Lab Guide ISE 1 2 Bootstrap

1
Nexus
Identity Services Engine (ISE)

Bootstrapping Lab Guide
Developers
This lab was created by: Aruna Yerragudi, Technical Marketing Engineer, Secure Access and
Mobility Product Group, Cisco Systems.
Lab Overview
The student will install ISE, and use the Setup Wizard to get the basic configuration needed for
wired user authentication and verify the user authentication. The student will also configure a
wired switch using the CLI commands list generated by the Setup Wizard.
Lab participants should be able to complete the lab within the allotted lab time of 2 hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Installation Verification
Lab Exercise 2: Setup Wizard
Lab Exercise 3: Wired Switch Configuration
Lab Exercise 4: Wired User Authentication Verification
ISE 1.2 Bootstrap Lab Guide
Product Overview
The Cisco Secure Access and TrustSec is the Borderless Network access control solution,
providing visibility into and control over devices and users in the network.
Within this solution, Cisco Identity Service Engine (ISE) is a context aware identity-based platform
that gathers real-time information from the network, users, and devices. ISE then uses this
information to make proactive governance decisions by enforcing policy across the network
infrastructure utilizing built in standard based controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users
and devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally laborintensive tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own
device (BYOD), through policy-enabled services.
Lab Topology
Lab IP and VLANs

Internal IP Addresses
Device
Name/Hostname
IP Address
Access Switch (3560X)
3k-access.demo.local
10.1.100.1
Data Center Switch (3560CG)
3k-data.demo.local
10.1.129.3
Wireless LAN Controller (2504)
wlc.demo.local
10.1.100.61
Wireless Access Point (2602i)
ap.demo.local
10.1.90.x/24 (DHCP)
ASA (5515-X)
asa.demo.local
10.1.100.2
ISE Appliance
ise-1.demo.local
10.1.100.21
ISE Feed Server
ise-feedserver.demo.local
10.1.100.41
AD (AD/CS/DNS/DHCP)
ad.demo.local
10.1.100.10
NTP Server
ntp.demo.local
128.107.212.175
MobileIron
mobileiron.demo.local
10.1.100.15
Mail
mail.demo.local
10.1.100.40
LOB Web
lob-web.demo.local
10.1.129.12
portal.demo.local, updates.demo.local
10.1.129.8
business.demo.local
10.1.129.9
it.demo.local
10.1.129.10
records.demo.local
10.1.129.11
LOB DB
lob-db.demo.local
10.1.129.20
Admin (Management) Client
admin.demo.local
10.1.100.6
(also FTP Server)
ftp.demo.local
Windows 7 Client PC
w7pc-guest.demo.local
10.1.50.x/24 (DHCP)
Internal VLANs and IP Subnets

VLAN
VLAN Name
IP Subnet
Description
10
ACCESS
10.1.10.0/24
Authenticated users or access network using ACLs
20
MACHINE
10.1.20.0/24
Microsoft machine-authenticated devices (L3

segmentation)
IC-ASA-ACCESS
10.1.29.0/24
Interconnect subnet between ASA and Access switch
30
QUARANTINE
10.1.30.0/24
Unauthenticated or non-compliant devices (L3

segmentation)
40
VOICE
10.1.40.0/24
Voice VLAN
50
GUEST
10.1.50.0/24
Network for authenticated and compliant guest users
90
AP
10.1.90.0/24
Wireless AP VLAN
100
Management
10.1.100.0/24
Network services (AAA, AD, DNS, DHCP, etc.)
129
WEB
10.1.129.0/24
Line-of-business Web servers
130
DB
10.1.130.0/24
Line-of-business Database servers
(29)
Note:
Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.
Accounts and Passwords

Access To
Account (username/password)
Access Switch (3560X)
admin / ISEisC00L
Data Center Switch (3560X)
admin / ISEisC00L
Wireless LAN Controller (2504)
admin / ISEisC00L
ASA (5515-X)
admin / ISEisC00L
ISE Appliances
admin / ISEisC00L
AD (CS/DNS/DHCP/DHCP)
admin / ISEisC00L
Web Servers
admin / ISEisC00L
Admin (Management) Client
admin / ISEisC00L
Windows 7 Client
W7PC-1\admin / ISEisC00L
(Local = W7PC-guest )
DEMO\admin / ISEisC00L
(Domain = DEMO)
DEMO\employee1 / ISEisC00L
Connecting to Lab Devices

Note:
To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components
Note:
Admin PC access is through RDP, therefore you must have an RDP client installed on your computer
Connect to a POD
Step 1
In the LabOps student portal, click on the Topology tab. Click on the Admin PC, then click on
the RDP Client option that appears:
Step 2
Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in
as admin / ISEisC00L
Note: All lab configurations can be performed from the Admin client PC.
Connect to ESX Server Virtual Machines

Step 1
During the lab exercises, you may need to access and manage the computers running as virtual
machines.
Step 1
From the Admin client PC, click the VMware vSphere Client icon on the taskbar
Step 2
Click OK when the VMware vSphere Client starts.
Step 3
Once logged in, you will see a list of VMs that are available on your ESX server.
Note: p##_admin VM may not be visible when you login as the student.
Step 4
This Lab uses the following VMs :

p##_ad
p##_ise-1-bootstrap
p##_lob-web
p##_w7pc-guest
Note: ## refers to the pod number that you are assigned to. E.g., For POD 2, p##_ad would be p02_ad.
Step 5
You have the ability to power on, power off, or open the console (view) these VMs.
Note: This is for information purpose only. All the required VMs are already turned on. So, DONOT turn on any other
VMs.
To do so, place the mouse cursor over VM name in the left-hand pane and right-click to select
one of these options:
Step 6
To access the VM console, select Open Console from the drop-down.
Step 7
To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Step 2
Step 3
Connect to Lab Device Consoles

Step 1
To access the lab switches and ISE servers using SSH:

a. From the Admin client PC, locate the PUTTY shortcut on the taskbar. Click on the PuTTY
shortcut and it shows a list of devices and ISE servers.
b. Select the device that youd like to log into and double click on it.
c.
If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.
Pre-Lab Setup Instructions

Basic Connectivity Test
Step 1
To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from
the Windows desktop of the Admin client PC:
Step 2
Verify that ping succeeds for all devices tested by the script.
Note:
The ping test may fail for VMs that have not yet completed the boot process.
Lab Exercise 1: Basic Installation Check

Exercise Description
While ISE comes preinstalled when ordered on a physical appliance, there are times when a
physical appliance may need to be reinstalled (aka reimaging). For virtual machine environments,
ISE will need to be freshly installed into the virtual machine. Installation of ISE consists of
booting from the ISE ISO image
starting the installation process which installs the operating system and ISE application.
the installation pauses and a setup dialog must be completed before the installation
resumes and completes.
For installation steps and the Configuring Cisco ISE refer to

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp1114266
Exercise Objective
In this exercise, you will
log in to ISE and perform basic installation checks
Lab Exercise Steps

Step 1
Log in to the virtual machine console of the VM named p##_ise-1-bootstrap. You should see
the following prompt:
ise-1 login:
Step 2
Note:
Login using the credentials admin/ISEisC00L.

You can use the VM console interface to access the ISE CLI, or you may SSH to ISE. On a physical
appliance, the serial port or the keyboard and video may be used to access the ISE CLI.
Step 3
Enter show run to confirm the setup settings you entered, and also to see other settings and
their default values.
Step 4
Use these commands to answer the following questions:

Command
show version
show inventory
show application status ise
What is the name of the operating system?
What is the full version number of the operating system?
What is the full version number of ISE?
10
What is the ISE product ID (PID)?

What is the ISE serial number (SN)?
How much RAM does this VM have?
How many CPUs?
What is the disk capacity?
How many NICs does it have?
What are the ISE processes?
Step 5
Confirm that time synchronization is working

a. Immediately after the primary NTP server is configured, you will see that ISE is in an
unsynchronized state:
ise-1/admin# show ntp
Configured NTP Servers:
ntp.demo.local
unsynchronised
polling server every 64 s
remote
refid
st t when poll reach
delay
offset
jitter
==============================================================================
127.127.1.0
.LOCL.
10 l
17
64
377
0.000
0.000
0.001
2 u
12
64
377
0.732
-9.929
3.790
*128.107.212.175 10.81.254.131
* Current time source, + Candidate

Warning: Output results may conflict during periods of changing synchronization.
After a few minutes, ISE should synchronize with the primary NTP server. The asterisk indicates
which time server it has synchronized with:
ise-1/admin# sh ntp
Configured NTP Servers:
ntp.demo.local
synchronised to NTP server (128.107.212.175) at stratum 3
time correct to within 82 ms
remote
refid
delay
offset
jitter
==============================================================================
127.127.1.0
.LOCL.
10 l
*128.107.212.175 10.81.254.131
2 u
64
377
0.000
0.000
0.001
686 1024
25
377
1.004
0.876
1.182
* Current time source, + Candidate

11
If you see that ISE has synchronized to the local machine as shown below, that should be a
warning sign that NTP time synchronization is not working:
ise-pap-1/admin# show ntp
Primary NTP
: ntp.demo.local
synchronised to local net at stratum 11

time correct to within 10 ms
remote
refid
delay
offset
jitter
==============================================================================
*127.127.1.0
.LOCL.
128.107.212.175
.LOCL.
10 l
64
4 u 1026 1024
377
377
0.000
0.478
0.000
-866.81
0.001
60.476
Note:
Synchronization with the NTP server may not be immediate. You may need to wait 10-15 minutes for ISE to
select the NTP server over the local clock please be patient
12
Lab Exercise 2: Setup Wizard

This exercise walks you through the various steps of the Setup Wizard allowing the ability to
select wired, wireless networks, user and/or guest access, enabling profiling, posture, BYOD,
entering the Network Device details, allowing you to pick either Active Directory or the ISE
Internal database for the user information and the subnets that need to be protected from the
guest access.
Exercise Objective
In this exercise, your goal is to:
familiarize yourself with the Setup Wizard
use the Setup Wizard to configure the wired user authentication
Lab Exercise Steps

Step 1
Start a web session with ISE. From the Admin PC,

a. Open a Firefox browser window and browse to http://ise-1.demo.local
b. The session will be redirected to the secure login page, https://ise-1.demo.local/admin
c.
You will be asked to confirm a security exception confirm the security exception
i. What is the security exception?
ii. Examine the web sites certificate who is the certificate issuer?
Step 2
Login using the ISE credentials admin/ISEisC00L
Step 3
When logging in for the first time, the ISE is installed with the Eval License. The below message
will pop-up.
Check the box against the Do no show this message again and Click on OK.
Note:
The above window will not appear in the lab as the ISE image has been installed with a 5 year
license.
13
Step 4
When logging in for the first time, the Setup Assistant Wizard pops up as shown below:
a. Choose the check box against Dont ask me again if you do not wish to see this for
further logins and click on Yes to launch the Setup Assistant.
b. If youve selected No for the Setup Assistant Wizard and would like to re-launch it, the
Setup Assistant Wizard can be launched from the top right hand corner. Select the Run
setup assistant option.
Step 5
The first screen on the Setup Assistant gathers the basic details about the type of deployment.
For this lab, select the options as shown below:
14
a. Since, we will not using IP phone, uncheck the box again Cisco Unified IP Phones
b. Click on Next to go to the Configure Network Access Service.
Step 6
In the Configure Network Access Service, well be selecting the various options and
specifying the required information for each option.
a. For Do you want to authenticate users using Cisco ISE?, select Yes.
b. Select the checkbox against Join the Active Directory domain and enter the following
i. Domain: demo.local
ii. Administrator Name: admin
iii. Administrator Password: ISEisC00L
c.
Click on Join Active Directory domain to join into the AD.
d. Once the join succeeds, the option for Select an AD group shows. Scroll down and
select the group as shown below
Step 7
Next proceed to selecting the other options. Since we are using the Setup Wizard to do the
Wired User Authentication, well be skipping over some of the options.
15
a. Skip the question for Posture.

b. Select Yes for Do you want to enable endpoint profiling?
i. For the SNMP string enter ISEisC00L
c.
Leave all the other options at the default No.
Click on Next to go the Network Devices section.

Step 8
At this point you should be in the Select Network Devices section. Enter the information for the
Network Device under test as shown below.
a. Click on the checkbox against the Cisco Catalyst 3560 Series Switches
b. For the other details, enter the information as below :
i. Device Name: 3K-Access
ii. Device IP Address: 10.1.100.1/32
iii. Employee VLAN Id: 10
iv. Employee Switched VLAN Interface: 10.1.10.1/24
v. DHCP Server IP address: 10.1.100.10
16
vi. Default Gateway IP address: 10.1.29.1

vii. Uplink IP Address: 10.1.29.2/24
c.
For RADIUS Shared Secret enter ISEisC00L
d. Click on Next to go the next section.

Step 9
In this section Review and Confirm You Choices, you can review all the choices selected in
the previous screens.
17
If there are any corrections to be made, click on the Previous to change the settings.
If all the information is correct, click on Confirm Configuration Settings.
Step 10
At this point ISE will start generating the ISE and switch configurations. Youll see a progress
screen as shown below.
Step 11
After all the configurations are generated, youll see the following:
Goti
a. The following tabs are shown:

i. Review your selection
ii. Network Device Configuration
iii. ISE Configurations.
b. Go to the Network Device Configuration tab and copy and paste the switch
configuration to the notepad on the Admin PC. Well use some of these commands to
configure the switch in Lab Exercise 3.
c.
Go to ISE Configuration tab to verify the various ISE Configs that were auto generated.
d. Click on Exit to exit the Setup Wizard.
18
e. Next, go to Administration > Identity Management > External Identity Sources >
Active Directory and verify the AD configuration.
f.
Go to Policy > Authentication to see the Authentication policies that were generated. All
the policies generated using the Setup Wizard will have the prefix AutoGen
g. Go to Policy > Authorization to verify the Authorization rules and policies that were auto
generated using the Setup Wizard.
End of Exercise: You have successfully completed this exercise.

Proceed to next section.
19
Lab Exercise 3: Wired Switch Configuration

There are numerous lines of IOS configuration that are required for the TrustSec identity
functionality. This exercise walks you through the key TrustSec elements of a baseline IOS
configuration which were generated by the ISE Setup Wizard
Exercise Objective
In this exercise, your goal is to review and understand the IOS baseline configurations described
in this exercise.
The switch is already configured with the VLAN and the routing configurations. So, well only be
configuring the missing commands.
Note:
Some of the CLI commands may already be pre-configured. Verify and configure only the missing
CLI configs.
Lab Exercise Steps

Step 1
Login to the 3k-access switch from the Admin PC desktop using the PUTTY, credentials
admin/ISEisC00L.
Step 2
For this entire exercise use the Switch commands that were generated by the ISE Setup Wizard
in Step 11.b from Lab Exercise 2.
Step 3
From the section titled ! AAA Configuration in the switch commands, configure the AAA
settings
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
Step 4
Enable RADIUS Change of Authorization (CoA)

aaa server radius dynamic-author
client 10.1.100.21 server-key ISEisC00L
20
aaa session-id common
Step 5
Configure the CLI commands for device discovery

ip dhcp snooping
ip device tracking
Step 6
Enable 802.1X authentication globally on the switch

dot1x system-auth-control
Step 7
Configure the RADIUS settings

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key
ISEisC00L
radius-server vsa send accounting
radius-server vsa send authentication
Step 8
The VLAN configuration should already be pre-configured on the switch. So, skip the VLAN
configuration commands
Step 9
Enable IOS http servers for web auth

ip http server
ip http secure-server
Step 10
The routing configurations are already configured on the switch. DO NOT make any changes to
the routing configuration
Step 11
The following logging commands are for troubleshooting and POC only and not for production
networks.
logging host 10.1.100.21 transport udp port 20514
logging origin-id ip
logging source-interface Vlan100
Step 12
Configure Ingress Port ACLs
21
ip access-list extended ACL-DEFAULT

remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq www
permit udp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
Step 13
Enable command for Profiling

access-list 20 remark ISE Profiling SNMP probe access
access-list 20 permit 10.1.100.21
snmp-server community ISEisC00L RW
snmp-server host 10.1.100.21 version 2c ISEisC00L
Step 14
Now, configure the interface level commands which include the basic identity settings on the
switch ports and the identity mode. Go to the GigInterface0/1 to configure all the interface
settings
switchport access vlan 10
switchport mode access
ip access-group ACL-DEFAULT in
22
authentication event fail action next-method

authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
Ensure that the port is not in shutdown state. If so, issue the CLI command no shutdown.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
23
Lab Exercise 4: Wired User Authentication

Verification
After configuring the required policies on the ISE and doing the switch configuration, the last step
to is to verify that the defined policies can be used for Wired Users.
Exercise Objective
In this exercise, your goal is to verify the Wired User Authentication and understand the
authorization profiles that the authentication matched with.
Lab Exercise Steps

Step 1
Open and login to the VMware vSphere Client on the desktop of your lab console
Step 2
If the p##_w7-pc-guest VM is not turned on already, start it by right-clicking on the VM and

selecting Power > Power On
Step 3
Right-click on p##_w7-pc-guest VM and select Open Console.
Step 4
Login to your Windows 7 Enterprise endpoint with the credentials admin/ISEisC00L. You may
need to use the menu item (top left of vsphere client) VM > Guest > Send Ctrl+Alt+Del to
invoke the Windows login screen
Step 5
From the Windows desktop, click Start and type services.msc Scroll down until you see the
Wired AutoConfig (not WLAN AutoConfig) service.
Step 6
Right-Click Wired AutoConfig and select Properties.
24
Step 7
Choose Startup type: Automatic
Step 8
Start the service and select OK.
Step 9
From the Windows desktop, go to Start Menu > Control Panel > Network and Internet >
Network and Sharing Center
Step 10
Select Change Adapter Settings from the left column.
Step 11
Right-click on the network adapter called w7-pc-guest-wired and select Enable
Step 12
Right-click again on the network adapter named w7-pc-guest-wired and select Properties
from the menu.
Step 13
Click the Authentication tab (this was enabled by starting the Wired AutoConfig service) and
verify the settings:
Step 14
Select Settings next to Microsoft: Protected EAP (PEAP) and uncheck Validate Server
Certificate.
25
Step 15
For Select Authentication Method choose Secured password (EAP-MSCHAP v2) then
select Configure
Step 16
Uncheck "Automatically use my Windows logon name and password" to prevent

username/password caching and allow you to easily test many different users and groups.
Step 17
Select OK
Step 18
Select Additional Settings
Step 19
Enable Specify authentication mode and choose User authentication
26
Step 20
Select OK and OK again to save and exit settings. The endpoint should now be ready to
handle 802.1X user authentication.
Step 21
You should see a message popup on the Windows 7 Endpoint: Additional information is
needed to connect to this network. Click on the message to view the 802.1X user
authentication dialog.
Note:
Step 22
Note:
If you wait too long to respond, the message may disappear. If so, disable and enable the interface to get
the pop-up back.
Enter the credentials for the user account employee1/ISEisC00L

Microsoft Windows does not provide any feedback for a Passed Authentication but it will re-prompt you for a
failed authentication.
27
Step 23
Verify your authentication passed in ISE under Operation > Authentications. You should the
authentication information in the live logs similar to below :
Verify that the authorization profile used matches the profile defined using the Setup Wizard.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.

Lab Guide ISE 1 2 Bootstrap

Uploaded by

Copyright:

Available Formats

Lab Guide ISE 1 2 Bootstrap

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lab Guide ISE 1 2 Bootstrap

Uploaded by

Copyright:

Available Formats

1

Identity Services Engine (ISE)

Lab Exercise 1: Installation Verification

Lab Exercise 2: Setup Wizard

Lab Exercise 3: Wired Switch Configuration

Lab Exercise 4: Wired User Authentication Verification

ISE 1.2 Bootstrap Lab Guide

ISE 1.2 Bootstrap Lab Guide

Lab IP and VLANs

Access Switch (3560X)

Data Center Switch (3560CG)

Wireless LAN Controller (2504)

Wireless Access Point (2602i)

ISE 1.2 Bootstrap Lab Guide

ISE Feed Server

Admin (Management) Client

(also FTP Server)

Internal VLANs and IP Subnets

Authenticated users or access network using ACLs

Microsoft machine-authenticated devices (L3

Interconnect subnet between ASA and Access switch

Unauthenticated or non-compliant devices (L3

Network for authenticated and compliant guest users

Network services (AAA, AD, DNS, DHCP, etc.)

Line-of-business Web servers

Line-of-business Database servers

ISE 1.2 Bootstrap Lab Guide

Accounts and Passwords

Access Switch (3560X)

Data Center Switch (3560X)

Wireless LAN Controller (2504)

Admin (Management) Client

Connecting to Lab Devices

Connect to ESX Server Virtual Machines

ISE 1.2 Bootstrap Lab Guide

Click OK when the VMware vSphere Client starts.

This Lab uses the following VMs :

To access the VM console, select Open Console from the drop-down.

ISE 1.2 Bootstrap Lab Guide

Connect to Lab Device Consoles

To access the lab switches and ISE servers using SSH:

ISE 1.2 Bootstrap Lab Guide

Pre-Lab Setup Instructions

ISE 1.2 Bootstrap Lab Guide

Lab Exercise 1: Basic Installation Check

booting from the ISE ISO image

For installation steps and the Configuring Cisco ISE refer to

log in to ISE and perform basic installation checks

Lab Exercise Steps

Login using the credentials admin/ISEisC00L.

Use these commands to answer the following questions:

ISE 1.2 Bootstrap Lab Guide

What is the ISE product ID (PID)?

Confirm that time synchronization is working

st t when poll reach

* Current time source, + Candidate

st t when poll reach

* Current time source, + Candidate

ISE 1.2 Bootstrap Lab Guide

synchronised to local net at stratum 11