment. Edit the ISE node by clicking on ise-1. Under General Settings, enable the Device Admin Service and Save the settings. Step 3 Navigate to Administration > Network Resources > Network Devices. Step 4 Select and edit the 3k-access switch. © 2018 Fast Lane Lab Guide 281 282 Step 5 Scroll down, enable TACACS Authentication settings with the shared secret 1234QWer. Step 6 Scroll down and click Save. Step 7 To add policy elements, navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles. You will add two different TACACS profiles with different privilege levels. Step 8 Click Add Privilege_Level_1 privilege level is 1, and maximum privilege level is 1. Click Submit. Step 9 Privilege_Level_15 of 1 and maximum privilege level 15. Click Submit. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 10 For policy creation, navigate to Work Centers > Device Administration > Device Admin Policy Sets. You are about to create a new policy set to handle Network Devices that use Cisco IOS software. Step 11 Click the Plus icon or click the gear icon and select Insert new row above to create a new Policy Set above the Default Policy Set. Step 12 Name the new Policy Set Wired_Devices. Step 13 Create a new Condition of Device: Device Type EQUALS All Device Types#Wired. Step 14 Select Default Device Admin from the Drop-Down Menu under Allowed Protocols/Server Sequence. Step 15 Click Save. Step 16 Next, edit the Authentication Policy to use All_AD_Join_Points as the Identity Store. Step 17 Click Done. © 2018 Fast Lane Lab Guide 283 Step 18 Attribute Value Rule Name Employee_Privilege_15 Conditions demo.local:ExternalGroups Equals demo.local/HCC/Groups/Employees Command Sets Leave at default Shell Profiles Privilege_Level_15 Step 19 284 Next, insert a new authorization policy above the Default authorization policy. Configure this new rule according to the chart below. Click Save. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 20 Now add a policy for contractors. Start by clicking the gear icon at the end of the new employee policy, and choose Insert New Rule Above. Configure this new rule according to the chart below. Attribute Value Rule Name Contractor_Privilege_1 Conditions demo.local:ExternalGroups Equals demo.local/HCC/Groups/Contractors Command Sets Leave at default Shell Profiles Privilege_Level_1 Step 21 Click Save and check your work against the example below. Step 22 To configure switch, access the 3k-access switch console, and enter the commands that are shown below. You can find a textfile for copy and paste under http://tools.demo.local/cp as tacacs-switch-config.txt © 2018 Fast Lane Lab Guide 285 Step 23 To test various users, return to your Admin PC, and use PUTTY to open a SSH session to 3k-access switch (10.1.100.1) Login using the credentials contractor1 / 1234QWer. This should succeed. Type enable to get higher privilege. When prompted for a password, enter 1234QWer. This authentication fails, according to the policy you created. In ISE, navigate to Operations > TACACS > Live Logs for verification. Open another Putty SSH session to the 3k-access switch (10.1.100.1) and login using employee1 / 1234QWer. This should succeed. Type enable to get higher privilege. When prompted for a password, enter 1234QWer. This authentication succeeds, according to the policy you created. If you like, you can enter the show privilege command to verify your privilege level is 15. 286 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 24 Navigate to Operations > TACACS > Live Logs to see the authentication and authorization Step 25 For the failed contractor entry, click the Details icon, as shown above. You can analyze the details of each session. Some of the more pertinent information includes the Authorization details, as shown below. Activity Verification You have completed this task when you attain these results: You have enabled device administration on the Cisco ISE. You have configured a new Network Device Group (NDG). You have modified a NAD definition in Cisco ISE to accommodate device management. You have added new TACACS+ Profiles to accommodate unique privilege levels. You have created a new device admin policy set that uses differentiates between employee and contractors, assigning the profiles that you created, as appropriate. You successfully tested access control policy with employee and contractor user accounts. © 2018 Fast Lane Lab Guide 287 Complete this lab activity to practice what you learned in the related module. In this exercise, you will configure TACACS+ command authorization and bind these commands to a device administration policy. Privilege-level authorization associates commands with privilege levels, per network device. ISE can then apply the default and maximum privilege level to a user upon log in. Privilege level authorization requires each device be configured with privilege levels and command sets (overriding the default privilege levels). TACACS+ command authorization centralizes the administration of commands to be allowed or denied. When TACACS+ command authorization is enabled, each command that is entered on a device is authorized against the TACACS+ service. You will begin this lab by configuring TACACS Command sets. Then you will modify the authorization policy to use these command sets. You will modify the switch configuration to support command authorization, and then test the various users to check their access levels. The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC AD1 ISE-1 288 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will configure Cisco ISE to control admin access to IOS devices. Activity Procedure Complete these steps: Configuring Repositories. Step 1 Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets. You are about to create two command sets, one with full access, and one with limited access to a specific set of commands. Step 2 Click Add to create a new command set. Configure the name as Permit_All_Commands, and click the checkbox for Permit any command that is not listed below. Step 3 Click Submit. Step 4 Create a new command set named Limited_Access to permit/deny the following commands Permission Command permit ping permit show run* permit show privilege Deny show inter* Note © 2018 Fast Lane Argument Click the Add button to add each command. After entering each command, make sure to click the checkmark at the end of the line to save the command. Lab Guide 289 290 Step 5 Validate your work against the example that is shown below. Step 6 Click Submit. Step 7 Navigate to Work Centers > Device Administration > Device Admin Policy Sets > Wired_Devices. Step 8 Modify the rule named Contractor_Privilege_1. Step 9 Click the into the Command Sets box, and choose Limited_Access. Step 10 Click the down-arrow in the Shell Profiles box, and choose Privilege_Level_15. Note Although the contractors now have access to privilege level 15, they are limited to the commands specified in the assigned command set. Step 11 Modify the rule named Employee_Privilege_15. Step 12 Change the command set to Permit_All_Commands, and leave the Shell Profile to Privilege_Level_15 Step 13 Check your work against the example that is shown below. Step 14 Scroll down and click Save. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 15 To configure the switch, access the 3k-access switch(10.1.100.1) via PuTTY again as employee1 / 1234QWer and the enable password 1234QWer. Enter the following commands to enforce command authorization via TACACS+. Step 16 Close the PuTTY session and open a new PUTTY SSH session to 3k-access. Login using the credentials contractor1 / 1234QWer.This should succeed. Type enable. When prompte 1234QWer Notice that this access now succeeds, because you modified the authorization policy to apply the Privilege_level_15 shell profile. Execute the following commands and observe which commands pass and fail. show privilege show running-config ping 10.1.100.10 show interface (should not succeed) configure terminal (should not succeed) Check the Live Logs to see the information for command passes and failures. Click a Details icon if you would like to see more information about any failures. Step 17 Open another PuTTY SSH session to the 3k-access switch and login using the credentials employee1 / 1234QWer. This action should succeed. Type enable to gain a higher privilege level. Use 1234QWer as the enable password. This action should succeed, as it did in the previous lab. Execute the same commands as per Step 12. You should notice that employee1 can execute all the commands. Step 18 Close all PuTTY sessions. Step 19 Navigate to Operations > TACACS > Live Logs to see the authentication/authorization/command authorization information. You should see Live Logs for the two different users that show the successful and unsuccessful execution of commands. © 2018 Fast Lane Lab Guide 291 This task is focused on two additional TACACS features: 1. Login authentication and enable authorization differentiation: Sometimes an organization will choose to use different identity stores for login and enable. For example, for device login, the organization may choose to use existing Active Directory credentials, minimizing the administrative burden of creating new credentials. For network administrators who need a higher level of access through enable, the organization may want to manage the enable passwords via the ISE internal user database or one-time passwords. This lab uses ISE internal users. These users are pre-configured. 2. CLI Password change: TACACS+ supports inline password changes by the network administrator. The network administrator can invoke this functionality by just hitting return when prompted for a password. Activity Procedure Complete these steps: Configuring Repositories. 292 Step 1 To enable login authentication and authorization differentiation, modify the authentication policy to use different ID stores for login and enable. Navigate to Work Centers > Device Administration > Device Admin Policy Sets > Wired_Devices. Step 2 Select the Wired_Devices Policy Set. Step 3 Observe the Authentication Policy default rule. Step 4 Click the gear icon of the Default Rule and insert a new rule above the default rule. Step 5 Create a new authentication policy rule as defined below. Attribute Value Rule Name Enable_Password Conditions If (Create New Condition) TACACS:Service EQUALS Enable Use Internal Users Step 6 Scroll down and click Save. Step 7 Configure the ISE user employee1 in its local identity database. Navigate to Work Centers > Network Access > Identities > Network Access Users. Step 8 Add a user named employee1 with a Login Password of 1234QWer, and an Enable Password of Cisco123. Step 9 Scroll down and click Submit. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 10 Using PUTTY, open a SSH session to the 3k-access switch. Login using the credentials employee1 / 1234QWer.This should succeed. Type enable and use the 1234QWer password. This process will fail as the enable password is checked against the Internal Users database where the password for employee1 is different. Type enable and use Cisco123 as the password. This process should pass as it matched with the password stored in the Internal Users database. Go to TACACS Live Logs to check the logging records. Step 11 For TACACS+ password change ability, open a new PUTTY SSH session to the 3k-access switch. Log in as employee1 / 1234QWer. When asked for enable password, press Enter. You will be prompted for old password Cisco123, followed by the new password 1234QWer. Step 12 Close this PUTTY session. © 2018 Fast Lane Lab Guide 293 Step 13 Launch another PuTTY SSH session to the 3k-access switch and log in as employee1 / 1234QWer. Try using the old enable password Cisco123. This password should fail. Try the password that was defined in Step 6. This password should now succeed. Step 14 Check the TACACS Live Logs to see the login fail and pass. Activity Verification You have completed this task when you attain these results: You have configured TACACS command sets to differentiate user access. You have modified the authorization policy to use the new command sets. You have configured the switch for command authorization You have tested various users to check their access levels You have validated the ability to change passwords 294 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Complete this lab activity to practice what you learned in the related module. In this activity, you will configure Cisco ISE to for backup and examine the process to patch. After completing this activity, you will be able to meet these objectives: Configure Cisco ISE backups Patch a Cisco ISE instance The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC AD1 ISE-1 © 2018 Fast Lane Lab Guide 295 In this task, you will configure Cisco ISE to perform backups. Activity Procedure Complete these steps: Configuring Repositories. Step 1 In the Cisco ISE admin portal navigate to Administration > System > Maintenance and then Repository. Step 2 In the right-hand pane, click +Add. Step 3 Create the following Repository. Admin_PC - Repository Configuration Attribute Value Repository Configuration Repository Name Admin_PC Protocol FTP Location Server Name 10.1.100.6 Path / Credentials User Name Anonymous Password 1234QWer Step 4 Click Submit. Configuration Database Backup Configuration 296 Step 5 Navigate to Administration > System > Backup & Restore. Step 6 Under Schedule Backup > Configuration Data Backup click Schedule. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 7 Configure the following Backup Configuration Schedule. Backup_CFG Attribute Value Name Backup_CFG Description Configuration Backup Repository Admin_PC Encryption Key 1234QWer Re-Enter Encryption Key 1234QWer Frequency Weekly At Time 12:00AM On Day Sunday Start Date <Tomorrows Date> End Date 01/01/2020 Step 8 © 2018 Fast Lane Schedule Configuration Backup Verify your configuration with the following screenshot and then click Save. Lab Guide 297 Monitoring Database Backup Configuration. Step 9 On the same screen in Backup & Restore, click Schedule under Schedule Backup > Operational Data Backup. Step 10 Configure the following Backup Configuration Schedule. Backup_CFG Attribute Value Name Backup_MnT Description Operations Backup Repository Admin_PC Encryption Key 1234QWer Re-Enter Encryption Key 1234QWer Frequency Daily At Time 02:00AM Start Date <Tomorrows Date> End Date 01/01/2020 Step 11 298 Schedule Configuration Backup Verify your configuration with the following screenshot and then click Save. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Review the Process to Performing an On Demand Backup Step 12 Click the Backup Now button in the upper left corner of this page. Step 13 Examine the form and observe it is a cleaner version of the scheduled backup for without a description and ability to schedule. Also the ability to select Configuration or Operational backup types Step 14 Click Cancel. Note Do not perform a backup at this time. Patching Management Process for Cisco ISE Review Step 15 Navigate to Administration > System > Maintenance and then Maintenance > Patch Management. Step 16 In the right pane, click Install in the toolbar. Step 17 You would then click Browse and browse for the patch file selecting it and then click Open. Note Step 18 Your instructor will notify you if there is a patch file to install and where it is located. You would then click Install. Cisco ISE would then upload the file via the browser and process the patch. All services would be stopped and then restarted. Note Patching is a maintenance window operation. All functional services are stopped and restarted. Activity Verification You have completed this task when you attain these results: You have configured the repository for Cisco ISE. You have configured the configuration database backup You have configured the monitoring database backup You have reviewed the process to patch Cisco ISE. © 2018 Fast Lane Lab Guide 299 Complete this lab activity to practice what you learned in the related module. In this activity, you will configure administrative access settings for Cisco ISE. After completing this activity, you will be able to meet these objectives: Ability to control administrative access to Cisco ISE Configure administered of access and authorization for administrative session The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC AD1 ISE-1 300 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will review and configure administrative access settings. Activity Procedure Complete these steps: Session Settings Step 1 Navigate to Administration > System > Admin Access and then Settings > Session. Step 2 The Session Idle Timeout range is 6 to 100 minutes. Step 3 Click the Session Info tab. Step 4 You should see your current session. Step 5 Open Google Chrome, login to the ISE admin portal and open the Live Logs. Step 6 Return to Firefox and click Refresh in the upper right section above the toolbar. Step 7 Select your session and then attempt to click Invalidate. You are not able to invalidate your own session. Step 8 Select the new session and click Invalidate and confirm you want to invalidate this administrative session by clicking OK. Step 9 Return to Google Chrome and attempt to navigate anywhere in the portal. You will be returned to the login screen. Step 10 Close Google Chrome browser and return to Firefox. Access Settings Step 11 In the left pane navigate to Admin Access > Settings > Access. Step 12 Observe the ability to limit concurrent sessions and configure pre and post login banners for bot GUI and CLI access. Step 13 Click the IP Access tab. Step 14 Select Allow only listed IP addresses to connect. Step 15 In the IP List section click +Add. Step 16 In the pop-up form enter 10.1.100.0 for the IP Address and 24 for the netmask in CIDR format. Step 17 Click OK and click Save. Activity Verification You have completed this task when you attain these results: You have configured administrative access session settings. You have invalidated an administrative session. You have configured IP access restrictions for administrative sessions. © 2018 Fast Lane Lab Guide 301 In this task, you will configure administrative access to the Cisco ISE admin portal. Activity Procedure Complete these steps: Microsoft Active Directory Integration Step 1 Navigate to Administration > System > Admin Access and then Authentication. Step 2 In the right pane, for password access, select the Identity Source AD:demo.local. Step 3 Click Save. Create AD Shadow Account Step 4 In the left pane, navigate to Admin Access > Administrators > Admin Users. Step 5 In the right pane, click +Add and select Create an Admin User. Step 6 For the Name type ITAdmin. Step 7 Delete the contents from the Email field. Step 8 Select the External Box. Step 9 Scroll down and select the Admin Group Super Admin. Step 10 Click Submit. Link External AD Group to Super Admins Step 11 In the left pane, navigate to Admin Access > Administrators > Admin Groups. Step 12 From the list, Edit the Super Admin group. Step 13 Select the External Box. Step 14 In the External Groups drop-down, select demo.local/HCC/Groups/IT Staff. Step 15 Scroll down and click Save. Creating AD Permission Sets Note additional configuration. Step 16 In the left pane, navigate to Admin Access > Administrators > Admin Groups. Step 17 Click +Add in the right pane tool bar. Step 18 Enter the Name AD Staff. Step 19 Configure the type to only be External. Step 20 In the External Groups drop-down, select demo.local/HCC/Groups/Staff. Step 21 Click Submit. Creating an External Group RBAC Policy Data Access 302 Step 22 In the left pane, navigate to Admin Access > Authorization > Permissions > Data Access. Step 23 In the right pane, click +Add. Step 24 Enter the Name AD_Staff_Access. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 25 In the Data Access Privileges, expand Endpoint Identity Groups . Step 26 With Endpoint Identity Groups select, click Full Access on the right. After saving, that will give access to that level and all sub levels below. Step 27 Click Submit. Menu Access Step 28 In the left pane, navigate to Admin Access > Authorization > Permissions > Menu Access. Step 29 In the right pane, click +Add. Step 30 Enter the Name AD_Staff_Menu. Step 31 In the same method that you issues Data Access Privileges, give the following Menu Access Privileges Show access. Home Operations >RADIUS Note Step 32 Select only the items listed above. Do not assign Show privileges to Operations, Administration, only the indicated sub-menu. Click Submit. RBAC Policy Assignment Step 33 In the left pane, navigate to Admin Access > Authorization > Policy. Step 34 Using the Actions button at the left, Insert a new Policy. Step 35 Configure the following policy. AD Staff - RBAC Policy Attribute Value Rule Name AD Staff Policy Admin Groups AD Staff Permissions AD_Staff_Menu Step 36 Verify your configuration with the following screenshot and then scroll down and click Save. Create Shadow Accounts for the AD Admin Group Step 37 In the left pane, navigate to Admin Access > Administrators > Admin Users. Step 38 In the right pane, click +Add and select Create an Admin User. Step 39 For the Name type Admin1. © 2018 Fast Lane Lab Guide 303 Step 40 Clear the Email field. Step 41 Select the External Box. Step 42 Scroll down and select the Admin Group AD Staff. Step 43 Click Submit. Activity Verification You have completed this task when you attain these results: You configure Cisco ISE to authenticate administrative access via Active Directory You have created the shadow account Cisco ISE that is linked to an external Active Directory account. group. You have created a custom Active Directory permissions set. You have called the entire process of creating an external RBAC policy 304 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will test administrative access based on the configuration in your previous task. Activity Procedure Complete these steps: Step 1 To make the process easier by maintaining your existing administrative session in Firefox, open Googel Chrome browser. Step 2 Navigate to the URL https://ise-1.demo.local. Step 3 On the login page, select the Identity Source demo.local. Step 4 Use ITAdmin as the Username with the password 1234QWer. Step 5 Click Login. Step 6 Observed that you have full super admin access to the entire Cisco ISE admin portal. Step 7 In the upper right click Logout. Step 8 Re-login using the credentials Staff1 / 1234QWer. Step 9 Observed that the Cisco ISE admin portal is limited to just Home and Operations > RADIUS. Step 10 Click Logout. Step 11 Close Internet Explorer. Activity Verification You have completed this task when you attain this result: You have successfully logged in to Cisco ISE with Active Directory credentials. You have successfully observed the RBAC restrictions in the Cisco ISE admin portal interface. © 2018 Fast Lane Lab Guide 305 Complete this lab activity to practice what you learned in the related module. In this activity, you will review some of the diagnostic tools available via the Cisco ISE admin portal. After completing this activity, you will be able to meet these objectives: Run the RADIUS Authentication Troubleshooting tool Perform a TCPDump traffic capture on Cisco ISE. The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC AD1 ISE-1 306 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will explore the RADIUS Authentication Troubleshooting tool. Activity Procedure Complete these steps: Step 1 Return to the Cisco ISE admin portal in Firefox. Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General Tools > RADIUS Authentication Troubleshooting. Step 3 Examine the troubleshooting form and the available fields. Step 4 Click the Select button at the end of the NAS IP line. Step 5 In the pop-up, clock Search Step 6 Select 10.1.100.1 from the criteria list and click Apply. Step 7 Change the Authentication Status drop-down to Fail. Step 8 Change the Time Range drop-down to Last7 days. Step 9 Click Search. Step 10 Select any Failure Reason. Step 11 Scroll down and click Troubleshoot. Step 12 When presented, click Show Results Summary. Step 13 Examine the presented data expanding lines in the Troubleshooting Summary if possible. Step 14 At the bottom click Show Progress Details and you are returned to the overview. Step 15 Click Done to close the this troubleshooting session. Activity Verification You have completed this task when you attain this result: You have run the RADIUS Authentication Troubleshooting tool using the selected parameters. © 2018 Fast Lane Lab Guide 307 In this task, you will use the TCPDump functionality in Cisco ISE to capture RADIUS traffic that is seen by the Cisco ISE interface GigabirEthernet0. Activity Procedure Complete these steps: Step 1 Return to the Cisco ISE admin portal in Firefox. Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General Tools > TCP Dump. Step 3 Examine the options and in the Filter field enter port 1812. Note Step 4 Tip 308 There is a bug in verison 2.4 ip host 10.1.100.1. filter Change the Format to Human Readable. You can choose Raw Packet Data, and the data will be in libpcap format. Wireshark is a free application that can open that file type. Step 5 At the top, click Start. Step 6 Generate some RADIUS traffic, by accessing your 3k-access switch via PuTTY. Step 7 Log in to the Switch via SSH using the credentials employee1 / 1234QWer and the enable password 1234QWer. Note The login for the switch depends on the TACACS lab done before! The standard login if not done the TACACS lab would be admin with the password 1234QWer. Note Another way to access the switch is via the RemotelabsClient topology overview by clicking the Switch symbol. This will open a console session privilege level 15. Step 8 Enter configuration mode and shut and not shut interface GigabitEthernet1/0/1 Step 9 Return the Cisco ISE admin portal. You should have some traffic captured as indicated by a file size of something other than 0 bytes. Step 10 Click Stop Step 11 Examine the output details at the bottom. Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 12 Click Download. Step 13 Save the TCPDump.txt file to your Desktop. Step 14 Navigate to your Admin PC desktop and find the TCPDump.txt file. Step 15 Right-click on it and select Open with WordPad. Step 16 Examine the file contents and when done, close the file. Step 17 Return to the Cisco ISE Admin Portal. Activity Verification You have completed this task when you attain this result: You have captured RADIUS traffic at the Cisco ISE GigabitEthernet 0 interface and examined it in human readable form. © 2018 Fast Lane Lab Guide 309 Complete this lab activity to practice what you learned in the related module. In this activity, you will explore some Report operation capabilities in Cisco ISE. After completing this activity, you will be able to meet these objectives: Run a report with Filters Save scheduled Report Designate a Report and save the Report in My Reports The figure illustrates what you will accomplish in this activity. These are the resources and equipment that are required to complete this activity: Admin PC AD1 ISE-1 310 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane In this task, you will run a report with a filter. Activity Procedure Complete these steps: Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users > Top Authorizations by User. Step 2 Click Filters and select Identity from the Dropdown. Click OK. Step 3 In the Identity Store filter, enter *@demo.local to filter out all local and guest authentications. Step 4 Create a a filter with the settings from the screenshot below. Step 5 Click Go. Step 6 Observe the results. Note Do not close or leave this report. You will use it in the ne next task. Activity Verification You have completed this task when you attain this result: You have run a report with a filter. © 2018 Fast Lane Lab Guide 311 In this task, you will schedule the filtered report from the last task to be run weekly. Activity Procedure Complete these steps: Step 1 In the upper right corner of this report, click the Schedule button. Step 2 Fill out the form with the following details. Weekly_Top_AD_Authorizations - Scheduled Report Attribute Value Name Weekly_Top_AD_Authorizations Description Repository Admin_PC Send email Notification Schedule 312 Frequency Weekly At Time 6:00 AM On Day Monday Start Date <Tomorrows Date> End Date <One year Later and select an Monday> Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane Step 3 Click Save. Step 4 In the left pane, navigate down to Scheduled Reports > Scheduled Reports. Step 5 Observe the successfully saved report. Activity Verification You have completed this task when you attain this result: You have saved scheduled report. © 2018 Fast Lane Lab Guide 313 In this task, you will re-run a modified form of the report from the previous task and designate the report as a favorite. The Favorite Report section is the one that opens by default when entering the Reports section. Favoriting a reports makes it faster to execute in the future. Activity Procedure Complete these steps: Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users > Top Authorizations by User. Step 2 Click the plus sign right of the Time Range filter and select Identity from the Dropdown. Step 3 In the Identity filter, enter *@demo.local to filter out all local and guest authentications. Step 4 Select the Time Range of Yesterday. Step 5 Click Go. Step 6 In the upper right, click My Reports. Click the Save button in the new window. Step 7 In the left pane, open the My Reports section on the top. Step 8 Click on Top Authorizations by User and review the Report. Tip If you ever desire to remove a report from My Report list, run the report and in the upper right, select My Reports. Activity Verification You have completed this task when you attain this result: You have run, report and made a My Report entry. 314 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane

FL-SISE24 LG301

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib