
NGB CPOC!

March 1-3, 2011

CPOC ISE Lab

Lab Overview:

IP Subnets

There are four identical and isolated pods. There is no Internet access from any of the
pods during this lab, nor is there connectivity between any of the pods.

'internal': 10.10.10.0/24, DHCP range 10.10.10.100-254
'guest': 10.10.11.0/24, DHCP range 10.10.11.100-254

IP Addresses

10.10.10.1 = local 3750 switch/gateway (although this is a flat lab); also the DHCP server for your pod
10.10.10.10 = ISE
10.10.10.11 = Windows 2003 Server / AD
10.10.10.100+ = initial DHCP address of the pod PCs

Devices

User PC
• a Windows 7 PC
• joined to the local cpoc.army.mil domain
• used for 802.1x
• can be used for web and SSH access to ISE
• can be used for telnet access to local switch
• connected to PC port of the IP phone

Management PC
• a Windows XP PC
• not on the Windows domain
• not used for 802.1x
• can be used for web and SSH access to ISE
• can be used for telnet access to local switch
• connected to switch port G1/0/2

IP Phone
• Cisco 7970 phone
• connected to switch port G1/0/1


Basic ISE Setup


SSH Login

1: CLI Login

User Input

SSH (use Putty) to 10.10.10.10:

username: admin
password: Cisc01 (C i s c ʻzeroʼ ʻoneʼ)

Lab Discussion

The IP address was applied when ISE was installed. The 'admin' username/password
was created when ISE was installed. Do not lose this initial login when you install ISE.
Once you log in to the CLI, you can create additional CLI users. CLI users do not have
login rights to the web interface, and web users do not have access to the CLI - they are
mutually exclusive. CLI users can be either a normal 'user' (read-only) or an 'admin' (full
administrative privileges).

2: Familiarization with the CLI Interface

User Input

The SSH connection to ISE is similar to a console connection to the server. You are
presented with an IOS-lite interface. Here is a list of available CLI commands:

NGB-ISE/admin# ?
Exec commands:
application Application Install and Administration
backup Backup system
backup-logs Backup system and application logs
clock Set the system clock
configure Enter configuration mode
copy Copy commands
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on local filesystem
exit Exit from the EXEC
forceout Force Logout all the sessions of a specific system user
halt Shutdown the system
mkdir Create new directory
nslookup DNS lookup for an IP address or hostname
patch Install System or Application Patch
pep PEP Configuration
ping Ping a remote ip address
ping6 Ping a remote ipv6 address
reload Reboot the system
restore Restore system

rmdir Remove existing directory
show Show running system information
ssh SSH to a remote ip address
tech TAC commands
telnet Telnet to a remote ip address
terminal Set terminal line parameters
traceroute Trace the route to a remote ip address
undebug Disable debugging functions (see also 'debug')
write Write running system information

NGB-ISE/admin#

Lab Discussion

There are certain tasks that can only be done at the CLI, such as:

system shutdown - halt
change basic network attributes - configure
configuration file management - copy, backup, restore, write

Do not modify any of the network settings in an active ISE. Such changes cause the
ISE engine to be reset. If you need to modify network settings, find a period of low
network volume or schedule an outage window.

User Input

Verify that all ISE components are operational:

NGB-ISE/admin# show application status ise

ISE Database listener is running, PID: 3077
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 3391
ISE M&T Session Database is running, PID: 2866
ISE M&T Log Collector is running, PID: 3434
ISE M&T Log Processor is running, PID: 3486
ISE M&T Alert Process is running, PID: 3412

NGB-ISE/admin#

ISE consists of a number of databases and servers. The show application status
ise command displays the various applications. Each must be ʻrunningʼ for ISE to be
fully operational. When first booted, the ISE Application Server historically takes the
longest to become operational (running). You typically have network connectivity to ISE
before ISE is fully functional.


3: Create New CLI Users

User Input

Configure two new users for ISE CLI access (hint - config mode). Create one normal
'user' and one 'admin' user. The default password policy requires one capital letter, one
lower-case letter, one number, and a minimum of six total characters, and the password
cannot contain either the user name or any form of 'cisco'. Attempt to log in with each of
these new users and compare the privilege differences.
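The password policy described above, as an added example that is not part of the original lab. It checks a candidate CLI password against the stated rules (upper case, lower case, digit, six characters, no user name, no form of 'cisco'). The lab only says "any form of 'cisco'"; this example treats case changes, reversal, and digit-for-letter substitutions as forms, which is an assumption about what that phrase covers rather than a statement of ISE's exact rule set.

```python
import re

# Digit/symbol substitutions that turn a password into "another form" of a forbidden word.
# Assumption for this example: the lab says "any form of 'cisco'" without listing the forms.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "!": "i", "@": "a"})
FORBIDDEN_WORDS = ("cisco",)


def normalize(text: str) -> str:
    """Lower-case and undo common substitutions so 'C1sc0' and 'cisco' compare equal."""
    return text.lower().translate(LEET)


def contains_form_of(password: str, word: str) -> bool:
    """True if the normalized password contains the word forwards or reversed."""
    norm_pw, norm_word = normalize(password), normalize(word)
    return norm_word in norm_pw or norm_word[::-1] in norm_pw


def check_cli_password(password: str, username: str) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("fewer than six characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if username and contains_form_of(password, username):
        problems.append("contains the username")
    for word in FORBIDDEN_WORDS:
        if contains_form_of(password, word):
            problems.append(f"contains a form of '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates; the first is the lab's own CLI password for 'admin'.
    for candidate, user in [("Cisc01", "admin"), ("Lab0perator", "labuser"), ("abc", "bob")]:
        verdict = check_cli_password(candidate, user) or ["ok"]
        print(f"{candidate!r} for {user!r}: {', '.join(verdict)}")
```

Run it before you try a new password in config mode; note that the lab's own 'Cisc01' password is rejected by the policy as stated, which is a reminder that the install-time credential is set outside the CLI policy.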

4: Modify the Password Policy

User Input

Attempt to modify the CLI password policy (hint - config mode). Verify that your new
password restrictions (or freedoms) actually work.

5: Explore the CLI

User Input

Explore some of the commands available in the CLI. Don't get too aggressive in your
desire to configure features. Just try to gain an understanding of what can be done at
the CLI.

Lab Discussion

Most network security tasks can only be done via the web interface.


Basic ISE Setup


Web Login

1: Web Login

Firefox is the preferred browser. Your mileage may vary with other choices.

Point the browser to https://10.10.10.10. The browser should redirect to
https://10.10.10.10/admin and present you with the login screen:

Username: admin
Password: default1A (d e f a u l t 'one' 'capital-A')

Lab Discussion

This username/password (admin) is a default for ISE. In a production network, you
should either disable this account or change the password once you gain access to the
web interface. Do not modify the 'admin' account during this lab. Once you log in to the
web interface, you can create additional web users. Web users do not have login rights
to the CLI, and CLI users do not have access to the web interface - they are mutually
exclusive.


Upon login to the web interface, you are presented with the ISE home screen. It is a
busy screen, so no graphic is provided in this lab (since it will only be an eye chart).
Some snippets of the home screen are shown and described below.

ISE Config Corner

The information bar at the top of each window is identical. In the upper-left corner, you
can return to the Home screen which gives you an overall status of your network, or
advance into the Monitor, Policy or Administration tasks. You can click on any of the
items shown to go into that portion of ISE (new screen), or hover over any of the items
with a drop-down indication to display a menu of the options for that task. These drop-
down menu expansions are called easy-access mega menus.

ISE Assistance Corner

The upper-right corner provides information about this ISE server. Here, you see the
name of your server (NGB-ISE) and the name of the logged-in user (admin). You can
Log Out, send Feedback to Cisco (Internet connection required) or search for
information within the local ISE database. This search capability is helpful to quickly
find a MAC or IP address or a username. ISE Workflows provide scripts to ease the
configuration of different options. Additional Workflows will be added in future releases.

ISE Global Toolbar

Along the bottom of every window is the global toolbar. Here, you can access online
help, and see instant status of alarms. You can also click on any of the alarms to drill
down further into them.


2: Create New Web Users

User Input

Create two new ISE web users (hint - Administration > System > Admin Access). Click
on Administrators in the left column. Create (Add) one new administrator and promote
one existing user to have login privileges. Once done, log out of ISE and log in using
each of your new accounts. Test to see if any restrictions exist with a super user versus
the other administrator types. A sample screen with new users is shown below.

3: Perform Some Monitoring and Troubleshooting Tasks

User Input

On the Home screen, examine the System Summary dashlet. From there, you can see
the memory, CPU usage and latency for the ISE device. The default display time is 24
hours. You can adjust this to 60 minutes for finer detail. When you mouse over the bar
chart (spark bars) in each column, you should see corresponding CPU, memory and
latency values. A sample System Summary is shown below.


User Input

Update the refresh interval for live events (hint: Monitor > Authentications). From here,
you can adjust the refresh rate, the number of records shown over that interval, and the
amount of time that the records are maintained. A sample Authentications screen is
shown below.

User Input

Create some favorite reports to be examined later in the lab. Start by creating a
RADIUS Failed Authentication Log for today (hint: Monitor > Reports > Catalog > AAA
Protocol). Select the RADIUS Authentication radio button and add that to your favorites.
On the template page that follows, create a name for this new favorite. Also, change
the Authentication Status to Fail, and verify that the Time Range is Today. When done,
add this to your favorites.

Next, create a second favorite for Posture Assessment (hint: Monitor > Reports >
Catalog > Posture). Select the Posture Detail Assessment radio button and add that to
your favorites. On the template page, create a name and add this to your favorites.

When done, both of these reports should appear in your Favorites Reports list (Monitor
> Reports > Favorites). Note that there are already some default favorite reports. A
sample Reports window is shown below.


ISE
Local Authentication - RADIUS Validation

In this portion of the lab, you will configure ISE for local authentication. Local
authentication is best used for special (private) user accounts for access into network
devices. It is also a simple way to validate that RADIUS is working between ISE and a
network device. Local authentication would not be used for either user or machine
authentication into the network. Perform the following configurations from either your
User or Management workstation.

1: Configure Your Switch for AAA

Lab Discussion

Each pod in the lab has its own switch:

Pod 1: Pitchfork
Pod 2: Saw
Pod 3: Shovel
Pod 4: Wrench

User Input

Telnet to your switch and enable AAA:

Enable AAA:

switch(config)# aaa new-model

Authenticate VTY sessions via RADIUS:

switch(config)# aaa authentication login vty group radius
switch(config)# line vty 0 15
switch(config-line)# login authentication vty

Do not authenticate console sessions:

switch(config)# aaa authentication login console none
switch(config)# line console 0
switch(config-line)# login authentication console

2: Create an Internal User Identity Group

User Input

(Administration > Identity Management > Groups)


Navigate to the User Identity Groups page. Click on the User Identity Groups option in
the left pane. You see that there are some default Groups already present. Add a new
group that you will use in this lab.

New Group: ______________________________

A sample user identity group is shown below.

3: Create an Internal User

User Input

(Administration > Identity Management > Identities)

Create a new Internal User and add that user to your recently-created User Identity
Group. Click on the Users option in the left pane. Add a new user. You must enter a
Name and Password. ISE does enforce default password requirements - see if you can
figure them out. Add this new user to your new User Group.

New Username/Password: ________________________________________

A sample Identities window is shown below.


4: Configure ISE for Default RADIUS Devices

User Input

(Administration > Network Resources > Network Devices)

Enable ISE to answer any device that sends a RADIUS request with the shared
secret. Go to the Network Devices page. Click on the Default Device option in the left
pane. Enable this option and enter the RADIUS Shared Secret (cisco321). It is good
practice to use a different "default" RADIUS secret than the secret used for specific
devices. Submit your changes. A sample screen is shown below.

5: Configure Your Switch for RADIUS

Configure your switch to communicate with ISE using the new default RADIUS secret.

switch(config)# radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key cisco321


6: Test the New Internal User with the Default RADIUS Devices

User Input

From the CLI prompt of your switch, telnet to your switch (telnet to yourself). Since you
have configured RADIUS, you should be prompted for a username/password upon
connection. You can use the new local username/password that you created to login to
your switch.

If you are not prompted for a username/password, then check the RADIUS server
config (IP address and secret). If you cannot login, verify the proper spelling of the new
username/password that you created.

7: Create Some Network Device Groups in ISE

User Input

(Administration > Network Resources > Network Device Group)

Network Device Groups (NDGs) are used to classify network devices in ISE policies.
NDGs are a way to group multiple devices together in user-defined categories that are
later used in authentication and authorization policies.

Navigate to the Network Device Group page. Click on the All Device Types in the left
column. Create four new NDGs. The “add” feature is found by clicking the gear.
Create the following NDGs:

• “Wired-Devices”
• “Wireless-Devices”
• “Routers”
• “Switches”

A sample screen with four new NDGs is shown below.


8: Add a Network Device

User Input

(Administration > Network Resources > Network Devices)

Add your local switch to ISE. Navigate to the Network Devices page, click on the
Network Devices option in the left pane, and Add your switch. You can use any Name
you want, but you must enter the IP address of your switch (use the 10.x.x.x IP
address). You can select one of the NDGs that you recently created. For
Authentication, use RADIUS and use 'cisco123' as the shared secret (this is different
from the default shared secret). It is good practice to use a different "default" RADIUS
secret than the secret used for specific devices. See below for a sample
completed screen.


Lab Discussion

While not done in this lab, it is possible to import devices using a CSV file. If you have
existing spreadsheets of network devices, you can move that data into a proper format/
template and import them into ISE. In the Network Devices screen, press the Import
button to generate a template and later read an existing CSV file.

9: Change the RADIUS Configuration in Your Switch

Re-Configure your switch to communicate with ISE using the new RADIUS secret.

switch(config)# radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key cisco123

10: Test the New Internal User

User Input

From the CLI prompt of your switch, telnet to your switch (telnet to yourself). Since you
have configured RADIUS, you should be prompted for a username/password upon
connection. You can use the new local username/password that you created to login to
your switch.

If you are not prompted for a username/password, then check the RADIUS server
config (IP address and secret). If you cannot login, verify the proper spelling of the new
username/password that you created.

Once you have validated that RADIUS works (the switch can talk to the ISE server),
disable VTY RADIUS authentication.

switch(config)# aaa authentication login vty none

There is no need for continual login authentication to your switch in this lab.
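Steps 6 and 10 both rely on the RADIUS exchange between the switch and ISE, and both tell you to check the shared secret when something fails. The following added example (not part of the original lab, and not Cisco code) runs that exchange in-process: the "switch" side builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, the "ISE" side recovers the password with its own copy of the secret and answers Accept or Reject, and the switch side then validates the Response Authenticator. The user database, the user name 'labuser' and its password are constructed sample values; 10.10.10.1 is the lab switch address used as the NAS-IP-Address.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865 (only the few this example needs).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return bytes([attr_type, len(value) + 2]) + value


def _xor_blocks(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: block 1 is XORed with MD5(secret + Request
    Authenticator); every later block with MD5(secret + previous ciphertext block)."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if decrypt else result  # the chain always runs over ciphertext
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_blocks(password, secret, req_auth, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_blocks(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, req_auth):
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, i = {}, 20
    while i < length:
        attr_type, attr_len = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + attr_len]
        i += attr_len
    return code, ident, authenticator, attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(packet, secret, users):
    """The ISE side: recover the password with its own copy of the secret and answer."""
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = username in users and hmac.compare_digest(password, users[username].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def verify_response(response, req_auth, secret) -> bool:
    """The switch side: recompute the Response Authenticator with the switch's secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def authenticate(username, password, switch_secret, ise_secret, users, nas_ip="10.10.10.1"):
    """One request/response round trip, classified the way a switch sees it:
    'accept', 'reject', or 'bad-authenticator' (the two sides hold different secrets)."""
    req_auth = os.urandom(16)
    request = build_access_request(1, username, password, switch_secret.encode(), nas_ip, req_auth)
    response = server_handle(request, ise_secret.encode(), users)
    if not verify_response(response, req_auth, switch_secret.encode()):
        return "bad-authenticator"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


# Constructed sample user; substitute the internal user you created in step 3.
LAB_USERS = {"labuser": "Lab0perator"}

if __name__ == "__main__":
    print(authenticate("labuser", "Lab0perator", "cisco123", "cisco123", LAB_USERS))  # accept
    print(authenticate("labuser", "wrongpass1", "cisco123", "cisco123", LAB_USERS))   # reject
    print(authenticate("labuser", "Lab0perator", "cisco321", "cisco123", LAB_USERS))  # bad-authenticator
```

The third call is the case the lab's troubleshooting note is about: when the switch still carries the default secret (cisco321) but the specific device entry in ISE uses cisco123, the server cannot recover the password and the switch cannot validate the reply, so you get neither an Accept nor a clean Reject. On a real switch that shows up as a RADIUS server being marked dead rather than as a login failure, which is why the lab says to check the secret before the spelling of the user name.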


802.1x
AD Authentication

This section of the lab will show how to use ISE to perform authentication against a
Windows Active Directory. ISE can perform both machine and user authentication with
AD. Different policies will be created to show how these options can be selected.

1: Ensure that ISE and AD are Time Sync'd

Lab Discussion

Time synchronization is important when devices join a Windows domain. If there is
more than a five minute difference, then a clock skew error occurs. To ensure that ISE
and AD have common time (note that 'accurate' is different from 'common'), synchronize
the ISE clock with the AD server.

User Input

Enable NTP from the ISE console. Point ISE to the AD server.

NGB-ISE/admin(config)# ntp server 10.10.10.11

The ISE clock should synchronize to the AD clock within a few seconds. Examine the
NTP status to verify.

NGB-ISE/admin# show ntp status

Lab Discussion

(Administration > System > Settings > System Time)

NTP can also be set from the web interface. Browse to the System Time window and
set the appropriate values.

2: Have ISE Join the Domain

User Input

(Administration > Identity Management > External Identity Sources > Active Directory)

ISE must be part of the Windows Domain to perform authentication against AD.
Navigate to the Active Directory page and click the Connection tab. On this page, use
the following information:


Domain: cpoc.army.mil
Identity Store Name: <default = AD1, you may change this>
Username: administrator
Password: cisco

If you created a new Identity Store Name, record it here: ____________________

The Identity Store name will be used when creating policies.

When finished, click Join at the bottom of the window. The status should show
CONNECTED. Below is a sample screen.

3: Select AD Groups to Authenticate Against

User Input

In the Active Directory window, select the Groups tab. Click the Add button and then
choose Select Groups from Directory:

• Domain: cpoc.army.mil
• Filter: *

Click Retrieve Groups to read the directory structure of the domain. It may take a
minute or two to retrieve the directory structure (this is typical regardless of the size of
the domain - translation - this may be time to get a snack or visit the restroom). Add
ʻDomain Usersʼ and ʻDomain Machinesʼ to ISE by checking the respective boxes and
clicking OK. Save your configuration before leaving this window. Below is a sample
screen with those two groups added.


Lab Discussion

ISE will only retrieve the first 100 entries from the domain. You can trim the search with
the filter field. For example, you can enter 'Domain*' in the Filter field to retrieve only
groups whose names start with the word "Domain". This filter is very helpful in domains
that have hundreds or thousands of groups.

Lab Discussion

These AD groups will be used later to create policy conditions. If no groups are
selected, then no AD authentications can be performed. The selection of groups here
does not imply that all users within those groups are authenticated via ISE/AD. These
groups must be referenced in policies to be treated as authentication sources.

4: Configure Your Switch for Dot1x

Lab Discussion

The following configurations should be performed from your Management workstation.
These switch configurations will limit the ability of the User workstation until dot1x is fully
configured in the network.

User Input

Telnet to your switch and enable dot1x. AAA was already globally enabled and RADIUS
is already operational.


Enable dot1x globally:

switch(config)# aaa authentication dot1x default group radius
switch(config)# aaa authorization network default group radius
switch(config)# aaa authorization auth-proxy default group radius
switch(config)# dot1x system-auth-control

Create the dot1x ACL. This ACL defines the type of traffic that is permitted prior to
dot1x authentication. It is always good practice to create an ACL prior to applying an
ACL.

switch(config)# ip access-list extended acl-default
switch(config-ext-nacl)# remark DHCP
switch(config-ext-nacl)# permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)# remark DNS
switch(config-ext-nacl)# permit udp any any eq domain
switch(config-ext-nacl)# remark ICMP/ping
switch(config-ext-nacl)# permit icmp any any
switch(config-ext-nacl)# remark PXE Boot
switch(config-ext-nacl)# permit udp any any eq tftp
switch(config-ext-nacl)# deny ip any any
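Because acl-default is what an unauthenticated host can reach while the port is in open mode, it is worth being able to answer "would this flow get through before authentication?" without a packet capture. The following added example (not part of the original lab, and not Cisco code) is a small evaluator for the subset of IOS extended-ACL syntax the lab uses: it parses the ACL exactly as pasted from the switch prompt, then walks a flow through the entries with first-match semantics and IOS's implicit deny at the end. It goes slightly beyond the lab's ACL in also accepting 'host' and wildcard-mask addresses and numeric ports; the sample flows and the service-name table are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS service-name keywords used by the lab ACL plus a few common ones (assumed mapping).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80,
              "ntp": 123, "snmp": 161, "syslog": 514}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_addr(tok, i):
    """'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' -> (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    # A non-contiguous wildcard is not a prefix; IPv4Network raises ValueError for it.
    return ipaddress.IPv4Network((tok[i], str(netmask)), strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq <name|number>' -> (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if "# " in line:  # tolerate pasted "switch(config-ext-nacl)# " prompts
            line = line.split("# ", 1)[1]
        if not line or line.startswith(("remark", "ip access-list")):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append(Rule(action, proto, src, sport, dst, dport, line))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry wins; no match means IOS's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny"


# The lab's pre-authentication ACL, pasted verbatim from the switch prompt.
LAB_ACL = """
switch(config)# ip access-list extended acl-default
switch(config-ext-nacl)# remark DHCP
switch(config-ext-nacl)# permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)# remark DNS
switch(config-ext-nacl)# permit udp any any eq domain
switch(config-ext-nacl)# remark ICMP/ping
switch(config-ext-nacl)# permit icmp any any
switch(config-ext-nacl)# remark PXE Boot
switch(config-ext-nacl)# permit udp any any eq tftp
switch(config-ext-nacl)# deny ip any any
"""

if __name__ == "__main__":
    rules = parse_acl(LAB_ACL)
    # Constructed sample flows from a pod PC before it has authenticated.
    for flow in [("udp", "0.0.0.0", 68, "255.255.255.255", 67),   # DHCP discover
                 ("udp", "10.10.10.100", 51234, "10.10.10.11", 53),  # DNS to AD
                 ("tcp", "10.10.10.100", 51235, "10.10.10.11", 80)]:  # HTTP to AD
        print(flow, "->", evaluate(rules, *flow))
```

The HTTP flow hits the explicit 'deny ip any any', while a DHCP reply direction (source port not 68) is also denied, which is the point of matching on both the bootpc source port and the bootps destination port. Note that 'permit udp any any eq tftp' lets an unauthenticated host reach TFTP on any address, not only the PXE server; if you tighten that line in a real deployment, this evaluator will tell you whether PXE still gets through.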

Configure the interface for dot1x (this is the interface of your User PC). The 'dot1x pae
authenticator' line is not in the original lab text; it puts the port in the 802.1X
authenticator role, which the 'authentication' command set used here requires before
the port will run 802.1X (MAB would still run without it):

switch(config)# interface gigabitEthernet 1/0/1
switch(config-if)# description dot1x port
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10
switch(config-if)# ip access-group acl-default in
switch(config-if)# authentication host-mode multi-domain
switch(config-if)# authentication open
switch(config-if)# authentication priority dot1x mab
switch(config-if)# authentication event fail action next-method
switch(config-if)# authentication port-control auto
switch(config-if)# dot1x pae authenticator
switch(config-if)# mab

Lab Discussion

Now that dot1x is configured on the switch port, you should start to receive
authentication reports in ISE. Take a look at the Monitor tab to see what is happening.
Until ISE is fully configured to use the AD information, any attempt to authenticate on
configured network ports will fail.

Your switch should also react to the dot1x configurations. Authentication failures (which
are expected at this point) should show up on the switch console. Enable console
messages on the VTY ports:

switch# terminal monitor


5: Create a New Identity Source Sequence

User Input

(Administration > Identity Management > Identity Source Sequences)

ISE uses Identity Source Sequences to determine where to look to validate
authentication requests. By default, only the Internal User database is used.

Create a new Identity Source Sequence (ISS) first by browsing the Identity Source
Sequences Page. Add a new ISS. You can name it anything you want, but you will
need this name when we create policies.

Identity Source Sequence: ______________________________

In the Authentication Source List portion of the window, make sure that AD1 (or
whatever you named your Identity Store earlier) is moved into the Selected column.
Save your work. A sample Create Identity Source Sequences window is shown below.


6: Examine the Current Policy Elements

(Policy > Policy Elements > Conditions > Authentication > Compound Conditions)

Policy Elements are attributes that are mapped into authentication policies. ISE has a
few default policy elements. It is possible to create more. Take a look at the current
ones by browsing to the Compound Conditions screen. We will use elements from this
screen later in the lab. A sample Compound Conditions screen is shown below.

7: Create an Authentication Policy

(Policy > Authentication)

Create a new Authentication Policy that will use Active Directory as a means of
authentication. Browse to the Authentication Policy window and add a new policy at the
top of the existing list (hint - the Actions drop-down button). Give your new policy a
unique name.

Authentication Policy: ______________________________

Configure the following attributes in this new authentication policy:

• Policy Type: Rule-Based
• Attribute: Select "Wired_802_1X"
• Select Network Access: Select "Default Network Access"
• Set Identity Source: Select the Identity Source Sequence you recently created

Save your work when done. A sample Authentication Policy window is shown below.


8: Examine the Current Authorization Profiles

(Policy > Policy Elements > Results > Authorization > Authorization Profiles)

Authorization Profiles define what actions can be taken once authentication has passed.
Examine the default Authorization Profiles. For our lab, the default profiles are
adequate. You can examine the current profiles and create additional ones if you want.
Do not modify the default profiles. A sample Authorization Profiles window is shown
below.


9: Create an Authorization Policy

(Policy > Authorization)

Now, you must create an Authorization Policy that permits AD users. Browse to the
Authorization Policy window and create a new rule at the top of the list. Apply the
following attributes:

Name: <your choice>
Identity Groups: <...>
Other Conditions: <none>
Permissions: Permit Access

Now, users and machines who authenticate against AD are permitted access via ISE.
A sample authorization policy is shown below.

** NEED GRAPHIC **

10: Test the New AD User

User Input

Attach a Windows 7 PC/laptop to your pod. Connect it to the port that you configured for
dot1x. The initial dot1x configuration will use PEAP (the built-in Windows 7 dot1x
client).

You can verify the dot1x operation both in your switch and in ISE. In your switch, type:

switch# show authentication sessions

And in ISE, you can see authentication successes and failures on the Home page.


Profiling


Posture Assessment
