ISE Pre ATP Lab Guide Combined
This lab was created by: Sanjeev Patel, Technical Marketing Engineer, Policy Management
Business Unit, Cisco Systems
Lab Overview
The student will install ISE, and perform some basic configuration tasks to familiarize herself with
the ISE user interfaces, and also to confirm that basic authentication is functioning. The student
will also configure a wired switch in Monitor mode as a configuration baseline for other ISE labs.
Lab participants should be able to complete the lab within the allotted lab time of (1 !) hour(s).
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Installation Setup
Connect to a POD:
Step 1 Launch the Remote Desktop application on your system.
Step 2 Enter the Admin PC address:port for your pod per the table:
Step 3 Log in as DEMO\admin / cisco123 (Domain = DEMO)
Step 4 All lab configurations can be performed from the Admin client PC.
To access and manage other computers used in this lab, follow the instructions Connect to
ESX Server Virtual Machines.
To access the console of the ISE appliance and other lab infrastructure devices, follow the
instructions Connect to Lab Device Consoles.
Connect to ESX Server Virtual Machines:
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Reference the above POD Access Information table to verify the IP Address/Name of the ESX
Server for your pod.
Step 5 Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, go to Start and select from the Windows Start
Menu to open a terminal session using PuTTY.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of
the desired device in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
100 DATACENTER 10.1.100.0/24 Network services (AAA, AD, DNS, DHCP, NTP, etc.)
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By
default, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE
VLAN 40.
Note: Other virtual machines required for this lab such as AD or Windows 7 will be started for you.
Note: * For Lab 1, pX-ise-1-lab1a is required to perform the installation setup in exercise 1. The setup can take
45mins+ to complete. In the interest of time, you can perform the setup on pX-ise-1-lab1a, and then switch
to pX-ise-1-lab1b which has the setup already completed. If you decide to use pX-ise-1-lab1b, ensure you
power down pX-ise-1-lab1a to avoid an ip address conflict. Alternatively, while performing the setup on pX-
ise-1-lab1a, use 10.1.100.254 as its IP address, to avoid a conflict.
Verify that the ping succeeds for all devices tested by the script.
Note: For Lab 1- Bootstrapping ISE, the ping to ise-1 will fail as ise-1 has not been installed yet.
starting the installation process, which installs the operating system and ISE application.
The installation pauses and a setup dialog must be completed before the installation
resumes and completes.
In this exercise you will complete the setup dialog and complete an ISE installation on a virtual
machine.
Exercise Objective
In this exercise, you will
complete the installation setup dialog and ensure that the installation completes
**********************************************
Please type setup to configure the appliance
**********************************************
localhost login:
Note: The password policy is not explicitly stated but a password of 'default1A' will work
Note: After completing the setup dialog, it may take roughly 45 minutes before the installation completes
Note: In the interest of time, you may shut down this VM and switch to pX-ise-1-lab1b which has the setup and
installation completed
After the setup dialog is completed, the installation will continue and finish with a reboot. The
installation is complete when you are presented with a login prompt:
ise-1 login:
Note the current time. How long did the setup and final installation process take to complete?
Step 4 Login using the credentials you provided during the setup.
Note: At this point you may continue using the VM console interface to access the ISE CLI, or you may SSH to
ISE. On a physical appliance, the serial port or the keyboard and video may be used to access the ISE CLI.
Step 5 Enter show run to confirm the setup settings you entered, and also to see other settings and
their default values.
Step 6 Use these commands to answer the following questions:
Command
Show inventory
disk:
ftp:
nfs:
sftp:
tftp:
Generating configuration...
ise-1/admin#
You can confirm that ISE can communicate with the repository using the show repository
command (you should see a directory listing from the ftp server):
ise-1/admin# show repository myFTP
<file list>
ise-1/admin#
Note: In this lab, the FTP server is on the Admin PC. The FTP home directory is C:\Configs
unsynchronized
time server re-starting
polling server every 64 s
==============================================================================
127.127.1.0 .LOCL. 10 l 14 64 7 0.000 0.000 0.001
128.107.220.1 CHU_AUDIO(1) 4 u 14 64 7 0.773 0.528 0.431
After a few minutes, ISE should synchronize with the primary NTP server. The asterisk indicates
which time server it has synchronized with:
If you see that ISE has synchronized to the local machine as shown below, that should be a
warning sign that NTP time synchronization is not working:
Note: CSCtl78258, Need linux NTP best practices for virtual environments, has been filed to better tailor the ISE
OS and NTP server environment for virtual environments. These best practices can help to ensure that ISE
does not erroneously synchronize with the local machine.
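To make the check above mechanical, here is an added example (written for this page, not part of the lab guide) that parses `show ntp` peer output in the layout shown and classifies the sync state, flagging the case where the selected source is the local clock. The sample outputs, the function names and the handling of the leading tally character are assumptions of this example; the peer-table format itself is the standard ntpq layout the guide reproduces.

```python
# Constructed `show ntp` outputs in the layout the lab guide shows (status line plus
# peer table). The first column of a peer line is the ntpq "tally" character:
# '*' marks the source the daemon has selected, ' ' an unselected candidate.
SAMPLE_LOCAL = """\
synchronised to local net at stratum 11
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   14   64    7    0.000    0.000   0.001
 128.107.220.1   CHU_AUDIO(1)     4 u   14   64    7    0.773    0.528   0.431
"""

SAMPLE_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   14   64  377    0.000    0.000   0.001
*128.107.220.1   CHU_AUDIO(1)     4 u   14   64  377    0.773    0.528   0.431
"""

SAMPLE_NONE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   14   64    7    0.000    0.000   0.001
 128.107.220.1   CHU_AUDIO(1)     4 u    -   64    0    0.000    0.000   0.000
"""

TALLY = set(" x.-+#*o")  # ntpq tally codes; anything else is not a peer line


def parse_peers(text):
    """Return one dict per peer line; status, header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line or line[0] not in TALLY:
            continue
        fields = line[1:].split()
        # header row ("remote refid st ...") has 10 fields too, but 'st' is not a number
        if len(fields) != 10 or not fields[2].isdigit():
            continue
        remote, refid, st, typ, when, poll, reach = fields[:7]
        peers.append({
            "tally": line[0], "remote": remote, "refid": refid,
            "stratum": int(st), "type": typ,
            "reach": int(reach, 8),          # reach is an octal shift register
            "offset": float(fields[8]),
        })
    return peers


def reach_fraction(reach_octal):
    """Fraction of the last 8 polls answered, from the octal 'reach' column."""
    return bin(int(reach_octal, 8)).count("1") / 8


def ntp_status(text):
    """'unsynchronized', 'synced_to_local_clock' or 'synchronized'."""
    selected = [p for p in parse_peers(text) if p["tally"] in "*o"]
    if not selected:
        return "unsynchronized"
    p = selected[0]
    # 127.127.x.x / .LOCL. / type 'l' all mean the undisciplined local clock
    if p["remote"].startswith("127.127.") or p["refid"] == ".LOCL." or p["type"] == "l":
        return "synced_to_local_clock"
    return "synchronized"
```

Note that the peer table reproduced in the guide above has lost its tally column in extraction; the parser expects it as the first character of each peer line, as the real CLI prints it.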
Exercise Objective
In this exercise, your goal is to:
familiarize yourself with the dashboard
familiarize yourself with some of the key web UI widgets and features
check the ISE licensing
Note: The default web UI credentials are admin/cisco. On first login, you will be prompted to change the default
password. Change it to default1A
Note: The above screenshot was taken from a production ISE deployment, to show a realistic example of the ISE
dashboard. Your lab ISE dashboard will obviously not reflect the data shown above.
a. There are two question mark icons, one in top right corner, the other in the bottom left.
Test their behavior
i. One will provide About information. What is the ISE version you're using?
b. Test the mouse hover behavior:
i. Hover the mouse over the ISE hostname in the top right corner. You should see the
ISE role and system time appear
ii. Hovering the mouse over the graphs on the dashboard should provide more
graph data
iii. Hovering the mouse over the Alarms area in the bottom right corner should make
an alarm listing area pop up from the bottom of the screen
iv. Hovering over the navigation bar will open up a display of the navigation tree,
allowing direct navigation to a configuration area, rather than having to traverse
each step of the tree:
d. Select a Task Navigator and explore the steps that are provided:
Note: During this training and at any time during your future use of ISE, you should use this link to provide
feedback to the ISE product team.
Exercise Objective
In this exercise, your goal is to:
Attribute Value
ise
Step 3 Create a certificate signing request (CSR)
a. Go to Administration > System > Certificates > Local Certificates, and click
Add
b. Generate a certificate signing request
Attribute Value
c. Export the CSR from Administration > System > Certificates > Certificate
Signing Requests
d. Once saved, open the .PEM file with notepad and copy the entire contents to the
clipboard.
Step 4 Submit the CSR to the CA for signing
a. From a browser window, go to http://ad.demo.local/certsrv and login
with administrator / cisco123.
b. Click on Request a certificate, and then Advanced certificate request.
Attribute Value
Attribute Value
Replace Certificate [ ]
Exercise Objective
In this exercise, your goal is to:
Configure a RADIUS client test tool to send ISE RADIUS requests
Configure the lab switch, in ISE, for RADIUS
Test
VPN
Wired
Wireless
Attribute Value
Name NTRadping
IP Address 10.1.100.6/32
Send another request from NTRadping. What is the failure reason now in Live
Authentications?
d. Configure the wired lab switch as a network device:
Attribute Value
Name 3k-access
IP Address 10.1.250.2/32
Attribute Value
Name wlc
IP Address 10.1.100.61/32
Attribute Value
Name asa
IP Address 10.1.70.1/32
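As an added illustration of what a RADIUS test client such as NTRadping does on the wire, the following Python (written for this page; it is neither NTRadping's code nor part of the lab guide) builds a PAP Access-Request per RFC 2865, hides the User-Password under the shared secret, parses the attribute list, and checks the Response Authenticator of a reply. The shared secret cisco123 and the NAS address 10.1.100.6 are the values from the tables above; the username, packet identifier and the simulated server reply are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones used here).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN_USER = 1


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    block), seeded with the Request Authenticator. This is keyed obfuscation under the
    shared secret, not modern encryption, which is why the secret and transport matter."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)          # pad to a multiple of 16 bytes
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = _xor(pw[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Inverse of hide_user_password, as the server does before checking the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def attribute(type_, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """Assemble a PAP Access-Request as a test client would send it to ISE."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_user_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(payload):
    """Walk the TLV list that follows the 20-byte header; a Length below 2 would never
    advance, so it is rejected instead of looping."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        type_, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((type_, payload[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, request, secret):
    """Server side (simulated): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response, request, secret):
    """Client side: recompute the Response Authenticator. A reply built with a different
    secret, or a Reject whose code was flipped to Accept, fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"cisco123"  # shared secret configured on the network device entries above
    req = build_access_request(1, secret, "user1", "cisco123", "10.1.100.6")
    accept = build_response(ACCESS_ACCEPT, req, secret)
    print(len(req), "byte Access-Request; reply authentic:",
          response_is_authentic(accept, req, secret))
```

Because both the password hiding and the Response Authenticator are keyed by the shared secret, a mismatch between the secret in the ISE network device entry and the one in the test tool breaks the exchange in both directions: the server cannot recover the password, and the client cannot validate the reply.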
Exercise Objective
In this exercise, your goal is to:
Configure an internal user
Send authentication and accounting requests for this user
View the access policies and use the reporting tools to examine the authentication flow
Note: The user password policy can be modified under Administration > Identity Management > Settings >
User Password Policy
Exercise Objective
In this exercise, your goal is to:
Understand how to join ISE to AD
Confirm that the authentication and authorization functionality is working
Understand how to obtain troubleshooting information
a. In ISE, go to Administration > Identity Management > External Identity Sources, and
select Active Directory.
b. Enter the domain name under the Connection tab:
Attribute Value
Domain Name demo.local
Identity Store Name demo.local
c. Before saving the configuration, click on Test Connection. Enter the following ISE AD
credentials, user1/cisco123. Wait until the test completes, and then click the Show
Detailed Log checkbox:
Note: ISE does not require elevated AD credentials to join AD; it just requires a regular user account that has
permissions to join a workstation (default AD permissions allow a user to join up to 10 workstations to AD).
Note: If the AD join fails, try again with full domain credentials (administrator/cisco123). This is just a temporary
workaround for this lab; the issue is related to VM cloning and should not normally be seen.
e. If the operation was successful, you should see the following values on the Connection
tab, updated as follows:
Attribute Value
Local Node Status Joined to Domain: demo.local
Connection Status CONNECTED
Note: For AD debugging information, debugging may be turned on from Administration > System > Logging >
Debug Log Configuration. Click on the node name, and then enable AD debugging from the Active
Directory Debug tab.
Note: To view the AD debug log, go to Monitor > Troubleshoot > Download Logs. Click on the node, and then
select the ad_agent.log file from the Debug Logs tab.
Step 2 Test that AD authentication is working
a. Add a rule to the authentication policy to send requests from Test devices to AD
i. Navigate to Policy > Authentication
ii. Add a new rule to the Authentication Policy, to be the first in the rule table
(hint: use the Actions drop down):
Populate the rule as follows:
Attribute Value
Name Test Authentications
if DEVICE:Device Type Equals All Device Types#Test
allow protocols Default Network Access
use demo.local
iii. Add the if condition by clicking the Create New Condition option:
iv. Click on the right arrow to expand the rule, and add the identity store to use,
like this:
b. Use NTRadping to send an authentication request for user2/cisco123 (this is an AD
user). Confirm that the authentication passes as you would expect.
Step 3 Confirm that ISE can query AD groups and user attributes
a. Under Administration > Identity Management > External Identity Sources > Active
Directory, select the Groups tab. Click Add > Select Groups From Directory > Retrieve
Groups. You should see the AD groups appear in the window.
b. Click Cancel and select the Attributes tab. Click Add > Select Attributes From Directory.
Enter user2 as an example user. Click on Retrieve Groups. You should see user2's AD
attributes appear. Click cancel to close the window.
Exercise Objective
In this exercise, your goal is to review and understand the IOS baseline configurations described
in this exercise.
switch(config)# aaa authentication dot1x default group radius
    Creates an 802.1X port-based authentication method list
switch(config)# aaa authorization network default group radius
    Required for VLAN/ACL assignment
switch(config)# radius-server attribute 6 on-for-login-auth
    Sends the Service-Type attribute in access requests
switch(config)# radius-server attribute 25 access-request include
    Sends the Class attribute in access requests [CHECK]
switch(config)# radius-server dead-criteria time 5 tries 3
    Wait 3 x 5 seconds before marking the RADIUS server as dead
switch(config)# ip radius source-interface g0/24
    Send RADIUS requests from the 7K interface
a. Once the above configuration has been entered, send a test authentication from the
switch:
User rejected
switch(config-if-range)# switchport mode access
    Places the switch port in access mode. Also required before any authentication
    commands can be entered for the port(s)
switch(config-if-range)# authentication host-mode multi-auth
    Allows a single IP phone and one or more data clients to independently
    authenticate on an authorized port. Each host, or MAC address, is
    authenticated individually.
switch(config-if-range)# authentication priority dot1x mab
    Even if MAB passes, the switch will still perform 802.1X if requested by a
    supplicant
switch(config)# ip access-list extended ACL-ALLOW
    Define ACLs that will be used in other labs; permit any IP traffic
 permit ip any any
switch(config)# ip access-list extended ACL-DEFAULT
    Define ACLs that will be used in other labs; permit only DHCP BOOTP, DNS,
    ping, TFTP traffic
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny ip any any log
switch(config)# ip access-list extended ACL-WEBAUTH-REDIRECT
    Define ACLs that will be used in other labs
 deny ip any host 10.1.100.21
 permit ip any any
switch(config-if-range)# ip access-group ACL-ALLOW in
    Apply the ACL-ALLOW ACL to the access ports
switch(config-if-range)# authentication timer reauthenticate server
switch(config-if-range)# end
switch(config)# epm logging
    Note: on some switch platforms such as the one in this lab, this command
    does not persist (it is not NVgened)
! End of Exercise: You have successfully completed this exercise. Proceed to next section.
Read 1 domain controllers which provide ldap services for domain: demo.local
Host Diagnostics
OS: Linux
Version: 2.6.18-164.el5PAE
Number of CPUs: 2
IP Diagnostics
Domain Diagnostics:
Domain: demo.local
ad.demo.local:389
isGlobalCatalogReady: TRUE
domainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
forestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
domainControllerFunctionality: 3 = (DS_BEHAVIOR_WIN2008)
isGlobalCatalogReady: TRUE
domainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
forestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
domainControllerFunctionality: 3 = (DS_BEHAVIOR_WIN2008)
! End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
Lab Overview
This lab is designed to help attendees understand how to configure and deploy ISE Profiler. It
covers the basic configuration and management for profiling devices in an 802.1X environment.
Lab Users should be able to complete the lab within the allotted lab time of (2) hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Verification
Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes
Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints
Connect to a POD:
Step 1 Launch the Remote Desktop application on your system.
Step 2 Enter the Admin PC address:port for your pod per the table:
Step 3 Log in as admin / cisco123 (Domain = DEMO)
Step 4 All lab configurations can be performed from the Admin client PC.
To access and manage other computers used in this lab, follow the instructions Connect to
ESX Server Virtual Machines.
To access the console of the ISE appliance and other lab infrastructure devices, follow the
instructions Connect to Lab Device Consoles.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Reference the above POD Access Information table to verify the IP Address/Name of the ESX
Server for your pod.
Step 5 Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Step 6 You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, go to Start and select from the Windows Start
Menu to open a terminal session using PuTTY.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of
the desired device in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Lab Topology
This is the topology used for this lab.
Internal IP Addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
VLAN Number VLAN Name IP Subnet Description
100 DATACENTER 10.1.100.0/24 Network services (AAA, AD, DNS, DHCP, etc.)
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By
default, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE
VLAN 40.
Access To Account (username/password)
Pre-Lab Setup Instructions
During the initial delivery of the ISE Labs for the NPI training sessions, the GOLD labs will
operate in a manual fashion. Therefore, it may be necessary to manually perform a few tasks
prior to the start of each lab. The following instructions will prepare your pod for successful
execution of this lab guide.
Step 2 Copy the lab startup config for this lab to 3k-access per the below table:
Loading 3k-access-lab4-start.cfg !
[OK - 8275/4096 bytes]
8275 bytes copied in 5.344 secs (1548 bytes/sec)
Lab # - Title ISE VMs
Note: Other virtual machines required for this lab such as AD and the Admin client will be started for you.
Note: The ping test may fail for VMs that have not yet completed the boot process.
Lab Verification: Verify initial lab setup and
configuration
Exercise Description
Initial lab setup and pre-configuration verification.
Exercise Objective
Verify the default bootstrap configuration and connectivity.
Step 1 Go to the Admin client PC and open a web browser to log into your ISE appliance
(https://ise-1.demo.local) with username/password = admin / default1A
Step 2 Verify your network access switch (3k-access) is configured and setup correctly.
a. Go to Administration > Network Resources > Network Devices and select 3k-access
c. Verify the shared secret used in the authentication settings. Click the Show button and
verify cisco123 is the shared secret.
Step 3 Use the desktop shortcut for the PuTTY SSH client to launch a terminal session to the 3k-
access switch (10.1.250.2) using the credentials admin / cisco123 (enabled password
cisco123).
In this lab we are only concerned with the IP Phone and IP Camera.
Step 5 On the access switch verify MAB is configured on the switch ports for non-authenticating
devices.
Step 6 Also verify Multi-Auth authentication is enabled on the switch port. This is needed for the IP
Phone to authenticate. Both voice and data domains will authenticate via 802.1X and then fall
over to MAB.
interface Gi0/1
ip access-group ACL-ALLOW in
authentication open
authentication periodic
mab
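As an added example (written for this page, not from the lab guide), the Python below audits an IOS running-config against the Lab 1 baseline tables (the aaa, radius-server and per-port authentication commands) and performs the MAB and multi-auth checks of Steps 5 and 6 above in one pass. The sample configuration is constructed: Gi0/2 is deliberately left without the multi-auth host mode, and epm logging is absent, as the baseline note says it may be after a reload; the required-command lists are the commands shown in the baseline tables.

```python
# Constructed IOS running-config excerpt. Interface names, VLAN numbers and the
# switch address follow the lab topology; nothing here was captured from a real switch.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
ip access-list extended ACL-ALLOW
 permit ip any any
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication periodic
 authentication priority dot1x mab
 authentication timer reauthenticate server
 mab
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-ALLOW in
 authentication open
 authentication periodic
 authentication priority dot1x mab
 authentication timer reauthenticate server
 mab
!
interface GigabitEthernet0/24
 description Uplink to DATACENTER
 no switchport
 ip address 10.1.250.2 255.255.255.0
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
ip radius source-interface GigabitEthernet0/24
!
"""

# Global commands from the Lab 1 baseline; 'epm logging' is the one the guide warns
# is not saved on some platforms, so it is the usual finding after a reload.
GLOBAL_REQUIRED = [
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "radius-server dead-criteria time 5 tries 3",
    "epm logging",
]

# Per-port commands from the baseline plus the MAB / multi-auth checks above.
PORT_REQUIRED = [
    "switchport mode access",
    "authentication host-mode multi-auth",
    "authentication open",              # monitor mode: a failed auth does not block traffic
    "authentication periodic",
    "authentication priority dot1x mab",
    "authentication timer reauthenticate server",
    "mab",
    "ip access-group ACL-ALLOW in",
]


def canonical(name):
    """Accept 'Gi0/1', 'Gi 0/1' or 'GigabitEthernet0/1' and return the long form."""
    name = name.replace(" ", "")
    if name.startswith("Gi") and not name.startswith("GigabitEthernet"):
        name = "GigabitEthernet" + name[2:]
    return name


def parse_ios_config(text):
    """Split a config into global commands and a per-interface list of sub-commands.
    IOS indents sub-commands with one space and separates blocks with '!'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.startswith("interface "):
            current = canonical(raw.split(None, 1)[1])
            interfaces[current] = []
        else:
            current = None
            if raw.strip() and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(text, access_ports):
    """Return {'global': [missing...], '<interface>': [missing...]} for the given ports."""
    global_lines, interfaces = parse_ios_config(text)
    findings = {"global": [c for c in GLOBAL_REQUIRED if c not in global_lines]}
    for port in access_ports:
        name = canonical(port)
        present = interfaces.get(name)
        if present is None:
            findings[name] = ["<interface not in config>"]
            continue
        findings[name] = [c for c in PORT_REQUIRED if c not in present]
    return findings
```

Run it against the output of `show running-config` rather than the startup config, since a command that is not NVgened is exactly the kind of drift a startup-config audit would miss.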
Step 9 Verify Radius VSA information is configured for accounting and authentication.
Lab Exercise 1: Enable ISE, Probes, and
Network Device for Profiling
Exercise Description
This exercise will enable the profiling probes and NAD communication on your ISE Policy Service
node.
Exercise Objective
At the end of this exercise you will learn how to enable the probes for your ISE Policy Service
node via the GUI.
Step 5 Click the Save button and make sure your changes were saved successfully.
Step 6 Now go to your pre-configured NAD device on ISE to enable SNMP communication.
Administration > Network Resources > Network Devices
a. Click on the 3k-access switch
b. In the configuration page enable the SNMP Settings section
c. Expand the setting and select SNMP version 2c
d. Enter ciscoro as the read only community string
e. Verify Link Trap Query is enabled.
f. Verify MAC Trap Query is enabled.
g. Set the polling interval to 600 seconds (LAB USE ONLY !)
h. Leave all other settings the same and click Save.
Note: You can use multiple interfaces to enable the ISE probes. You can also enable ISE Profiling on other Policy
Service nodes if you have the proper licensing in place.
Step 7 Enable the Change of Authorization globally for Profiling. This will allow any status changes of a
device to be sent to the access device for an endpoint.
a. Go to Administration > System > Settings > Profiling > CoA Type = Reauth
Note: Use caution when enabling this feature when first profiling your devices. The Change of Authorization will
occur for all newly profiled devices.
Step 8 To verify the default actions for profiled devices, go to Policy > Policy Elements > Results >
Profiling > Exception Actions (Advanced Exception actions will not be covered in this lab.)
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 2: Configure and Verify NAD
Communication with ISE Probes
Exercise Description
Configure ISE probes
Exercise Objective
In this exercise, your goal is to configure and verify your ISE probes are working as
advertised.
Step 4 Verify SNMP communication between the ISE node and the switch. You should see the SNMP
requests coming into the switch from ISE-1 similar to that shown below. You should also see
responses from the switch for SNMP MIB requests from ISE Profiling Service.
3k-access# debug snmp packet
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
system.2.0 = products.797
sysUpTime.0 = 428342588
system.4.0 =
system.5.0 = 3k-access.demo.local
system.6.0 =
system.7.0 = 6
system.8.0 = 0
sysOREntry.2.1 = cisco.7.129
sysOREntry.2.2 = cisco.7.115
Step 5 Turn off the SNMP debug by typing no debug all at the exec mode prompt on the switch
command line interface.
Step 6 Bring up switchport Gi 0/2 by entering the command no shutdown under the interface in
configuration mode.
Step 7 Verify RADIUS packets are being sent to ISE by entering debug radius authentication from
exec mode on the access switch. These will be sent when a MAC Authentication Bypass (MAB)
session is initiated for clientless devices. This information will be received by the Profiler Radius
Probe and used in profiling endpoints.
Step 8 You will see the following output. MAB will take some time to initiate after the DOT1X
authentication requests time out.
*Apr 20 14:40:45.339: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on
Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
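The following Python is an added example (not from the lab guide) that parses switch syslog lines of the %AUTHMGR / %MAB / %DOT1X form shown above into one summary per AuditSessionID: which methods were tried, the MAC once it was learned, and whether authorization succeeded. Only the START line quoted above comes from the guide; the other log lines, their message wording for the SUCCESS and FAIL events, and the second session on Gi0/1 are constructed for this example.

```python
import re

# Constructed syslog excerpt. The Gi0/2 session (MAC and AuditSessionID from the guide's
# sample line) tries 802.1X with no supplicant present, then MAB succeeds; the Gi0/1
# session is a constructed MAB failure. The last line is a CLI echo, not a log event.
SAMPLE_LOG = """\
*Apr 20 14:40:15.002: %AUTHMGR-5-START: Starting 'dot1x' for client (Unknown MAC) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
*Apr 20 14:40:45.339: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
*Apr 20 14:40:45.612: %MAB-5-SUCCESS: Authentication successful for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
*Apr 20 14:40:45.620: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
*Apr 20 14:41:02.100: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi0/1 AuditSessionID 0A0164010000001004A3E1F0
*Apr 20 14:41:02.410: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi0/1 AuditSessionID 0A0164010000001004A3E1F0
*Apr 20 14:41:02.415: %AUTHMGR-5-FAIL: Authorization failed for client (0011.2233.4455) on Interface Gi0/1 AuditSessionID 0A0164010000001004A3E1F0
3k-access# debug radius authentication
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z_]+): (?P<text>.*)$")
DETAIL_RE = re.compile(
    r"client \((?P<mac>[^)]*)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)")
METHOD_RE = re.compile(r"Starting '(?P<method>\w+)'")


def normalize_mac(mac):
    """'001e.e599.fc5b' (IOS) -> '00:1E:E5:99:FC:5B' (as the ISE Endpoints view shows it);
    None for placeholders such as 'Unknown MAC'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_line(line):
    """One syslog line -> event dict, or None for lines that are not auth-manager events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = DETAIL_RE.search(m["text"])
    if not d:
        return None
    meth = METHOD_RE.search(m["text"])
    return {"ts": m["ts"], "mnemonic": m["mnemonic"], "mac": normalize_mac(d["mac"]),
            "interface": d["intf"], "session": d["sid"].upper(),
            "method": meth["method"] if meth else None}


def summarize_sessions(log_text):
    """Group events by AuditSessionID; reduce each to methods tried and the final result."""
    sessions = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["session"], {"interface": ev["interface"], "mac": None,
                                                "methods": [], "result": "PENDING"})
        if ev["mac"]:
            s["mac"] = ev["mac"]          # learned once the first frame is seen
        if ev["method"]:
            s["methods"].append(ev["method"])
        if ev["mnemonic"] == "AUTHMGR-5-SUCCESS":
            s["result"] = "SUCCESS"
        elif ev["mnemonic"] == "AUTHMGR-5-FAIL":
            s["result"] = "FAIL"
    return sessions


def failed_sessions(log_text):
    """Sessions whose authorization failed. Under 'authentication open' these hosts still
    pass traffic, so this is the list to review before leaving monitor mode."""
    return [(sid, s["interface"], s["mac"]) for sid, s in summarize_sessions(log_text).items()
            if s["result"] == "FAIL"]
```

The dot1x-then-mab ordering in the summary is the "MAB will take some time to initiate after the DOT1X authentication requests time out" behaviour of Step 8 made visible per session.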
Step 10 Configure an additional IP helper address to the ISE appliance on Interface Vlan10 (Access) and
Interface Vlan40 (Voice) for DHCP information to be sent to the ISE DHCP probe (ex.):
interface Vlan10
ip helper-address 10.1.100.10
ip helper-address 10.1.100.21
Step 11 Do a shut/no shut on the interfaces Gi 0/1 - 8. This will retrigger DHCP requests and send
DHCP requests to ISE.
Step 12 Go to the Windows 7 PC and reboot it. Go to Start > Shutdown > Restart. This is needed due
to the VM and IP phone not detecting link state.
Lab Exercise 3: Verify Profiled Endpoints and
Probe information
Exercise Description
You will verify the endpoints and the information collected by each probe.
Exercise Objective
In this exercise, your goal is to correctly identify newly profiled endpoints and their unique
attributes collected on the network.
Step 2 Go to Administration > Identity Management > Identities > Endpoints
Step 3 You should now see MAC addresses show up in the Endpoints View
Step 4 Click on one of the endpoints to verify attribute data received by the probes.
The latest information received by a certain Probe will be listed as:
EndPointSource = (ex. SNMPTrap Probe)
Step 5 Go back to Endpoints and click on the Microsoft-Workstation
b. You can verify the DNS probe is working by locating the host-name attribute. DNS was
setup in the Bootstrap Lab 1.
c. You can also verify the DHCP Probe is working by locating the dhcp-class-identifier
which was sent by the DHCP request of the Windows Client
Lab Exercise 4: Create Profiles and
Authorization Policies for Profiled Endpoints
Exercise Description
In this exercise, your goal is to create Profile and Authorization Policies.
Exercise Objective
In this exercise, your goal is to verify your Profiles and Authorization Policies for your Profiled
Endpoints by validating the authentication session and its policy.
c. Under the attributes details look for some information that is interesting based on device
type. You should see this under the cdp information collected from the SNMP Probe.
Step 3 Go to Policy > Policy Elements > Conditions > Profiling to create a matching rule for the
device attribute information to be used in a Profiling Policy.
Step 4 Under Profiling Conditions click Create.
a. Name = cdpIPCAMERA
b. Type = SNMP
d. Operator = Contains
d. Exception Action = None
e. Create Matching Identity Group = Enabled (This will be used later in our Authorization
Policy)
g. Rules:
Step 9 Go to Administration > Identity Management > Groups > Endpoint Identity Groups
Step 10 Go to Policy > Authorization
d. Permissions = PermitAccess
Step 12 Click Save.
Step 13 Verify you have a default Authentication rule for MAB. This is crucial in making sure the MAB
authentication is matched and you are using the Internal Endpoints as the Identity store. Profiler
Endpoints are stored in this Identity Store.
Step 14 Go to the 3k-access switch and bounce interface Gi0/2 by using shut / no shut
Step 15 Verify the MAB request was successful and the device was Authorized under the Profiled IP
Cameras Authorization Policy.
Step 16 Click on the details icon to get more detailed information. There are details worth pointing out
based on the configurations:
g. Authorization Policy Matched Rule = Profiled IP Cameras
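To show how the pieces built in this exercise fit together (a profiling condition, a profiling policy whose rules add up certainty, the matching endpoint identity group, and an authorization rule keyed on that group), here is an added Python model of the evaluation. It is written for this page; it is neither ISE code nor from the lab guide. The cdpIPCAMERA condition and the Profiled IP Cameras rule are the ones from the exercise; the attribute the condition matches on (cdpCachePlatform), the attribute values, the certainty numbers, the other profiles, and the Default rule's permission are assumptions of the example.

```python
import re

# Constructed endpoint attribute sets keyed by MAC as the Endpoints view shows them.
# The MACs are the ones seen earlier in this guide; the attribute values are made up.
ENDPOINTS = {
    "00:1E:E5:99:FC:5B": {"cdpCachePlatform": "Cisco IP Camera",
                          "EndPointSource": "SNMPQuery Probe"},
    "1C:17:D3:41:D1:8B": {"cdpCachePlatform": "Cisco IP Phone 7965",
                          "EndPointSource": "SNMPQuery Probe"},
    "00:50:56:AA:BB:CC": {"dhcp-class-identifier": "MSFT 5.0", "host-name": "win7-pc",
                          "EndPointSource": "DHCP Probe"},
    "00:11:22:33:44:55": {"EndPointSource": "RADIUS Probe"},   # nothing useful collected
}

# Profiling conditions: name -> (attribute, operator, value). cdpIPCAMERA mirrors the
# lab's condition (Type = SNMP, Operator = Contains); its attribute/value are assumed.
CONDITIONS = {
    "cdpIPCAMERA": ("cdpCachePlatform", "CONTAINS", "IP Camera"),
    "cdpIPPHONE":  ("cdpCachePlatform", "CONTAINS", "IP Phone"),
    "dhcpMSFT":    ("dhcp-class-identifier", "STARTSWITH", "MSFT"),
}

# Profiling policies: name -> (minimum certainty factor, [(condition, certainty added)]).
# With "Create Matching Identity Group" enabled, the policy name doubles as the endpoint
# identity group the authorization policy refers to.
PROFILES = {
    "IP-Camera":             (10, [("cdpIPCAMERA", 10)]),
    "Cisco-IP-Phone":        (20, [("cdpIPPHONE", 20)]),
    "Microsoft-Workstation": (10, [("dhcpMSFT", 10)]),
}

# Authorization policy, evaluated top to bottom, first match wins. The Default
# permission is a constructed value for this example.
AUTHZ_RULES = [
    ("Profiled IP Cameras",      "IP-Camera",      "PermitAccess"),
    ("Profiled Cisco IP Phones", "Cisco-IP-Phone", "Cisco_IP_Phones"),
    ("Default",                  None,             "DenyAccess"),
]


def condition_matches(cond, attrs):
    attribute, operator, value = cond
    actual = attrs.get(attribute)
    if actual is None:                 # attribute never collected by any probe
        return False
    if operator == "EQUALS":
        return actual == value
    if operator == "CONTAINS":
        return value in actual
    if operator == "STARTSWITH":
        return actual.startswith(value)
    if operator == "MATCHES":
        return re.search(value, actual) is not None
    raise ValueError("unknown operator %r" % operator)


def profile_endpoint(attrs):
    """Sum the certainty of every matching rule per policy; the highest total that reaches
    the policy's minimum wins, otherwise the endpoint stays 'Unknown'."""
    best, best_cf = "Unknown", 0
    for name, (min_cf, rules) in PROFILES.items():
        cf = sum(w for cond, w in rules if condition_matches(CONDITIONS[cond], attrs))
        if cf >= min_cf and cf > best_cf:
            best, best_cf = name, cf
    return best


def authorize(identity_group):
    """Return (matched rule, permission) for an endpoint identity group."""
    for rule, group, permission in AUTHZ_RULES:
        if group is None or group == identity_group:
            return rule, permission
    raise RuntimeError("authorization policy has no default rule")


def session_result(mac):
    """What a MAB session for this endpoint would show: profile, matched rule, permission."""
    group = profile_endpoint(ENDPOINTS[mac])
    rule, permission = authorize(group)
    return {"mac": mac, "profile": group, "rule": rule, "permission": permission}
```

Because the endpoint is only placed in the identity group once the SNMP probe has delivered the CDP data, bouncing the port before profiling completes (as in Step 14) is what makes the session fall through to the Default rule instead of Profiled IP Cameras.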
Lab Exercise 5: Verify the IP Phone default
Policy
Exercise Description
Verify the IP phone is authorized and active.
Exercise Objective
In this exercise, your goal is to verify the IP Phone has been successfully authenticated and
authorized by ISE. With ISE there is a pre-configured Authorization Policy for Cisco IP Phones
for convenience.
Step 2 Use no shutdown to bounce the link for a new MAB request.
Step 3 Verify the Authentication and Authorization was successful on the switch.
Step 4 On the 3k-access switch, enter the command show authentication sessions interface
Gi0/1.
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDFGD
3k-access # sh authentication sessions int Gi0/1
Interface: GigabitEthernet0/1
IP Address: Unknown
User-Name: 1C-17-D3-41-D1-8B
Domain: VOICE
Handle: 0x1D00002A
Method State
Step 5 Log into ISE GUI and verify the Authentication. Go to Monitor > Authentications
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDFHD
Step 6 Click on the MAC address for the IP Phone connected to Gi0/1
Step 7 Look into the details of the authentication and authentication result to verify the details of the
default permissions.
Step 8 Notice the cisco-av-pair=device-traffic-class=voice attribute, which tells the switch this MAC
belongs to the voice VLAN.
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDFID
D
Note: The IP Phone Authorization Profile details can be found here: Policy > Policy Elements > Results >
Authorization Profiles > Cisco_IP_Phones
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDF@D
Lab Exercise 6: Profiler Logging and Reporting
Exercise Description
Understand Profilers logging and reporting capabilities.
Exercise Objective
In this exercise you enable debug logging and generate a Profiled endpoint report.
Step 2 You will get the output of the endpoints logged for the day and the Policy the endpoint has been
profiled into.
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDFAD
Step 3 You can set the Profiler log level to DEBUG for advanced troubleshooting:
a. Go to Administration > System > Logging > Debug Log Configuration
b. Select ise-1 from the right pane
c. Scroll down the list and click the Profiler radio button.
d. Click on the current log setting to display a drop-down list.
e. Set the Log setting to DEBUG.
f. Click Save.
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDF?D
Step 4 To display the debug logs go to Monitor > Troubleshoot > Download Logs > ISE-1
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDG!D
Appendix: Additional Resources
"78%$9::&)35:-0$
US=DV+E-,-36E-+/TD
U63%E6E94D
W.6/D
US=S::*144D
:+E':X641)+*ED
U+21Y*+L)+*ED;,+*DL63DL+21D/+E-,36E-+/BD
U+21J+)+*ED;,+*DL63DL+21D/+E-,36E-+/BD
J-L14E6LKD
5-/RDV+E-,-36E-+/TD
-,$/:1CD
-,S:L-/%E6E94D
-,ZK1*%E6E94D
-,<143*D
-,JMK1D
-,%K11:D
-,)NM4S::*144D
%Q-E3ND$/,+*L6E-+/DL-7DQ6.RTD
%Q-E3ND$)DS::*144[%97/1ED
%Q-E3ND<143*-KE-+/D-,D626-.67.1D
4M4\KJ-L1D
4M4=+/E63ED
4M4V6L1D
4M45+36E-+/D
%Q-E3ND-,$/:1CD
S..DK+*E$,$/:1CDD
=+/,-09*1:DW.6/D-/,+*L6E-+/D;W5SVD4E6E1OD/6L1ODK+*EOD-,$/:1CBD
D D
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDG'D
=<)D$/,+*L6E-+/D
3:K=63N1W1*4-+/D
3:K=63N1V6E-21W5SVD
3:K=63N1<12-31)+*ED
US=S::*144D
3:K=63N1564E=N6/01D
3:K=63N1S::*144JMK1D
3:K=63N1<12-31$:D
3:K=63N1S::*144D
3:K=63N1).6E,+*LD
3:K=63N1=6K67-.-E-14D
3:K=63N1<9K.1CD
D
=$%=Z>S\J]>Y^SU&PZ^_>U$XD
36,%144-+/S9EN+*-`1:XMD
36,%144-+/S9EN\41*V6L1D
36,%144-+/S9ENW.6/D
36,%144-+/=.-1/EU63S::*144D
36,%144-+/<+L6-/D
36,%144-+/%E6E94D
W.6/V6L1D
D
;<=%$9::&)35:-0$
S/MD6EE*-79E1DK6*41:D+9ED+,DEN1D<]=)DE*6,,-3DQ-..D71DL6KK1:D-/E+D6/D1/:K+-/ED6EE*-79E1(DY+*D6D.-4ED+,DK+44-7.1D6EE*-79E14D411TD
NEEKT[[QQQ(-6/6(+*0[644-0/L1/E4[7++EK>:N3K>K6*6L1E1*4[D$
D
<>>%$?0-&$9,-+:$
JN1D7*+Q41*D941*D601/ED64DQ1..D64D6/MDNEEKD6EE*-79E14DK*141/EDQ-..D71D36KE9*1:D6/:D6::1:DE+DEN1D1/:K+-/EDE+D6::DE+DEN1DK*+,-.-/0D
36K67-.-EM(DY+*D6D,9..D.-4ED+,DK+44-7.1D6EE*-79E14D411TD
NEEKT[[QQQ(*,3>1:-E+*(+*0[*,3[*,3"I'I(ECED
D D
!"#$%&#'(!#)*+,-.-/0#%1*2-314#567#89-:1;&<=%>?@A@?!#*12?B(:+3CD DD<6E1D D D D
D DDDDDDDDDDDG"D
;7"$%&'3-$
\K+/D1/:K+-/ED3*16E-+/OD6D<V%D.++R9KDQ-..DE*MDE+D:1E1*L-/1DEN1D1/:K+-/ED/6L1DYa<V(DSD/1QD6EE*-79E1DQ-..D71D6::1:DE+DEN1D
1/:K+-/EDYa<V(D^121*41D<V%D.++R9KDQ-..D71D:+/1D+/.MDQN1/D6/D1/:K+-/ED:1E13E1:D7MDEN1D<]=)OD^6:-94D6/:D%VU)DK*+714D
3+/E6-/4D,+..+Q-/0D6EE*-79E14(DJN-4DL16/4DEN6EOD,+*D<V%D.++R9KOD6ED.164ED+/1D+,DEN1D,+..+Q-/0DK*+714D/11:DE+D4E6*E1:D6.+/0DQ-END
<V%DK*+71(D
<]=)D$)D]1.K1*OD<]=)D%K6/DbDc:N3K>*1d914E1:>6::*144eD
^6:-94D)*+71DbDcY*6L1:>$)>S::*144eD
%VU)D)*+71DbDc3:K=63N1S::*144eD
]JJ)D)*+71DbDc%+9*31D$)eD
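The probe-to-attribute mapping above and the Step 4 profiling condition (Type = SNMP, Operator = Contains) can be modelled in a few lines. The following Python is an added example, not ISE's profiler: it merges attributes from several probes into one endpoint record, evaluates Contains/Equals conditions against them, and applies the DNS-probe rule stated above (a reverse lookup only when one of the four IP-bearing attributes is present and holds a valid address). The probe data, policy names and condition values are constructed for the example; ISE's certainty-factor scoring is not described on this page, so the evaluator simply requires every condition of a policy to match.

```python
import ipaddress

# Attributes that make an endpoint eligible for the DNS probe: one per probe
# that can learn the endpoint's IP address (list taken from the page above).
DNS_TRIGGER_ATTRIBUTES = (
    "dhcp-requested-address",  # DHCP IP Helper / DHCP SPAN probe
    "Framed-IP-Address",       # RADIUS probe
    "cdpCacheAddress",         # SNMP probe
    "Source IP",               # HTTP probe
)

# Condition operators; attribute values are compared case-insensitively.
OPERATORS = {
    "Contains": lambda actual, expected: expected.lower() in actual.lower(),
    "Equals": lambda actual, expected: actual.lower() == expected.lower(),
    "Starts With": lambda actual, expected: actual.lower().startswith(expected.lower()),
}


def merge_probe_data(*probe_results):
    """Merge attribute dicts from several probes into one endpoint record.
    A later probe overwrites an earlier value for the same attribute name."""
    endpoint = {}
    for attrs in probe_results:
        endpoint.update(attrs)
    return endpoint


def dns_lookup_ip(endpoint):
    """Return the address the DNS probe would reverse-resolve, or None when no
    probe has supplied a usable IP (the DNS probe then has nothing to do)."""
    for name in DNS_TRIGGER_ATTRIBUTES:
        value = endpoint.get(name)
        if not value:
            continue
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            continue  # junk in an IP attribute must not trigger a lookup
    return None


def evaluate_condition(endpoint, attribute, operator, value):
    """Evaluate one profiling condition such as (cdpCachePlatform, Contains, 'ip camera')."""
    actual = endpoint.get(attribute)
    if actual is None:
        return False
    return OPERATORS[operator](str(actual), value)


def matching_policies(endpoint, policies):
    """policies maps a policy name to its list of (attribute, operator, value).
    Assumption of this example: a policy matches when all its conditions match."""
    return [name for name, conds in policies.items()
            if conds and all(evaluate_condition(endpoint, *c) for c in conds)]


# Constructed sample probe output (not captured in the lab).
SNMP_PROBE = {"cdpCachePlatform": "Cisco IP Camera CIVS-IPC-2500",
              "cdpCacheAddress": "10.1.10.50",
              "cdpCacheDeviceId": "CIVS-IPC-2500-A1B2"}
DHCP_PROBE = {"dhcp-requested-address": "Unknown",  # unusable, must be skipped
              "dhcp-class-identifier": "Cisco Systems, Inc. IP Camera"}

# Hypothetical policies in the shape of the Step 4 condition (SNMP / Contains).
POLICIES = {
    "IP-Camera": [("cdpCachePlatform", "Contains", "ip camera")],
    "Cisco-IP-Phone": [("cdpCachePlatform", "Contains", "ip phone")],
}


def demo():
    endpoint = merge_probe_data(DHCP_PROBE, SNMP_PROBE)
    return matching_policies(endpoint, POLICIES), dns_lookup_ip(endpoint)


if __name__ == "__main__":
    print(demo())
```

The DHCP probe's unusable address is skipped and the SNMP probe's cdpCacheAddress is what the DNS probe would resolve; with no SNMP, DHCP, RADIUS or HTTP data at all, dns_lookup_ip returns None, which is the "DNS probe alone does nothing" point the text makes.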
Radius Attributes
We will be collecting and assigning to endpoints RADIUS attributes from both the request and the response. For a list of RADIUS
attributes, see the RFCs defined at http://en.wikipedia.org/wiki/RADIUS.

Netflow Attributes
We will be collecting any and all attributes sent through NetFlow. Please consult http://www.faqs.org/rfcs/rfc3954.html for
details on NetFlow attributes. Here is a sample:
IN_BYTES
IN_PKTS
FLOWS
PROTOCOL
TOS
TCP_FLAGS
L4_SRC_PORT
IPV4_SRC_ADDR
SRC_MASK
L4_DST_PORT
IPV4_DST_ADDR
DST_MASK
IPV4_NEXT_HOP
LAST_SWITCHED
FIRST_SWITCHED
OUT_BYTES
OUT_PKTS
IPV6_SRC_ADDR
IPV6_DST_ADDR
IPV6_SRC_MASK
IPV6_DST_MASK
IPV6_FLOW_LABEL
ICMP_TYPE
DST_TOS
SRC_MAC
DST_MAC
SRC_VLAN
DST_VLAN
IP_PROTOCOL_VERSION
DIRECTION
D
! End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
Cisco TrustSec
ISE 1.0 Classification Lab Guide
Lab Overview
Classification is the process of differentiating the types of endpoints (managed/unmanaged) and users (employees,
guest, etc.) on the network and applying different network access policies to them. We will identify the major types of
device capabilities and user types and recommended access control methods for handling them.
This lab introduces ISE network access policy to appropriately authenticate and authorize users and endpoints using
MAC, Web and 802.1X authentication methods including static MAC authentication, web authentication, and 802.1X
authentication.
Lab participants should be able to complete the lab within the allotted lab time of 2 hours.
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
'D
Lab Exercises
This lab guide includes the following exercises:
!"#"$%&"'()*+,)-*.)/'%01%'()22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)3)
-*.)4#"'#5"6)222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)3)
-*.)78"'05("()222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)9)
/'%,:01)4#"'#5"6;)<,"+151=)>"'#50"()7+?5+")@<>7A)22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)9)
-*.)B%&%$%?=)*+,)C00"(()2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)D)
-*.)78"'05(")3;)ECF)C:1G"+150*15%+)222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)33)
-*.)78"'05(")9;)HI923J)C:1G"+150*15%+)2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)93)
-*.)78"'05(")D;)C015#")!5'"01%'=)<+1"?'*15%+)2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)9K)
-*.)78"'05(")L;)M".)C:1G"+150*15%+)222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)DD)
-*.)78"'05(")N;)7+O%'0"P"+1)222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222)DQ)
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
TD
Lab Topology and Access
Every one or two students will share one POD. Each POD includes one Admin client PC from which all lab
configuration is performed.
Connect to a POD:
Step 1 Launch the Remote Desktop application on your system.
Step 2 Enter the Admin PC address:port for your pod per the table:
Step 3 Log in as admin / cisco123 (Domain = DEMO)
Step 4 All lab configurations can be performed from the Admin client PC.
To access and manage other computers used in this lab, follow the instructions Connect to ESX Server
Virtual Machines.
To access the console of the ISE appliance and other lab infrastructure devices, follow the instructions Connect
to Lab Device Consoles.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Reference the above POD Access Information table to verify the IP Address/Name of the ESX Server for your
pod.
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
"D
D
Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so, place the mouse
cursor over VM name in the left-hand pane and right-click to select one of these options:
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
[D
D
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
\D
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, select PuTTY from the Windows Start Menu to open a terminal session.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of the desired device
in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Lab Topology
This is the topology used for this lab.
Lab Devices, Names, Accounts, and Addresses
The table that follows lists the internal devices, names, accounts and addresses used in this lab.
Device | Name/Hostname | Accounts | IP Address
Core Switch (Nexus 7k) | 7k-core.demo.local | admin / C!sco123 | 10.1.100.1, 10.1.250.1
Access Switch (3560X) | 3k-access.demo.local | admin / cisco123 | 10.1.250.2
Data Center Switch (3560X) | 3k-server.demo.local | admin / cisco123 | 10.1.251.2
Wireless LAN Controller (2106) | wlc.demo.local | admin / cisco123 | 10.1.100.61
Wireless Access Point (1242) | ap.demo.local | admin / cisco123 | DHCP (10.1.10.x/24)
ISE Appliance (PAP/PDP/MNT) | ise-1.demo.local | admin / default1A | 10.1.100.21
AD Server (DNS/DHCP) | ad.demo.local | administrator / cisco123 | 10.1.100.10
NTP Server | ntp.demo.local | - | 128.107.220.1
Public Web Server | www-ext.demo.local | administrator / cisco123 | 10.1.252.10
Internal Web Server | www-int.demo.local | administrator / cisco123 | 10.1.252.20
Admin (Management) Client (also FTP Server) | admin.demo.local, ftp.demo.local | admin / cisco123 | 10.1.100.6
Windows 7 Client PC (Local = WIN7-PC, Domain = DEMO) | win7-pc.demo.local | WIN7-PC\administrator / cisco123, WIN7-PC\admin / cisco123, DEMO\admin / cisco123, DEMO\employee1 / cisco123 | DHCP (10.1.10.x/24)
Active Directory Accounts (ad.demo.local)

Group | Users | Password
demo.local/Users/Domain Computers | - | -
demo.local/Users/Domain Users | user1, user2 | cisco123
demo.local/Users/contractors | contractor1, contractor2 | cisco123
demo.local/Users/employees | employee1, employee2 | cisco123
demo.local/Users/staff | staff1, staff2 | cisco123
demo.local/Users/students | student1, student2 | cisco123
demo.local/Users/doctors | doctor1, doctor2 | cisco123
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or
compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will focus on the use of
downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By default, all client PC access will remain
in the ACCESS VLAN 10 and IP phones will be placed in VOICE VLAN 40.
Assumptions
This lab assumes:
The student has a basic understanding of access control security principles, AAA protocols and a familiarity with a
variety of Cisco network access devices (wired, wireless, VPN)
The student has completed TrustSec Lab #1: Bootstrap ISE For Network Visibility
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
?D
Example download of access switch configuration for Lab 5:
3k-access# copy ftp://ftp.demo.local/3k-access-lab4-start.cfg startup-config
Destination filename [startup-config]? <Enter>
Accessing ftp://ftp.demo.local/3k-access-lab4-start.cfg...
Translating "ftp.demo.local"...domain server (10.1.100.10) [OK]
Loading 3k-access-lab4-start.cfg !
[OK - 8275/4096 bytes]
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
=D
Lab # - Title ISE VMs
Note: Other virtual machines required for this lab such as AD and the Admin client will be started for you.
Note: The ping test may fail for VMs that have not yet completed the boot process.
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
'!D
Lab Exercise 1: MAC Authentication
Exercise Description
Learn about the default behavior of the IOS 802.1X state machine and how it relates to MAC authentication as a fallback
method of device authentication, specifically when authenticating against the Cisco Identity Services Engine (ISE).

Exercise Objective
In this lab, you will:
1. Understand the default authentication behavior of ISE
2. Understand the behavior of 802.1X and MAC Authentication Bypass (MAB) on the switch
3. Authenticate an IP phone, wireless access point and other devices using MAB and static MAC authorization
4. Assign an endpoint a specific authorization policy based on a static group mapping
5. Learn how to troubleshoot the switchport authentication status and the ISE authentication
Note: Be very careful when deploying a live network using MAB with Profiling enabled! If profiling is enabled, MAC addresses are
added to the Endpoints list upon detection via any probe. If you have not changed the default ISE authorization policy which
permits access, you will allow all devices onto your network as soon as they are profiled!
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
''D
Step 7 Verify the authentication rules configured in ISE match the table below. These were configured in the Bootstrap
Lab.
MAC addresses sent from the switch using any of the Default Network Access protocols will be evaluated
against existing addresses in the Internal Endpoints database. If they are not found, a RADIUS Access-Reject
response will be returned.
Authentication Rules

Name | Condition | Protocols | Identity Source | Options (if authentication failed / if user not found / if process failed)
Test Authentications | IF Device:Device Type = Device Type#All Device Types#Test | allow protocols Default Network Access | and use demo.local | Reject / Reject / Drop
MAB | IF Wired_MAB | allow protocols Default Network Access | and use Internal Endpoints | Reject / Reject / Drop
Dot1X | IF Wired_802_1X | allow protocols Default Network Access | and use Internal Users | Reject / Reject / Drop
Default Rule (if no match) | - | allow protocols Default Network Access | and use Internal Users | Reject / Reject / Drop

Note: Web Authentication is not RADIUS-based and is automatically handled by the Session Service, so there is no need to
create a separate authentication method for Central Web Authentication.

Authorization Policies

Name | Identity Group | Conditions | Authorization
Profiled Cisco IP Phones | IF Cisco-IP-Phone | AND - | THEN Cisco_IP_Phone
Default | IF no matches | - | THEN PermitAccess
Note: You will want to disable all Profiling Probes if you want to observe static MAC authentication behavior without the ISE
Advanced Package license.
Step 13 Verify the p#-win7-pc VM is powered OFF. This will greatly simplify the switch console output while debugging
is enabled so you can learn the 802.1X and MAB state machine behavior.
Step 14 Telnet or SSH to your switch
Step 15 Show the GigabitEthernet 0/1 interface configuration:
authentication open: the switchport is open and bridging all traffic to the assigned VLAN
ip access-group ACL-ALLOW in: all traffic from the endpoint will be bridged through the switchport and
filtered based on the access control entries of ACL-ALLOW
authentication order mab dot1x: the switch will attempt a MAB authentication upon learning the endpoint's
MAC address. This is recommended when first deploying TrustSec to monitor network access attempts and
inventory all endpoints. Once you begin to deploy supplicants, this may result in significant additional
authentication traffic on the network depending on your mix of agented and agentless devices.
authentication priority dot1x mab: this option allows an 802.1X-capable endpoint to authenticate even after a
MAB authentication attempt has been made.
Step 17 In exec mode, enable terminal monitoring and enable RADIUS authentication debugging. This will help you see
the details of the RADIUS session including fallback from one authentication method to another.
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
'"D
3k-access# terminal monitor
3k-access# debug radius authentication
Step 18 Enter config mode and enable GigabitEthernet 0/1 to authenticate your agentless device.
3k-access# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)# interface GigabitEthernet 0/1
3k-access(config-if)# no shutdown
Step 19 After you enable the switchport, you will see the IEEE 802.3af inline power being granted to the phone:
*Mar 1 13:48:51.961: %ILPOWER-7-DETECT: Interface Gi0/1: Power Device detected:
IEEE PD
*Mar 1 13:48:51.961: %ILPOWER-5-POWER_GRANTED: Interface Gi0/1: Power granted
Step 21 Since the switchport is configured with authentication order mab dot1x, the switchport will initiate a MAB
authentication request immediately upon endpoint MAC address detection:
Mar 1 06:01:24.185: %AUTHMGR-5-START: Starting 'mab' for client (0022.905a.dfd0) on
Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Step 22 However, ISE does not have this MAC in the Endpoint List so it will fail MAB authentication:
Mar 1 06:01:24.462: %MAB-5-FAIL: Authentication failed for client (0022.905a.dfd0)
on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:24.471: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for
client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Step 23 Since the authentication order mab dot1x option has been configured, the IOS will attempt an 802.1X
authentication next:
Mar 1 06:01:24.471: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client
(0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:24.471: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.905a.dfd0)
on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Step 24 After approximately 30 seconds (3 x 10 second timeouts), 802.1X will fail because the endpoint did not respond
to the 802.1X authentication challenges from the switchport authenticator.
Mar 13 06:01:55.506: %DOT1X-5-FAIL: Authentication failed for client
(0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 13 06:01:55.506: %AUTHMGR-7-RESULT: Authentication result 'no-response' from
'dot1x' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID
0A01FA020000000500DEC226
Step 25 The authentication manager will then state that it has exhausted all authentication methods (MAB and 802.1X)
signaling the start of a hold period (30 second default):
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
'[D
Mar 13 06:01:55.506: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client
(0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 13 06:01:55.506: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods
for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID
0A01FA020000000500DEC226
Mar 13 06:01:55.506: %AUTHMGR-5-FAIL: Authorization failed for client
(0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Step 26 After the hold period expires, the IOS authentication manager will restart the authentication process with MAB.
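The fallback sequence in Steps 21 through 26 is easiest to audit from the switch syslog itself. The following Python script is an added example, not part of the lab guide or of any Cisco tooling: it parses the %AUTHMGR, %MAB and %DOT1X messages, groups them by AuditSessionID, and reports which method finally authorized each endpoint, so that endpoints admitted by MAB alone (a MAC address is trivially spoofed) can be pulled into an inventory. The sample log is constructed from the messages shown in this exercise, joined onto single lines; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# One auth-manager syslog line (a leading '*' means the switch clock is not NTP-synced).
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z]+): "
    r"(?P<text>.*?) for client \((?P<mac>[0-9a-fA-F.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)$")
RESULT_RE = re.compile(r"result '(?P<result>[a-z-]+)' from '(?P<method>mab|dot1x)'")


def normalize_mac(mac):
    """Accept 0022.905a.dfd0, 00-22-90-5A-DF-D0 or 00:22:90:5a:df:d0 and return
    the colon-separated upper-case form the ISE endpoint list expects."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_line(line):
    """Return the parsed fields of an auth-manager event, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["mac"] = normalize_mac(event["mac"])
    return event


def session_timelines(lines):
    """Group events by AuditSessionID and reduce each session to its list of
    (method, result) attempts plus the final authorization outcome."""
    sessions = defaultdict(lambda: {"mac": None, "interface": None, "attempts": [],
                                    "exhausted": False, "outcome": "in-progress"})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # %ILPOWER, %LINK, etc. carry no session state
        s = sessions[ev["sid"]]
        s["mac"], s["interface"] = ev["mac"], ev["intf"]
        key = (ev["facility"], ev["mnemonic"])
        if key == ("AUTHMGR", "RESULT"):
            r = RESULT_RE.search(ev["text"])
            if r:
                s["attempts"].append((r["method"], r["result"]))
        elif key == ("AUTHMGR", "NOMOREMETHODS"):
            s["exhausted"] = True   # hold period starts; MAB is retried after it
        elif key == ("AUTHMGR", "SUCCESS"):
            s["outcome"] = "authorized"
        elif key == ("AUTHMGR", "FAIL"):
            s["outcome"] = "authz-failed"
    return dict(sessions)


def authorized_method(session):
    """The method whose result was 'success', or None if the session never got there."""
    for method, result in session["attempts"]:
        if result == "success":
            return method
    return None


def mab_only_endpoints(sessions):
    """MACs admitted by MAB alone: MAB proves only that the address is on a list."""
    return sorted({s["mac"] for s in sessions.values()
                   if s["outcome"] == "authorized" and authorized_method(s) == "mab"})


# Constructed sample: the messages shown in this exercise, one per line.
SAMPLE_LOG = """\
*Mar 1 13:48:51.961: %ILPOWER-5-POWER_GRANTED: Interface Gi0/1: Power granted
Mar 1 06:01:24.185: %AUTHMGR-5-START: Starting 'mab' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:24.462: %MAB-5-FAIL: Authentication failed for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:24.471: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:24.471: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:24.471: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:55.506: %DOT1X-5-FAIL: Authentication failed for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:55.506: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:55.506: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
Mar 1 06:01:55.506: %AUTHMGR-5-FAIL: Authorization failed for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA020000000500DEC226
*Mar 1 14:38:43.775: %AUTHMGR-5-START: Starting 'mab' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A0164010000000C032407AA
*Mar 1 14:38:44.069: %MAB-5-SUCCESS: Authentication successful for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A0164010000000C032407AA
*Mar 1 14:38:44.069: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A0164010000000C032407AA
*Mar 1 14:38:45.092: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A0164010000000C032407AA
"""

if __name__ == "__main__":
    for sid, s in session_timelines(SAMPLE_LOG.splitlines()).items():
        print(sid, s["mac"], s["interface"], s["attempts"], s["outcome"])
```

Fed real output (terminal monitor captured to a file, or the syslog the switch forwards), the first session shows the mab fail, dot1x no-response, exhausted sequence of Steps 21 to 25, and the second shows the MAB success you get once the MAC is in the Endpoints list.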
Step 27 In ISE, navigate to Monitor > Authentications and verify your MAC is or is not found based on its existence in
the Endpoints list. Unless Profiling is enabled, the endpoint should fail authentication due to the error Subject
not found.
Status | Username | MAC | IP | NAD | Server | NAS Port | Event | Failure Reason | AuthZ Profiles | Auth Method | AuthN Protocol | Identity Group
X | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.40.100 | 3k-access | ise-1 | Gi0/1 | Auth | 22056 Subject not found | - | MAB | Lookup | -
X | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.10.102 | 3k-access | ise-1 | Gi0/1 | Auth | 22056 Subject not found | - | MAB | Lookup | -
Note: The second entry will not be present if the Windows 7 PC client is powered off.
IP Phones
IP phones are one of the most common types of endpoints that may require MAC Authentication Bypass (MAB) to assign
the special RADIUS attributes required for moving it to the Voice VLAN.
Step 28 To authorize the IP phone as a Cisco IP Phone, go to the Endpoints list under Administration > Identity
Management > Identities and select Endpoints
Step 29 Select Create and assign your IP phone's MAC address to the Identity Group Cisco-IP-Phone:
MAC Address Policy Assignment Identity Group Assignment
nn:nn:nn:nn:nn:nn Unknown Cisco-IP-Phone
Note: ISE is very picky about how MAC addresses are entered. The format is very restrictive and does not like copy-and-paste
operations. Be sure to manually type using colon separators.
Note: If problems entering the MAC address persist, you should try restarting the ISE application or VM to see if that solves the
problem.
Step 30 You can wait about 60 seconds for the authenticator state machine to reset or you can shutdown/no shutdown
the switchport to trigger the authentication process. In either case, you should now see syslog messages in the
switch console showing a successful authentication:
*Mar 1 14:38:43.775: %AUTHMGR-5-START: Starting 'mab' for client (0022.905a.dfd0)
on Interface Gi0/1 AuditSessionID 0A0164010000000C032407AA
*Mar 1 14:38:44.069: %MAB-5-SUCCESS: Authentication successful for client
(0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A0164010000000C032407AA
*Mar 1 14:38:44.069: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab'
for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID
0A0164010000000C032407AA
*Mar 1 14:38:45.092: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A0164010000000C032407AA
Step 31 You can also see the authorization status within the IOS:
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
'\D
3k-access# show authentication sessions interface GigabitEthernet 0/1
Interface: GigabitEthernet0/1
MAC Address: 0022.905a.dfd0
IP Address: 10.1.40.100
User-Name: 00-22-90-5A-DF-D0
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0164010000000C032407AA
Acct Session ID: 0x0000000F
Handle: 0xD600000C
Step 32 Looking at the ISE Authentications log will also show you the passed authentication records:
Status | Username | MAC | IP | NAD | Server | NAS Port | Event | Failure Reason | AuthZ Profiles | Auth Method | AuthN Protocol | Identity Group
 | #ACSACL#-IP-PERMIT | - | - | 3k-access | ise-1 | Gi0/1 | DACL | - | - | - | - | -
 | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.40.100 | 3k-access | ise-1 | Gi0/1 | Auth | - | Cisco_IP_Phones | MAB | Lookup | Profiled:Cisco-IP-Phone
Endpoint Whitelists
Typically there are many types of devices that are agentless (they do not have 802.1X supplicant capabilities) but still
must have network access. This may be accommodated by creating one or more whitelists to allow known endpoints or
groups of endpoints onto the network.
Step 33 Enable the GigabitEthernet0/2 switchport using the no shutdown command
Step 34 Copy the MAC address of the device on that port from the console or from the ISE authentication log
Step 35 Navigate to Administration > Identity Management > Groups > Endpoint Identity Groups
Step 36 Select Create and name the group Whitelist without a parent group
Step 37 Navigate to Administration > Identity Management > Identities and select Endpoints
Step 38 Select Create to add your endpoint's MAC address to the Whitelist endpoint group
MAC Address Policy Assignment Identity Group Assignment
nn:nn:nn:nn:nn:nn Unknown Whitelist
Step 39 Navigate to Monitor > Authentications to see your endpoint authenticate successfully via MAB based on its
existence in the Endpoints list. It may take a minute for the next MAB authentication to occur or you can always
perform a shut/no-shut of the switchport.
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
']D
Status | Username | MAC | IP | NAD | Server | NAS Port | Event | Failure Reason | AuthZ Profiles | Auth Method | AuthN Protocol | Identity Group
 | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.10.100 | 3k-access | ise-1 | Gi0/2 | Auth | - | PermitAccess | MAB | Lookup | Whitelist
Step 40 From your switch console, view the authentication status of the switchport in IOS. The endpoint is now
authenticated:
3k-access# show authentication sessions interface GigabitEthernet0/2
Interface: GigabitEthernet0/2
MAC Address: 0025.4519.f7c7
IP Address: Unknown
User-Name: 00-25-45-19-F7-C7
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A01FA0200000008013E58DD
Acct Session ID: 0x0000000C
Handle: 0x48000008
Step 41 Now we must assign a specific authorization. Navigate to Policy > Policy Elements > Results.
Step 42 From the left-hand pane, double-click Authorization to expand its contents, then select Authorization Profiles.
Step 43 From the right-hand pane, select Add to create a new Authorization Profiles for Whitelist endpoints:
Name Whitelist
Access-Type ACCESS_ACCEPT
DACL Name PERMIT_ALL_TRAFFIC
Reauthentication Timer: 3600 Note: type it, do not use the selector
Maintain Connectivity: RADIUS-Request
Note: A reauthentication timeout of 3600 seconds (1 hour) is an unusually short time just for this lab. Typical reauthentication
timeouts would be 8-24 hours or even longer.
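What the Whitelist profile actually puts on the wire, as an added example (not ISE code): the profile fields map to standard RADIUS attributes. Session-Timeout (27) carries the 3600 s reauthentication timer, Termination-Action (29) = 1 encodes "RADIUS-Request" (the Maintain Connectivity setting), and the dACL name rides in a Cisco vendor-specific cisco-av-pair, the same vehicle as the device-traffic-class=voice pair the IP phone receives. The Access-Accept is then sealed with the RFC 2865 Response Authenticator so the switch can confirm it came from a server that knows the shared secret. The av-pair text for the dACL follows the #ACSACL#-IP- naming seen in the ISE log, but its hash suffix, the shared secret and the request authenticator below are placeholders, not lab values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC, SESSION_TIMEOUT, TERMINATION_ACTION = 26, 27, 29
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1       # IANA enterprise 9, VSA type 1 = cisco-av-pair
TERMINATION_RADIUS_REQUEST = 1             # Termination-Action value for "RADIUS-Request"


def attr(atype, value):
    """One RFC 2865 attribute: Type (1) | Length (1, includes the header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Vendor-Id 9, Vendor-Type 1, Vendor-Length, string."""
    inner = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(inner) + 2) + inner
    return attr(VENDOR_SPECIFIC, vsa)


def authorization_attributes(profile):
    """Translate the lab's authorization-profile fields into RADIUS attributes.
    The dACL av-pair follows the '#ACSACL#-IP-<name>-<hash>' naming seen in the ISE
    authentication log; the hash suffix here is a placeholder (assumption)."""
    out = []
    if profile.get("dacl"):
        out.append(cisco_avpair(
            "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%s-placeholder" % profile["dacl"]))
    if profile.get("reauth_timer"):
        out.append(attr(SESSION_TIMEOUT, struct.pack("!I", profile["reauth_timer"])))
        out.append(attr(TERMINATION_ACTION, struct.pack("!I", TERMINATION_RADIUS_REQUEST)))
    for pair in profile.get("avpairs", ()):
        out.append(cisco_avpair(pair))
    return b"".join(out)


def build_access_accept(identifier, request_authenticator, attributes, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """NAS-side check: only a server holding the shared secret can produce this digest."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def decode_attributes(data):
    """Parse the attribute TLVs; Cisco av-pairs come back as ('cisco-av-pair', str),
    the two integer attributes as ints, everything else as raw bytes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                out.append(("cisco-av-pair", value[6:].decode()))
                i += alen
                continue
        if atype in (SESSION_TIMEOUT, TERMINATION_ACTION) and len(value) == 4:
            out.append((atype, struct.unpack("!I", value)[0]))
        else:
            out.append((atype, value))
        i += alen
    return out


# The two profiles used in this lab, as this example models them.
WHITELIST_PROFILE = {"dacl": "PERMIT_ALL_TRAFFIC", "reauth_timer": 3600}
PHONE_PROFILE = {"dacl": "PERMIT_ALL_TRAFFIC", "avpairs": ["device-traffic-class=voice"]}


def demo(secret=b"lab-shared-secret"):   # constructed secret, not a lab value
    request_auth = os.urandom(16)          # would be copied from the NAS's Access-Request
    attributes = authorization_attributes(WHITELIST_PROFILE)
    packet = build_access_accept(42, request_auth, attributes, secret)
    tampered = bytearray(packet)
    tampered[-1] ^= 0x01                   # flip one bit of the last attribute byte
    return (verify_response(packet, request_auth, secret),
            verify_response(packet, request_auth, b"wrong-secret"),
            verify_response(bytes(tampered), request_auth, secret),
            decode_attributes(packet[20:]))


if __name__ == "__main__":
    print(demo())
```

The tampered and wrong-secret checks are the point of the Response Authenticator: without the secret, neither the attributes nor the dACL name can be altered in transit without the switch noticing. It is still only MD5 over a shared secret, which is why the secret and the RADIUS path between switch and ISE deserve the same care as any other credential.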
Step 44 Scroll to the bottom of page, review the summary of attributes in the Attributes Detail then select Save.
Step 45 Navigate to Policy > Authorization and insert a new authorization rule to match the Whitelist endpoint identity
group and assign it the Whitelist authorization:
Authorization Policies

Name | Identity Group | Conditions | Authorization
Profiled Cisco IP Phones | IF Cisco-IP-Phone | AND - | THEN Cisco_IP_Phone
Whitelist | IF Whitelist | AND - | THEN Whitelist
Default | IF no matches | - | THEN PermitAccess
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
'>D
Step 46 Go to your switch console and shutdown/no shutdown the GigabitEthernet0/2 switchport to trigger a re-
authentication.
Step 47 After the successful authentication, notice the new authorization:
3k-access# show authentication sessions interface GigabitEthernet 0/2
Interface: GigabitEthernet0/2
MAC Address: 0025.4519.f7c7
IP Address: Unknown
User-Name: 00-25-45-19-F7-C7
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: 3600s (server), Remaining: 3525s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A01FA020000000F015B85DF
Acct Session ID: 0x00000013
Handle: 0x7A00000F
Note: The session timer value and remaining time can now be seen since a timeout value was assigned by the Whitelist
authorization profile
Step 48 In ISE, navigate to Monitor > Authentications to view the new authorization status:
Status | Username | MAC | IP | NAD | Server | NAS Port | Event | Failure Reason | AuthZ Profiles | Auth Method | AuthN Protocol | Identity Group
 | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.10.100 | 3k-access | ise-1 | Gi0/2 | Auth | - | Whitelist | MAB | Lookup | Whitelist
 | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.10.100 | 3k-access | ise-1 | Gi0/2 | Auth | - | PermitAccess | MAB | Lookup | Whitelist
3k-access# configure terminal
3k-access(config)# int gig 0/3
3k-access(config-if)# no shutdown
Mar 14 18:51:42.112: %ILPOWER-7-DETECT: Interface Gi0/3: Power Device detected: IEEE
PD
Mar 14 18:51:43.052: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to
down
Mar 14 18:51:43.136: %ILPOWER-5-POWER_GRANTED: Interface Gi0/3: Power granted
Mar 14 18:51:46.197: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed
state to up
Mar 14 18:51:46.197: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan40, changed
state to up
Mar 14 18:51:47.170: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
Mar 14 18:51:48.177: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/3, changed state to up
Step 50 Once the access point has obtained 802.3af power and booted, the switch will detect its MAC address and
initiate MAB. However, since there is no entry for the AP's MAC address in the ISE Endpoint list, the MAB
authentication will fail. Note that Dot1X failures will also be seen when the AP fails to respond to 802.1X
authentication challenges.
Mar 14 18:52:31.870: %AUTHMGR-5-START: Starting 'mab' for client (c471.fed9.1eb7) on
Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:52:32.080: %MAB-5-FAIL: Authentication failed for client (c471.fed9.1eb7) on
Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:52:32.080: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for
client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:52:32.080: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client
(c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:52:32.088: %AUTHMGR-5-START: Starting 'dot1x' for client (c471.fed9.1eb7) on
Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %DOT1X-5-FAIL: Authentication failed for client (c471.fed9.1eb7)
on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %AUTHMGR-7-RESULT: Authentication result 'no-response' from
'dot1x' for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID
0A01FA020000003008C69491
Mar 14 18:53:02.957: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client
(c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods
for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %AUTHMGR-5-FAIL: Authorization failed for client (c471.fed9.1eb7)
on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
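The failover sequence above (MAB lookup fails, the authenticator falls over to 802.1X, the AP never answers, all methods are exhausted) is easy to misread on a busy console. The following Python script is an added example, not part of the lab guide or of any Cisco tool: it parses the %AUTHMGR, %MAB and %DOT1X messages into per-session method sequences and prints a diagnosis. The sample log is a constructed copy of the console lines shown above (plus the IP phone's MAB success from Exercise 5), re-joined onto single lines; the field regexes assume the message formats shown on this page.

```python
"""Summarise Cisco IOS authentication-manager syslog per session.

Added example, not part of the lab guide or of Cisco's tooling. It reads the
%AUTHMGR/%MAB/%DOT1X messages shown in Step 50 and reports, per AuditSessionID,
which methods ran, what each returned and the final outcome. The sample lines
are constructed copies of the console output, re-joined onto single lines.
"""
import re
from collections import OrderedDict

# "Mar 14 18:52:31.870: %AUTHMGR-5-START: ..." with an optional sequence number / '*' prefix
SYSLOG_RE = re.compile(
    r"^(?:\d+: )?\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)$"
)
FIELD_RES = (
    re.compile(r"client \((?P<mac>[0-9a-f.]+)\)"),
    re.compile(r"Interface (?P<iface>\S+)"),
    re.compile(r"AuditSessionID (?P<sid>[0-9A-F]+)"),
    re.compile(r"'(?P<method>mab|dot1x|webauth)'"),
    re.compile(r"Authentication result '(?P<result>[\w-]+)'"),
)

SAMPLE_LOG = """
Mar 14 18:51:47.170: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
Mar 14 18:52:31.870: %AUTHMGR-5-START: Starting 'mab' for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:52:32.080: %MAB-5-FAIL: Authentication failed for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:52:32.080: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:52:32.088: %AUTHMGR-5-START: Starting 'dot1x' for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %DOT1X-5-FAIL: Authentication failed for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 14 18:53:02.957: %AUTHMGR-5-FAIL: Authorization failed for client (c471.fed9.1eb7) on Interface Gi0/3 AuditSessionID 0A01FA020000003008C69491
Mar 15 14:35:37.235: %AUTHMGR-5-START: Starting 'mab' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:37.545: %MAB-5-SUCCESS: Authentication successful for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:38.560: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
""".strip().splitlines()


def parse_event(line):
    """Return header fields plus whatever client/interface/session/method/result is present."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None                      # prompt echo or other non-syslog text
    ev = m.groupdict()
    for rx in FIELD_RES:
        mm = rx.search(ev["msg"])
        if mm:
            ev.update(mm.groupdict())
    return ev


def summarize_sessions(lines):
    """Map AuditSessionID -> {mac, iface, methods: [[method, result], ...], outcome}."""
    sessions = OrderedDict()
    for line in lines:
        ev = parse_event(line)
        if not ev or "sid" not in ev:
            continue
        s = sessions.setdefault(ev["sid"], {"mac": ev.get("mac"), "iface": ev.get("iface"),
                                            "methods": [], "outcome": "pending"})
        key = (ev["fac"], ev["mn"])
        if key == ("AUTHMGR", "START"):
            s["methods"].append([ev["method"], "running"])
        # The level-5 MAB/DOT1X messages are always logged; the level-7 AUTHMGR-7-RESULT
        # that carries the finer 'no-response' result only appears with debugging-level logging.
        elif key in (("MAB", "FAIL"), ("DOT1X", "FAIL")) and s["methods"]:
            s["methods"][-1][1] = "fail"
        elif key in (("MAB", "SUCCESS"), ("DOT1X", "SUCCESS")) and s["methods"]:
            s["methods"][-1][1] = "success"
        elif key == ("AUTHMGR", "RESULT") and s["methods"]:
            s["methods"][-1][1] = ev["result"]
        elif key == ("AUTHMGR", "NOMOREMETHODS"):
            s["outcome"] = "all methods exhausted"
        elif key == ("AUTHMGR", "FAIL"):
            s["outcome"] = "authorization failed"
        elif key == ("AUTHMGR", "SUCCESS"):
            s["outcome"] = "authorized"
    return sessions


def diagnose(session):
    """Explain the method sequence in operator terms."""
    seq = [tuple(m) for m in session["methods"]]
    if seq == [("mab", "fail"), ("dot1x", "no-response")]:
        return ("MAC unknown to ISE and no 802.1X supplicant answered: "
                "add the MAC to the Endpoint list (or fix the MAB rule)")
    if any(r == "success" for _, r in seq):
        return "authenticated via " + next(m for m, r in seq if r == "success")
    if any(r == "fail" for m, r in seq if m == "dot1x"):
        return "802.1X credentials rejected by the identity store"
    return "no successful method yet"


def report(lines):
    """One human-readable line per session."""
    out = []
    for sid, s in summarize_sessions(lines).items():
        chain = " -> ".join(f"{m}:{r}" for m, r in s["methods"])
        out.append(f"{s['iface']} {s['mac']} [{sid}] {chain} => {s['outcome']}; {diagnose(s)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it `terminal monitor` output saved from the console, or a syslog export, and the AP session is reported as `mab:fail -> dot1x:no-response => authorization failed` with the fix spelled out; a session that was rejected on credentials rather than silence shows `dot1x:fail` instead.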
Step 51 Navigate to Policy > Policy Elements > Results, then double-click Authorization to expand its contents and select Authorization Profiles.
Step 52 Create a new Access_Point authorization profile that permits the AP and allows all traffic from it:
Attribute      Value
Name           Access_Point
Access-Type    ACCESS_ACCEPT
DACL Name      PERMIT_ALL_TRAFFIC
Note: PERMIT_ALL_TRAFFIC is used here for simplicity. You may optionally define and apply a more restrictive downloadable ACL that permits only DNS and CAPWAP (UDP 5246 for control and UDP 5247 for data) to the controller, plus DHCP if the AP does not have a static address; that is all an access point needs once it has booted.
Step 53 Go to Administration > Identity Management > Groups > Endpoint Identity Groups and create a new group for access points called Access-Point:
Attribute     Value
Name          Access-Point
Description   (optional)
Parent        Whitelist
Step 54 Navigate to Policy > Authorization and insert a new authorization rule that matches the Whitelist endpoint identity group and assigns it the Whitelist authorization profile.
Step 55 Add the AP's MAC address to the Endpoint list under Administration > Identity Management > Identities > Endpoints by selecting Create and placing it in the Access-Point identity group:
Attribute                   Value
MAC Address                 nn:nn:nn:nn:nn:nn (the AP's MAC from the switch log above, c471.fed9.1eb7, entered as c4:71:fe:d9:1e:b7)
Policy Assignment           Unknown
Identity Group Assignment   Access-Point
Step 56 Either wait about 60 seconds for the authenticator state machine to retry, or shutdown/no shutdown the switchport to trigger authentication immediately. In either case you should now see log messages on the switch console showing a successful MAB authentication, and the session should appear in the output of show authentication sessions interface GigabitEthernet 0/3 (the AP's port; GigabitEthernet 0/1 carries the IP phone and the Windows 7 PC).
Step 57 The ISE Authentications log (Monitor > Authentications) also shows the passed authentication. Two records appear, the dACL download and the MAB authentication itself:
Record 1 (dACL download): Username: #ACSACL#-IP-PE…   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/3   Event: Auth   AuthZ Profile: Access_Point   Auth Method: MAB   AuthN Protocol: Lookup
Record 2 (MAB authentication of the AP): Username: nn:nn:nn:nn:nn:nn   MAC: nn:nn:nn:nn:nn:nn   IP: 10.1.10.101   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/3   Event: Auth   AuthZ Profile: Access_Point   Auth Method: MAB   AuthN Protocol: Lookup   Identity Group: Access-Point
! End of Exercise: You have successfully completed this exercise. Proceed to next
section.
Lab Exercise 2: 802.1X Authentication
Exercise Description
Complete an 802.1X user authentication using a Windows 7 endpoint against the ISE Internal identity source.
Exercise Objective
In this lab, you will:
1. Create a new Group in the ISE internal identity source
2. Create a new User in the ISE internal identity source
3. Authenticate a User with a Windows 7 endpoint against the ISE internal identity source
Windows 7 Supplicant Configuration
We will be using Microsoft Windows 7 Enterprise with its native 802.1X supplicant for testing machine and user authentications. This shows you how to configure the individual supplicant.
Step 8 Open and login to the VMware vSphere Client on the desktop of your lab console
Step 9 Start the p#-win7-pc VM by right-clicking the VM and selecting Power > Power On
Step 10 Right-click the p#-win7-pc VM and select Open Console. You may need to click in the console a couple of times to wake up the endpoint.
Step 11 Login to your Windows 7 Enterprise endpoint. You may need to use the menu item VM > Guest > Send
Ctrl+Alt+Del to invoke the Windows login screen
Step 12 From the Windows desktop, either double-click the Services shortcut icon or navigate to Start Menu
> Administrative Tools > Services. Scroll down until you see the Wired AutoConfig (not
WLAN AutoConfig) service.
Step 13 Right-Click Wired AutoConfig and select Properties.
Step 14 Choose Startup type: Automatic
Step 15 Start the service
Step 16 Select OK.
Step 17 Go to Start Menu > Control Panel > Network and Sharing Center
Step 18 Select Change Adapter Settings from the left column.
Step 19 Right-click Local Area Connection and select Properties from the menu.
Step 20 Click the Authentication tab (this was enabled by starting the Wired AutoConfig service) and verify the
settings:
Step 21 Select Settings next to Microsoft: Protected EAP (PEAP) and uncheck Validate Server Certificate.
Note: Disabling server-certificate validation is acceptable only for this lab. In production the supplicant must validate the RADIUS server's certificate (trusted root CA and, ideally, the expected server name). Without that check a rogue switch or RADIUS server can complete the PEAP tunnel with any certificate and capture the user's MS-CHAPv2 exchange, which can be cracked offline.
Step 22 For Select Authentication Method choose Secured password (EAP-MSCHAP v2), then select Configure...
Step 23 Uncheck "Automatically use my Windows logon name and password" so that Windows prompts for credentials instead of silently reusing the logon credentials; this lets you easily test many different users and groups.
Step 24 Select OK
Step 25 Select Additional Settings
Step 26 Enable Specify authentication mode and choose User or computer authentication
Step 27 Select OK and OK again to save and exit settings. Your endpoint should now be ready to handle both 802.1X
computer authentication (machine authentication) and user authentication.
Step 28 You should see a message popup on the Windows 7 Endpoint: Additional information is needed to connect
to this network. Click on the message to view the 802.1X user authentication dialog.
Step 29 Enter the credentials for the local test account that you previously created (test-user/cisco123).
Note: Microsoft Windows does not provide any feedback for a Passed Authentication but it will re-prompt you for a failed
authentication.
Step 30 Verify that your authentication passed in ISE under Monitor > Authentications. You should see your authenticated username in the log:
Username: test-user   MAC: nn:nn:nn:nn:nn:nn   IP: 10.1.10.102   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/1   Event: Auth   AuthZ Profile: PermitAccess   Auth Method: dot1x   AuthN Protocol: PEAP   Identity Group: Test
Step 31 Since the win7-pc client is connected behind the IP phone, you can now verify that there are multiple
authentication sessions on the same GigabitEthernet0/1 switchport:
3k-access# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
MAC Address: 0010.1888.2104
IP Address: 10.1.10.101
User-Name: test-user
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A01FA0200000012016E84C6
Acct Session ID: 0x00000019
Handle: 0x6A000012
Step 32 If you would like to create additional groups and users and re-authenticate for testing purposes, you have
several options:
a. Disable then Enable the Windows 7 Local Area Connection
b. Logout then login to the Windows 7 desktop
c. On your switch, do a shutdown then no shutdown of the respective switchport
! End of Exercise: You have successfully completed this exercise. Proceed to next
section.
Lab Exercise 3: Active Directory Integration
Exercise Description
Complete a basic 802.1X user authentication against Active Directory.
Exercise Objective
In this lab, you will:
1. Join ISE to an Active Directory domain
2. Create an Identity Source Sequence to chain identity databases
3. Enroll a computer into Active Directory
4. Authenticate a user against Active Directory
5. Authenticate a computer against Active Directory
6. Assign users or computers to a specific authorization based on their group membership
Note: An account with permissions to leave a domain may be required. Since the account user1 that was used to join domain does
not have this privilege, you may need to use an administrator account (for example, administrator/cisco123) to leave the
domain.
Step 6 To join the domain, verify the following information has been configured:
Attribute                             Value
Server Connection
  Domain Name:                        demo.local
  Identity Store Name:                demo.local
Connection Settings
  Enable Password Change
  Enable Machine Authentication
  Enable Machine Access Restrictions
  Aging Time (hours):                 6 (default)
Note: Machine Access Restrictions (MAR) record each successful machine authentication for the aging time. A later user authentication from the same endpoint can then be required to have been preceded by a machine authentication; this is what the Network Access:WasMachineAuthenticated condition used in the authorization policy later in this exercise evaluates.
Step 7 Select Save Configuration to save this information for the Active Directory domain.
Step 8 Select Join to join the Active Directory domain using the AD credentials user1/cisco123
Note: If the Local Node shows that it is Joined to Domain: demo.local but the Connection Status is DISCONNECTED you will
need to select Leave then Join. This may happen as part of the first lab configuration.
Step 9 If the domain join is successful, you should see the status message:
Step 10 Select the Groups tab and click Add. Select submenu option Select Groups from Directory.
Step 11 Select Retrieve Groups using the default filter (*). The list of AD groups will be listed.
Step 12 Check all of the groups you would like to later apply policy against then select Save Configuration.
The two most important groups to use are the roots for all users and computers: demo.local/Users/Domain Users and demo.local/Users/Domain Computers. The demo.local domain also has some additional sub-groups that you may choose to use later to customize your policy rules for your industry:
Group                               Users                     Password
demo.local/Users/Domain Computers   -                         -
demo.local/Users/Domain Users       user1, user2              cisco123
demo.local/Users/contractors        contractor1, contractor2  cisco123
demo.local/Users/employees          employee1, employee2      cisco123
demo.local/Users/staff              staff1, staff2            cisco123
demo.local/Users/students           student1, student2        cisco123
demo.local/Users/doctors            doctor1, doctor2          cisco123
Step 13 You may optionally select the Attributes tab and check all of the AD attributes you would like to use in policy
conditions later based on an existing username.
Note: Only check AD attributes that you know you need for your security policy to improve performance and memory during
authentication and authorization.
Authentication Rules
Rule                         Condition                                                  Protocols                               Identity Source      Options (auth failed / user not found / process failed)
Test Authentications         IF Device:Device Type = Device Type#All Device Types#Test  allow Default Network Access protocols  demo.local           Reject / Reject / Drop
MAB                          IF Wired_MAB                                               allow Default Network Access protocols  Internal Endpoints   Reject / Reject / Drop
Dot1X                        IF Wired_802_1X                                            allow Default Network Access protocols  AD_InternalUsers     Reject / Reject / Drop
Default Rule (if no match)   -                                                          allow Default Network Access protocols  Internal Users       Reject / Reject / Drop
Step 20 Save the Authentication Policy change.
Step 21 Re-authenticate the Windows 7 endpoint using a username in the demo.local AD domain such as employee1.
You may use several options to trigger a re-authentication:
a. Disable then Enable the Windows 7 Local Area Connection
b. Logout then login to the Windows 7 desktop
c. On your switch, do a shutdown then no shutdown of the respective switchport
Step 22 Verify the user authentication under Monitor > Authentications:
Username: employee1   MAC: nn:nn:nn:nn:nn:nn   IP: 10.1.10.102   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/1   Event: Auth   AuthZ Profile: PermitAccess   Auth Method: dot1x   AuthN Protocol: PEAP
Step 23 Select the Details icon next to your successful authentication and review all of the authentication information
available for this transaction
a. Which identity store was the user found in?
b. What was the assigned authorization profile?
c. What protocol was used for the authentication?
Step 27 If the machine authentication is successful, proceed to next section Custom Authorization Policies. Otherwise
you will need to perform the following steps to unjoin and rejoin the win7-pc to the demo.local domain. This may
happen if the win7-pc VM replication for the lab broke the domain registration with the AD controller.
Step 28 On the win7-pc, go to Start > Control Panel > System
Step 29 Select Advanced System Settings and choose the Computer Name tab
Step 30 To unjoin the domain, select the Change... button and make the endpoint a member of Workgroup: Workgroup, supplying the AD administrator's username and password. It takes several seconds for the domain unjoin to complete.
Step 31 Select the Change... button again and make the endpoint a member of Domain: demo.local, supplying the AD administrator's username and password. It takes several seconds for the domain join to complete.
Step 32 You will need to Restart Windows 7 for the domain join and machine authentication to take effect.
Step 33 After Windows 7 has rebooted, look at the ISE Authentications log to verify that the computer was authenticated onto the network as a domain computer using its machine credentials (host/win7-pc):
Record 1 (dACL download): Username: #ACSACL#-IP-ACL-D   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/1   Event: DACL
Record 2 (machine authentication): Username: host/win7-pc.demo.local   MAC: nn:nn:nn:nn:nn:nn   IP: 10.1.10.102   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/1   Event: Auth   AuthZ Profile: PermitAccess   Auth Method: dot1x   AuthN Protocol: PEAP
Step 34 In the VMware menu for the Windows 7 endpoint, select the menu VM > Guest > Send Ctrl+Alt+Del
Step 35 Login to Windows as user employee1/cisco123.
Step 36 Verify the user authentication in the ISE Authentications log:
Username: DEMO\employee1   MAC: nn:nn:nn:nn:nn:nn   IP: 10.1.10.102   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/1   Event: Auth   AuthZ Profile: PermitAccess   Auth Method: dot1x   AuthN Protocol: PEAP
Step 37 Log off from the Windows 7 endpoint and you should see the session authenticated as the domain computer (host/win7-pc.demo.local) once again:
Record 1 (dACL download): Username: #ACSACL#-IP-ACL-D   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/1   Event: DACL
Record 2 (machine authentication): Username: host/win7-pc.demo.local   MAC: nn:nn:nn:nn:nn:nn   IP: 10.1.10.102   NAD: 3k-access   Server: ise-1   NAS Port: Gi0/1   Event: Auth   AuthZ Profile: PermitAccess   Auth Method: dot1x   AuthN Protocol: PEAP
Step 38 Look at the Authentication Detail for either the user or host and you will see the series of machine and user
authentications.
Custom Authorization Policies
Both the Domain_Computer and Domain_User have the same PermitAccess permission in the Authorization policy. You will create and apply new authorization permissions for each of these resources.
Step 39 Go to Policy > Policy Elements > Results > Authorization > Downloadable ACLs
Step 40 Select Add and create the following downloadable ACL (dACL):
Attribute Value
Name: AD_LOGIN_ACCESS
DACL Content: remark demo.local Domain Controller
permit ip any host 10.1.100.10
Note: ISE does not validate the spelling or syntax of downloadable ACLs. Test each ACL entry by pasting it into an extended ACL on the intended network access device; an entry the switch cannot parse prevents the dACL from being applied when the endpoint is authorized.
Step 41 Alternatively, if you want the Windows endpoint to reach only the AD ports needed for domain logon scripts and services, update the AD_LOGIN_ACCESS dACL to the following. The remark lines document each entry; an inline comment after an ACE is not ACL syntax and the switch will reject the entry:
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark ICMP ping
permit icmp any any
remark Kerberos
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
remark NTP
permit udp any host 10.1.100.10 eq 123
remark RPC endpoint mapper
permit tcp any host 10.1.100.10 eq 135
remark NetBIOS name service
permit udp any host 10.1.100.10 eq 137
remark NetBIOS session service
permit tcp any host 10.1.100.10 eq 139
remark LDAP
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
remark SMB / MS-DS
permit tcp any host 10.1.100.10 eq 445
remark LDAP over SSL
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
remark RPC dynamic ports used by this domain controller
permit tcp any host 10.1.100.10 eq 1025
permit tcp any host 10.1.100.10 eq 1026
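Because ISE 1.0 does not check dACL syntax (see the note after Step 40), a stray token after an ACE, for example an inline !DHCP comment, is only discovered when the switch refuses the entry. The Python checker below is an added example, not part of the lab guide or of ISE. It validates the subset of IOS extended-ACL syntax used in this guide, warns when a dACL entry has a source other than any, and runs against two constructed inputs: a DNS-and-CAPWAP dACL of the kind the Step 52 note suggests for the access point (the CAPWAP ports 5246/5247 are assumed from the protocol, not taken from the page) and two annotated lines of the Step 41 kind. It is a syntax check only; it cannot tell you whether a particular IOS release supports a given keyword.

```python
"""Syntax-check downloadable ACL (dACL) text before saving it in ISE.

Added example, not part of the lab guide or of ISE. ISE 1.0 stores dACL content
verbatim, so a bad entry only surfaces when the switch rejects it at authorization
time. Accepted grammar (a subset of IOS extended ACLs): remark; permit/deny with
ip, tcp, udp or icmp; any / host A.B.C.D / A.B.C.D wildcard; eq, neq, gt, lt,
range ports (tcp/udp only); trailing log / log-input / established.
"""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}
NAMED_PORTS = {"domain", "bootps", "bootpc", "www", "ntp", "tftp", "snmp",      # subset of the
               "netbios-ns", "netbios-ssn", "ftp", "telnet", "smtp", "isakmp"}  # names IOS accepts
TRAILING_OPTS = {"log", "log-input", "established"}

# Constructed sample: minimal dACL for an access point (CAPWAP ports assumed from the protocol).
CAPWAP_DACL = """
remark Access point: DHCP, DNS and CAPWAP (UDP 5246 control, UDP 5247 data) only
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq 5246
permit udp any any eq 5247
"""
# Constructed sample: entries annotated with '!' comments, which IOS treats as part of the ACE.
ANNOTATED_DACL = """
permit udp any eq bootpc any eq bootps !DHCP
permit tcp any host 10.1.100.10 eq 88 !Kerberos
"""


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        ipaddress.IPv4Address(tokens[i + 1])       # raises ValueError if malformed
        return f"host {tokens[i + 1]}", i + 2
    ipaddress.IPv4Address(tokens[i])               # network address + wildcard mask
    ipaddress.IPv4Address(tokens[i + 1])
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _ports(tokens, i, proto):
    """Consume an optional port operator at tokens[i]; return next index."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return i
    if proto not in ("tcp", "udp"):
        raise ValueError(f"port operator '{tokens[i]}' is only valid for tcp/udp")
    n = PORT_OPS[tokens[i]]
    ports = tokens[i + 1:i + 1 + n]
    if len(ports) != n:
        raise ValueError(f"'{tokens[i]}' needs {n} port value(s)")
    for p in ports:
        if not (p.isdigit() and int(p) <= 65535) and p not in NAMED_PORTS:
            raise ValueError(f"unknown port '{p}'")
    return i + 1 + n


def check_ace(line):
    """Warnings for one line; raises ValueError/IndexError if it is not a valid ACE."""
    tokens = line.split()
    if tokens[0] == "remark":
        return []                                  # free text, always accepted
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"expected permit, deny or remark, got '{tokens[0]}'")
    proto = tokens[1]
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol '{proto}'")
    src, i = _addr(tokens, 2)
    i = _ports(tokens, i, proto)
    _dst, i = _addr(tokens, i)
    i = _ports(tokens, i, proto)
    while i < len(tokens) and tokens[i] in TRAILING_OPTS:
        i += 1
    if i < len(tokens):
        rest = " ".join(tokens[i:])
        raise ValueError(f"unexpected text '{rest}' after the ACE "
                         "(inline comments are not ACL syntax; use a remark line)")
    warnings = []
    if src != "any":
        # The switch rewrites a source of 'any' to the authenticated host's address;
        # a fixed source only matches if the endpoint happens to get that address.
        warnings.append(f"source '{src}' is not 'any'; dACL entries normally use 'any'")
    return warnings


def validate_dacl(text):
    """Check every non-blank line; return [{'line', 'severity', 'message'}, ...]."""
    problems = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            for w in check_ace(line):
                problems.append({"line": n, "severity": "warning", "message": w})
        except IndexError:
            problems.append({"line": n, "severity": "error", "message": "ACE is truncated"})
        except ValueError as exc:
            problems.append({"line": n, "severity": "error", "message": str(exc)})
    return problems


if __name__ == "__main__":
    for name, text in (("CAPWAP_DACL", CAPWAP_DACL), ("ANNOTATED_DACL", ANNOTATED_DACL)):
        probs = validate_dacl(text)
        print(f"{name}: {'OK' if not probs else ''}")
        for p in probs:
            print(f"  line {p['line']} {p['severity']}: {p['message']}")
```

Run it over the DACL Content field before you save the profile; the CAPWAP sample passes cleanly, while each annotated line is reported with the offending text so it can be moved into a remark.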
Step 42 Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles
Step 43 Select Add and create the following authorization profile for machine-authenticated domain computers:
Attribute               Value
Name                    Domain_Computer
Access-Type             ACCESS_ACCEPT
DACL Name               AD_LOGIN_ACCESS
Reauthentication Timer  3600
Maintain Connectivity   RADIUS-Request
Note: The reauthentication timer is set low (3600 seconds / 1 hour) for the purposes of this lab. In a production environment it would typically be 8-24 hours.
Authorization Policies
Rule                      Identity Group     Other Conditions                                                      Permissions
Profiled Cisco IP Phones  Cisco_IP_Phone     -                                                                     Cisco_IP_Phone
Access Point              Access-Point       -                                                                     Access_Point
Whitelist                 Whitelist          -                                                                     Whitelist
Domain Computer           Any                demo.local:External Groups EQUALS demo.local/Users/Domain Computers   Domain_Computer
Domain User               Any                demo.local:External Groups EQUALS demo.local/Users/Domain Users       Domain_User
Default                   (if no matches)    -                                                                     PermitAccess
Step 47 Go to your Windows 7 endpoint and log off, then log in again.
Step 48 Back in ISE, verify that the authentications under Monitor > Authentications show the expected Authorization Profiles: Domain_Computer for the machine authentication (host/win7-pc.demo.local) and Domain_User for the user.
Authorization Policy
Rule                      Identity Group     Other Conditions                                                                                                                       Permissions
Profiled Cisco IP Phones  Cisco_IP_Phone     -                                                                                                                                      Cisco_IP_Phone
Whitelist                 Whitelist          -                                                                                                                                      Whitelist
Domain_Computer           Any                demo.local:External Groups EQUALS demo.local/Users/Domain Computers                                                                    Domain_Computer
Domain_User               Any                demo.local:External Groups EQUALS demo.local/Users/Domain Users AND Network Access:WasMachineAuthenticated EQUALS True                 Domain_User
Default                   (if no matches)    -                                                                                                                                      PermitAccess
Note: The WasMachineAuthenticated condition ties the user authorization to a preceding machine authentication from the same endpoint, as recorded by the Machine Access Restrictions enabled in Step 6. A domain user who logs in from a computer that is not a domain member, or whose machine authentication has aged out, therefore does not receive Domain_User and falls to the Default rule.
! End of Exercise: You have successfully completed this exercise. Proceed to next
section.
Lab Exercise 4: Web Authentication
Exercise Description
In order to perform web-based authentication, unauthenticated users must be redirected to a web portal that allows the
user to enter their login credentials. This exercise is focused on configuring the default web portal to support these
functions and defining login policies including authentication stores, acceptable use, and credential and time restrictions.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
1. Customize the default Guest Portal for Central Web Authentication (CWA) guest login
2. Specify the identity stores used for web authentication
3. Define Authorization Profiles to support CWA
4. Update the Authentication and Authorization Policy to support CWA
Disable the Windows 7 Supplicant
Web authentication is traditionally associated with Guest network access, a topic that will be covered in another lab. It may also be used as a method of last resort for users whose 802.1X supplicant is not installed, misconfigured or just not working for whatever reason. To simulate this, we will disable the supplicant in the Windows 7 endpoint.
Step 1 View the Windows 7 desktop by opening the VMware vSphere Client on the desktop of your Admin client. Right-click p#-win7-pc and select Open Console. You may need to click in the console a couple of times to wake up the endpoint, or use the menu item VM > Guest > Send Ctrl+Alt+Del to invoke the Windows login screen.
Step 2 Navigate to Start Menu > Administrative Tools > Services from the Windows desktop. Scroll down until you
see the Wired AutoConfig (not WLAN AutoConfig) service.
Step 3 Right-Click Wired AutoConfig and select Properties.
Step 4 Choose Startup type: Manual
Step 5 Stop the service if it is running
Step 6 Select OK.
Step 7 The supplicant is now disabled and should not respond to 802.1X challenges from the switch authenticator.
Configure the Web Authentication Portal
Step 8 Login to the ISE admin interface.
Step 9 Navigate to Administration > Guest Management > Settings
Step 10 Double-click Guest and select Multi-Portal Configurations
Step 11 Edit DefaultGuestPortal:
Set the Identity Store Sequence to AD_InternalUsers
General
Name DefaultGuestPortal
Description default portal
General
Allow guest users to change password
Require guest and internal users to change password at expiration
Guest users should download the posture client
Guest users should be allowed to do self service
Guest users should be allowed to do device registration
VLAN DHCP Release
Delay to Release: 1 second
Delay to COA: 8 seconds
Delay to Renew: 12 seconds
Acceptable Use Policy ( ) Not Used
(o) First Login and when AUP is changed
( ) EveryLogin
Authentication
Authentication Type ( ) Guest
(o) Central Web Auth
( ) Both
Identity Store Sequence AD_InternalUsers
Step 12 When finished, select Save.
Step 13 Navigate to Policy > Authentication and change the "If user not found" option of the MAB rule from Reject to Continue. An endpoint whose MAC is not in the Internal Endpoints store is then no longer rejected; it is passed on to the authorization policy, where it will fall to the Central_Web_Auth default rule created below. The policy should now read:
Authentication Policy
Rule                         Condition                                                  Protocols                               Identity Source      Options (auth failed / user not found / process failed)
Test Authentications         IF Device:Device Type = Device Type#All Device Types#Test  allow Default Network Access protocols  demo.local           Reject / Reject / Drop
MAB                          IF Wired_MAB                                               allow Default Network Access protocols  Internal Endpoints   Reject / Continue / Drop
Dot1X                        IF Wired_802_1X                                            allow Default Network Access protocols  AD_InternalUsers     Reject / Reject / Drop
Default Rule (if no match)   -                                                          allow Default Network Access protocols  Internal Users       Reject / Reject / Drop
Note: Continue on "user not found" for MAB is what makes Central Web Authentication possible, but it also means that any unknown MAC address reaches the authorization policy. The authorization such endpoints receive must therefore be the restrictive Central_Web_Auth profile, never an open one.
Step 14 Save the Authentication policy change.
Step 15 Navigate to Policy > Policy Elements > Results and double-click Authorization.
Step 16 Select Add and create the following downloadable ACL (dACL):
Attribute      Value
Name:          CENTRAL_WEB_AUTH
DACL Content:  permit udp any any eq domain
               permit icmp any any
               permit tcp any any eq 80
               permit tcp any any eq 443
               permit tcp any host 10.1.100.21 eq 8443
Note: This dACL defines what the unauthenticated endpoint may reach. DNS is needed so the browser can resolve its original destination, ports 80 and 443 must be permitted so the switch sees the request it is going to intercept, and the last line lets the endpoint reach the ISE Policy Service node (10.1.100.21 here) on TCP 8443, where the guest portal is served. Everything else is dropped by the ACL's implicit deny.
Step 17 Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles
Step 18 Select Add to create a new Authorization Profile for Central Web Authentication:
Name Central_Web_Auth
Description (optional)
Access-Type ACCESS_ACCEPT
DACL Name CENTRAL_WEB_AUTH
Centralized Web Authentication ACL: ACL-WEBAUTH-REDIRECT
Redirect: Default
Note: ACL-WEBAUTH-REDIRECT is an ACL configured on the switch that selects which HTTP/HTTPS traffic is intercepted and redirected: permit entries are redirected, deny entries are exempt. It does not block anything by itself; the dACL CENTRAL_WEB_AUTH controls what the endpoint may reach. In general you want to exclude the ISE Policy Service nodes from redirection (deny ip any host n.n.n.n) so the endpoint can reach the CWA page, and redirect all other web traffic (permit ip any any).
Step 19 Navigate to Policy > Authorization to update the Authorization Policy for Central_Web_Auth.
Step 20 Change the Default authorization to your new Central_Web_Auth profile. Any endpoint that matches no other rule (such as a PC whose MAC is unknown and whose supplicant is not running) now receives the redirect, so a user who opens a web browser is sent to the ISE web authentication portal:
Rule                      Identity Group     Other Conditions                                                                                                                       Permissions
Profiled Cisco IP Phones  Cisco_IP_Phone     -                                                                                                                                      Cisco_IP_Phone
Access Point              Access-Point       -                                                                                                                                      Access_Point
Whitelist                 Whitelist          -                                                                                                                                      Whitelist
Domain_Computer           Any                demo.local:External Groups EQUALS demo.local/Users/Domain Computers                                                                    Domain_Computer
Domain_User               Any                demo.local:External Groups EQUALS demo.local/Users/Domain Users AND Network Access:WasMachineAuthenticated EQUALS True                 Domain_User
Default                   (if no matches)    -                                                                                                                                      Central_Web_Auth
Web Authentication Enforcement
With our new policy in place we will re-authenticate our endpoints on GigabitEthernet 0/1 to see the authorization status and the resulting behavior in the Windows 7 client.
Step 21 Login to the access switch console
Step 22 Verify the IOS HTTP server is enabled. If not, enable it. This is required for the IOS to intercept HTTP requests
and redirect them to the ISE centralized portal for web-based authentication.
3k-access# terminal monitor
3k-access# configure terminal
3k-access(config)# ip http server
3k-access(config)# ip http secure-server
Note: Enabling ip http secure-server triggers the creation of a default self-signed certificate on the switch. The switch presents that certificate when it intercepts an HTTPS request, so the browser shows a certificate warning for the original site before it lands on the portal; the portal itself (ise-1.demo.local:8443) is served by ISE with ISE's own certificate.
Step 23 Enter config mode for interface GigabitEthernet 0/1 and shutdown/no shutdown the switchport to trigger re-
authentication of the attached endpoints.
Step 24 You should see log messages for success MAB authentications. The IP phone should be authenticated based
on our earlier entry in the Endpoint list. The Windows 7 endpoint will not match the Endpoints list but will now
fall through the Authorization rules and receive the default Central_Web_Auth authorization. Verify this
authorization status in the IOS:
3k-access# show authentication session interface GigabitEthernet 0/1
Interface: GigabitEthernet0/1
MAC Address: 0022.905a.dfd0
IP Address: 10.1.40.100
User-Name: 00-22-90-5A-DF-D0
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A01640100000005000DD5DC
Acct Session ID: 0x00000007
Handle: 0x80000005
----------------------------------------
Interface: GigabitEthernet0/1
MAC Address: 0050.56b4.0161
IP Address: 10.1.10.102
User-Name: 00-50-56-B4-01-61
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-CENTRAL_WEB_AUTH-4d78ffdb
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ise-1.demo.local:8443/guestportal/gateway?sessionId=0A01640100000004000DD2AE&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A01640100000004000DD2AE
Acct Session ID: 0x00000006
Handle: 0xC6000004
Step 25 In the Windows 7 desktop, open a web browser and try to connect to a favorite website. The browser should be
redirected to the ISE Guest Access page asking for a username and password.
Step 26 Enter a username/password from the demo.local domain, such as employee1/cisco123, and click Login.
Step 27 You should be presented with an Acceptable Usage Page.
Check the Accept Terms and Conditions box and click Accept.
Step 28 You should see a web page saying Guest Login Successful. Please retry your original URL request. Try your
original URL and you should have full access now.
Step 29 View the ISE Authentications logs to see the individual authentications starting with the MAB followed by the
RADIUS Change of Authorization (CoA) and the final authentication as a Domain_User:
Note: The entry with a blank username is the RADIUS Change of Authorization (RFC 3576) event that ISE sends to the switch after the portal login so that the session is re-authorized.
! End of Exercise: You have successfully completed this exercise. Proceed to next
section.
Lab Exercise 5: Enforcement
Exercise Description
Now that you have successfully identified, authenticated, and classified a series of devices and users with MAB and 802.1X, it is time to lock down default network access. This is done by changing the default access control on each switchport from ACL-ALLOW to ACL-DEFAULT in order to allow only minimal network services until the endpoint is properly classified. This effectively changes the deployment from an open-access security model to an enforced authentication model.
Exercise Objective
1. Change the ingress ACLs on the access switchports from allowing all traffic to allowing only minimal traffic by default.
Step 3 Verify the ACL-DEFAULT contents allow only the minimum network services required to classify an endpoint:
Step 7 On the switch console, you should see the Windows 7 endpoint authenticated immediately via MAB and
assigned the Central_Web_Auth authorization as indicated by the application of the redirection URL:
Mar 15 14:35:34.735: %AUTHMGR-5-START: Starting 'mab' for client (0010.1888.2104) on
Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
Mar 15 14:35:35.230: %MAB-5-SUCCESS: Authentication successful for client (0010.1888.2104)
on Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
Mar 15 14:35:35.230: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for
client (0010.1888.2104) on Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
Once the switch learns the Windows 7 endpoint's address through DHCP, it applies the redirect URL and the redirect ACL to the session:
Mar 15 14:35:35.230: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0010.1888.2104| AuditSessionID
0A01FA02000000350D0272D1| AUTHTYPE DOT1X| EVENT APPLY
Mar 15 14:35:35.247: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.102| MAC 0010.1888.2104|
AuditSessionID 0A01FA02000000350D0272D1| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect|
POLICY_NAME https://ise-1.demo.local:8443/guestportal/gateway?sessionId=0A01FA02000000350D0272D1&action=cwa|
RESULT SUCCESS
Mar 15 14:35:35.247: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.102| MAC 0010.1888.2104|
AuditSessionID 0A01FA02000000350D0272D1| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL|
POLICY_NAME ACL-WEBAUTH-REDIRECT| RESULT SUCCESS
Step 8 You should then begin to see log notifications about packets dropped from the Windows 7 endpoint. They show ACL-DEFAULT doing its job: the unauthenticated endpoint's attempts to reach the domain controller (LDAP on 10.1.100.10 port 389) and its NetBIOS datagram broadcasts are denied:
Mar 15 14:35:35.398: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.10.102(56902) -
> 10.1.100.10(389), 1 packet
Mar 15 14:35:39.004: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.10.102(54905) -
> 10.1.100.10(389), 1 packet
Mar 15 14:35:43.970: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.10.102(138) ->
10.1.10.255(138), 1 packet
Step 9 Shortly afterwards, the IP phone will have booted and been authenticated into the Voice VLAN by the existing
authorization policy:
Mar 15 14:35:37.235: %AUTHMGR-5-START: Starting 'mab' for client (0022.905a.dfd0) on
Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:37.545: %MAB-5-SUCCESS: Authentication successful for client (0022.905a.dfd0)
on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:37.545: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for
client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:37.545: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.905a.dfd0| AuditSessionID
0A01FA02000000360D02827B| AUTHTYPE DOT1X| EVENT APPLY
Mar 15 14:35:37.545: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.40.101| MAC 0022.905a.dfd0|
AuditSessionID 0A01FA02000000360D02827B| AUTHTYPE DOT1X| POLICY_TYPE Named ACL|
POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051| RESULT SUCCESS
Mar 15 14:35:38.560: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Step 10 Open the console of the win7-pc and authenticate via CWA. When authentication has completed successfully,
you should have full Internet access on the client.
Step 11 On the switch console, you should see new log messages indicating the successful application of the
downloaded ACL. The logs below are for a CWA authentication for a Domain_User authorization:
!"#$%&#'(!#)*+,-#./*++,0,-*1,23#4*5#67,89:&;.%<=>=!!?#@9A?B(82-CD =E'"E''D
Mar 15 14:37:47.066: %MAB-5-SUCCESS: Authentication successful for client (0010.1888.2104) on Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
Mar 15 14:37:47.066: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0010.1888.2104) on Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
Mar 15 14:37:47.066: %EPM-6-POLICY_REQ: IP 10.1.10.102| MAC 0010.1888.2104| AuditSessionID 0A01FA02000000350D0272D1| AUTHTYPE DOT1X| EVENT APPLY
Mar 15 14:37:47.074: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.102| MAC 0010.1888.2104| AuditSessionID 0A01FA02000000350D0272D1| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051| RESULT SUCCESS
Mar 15 14:37:47.300: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0010.1888.2104) on Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
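The switch messages quoted above are the evidence a defender reads to confirm that the pre-authentication port ACL is blocking and that each session went MAB success, dACL push, Authorization succeeded. As an added example (not part of the lab guide), the Python below parses those lines, lists the ACL-DEFAULT denies, and flags any AuditSessionID that shows an authorization without the two earlier steps; the sample log is constructed from the lines shown above.

```python
import re

# Constructed sample: the switch syslog lines quoted above, re-joined one message per
# line (the lab's own addresses, MACs and session IDs; nothing invented).
SAMPLE_LOG = """\
Mar 15 14:35:35.398: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.10.102(56902) -> 10.1.100.10(389), 1 packet
Mar 15 14:35:37.235: %AUTHMGR-5-START: Starting 'mab' for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:37.545: %MAB-5-SUCCESS: Authentication successful for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:37.545: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.40.101| MAC 0022.905a.dfd0| AuditSessionID 0A01FA02000000360D02827B| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051| RESULT SUCCESS
Mar 15 14:35:38.560: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.905a.dfd0) on Interface Gi0/1 AuditSessionID 0A01FA02000000360D02827B
Mar 15 14:35:39.004: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.10.102(54905) -> 10.1.100.10(389), 1 packet
Mar 15 14:35:43.970: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.10.102(138) -> 10.1.10.255(138), 1 packet
Mar 15 14:37:47.066: %MAB-5-SUCCESS: Authentication successful for client (0010.1888.2104) on Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
Mar 15 14:37:47.074: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.102| MAC 0010.1888.2104| AuditSessionID 0A01FA02000000350D0272D1| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051| RESULT SUCCESS
Mar 15 14:37:47.300: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0010.1888.2104) on Interface Gi0/1 AuditSessionID 0A01FA02000000350D0272D1
"""

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)
MAB_RE = re.compile(
    r"%MAB-5-SUCCESS: Authentication successful for client \((?P<mac>[0-9a-f.]+)\).*AuditSessionID (?P<sid>\w+)"
)
EPM_RE = re.compile(
    r"%EPM-6-POLICY_APP_SUCCESS: IP (?P<ip>[^|]+)\| MAC (?P<mac>[^|]+)\| AuditSessionID (?P<sid>[^|]+)\|"
    r".*POLICY_NAME (?P<policy>[^|]+)\| RESULT (?P<result>\w+)"
)
AUTHZ_RE = re.compile(
    r"%AUTHMGR-5-SUCCESS: Authorization succeeded for client \((?P<mac>[0-9a-f.]+)\).*AuditSessionID (?P<sid>\w+)"
)


def dacl_base_name(policy_name):
    """Strip the xACSACLx-IP- prefix and the -<8 hex> version suffix the switch shows for a dACL."""
    m = re.fullmatch(r"xACSACLx-IP-(.+)-[0-9a-f]{8}", policy_name.strip())
    return m.group(1) if m else policy_name.strip()


def parse_acl_denies(log):
    """Every pre-authentication deny logged by the port ACL, with ports and counts as ints."""
    denies = []
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "count"):
                d[key] = int(d[key])
            denies.append(d)
    return denies


def verify_sessions(log):
    """Per AuditSessionID: MAC, IP, and whether MAB, dACL push and authorization all succeeded.
    A session counts as authorized only if AUTHMGR-5-SUCCESS follows both earlier steps."""
    sessions = {}

    def session(sid, mac):
        return sessions.setdefault(
            sid.strip(), {"mac": mac.strip(), "ip": None, "mab": False, "dacl": None, "authorized": False}
        )

    for line in log.splitlines():
        if m := MAB_RE.search(line):
            session(m["sid"], m["mac"])["mab"] = True
        elif m := EPM_RE.search(line):
            s = session(m["sid"], m["mac"])
            s["ip"] = m["ip"].strip()
            if m["result"] == "SUCCESS":
                s["dacl"] = dacl_base_name(m["policy"])
        elif m := AUTHZ_RE.search(line):
            s = session(m["sid"], m["mac"])
            s["authorized"] = s["mab"] and s["dacl"] is not None
    return sessions


def incomplete_sessions(sessions):
    """Session IDs that never reached a fully verified authorization (worth a closer look)."""
    return sorted(sid for sid, s in sessions.items() if not s["authorized"])


if __name__ == "__main__":
    for d in parse_acl_denies(SAMPLE_LOG):
        print(f"pre-auth block: {d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']}")
    found = verify_sessions(SAMPLE_LOG)
    for sid, s in found.items():
        print(sid, s["mac"], s["ip"], "dACL", s["dacl"], "authorized" if s["authorized"] else "INCOMPLETE")
    print("incomplete:", incomplete_sessions(found))
```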
! End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know
you finished and provide any feedback to help improve the lab experience.
Lab Overview
This lab is designed to help attendees understand how to deploy Identity Services Engine (ISE)
Guest Services. ISE Guest Services provide full lifecycle management for user access and policy
enforcement for guest users including custom portal creation for sponsors and guests, sponsor
management, guest user creation and time-based access policies with optional posture
assessment. This lab covers the configuration of the sponsor portal and policy, the guest portal
and policy, and the guest access policy. Students will validate ISE Guest Services configuration
by logging in as a sponsor, creating a new guest user, and then testing guest access using the
newly created account and credentials. Lab participants should be able to complete the lab
within the allotted lab time of 2 hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Introduction to ISE Guest Services Workflow
Lab Exercise 5: Navigate the Sponsor Portal and Create Guest Users
!"#$%&#'(!#)*+,-#%+./01+,#234#)*05+6&78%9:;<;::#.+/'"=(5>1?@ @@73-+@ @ @ @
Lab Exercise 6: Define Guest User Access Policies
Connect to a POD:
Step 1 Launch the Remote Desktop application on your system.
Step 2 Enter the Admin PC address:port for your pod per the table:
Step 3 Log in as admin / cisco123 (Domain = DEMO)
Step 4 All lab configurations can be performed from the Admin client PC.
To access and manage other computers used in this lab, follow the instructions Connect to
ESX Server Virtual Machines.
To access the console of the ISE appliance and other lab infrastructure devices, follow the
instructions Connect to Lab Device Consoles.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Reference the above POD Access Information table to verify the IP Address/Name of the ESX
Server for your pod.
Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, open the Windows Start Menu and launch PuTTY to open a
terminal session.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of
the desired device in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Lab Topology
This is the topology used for this lab.
Internal IP Addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
VLAN Number | VLAN Name | IP Subnet | Description
100 | DATACENTER | 10.1.100.0/24 | Network services (AAA, AD, DNS, DHCP, etc.)
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By
default, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE
VLAN 40.
Access To Account (username/password)
Pre-Lab Setup Instructions
During the initial delivery of the ISE Labs for the NPI training sessions, the GOLD labs will
operate in a manual fashion. Therefore, it may be necessary to manually perform a few tasks
prior to the start of each lab. The following instructions will prepare your pod for successful
execution of this lab guide.
Loading 3k-access-lab4-start.cfg !
[OK - 8275/4096 bytes]
Lab # - Title ISE VMs
Note: Other virtual machines required for this lab such as AD and the Admin client will be started for you.
Note: The ping test may fail for VMs that have not yet completed the boot process.
Step 5 Enter the credentials admin / cisco123 when prompted to allow the AD operation, and then
click OK.
Step 6 After a few moments, a message should appear to indicate that the node has successfully left
the domain. Click OK.
Lab Exercise 1: Introduction to ISE Guest
Services and Configuration Workflow
Exercise Description
This exercise reviews the overall workflow for configuring ISE Guest Services including sponsor
setup, guest setup, and configuration of authorization policies for guest access.
Exercise Objective
In this exercise, your goal is to complete the following task:
Step 2 Note that the Guest Services workflow is comprised of two main configuration sections:
Sponsor Setup
Guest Setup
The diagram depicts the logical grouping of configuration tasks under each section. In some
cases, tasks may be applicable to both sponsor and guest configuration.
Note: The numbers in the diagram indicate the order in which you will complete the tasks in this lab. Although it is
technically possible to complete the Sponsor Setup section before moving on to the Guest Setup section, a
more typical approach would be to complete the general portal and policy configuration for both sponsor and
guest before applying access policies.
Lab Exercise 2: Customize Sponsor Portal and
Policies
Exercise Description
A sponsor portal provides a web-based interface to privileged users (sponsors) within an
organization that allows creation of guest user accounts. This lab exercise covers the required
steps to customize the sponsor portal and to configure general sponsor settings which govern
how sponsors access customized web portals for the creation and management of guest user
accounts.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Configure general settings such as network ports and mail services used to access
portals and to send notifications to sponsors and guests.
Customize the sponsor portal including general layout and text fields displayed to the
sponsor.
Note: Email and SMS services will not be used in this lab.
b. Most of the configuration tasks for ISE Guest Services are performed under
Administration > Guest Management. Navigate to Administration > Guest
Management > Settings and click the icon to the left of General (or double-click General)
to expand its contents.
c. Configure HTTP and HTTPS ports used for portal access.
Select Ports from the left-hand pane and review the default network ports used for
Sponsor and Guest Portal access. By default, TCP port 8443 will be used for secure
portal access by both sponsors and guests. Do NOT modify these settings.
d. Review the settings for purging expired guest accounts. By default, guest accounts will
be purged every 15 days. You may also purge expired guest accounts on demand using
the Purge Now button.
Step 2 Customize the Sponsor Settings.
Click the icon to the left of Sponsor (or double-click Sponsor) in the left-hand pane to expand its
contents.
Step 3 Customize the Sponsor Portal layout.
Select Portal Customization from the left-hand pane and review the current portal page layout
settings. From here you can select different page colors and images used within the different
pages.
Change Content Background Color from all fs (white) to all ds (dddddd). Click Show Color to
reveal the new background color (light gray). Leave the remaining settings at their default values
and click Save.
Step 4 Language templates allow full modification of the text displayed on sponsor input screens and
guest notifications. To modify the template, select Language Template from the left-hand pane
and then click English from the language template list. Review the list of available templates.
Step 5 Modify the template used for creating guest users one at a time.
Click Configure the Template for Create Single Guest Account and scroll to review the
available fields. Change the following two fields:
Optional Data 1 Field: Reason for Access:
Optional Data 2 Field: Additional Comments:
Leave the remaining fields at their default values and click Save at the bottom of the page.
Step 6 Click on each of the templates for Email, SMS, and Print notifications and note the use of
variables to dynamically populate text with information specific to the guest user's account.
Step 7 Specify optional and required fields for guest user account creation.
Click the icon to the left of Guest in the left-hand pane to expand its contents. Click Details
Policy. Set the policy as per the following, then click Save:
Company Mandatory
Email Mandatory
Phone Optional
Note: The Additional fields 1-5 correspond to the Optional Data fields we just defined within the language
template.
Note: Email and Phone fields should be set to Mandatory for deployments using the email address as the guest
username, or if using email and SMS text messaging for guest notifications.
Lab Exercise 3: Customize Guest Portal and
Policies
Exercise Description
In order to perform web-based authentication, guest users will need to be redirected to a portal
that allows the user to enter their login credentials and provide optional services like password
changes, device registration, or even self-service account creation. This exercise is focused on
configuring the default guest portal to support these functions and defining login policies including
authentication stores, acceptable use, and credential and time restrictions.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Customize the default Guest Portal for guest login and define policies to allow new
guests to change their password, perform self-registration, and require agreement to an
Acceptable Use Policy (AUP) upon login
Create time profiles that define access restrictions by date, time, and duration
These selections will allow guests to change their password, perform self-service, and require
acceptance of a default AUP upon login.
Note: Self-service allows any user to generate access credentials without requiring a sponsor to perform this task.
As this is not a sponsored user and any user may create their own account with this policy setting, it is
common to assign self-service guests to an Identity Group with minimal network access privileges such as
Internet_Only.
Attribute Value
Minimum number to include 4
Username may include the numeric characters 0123456789 (default setting)
Minimum number to include 4
Username may include the special characters ~_ (default setting)
Minimum number to include 0
Note: Leave the character settings at their default values. Only change the number of characters for these items.
Note: For the lab purposes only, these numbers have been set to lower than typical values with less strength to
facilitate testing.
Step 7 Review and configure time profiles that define allowed login start/stop times and duration for
guest access.
Click Time Profiles from the left-hand pane. Click on each of the three default time profiles and
review the settings:
DefaultFirstLogin Account valid for one hour starting from first login
(no day-of-week or time-of-day restrictions)
DefaultOneHour Account valid for one hour from time of sponsor creation
(no day-of-week or time-of-day restrictions)
DefaultStartEnd Account valid per the start/end dates and times set by sponsor
(no day-of-week or time-of-day restrictions)
Step 8 Create a new time profile that is valid for eight hours from the time of sponsor creation.
From the Time Profiles configuration page, click Add and set the time profile values as shown
below, then click Submit:
Attribute Value
Name 8HoursFromCreation
Description (optional)
Time Zone for Restrictions America/Los_Angeles
Account Type FromCreation
Duration 8 Hours
Restrictions (default setting no restrictions)
Note: To quickly navigate to the desired time zone value, enter characters contained within the string. For
example, entering the characters los will jump the selection to the first occurrence of a time zone with this
string. In this example, the first matching time zone is America/Los_Angeles.
Lab Exercise 4: Define Sponsor Access
Policies
Exercise Description
In order for sponsors to access the sponsor portal, a user identity store must be specified to
determine how sponsors are authenticated. Once authenticated, sponsors will be assigned to a
sponsor group. A sponsor group defines which privileges are available to the sponsor. These
privileges include available menu options, the guests accounts that can be managed, and
network access privileges that can be granted a guest user through role assignment and time
restrictions.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Define the Sponsor Authentication Source
Configure Sponsor Group Policies that define the Sponsor Group assigned to a sponsor
based on login credentials and other conditions
a. From the Admin client PC, access the ISE admin interface and navigate to
Administration > Guest Management > Settings > Sponsor.
b. Under Sponsor contents, click Authentication Source from the left-hand pane.
c. Select AD_InternalUsers for the Identity Source Sequence. This sequence is defined to
first check the Windows AD domain and then fall back to the Internal Users database.
Step 2 Review default Sponsor Groups and their associated privileges.
Navigate to Administration > Guest Management > Sponsor Groups. By default, there are
three pre-defined Sponsor Groups:
SponsorAllAccounts  Sponsor in this group can manage all guest user accounts
SponsorGroupAccounts  Sponsor in this group can manage all guest user accounts created by sponsors in the same Sponsor Group only
SponsorGroupOwnAccounts  Sponsor in this group can manage only guest user accounts that the sponsor created
Various privileges have been assigned to each of these sponsor groups, with SponsorAllAccounts
being the most privileged and SponsorGroupOwnAccounts being the most restricted.
Step 3 Create three new sponsor groups that will be used to provide differentiated sponsor privileges
for the following user roles within a company: Managers, LobbyAmbassadors, and regular Employees.
Click Add then enter the following values in each of the configuration tabs for the new Sponsor
Group to be assigned to Managers:
Attribute Value
General
Name ManagerSponsorGroup
Description Manage All Accounts
Authorization Levels
Allow Login Yes
Create Accounts Yes
Create Bulk Accounts Yes
Create Random Accounts Yes
Import CSV Yes
Send Email Yes
Send SMS Yes
View Guest Password Yes
Allow Printing Guest Details Yes
View/Edit Accounts All Accounts
Suspend/Reinstate Accounts All Accounts
Account Start Time 14 Days
Maximum Duration of Account 30 Days
Guest Roles
Contractor
Guest
Time Profiles
DefaultFirstLogin
DefaultOneHour
Pick:
DefaultStartEnd
8HoursFromCreation
When finished, click Submit to return to the list of Guest Sponsor Groups.
Note: After initial submittal, to return to the list of Guest Sponsor Groups from within the Sponsor Group
configuration pages, click the Sponsor Group List link from displayed path above the sponsor configuration
tabs.
Step 4 Click Add then enter the following values in each of the configuration tabs for the new Sponsor
Group to be assigned to LobbyAmbassadors:
Attribute Value
General
Name LobbyAmbassador
Description Manage Same Group Accounts Only
Authorization Levels
Allow Login Yes
Create Accounts Yes
Create Bulk Accounts No
Create Random Accounts No
Import CSV No
Send Email No
Send SMS No
View Guest Password Yes
Allow Printing Guest Details Yes
View/Edit Accounts Group Accounts
Suspend/Reinstate Accounts Group Accounts
Account Start Time 1 Days
Maximum Duration of Account 1 Days
Guest Roles
Guest
Time Profiles
DefaultOneHour
Pick: DefaultStartEnd
8HoursFromCreation
When finished, click Submit to return to the list of Guest Sponsor Groups.
Step 5 Click Add then enter the following values in each of the configuration tabs for the new Sponsor
Group to be assigned to regular Employees:
Attribute Value
General
Name EmployeeSponsorGroup
Description Manage Own Accounts Only
Authorization Levels
Allow Login Yes
Create Accounts Yes
Create Bulk Accounts No
Create Random Accounts Yes
Import CSV No
Send Email Yes
Send SMS Yes
View Guest Password Yes
Allow Printing Guest Details Yes
View/Edit Accounts Own Accounts
Suspend/Reinstate Accounts Own Accounts
Account Start Time 7 Days
Maximum Duration of Account 5 Days
Guest Roles
Guest
Time Profiles
DefaultOneHour
Pick: DefaultStartEnd
8HoursFromCreation
When finished, click Submit to return to the list of Guest Sponsor Groups.
Note: For each Sponsor Group, be sure to set View Guest Password option to Yes. This will allow you to see both
the guest username and password required to test guest login later in this lab.
Step 6 The Sponsor Group Policy maps individual sponsors to a particular Sponsor Group (thus
granting specific sponsor privileges) based upon the sponsor's identity (as determined through
sponsor authentication) and/or other conditions defined in the Sponsor Group Policy.
In this step, you will configure Sponsor Group Policies that define the Sponsor Group assigned
to a sponsor based on login credentials and other conditions.
Navigate to Administration > Guest Management > Sponsor Group Policy. Add new policies
or modify the existing policies to match the values in the following table using the
Status | Rule Name | Identity Groups | Other Conditions | Sponsor Groups
| Manage All Accounts | Any | demo.local:ExternalGroups EQUALS demo.local/Users/Domain Admins | ManagerSponsorGroup
| Manage Group Accounts | Any | demo.local:ExternalGroups EQUALS demo.local/Users/staff | LobbyAmbassador
| Manage Own Accounts | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees | EmployeeSponsorGroup
Note: If editing the existing Sponsor Group policies to match the above table, be sure to change the Identity Group
condition to Any for each rule.
Step 7 When finished, click Save.
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 5: Navigate the Sponsor Portal
and Create Guest Users
Exercise Description
Now that the Sponsor Settings and Portals have been configured, you will be able to log in to
the Sponsor Portal for guest user creation and management options. This lab exercise covers the
procedure for accessing the Sponsor Portal and reviews the methods for creating guest accounts
and their subsequent management.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Access the Sponsor Portal using different login credentials and review the options
available per Sponsor Group Policy assignment.
Review and update sponsor preferences
From the Admin client PC, open a new Mozilla Firefox browser window or tab. Enter the
following URL in the address field:
https://ise-1.demo.local:8443/sponsorportal
(Accept/Confirm any browser certificate warnings if present)
The ISE Sponsor Portal should display.
Step 2 Manage guest accounts as a Lobby Ambassador.
a. Login as a Lobby Ambassador using the AD credentials staff1 / cisco123
This user account is a member of the AD group demo.local/Users/staff. Per our previous
lab exercises, this AD group is mapped to the Sponsor Group named LobbyAmbassador.
b. Navigate the sponsor portal interface.
If you elected to change the background color in the previous lab exercise, you should
see a grey background in the right-hand pane instead of a white background.
Optionally set an email address and whether or not the sponsor should receive email
notifications when guest users are created by this sponsor. Click Save to save changes.
d. From the left-hand pane, go to Account Management > Create Multiple Accounts.
Due to Sponsor Group restrictions for LobbyAmbassador, the sponsor should not be
authorized for this function.
Repeat this step for the Create Random Accounts and Import Accounts options to
verify the sponsor restrictions based on the Sponsor Group settings.
Go to Sponsor > Home in the left-hand pane. Click Create Guest Account from the
right-hand pane and enter the following values for the new guest user:
Attribute Value
First Name Guest
Last Name User1
Email Address [email protected]
Phone Number (optional)
Company Company ABC
Reason for Access (enter reason)
Additional Comments (enter optional comments)
Group Role Guest
Time Profile DefaultOneHour
Timezone America/Los_Angeles (second page from top of list)
Required fields are denoted by a symbol. If you attempt to submit changes with a
mandatory field that is empty, the portal will alert you of the required fields.
Only the single role Guest is available for assignment by this sponsor.
Only specific time profiles are available to this sponsor.
The two Optional Data fields, Reason for Access and Additional Comments, are the fields that
were defined in the language template for Create Single Guest Account.
When finished reviewing fields, click Submit to create the guest user account.
g. Review the output generated for the new guest user account.
Write down the guest user name and credentials here. They will be needed later in this
lab to test guest user access.
Guest Password: _______________________
h. Note that the Lobby Ambassador is limited to Print notifications only. Click the View All
Accounts button. Note that new guest user account status is AWAITING INITIAL
LOGIN. To view or edit details for a specific guest, either click the guest Username or
select the entry with the checkbox on the left and then choose one of the available
functions such as Edit, Delete, Reinstate, Suspend, or Print.
i. Logout from the sponsor portal by clicking the Log Out link in the upper right corner of
the Sponsor Portal.
c. Random accounts are useful when multiple guest accounts are required and the guest
details are unknown at the time of entry, or for events where network access is required
for a large number of unknown users.
Create multiple random accounts by selecting Create Random Guest Accounts from
either the right-hand pane of the Home page, or else from Account Management >
Create Random Accounts.
Enter the following values for the new random guest users then click Submit:
Attribute Value
Number of Random Accounts to Create 5
Username Prefix random
Group Role Guest
Time Profile DefaultOneHour
Timezone America/Los_Angeles
d. Click View All to review all guest users created by this sponsor. Since the sponsor
employee1 is assigned the privilege to only manage accounts it creates, guest users
created by the Lobby Ambassador are not visible to this sponsor.
This user account is a member of the AD group demo.local/Users/Domain Admins. Per
our previous lab exercises, this AD group is mapped to the Sponsor Group named
ManagerSponsorGroup.
b. Again navigate the sponsor portal interface and note that all options are available to this
sponsor. This sponsor is able to assign guest users to the role Contractor and can apply
any one of the available time profiles. Customize and save sponsor preferences as
desired.
c. Click option Account Management > Create Multiple Accounts (or Create Multiple
Guest Accounts from Home page depending on page location). This option allows a
sponsor to quickly add multiple accounts that share similar access requirements as a
batch.
d. Click option Account Management > Import Accounts (or Import Guest Accounts
from Home page depending on page location). Similar to the Create Multiple Accounts
option, this option allows a sponsor to create many guest users that share similar access
requirements at once by importing a specially formatted template file that contains the
guest info.
The template file named importGuestAccounts.csv is provided in Comma Separated
Values (CSV) format and can be updated using standard text, spreadsheet, and database
import/export applications.
Click Download Import File Template, select the option Open with, and then choose
Notepad from the Browse button. Click OK twice. The file headers include the following:
First Name, Last Name, Email Address, Phone Number, Company, Optional Data 1, Optional Data 2
When finished reviewing the template, exit Notepad without saving the file.
e. Click option to View Guest Accounts (or Guest Account User List depending on page
location).
As a member of the ManagerSponsorGroup, note that this sponsor can view and manage
all guest accounts including accounts created by other sponsors and sponsor groups.
Step 5 Return to the ISE administrative web interface using the Mozilla Firefox web browser
(https://ise-1.demo.local) using the credentials admin / default1A
Step 6 Go to Administration > Identity Management > Groups and click User Identity Groups from
the left-hand pane.
Step 7 Click on group Guest from the right-hand pane. Note that the Member Users list is empty. This
is because guest users created from the sponsor portal do not appear in the Internal Users list
or as a member of Identity Groups within the ISE Administrative interface. These guest users
can only be managed from within the Guest Services Sponsor Portal by a valid sponsor.
Lab Exercise 6: Define Guest User Access
Policies
Exercise Description
Guest users created through sponsor portals are assigned to a specific Identity Group; the default
is Guest. The Identity Group attribute serves as a key condition in defining access policies for
sponsored guest users. This exercise covers the configuration of Authorization Policies and their
corresponding Authorization Profiles to apply specific network access controls to guest users in
the form of downloadable access control lists (dACLs).
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Define dACLs that deny guest user access to internal company networks while providing
Internet access.
Configure an Authorization Policy for authenticated guest users that applies the
appropriate profile and access controls.
Note: CWA configuration for employees was covered in the Classification and Enforcement lab.
Step 2 Go to Policy > Authorization and review the current rules in the Authorization Policy. The
default rule supports CWA for unknown users including employees and guest users through
URL redirection and application of an access dACL that permits Guest Portal access. You will
need to create a new policy that permits authenticated guest users (members of the Guest
Identity Group) additional network access such as Internet destinations.
Step 3 Define a dACL to be applied to authenticated guest users that permits Internet access while
denying access to internal networks.
Step 4 Click Add from the right-hand pane and enter the following values for a new dACL that permits
Internet-only access in the lab network, then click Submit:
Attribute Value
Name INTERNET_ONLY
Description Access to Internet Only
DACL Content permit udp any any eq domain
             permit icmp any any
             permit tcp any host 10.1.100.21 eq 8443
             deny ip any 10.1.0.0 0.0.255.255
             permit ip any any
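The security of this dACL rests on its order and on the exact hosts it exposes: DNS, ICMP and the ISE guest portal on TCP 8443 are reachable before the blanket deny of 10.1.0.0/16, and everything else internal (including other ports on the ISE node itself) is dropped. The Python evaluator below is an added example, not part of the lab guide: it parses the dACL with first-match IOS ACE semantics and Cisco wildcard masks and applies it to constructed guest flows. 10.1.100.21 is ISE (from the dACL), 10.1.100.10 is the AD/LDAP server seen in the earlier switch log; 10.1.10.1 (gateway), 10.1.10.103 (a peer PC) and 203.0.113.10 (an Internet host) are assumed.

```python
import ipaddress

# The INTERNET_ONLY dACL exactly as Step 4 lists it (copied from the lab, not generated here).
INTERNET_ONLY = """\
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
deny ip any 10.1.0.0 0.0.255.255
permit ip any any
"""

# Assumption: only these IOS port-name keywords are needed for the ACLs on this page.
PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}


def _addr(tokens):
    """Consume one IOS address spec (any | host A.B.C.D | A.B.C.D WILDCARD).
    Returns (base, wildcard) as ints; wildcard bits set to 1 are 'don't care'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return base & ~wildcard & 0xFFFFFFFF, wildcard


def _portnum(tok):
    return int(PORT_NAMES.get(tok, tok))


def _port(tokens):
    """Consume an optional 'eq X' or 'range A B' spec; None means any port."""
    if not tokens or tokens[0] not in ("eq", "range"):
        return None
    op = tokens.pop(0)
    lo = _portnum(tokens.pop(0))
    hi = _portnum(tokens.pop(0)) if op == "range" else lo
    return lo, hi


def parse_acl(text):
    """Parse dACL content lines into an ordered list of ACE dicts."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        ace = {"action": action, "proto": proto, "text": line.strip()}
        ace["src"] = _addr(rest)
        ace["sport"] = _port(rest) if proto in ("tcp", "udp") else None
        ace["dst"] = _addr(rest)
        ace["dport"] = _port(rest) if proto in ("tcp", "udp") else None
        aces.append(ace)
    return aces


def _match_addr(spec, ip):
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wildcard & 0xFFFFFFFF) == base


def _match_port(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First-match evaluation with IOS's implicit deny at the end.
    Returns (action, text of the ACE that decided)."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match_addr(ace["src"], src) and _match_addr(ace["dst"], dst)):
            continue
        if ace["proto"] in ("tcp", "udp") and not (
            _match_port(ace["sport"], sport) and _match_port(ace["dport"], dport)
        ):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


# Constructed flows from the win7-pc guest (10.1.10.102 on ACCESS VLAN 10).
# 10.1.100.21 is ISE (from the dACL); 10.1.100.10 is the AD/LDAP server in the earlier
# switch log; 10.1.10.1, 10.1.10.103 and 203.0.113.10 are assumed addresses.
GUEST_FLOWS = {
    "dns":              ("udp",  "10.1.10.102", "10.1.100.10",  51000, 53),
    "ping_gateway":     ("icmp", "10.1.10.102", "10.1.10.1",    None,  None),
    "ise_guest_portal": ("tcp",  "10.1.10.102", "10.1.100.21",  51001, 8443),
    "ise_admin_https":  ("tcp",  "10.1.10.102", "10.1.100.21",  51002, 443),
    "ad_ldap":          ("tcp",  "10.1.10.102", "10.1.100.10",  51003, 389),
    "peer_smb":         ("tcp",  "10.1.10.102", "10.1.10.103",  51004, 445),
    "internet_https":   ("tcp",  "10.1.10.102", "203.0.113.10", 51005, 443),
}


def classify_guest_flows(acl_text=INTERNET_ONLY):
    """Map each flow name to the action the dACL takes on it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *flow)[0] for name, flow in GUEST_FLOWS.items()}


if __name__ == "__main__":
    for name, action in classify_guest_flows().items():
        print(f"{name:18s} {action}")
```

Re-running the check with the deny line moved to the top shows why the order matters: the guest portal itself becomes unreachable.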
Step 5 Create an Authorization Profile for guest users that assigns the INTERNET_ONLY dACL.
From Policy > Policy Elements > Results > Authorization, click Authorization Profiles from
the left-hand pane.
Step 6 Click Add from the right-hand pane and enter the following values for a new guest Authorization
Policy, then click Submit:
Attribute Value
Name Guest
Description Guest Access to Internet Only
Access Type ACCESS_ACCEPT
Common Tasks
DACL Name INTERNET_ONLY
Advanced Attribute Settings
Radius:Termination-Action Default / 0 (Terminate)
Warning: Due to a defect CSCtl81551 in the beta build of the software, the Advanced Attribute Settings may not display
after the profile is saved. Although the values are saved to the database and will be applied to this profile, they
do not display in the Authorization Profile configuration.
The Common Tasks option named ReAuthentication is not a valid option here since it also requires that
the Session-Timeout value be configured. We want guest users to be assigned a Session-Timeout value
per the time profile applied during account creation. Explicitly setting the value in the Authorization Profile
would overwrite that assignment.
Step 7 Add an Authorization Policy rule for users assigned to the Identity Group named Guest and
assign the Authorization Profile named Guest.
Go to Policy > Authorization and insert a new rule above the Default rule. Use the
Enter the following values for the new rules named Contractor and Guest:
Status  Rule Name                 Identity Groups  Other Conditions                                                    Permissions
        Profiled Cisco IP Phones  Cisco-IP-Phone   -                                                                   Cisco_IP_Phones
        Domain_Computer           Any              demo.local:ExternalGroups EQUALS demo.local/Users/Domain Computers   AD_Login
        Employee                  Any              Radius:demo.local:ExternalGroups EQUALS demo.local/Users/employees   Employee
        Contractor                Contractor       -                                                                   Guest
        Default                                                                                                        Central_Web_Auth
Step 8 Click Save at the bottom of the page when finished making policy changes.
Lab Exercise 7: Test Guest User Access
Exercise Description
Test guest user access and access policies. Validate successful authentications using the ISE
live Authentications session viewer. Review Guest Services reports.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Login as a guest user via web authentication using credentials created using the Sponsor
Portal
Validate or troubleshoot, as necessary, guest user authentications from the ISE Live
Authentications session viewer.
Step 1 Go to the Win7-PC client. Log in to the Windows desktop using the following account:
Username: DEMO\employee1
Password: cisco123
Step 2 Open a DOS command prompt and use the ipconfig command to validate that you have an IP
address on the 10.1.10.0/24 network, as shown in the following example:
If the client does not have a valid IP address or has an address in a different subnet, use
ipconfig /release followed by ipconfig /renew to renew the IP address.
Step 3 From the Admin client PC, use the desktop shortcut for the PuTTY SSH client to launch a
terminal session to the 3k-access switch (10.1.250.2) using the credentials admin / cisco123
(enable password cisco123).
Step 4 To view log messages from the terminal session, enter the terminal monitor command at the
switch exec prompt:
3k-access# terminal monitor
Note: Use the command terminal no monitor if you need to disable the monitoring of terminal logging
without exiting the session.
Step 5 Verify the running configuration of the switchport to which the Win7-PC is connected
(GigabitEthernet0/1) per example below:
Step 6 To simulate a new connection, enter configuration mode (conf t) on the switch and access
interface gi0/1. Issue a shut command followed shortly by a no shut command for GigabitEthernet 0/1.
Step 7 Within a few seconds of issuing the no shut command, exit configuration mode using either
CTRL+Z or the end command, then use the following exec command to view the current
authorization status of interface GigabitEthernet 0/1:
3k-access# show authentication sessions interface gi0/1
Note: You can also issue exec-level commands from within configuration mode using the do command.
Example:
3k-access(config)# do show authentication sessions interface gi0/1
Step 8 Depending on how soon the above command is entered after activating the interface, you will
likely see one of three different authorization states on the interface.
a. If link has not been established on the port, then the following output can be expected:
If this is the message received, repeat the command to display one of the other possible
authorization states explained below.
b. Recall from the running switchport configuration that the MAB authentication method
should be attempted first (authentication order mab dot1x). Therefore, once the link is
activated, output similar to the following will appear:
Note that the Common Session ID is established immediately between the switch and ISE for
each new session. This value is critical in tracking the lifecycle of each session. At this
time the MAC and IP addresses are unknown, and the initial mab status is Running.
c. Once the MAB process has completed (as indicated by a mab status as Authc Success)
you should see output similar to the following:
3k-access# do sh auth sess int gi0/1
            Interface:  GigabitEthernet0/1
          MAC Address:  0010.1888.2224
           IP Address:  10.1.10.100
            User-Name:  00-10-18-88-22-24
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-CENTRAL_WEB_AUTH-4d78ffdb
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://ise-1.demo.local:8443/guestportal/gateway?sessionId=0A01FA020000000E02A11559&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01FA020000000E02A11559
      Acct Session ID:  0x00000011
               Handle:  0x9500000E
      Method   State
      mab      Authc Success
      dot1x    Not run
----------------------------------------
            Interface:  GigabitEthernet0/1
          MAC Address:  0024.14b2.284f
           IP Address:  10.1.40.100
            User-Name:  00-24-14-B2-28-4F
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01FA020000000F02A12567
      Acct Session ID:  0x00000012
               Handle:  0x3600000F
Callouts in the original screenshot mark, for the Win7-PC (DATA) session: the address info, the
User-Name (still the MAC address), the DATA domain, the dACL and redirect ACL, the URL redirect to
CWA, and the unique Session ID; for the IP Phone (VOICE) session: the VOICE domain, its own
authorization dACL, and its own unique Session ID.
Since the switchport is connected to an IP Phone which is also connected to a PC, there
should be two unique sessions and corresponding Session IDs established on the
switchport: one for the PC (DATA domain) and one for the IP Phone (VOICE domain).
Verify that the MAC and IP of the DATA domain are those of the Win7-PC client.
Note the matching policy applied to the Win7-PC session is that of the Default
Authorization Policy using the Authorization Profile named Central_Web_Auth. This
profile contains the following:
Note: Critical to proper CWA operation is the Session ID. Be sure this value is populated in the redirect
URL with the same value noted under Common Session ID. This value should also appear in the
browser of the redirected PC client as shown in the next step.
Step 9 From the Win7-PC client, launch a Microsoft IE or Mozilla Firefox web browser. The default
homepage should automatically trigger a redirect to the ISE CWA login screen:
If you expand the contents in the browser address field, you should see the redirect URL
matches that set in the Authorization Profile and that the Session ID matches that seen on the
switch.
Step 10 Do not click Log In at this time. First, enter the guest credentials created earlier and then click
Change Password. You should see a screen similar to the following:
Enter your original credentials and a new password of cisco123 and click Log In. You should
be returned to the original login screen.
Step 11 Enter your guest username with password cisco123 and click the Log In button.
Step 12 The Acceptable Use Policy (AUP) should display for first time login. Check the box Accept
terms and conditions and click Accept.
Step 13 You should now be successfully logged in as per the following screen:
a. Verify that you can access the external network by entering http://www.cisco.com into
the browser.
b. Verify that you can NOT access the internal lab network web server
http://www-int.demo.local.
Step 15 From the terminal session with the switch, rerun the command sh auth sess int gi0/1. The
output should be similar to the following sample (VOICE domain info omitted):
3k-access# do sh auth sess int gi0/1
Interface: GigabitEthernet0/1
MAC Address: 0010.1888.2224
IP Address: 10.1.10.100
User-Name: guser101
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-INTERNET_ONLY-4d7aa7bc
Session timeout: 3600s (server), Remaining: 3461s
Timeout action: Terminate
Idle timeout: N/A
Common Session ID: 0A01FA020000000E02A11559
Acct Session ID: 0x00000011
Handle: 0x9500000E
After successful web authentication, the guest is reauthorized into the Guest policy which
downloads the dACL for INTERNET_ONLY access
User-Name field is no longer a MAC address, but is populated with the guest username
as determined through CWA
Session ID persists through the entire lifecycle of this user session from MAB to CWA.
Session timeout is 3600 seconds (1 hour) which is based on the time profile
(DefaultOneHour) set during creation of the guest account.
Timeout action (or Termination Action) is set to Terminate as defined in the Guest
Authorization Profile to ensure that the guest user's web auth session is terminated per
the terms of the assigned time profile.
Authorization is based on CWA result, but switchport authentication is based on MAB
(authentication state for method = mab is Authc Success)
If you receive an Invalid login credential error message upon attempting guest login and the
Monitor > Authentications log reports the error Guest Authentication failed:
86017:Session Cache entry missing, then bounce the access switch port (Gi0/1) using
shut/no shut commands. Also close and restart a new client browser window to ensure
the session ID in use by the switch and client are in sync. For reference, this issue is related
to CSCto28988 [Session cache entry not found with failed guest authentications].
Ensure you have not checked the box in the Guest Portal configuration to allow posture
agent download (Under Administration > Guest Management > Settings > Guest >
Multi-Portal Configurations > DefaultGuestPortal)
Make sure that guest user was assigned to the Guest identity group and not Contractor.
If excessive time has elapsed (more than one hour) since the guest account was created,
then you may receive an error at login that the account has expired. You can return to
the previous lab exercise on sponsor portals and follow the steps to create a new guest
account. Once completed, note the new credentials and restart the guest login process.
From the ISE admin interface, verify that the correct Authorization Profile is being applied
for CWA and that correct attributes are set including Access Type = ACCESS_ACCEPT
and dACL = INTERNET_ONLY.
From the ISE admin interface, verify the dACL contents for INTERNET_ONLY are
correct; ISE does not currently validate ACL syntax. Errors in the syntax can result in
failure of the endpoint to access network.
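The checks described above (the Session ID carried in the redirect URL, the User-Name changing from a MAC address to the guest username, the dACL swap, the Terminate action) can be scripted against the switch output rather than read by eye. The following Python is an added example written for this page, not code from the lab guide, from ISE or from the switch: it parses show authentication sessions interface output into one record per session and compares the pre-login and post-login state of the DATA session. The sample output is condensed from the two switch displays in this exercise; the field names are the ones the switch prints there.

```python
"""Parse 'show authentication sessions interface' output and check the CWA
lifecycle described above. Added example, not from the lab guide."""
import re
from typing import Dict, List

# Switch output condensed from the lab's Step 8 and Step 15 samples.
BEFORE_CWA = """\
Interface:  GigabitEthernet0/1
MAC Address:  0010.1888.2224
IP Address:  10.1.10.100
User-Name:  00-10-18-88-22-24
Domain:  DATA
ACS ACL:  xACSACLx-IP-CENTRAL_WEB_AUTH-4d78ffdb
URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
URL Redirect:  https://ise-1.demo.local:8443/guestportal/gateway?sessionId=0A01FA020000000E02A11559&action=cwa
Common Session ID:  0A01FA020000000E02A11559
Method  State
mab  Authc Success
----------------------------------------
Interface:  GigabitEthernet0/1
MAC Address:  0024.14b2.284f
User-Name:  00-24-14-B2-28-4F
Domain:  VOICE
ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051
Common Session ID:  0A01FA020000000F02A12567
Method  State
mab  Authc Success
"""
AFTER_CWA = """\
Interface:  GigabitEthernet0/1
MAC Address:  0010.1888.2224
User-Name:  guser101
Domain:  DATA
ACS ACL:  xACSACLx-IP-INTERNET_ONLY-4d7aa7bc
Session timeout:  3600s (server), Remaining: 3461s
Timeout action:  Terminate
Common Session ID:  0A01FA020000000E02A11559
Method  State
mab  Authc Success
"""
MAC_USER = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
SESSION_ID = re.compile(r"[?&]sessionId=([0-9A-Fa-f]+)")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session; method states are stored under 'method:<name>'."""
    sessions: List[Dict[str, str]] = []
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):   # blank line or separator ends a session
            in_methods = False
            continue
        if line.startswith("Interface:"):      # every session begins with Interface:
            sessions.append({})
            in_methods = False
        if line.split() == ["Method", "State"]:
            in_methods = True
            continue
        if in_methods:
            method, _, state = line.partition(" ")
            sessions[-1]["method:" + method] = state.strip()
        else:
            key, _, value = line.partition(":")  # first colon only, so URLs survive
            sessions[-1][key.strip()] = value.strip()
    return sessions


def session_in(sessions: List[Dict[str, str]], domain: str) -> Dict[str, str]:
    return next(s for s in sessions if s.get("Domain") == domain)


def check_redirect(s: Dict[str, str]) -> List[str]:
    """Pre-login: the redirect URL must carry this session's own Common Session ID
    and a redirect ACL must be applied, or browser traffic is never intercepted."""
    problems = []
    m = SESSION_ID.search(s.get("URL Redirect", ""))
    if not m:
        problems.append("no sessionId in URL Redirect")
    elif m.group(1) != s.get("Common Session ID"):
        problems.append(f"redirect sessionId {m.group(1)} != Common Session ID")
    if not s.get("URL Redirect ACL"):
        problems.append("no URL Redirect ACL applied")
    return problems


def check_guest_authorized(before: Dict[str, str], after: Dict[str, str],
                           dacl: str = "INTERNET_ONLY") -> List[str]:
    """Post-login: same session, re-authorized with the guest dACL, redirect gone."""
    problems = []
    if after.get("Common Session ID") != before.get("Common Session ID"):
        problems.append("Common Session ID changed; CoA hit a different session")
    if MAC_USER.match(after.get("User-Name", "")):
        problems.append("User-Name is still the MAC address; CWA did not re-authorize")
    if dacl not in after.get("ACS ACL", ""):
        problems.append(f"expected {dacl} dACL, got {after.get('ACS ACL')!r}")
    if "URL Redirect" in after:
        problems.append("URL redirect still applied after login")
    if after.get("Timeout action") != "Terminate":
        problems.append("Timeout action is not Terminate; session would outlive its time profile")
    return problems
```

Run check_redirect on the DATA session before the guest logs in and check_guest_authorized on the before/after pair afterwards; an empty list from each is the healthy state, and any message points at the troubleshooting item above that applies (a mismatched sessionId is the symptom behind the 86017 Session Cache error, a MAC still in User-Name means the CoA never reached the switch).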
Step 17 Verify that the dACL contents for INTERNET_ONLY on the switch match the ISE configuration;
ISE does not currently validate ACL syntax.
From terminal session with the access switch, enter the command show ip access-lists
interface gi0/1 to view the ACL entries currently deployed on the switchport connecting the IP
phone and PC. The output should look similar to the following:
Note the dACL entry applied for the IP Phone in VLAN 40 (network 10.1.40.0/24). Each
authorized session in a multi-auth configuration can have a unique set of ACL entries per the
specific Authorization Profiles assigned to that endpoint.
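Because ISE does not validate dACL text (Step 17) and a bad entry only surfaces as a failed authorization on the switch, it is worth checking the dACL from Step 4 before it is saved. The following Python is an added example written for this page, not code from the lab guide or from ISE: it parses the INTERNET_ONLY entries, flags malformed or shadowed entries, evaluates sample flows against the ordered list with the implicit deny, and renders the entries in the per-session form the switch installs (source any replaced by the authenticated host). Only the eq port operator and contiguous wildcards are modelled; source-port clauses are not; the port keyword table is a small subset chosen here, and the internal address 10.1.100.50 used in the usage note is a constructed stand-in for www-int.demo.local.

```python
"""Offline linter and first-match simulator for the INTERNET_ONLY dACL.
Added example, not from the lab guide; only the 'eq' port operator is modelled."""
import ipaddress
from collections import namedtuple
from typing import List, Optional

# dACL text exactly as entered in the INTERNET_ONLY authorization profile.
INTERNET_ONLY = """\
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
deny ip any 10.1.0.0 0.0.255.255
permit ip any any
"""
PROTOCOLS = ("ip", "tcp", "udp", "icmp")
NAMED_PORTS = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}  # subset of IOS keywords
ANY = ipaddress.IPv4Network("0.0.0.0/0")
Ace = namedtuple("Ace", "action proto src dst dport")


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + IOS wildcard)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Wildcard bits are the inverse of the netmask; a non-contiguous wildcard is
    # legal IOS but not modelled here, so IPv4Network raises NetmaskValueError.
    netmask = int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((tokens[i], str(ipaddress.IPv4Address(netmask))), strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional trailing 'eq <number|keyword>' clause."""
    if i < len(tokens) and tokens[i] == "eq":
        word = tokens[i + 1]
        return (int(word) if word.isdigit() else NAMED_PORTS[word]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    try:
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError("unknown action or protocol")
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        if i != len(tokens):
            raise ValueError(f"unexpected token {tokens[i]!r}")
    except (IndexError, KeyError, ValueError) as exc:
        raise ValueError(f"bad dACL entry {line!r}: {exc}") from None
    return Ace(action, proto, src, dst, dport)


def lint(text: str) -> List[str]:
    """Problems found in the dACL text; an empty list means it parses cleanly."""
    problems, aces = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ace = parse_ace(line)
        except ValueError as exc:
            problems.append(f"line {n}: {exc}")
            continue
        # Nothing after an unconditional 'ip any any' entry can ever match.
        if any(a.proto == "ip" and a.src == ANY and a.dst == ANY for a in aces):
            problems.append(f"line {n}: shadowed by an earlier 'ip any any' entry")
        aces.append(ace)
    return problems


def parse_dacl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst and a.dport in (None, dport):
            return a.action
    return "deny"


def _addr_text(net: ipaddress.IPv4Network) -> str:
    if net == ANY:
        return "any"
    return f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.hostmask}"


def as_installed(aces: List[Ace], host_ip: str) -> List[str]:
    """Entries as the switch applies them to one session: source 'any' becomes the
    authenticated host, the form 'show ip access-lists interface' displays."""
    lines = []
    for a in aces:
        parts = [a.action, a.proto, f"host {host_ip}" if a.src == ANY else _addr_text(a.src)]
        parts += [_addr_text(a.dst)] + (["eq", str(a.dport)] if a.dport is not None else [])
        lines.append(" ".join(parts))
    return lines
```

With acl = parse_dacl(INTERNET_ONLY), evaluate(acl, "tcp", "10.1.10.100", "10.1.100.21", 8443) returns permit (the portal), evaluate(acl, "tcp", "10.1.10.100", "10.1.100.50", 80) returns deny (an internal web server), and evaluate(acl, "icmp", "10.1.10.100", "10.1.100.50") returns permit, which makes the ICMP ordering caveat from Step 4 concrete. as_installed(acl, "10.1.10.100") gives the lines to compare against show ip access-lists interface gi0/1 in Step 17 (the switch shows port keywords such as domain where this prints the number).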
Step 18 Go to Monitor > Authentications and look for the entries related to your successful or failed
login to the network. The client PC entries can also be filtered by entering the last byte of the
MAC address in the Calling Station ID, or entering a portion of the Session ID in the Session ID
field. The diagrams below show filtered entries along with expanded views for visibility:
1) In the first authentication log (lower entry), the PC passes MAB authentication based on a
MAC address lookup in the Internal Endpoints database. The endpoint matches the Default
Authorization Policy rule and is assigned the Authorization Profile named Central_Web_Auth.
A URL Redirect to support CWA is applied to the access switch. From the client PC's
perspective, it is redirected to the web authentication portal upon initiating browser traffic
matching the local URL Redirect ACL.
2) The CENTRAL_WEB_AUTH dACL is successfully downloaded to the access switch.
3) Login through CWA triggers dynamic authorization, or Change of Authorization (CoA).
4) As a result of CWA, the guest user is successfully matched to the Authorization Policy rule
and Profile named Guest and the URL redirect is removed
5) The INTERNET_ONLY dACL is successfully downloaded to the access switch to permit
Internet only traffic.
By clicking the Details icon in the log entries, you can see additional details regarding the ID
store used and Identity Group, Authentication Method and policy selection, Authorization Policy
and Profile selected, and RADIUS attributes returned to the network access device (switch)
including dACLs, Session Timeout values, and URL redirects.
Validate that the correct profiles and policies are being properly matched per your configuration.
Step 19 Go to Monitor > Reports > Catalog and select User from the list of reports in the left-hand
pane. Run the following reports:
Guest Accounting
Guest Activity
Guest Sponsor Summary
a. Here is an example of the Guest Sponsor Summary report:
Each report contains links to allow you to drill-down for additional information on a
particular item in the report. As an example, clicking the link to the number entry under
the Sponsored Users column for employee1 generates a new report showing the details
of the five guest users created by employee1.
Clicking the Detail icon link within the report provides additional information on the
individual guest users.
c. Here is an example of the Guest Sponsor Detail report for a single guest entry:
Step 20 (OPTIONAL) Test guest user creation using the Self-Service feature.
Open a terminal session to the access switch and simulate a new client connection by
entering configuration mode (enable password = cisco123) and issuing a shut
command followed shortly by a no shut command on interface GigabitEthernet0/1.
e. From the Win7-PC client, wait ~15 seconds and then attempt to access a web site such
as www.cisco.com from the browser. The browser should again be redirected to the
Guest Portal login page.
f. Do not enter any credentials. Simply click the Self Service button. The Self-Service web
portal should display. Enter the following values in the form:
Attribute Value
First Name Self
Last Name Service1
Email Address [email protected]
Phone Number (optional)
Company Company ABC
Reason for Access (enter reason)
Additional Comments (enter optional comments)
Timezone America/Los_Angeles (second page)
Note that a Role and Time Profile are not configured by the end user. These values were
configured in the Portal Policy under Administration > Guest Management > Settings >
Guest and are automatically applied to the self-service guest account.
g. Click Submit. A page will display with the new self-service guest credentials as shown in
the example:
h. Click OK to be returned to the Guest Login page. Enter the new credentials into the page
and click Log In. Upon successful login, accept the AUP and you should now be able to
access the Internet per the Authorization Policy rule named Guest.
Lab Exercise 8: (OPTIONAL) Load a Custom
Guest Portal
Exercise Description
ISE includes a default guest portal for general use by employees and/or guest users. It may be
desirable to offer users customized portals for specific requirements such as location or type of
access, or to provide a custom AUP. This optional lab exercise covers the basic procedure for
loading a customized web portal. Details regarding actual web design or creation are beyond the
scope of this lab.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Create a new guest portal
Upload customized web pages into ISE and map them to standard portal page
descriptions
Enable guest portal features and understand the associated web pages required by those
features.
Test the interface of the newly uploaded guest portal.
Attribute                                              Value
Vlan Dhcp Release                                      [ ]
  Delay to Release                                     (default)
  Delay to Renew                                       (default)
  Delay to COA                                         (default)
Guest users should agree to an acceptable use policy   ( ) Not Used
                                                       (o) First Login and when AUP is changed
                                                       ( ) Every Login
Note: The custom portal in this exercise must be named CustomPortal (case-sensitive). This is the name used to
create the portal directory structure in the ISE web service and will be referenced by this name in the access
URL. Also, the custom web pages include reference to this pathname so it is critical that the portal name
matches exactly.
Note: Some files will not be specifically mapped but may be referenced by a mapped file, for example, logos and
page backgrounds image files. All files will be loaded into the same directory.
Step 5 Map uploaded web pages to ISE portal names. This step defines which function each of the
uploaded web pages will serve in the guest portal.
Click the File Mapping tab and select the filenames for each portal page function as shown in
the table.
Attribute Value
Login file login.html
AUP file aup.html
Change Password file cp.html
Self Registration file self.html
Self Registration Results file selfresult.html
Device Registration file device.html
Guest Success file coasuccess.html
Error Page file error.html
You can test actual logins, Change Password, Self-Service, and Device Registration functions
from this portal. Since the login is not associated with a Session ID or other RADIUS
authentication service, login from this portal will not result in any changes to network access.
To use the portal named CustomPortal in an Authorization Profile for CWA, use the following
syntax in the profile's URL Redirect definition:
https://ip:8443/guestportal/gateway?portal=CustomPortal&sessionId=SessionIdValue&action=cwa
To use the portal named CustomPortal for Local Web Authentication (LWA), use the following
syntax for the captive portal URL in the configuration of the access device:
https://<ISE_Policy_Service_Node>:8443/guestportal/portals/CustomPortal/portal.jsp
! End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
Lab Overview
This lab is designed to help attendees understand how to deploy Identity Services Engine (ISE)
Posture Services. ISE Posture Services provide assessment and policy enforcement for
endpoints including optional remediation and traffic control for Windows and MacOS clients. This
lab covers the configuration of Posture Services including Client Provisioning, Posture Policy
creation, and configuration of access policies based on endpoint assessment results. Attendees
will use a Windows client to validate assessment, remediation, and access policies. Lab
participants should be able to complete the lab within the allotted lab time of 3 hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 3: Define Authorization Policy for Client Provisioning and Posture
Compliance
Lab Exercise 4: Test and Monitor Client Provisioning Services for Web Agent
Lab Exercise 6: Configure an AV Posture Policy
Lab Exercise 8: Test Posture Assessment and Posture Policies using NAC Agent
Lab Exercise 9: Test Posture Assessment and Posture Policies using Web Agent
Connect to a POD:
Step 1 Launch the Remote Desktop application on your system.
Step 2 Enter the Admin PC address:port for your pod per the table:
Step 3 Log in as admin / cisco123 (Domain = DEMO)
Step 4 All lab configurations can be performed from the Admin client PC.
To access and manage other computers used in this lab, follow the instructions Connect to
ESX Server Virtual Machines.
To access the console of the ISE appliance and other lab infrastructure devices, follow the
instructions Connect to Lab Device Consoles.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Reference the above POD Access Information table to verify the IP Address/Name of the ESX
Server for your pod.
Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, go to Start and select from the Windows Start
Menu to open a terminal session using PuTTY.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of
the desired device in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Lab Topology
This is the topology used for this lab.
Internal IP Addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
VLAN Number  VLAN Name   IP Subnet      Description
100          DATACENTER  10.1.100.0/24  Network services (AAA, AD, DNS, DHCP, etc.)
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By
default, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE
VLAN 40.
Access To Account (username/password)
Pre-Lab Setup Instructions
During the initial delivery of the ISE Labs for the NPI training sessions, the GOLD labs will
operate in a manual fashion. Therefore, it may be necessary to manually perform a few tasks
prior to the start of each lab. The following instructions will prepare your pod for successful
execution of this lab guide.
Loading 3k-access-lab4-start.cfg !
[OK - 8275/4096 bytes]
b. Reload the switch. Do NOT save the current running configuration:
3k-access# reload
Lab # - Title ISE VMs
Note: Other virtual machines required for this lab such as AD and the Admin client will be started for you.
Note: The ping test may fail for VMs that have not yet completed the boot process.
Step 5 Enter the credentials admin / cisco123 when prompted to allow the AD operation, and then
click OK.
Step 6 After a few moments, a message should appear to indicate that the node has successfully left
the domain. Click OK.
Lab Exercise 1: Introduction to ISE Posture
Services and Configuration Workflow
Exercise Description
This exercise reviews the overall workflow for configuring ISE Posture Services including Client
Provisioning, Posture Policy, and Authorization Policy for posture compliant access.
Exercise Objective
In this exercise, your goal is to:
Step 2 Note that the Posture Services workflow is comprised of three main configuration sections:
Client Provisioning
Posture Subscription and Policy
Authorization Policy
The diagram depicts the logical grouping of configuration tasks under each section.
Note: The numbers in the diagram indicate the order in which you will complete the tasks in this lab. Although in
practice an administrator may choose to complete the Posture Policy section before configuring the
Authorization Policy, in this lab we will first validate Client Provisioning without any specific posture policies
configured before configuring and applying specific posture requirements. Also, since the download of
posture updates (pre-built checks and rules for assessment, including Windows and AV/AS) may take a
while, that step is moved to the beginning of the lab to ensure the required files are present at the start
of the Posture Policy lab exercise.
Agent and Guest users to download the Web Agent. Note: Employees will be authenticated
using 802.1X; Guest users will be authenticated using Central Web Authentication (CWA).
Before configuring posture assessment policies and requirements, we will update the
Authorization policy to apply Authorization Profiles to Employees and Guests that are flagged
not compliant. The Authorization Profile will use a new dACL that we create to limit access to
posture and remediation resources. Employees and Guest users flagged compliant will be
allowed regular network access. Once configured, we can test client provisioning services.
Since no Posture Policy has been configured, these users should be allowed access once the
agent successfully loads and sends its report to ISE.
Once Client Provisioning services have been verified, posture requirements will be configured to
check for Antivirus being installed and signatures up to date. Another requirement will be
configured based on registry checks to verify the client has a screen saver enabled and is set to
require a password to access a desktop once activated.
Testing will be conducted using both NAC Agents for Employees and Web Agents for Guest
Users.
Lab Exercise 2: Configure and Deploy Client
Provisioning Services
Exercise Description
Client Provisioning allows ISE administrators to centrally configure and deploy client software to
network users such as posture agents and configuration files. This lab exercise covers how to
download client software from Cisco to the ISE appliance and how to configure policies to
automatically deploy the NAC Agent and Web Agent. Creation and deployment of a NAC Agent
profile is also addressed in this exercise.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Complete general system settings to support Client Provisioning and Posture Services
Download AV/AS support files for use in posture assessment and policies
Lab Exercise Steps
Step 1 Access the admin interface of the ISE Administrative node.
Go to the Admin client PC and launch the Mozilla Firefox web browser. Enter the following URL
in the address field:
https://ise-1.demo.local
Step 2 Login with username admin and password default1A
(Accept/Confirm any browser certificate warnings if present)
The ISE Home Dashboard page should display. Navigate the interface using the multi-level
menus.
Step 3 Verify the ISE proxy configuration for software downloads.
Navigate to Administration > System > Settings and select Proxy from the left-hand pane.
For Reference Only: This page defines the web proxy configuration if required for the ISE
Administrative node to download software from the Internet (Cisco).
This lab does not require a proxy for ISE updates. Leave the proxy settings blank.
Step 4 Download pre-built posture checks for AV/AS and Microsoft Windows.
a. Click the icon to the left of Posture in the left-hand pane to expand the contents of the
Posture settings, and then click Updates. The Update Information in the bottom right-hand
pane should be empty since no updates have been downloaded yet.
b. Configure the following values:
Attribute                          Value
Web                                (o)
Update Feed URL:                   http://www.perfigo.com/ise/posture-update.xml
Proxy Address:                     -
Proxy Port:                        -
Automatically check for updates    [ ] starting from initial delay every 2 hours
Note: You may continue with the lab exercise at this time. Please return to this page in approximately fifteen
minutes to verify that the Update Information has been populated with date/time of Last Update and version
info for Cisco conditions and AV/AS support.
b. Check (enable) the checkbox Automatically Close Login Success Screen After and
set the time to 2 seconds, per the following:
Attribute                                         Value
Remediation Timer                                 4 (Minutes)
Network Transition Delay                          3 (Seconds)
Default Posture Status                            Compliant
Automatically Close Login Success Screen After    [x] 2 (Seconds)
c. Click Save.
Note: Values assigned through the agent profile will override these global settings.
Note: The AUP for web-authenticated users is set under Administration > Guest Management > Settings >
Guest > Multi-Portal Configurations > (Portal Name).
Step 7 Set the location and policy for downloading Client Provisioning updates.
Click Client Provisioning from the left-hand pane and verify the following default values are
set:
Attribute Value
Enable Provisioning Enable
Enable Automatic Download Disable
Update Feed URL http://www.perfigo.com/ise/provisioning-update.xml
e. At a minimum, select the current NAC Agent, Web Agent and Compliance Module
(AV/AS support module) from the list and click Save.
f. Wait until the files are downloaded to the ISE appliance.
Attribute                                                             Value              Mode
Discovery host (DiscoveryHost)                                        ise-1.demo.local   overwrite
Discovery host editable? (DiscoveryHostEditable)                      Yes                overwrite
Server name rules (ServerNameRules)                                                      overwrite
Generated MAC (GeneratedMAC)                                                             merge
Language info (Locale)                                                Default            merge
Posture report filter (PostureReportFilter)                           displayFailed      merge
Log file size in MB (LogFileSize)                                     5                  merge
Detect retries (RetryDetection): Min=0                                3                  merge
Ping ARP (PingArp): (0-2)                                             2                  merge
Max timeout for ping - in secs (PingMaxTimeout): (1-10)               1                  merge
Swiss timeout - in secs (SwissTimeout): Min=1                         1                  merge
Disable L3 Swiss delay? (DisableL3SwissDelay)                         No                 merge
Http discovery timeout - in secs (HttpDiscoveryTimeout): Min=0        30                 merge
Http timeout - in secs (HttpTimeout): Min=0                           120                merge
Remediation timer - in mins (RemediationTimer): Min=1                 4                  overwrite
Network Transition Delay - in secs (NetworkTransitionDelay): (2-30)   3                  overwrite
Enable auto close login screen? (EnableAutoClose)                     Yes                overwrite
Auto close login screen after - in secs (AutoCloseTimer): Min=0       2                  overwrite
Enable MAC agent iprefresh after vlan change? (EnableAgentIpRefresh)  No                 overwrite
Dhcp Renew Delay (DhcpRenewDelay): (0-60)                             12                 overwrite
Dhcp Release Delay (DhcpReleaseDelay): (0-60)                         1                  overwrite
Note: The merge option updates an agent profile parameter only if no value is already defined for it; it
will not change a parameter that already has a value. The overwrite option updates a parameter whether
or not a value is already explicitly defined.
Step 10 Define Client Provisioning Policy for AD Employees and Guest users.
Go to Policy > Client Provisioning. Add two new Client Provisioning rules per the following
table values, and then click Save:
Note: Click to the right of any rule entry to insert or duplicate entries.
Note: If multiple versions of the same file type (NAC Agent/Web Agent/Compliance module) were downloaded to the
Client Provisioning repository, select the most current version available.
Step 11 Configure web authentication portal to download posture agent per Client Provisioning Policy.
a. Navigate to Administration > Guest Management > Settings and click the icon to left
of Guest (or double-click Guest) to expand its contents.
b. Select Multi-Portal Configurations from the left-hand pane and then select
DefaultGuestPortal.
c. Under the General tab, enable the option to allow guest users to download agents.
Attribute Value
Guest users should download the posture client [ ]
d. Optionally set the Acceptable Use Policy for guest users as shown below:
Attribute                                                 Value
Guest users should agree to an acceptable use policy      ( ) Not Used
                                                          (o) First Login and when AUP is changed
                                                          ( ) EveryLogin
e. Click Save when finished.
Lab Exercise 3: Define Authorization Policy for
Client Provisioning and Posture Compliance
Exercise Description
The Authorization Policy sets the types of access and services to be granted to endpoints based
on their attributes such as identity, access method, and compliance with posture policies. This
exercise includes modifications to an existing Authorization Policy to ensure that endpoints that
are not posture compliant are quarantined (granted limited access sufficient to provision agent
software and to remediate failed requirements), and that only posture compliant endpoints are
granted privileged network access.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Define a Downloadable ACL (dACL) that restricts network access for endpoints whose
compliance state is either Unknown or NonCompliant.
Define a new URL Redirect ACL on the access switch to ensure that general http/https
traffic is redirected to the ISE Policy Service node while allowing access to remediation
servers.
Define new Authorization Profiles for 802.1X and web-authenticated users that apply the
quarantine dACL and Redirect ACL to redirect endpoints to provisioning and posture
services.
Add new rules to the Authorization Policy that leverage the new Authorization Profiles to
quarantine, assess posture, and remediate endpoints that are not posture compliant.
Update existing Authorization Policy rules such that privileged network access is based
on posture compliance.
The diagram highlights the key tasks covered in this exercise including Authorization Profiles,
their component dACLs, and Authorization Policy:
Lab Exercise Steps
Step 1 Access the admin interface of the ISE Administrative node.
a. Go to the Admin client PC and launch the Mozilla Firefox web browser. Enter the
following URL in the address field:
https://ise-1.demo.local
b. Login with username admin and password default1A
(Accept/Confirm any browser certificate warnings if present)
The ISE Home Dashboard page should display. Navigate the interface using the multi-
level menus.
Step 2 Define a dACL that restricts network access for endpoints that are not posture compliant.
a. Go to Policy > Policy Elements > Results and click the icon to the left of Authorization (or
double-click Authorization) to expand its contents.
b. Select Downloadable ACLs from the left-hand pane.
c. Click Add from the right-hand pane under DACL Management and enter the following
values for the new dACL.
Attribute      Value
Name           POSTURE_REMEDIATION
Description    Permit access to posture and remediation services and deny all other access.
               Permit general http and https for redirection only.
DACL Content   permit udp any any eq domain
               permit icmp any any
               permit tcp any host 10.1.100.21 eq 8443
               permit tcp any any eq 80
               permit tcp any any eq 443
               permit tcp any host 10.1.100.21 eq 8905
               permit udp any host 10.1.100.21 eq 8905
               permit udp any host 10.1.100.21 eq 8906
               permit tcp any host 10.1.252.21 eq 80
Note: There is currently NO ACL syntax checking for DACL contents so it is imperative that entries be carefully
reviewed for errors prior to submitting.
Note: The final access list entry in the POSTURE_REMEDIATION dACL is technically not required since http is
already permitted for any destination in a previous entry. Its inclusion here is simply to emphasize the need
to make sure that access is allowed to remediation servers. It also highlights the need to include an entry in
the URL Redirect ACL to explicitly deny redirection of traffic destined to remediation servers.
a. From the Admin client PC, use the desktop shortcut for the PuTTY SSH client to
launch a terminal session to the 3k-access switch (10.1.250.2) using the credentials
admin / cisco123 (enabled password cisco123).
b. Enter configuration mode and add the following IP access list named
ACL-POSTURE-REDIRECT if not already present:
3k-access# conf t
3k-access(config)# ip access-list extended ACL-POSTURE-REDIRECT
3k-access(config-ext-nacl)# deny udp any any eq domain
3k-access(config-ext-nacl)# deny udp any host 10.1.100.21 eq 8905
3k-access(config-ext-nacl)# deny udp any host 10.1.100.21 eq 8906
3k-access(config-ext-nacl)# deny tcp any host 10.1.100.21 eq 8443
3k-access(config-ext-nacl)# deny tcp any host 10.1.100.21 eq 8905
3k-access(config-ext-nacl)# deny tcp any host 10.1.252.21 eq www
3k-access(config-ext-nacl)# permit ip any any
3k-access(config-ext-nacl)# end
3k-access# wr mem
This ACL will be called by the Authorization Profile and work in conjunction with the
accompanying dACL applied to the switchport interface.
In the example URL Redirect ACL above, packets matching a deny entry are exempt from
redirection and pass through normally. These entries cover traffic destined directly to the ISE
Policy Service node for Central Web Auth and Client Provisioning services, NAC Agent
discovery, and posture assessment, as well as traffic destined to the remediation servers.
Traffic matched by the final permit ip any any entry is subject to redirection.
c. Enter the following command at the access switch exec shell prompt to verify the
contents of the new ACL:
3k-access# show ip access-lists
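Because ISE performs no syntax checking on dACL contents (see the note above) and the switch redirect ACL must carry a deny for every posture or remediation destination the dACL permits, it is worth checking both lists offline before submitting them. The following Python script is an added example, not code from the lab guide or from Cisco: it embeds copies of the two lists from this exercise as constructed text, parses each entry (the grammar it accepts is the subset of IOS extended-ACL syntax used in this lab, an assumption), rejects malformed lines with the line number, and lists any host-specific dACL permit that has no matching deny in ACL-POSTURE-REDIRECT.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the two lists from this exercise: the dACL that ISE pushes
# to the port, and the redirect ACL configured on the 3k-access switch.
DACL_POSTURE_REMEDIATION = """\
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8906
permit tcp any host 10.1.252.21 eq 80
"""

ACL_POSTURE_REDIRECT = """\
deny udp any any eq domain
deny udp any host 10.1.100.21 eq 8905
deny udp any host 10.1.100.21 eq 8906
deny tcp any host 10.1.100.21 eq 8443
deny tcp any host 10.1.100.21 eq 8905
deny tcp any host 10.1.252.21 eq www
permit ip any any
"""

# IOS accepts keywords in place of port numbers; normalise them so that
# "eq www" on the switch compares equal to "eq 80" in the dACL.
PORT_KEYWORDS = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}

# Assumption: only the subset of extended-ACL syntax used in this lab is accepted
# (permit/deny, ip/tcp/udp/icmp, "any" or "host <addr>", optional "eq <port>").
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    dst: str             # "any" or the destination host address
    port: Optional[int]  # None when the entry has no "eq" clause


def _host(token: str) -> str:
    """Return "any" or the validated address from an "any" / "host <addr>" token."""
    if token == "any":
        return "any"
    addr = token.split()[1]
    ipaddress.ip_address(addr)  # raises ValueError on a mistyped address
    return addr


def parse_acl(text: str) -> List[Ace]:
    """Parse one entry per line; raise ValueError naming the first bad line."""
    aces: List[Ace] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        port_text = m.group("port")
        port: Optional[int] = None
        if port_text is not None:
            if m.group("proto") not in ("tcp", "udp"):
                raise ValueError(f"line {lineno}: 'eq' is only valid for tcp/udp")
            port = int(port_text) if port_text.isdigit() else PORT_KEYWORDS.get(port_text)
            if port is None:
                raise ValueError(f"line {lineno}: unknown port keyword {port_text!r}")
        try:
            _host(m.group("src"))
            dst = _host(m.group("dst"))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        aces.append(Ace(m.group("action"), m.group("proto"), dst, port))
    return aces


def acl_error(text: str) -> Optional[str]:
    """None when every line parses, otherwise the first error message."""
    try:
        parse_acl(text)
    except ValueError as exc:
        return str(exc)
    return None


def missing_redirect_denies(dacl: List[Ace], redirect: List[Ace]) -> List[Ace]:
    """Host-specific tcp/udp permits in the dACL with no matching deny in the
    redirect ACL. Such traffic passes the port ACL but is still hijacked by the
    URL redirect, the remediation-server failure the notes above warn about."""
    denied = {(a.proto, a.dst, a.port) for a in redirect if a.action == "deny"}
    return [a for a in dacl
            if a.action == "permit" and a.dst != "any" and a.proto in ("tcp", "udp")
            and (a.proto, a.dst, a.port) not in denied]


if __name__ == "__main__":
    for name, text in (("dACL", DACL_POSTURE_REMEDIATION), ("redirect ACL", ACL_POSTURE_REDIRECT)):
        print(f"{name}: {acl_error(text) or 'all entries parse'}")
    gaps = missing_redirect_denies(parse_acl(DACL_POSTURE_REMEDIATION), parse_acl(ACL_POSTURE_REDIRECT))
    print("dACL permits lacking a redirect deny:", gaps or "none")
```

With the two lists as given in this exercise the check reports no gaps; deleting the deny for the remediation server 10.1.252.21 from the redirect ACL makes the script flag the corresponding dACL permit, which is the situation the second note above describes.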
Step 4 Define a new Authorization Profile for 802.1X-authenticated/NAC Agent users named
Posture_Remediation that leverages both the new dACL for port access control and the URL
Redirect ACL for traffic redirection.
a. Return to the ISE admin interface from the Admin client PC.
b. Click Authorization Profiles from the left-hand pane under Policy > Policy Elements >
Results > Authorization.
c. Click Add from the right-hand pane and enter the values for the Authorization Profile as
shown below.
Attribute           Value
Name                Posture_Remediation
Description         Permit access to posture and remediation services; redirect traffic to client
                    provisioning and posture services.
Access Type         ACCESS_ACCEPT
DACL Name           [ ] POSTURE_REMEDIATION
Posture Discovery   [ ] ACL-POSTURE-REDIRECT
d. The resultant Attribute Details should appear at the bottom of the page as the following:
Step 5 Define a new Authorization Profile for web-authenticated/Web Agent users named
CWA_Posture_Remediation that leverages both the new dACL for port access control and the
URL Redirect ACL for traffic redirection.
a. Click Authorization Profiles from the left-hand pane under Policy > Policy Elements >
Results > Authorization.
b. Click Add from the right-hand pane and enter the values for the Authorization Profile as
shown below.
Attribute                        Value
Name                             CWA_Posture_Remediation
Description                      Permit access to posture and remediation services; redirect traffic to
                                 central web auth services.
Access Type                      ACCESS_ACCEPT
DACL Name                        [ ] POSTURE_REMEDIATION
Centralized Web Authentication   [ ] ACL-POSTURE-REDIRECT
c. The resultant Attribute Details should appear at the bottom of the page as the following:
Note: The difference between the two profiles is the URL Redirect cisco-av-pair attribute. Users that need to be
authenticated using CWA will be initially redirected to the guest portal for web authentication (cwa) and then
automatically redirected to the Client Provisioning Portal (cpp) as needed. Users authenticated through
802.1X will be redirected directly to the Client Provisioning Portal.
Status   Rule Name                  Identity Groups   Other Conditions                                   Permissions
         Profiled Cisco IP Phones   Cisco-IP-Phone    -                                                  Cisco_IP_Phones
         Domain_Computer            Any               demo.local:ExternalGroups EQUALS                   AD_Login
                                                      demo.local/Users/Domain Computers
         Employee                   Any               demo.local:ExternalGroups EQUALS                   Employee
                                                      demo.local/Users/employees
                                                      AND Session:PostureStatus EQUALS Compliant
         Employee_PreCompliant      Any               demo.local:ExternalGroups EQUALS                   Posture_Remediation
                                                      demo.local/Users/employees
                                                      AND Session:PostureStatus NOT EQUALS Compliant
         Contractor                 Contractor        Session:PostureStatus EQUALS Compliant             Guest
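The rule table above is evaluated top to bottom with the first matching rule applied, so the order of the Employee and Employee_PreCompliant rules and the presence of a default rule decide what a session gets. The following Python model is an added example, not code from the lab guide or from ISE: it encodes the five rules from the table as predicates over a session's identity group, AD groups and Session:PostureStatus, and falls through to the default rule named in Exercise 5 (Authorization Profile = CWA_Posture_Remediation). The Session and Rule classes and the attribute layout are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Group names as written in the lab table's Other Conditions column.
EMPLOYEES = "demo.local/Users/employees"
DOMAIN_COMPUTERS = "demo.local/Users/Domain Computers"
COMPLIANT = "Compliant"


@dataclass
class Session:
    """The attributes of one endpoint session that the rules below consult (assumed layout)."""
    identity_group: Optional[str] = None                     # e.g. "Cisco-IP-Phone", "Contractor"
    external_groups: Set[str] = field(default_factory=set)   # AD groups resolved for the user/machine
    posture_status: str = "Unknown"                          # Unknown, NonCompliant or Compliant


@dataclass
class Rule:
    name: str
    identity_group: Optional[str]         # None stands for "Any" in the lab table
    condition: Callable[[Session], bool]  # the "Other Conditions" column
    permission: str                       # Authorization Profile applied on a match


POLICY: List[Rule] = [
    Rule("Profiled Cisco IP Phones", "Cisco-IP-Phone", lambda s: True, "Cisco_IP_Phones"),
    Rule("Domain_Computer", None,
         lambda s: DOMAIN_COMPUTERS in s.external_groups, "AD_Login"),
    Rule("Employee", None,
         lambda s: EMPLOYEES in s.external_groups and s.posture_status == COMPLIANT,
         "Employee"),
    Rule("Employee_PreCompliant", None,
         lambda s: EMPLOYEES in s.external_groups and s.posture_status != COMPLIANT,
         "Posture_Remediation"),
    Rule("Contractor", "Contractor",
         lambda s: s.posture_status == COMPLIANT, "Guest"),
]

# Default rule as described in Exercise 5 of this guide: applied when nothing above matches.
DEFAULT: Tuple[str, str] = ("Default", "CWA_Posture_Remediation")


def authorize(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """First-match evaluation, top to bottom: returns (rule name, Authorization Profile)."""
    for rule in policy:
        if rule.identity_group is not None and session.identity_group != rule.identity_group:
            continue  # Identity Groups column did not match
        if rule.condition(session):
            return rule.name, rule.permission
    return DEFAULT


if __name__ == "__main__":
    for label, s in [
        ("machine auth", Session(external_groups={DOMAIN_COMPUTERS})),
        ("employee, posture unknown", Session(external_groups={EMPLOYEES})),
        ("employee, compliant", Session(external_groups={EMPLOYEES}, posture_status=COMPLIANT)),
        ("contractor, non-compliant", Session(identity_group="Contractor",
                                              posture_status="NonCompliant")),
    ]:
        print(f"{label:28} -> {authorize(s)}")
```

Note the last case: a Contractor whose posture is NonCompliant matches no explicit rule (the Contractor rule only grants Guest on Compliant) and lands on the default, so the default rule's profile is what quarantines web-authenticated users until they pass posture.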
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 4: Test and Monitor Client
Provisioning Services for Web Agent
Exercise Description
This exercise validates the Client Provisioning and Authorization Policy configuration completed
in the previous lab exercises. Since no Posture Policy has been configured, all users should be
posture compliant. The Web Agent will be tested and monitored in detail in this exercise. In
addition to Web Agent provisioning, this exercise will also validate agent policies such as AUP
and auto-closure of login success screens.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Login to the secured lab network from a Windows 7 PC client as a Guest user via Central
Web-based Authentication (CWA) and verify Web Agent provisioning.
Review ISE and switch logs to validate proper operation and application of the
Authorization Policy.
Step 2 Establish a terminal session with the access switch (10.1.250.2) and simulate a new network
connection from the Win7 Client PC connected behind a Cisco IP phone on port
GigabitEthernet0/1.
a. From the Admin client PC, use the desktop shortcut for the PuTTY SSH client to
launch a terminal session to the 3k-access switch (10.1.250.2) using the credentials
admin / cisco123. If not already in privileged mode, enter enable mode using password
cisco123.
b. To view log messages from the terminal session, enter the terminal monitor command
at the switch exec prompt:
Note: Use the command terminal no monitor if you need to disable the monitoring of terminal logging
without exiting the session.
c. Enter configuration mode for interface GigabitEthernet 0/1 and enter shut followed
shortly by a no shut command:
3k-access> en
Password: cisco123
3k-access# conf t
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)# int gi0/1
3k-access(config-if)# shut
3k-access(config-if)# no shut
3k-access(config-if)# end
3k-access#
d. If logging to terminal is enabled, a series of log messages should appear on the screen
during port shutdown and re-activation. Enter CTRL+Z or end to exit configuration mode.
Step 3 After issuing the no shut command, use the following exec command to view the current
authorization status of interface GigabitEthernet 0/1:
Note: You can also issue exec-level commands from within configuration mode using the do command.
Example:
After approximately 10-15 seconds, the output should appear similar to the following:
Note: For this exercise, disregard the authorization status info for the IP phone on VLAN 40 and IP address
10.1.40.x (Domain = VOICE).
In the above output, note that the dACL (ACS ACL) = POSTURE-REMEDIATION has been
pushed to the interface along with a named URL Redirect ACL = ACL-POSTURE-REDIRECT
that defines the traffic to be redirected to the link specified by URL Redirect. The redirect URL
must include the domain name of the ISE Policy Service node, a reference to port 8443, the
current session ID, and the action cwa (CWA portal). If any of these items is missing, web
authentication will fail.
Step 4 Display the current dACL applied to the interface using the command show ip access-lists
interface GigabitEthernet 0/1. The output should appear similar to the following:
The following provides descriptions for the individual dACL entries applied to the interface (Host
10.1.40.x is the Cisco IP phone and this entry does not apply to the Win7 client with an address
in the 10.1.10.0/24 subnet in VLAN 10):
a. From the Win7 client, launch a web browser. The page should be redirected to the URL
specified in the URL Redirect output and display the ISE web authentication portal.
b. Click the Self Service button from the login portal and enter the following values into the
form, and then click Submit:
Attribute         Value
First Name        Guest
Last Name         User
Email Address     [email protected]
Phone Number      (optional)
Company           Company ABC
Optional Data 1   Web Agent test
Optional Data 2   (enter optional comments)
Timezone          UTC
Username: _________________________
Password: __________________________
To facilitate login, select and copy the password entry, making sure not to include any
extra characters. Click the OK button.
d. The web authentication login page again displays. Enter your new Username/Password
credentials and click the Log In button.
e. If an AUP was enabled for web authentication, check the box to Accept terms and
conditions and then click Accept.
f. The Agent download page should appear. Click the button Click to install agent.
g. The ISE certificate is self-signed and has not been installed on the client PC. Click Yes if
prompted with any browser certificate warnings. Also, applets may be required to
facilitate download of the Web Agent. Click Yes (or Install) if prompted to install applets
as part of Web Agent download and install process.
h. The Cisco NAC Web Agent window should appear and indicate that posture assessment
is being performed. Since no posture policy has been configured yet, the client will pass
assessment and the agent will indicate Host is compliant with network security policy as
shown below:
i. Click Continue. A successful login notice will appear. Since we have previously enabled
the global setting to Automatically close login success screen after with a value of 2
seconds, the window should automatically close.
j. The original browser window should display a message at the bottom of page Cisco
Agent finished checking your system.
Reattempt access to the browser's home page via the home icon, or else manually enter
the address www.cisco.com in the address field. The external website should now be
displayed.
Step 6 Verify the session status on the switchport for Guest authorization.
b. Repeat the show authentication sessions and the show ip access-lists output for
interface GigabitEthernet0/1. The output should appear similar to that shown below:
c. Note that URL redirection is no longer applied and that the dACL (ACS ACL) named
INTERNET_ONLY is applied to the interface.
d. For reference, the following table provides descriptions for the dACL entries:
Step 7 Verify the authentication/authorization phases of the Central Web Auth and Client Provisioning
session from the ISE admin interface.
a. From the Admin client PC, access the admin interface of the ISE Administrative node
(admin / default1A).
b. Go to Monitor > Authentications. View the recent entries associated with the web
authentication session by MAC Address, IP address, interface, or Session ID. It may help to
filter the log entries by entering a couple of bytes of the Session ID or MAC address
(Calling Station ID) into the appropriate column header and pressing Enter. Click the circled
x in the field to clear the filter.
c. Referring to the example authentication log below (split across two screens), you should
see entries similar to the following that match the output received from the switch:
Lab Exercise 5: Test and Monitor Client
Provisioning Services for NAC Agent
Exercise Description
This exercise validates the Client Provisioning and Authorization Policy configuration completed
in the previous lab exercises. Since no Posture Policy has been configured, all users should be
posture compliant. The NAC Agent will be tested and monitored in detail in this exercise. In
addition to NAC Agent provisioning, this exercise will also validate agent policies such as AUP,
auto-closure of login success screens, and agent profile configuration.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Login to the secured lab network from a Windows 7 PC client as an Employee via 802.1X
machine authentication and user authentication and verify NAC Agent provisioning.
Review ISE and switch logs to validate proper operation and application of the
Authorization Policy.
Step 2 Log into the Windows 7 PC client as DEMO\employee1 / cisco123, where DEMO is the
Windows domain name.
Step 3 Configure the Win7-PC client for 802.1X authentication to simulate an Employee:
ii. Open the Network Connections shortcut from the Lab Tools window.
iii. Right-click on the entry for the Local Area Connection and select Properties. If
prompted by Windows 7 User Account Control (UAC), enter the Domain
Administrator credentials admin / cisco123.
iv. Select the Authentication tab at the top of the Properties window.
v. Verify that 802.1X authentication is enabled (checked) for Enable IEEE802.1X
authentication as shown below:
vi. Verify that authentication method is set to Microsoft: Protected EAP (PEAP)
and then click Settings to open the PEAP Properties page.
vii. Under Select Authentication Method:, click Configure and verify that the EAP
MSCHAPv2 Properties are set to enable Automatically use my Windows login
name and password (and domain if any) as shown:
viii. Click OK twice to close the PEAP Properties page and then click Additional
Settings:
ix. Verify that the Specify authentication mode setting is enabled (checked) and set
to User or computer authentication as shown:
x. Click OK twice to save changes and exit the LAN Properties page.
xi. Exit any open windows and restart the PC by going to Start (Start menu) and
selecting Restart:
Warning: Do NOT select Shutdown or Sleep. If the PC is shut down or powered off, any changes made to the client
will be lost on restart and you will need to redo the changes from the start of this lab exercise.
Step 4 Verify the authorization status on the switchport before Windows login (802.1X Machine
authentication):
Wait until the Win7-PC client has restarted and returned to the CTRL+ALT+DEL screen, then
return to the terminal session of the access switch. Run the show authentication sessions
and the show ip access-lists commands for interface GigabitEthernet0/1.
Upon detection of the PC connection, the switchport will first attempt MAB authentication due to
the switchport configuration (authentication order mab dot1x). MAB authentication may
even complete, with the default Authorization Policy rule (Authorization Profile =
CWA_Posture_Remediation) being applied to the interface as shown in the example below:
Method State
mab Not run
dot1x Authc Success
Note: Due to actual timing, it is possible that 802.1X authentication may initiate prior to the completion of MAB
processing. Therefore, the above output may not be seen.
Since 802.1X authentication has been given higher priority as per the switchport configuration
(authentication priority dot1x mab), a new authentication will be triggered on the port
once the Win7 supplicant initiates an EAPOL-Start message for 802.1X machine authentication.
After successful 802.1X machine authentication, the Authorization Policy should match the
Domain_Computer rule (Authorization Profile = AD_Login). The output should appear similar to
that shown below:
Step 5 Verify the session status of the switchport authorization after Windows login (802.1X User
authentication):
From the Win7-PC client, login to Windows domain as user DEMO\employee1 / cisco123.
Repeat the show authentication sessions and the show ip access-lists output for interface
GigabitEthernet0/1. After successful 802.1X user authentication, the Authorization Policy
should match the Employee_NonCompliant rule (Authorization Profile = Posture_Remediation).
The output should appear similar to that shown below:
Method State
mab Not run
dot1x Authc Success
A named URL Redirect ACL = ACL-POSTURE-REDIRECT has also been applied that defines
the traffic to be redirected to the link specified by URL Redirect. The redirect URL must include
the domain name of the ISE Policy Service node, reference to port 8443, the current session ID,
and reference action to cpp (Client Provisioning Portal). If any of these items are missing, then
web authentication will fail.
Note: The authorization dACL named POSTURE_REMEDIATION is the same one applied during the Web Agent
lab exercise for users in a non-compliant posture state. Please refer to the previous lab exercise for
reference on individual dACL entries.
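Both this step and Step 3 of the Web Agent exercise list the same four mandatory elements of the redirect URL (the PSN domain name, port 8443, the session ID, and the action cwa or cpp), and a URL missing any of them fails silently from the user's point of view. The following Python check is an added example, not code from the lab guide or from ISE: it parses a redirect URL as printed in the show authentication sessions output and returns every missing or mismatched element. The sample URL and session ID are constructed; the query parameter names sessionId and action are modelled on the ISE 1.x guest portal gateway URL and are an assumption, as is the /guestportal/gateway path.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

PSN_FQDN = "ise-1.demo.local"   # Policy Service node used throughout the lab
PORTAL_PORT = 8443              # port the lab says the redirect must reference

# Constructed sample; parameter names and path are assumptions (see lead-in).
SAMPLE_SESSION_ID = "0A01FA020000001A00B4C7D2"
SAMPLE_CWA_URL = (f"https://{PSN_FQDN}:{PORTAL_PORT}/guestportal/gateway"
                  f"?sessionId={SAMPLE_SESSION_ID}&action=cwa")


def check_redirect_url(url: str, expected_action: str,
                       switch_session_id: Optional[str] = None) -> List[str]:
    """Return the reasons this URL Redirect would break web authentication or
    agent provisioning; an empty list means every mandatory element is present.
    expected_action is "cwa" for the CWA profile and "cpp" for the 802.1X profile."""
    problems: List[str] = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    if parts.hostname != PSN_FQDN:
        # A bare IP address here also fails: the guide requires the PSN domain name.
        problems.append(f"host {parts.hostname!r} is not the PSN FQDN {PSN_FQDN!r}")
    if parts.port != PORTAL_PORT:
        problems.append(f"port {parts.port!r} is not {PORTAL_PORT}")
    query = parse_qs(parts.query)
    session_id = query.get("sessionId", [""])[0]
    if not session_id:
        problems.append("no sessionId parameter")
    elif switch_session_id is not None and session_id != switch_session_id:
        # The ID in the URL must be the one shown for this port's session on the switch.
        problems.append("sessionId does not match the session on the switchport")
    action = query.get("action", [""])[0]
    if action != expected_action:
        problems.append(f"action {action!r}, expected {expected_action!r}")
    return problems


if __name__ == "__main__":
    print("CWA URL:", check_redirect_url(SAMPLE_CWA_URL, "cwa", SAMPLE_SESSION_ID) or "ok")
    print("same URL under the 802.1X profile:", check_redirect_url(SAMPLE_CWA_URL, "cpp"))
```

Pass the session ID copied from the switch output as the third argument so that a stale URL from an earlier session is reported as well.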
a. Launch a web browser. Immediate redirection to the agent provisioning page (CPP)
should occur as shown:
b. Click the Click to install agent button to begin NAC Agent installation.
c. Accept any prompts regarding permissions to install software.
d. Follow the NAC Agent installation prompts and accept the license agreement and default
values to complete the provisioning process. If prompted by Windows UAC, enter
credentials admin / cisco123.
Note: Admin privileges are required to install NAC Agent for the first time. Once installed, upgrades can occur
without escalated privileges. NAC Agents can also be distributed using an MSI installer package.
e. A message should appear in the original window indicating Cisco Agent was successfully
installed! Close this window.
f. The Acceptable Use Policy page should display indicating Temporary Network Access.
The AUP was configured in a previous lab step to display for any NAC Agent user and to
point to a URL on an internal web server. Click the link Network Usage Policy Terms
and Conditions to see the hosted AUP:
g. A new web page will open to display the AUP. Close this window when ready to
proceed.
h. Click Accept to agree to the AUP. The login success screen should display indicating
Full Network Access and automatically close after 2 seconds per the NAC Agent profile
configuration named ProfileWindows.
i. The client should now have full network access. To validate, open a web browser and
verify that access to www.cisco.com is allowed.
Step 7 Verify the session status of the switchport authorization for a compliant Employee.
a. Repeat the show authentication sessions and the show ip access-lists output for
interface GigabitEthernet0/1. The Authorization Policy should match the Employee rule
(Authorization Profile = Employee) and output should appear similar to that shown below:
Step 8 Verify the authentication/authorization phases of the 802.1X Auth and Client Provisioning
session from the ISE admin interface.
a. Go to Monitor > Authentications. View the recent entries associated with the Employee
session by MAC Address, IP address, Interface, or Session ID. It may help to filter the
log entries by entering a couple of bytes of the Session ID or MAC address (Calling Station
ID) into the appropriate column header and pressing Enter. Click the circled x in the field to
clear the filter.
b. Referring to the example authentication log below (split across two screens), you should
see entries similar to the following that match the output received from the switch, where
1 is the lowest, or first, entry:
a. From the Win7-PC client, the NAC Agent tray icon should now be present in the Windows
task tray. Right-click the icon and select About to view NAC Agent and Compliance
Module software versions:
b. Click OK to close the window.
c. Right-click the task tray icon again and select Properties to view current Discovery Host
setting and detected AV/AS software as per the following:
d. Click OK to close the window.
Note: By default, the NAC Agent program files are installed under <Root_Drive>:\Program Files\Cisco\Cisco NAC
Agent. The agent XML-based profiles and configuration files are also located in this directory. By default,
the log and report files are stored under <Root_Drive>:\ProgramData\Cisco\Cisco NAC Agent.
Lab Exercise 6: Configure an AV Posture Policy
Exercise Description
Posture assessment allows administrators to validate the applications and configurations on user
endpoints through the use of posture agents such as the NAC Agent or Web Agent. Posture
assessment can utilize file, registry, application process, service, Windows and AV/AS checks to
accomplish the task of determining endpoint compliance with Posture Policy. The Posture Policy
defines the set of conditions that must be satisfied for an endpoint to be considered compliant,
and if not, the methods to be used for remediation.
This exercise covers the configuration of a Posture Policy based on Antivirus (AV) conditions.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Define AV posture conditions that validate the installation and signature version of
ClamWin AV on an endpoint.
Define AV posture conditions that validate the installation and signature version of any
approved AV on an endpoint.
Define remediation actions for installing and updating AV software.
Configure a Posture Policy for Employees to have ClamWin AV installed and current
Configure a Posture Policy for Guest users to have any AV installed and current
The diagram highlights the key tasks covered in this exercise including Simple and Compound
Conditions, Remediation Actions, Posture Requirements, and Posture Policy:
Lab Exercise Steps
Step 1 If not already completed in an earlier lab step, make sure the AV/AS and Cisco checks have been
downloaded to the ISE appliance.
Navigate to Administration > System > Settings and click the icon to the left of Posture in
the left-hand pane to expand the contents of the Posture settings, and then click Updates. The
Update Information section in the bottom right-hand pane should show information regarding
update time and versions as shown in sample below. If values are empty, repeat lab steps to
download updates.
Step 2 Define an AV posture condition that validates the installation of ClamWin AV on an endpoint.
This check will be used in posture requirements applied to Employees.
Go to Policy > Policy Elements > Conditions and click the icon to the right of Posture. Select
AV Compound Condition from the left-hand pane and then click Add from the right-hand pane
menu. Enter the following values and then click Submit at the bottom of the page:
Attribute                      Value
Name                           ClamWin_AV_Installed
Description                    Check ClamWin AV is installed
Operating System               Windows 7 (All)
Vendor                         ClamWin   *** Note: There is also an entry for ClamAV ***
Check Type                     ( o ) Installation
                               (   ) Definition
                                     [ ] Allow virus definition files to be 0 days older than
                                         ( ) latest file date
                                         ( ) current system date
Products for Selected Vendor   [ ] ClamWin Antivirus
                               [ ] ClamWin FREE Antivirus
Note: If no AV products appear under Vendor field, then posture updates have not yet been downloaded or
download has not yet completed.
Step 3 Define an AV posture condition that validates the signature version of ClamWin AV on an
endpoint. This check will be used in posture requirements applied to Employees.
Select AV Compound Condition from the left-hand pane and then click Add from the right-
hand pane menu. Enter the following values and then click Submit at the bottom of the page:
Attribute                     Value
Name                          ClamWin_AV_Current
Description                   Check ClamWin AV is current
Operating System              Windows 7 (All)
Vendor                        ClamWin   *** Note: there is also a separate entry for ClamAV ***
Check Type                    ( ) Installation   (o) Definition
                              [ ] Allow virus definition files to be [0] days older than
                                  (o) latest file date   ( ) current system date
Products for Selected Vendor  [ ] ClamWin Antivirus   [ ] ClamWin FREE Antivirus
Step 4 Define an AV posture condition that validates the installation of any supported AV on an
endpoint. This check will be used for posture requirements applied to Guest users.
Select AV Compound Condition from the left-hand pane and then click Add from the right-
hand pane menu. Enter the following values and then click Submit:
Attribute                     Value
Name                          Any_AV_Installed
Description                   Check Any AV is installed
Operating System              Windows All
Vendor                        ANY
Check Type                    (o) Installation   ( ) Definition
                              [ ] Allow virus definition files to be [0] days older than
                                  ( ) latest file date   ( ) current system date
Products for Selected Vendor  [ ] ANY
Step 5 Define an AV posture condition that validates the signature version of any supported AV on an
endpoint. This check will be used for posture requirements applied to Guest users.
Select AV Compound Condition from the left-hand pane and then click Add from the right-
hand pane menu. Enter the following values and then click Submit:
Attribute                     Value
Name                          Any_AV_Current
Description                   Check Any AV is current
Operating System              Windows All
Vendor                        ANY
Check Type                    ( ) Installation   (o) Definition
                              [ ] Allow virus definition files to be [0] days older than
                                  (o) latest file date   ( ) current system date
Products for Selected Vendor  [ ] ANY
Attribute                 Value
Name                      Update_ClamWin_AV_Definitions
Description               Trigger signature updates for ClamWin AV
AV/AS Remediation Type    AV Definition Update
Remediation Type          Automatic
Interval                  2
Retry Count               2
Operating System          (o) Windows   ( ) Mac
AV Vendor Name            ClamWin   *** Note: there is also a separate entry for ClamAV ***
Step 8 Define a Posture Remediation Action that updates any supported AV on an endpoint.
Select AV/AS Remediation from the left-hand pane and then click Add from the right-hand
pane menu. Enter the following values and then click Submit:
Attribute                 Value
Name                      Update_Any_AV_Definitions
Description               Trigger signature updates for any AV vendor
AV/AS Remediation Type    AV Definition Update
Remediation Type          Automatic
Interval                  2
Retry Count               2
Operating System          (o) Windows   ( ) Mac
AV Vendor Name            ANY
Step 9 Define Posture Requirements that will be applied to Employees and Guest users.
Select Requirements from the left-hand pane (under Policy > Policy Elements > Results >
Posture).
Enter the following entries into the table, using the selector at the end of a rule
entry to insert or duplicate rules. Click Save when finished:
Name: AV_Installed
  Operating System: Windows 7 (All)
  Conditions: ClamWin_AV_Installed
  Remediation Action: Install_ClamWin_AV
  Message Shown to Agent User: (optional)
Name: AV_Current
  Operating System: Windows 7 (All)
  Conditions: ClamWin_AV_Current
  Remediation Action: Update_ClamWin_AV_Definitions
  Message Shown to Agent User: (optional)
Name: Guest_AV_Installed
  Operating System: Windows All
  Conditions: Any_AV_Installed
  Remediation Action: Message Text Only
  Message Shown to Agent User: <H3>An approved Antivirus program was NOT detected on your PC. All guest users must have a current AV program installed before access is granted to the network. If you would like to install a free version of ClamAV, please click <a href="http://updates.demo.local/clamwin-0.95.3-setup.exe">here</a></H3>
Name: Guest_AV_Current
  Operating System: Windows All
  Conditions: Any_AV_Current
  Remediation Action: Message Text Only
  Message Shown to Agent User: <H2>All Guests must have Antivirus software installed with current signatures. Please update your AV software signatures now.</H2>
Note: If a preconfigured condition does not display under the list of Conditions, be sure you have selected the
appropriate Operating System setting for both the condition and the requirement rule. Only conditions whose
OS is the same as, or a subset of, the OS selected for the rule will display in the Conditions selection list.
Note: A remediation action of Message Text Only presents the content of the Description field to the user
if the requirement fails. This can be used to give the end user instructions such as Help Desk contact numbers,
URL links, or other text to assist in the remediation process. Basic HTML can be entered into this field.
Step 10 Configure the Posture Policy to ensure ClamWin AV is installed and current on Employee
computers running Windows 7 and that any supported AV is installed and current on Guest user
computers.
Go to Policy > Posture and create new policy rules using the values provided in the table, and
then click Save to apply your changes:
Rule Name: Employee_Windows_AV_Installed_and_Current
  Status: Disabled (see note below)
  Identity Groups: Any
  Operating Systems: Windows 7 (All)
  Other Conditions: demo.local:ExternalGroups EQUALS demo.local/Users/employees
  Requirements: AV_Installed (Mandatory), AV_Current (Mandatory)
Rule Name: Guest_Windows_AV_Installed_and_Current
  Status: Disabled (see note below)
  Identity Groups: Guest
  Operating Systems: Windows All
  Other Conditions: -
  Requirements: Guest_AV_Installed (Mandatory), Guest_AV_Current (Mandatory)
Note: Be sure to set the posture policy rules to DISABLED using the selector on the left-hand side of the rule
(the rules are enabled later, when they are tested):
Note: To specify a Posture Requirement as Mandatory, Optional, or Audit, click the icon to the right of the
requirement name and select an option from the drop-down menu:
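The following Python script is an added worked example written for this edit; it is not part of the Cisco lab guide and is not ISE code. It models how the AV conditions (Steps 2 to 5), the requirements (Step 9) and the policy rules (Step 10) of this exercise combine into a compliance verdict: an Installation check passes when a matching product is present, a Definition check passes when the signatures are no more than the allowed number of days older than the reference date, and a rule is non-compliant only when a Mandatory requirement fails (an Optional failure only offers remediation the user may skip, an Audit failure is logged but not shown). The endpoint snapshots, the newest ClamWin definition date and the plain group string used for the employee match (the GUI uses an AD external-group condition) are assumptions made for the example.

```python
# Added worked example (editor's code, not from the Cisco lab guide or from ISE):
# a minimal model of how the AV conditions, requirements and policy rules built in
# this exercise combine into a compliance verdict. Endpoint snapshots and the
# "newest definition" date are constructed test data, not real NAC Agent output.
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

@dataclass
class AVProduct:
    vendor: str
    product: str
    definition_date: date        # date stamp of the signature set on the endpoint

@dataclass
class Endpoint:
    os: str                      # e.g. "Windows 7"
    identity_group: str          # assumption: a plain group string stands in for the
    av: List[AVProduct]          # AD external-group condition used in the GUI
    today: date

@dataclass
class AVCondition:
    name: str
    vendor: str                  # "ANY" or a vendor such as "ClamWin"
    check_type: str              # "Installation" or "Definition"
    days_older_allowed: int = 0
    compare_to: str = "latest file date"   # or "current system date"

@dataclass
class Requirement:
    name: str
    os: str                      # "Windows 7 (All)" or "Windows All"
    condition: AVCondition
    action: str                  # remediation action name or "Message Text Only"

@dataclass
class PolicyRule:
    name: str
    identity_group: str          # "Any" or a group name
    os: str
    requirements: List[Tuple[Requirement, str]]   # (requirement, Mandatory|Optional|Audit)

# Assumed newest signature date per vendor; stands in for the posture update feed.
LATEST_DEFINITIONS = {"ClamWin": date(2012, 5, 1)}

def os_matches(selector: str, endpoint_os: str) -> bool:
    """'Windows All' matches any Windows release, 'Windows 7 (All)' any Windows 7 edition."""
    base = selector.replace("(All)", "").replace(" All", "").strip()
    return endpoint_os.startswith(base)

def evaluate_condition(cond: AVCondition, ep: Endpoint) -> bool:
    products = [p for p in ep.av if cond.vendor == "ANY" or p.vendor == cond.vendor]
    if cond.check_type == "Installation":
        return bool(products)
    # Definition check: some matching product must be no more than the allowed number
    # of days older than the reference date (newest known signatures, or today).
    for p in products:
        if cond.compare_to == "current system date":
            reference = ep.today
        else:
            reference = LATEST_DEFINITIONS.get(p.vendor, ep.today)
        if (reference - p.definition_date).days <= cond.days_older_allowed:
            return True
    return False

def evaluate_rule(rule: PolicyRule, ep: Endpoint) -> dict:
    """Per-requirement results plus the verdict. A Mandatory failure makes the endpoint
    non-compliant; an Optional failure only offers remediation the user may skip;
    an Audit failure is recorded but never shown to the user or enforced."""
    if rule.identity_group not in ("Any", ep.identity_group) or not os_matches(rule.os, ep.os):
        return {"matched": False}
    results, remediations, compliant = {}, [], True
    for req, status in rule.requirements:
        if not os_matches(req.os, ep.os):
            continue                                  # requirement not applicable to this OS
        passed = evaluate_condition(req.condition, ep)
        results[req.name] = passed
        if not passed and status in ("Mandatory", "Optional"):
            remediations.append((req.name, req.action))
        if not passed and status == "Mandatory":
            compliant = False
    return {"matched": True, "results": results, "compliant": compliant,
            "remediations": remediations}

# The conditions, requirements and rules as configured in Steps 2 to 5, 9 and 10.
ClamWin_AV_Installed = AVCondition("ClamWin_AV_Installed", "ClamWin", "Installation")
ClamWin_AV_Current = AVCondition("ClamWin_AV_Current", "ClamWin", "Definition")
Any_AV_Installed = AVCondition("Any_AV_Installed", "ANY", "Installation")
Any_AV_Current = AVCondition("Any_AV_Current", "ANY", "Definition")
EMPLOYEE_RULE = PolicyRule("Employee_Windows_AV_Installed_and_Current", "employees", "Windows 7 (All)", [
    (Requirement("AV_Installed", "Windows 7 (All)", ClamWin_AV_Installed, "Install_ClamWin_AV"), "Mandatory"),
    (Requirement("AV_Current", "Windows 7 (All)", ClamWin_AV_Current, "Update_ClamWin_AV_Definitions"), "Mandatory"),
])
GUEST_RULE = PolicyRule("Guest_Windows_AV_Installed_and_Current", "Guest", "Windows All", [
    (Requirement("Guest_AV_Installed", "Windows All", Any_AV_Installed, "Message Text Only"), "Mandatory"),
    (Requirement("Guest_AV_Current", "Windows All", Any_AV_Current, "Message Text Only"), "Mandatory"),
])

# Constructed endpoints: an employee PC with ten-day-old ClamWin signatures, the same PC
# after the definition update, and a guest PC with no AV product at all.
STALE_EMPLOYEE = Endpoint("Windows 7", "employees",
                          [AVProduct("ClamWin", "ClamWin FREE Antivirus", date(2012, 4, 21))], date(2012, 5, 2))
FRESH_EMPLOYEE = Endpoint("Windows 7", "employees",
                          [AVProduct("ClamWin", "ClamWin FREE Antivirus", date(2012, 5, 1))], date(2012, 5, 2))
BARE_GUEST = Endpoint("Windows XP", "Guest", [], date(2012, 5, 2))

if __name__ == "__main__":
    for rule, ep in ((EMPLOYEE_RULE, STALE_EMPLOYEE), (EMPLOYEE_RULE, FRESH_EMPLOYEE), (GUEST_RULE, BARE_GUEST)):
        print(rule.name, "->", evaluate_rule(rule, ep))
```

Running the script prints the stale employee PC as non-compliant with a single automatic remediation (Update_ClamWin_AV_Definitions), the updated PC as compliant, and the guest PC as failing both requirements with Message Text Only, which is what the NAC Agent and Web Agent show in the later test exercises.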
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 7: OPTIONAL: Configure a Secure
Screen Saver Posture Policy
Exercise Description
Posture assessment allows administrators to validate the applications and configurations on user
endpoints through the use of posture agents such as the NAC Agent or Web Agent. Posture
assessment can utilize file, registry, application process, service, Windows and AV/AS checks to
accomplish the task of determining endpoint compliance with Posture Policy. The Posture Policy
defines the set of conditions that must be satisfied for an endpoint to be considered compliant,
and if not, the methods to be used for remediation.
This exercise covers the configuration of a Posture Policy based on registry conditions to validate
a Windows client PC has a secure screen saver configured.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Define Registry posture conditions that validate the Windows desktop screen saver
settings to be enabled and secure (require password to unlock computer) with a short
timeout and screen saver selected (not set to None).
Define a Remediation Action to update the registry configuration that controls the screen
saver to policy compliant values.
Configure a Posture Requirement for the screen saver to be enabled and secure.
Configure a Posture Policy to apply the screen saver policy to any Windows user
Attribute Value
Operating System Windows All
Step 3 Create a Registry Condition that checks that the current user's screen saver is set to a value
other than (None).
Click Add from the right-hand pane menu. Enter the following values and then click Submit:
Attribute            Value
Name                 ScreenSaver_SCR
Description          (optional)
Registry Type        RegistryValue
Registry Root Key    HKCU
Sub Key              Control Panel\Desktop
Value Name           SCRNSAVE.EXE
Value Data Type      String
Value Operator       ends with
Value Data           scr
Operating System     Windows All
Step 4 Create a Registry Condition that checks that the current user's screen saver is secure
(password required on resume).
Click Add from the right-hand pane menu. Enter the following values and then click Submit:
Attribute            Value
Name                 ScreenSaver_Secure
Description          (optional)
Registry Type        RegistryValue
Registry Root Key    HKCU
Sub Key              Control Panel\Desktop
Value Name           ScreenSaverIsSecure
Value Data Type      Number
Value Operator       Equals
Value Data           1
Operating System     Windows All
Step 5 Create a Registry Condition that checks that the current user's screen saver timeout is less than
or equal to 300 seconds (5 minutes).
Click Add from the right-hand pane menu. Enter the following values and then click Submit:
Attribute            Value
Name                 ScreenSaver_Timeout
Description          (optional)
Registry Type        RegistryValue
Registry Root Key    HKCU
Sub Key              Control Panel\Desktop
Value Name           ScreenSaveTimeOut
Value Data Type      Number
Value Operator       less than or equal to
Value Data           300
Operating System     Windows All
Step 6 Create a Compound Condition that combines each of the specific Screen Saver registry checks
into a single condition.
a. Select Compound Condition from the left-hand pane, and then click Add from the right-
hand pane menu. Enter the following values from the table:
Attribute            Value
Name                 ScreenSaver
Description          (optional)
Operating System     Windows All
Expression           ((ScreenSaver_On & ScreenSaver_Secure) & ScreenSaver_SCR) & ScreenSaver_Timeout
Note: Although the Expression content in a Compound Condition can be entered manually, it is recommended that
the Condition List be used to navigate to and select the desired checks. This helps to ensure values are
entered correctly. Use the operator buttons [( ) & ! |] to insert the correct logical separators.
i. Click the icon to the right of Registry Condition in the Condition List section.
ii. Select ScreenSaver_On from the list. The item should appear in the open text field.
iii. Click the & symbol button under the open text field. The symbol should be
appended to the content in the open text field.
iv. Complete the condition expression using the following selections:
ScreenSaver_Secure
&
ScreenSaver_SCR
&
ScreenSaver_Timeout
b. Click the icon to the right of the expression window to see basic syntax help for creating a
compound condition based on individual checks (simple conditions).
c. Click Validate Expression to have the system verify the basic expression logic and that the
expression is composed of valid checks.
d. Click Submit when finished.
Step 7 Define a Posture Remediation Action that updates the screen saver registry keys on a Windows
PC to compliant values.
Navigate to Policy > Policy Elements > Results and expand the contents under Posture, and
then expand Remediation Actions.
Select Link Remediation from the left-hand pane and then click Add from the right-hand pane
menu. Enter the following values and then click Submit:
Attribute            Value
Name                 Enable_Secure_Screen_Saver
Description          Download compliant screen saver registry values
Remediation Type     Manual
Retry Count          0
Interval             0
URL                  http://updates.demo.local/ScreenSaver.reg
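The following Python script is an added worked example written for this edit, not code from the lab guide or from ISE. It evaluates the four registry checks of Steps 2 to 5 and the compound expression of Step 6 against a constructed snapshot of the HKCU\Control Panel\Desktop key, then applies a .reg file of the kind the Link Remediation in Step 7 points the user at and re-evaluates. Two things are assumed because the guide does not reproduce them: the ScreenSaver_On check is taken to be ScreenSaveActive equals 1, and the contents of ScreenSaver.reg are the editor's own (blank screen saver, 300-second wait, password on resume, matching the compliant values verified in Lab Exercise 8). Note that Windows stores all four of these values as REG_SZ strings, which is why the conditions declare the data type Number: the comparison must be numeric, not lexical.

```python
# Added worked example (editor's code, not from the Cisco lab guide or from ISE):
# the screen saver registry checks and compound condition of this exercise,
# evaluated against a constructed registry snapshot before and after applying a
# ScreenSaver.reg file. ScreenSaver_On (ScreenSaveActive = 1) and the .reg text
# are assumptions; the lab's real ScreenSaver.reg is not shown in the guide.
import re

# (root key, sub key, value name, data type, operator, data) as entered in the ISE GUI.
# Windows keeps these as REG_SZ strings; the "Number" type forces a numeric compare.
REGISTRY_CONDITIONS = {
    "ScreenSaver_On":      ("HKCU", r"Control Panel\Desktop", "ScreenSaveActive",    "Number", "equals", "1"),
    "ScreenSaver_SCR":     ("HKCU", r"Control Panel\Desktop", "SCRNSAVE.EXE",        "String", "ends with", "scr"),
    "ScreenSaver_Secure":  ("HKCU", r"Control Panel\Desktop", "ScreenSaverIsSecure", "Number", "equals", "1"),
    "ScreenSaver_Timeout": ("HKCU", r"Control Panel\Desktop", "ScreenSaveTimeOut",   "Number", "less than or equal to", "300"),
}
COMPOUND_EXPRESSION = "((ScreenSaver_On & ScreenSaver_Secure) & ScreenSaver_SCR) & ScreenSaver_Timeout"

def check_registry_condition(cond, registry):
    """Evaluate one simple registry condition against a {(root, subkey): {name: data}} snapshot."""
    root, subkey, name, dtype, op, expected = cond
    actual = registry.get((root, subkey), {}).get(name)
    if actual is None:
        return False                              # value absent: the check fails
    if dtype == "Number":
        try:
            actual, expected = int(actual), int(expected)
        except ValueError:
            return False                          # non-numeric data never satisfies a Number check
    return {
        "equals": lambda a, e: a == e,
        "ends with": lambda a, e: str(a).lower().endswith(e.lower()),
        "less than or equal to": lambda a, e: a <= e,
    }[op](actual, expected)

def evaluate_expression(expr, results):
    """Evaluate an ISE compound expression (&, |, !, parentheses) over simple-condition results."""
    tokens = re.findall(r"\(|\)|&|\||!|\w+", expr)
    pos = 0
    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = parse_and()
            value = value or rhs
        return value
    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value
    def parse_not():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return value
        return results[tok]                       # KeyError if the expression names an unknown check
    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return value

def screen_saver_compliant(registry):
    """Return (compound result, per-check results) for the snapshot."""
    results = {name: check_registry_condition(cond, registry) for name, cond in REGISTRY_CONDITIONS.items()}
    return evaluate_expression(COMPOUND_EXPRESSION, results), results

def apply_reg_file(reg_text, registry):
    """Apply the [key] and "name"="data" lines of a .reg export to the snapshot (REG_SZ values only)."""
    roots = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
    current = None
    for line in reg_text.splitlines():
        m = re.match(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$", line)
        if m:
            current = (roots[m.group(1)], m.group(2))
            registry.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            registry[current][m.group(1)] = m.group(2).replace("\\\\", "\\")   # un-escape backslashes
    return registry

# Constructed snapshot of the non-compliant Win7-PC (no screen saver, 10-minute wait, no password).
NONCOMPLIANT = {("HKCU", r"Control Panel\Desktop"): {
    "ScreenSaveActive": "0", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "600"}}

# Assumed ScreenSaver.reg contents (editor's own, not the lab file).
SCREENSAVER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="300"
"SCRNSAVE.EXE"="C:\\Windows\\system32\\scrnsave.scr"
'''

if __name__ == "__main__":
    print("before:", screen_saver_compliant(NONCOMPLIANT))
    print("after: ", screen_saver_compliant(apply_reg_file(SCREENSAVER_REG, NONCOMPLIANT)))
```

The compound expression evaluator is a small recursive-descent parser rather than a call to eval(), so a typo in a condition name raises an error instead of silently passing; the Validate Expression button in Step 6c catches the same class of mistake in the GUI.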
Step 8 Define Posture Requirements that will be applied to Employees and Guest users.
Select Requirements from the left-hand pane (under Policy > Policy Elements > Results >
Posture).
Add a Screen Saver requirement into the table using the following values and then click Save:
Step 9 Configure the Posture Policy to ensure a Secure Screen Saver is present on Employee and
Guest user computers running Windows.
Go to Policy > Posture and create new policy rules using the values highlighted in the table,
and then click Save to apply your changes (the two AV rules already exist from Lab Exercise 6):
Rule Name: Employee_ScreenSaver
  Status: Disabled (see note below)
  Identity Groups: Any
  Operating Systems: Windows All
  Other Conditions: demo.local:ExternalGroups EQUALS demo.local/Users/employees
  Requirements: Screen_Saver_On_and_Secure (Mandatory)
Rule Name: Employee_Windows_AV_Installed_and_Current
  Identity Groups: Any
  Operating Systems: Windows 7 (All)
  Other Conditions: demo.local:ExternalGroups EQUALS demo.local/Users/employees
  Requirements: AV_Installed (Mandatory), AV_Current (Mandatory)
Rule Name: Guest_ScreenSaver
  Status: Disabled (see note below)
  Identity Groups: Guest
  Operating Systems: Windows All
  Other Conditions: -
  Requirements: Screen_Saver_On_and_Secure (Mandatory)
Rule Name: Guest_Windows_AV_Installed_and_Current
  Identity Groups: Guest
  Operating Systems: Windows All
  Other Conditions: -
  Requirements: Guest_AV_Installed (Mandatory), Guest_AV_Current (Mandatory)
Note: Be sure to set the posture policy rules to DISABLED using the selector on the left-hand side of the rule:
Lab Exercise 8: Test Posture Assessment and
Posture Policies using NAC Agent
Exercise Description
In the previous lab exercises you have configured and tested Client Provisioning services to
validate policy-based distribution of the NAC Agent to Employees. Posture Policies have also
been configured. This exercise will test the Posture Requirements and Policies for Employees
running the NAC Agent.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Login as an Employee via 802.1X authentication and verify proper execution of NAC
Agent discovery, posture, and remediation process.
Review ISE authentication log monitoring tools to validate correct application of policies.
AV POSTURE TESTING
Step 1 Delete ClamWin AV signatures on the Win7 PC to ensure that the client AV software is out of
compliance with AV signature updates.
a. Log into the Windows 7 PC client as DEMO\employee1 / cisco123, where DEMO is the
Windows domain name.
b. From the Win7-PC client, open the Lab Tools shortcut from the Windows desktop and
run (double-click) the Delete_ClamWin_AV_Updates script.
c. A command window should open to execute processing of the script and indicate
Process Complete! when finished. Press any key to continue.
Step 2 Validate the authorization status of the Win7-PC client on the access switch.
b. Verify the authorization status of the PC switchport using the command show
authentication sessions interface GigabitEthernet 0/1.
c. The DATA domain should show successful 802.1X authentication from machine auth
(User-Name: host/Win7-PC.demo.local) and the current dACL (ACS ACL) should be
AD_LOGIN_ACCESS.
If the current status is not as described above, then perform a shut / no shut on
interface gi0/1. This will clear out any previous session that may have been
established. After about 30 seconds, the port status should indicate that 802.1X
machine authentication has completed successfully and AD login privileges have
been granted.
a. From the Admin client PC, access the ISE admin interface and go to Policy > Posture. Enable
the Employee AV posture policy rule (left DISABLED at the end of Lab Exercise 6) as follows:
b. The previously installed NAC Agent should automatically launch after Windows login and
begin the posture assessment process. Due to an out-of-compliance condition for the AV
policy, remediation should be initiated. The Remediation Action was set to Automatic so
the message Remediating System should appear at the bottom of the agent window as
shown:
c. Auto-remediation will trigger the ClamAV client to update its signature definitions and a
notification should be viewable from the Windows task tray upon successful update:
The remediation server (updates.demo.local) is configured to download current AV signature files upon start
of the pX-www-int VM. If this process fails to complete, then the ClamAV client may fail to download the AV
signature files from the remediation server as shown above. If the above process fails, then go to Policy >
Posture from the ISE admin interface, and change the requirements for the posture rule named
Employee_Windows_AV_Installed_and_Current policy from Mandatory to Optional.
To specify posture requirements as Optional, navigate to the Requirements column of the posture policy rule
and expand the contents of the requirement. Click the icon to the right of the requirement name and
select Optional from the drop-down menu. Repeat for each requirement in the rule.
d. The AUP page should display following successful remediation. Click Accept to accept
the Network Usage Policy Terms and Conditions.
e. A message will appear stating Full Network Access and will auto-close per our NAC
Agent profile settings.
Step 5 Validate the authorization status of the Win7-PC client on the access switch.
b. Verify the authorization status of the PC switchport using the command show
authentication sessions interface GigabitEthernet 0/1.
c. The DATA domain should show successful 802.1X authentication from user auth (User-
Name = DEMO\employee1) and the current dACL (ACS ACL) should be
PERMIT_ALL_TRAFFIC.
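The switchport checks in Steps 2 and 5 are done by eye in the lab. The following Python script is an added worked example written for this edit (not from the lab guide, ISE or Cisco IOS) that parses the output of show authentication sessions interface GigabitEthernet 0/1 and compares it with the state the lab expects at each stage: machine authentication with the AD_LOGIN_ACCESS dACL, a compliant user session with PERMIT_ALL_TRAFFIC, and a quarantined session with POSTURE-REMEDIATION. SAMPLE_OUTPUT is constructed to follow the IOS layout; the MAC and IP addresses, session IDs and the hash suffix on the dACL name are made up. The dACL name is recovered by stripping the xACSACLx-IP- prefix and the trailing hash that ISE appends, which is what makes POSTURE-REMEDIATION (a name that itself contains a hyphen) compare correctly.

```python
# Added worked example (editor's code, not from the Cisco lab guide): parse
# "show authentication sessions interface ..." output and verify the expected
# switchport state. SAMPLE_OUTPUT is constructed in the IOS layout; addresses,
# session IDs and the dACL hash suffix are made up.
import re

SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet0/1
          MAC Address:  0050.5689.1a2b
           IP Address:  10.1.10.101
            User-Name:  host/Win7-PC.demo.local
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-AD_LOGIN_ACCESS-4f9e1c2b
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0101010000000C0012D4E9
      Acct Session ID:  0x00000010
               Handle:  0x9B00000C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

def parse_session(text):
    """Return the 'Field:  value' pairs plus a 'methods' dict of method -> state."""
    session, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
            continue
        m = re.match(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(.*?)\s*$", line)
        if m:
            session[m.group(1)] = m.group(2)
    session["methods"] = methods
    return session

def dacl_name(acs_acl):
    """Strip the xACSACLx-IP- prefix and the trailing hash ISE appends to a downloadable ACL name."""
    m = re.match(r"^xACSACLx-IP-(.+)-[0-9a-f]+$", acs_acl)
    return m.group(1) if m else acs_acl

# Expected state per stage, taken from the lab text: (User-Name predicate, dACL, dot1x state).
EXPECTED = {
    "machine_auth":    (lambda u: u.startswith("host/"),          "AD_LOGIN_ACCESS",     "Authc Success"),
    "user_compliant":  (lambda u: u.lower() == "demo\\employee1", "PERMIT_ALL_TRAFFIC",  "Authc Success"),
    "pra_quarantined": (lambda u: u.lower() == "demo\\employee1", "POSTURE-REMEDIATION", "Authc Success"),
}

def verify_stage(session, stage):
    """Return a list of mismatches; an empty list means the port is in the expected state."""
    user_ok, want_dacl, want_dot1x = EXPECTED[stage]
    problems = []
    if session.get("Domain") != "DATA":
        problems.append("domain is %r, expected DATA" % session.get("Domain"))
    if session.get("Status") != "Authz Success":
        problems.append("status is %r, expected Authz Success" % session.get("Status"))
    if not user_ok(session.get("User-Name", "")):
        problems.append("unexpected User-Name %r" % session.get("User-Name"))
    got_dacl = dacl_name(session.get("ACS ACL", ""))
    if got_dacl != want_dacl:
        problems.append("dACL is %r, expected %r" % (got_dacl, want_dacl))
    if session["methods"].get("dot1x") != want_dot1x:
        problems.append("dot1x state is %r, expected %r" % (session["methods"].get("dot1x"), want_dot1x))
    return problems

if __name__ == "__main__":
    s = parse_session(SAMPLE_OUTPUT)
    print(s["User-Name"], "->", dacl_name(s["ACS ACL"]))
    for stage in EXPECTED:
        print(stage, verify_stage(s, stage) or "OK")
```

With the sample output the machine_auth stage verifies cleanly, while user_compliant reports both the host/ User-Name and the AD_LOGIN_ACCESS dACL as mismatches, which is exactly the difference between Step 2 and Step 5.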
Step 6 Prepare the Win7-PC client for testing the full Posture Policy for Employees.
a. Run the Delete_ClamWin_AV_Updates script from the Lab Tools shortcut on the
Windows desktop. This will remove the AV client's current signature definitions.
b. From the Lab Tools shortcut on the Windows desktop, double-click the Personalization
shortcut to open the Control Panel's Personalization settings.
c. Select Screen Saver from the Control Panel windows (bottom right corner).
d. Verify that the Windows screen saver settings are disabled:
Screen saver = (None)
Wait = Value > 5 minutes
On resume, display logon screen = <Not checked>
e. Click OK to close the Screen Saver Settings and close the Control Panel window.
f. Log off from the Windows 7 PC client.
a. From the Admin client PC, access the ISE admin interface and go to Policy > Posture.
b. The NAC Agent should automatically launch after Windows login and begin the posture
assessment process. Since we reverted the AV signatures to a non-compliant state,
automatic AV signature remediation will again need to be performed.
The Remediation Action for the Screen Saver Posture Requirement was set to Manual so
deliberate user input is required to trigger remediation.
Read the instructions (this information was entered into the requirement description
during creation of the Posture Requirement) and click Go To Link:
c. A window will appear to download the registry fixes from the lab update server. Click
Save File:
d. The file ScreenSaver.reg is downloaded to the Win7-PC client. Double-click the filename
to install the new registry settings:
e. A Windows warning message appears to inform you that the registry will be modified.
Click Yes to apply the changes:
g. Close any remaining browser windows opened as part of the remediation process.
h. The AUP page should display following successful remediation. Click Accept to accept
the Network Usage Policy Terms and Conditions.
i. A message will appear stating Full Network Access and will auto-close per our NAC
Agent profile settings.
Step 9 Test the Employee login experience when fully compliant with Posture Policy.
a. Log off from the Win7-PC and then log back in as user DEMO\employee1.
b. Upon Windows login, the NAC Agent should open and detect that the client PC is fully
compliant with Posture Policy. Only the AUP should require user input. Click Accept to
accept the AUP. The NAC Agent should close and full network access should be granted.
Step 10 Verify the Screen Saver policy settings:
a. From the Lab Tools shortcut on the Windows desktop, double-click the Personalization
shortcut to open the Control Panel's Personalization settings.
b. Select Screen Saver from the Control Panel window (bottom right corner).
c. Verify that the Windows screen saver settings are now compliant (enabled and secure):
Screen saver = Blank
Wait = 5 minutes
On resume, display logon screen = <Checked>
d. Click OK to close the Screen Saver Settings and close the Control Panel window.
Step 11 Review the ISE Authentication logs for proper authentication, authorization, and policy
assignment.
a. Access the ISE admin interface from the Admin client PC.
b. Go to Monitor > Authentications.
c. Review the entries associated with the Win7-PC client based on IP address. Note the
following progression of entries, which indicates proper application of the Authorization Policy
based on authentication and posture compliance state:
Username=host/Win7-PC.demo.local, Authorization Profile=AD_Login
Username=DEMO\employee1, Authorization Profile=Posture_Remediation
Username=DEMO\employee1, Authorization Profile=Employee
Rule Name: Employee_ScreenSaver
  Identity Groups: Any
  Operating Systems: Windows All
  Other Conditions: demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:Agent-Request-Type EQUALS Periodic Reassessment
  Requirements: Screen_Saver_On_and_Secure (Mandatory)
Rule Name: Employee_Windows_AV_Installed_and_Current
  Identity Groups: Any
  Operating Systems: Windows 7 (All)
  Other Conditions: demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:Agent-Request-Type EQUALS Initial
  Requirements: AV_Installed (Mandatory), AV_Current (Mandatory)
Rule Name: Guest_ScreenSaver
  Identity Groups: Guest
  Operating Systems: Windows All
  Other Conditions: -
  Requirements: Screen_Saver_On_and_Secure (Mandatory)
Rule Name: Guest_Windows_AV_Installed_and_Current
  Identity Groups: Guest
  Operating Systems: Windows All
  Other Conditions: -
  Requirements: Guest_AV_Installed (Mandatory), Guest_AV_Current (Mandatory)
Note: If you have not completed the OPTIONAL Screen Saver posture policy configuration, you can alternatively
test PRA for the AV policy by setting the Session:Agent-Request-Type EQUALS Periodic Reassessment
for the Employee_Windows_AV_Installed_and_Current policy.
a. Go to Administration > System > Settings and click the icon to the left of Posture in
the left-hand pane to expand the contents of the Posture settings.
b. Click Reassessments in the left-hand pane, and then click Add from the menu in the
right-hand pane.
c. Enter the following values for the new PRA policy and click Submit when finished:
Attribute                        Value
Configuration Name               PRA_Any_User
Configuration Description        (optional)
Use Reassessment Enforcement?    [x] enabled
Enforcement Type                 remediate
Interval                         2 (minutes)
Grace Time                       1 (minute)
Select Roles                     Any
Note: The standard minimum settings for PRA Interval and Grace Time are 60 and 5 minutes, respectively.
The settings used in this lab are for training purposes only. Specific code changes were necessary
for the ISE appliance in this lab to allow these lower values to be configured.
Note: If a login is required to unlock the screen, first log in to the active session to unlock the desktop, and then
log off Windows.
b. Upon Windows login, the NAC Agent should open and detect that the client PC is fully
compliant with Posture Policy. Only the AUP should require user input. Click Accept to
accept the AUP. The NAC Agent should close with full network access granted.
c. From the Lab Tools shortcut on the Windows desktop, run the
Delete_ClamWin_AV_Updates script to remove the AV client's signature definitions.
d. Run the RemoveScreenSaver script from the Windows desktop to revert the screen
saver settings to non-compliant values. Click Yes and then OK to accept and
acknowledge the registry changes.
e. Wait up to two minutes for posture reassessment Interval to trigger. The NAC Agent
should open to alert the failure of the Screen Saver policy.
f. Allow the 1 minute Grace Time to expire. The following message will display:
g. Click OK to close the NAC Agent window.
h. Place your mouse cursor over the Cisco NAC Agent icon in the Windows task tray. The
status should now display Quarantined (changed from Logged-In).
Step 15 Review the switchport authorization status on the access switch.
Return to the access switch terminal session and verify the authorization status of the PC
switchport using the command show authentication sessions interface GigabitEthernet 0/1.
The current dACL (ACS ACL) should now be POSTURE-REMEDIATION (changed from
PERMIT_ALL_TRAFFIC).
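To make the timing in the reassessment steps above concrete, the following Python script is an added worked example written for this edit (not from the lab guide or from ISE). It models the PRA settings as a timeline: the failure is only noticed at the next reassessment tick after it happens (Interval), the agent then alerts and access is kept for the Grace Time, and once the grace window expires the session is quarantined and the port moves to the POSTURE-REMEDIATION dACL. The remediate path is what this exercise demonstrates; the continue and logoff branches encode the editor's understanding of the other two ISE enforcement types and are not something the guide states.

```python
# Added worked example (editor's code, not from the Cisco lab guide): a timeline
# model of the Periodic Reassessment settings used in this exercise. Times are
# minutes since login. "continue" and "logoff" follow the editor's understanding
# of ISE PRA enforcement types; the guide itself only demonstrates "remediate".
PERMIT = "PERMIT_ALL_TRAFFIC"
QUARANTINE = "POSTURE-REMEDIATION"

def pra_session_state(interval, grace, enforcement, fail_at=None, remediated_at=None, now=0):
    """Return (agent status, dACL) at minute `now` for an endpoint that fell out of
    compliance at minute `fail_at` and was optionally fixed at minute `remediated_at`."""
    if fail_at is None or now < fail_at:
        return ("Logged-In", PERMIT)
    # PRA only notices the failure at the next reassessment tick after it happened.
    first_failed_check = (fail_at // interval + 1) * interval
    if now < first_failed_check:
        return ("Logged-In", PERMIT)
    if enforcement == "continue":            # result logged, access left untouched
        return ("Logged-In", PERMIT)
    if enforcement == "logoff":              # session terminated, user must re-authenticate
        return ("Logged-Out", None)
    if enforcement != "remediate":
        raise ValueError("unknown enforcement type %r" % enforcement)
    quarantine_at = first_failed_check + grace
    if remediated_at is not None and remediated_at <= now and remediated_at < quarantine_at:
        return ("Logged-In", PERMIT)         # fixed inside the grace window
    if now < quarantine_at:
        return ("Remediating", PERMIT)       # grace window: agent alerts, access kept
    return ("Quarantined", QUARANTINE)       # CoA moves the port to the remediation dACL

def transitions(interval, grace, enforcement, fail_at=None, remediated_at=None, horizon=10):
    """List each (minute, status, dACL) change over the first `horizon` minutes."""
    changes, last = [], None
    for minute in range(horizon + 1):
        state = pra_session_state(interval, grace, enforcement, fail_at, remediated_at, minute)
        if state != last:
            changes.append((minute,) + state)
            last = state
    return changes

if __name__ == "__main__":
    # Lab settings: Interval 2, Grace Time 1, remediate; screen saver broken at minute 1.
    print(transitions(2, 1, "remediate", fail_at=1, horizon=5))
    # Same, but the user applies the .reg file before the grace window expires.
    print(transitions(2, 1, "remediate", fail_at=1, remediated_at=2, horizon=5))
    # Production-style settings (Interval 60, Grace Time 5) with "continue": no enforcement.
    print(transitions(60, 5, "continue", fail_at=1, horizon=70))
```

With the lab values the model reproduces the sequence observed in the steps above: Logged-In until the minute-2 reassessment, Remediating for the one-minute grace window, then Quarantined with the POSTURE-REMEDIATION dACL from minute 3.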
a. From the ISE admin interface, go to Administration > System > Settings and click the
icon to the left of Posture in the left-hand pane to expand the contents of the Posture
settings.
b. Click Reassessments in the left-hand pane, select PRA_Any_User and then click Edit
from the menu in the right-hand pane.
c. Change the PRA policy per the following table (restoring the standard Interval and Grace Time
values) and then click Save to apply the changes:
Attribute                        Value
Configuration Name               PRA_Any_User
Configuration Description        (optional)
Use Reassessment Enforcement?    [x] enabled
Enforcement Type                 continue
Interval                         60 (minutes)
Grace Time                       5 (minutes)
Select Roles                     Any
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 9: Test Posture Assessment and
Posture Policies using Web Agent
Exercise Description
In the previous lab exercises you have configured and tested Client Provisioning services to
validate policy-based distribution of the Web Agent to Guest users. Posture Policies have also
been configured. This exercise will test the Posture Requirements and Policies for Guest users
running the Web Agent.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Login as a Guest user via Central Web Authentication and verify proper execution of the
Web Agent posture and remediation process.
Test AV Posture Policy using Web Agent.
AV POSTURE TESTING
Step 1 Prepare the Win7-PC client for Web Agent posture assessment and policy testing as a Guest
user.
a. Login as DEMO\employee1
b. From the Lab Tools shortcut on the Windows desktop, run the
Delete_ClamWin_AV_Updates script to remove the AV client's signature definitions.
c. Run the RemoveScreenSaver script under Lab Tools to revert the screen saver settings
to non-compliant values. Click Yes and then OK to accept and acknowledge the registry
changes, and then close the Lab Tools window.
d. Uninstall the NAC Agent:
i. Go to Start (Start Menu) > Control Panel > Programs and Features. Select
Cisco NAC Agent from the list and click Uninstall from the menu options.
ii. Click Yes if prompted to confirm the uninstall process.
iii. If prompted, enter the Domain Admin credentials admin / cisco123 to permit the
process as a non-admin user.
iv. When the uninstall process is complete, the program listing for Cisco NAC
Agent will be removed. Exit the Control Panel window.
e. Disable 802.1X wired services on the Windows 7 client:
Step 2 Exit any open windows and restart the PC by going to Start (Start menu) and selecting Restart:
Warning: Do NOT select Shutdown or Sleep. If PC is shut or powered down, then any changes made to client
will be lost upon restart and you will need to redo changes made from the start of this lab exercise.
Wait until the Win7-PC client has restarted and returned to the CTRL+ALT+DEL screen, then
return to the terminal session of the access switch.
To verify the switch authorization status at any point during the Guest login and Web Agent
posture process, use the following switch commands:
Step 4 Enable the AV and Screen Saver Posture Policies for Guest users.
a. From the Admin client PC, access the ISE admin interface and go to Policy > Posture.
c. Click the Self Service button on the login portal and enter the following values into
the form, and then click Submit:
Attribute          Value
First Name         Guest
Last Name          User
Email Address      [email protected]
Phone Number       (optional)
Company            Company ABC
Optional Data 1    (enter reason for access)
Optional Data 2    (enter optional comments)
Timezone           UTC
Record the generated credentials here:
Username: _________________________
Password: __________________________
To facilitate login, select and copy the password entry, making sure not to include any
extra characters.
e. Click the OK button to display the Web authentication login page again.
a. Enter your new Username/Password credentials and click the Log In button.
b. If an AUP was enabled for Web authentication, check the box to Accept terms and
Conditions and then click Accept.
c. The ISE Agent Downloader page should appear. Click the button Click to install agent
at the bottom of the page.
e. The Cisco NAC Web Agent window should appear and indicate that posture assessment
is being performed.
Step 5 Remediate the non-compliant screen saver policy using the Web Agent.
a. Both Guest user Posture Policies for AV and Screen Saver should fail as shown below:
b. Click the link Click here to remediate under the failed Screen Saver Requirement
suggestions.
e. A Registry Editor window will appear asking if you wish to continue with the registry
modifications. Click Yes to allow the registry to be modified.
Note: If excessive time has passed and the Remediation Timer has expired, you can repeat the Web Agent
posture assessment process by returning to the ISE Agent Downloader page and re-clicking the button
Click to install agent at the bottom of the page.
a. Click the Re-Scan button in the Web Agent window to have posture re-assessed based
on the recent remediation. The Web Agent should be updated as per the following:
b. Because the Web Agent is a temporary client meant to run on any Windows PC, including for
non-admin users, it does not allow triggered code execution. Therefore the Guest user must
initiate the remediation manually.
Right-click on the ClamWin icon in the Windows task tray and click Download Virus
Database Update:
c. The ClamWin AV window will open and show the progress of the signature updates.
Click Close when AV update is complete:
Note: If the ClamWin update process fails:
The remediation server (updates.demo.local) is configured to download current AV signature files upon start
of the pX-www-int VM. If this process fails to complete, then the ClamAV client may fail to download the AV
signature files from the remediation server as shown above. If the above process fails, then go to Policy >
Posture from the ISE admin interface, and change the requirements for the posture rule named
Guest_Windows_AV_Installed_and_Current from Mandatory to Optional.
To specify posture requirements as Optional, navigate to the Requirements column of the posture policy rule
and expand the contents of the requirement. Click the icon to the right of the requirement name and
select Optional from the drop-down menu. Repeat for each requirement in the rule.
a. Click the Re-Scan button in the Web Agent window to have posture re-assessed based
on the recent remediation. The Web Agent should be updated as per the following:
b. Click Continue to complete the Web Agent session. The login success screen should
auto-close after two seconds per the configured policy.
c. From the original agent install window, click the browser Home icon, or re-enter
www.cisco.com into the URL address field to verify the Guest user now has Internet
access.
Step 8 Review the ISE Authentication logs for proper authentication, authorization, and policy
assignment.
a. Access the ISE admin interface from the Admin client PC.
b. Go to Monitor > Authentications.
c. Review the entries associated with the Win7-PC client based on IP address. Note the
following progression of entries that indicate proper application of the Authorization Policy
based on authentication and posture compliance state:
i. Username=<MAC_Address>, Authorization Profile=CWA_Posture_Remediation
ii. Username=<Guest_Username>, Authorization Profile=Guest
Lab Exercise 10: Monitor and Report on
Posture Services
Exercise Description
ISE includes both monitoring and reporting utilities to validate and troubleshoot Posture Services.
This exercise reviews some of these tools.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Review ISE Authentications log and verify session details related to Posture Services.
Review the ISE Dashboard for high-level posture status and statistics.
b. Review the log entries associated with the Win7-PC client sessions. Click the Details
link to see information regarding how the endpoint was authenticated, identity store used,
Authorization Profile applied including dACLs and other RADIUS attributes assigned.
Step 2 From the ISE admin interface, go to Home (Dashboard). Review the Posture Compliance
dashlet including Compliance pass percentage and Mean-Time-To-Remediate values.
Step 3 Click the upper right corner of the dashlet to expand in a new window:
Step 4 Click the OS and Reason entries to display additional details.
Step 5 Go to Monitor > Diagnostic Tools. Click the icon to the left of General Tools in the left-
hand pane to expand its contents, and then click Posture Troubleshooting. The Search page
displays.
Step 6 Click Search:
Step 7 Select one of the pass/fail (green/red) entries and then click Troubleshoot at the bottom of the
page:
A message displays to indicate the status of the request:
Step 8 When processing is complete, a window similar to the following will display:
Click Show Results Summary. The output displays a summary of all the passed and failed
requirements for the posture event along with the condition names and associated remediation
actions:
Step 9 Click Done to return to the Search page. Optionally enter new search criteria and repeat the
steps to troubleshoot passed/failed posture events.
Step 10 Go to Monitor > Reports > Catalog. Select Posture from the left-hand pane:
Step 11 Run the Posture Detail Assessment report and review the contents.
Step 12 Click the Details icon for any Failed (Red) posture entry. Review the overall details for the
posture session. Review the requirements which passed and those that failed:
Step 13 Select Posture again from the left-hand pane and run the Posture Trend report as shown:
This report provides an overall picture of posture compliance and non-compliance as well as the
number of passes/failures by posture requirement.
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
This lab was created by: Sanjeev Patel, Technical Marketing Engineer, Policy Management
Business Unit, Cisco Systems
Lab Overview
This lab is designed to provide students with exposure to some of the areas encountered when
deploying ISE. The lab provides the student with an opportunity to deploy a redundant ISE node
pair, and then scale the deployment by adding an additional node. The student will practice
backup and restore operations, become familiar with ISE administrative access control
configuration, understand and test bulk import operations, practice monitoring of an ISE
deployment, and finally understand ISE API behavior.
Lab Exercises
This lab guide consists of the following exercises:
Prerequisites
It is recommended that you complete the following labs before attempting this one:
Connect to a POD:
Step 1 Launch the Remote Desktop application on your system.
Step 2 Enter the Admin PC address:port for your pod per the table:
Step 3 Log in as DEMO\admin / cisco123 (Domain = DEMO)
Step 4 All lab configurations can be performed from the Admin client PC.
To access and manage other computers used in this lab, follow the instructions Connect to
ESX Server Virtual Machines.
To access the console of the ISE appliance and other lab infrastructure devices, follow the
instructions Connect to Lab Device Consoles.
Connect to ESX Server Virtual Machines:
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Reference the above POD Access Information table to verify the IP Address/Name of the ESX
Server for your pod.
Step 5 Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, go to Start and select from the Windows Start
Menu to open a terminal session using PuTTY.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of
the desired device in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Lab Topology
This is the topology used for this lab.
Internal IP addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
100 DATACENTER 10.1.100.0/24 Network services (AAA, AD, DNS, DHCP, NTP, etc.)
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By
default, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE
VLAN 40.
Pre-Lab Setup Instructions
During the initial delivery of the ISE Labs for the NPI training sessions, the GOLD labs will
operate in a manual fashion. Therefore, it may be necessary to manually perform a few tasks
prior to the start of each lab. The following instructions will prepare your pod for successful
execution of this lab guide.
Loading 3k-access-lab4-start.cfg !
[OK - 8275/4096 bytes]
b. Reload the switch. Do NOT save the current running configuration:
3k-access# reload
Lab # - Title ISE VMs
Note: Other virtual machines required for this lab such as AD or Windows 7 will be started for you.
Note: The ping test may fail for VMs that have not yet completed the boot process.
Join ise-1 to AD
Step 1 Go to the Admin client PC and launch the Mozilla Firefox web browser. Enter the following
URL in the address field:
https://ise-1.demo.local
a. Login with username admin and password default1A
(Accept/Confirm any browser certificate warnings if present)
Step 2 Go to Administration > Identity Management > External Identity Sources >
Active Directory
Enter the domain name under the Connection tab:
Attribute Value
Domain Name demo.local
Identity Store Name demo.local
a. Click on Save Configuration to save this configuration and then click Join. Enter the ISE
AD credentials, user1/cisco123, in the pop up window that appears.
b. You should see the following values on the Connection tab after the Join has completed:
Attribute Value
Local Node Status Joined to Domain: demo.local
Connection Status CONNECTED
Lab Exercise 1: Understanding ISE Deployment
Operations
Exercise Description
In this exercise, you will become familiar with ISE node operations that are used to achieve
redundancy and also to scale an ISE deployment.
Exercise Objective
In this exercise, you will:
Understand the process for introducing additional ISE nodes with different personas and
roles
Note: You can also confirm the ISE nodes role by hovering the mouse over the hostname at the top, in the banner
section of the web UI.
Note: During ISE 1.0 development, there were updates to ISE terminology. The following table shows the
terminology changes:
Role Persona
or M&T)
Note: ise-2 registration will fail if ise-1 cannot validate ise-2's certificate. This validation is done while ise-1 is establishing a
secure connection with ise-2 during registration.
iii. Back on ise-1, go to Administration > System > Deployment > Deployment >
Register, and complete Step 1: Specify Node Hostname or IP Address and
Credentials
Attribute Value
Password default1A
iv. On the next screen, Step 2: Configure Node, accept the defaults:
v. Registration can take several seconds and you should see a spinner while
registration is happening, followed by a success message indicating that the
registered node is being restarted.
vi. Monitor the replication status of the secondary node from the Deployment Nodes
screen; it should change from In-Progress to Complete. You will need to refresh
the page to see any updated status.
Note: You will notice two status columns, Replication Status and Sync Status. Replication will only complete after
the Sync Status is SYNC COMPLETED.
c. Each ISE node that requires AD connectivity (i.e. acting in a Policy Services role), needs to
be joined manually to AD
i. Login to the ise-2 web UI
ii. Go to Administration > System > Active Directory Operations
Note: Joining to AD and adding an ISE certificate are the two manual steps that need to be performed when
adding an ISE node to a deployment. Additionally, ADE-OS configuration must be done manually as it is not
replicated from the ISE primary.
Note: While you may see the new roles displayed, there may be a few minutes delay in presenting the correct
menus. The primary ISE should display the full menu set, whereas the secondary should display a limited
set of menu options. If you don't see the correct menus immediately, log out and in again.
Note: From this point on, ise-2.demo.local is the primary administration node. Therefore you should perform
general web UI configurations from this node from now on.
Description <blank>
c. Now add the Policy Services nodes you wish to group by going to the nodes edit screen:
Lab Exercise 2: Backup and Restore
Exercise Description
In this exercise you will gain familiarity with ISE backup and restore operations.
Exercise Objective
In this exercise, your goal is to:
Perform ISE backup and restore of:
o ISE configuration
o Monitoring data
Note: CSCtj42936, Need feedback or progress indicator during backup. As you will see, there is only a spinner
to indicate backup progress. This bug has been filed to provide more information during the backup process.
Note: You may see the spinner spin endlessly. Instead of waiting for the spinner to stop, open a new browser
session to ISE and check the backup history to confirm backup completion (see next step). This bug,
CSCtk90744, Spinning wheel still appears after backup success msg displayed, will be fixed in the FCS
build.
Note: A full backup may also be initiated from the CLI using the backup command:
a. An application restore is a restoration of the ISE configuration. It can only be done on the
primary administration node, or on a standalone node. The only situations that would
require such a restoration, are in the event that the primary administration node is lost
and there is no secondary administration node available, or if a rollback of a configuration
is required.
b. At the primary administration node CLI, enter restore <backupfilename> repository
<repository name> application ise
ise058b/admin# restore fullbkupCLI-110205-0024.tar.gpg repository myftp application ise
Restore may require a restart of application services. Continue? (yes/no) [yes]
? yes
Initiating restore. Please wait...
Note: CSCtk62275, Fail to restore the backup file: the restore may fail with a message such as % Backup file
does not match installed application(s). This bug should be fixed in the FCS build.
Note: After initiating a full monitoring backup, the screen shows a Successfully saved settings message rather
than a backup started message. Refreshing the screen shows the updated backup status under On-Demand
Backup History. The status should change from Running to Completed.
b. Check the backup history log under Monitor > Reports > System > Data Management
> Monitoring Node > Backup History (see note)
Note: Bug id CSCto06398, Monitoring backup and restore history displayed on wrong page, has been filed as the
Monitoring node backup history is displayed under Monitor > Reports > System > Data Management >
Administration Node > Backup History instead of Monitor > Reports > System > Data Management >
Monitoring Node > Backup History
Note: During the restore, there is no progress indicator. When the restore is complete, the screen will refresh with
a Restore process finished message.
b. Check the backup restore log under Monitor > Reports > System > Data Management
> Administration Node > Restore History
End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 3: Administrative Access Control
Exercise Description
In this exercise, you will gain familiarity with the ISE administrative access control functionality.
Exercise Objective
In this exercise, your goal is to:
Familiarize yourself with the ISE configuration screens for administrative access control
Configure an ISE administrator with limited access
Attribute Value
Name WirelessDataAccess
Types > Wireless
Note: Skip the above step 2(a) due to bug CSCto48981, Unable to create data admin access permissions
b. Create a Menu Access permission that only allows access to the Network Devices menu
i. Go to Administration > System > Admin Access > Permissions, click the
arrow to the right of Permissions, and then click on Menu Access
ii. Click Add to create a Menu Access Permission with the following values:
Attribute Value
Name WirelessMenuAccess
Attribute Value
Name WirelessAdmins
Attribute Value
if WirelessAdmins
then WirelessMenuAccess/WirelessDataAccess
Note: Omit adding the Wireless Data Access as you had to skip step 2(a)
Lab Exercise 4: Bulk Configuration
Provisioning
Exercise Description
This exercise provides exposure to the techniques for implementing bulk configuration
provisioning.
Exercise Objective
In this exercise, your goal is to:
Use the CSV method for importing and exporting configuration
Note: In ISE 1.0, CSV import/export is available for ISE Identities (Users, Endpoints), Identity Groups, Network
Devices, Network Device Groups. CSV import/export can only be initiated from the web UI, and not the CLI.
In addition, ISE 1.0 supports LDAP import of endpoints.
a. Pick one of the above configuration areas, e.g. users
i. Navigate to that configuration area and select the export function (configure an
item if there is no configuration to export)
Note: For users, as an example, the users for export must first be selected before the export button will become
active.
ii. Save the configuration export and examine the file contents to confirm the
export worked.
Step 2 Import configuration using CSV import
a. Pick one of the supported configuration areas for CSV import, e.g. users
i. Navigate to that configuration area and click the import option
ii. Click the Generate a Template link to create a template CSV file
iii. Populate the CSV file and then select the file in the import dialog
iv. Confirm that you see the new/updated configuration, or fix the import file
based on the errors you see in the import dialog.
Exercise Objective
In this exercise, your goal is to:
Use the following tools to monitor an ISE deployment
o The ISE dashboard
o ISE alarms
o CLI commands
o ISE reporting
Step 1 For proactive notification of issues, ISE provides alarms to alert on a variety of issues. The
alarm categories are:
Alarm Categories
Passed Authentications
Failed Authentications
Authentication Inactivity
Unknown NAD
External DB Unavailable
RBACL drops
i. Go to Monitor > Alarms > Rules. Note the alarm rules listed. Enable any
disabled alarm rules. The enabled rules in this list are the active alarms. In
addition to these alarms there are ISE built-in alarms for license violations.
b. Check for alerts in the Alarm Inbox: go to Monitor > Alarms > Inbox.
i. For example, if the built-in license alarms are triggered, you will see them in the
inbox:
Attribute Value
Enabled []
Schedule nonstop
by a Device IP
Severity Critical
iii. Confirm that ISE is receiving these log messages under Monitor > Reports >
Catalog > Network Device > Network Device Log Messages
iv. Confirm that the alarm inbox shows a NAD Down alarm:
Step 6 The following CLI commands can be used to support ISE monitoring. Run them to
become familiar with the outputs.
a. show application status ise
b. show ntp
c. show clock
d. show inventory
e. show version
f. show ports
g. show memory
h. show process
Step 7 Examine key ISE reports that can aid in ISE monitoring
a. Run a server health summary report, Monitor > Reports > Catalog > Server Instance >
Server Health Summary. This report provides a correlation of CPU utilization, memory
utilization and RADIUS response latency. Here is an excerpt example from this report:
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 6: ISE APIs
Exercise Description
In this exercise you will understand the basic behavior and invocation of ISE APIs. This lab is not
a programming exercise. An internet browser is used to invoke the RESTful web APIs.
Exercise Objective
In this exercise, your goal is to:
o Invoke some of the basic ISE web APIs, to get a sense of how ISE APIs work in
general
Note: All ISE APIs require authentication, but the ISE administrative access control is not applied. Therefore any
ISE administrator can invoke the APIs.
Note: The Version API is the only API that can be run against any ISE node. All other APIs must be run against a
Monitoring node. The following error will be seen if the incorrect type of ISE node is used:
<mnt-request-result>
<http-code>500</http-code>
<cpm-code>34110</cpm-code>
<description>
Server has encountered error while processing the REST request
</description>
<module-name>MnT</module-name>
<internal-error-info>
This host is not a MnT node. MnT REST APIs can not be executed on this
node.
</internal-error-info>
<requested-operation>Get All</requested-operation>
<resource-id>N/A</resource-id>
<resource-name>N/A</resource-name>
<resource-type>FailureReasonList</resource-type>
<status>SERVER_ERROR</status>
</mnt-request-result>
ii. In response to the calling of the Version API, you should see the following
response:
<product name="Cisco Identity Services Engine">
<version>1.0.3.368</version>
<type_of_node>1</type_of_node>
</product>
Note: Type of node:
Standalone node = 0
Active Monitoring node = 1
Secondary Monitoring node = 2
Not a Monitoring node = 3
Step 2 For a one-off download of ISE failure reasons (as displayed under Administration > System >
Monitoring > Failure Reason Editor), invoke the Failure Reasons API:
a. Browse to: https://ise-1.demo.local/ise/mnt/api/FailureReasons
Step 3 Check the current session count:
a. Browse to: https://ise-1.demo.local/ise/mnt/api/Session/ActiveCount
<sessionCount>
<count>0</count>
</sessionCount>
<calling_station_id>00:10:18:57:3A:44</calling_station_id>
<nas_ip_address>10.1.250.2</nas_ip_address>
<acct_session_id>00000366</acct_session_id>
<audit_session_id>0A01FA0200000176A3FCBF6E</audit_session_id>
<server>ise-1</server>
</activeSession>
</activeSessionList>
<sessionParameters>
<passed xsi:type="xs:boolean">true</passed>
<failed xsi:type="xs:boolean">false</failed>
<user_name>user2</user_name>
<nas_ip_address>10.1.250.2</nas_ip_address>
<calling_station_id>00:10:18:57:3A:44</calling_station_id>
<nas_port>50001</nas_port>
<network_device_name>3k-access</network_device_name>
<acs_server>ise-1</acs_server>
<authen_protocol>EAP-MSCHAPv2</authen_protocol>
<framed_ip_address>169.254.241.229</framed_ip_address>
<network_device_groups>
Device Type#All Device Types#Wired,Location#All Locations
</network_device_groups>
<access_service>RADIUS</access_service>
<auth_acs_timestamp>2011-03-17T23:23:06.841Z</auth_acs_timestamp>
<authentication_method>dot1x</authentication_method>
<execution_steps>
11001,11017,15008,15048,15048,15004,11507,12500,12625,11006,11001,11018,12301
,12300,12625,11006,11001,11018,12302,12318,12800,12805,12806,12807,12810,1230
5,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,110
18,12304,12318,12812,12804,12801,12802,12816,12310,12305,11006,11001,11018,12
304,12313,11521,12305,11006,11001,11018,12304,11522,11806,12305,11006,11001,1
1018,12304,11808,15041,15006,15013,24430,24416,24402,22037,11824,12305,11006,
11001,11018,12304,11810,11814,11519,12314,12305,11006,11001,11018,12304,12306
,11503,24423,15036,15004,15016,11002
</execution_steps>
<audit_session_id>0A01FA0200000176A3FCBF6E</audit_session_id>
<nas_port_id>GigabitEthernet0/1</nas_port_id>
<auth_id>1300156207684327</auth_id>
<auth_acsview_timestamp>2011-03-17T23:23:06.843Z</auth_acsview_timestamp>
<message_code>5200</message_code>
<acs_session_id>ise-1/89523529/3578</acs_session_id>
<service_selection_policy>Dot1X</service_selection_policy>
<authorization_policy>Default</authorization_policy>
<identity_store>demo.local</identity_store>
<response>
{User-Name=user2; State=ReauthSession:0A01FA0200000176A3FCBF6E;
Class=CACS:0A01FA0200000176A3FCBF6E:ise-1/89523529/3578; Termination-
Action=RADIUS-Request; EAP-Key-
Name=19:4d:82:97:d2:3d:83:0d:13:1b:f9:4b:36:26:d1:67:1e:5c:e7:60:17:c1:02:7d:
89:e8:44:24:59:6d:a8:07:ce:4d:82:97:d9:28:89:76:3d:2c:3d:0c:41:e6:ad:e1:eb:a5
:73:35:05:6e:8d:77:19:d4:b2:d4:28:83:d0:09:3b; MS-MPPE-Send-
Key=87:da:d5:e0:16:d0:c4:f6:2c:49:c1:0c:00:b1:a2:9b:7e:47:4e:99:27:cc:b7:9a:2
7:6a:7a:25:60:54:cc:00; MS-MPPE-Recv-
Key=d7:2a:4a:e2:86:2b:20:71:73:da:95:65:bf:5e:73:39:e7:e4:09:28:45:5d:ca:07:c
5:dd:32:cc:17:39:48:62; }
</response>
<service_type>Framed</service_type>
<cisco_av_pair>audit-session-id=0A01FA0200000176A3FCBF6E</cisco_av_pair>
<ad_domain>demo.local</ad_domain>
<acs_username>user2</acs_username>
<radius_username>user2</radius_username>
<selected_identity_store>demo.local</selected_identity_store>
<authentication_identity_store>demo.local</authentication_identity_store>
<identity_policy_matched_rule>Default</identity_policy_matched_rule>
<nas_port_type>Ethernet</nas_port_type>
<selected_azn_profiles>PermitAccess</selected_azn_profiles>
<eap_tunnel>PEAP</eap_tunnel>
<other_attributes>
ConfigVersionId=94,DestinationPort=1812,Protocol=Radius,Framed-
MTU=1500,State=37CPMSessionID=0A01FA0200000176A3FCBF6E;29SessionID=ise-
1/89523529/3578;,EAP-Key-
Name=,CPMSessionID=0A01FA0200000176A3FCBF6E,CPMSessionID=0A01FA0200000176A3FC
BF6E,EndPointMACAddress=00-10-18-57-3A-44,Device Type=Device Type#All Device
Types#Wired,Location=Location#All Locations,Model Name=Unknown,Software
Version=Unknown,ExternalGroups=demo.local/Users/Domain
Users,ExternalGroups=demo.local/Builtin/Users,IdentityAccessRestricted=false,
Device IP Address=10.1.250.2,Called-Station-ID=54:75:D0:E3:01:01
</other_attributes>
<response_time>13</response_time>
<destination_ip_address>10.1.100.21</destination_ip_address>
<acct_id>1300156207689346</acct_id>
<acct_acs_timestamp>2011-03-18T17:45:42.162Z</acct_acs_timestamp>
<acct_acsview_timestamp>2011-03-18T17:45:42.283Z</acct_acsview_timestamp>
<acct_session_id>00000366</acct_session_id>
<acct_status_type>Interim-Update</acct_status_type>
<acct_session_time>66157</acct_session_time>
<acct_input_octets>4288874</acct_input_octets>
<acct_output_octets>8891728</acct_output_octets>
<acct_input_packets>30808</acct_input_packets>
<acct_output_packets>110594</acct_output_packets>
<acct_class>CACS:0A01FA0200000176A3FCBF6E:ise-1/89523529/3578</acct_class>
<acct_delay_time>0</acct_delay_time>
<started xsi:type="xs:boolean">false</started>
<stopped xsi:type="xs:boolean">false</stopped>
</sessionParameters>
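The responses in this exercise are easier to work with when parsed rather than read in a browser. The following Python is an added example (not part of the lab guide and not an ISE library) that interprets the Version, Session/ActiveCount and session-record XML shown above, maps type_of_node to the documented node types, and turns the "not a MnT node" error into an exception. The XML samples are constructed from the responses above and trimmed, with an xmlns:xsi declaration added so the xsi:type attributes parse; the function names are the example's own.

```python
"""Interpret Cisco ISE 1.0 Monitoring (MnT) REST API responses offline.
Added example, not part of the lab guide or any ISE library; the XML samples
are constructed from the responses shown in this exercise and trimmed."""
import xml.etree.ElementTree as ET

# <type_of_node> values as documented for the Version API response.
NODE_TYPES = {0: "Standalone node", 1: "Active Monitoring node",
              2: "Secondary Monitoring node", 3: "Not a Monitoring node"}

# Constructed sample: Version API response.
VERSION_XML = """<product name="Cisco Identity Services Engine">
<version>1.0.3.368</version>
<type_of_node>1</type_of_node>
</product>"""

# Constructed sample: error body returned when an MnT API is invoked on a
# node that is not a Monitoring node (trimmed).
NOT_MNT_XML = """<mnt-request-result>
<http-code>500</http-code>
<cpm-code>34110</cpm-code>
<internal-error-info>
This host is not a MnT node. MnT REST APIs can not be executed on this node.
</internal-error-info>
<status>SERVER_ERROR</status>
</mnt-request-result>"""

# Constructed sample: Session/ActiveCount response.
COUNT_XML = "<sessionCount><count>0</count></sessionCount>"

# Constructed sample: session record, trimmed. The xmlns:xsi declaration is
# added so the xsi:type attributes seen in the real response parse cleanly.
SESSION_XML = """<sessionParameters
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<passed xsi:type="xs:boolean">true</passed>
<failed xsi:type="xs:boolean">false</failed>
<user_name>user2</user_name>
<calling_station_id>00:10:18:57:3A:44</calling_station_id>
<network_device_name>3k-access</network_device_name>
<nas_port_id>GigabitEthernet0/1</nas_port_id>
<authentication_method>dot1x</authentication_method>
<eap_tunnel>PEAP</eap_tunnel>
<authen_protocol>EAP-MSCHAPv2</authen_protocol>
<selected_azn_profiles>PermitAccess</selected_azn_profiles>
</sessionParameters>"""


class MntApiError(Exception):
    """Raised when the API answers with an <mnt-request-result> error."""


def mnt_api_url(mnt_host, resource):
    """URL of an MnT REST resource such as 'Session/ActiveCount'. Except for
    the Version API, mnt_host must be a Monitoring node."""
    return "https://%s/ise/mnt/api/%s" % (mnt_host, resource)


def parse_mnt_response(xml_text):
    """Parse a response body; surface an error result as MntApiError."""
    root = ET.fromstring(xml_text)
    if root.tag == "mnt-request-result":
        raise MntApiError("HTTP %s, cpm-code %s: %s" % (
            root.findtext("http-code"), root.findtext("cpm-code"),
            (root.findtext("internal-error-info") or "").strip()))
    return root


def node_info(version_xml):
    """(version, node-type description) from a Version API response."""
    root = parse_mnt_response(version_xml)
    code = int(root.findtext("type_of_node"))
    return root.findtext("version"), NODE_TYPES.get(code, "Unknown (%d)" % code)


def accepts_mnt_apis(version_xml):
    """True unless the node reports type 3, 'Not a Monitoring node'."""
    return node_info(version_xml)[1] != NODE_TYPES[3]


def active_session_count(count_xml):
    """Session count as an integer from a Session/ActiveCount response."""
    return int(parse_mnt_response(count_xml).findtext("count"))


def session_summary(session_xml):
    """Reduce a session record to the fields an operator checks first."""
    root = parse_mnt_response(session_xml)

    def text(tag):
        return (root.findtext(tag) or "").strip()

    return {
        "user": text("user_name"),
        "mac": text("calling_station_id"),
        "port": "%s %s" % (text("network_device_name"), text("nas_port_id")),
        "method": "/".join(text(t) for t in
                           ("authentication_method", "eap_tunnel", "authen_protocol")),
        "authz_profile": text("selected_azn_profiles"),
        "passed": text("passed") == "true" and text("failed") != "true",
    }


if __name__ == "__main__":
    print(node_info(VERSION_XML), active_session_count(COUNT_XML))
    print(session_summary(SESSION_XML))
```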
End of Exercise: You have successfully completed this exercise. Proceed to next
section.
Appendix A Enabling 802.1X on Windows 7
Step 1 From the Windows desktop, either double-click the Services shortcut icon or navigate to Start
Menu > Administrative Tools > Services. Scroll down until you see the Wired AutoConfig
(not WLAN AutoConfig) service.
a. Right-Click Wired AutoConfig and select Properties.
i. Choose Startup type: Automatic
ii. Apply and then Start the service
iii. Select OK.
Step 2 Go to Start Menu > Control Panel > Network and Sharing Center
Step 3 Select Change Adapter Settings from the left column.
Step 4 Right-click Local Area Connection and select Properties from the menu.
Step 5 Click the Authentication tab (this was enabled by starting the Wired AutoConfig service) and
verify the settings:
Step 6 Select Settings next to Microsoft: Protected EAP (PEAP) and check Validate Server Certificate,
and trust the ca certificate authority:
Step 7 For Select Authentication Method choose Secured password (EAP-MSCHAP v2) then
select Configure...
Step 8 Uncheck "Automatically use my Windows logon name and password" to prevent
username/password caching and allow you to easily test many different users and groups.
Step 9 Select OK
Step 10 Select Additional Settings
Step 11 Select Specify authentication mode and choose User Authentication
Step 12 Select OK and OK again to save and exit settings. Your endpoint should now be ready to
handle 802.1X user authentication.
Step 13 You should see a message popup on the Windows 7 Endpoint: Additional information is
needed to connect to this network. Click on the message to view the 802.1X user
authentication dialog.
Note: If you do not see this dialog, disable and enable the network interface.
Note: Microsoft Windows does not provide any feedback for a Passed Authentication but it will re-prompt you for a
failed authentication.
Appendix B ISE Certificate Configuration
Step 1 Download the CA's certificate
a. Open a browser window to http://ad.demo.local/certsrv and login as
administrator/cisco123
b. Click on "Download a CA certificate, certificate chain, or CRL"
c. Click on "Download CA certificate" and save it
Step 2 Trust the CA in ISE
a. In ISE, go to Administration > System > Certificates > Certificates Authority
Certificates
b. Add the CA certificate as a trusted certificate
Attribute Value
ise
Step 3 Create a certificate signing request (CSR)
a. Go to Administration > System > Certificates > Local Certificates, and click
Add
b. Generate a certificate signing request
Attribute Value
c. Export the CSR from Administration > System > Certificates > Certificate
Signing Requests
d. Once saved, open the .PEM file with notepad and copy the entire contents to the
clipboard.
Step 4 Submit the CSR to the CA for signing
a. From a browser window, go to http://ad.demo.local/certsrv and login
with administrator / cisco123.
b. Click on Request a certificate, and then Advanced certificate request.
Attribute Value
Attribute Value
Replace Certificate [ ]
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
Lab Overview
This lab is designed to help attendees understand how to deploy Identity Services Engine (ISE) in
a wireless environment using the Cisco Wireless LAN Controller (WLC). This lab covers the
configuration of ISE for wireless 802.1X and web authentication to address the common
requirements to support Employee and Guest users. Students will validate ISE configuration for
wireless by connecting to the wireless network from a Windows 7 client PC. Lab participants
should be able to complete the lab within the allotted time of 2 hours.
Lab Exercises
This lab guide includes the following exercises:
100 DATACENTER 10.1.100.0/24 Network services (AAA, AD, DNS, DHCP, etc.)
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By
default, all client PC access will remain in the ACCESS VLAN 11.
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer
c. Clicking on this option should launch your RDP client and connect you to the Admin PC.
Login as DEMO\admin / cisco123 (Domain = DEMO)
Note: All lab configurations can be performed from the Admin client PC.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 The IP address of your pod's ESX server is 10.1.11.X where X = 10+(your pod number)
Note: Be careful to only connect to your pod's ESX server. If unsure, contact your class proctor.
Step 2 Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, go to Start and select from the Windows Start
Menu to open a terminal session using PuTTY.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of
the desired device in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Note: The ping test may fail for VMs that have not yet completed the boot process.
Exercise Description
This lab covers the ISE configuration requirements to support wireless access using Cisco
Wireless LAN Controllers (WLCs). Key components of any wireless solution are the access
points. These devices are often distributed throughout the network and connect to wired access
switches in order to communicate to the WLC for centralized authentication and policy control.
Therefore, it is critical that we configure our access switches and ISE to provide the required
access to authorized access points. This lab exercise reviews the basic ISE configuration steps
to authorize network access to Cisco Wireless Access Points to allow secure WLC connectivity.
Exercise Objective
In this exercise, your goal is to configure ISE to allow secured network access for Cisco Wireless
Access Points including completion of the following tasks:
Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points
Review the access switch configuration to authorize an access point using MAC
Authentication Bypass (MAB).
Verify proper authorization of a Cisco Access Point based on ISE policy
The resultant Attribute Details should appear at the bottom of the page as the following:
rule as shown in the policy table below. Use the selector at the end of a
rule entry to insert or duplicate rules.
b. Enter the following values for a new rule named Profiled Cisco Access Points:
Rule Name | Identity Groups | Other Conditions | Permissions
Profiled Cisco IP Phones | Cisco-IP-Phone | - | Cisco_IP_Phones
Profiled Cisco Access Points | Cisco-Access-Point | - | Cisco_Access_Points
Domain_Computer | Any | demo.local:ExternalGroups EQUALS demo.local/Users/Domain Computers | AD_Login
Employee | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees | Employee
Employee_Compliant | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:PostureStatus EQUALS Compliant | Employee
Employee_PreCompliant | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:PostureStatus NOT EQUALS Compliant | Posture_Remediation
Contractor_Compliant | Contractor | Session:PostureStatus EQUALS Compliant | Guest
Note: Some entries in the table were created as a result of other ISE lab sessions covering Basic Classification
and Enforcement, Profiling, Guest and Posture Services. Rules related to posture checking and status have
been disabled as they are not used in the current lab exercises, but are available for optional testing at the
conclusion of this lab.
b. To view log messages from the terminal session, enter the terminal monitor command
at the switch exec prompt:
Note: Use the command terminal no monitor if you need to disable the monitoring of terminal logging
without exiting the session.
c. Review the switchport configuration for interface GigabitEthernet 0/3 using the command
show run interface GigabitEthernet 0/3:
The interface is configured with a default port ACL that permits limited network access
prior to authentication such as DHCP and DNS connectivity. Although an access point
may be configured for 802.1X authentication, in this lab MAB will be used to authenticate
the Cisco Wireless Access Point.
d. Enter configuration mode for interface GigabitEthernet 0/3 and enable the port using the
no shutdown command:
3k-access# conf t
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)# int gi0/3
3k-access(config-if)# no shut
3k-access(config-if)# end
3k-access#
e. After issuing the no shut command, use the following exec command to view the current
authorization status of interface GigabitEthernet 0/3:
After a couple minutes, the output should appear similar to the following:
Note: In this lab the Cisco Wireless Access Point receives inline power from the access switch. Therefore, it may
take a minute or two for the access point to complete the bootstrap process and initiate network
communication. Once the access point is fully started, it will attempt to acquire an IP address and discover
the Cisco Wireless LAN Controller. As network information is collected by ISE Profiling Services (SNMP,
DHCP, etc), ISE will perform device classification.
As shown in the above output, once authenticated to the switchport using MAB, the
access point is authorized based on the Profiled Cisco Access Points policy rule. ISE will
apply the permissions in the Cisco_Access_Points profile including VLAN and dACL
assignment.
f. Display the current dACL applied to the interface using the command show ip access-
lists interface GigabitEthernet 0/3. The output should appear similar to the following:
Step 3 Verify the Cisco Wireless Access Point authentication in the ISE Monitor > Authentications
log:
Note: The access point periodically attempts to renew its IP address if it has no network connectivity. The default
port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in
the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point will renew its IP
address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The
access list applied to this session reflects the final endpoint IP address through variable substitution of the
any value in the dACL's source IP address field.
Later in the lab you will verify the status of the Access Point connection to the Wireless
Controller from the WLC admin interface.
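The substitution described in the note above, as an added example that is not Cisco's or ISE's own code: the dACL body, the endpoint addresses and the helper names are constructed for illustration, and the block also flags ACEs whose source is not "any", since those are applied verbatim rather than bound to the session.

```python
"""Added example, not Cisco's or ISE's own code: how the switch binds a dACL
whose ACEs use "any" as the source to the authenticated session, as the note
above describes. The dACL body and the two addresses are constructed for
illustration (10.1.100.10 before and 10.1.90.100 after the VLAN 90 renewal).
"""
import ipaddress
import re

# Constructed dACL body in the one-ACE-per-line form ISE stores (no ACL name).
CISCO_ACCESS_POINTS_DACL = """\
permit udp any any eq 67
permit udp any any eq 53
permit ip any host 10.1.100.21
permit ip any 10.1.90.0 0.0.0.255
deny ip any any
"""

ACE_RE = re.compile(r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)$")


def _split_ace(line: str):
    """Return (action, proto, source_spec_tokens, remainder_tokens) for one ACE."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    tokens = m["rest"].split()
    # Source spec is "any" (1 token), "host A.B.C.D" or "A.B.C.D wildcard" (2 tokens).
    if tokens[0] == "any":
        src, remainder = ["any"], tokens[1:]
    else:
        src, remainder = tokens[:2], tokens[2:]
    return m["action"], m["proto"], src, remainder


def _aces(dacl: str):
    """Yield the ACE lines of a dACL body, skipping blanks, comments and remarks."""
    for line in dacl.splitlines():
        line = line.strip()
        if line and not line.startswith(("!", "remark")):
            yield line


def bind_dacl_to_session(dacl: str, endpoint_ip: str) -> list:
    """Render the per-session ACL: every source "any" becomes "host <endpoint_ip>",
    which is the form 'show ip access-lists interface' displays on the switch."""
    host = ipaddress.ip_address(endpoint_ip)      # reject malformed addresses early
    bound = []
    for line in _aces(dacl):
        action, proto, src, remainder = _split_ace(line)
        if src == ["any"]:
            src = ["host", str(host)]
        bound.append(" ".join([action, proto, *src, *remainder]))
    return bound


def unbound_aces(dacl: str) -> list:
    """ACEs whose source is not "any": they are applied verbatim, so they are
    not tied to the session's address and deserve review before deployment."""
    return [line for line in _aces(dacl) if _split_ace(line)[2] != ["any"]]


if __name__ == "__main__":
    # The AP authenticates while still holding its pre-authorization address...
    for ace in bind_dacl_to_session(CISCO_ACCESS_POINTS_DACL, "10.1.100.10"):
        print("before renewal:", ace)
    # ...and after the DHCP renewal in VLAN 90 the same dACL is bound to the new address.
    for ace in bind_dacl_to_session(CISCO_ACCESS_POINTS_DACL, "10.1.90.100"):
        print("after renewal: ", ace)
    print("review:", unbound_aces("permit ip 10.1.0.0 0.0.255.255 any\n" + CISCO_ACCESS_POINTS_DACL))
```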
Exercise Description
This exercise reviews the ISE configuration to authenticate wireless users accessing the network
from a Cisco Wireless LAN Controller. Both 802.1X and Web Authentication will be configured
and applicable authorization policies applied based on user identity. The two main user identities
will be Employee and Guest. Employees will use 802.1X authentication and Guest users will use
web authentication from the WLC.
As 802.1X, Web Authentication, and Guest Services were covered in other lab sessions, details
on their configuration will not be covered in this lab, although items specific to wireless access will
be addressed.
Exercise Objective
In this exercise, your goal is to understand the minor differences required to configure ISE with a
Wireless LAN Controller (WLC) as compared to a wired access switch including completion of the
following tasks in ISE:
Modify the Authentication Policy to accept 802.1X authentication from wireless access
devices
Validate the ISE connection to the AD Server to support Employee authentication against
the Windows domain
Step 1 Access the web interface of the ISE Administrative node at https://ise-1.demo.local using the
credentials admin / default1A.
Step 2 Verify that the lab Wireless LAN Controller is properly configured as a Network Access Device in
ISE.
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand pane, select wlc.
c. The WLC was added during the Bootstrap lab. Verify and update the current settings as
shown in the following table:
Attribute Value
Name ise-4
Description Inline Posture node for ASA VPN
IP Address 10.1.100.61 / 32
Model Name -
Software Version -
Location All Locations
Device Type Wireless
[ ] Authentication Settings
Protocol RADIUS
Shared Secret cisco123
[ ] SNMP Settings
SNMP Version v2c
SNMP RO Community Ciscoro
Polling Interval 600 (seconds)
Link Trap Query [ ]
MAC Trap Query [ ]
Note: Although not required for basic RADIUS authentication, enabling SNMP for the WLC will facilitate wireless
profiling using the SNMP probe.
Hint: Under the Dot1X rule, click the plus sign after the IF condition.
Be sure to select the OR logical operator. Wireless_802_1X will appear under the list of
Compound Conditions.
Step 5 Click Save to apply the policy change.
Note: The WLC currently supports named ACLs and not Downloadable ACLs (dACLs). In contrast to
dACLs, which are defined on ISE and dynamically downloaded to the access device, named ACLs must be
preconfigured on the access device.
Since each access device type (wired switch and wireless controller) only supports specific RADIUS
attributes, only those that apply to the access device will be consumed. Therefore, we are able to apply the
same ACL to each access device through a single Authorization Profile.
In this lab, named ACLs are distinguished from dACLs using hyphens rather than underscores. This is
simply a matter of choice.
Rule Name | Identity Groups | Other Conditions | Permissions
Profiled Cisco IP Phones | Cisco-IP-Phone | - | Cisco_IP_Phones
Profiled Cisco Access Points | Cisco-Access-Point | - | Cisco_Access_Points
Domain_Computer | Any | demo.local:ExternalGroups EQUALS demo.local/Users/Domain Computers | AD_Login
Employee | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees | Employee
Guest | Guest | Session:PostureStatus EQUALS Compliant | Guest
Note: Some entries in the table were created as a result of other ISE lab sessions covering Basic Classification
and Enforcement, Profiling, Guest and Posture Services. Rules related to posture checking and status have
been disabled as they are not used in the current lab exercises, but are available for optional testing at the
conclusion of this lab. These entries were omitted from the table shown above to simplify the display.
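A first-match evaluator for the two authorization policy tables in this lab (the one above and the one in the earlier access point exercise, merged), added here as an example that is not ISE's own code: the rule names, identity groups, conditions and permissions come from the tables, while the session attributes, the evaluation logic and the "DenyAccess" default are assumptions made for illustration.

```python
"""Added example, not Cisco's or ISE's own code: a first-match evaluator for
the authorization policy tables in this lab (both tables merged). The rule
contents come from the tables; the session attributes, the evaluator and the
default result are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Condition:
    attribute: str   # e.g. "demo.local:ExternalGroups" or "Session:PostureStatus"
    operator: str    # "EQUALS" or "NOT EQUALS"
    value: str

    def matches(self, session: dict) -> bool:
        actual = session.get(self.attribute)
        # ExternalGroups is multi-valued: a user may belong to several AD groups.
        values = actual if isinstance(actual, (list, tuple, set)) else [actual]
        present = self.value in values
        if self.operator == "EQUALS":
            return present
        if self.operator == "NOT EQUALS":
            return not present
        raise ValueError(f"unsupported operator {self.operator!r}")


def parse_condition(text: str) -> Condition:
    """Parse text such as 'Session:PostureStatus NOT EQUALS Compliant'."""
    for op in ("NOT EQUALS", "EQUALS"):          # longest operator first
        if f" {op} " in text:
            attr, value = text.split(f" {op} ", 1)
            return Condition(attr.strip(), op, value.strip())
    raise ValueError(f"cannot parse condition: {text!r}")


@dataclass
class Rule:
    name: str
    identity_group: str                              # "Any" or an endpoint identity group
    conditions: list = field(default_factory=list)   # ANDed together, as in the table
    permissions: str = ""
    enabled: bool = True


def rule_matches(rule: Rule, session: dict) -> bool:
    if not rule.enabled:
        return False
    if rule.identity_group != "Any" and session.get("IdentityGroup") != rule.identity_group:
        return False
    return all(c.matches(session) for c in rule.conditions)


def authorize(policy: list, session: dict) -> tuple:
    """Return (rule name, permissions) of the first enabled matching rule.
    ISE applies the first matched rule; the default result here is a
    constructed placeholder, not the lab's real default rule."""
    for rule in policy:
        if rule_matches(rule, session):
            return rule.name, rule.permissions
    return "Default", "DenyAccess"


EMPLOYEES = "demo.local:ExternalGroups EQUALS demo.local/Users/employees"
DOMAIN_COMPUTERS = "demo.local:ExternalGroups EQUALS demo.local/Users/Domain Computers"
COMPLIANT = "Session:PostureStatus EQUALS Compliant"
NOT_COMPLIANT = "Session:PostureStatus NOT EQUALS Compliant"

LAB_POLICY = [
    Rule("Profiled Cisco IP Phones", "Cisco-IP-Phone", [], "Cisco_IP_Phones"),
    Rule("Profiled Cisco Access Points", "Cisco-Access-Point", [], "Cisco_Access_Points"),
    Rule("Domain_Computer", "Any", [parse_condition(DOMAIN_COMPUTERS)], "AD_Login"),
    Rule("Employee", "Any", [parse_condition(EMPLOYEES)], "Employee"),
    # Posture rules are present but disabled in this lab (see the note above).
    Rule("Employee_Compliant", "Any",
         [parse_condition(EMPLOYEES), parse_condition(COMPLIANT)], "Employee", enabled=False),
    Rule("Employee_PreCompliant", "Any",
         [parse_condition(EMPLOYEES), parse_condition(NOT_COMPLIANT)], "Posture_Remediation",
         enabled=False),
    Rule("Contractor_Compliant", "Contractor", [parse_condition(COMPLIANT)], "Guest", enabled=False),
    Rule("Guest", "Guest", [parse_condition(COMPLIANT)], "Guest"),
]

# Constructed sessions standing in for the RADIUS and profiling context ISE holds.
SESSIONS = {
    "access_point": {"IdentityGroup": "Cisco-Access-Point"},
    "employee1": {"IdentityGroup": "Workstation",
                  "demo.local:ExternalGroups": ["demo.local/Users/employees"],
                  "Session:PostureStatus": "NotApplicable"},
    "domain_pc": {"IdentityGroup": "Workstation",
                  "demo.local:ExternalGroups": ["demo.local/Users/Domain Computers"]},
    "guser001": {"IdentityGroup": "Guest", "Session:PostureStatus": "Compliant"},
    "stranger": {"IdentityGroup": "Unknown"},
}


def with_posture_rules_enabled(policy: list) -> list:
    """Copy of the policy with every rule enabled, to show the effect of rule order."""
    return [Rule(r.name, r.identity_group, r.conditions, r.permissions, True) for r in policy]


if __name__ == "__main__":
    for who, session in SESSIONS.items():
        print(f"{who:13s} -> {authorize(LAB_POLICY, session)}")
    # Because "Employee" precedes the posture rules, enabling them in this order
    # still never sends a non-compliant employee to Posture_Remediation.
    print("employee1 (posture rules enabled) ->",
          authorize(with_posture_rules_enabled(LAB_POLICY), SESSIONS["employee1"]))
```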
e. After a few moments, a message should appear to indicate that the node has
successfully joined the domain. Click OK.
Exercise Description
Configure the WLC to authenticate Employee users on an Employee SSID using 802.1X.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Configure the essential wireless controller functions such as ports, interfaces, management
network settings, and high-level wireless properties
Configure ISE as a RADIUS server for the WLC
Define a wireless ACL for Employee access
Configure a WLAN for Employees using 802.1X authentication
b. Use the administrative username and password admin / cisco123 to login. You will see
the Monitor Summary page giving a status overview of the WLC.
Note: The minimum WLC software version required to work with ISE is WLC v7.0.114.x. This is required for
RADIUS Change of Authorization (RFC 3576) support.
Step 3 Under the Access Point Summary section, verify that the Cisco Access Point is connected and
status is Up:
Step 4 Click the Detail link to see more information about the connected AP. The MAC address listed
for the connected AP should match the address authorized by interface Gi0/3 on the access
switch.
Step 7 Add a new dynamic interface to the WLC to be used for both Employee and Guest access:
a. Select Controller > Interfaces and click New! (upper right corner)
b. Enter the following values and click Apply:
Interface Name: access
VLAN Identifier: 11
Step 8 Select Controller > Ports and verify that you are using Port 1 and it is UP
Step 9 Select Controller > NTP > Server and verify it has an NTP server configured as shown:
Server Index Server Address Key Index NTP Msg Auth Status
1 128.107.220.1 0 AUTH_DISABLE
Step 10 Select Controller > Advanced > DHCP and disable DHCP Proxy, and then click Apply:
Attribute Value
Enable DHCP Proxy * NOT CHECKED *
Note: Disabling DHCP Proxy is not mandatory, but may be useful in ISE profiling of wireless devices. By disabling
the WLC DHCP proxy, we allow DHCP client requests to pass through the WLC and to reach the default
gateway. Using IP Helper (or DHCP Relay) statements on the default gateway interface can allow
forwarding of DHCP to the real DHCP server. Additional helper/relay statements can be configured to allow
these same packets to be forwarded to the ISE Policy Service node running Profiler Services. The ISE node
will not respond to DHCP requests, but the DHCP probe can parse the attributes to assist in device
classification.
Note: This setting is not required for 802.1X authentication as noted in the footnote but may be useful in ISE
profiling of wireless devices even when they connect to non-1X networks configured for RADIUS NAC. By
sending the MAC address of the endpoint versus IP address, RADIUS packets sent to an ISE Policy Service
node configured for Profiling Services will be able to discover this MAC address and collect attributes for
classification purposes.
Note: Full Profiling Services are NOT currently supported for non-1X WLANs since CoA is not supported on these
networks. However, profiling information can be collected for endpoints while connected to non-1X WLAN.
This information can then be used for inventory purposes. It can also be used for new wireless connections
that rely on 802.1X or wireless MAC Filtering via RADIUS lookup for authentication and authorization.
Step 12 Create a new RADIUS Authentication Server entry for ISE by clicking New! Enter the
following values as shown and then click Apply:
Attribute Value
Server Index (Priority) 1
Server IP Address 10.1.100.21
Shared Secret Format ASCII
Shared Secret cisco123
Key Wrap (Not checked)
Port Number 1812
Server Status Enabled
Support for RFC 3576 Enabled
Server Timeout 2 seconds
Network User Enabled
Management Enabled
IPSec (Not checked)
Step 13 Navigate to Security > AAA > RADIUS > Accounting and verify the Global accounting
settings:
Step 14 Create a new RADIUS Accounting Server entry for ISE by clicking New! Enter the following
values as shown and then click Apply:
Attribute Value
Server Index (Priority) 1
Server IP Address 10.1.100.21
Shared Secret Format ASCII
Shared Secret cisco123
Port Number 1813
Server Status Enabled
Server Timeout 30 seconds
Network User Enabled
IPSec (Not checked)
Step 15 Navigate to Security > AAA > RADIUS > Fallback and configure the following RADIUS
Fallback settings:
Attribute Value
Fallback Mode Passive
Username
Interval 180
Step 16 Create a new Access Control List to permit full network access for authorized Employees:
a. Navigate to Security > Access Control Lists > Access Control Lists.
b. Check Enable Counters, and then click Apply.
c. Click New! and enter the name PERMIT-ALL-TRAFFIC, then click Apply.
d. Select the name of the new ACL and click Add New Rule.
e. Enter the following values for the new ACL rule and click Apply:
Name | Seq | Source IP | Destination IP | Protocol | Src Port | Dst Port | DSCP | Direction | Action
PERMIT-ALL-TRAFFIC | 1 | Any | Any | Any | ANY | Any | Any | Any | Permit
Note: PERMIT-ALL-TRAFFIC is the named WLC ACL defined in the ISE Authorization Profile for Employees. The
default rule Action is Deny, so be sure to change the Action value to Permit in the PERMIT-ALL-TRAFFIC
ACL. To return to the edit page for an ACL rule, click the link for the sequence number.
Step 18 Configure a new SNMP community name for ISE access by going to Management > SNMP >
Communities and clicking New! Enter the values as shown:
Attribute Value
Community Name ciscoro
IP Address 10.1.100.0
IP Mask 255.255.255.0
Access Mode Read-Only
Status Enable
Note: The Community Name must match exactly (community strings are case-sensitive) the value specified in ISE
under the Network Access Device configuration for the WLC. SNMP is not a requirement but may be useful for
ISE profiling of wireless devices from the Policy Service node using the SNMP Query probe.
Note: Prefix your SSID with your pod number (p#-) in order to make it unique from the other lab pod SSIDs!
Step 21 Enter the initial values from table below and then click Apply to complete the entry of remaining
values using the menu tabs to navigate between WLAN configuration screens:
General
Type WLAN
Profile Name p#-employee
SSID p#-employee
ID 1
Status Enabled
Radio Policy All
Interface / Group access
Broadcast SSID Enabled
Security Layer 2
Layer 2 Security WPA+WPA2
WPA Policy (Not checked)
WPA2 Policy Enabled
WPA2 Encryption AES
Auth Key Mgmt 802.1X
Security Layer 3
Layer 3 Security None
Web Policy (Not checked)
Note: Enabling Allow AAA Override is critical to allow attributes from the AAA server (ISE) to take precedence over
the local WLC configuration.
Step 22 Select Apply to save then select Apply again to activate the configuration.
Step 23 Select WLANs again to review the current settings:
WLAN ID | Type | Profile Name | WLAN SSID | Admin Status | Security Policies
1 | WLAN | p#-employee | p#-employee | Enabled | [WPA2][Auth(802.1X)]
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Exercise Description
This lab exercise reviews the process to connect a Windows 7 client to a wireless SSID
configured for 802.1X authentication using the native supplicant. The student will test login using
the credentials of an Employee user in Microsoft AD and verify privileged access is granted only
after successful authentication.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Configure the native supplicant on a Windows 7 client PC for 802.1X user authentication.
Associate to an Employee SSID and test 802.1X authentication using the credentials of an
Employee user in the AD domain.
Verify full network access is granted after successful authentication as an Employee.
Step 1 Log into the Windows 7 PC client as DEMO\employee1 / cisco123, where DEMO is the
Windows domain name.
Step 2 Configure the Win7-PC client wireless adapter for 802.1X user authentication:
b. Open the Network Connections shortcut from the Lab Tools window.
c. Disable the Wireless Network Connection, if not already disabled. To disable, first
select the entry and right-click to bring up the pop-up menu, and then click Disable.
Step 3 Verify that you now see the p#-employee SSID by again right-clicking on the Wireless
Network Connection entry and selecting Connect / Disconnect from the pop-up menu:
Step 4 Select Open Network and Sharing Center from the bottom of the Connection menu.
Step 5 Click on Manage Wireless Networks from the left column of the Control Panel Home menu:
Step 13 Under Choose a network authentication method: be sure Microsoft: Protected EAP (PEAP) is
selected and then click the Settings button.
Step 14 Disable (uncheck) Validate server certificate.
Step 4 Click OK again to return to the main Wireless Network Properties page for the p#-employee
SSID.
Step 5 Click the Advanced Settings button and enable the authentication mode for User
Authentication then click OK and OK again to dismiss the property pages.
Note: Windows will not tell you if you have authenticated successfully, only re-prompt you if it fails.
Step 9 Open a web browser on the Windows 7 PC client and verify the authenticated Employee user
can reach an external site such as www.cisco.com
Step 10 Verify the authenticated user can reach the internal site www-int.demo.local:
Step 11 If you get an error Unable to find proxy server in the browser, it is most likely a failed
association to an SSID. Disable and re-enable the Wireless LAN Connection and pick p#-
employee SSID again to fix it.
Note: Since the default WLC policy is no ACL, it would have been possible to grant full access upon successful
authentication without an explicit ACL assignment. This lab exercise shows that any ACL could have been
applied based on the organizational security policy.
Exercise Description
Configure the WLC to authenticate Guest users on a Guest SSID using web authentication.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 1 From the Admin client PC, open a web browser and connect to the Wireless LAN Controller
(WLC) at https://wlc.demo.local using the administrative credentials admin / cisco123.
Step 2 The WLC uses a virtual interface to facilitate redirection of web requests from client devices to
an authentication page. During initial setup, an IP address is assigned to this virtual interface.
To be redirected based on domain name rather than IP address, a DNS name can be assigned
to the interface. Certificates can optionally be generated based on this DNS name.
Define a DNS name for the WLC virtual interface:
a. Navigate to Controller > Interfaces.
b. Select the interface named virtual.
c. Update the table as shown:
Attribute Value
Interface Name virtual
MAC Address nn:nn:nn:nn:nn:nn
IP Address 1.1.1.1
DNS Host Name wlc-virtual.demo.local
Note: In this lab the virtual interface was assigned an initial IP address of 1.1.1.1. The hostname wlc-virtual has
been pre-populated in the lab DNS server for the demo.local domain.
c. Review the ACLs for errors. The resulting ACLs should appear as the following. Be
particularly watchful of the Direction and Action settings for accuracy:
Note: The Cisco WLC does not currently support Central Web Authentication (CWA) as covered in the Basic
Classification and Guest Services labs for wired access. Instead, the WLC supports web authentication
similar to Local Web Authentication (LWA) performed on Cisco switches. In LWA, the access device
intercepts the login credentials via the web authentication process and then submits them to ISE via
RADIUS for authentication and authorization.
Step 5 Navigate to WLANs and create a WLAN profile for the Guest network by selecting the drop-
down Create New and clicking on Go:
Note: Prefix your SSID with your pod number (p#-) in order to make it unique from the other lab pod SSIDs!
General
Type WLAN
Profile Name p#-guest
SSID p#-guest
ID 2
Status Enabled
Radio Policy All
Interface / Group access
Broadcast SSID Enabled
Security Layer 2
Layer 2 Security None
Security Layer 3
Layer 3 Security None
Web Policy Enabled
Authentication Enabled
Preauthentication ACL ACL-WEBAUTH-REDIRECT
Security AAA Servers
Authentication Server #1 10.1.100.21, Port:1812
Accounting Server #1 10.1.100.21, Port:1813
Advanced
Allow AAA Override Enabled
Note: Enabling Allow AAA Override is critical to allow attributes from the AAA server (ISE) to take precedence over
the local WLC configuration.
Step 6 Select Apply to save then select Apply again to activate the configuration.
Step 7 Select WLANs again to review your current settings:
WLAN ID | Type | Profile Name | WLAN SSID | Admin Status | Security Policies
1 | WLAN | p#-employee | p#-employee | Enabled | [WPA2][Auth(802.1X)]
2 | WLAN | p#-guest | p#-guest | Enabled | Web-Auth
Step 8 Save the WLC configuration and reboot for all changes to take effect.
a. Click Save Configuration in the upper right corner of the main WLC admin interface and
acknowledge the prompt to confirm save.
b. Select Commands > Reboot. Acknowledge any messages to confirm reboot.
OPTIONAL TASK: Install a CA-signed WLC Certificate for Web Authentication
Step 9 Since the Security > Web Auth > Certificate page does not support FTP transfers for the
download of the web authentication certificate as required for our lab, we will perform the
transfer directly from the WLC console. Open up a terminal session to the WLC using the
PuTTY SSH client.
a. From the Admin client PC desktop, select Start > PuTTY from the Windows Start Menu.
b. Enter wlc in the hostname field and click Open.
c. Login to the WLC console using the credentials admin / cisco123.
Step 10 Enter the following highlighted transfer commands into the WLC console:
(Cisco Controller) >
transfer download serverip 10.1.100.6
transfer download mode ftp
transfer download username anonymous
transfer download datatype webauthcert
transfer download path /
transfer download filename wlc-cert.pem
transfer download certpassword cisco123
transfer download start
Mode............................................. FTP
Data Type........................................ Site Cert
FTP Server IP.................................... 10.1.100.6
FTP Server Port.................................. 21
FTP Path......................................... /
FTP Filename..................................... wlc-cert.pem
FTP Username..................................... anonymous
FTP Password..................................... *********
Certificate installed.
Configuration Saved!
System will now restart!
! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Exercise Description
This lab exercise reviews the process of connecting to a wireless SSID configured for Guest
authentication. A Windows 7 client PC will be used to authenticate to the Cisco WLC using web
authentication to the ISE Guest Services portal. The student will test login using the credentials
obtained through the Guest Self-Service feature and verify Internet access is granted only after
successful authentication.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Associate to a Guest SSID and test web authentication.
Generate guest user credentials using the Self-Service feature.
Verify Internet only network access is granted after successful authentication as a Guest.
Step 3 Launch a web browser and acknowledge any certificate warnings. Using the Firefox browser,
you can simply create exceptions. If you use Internet Explorer, then you may receive the following
browser warning:
Enter the following values into the form, and then click Submit:
Attribute Value
First Name Guest
Last Name User
Username: _________________________
Password: __________________________
To facilitate login, select and copy the password entry, making sure not to include any
extra characters.
c. Click the OK button to display the Web authentication login page again.
d. Enter your new Username/Password credentials and click the Log In button.
e. If an AUP was enabled for web authentication, check the box to Accept terms and
conditions and then click Accept.
Note: It is possible to also authenticate Employees via web authentication. To allow this requires that the Default
Authentication Policy rule in ISE includes AD users in the Identity Source, such as the Identity Sequence
AD_InternalUsers.
Step 5 Upon successful authentication, you should be redirected to the default web page. A smaller
web page should also appear to acknowledge successful web authentication and to allow Guest
users to log out of the wireless network through a web browser:
Step 6 Verify the authenticated user can reach an external site such as www.cisco.com:
If web page displays, then it may be in the browser cache. Be sure to clear the cache and
reattempt access.
Step 7 View the Guest authentication in the ISE Monitor > Authentications log:
Status | Username | Endpoint ID | IP Address | NAD | Device Port | AuthZ Profiles | Identity Group | Event
- | guser001 | nn:nn:nn:nn:nn:nn | 10.1.11.100 | wlc | - | Guest | Guest:Workstation | Auth Succeeded
- | guser001 | - | - | - | - | Guest | Guest | Authentication
Step 8 Verify the wireless connection from the WLC management interface.
a. From the Admin client PC, open a web browser and connect to the Wireless LAN
Controller (WLC) at https://wlc.demo.local using the credentials admin / cisco123.
b. Go to Monitor > Clients
! End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
Lab Overview
This lab is designed to help attendees understand how to deploy Identity Services Engine (ISE)
for remote access VPN clients. When deployed for VPN users, ISE uses a special inline
appliance known as an Inline Posture node to support advanced features such as posture
assessment and authorization control. The Inline Posture node provides traffic redirection
required for Client Provisioning and supports Change of Authorization (CoA) to dynamically
change access based on endpoint context.
This lab covers the configuration of an ISE Inline Posture node to support authentication,
authorization, and Posture Services for both Employees and Contractors via the NAC Agent and
Web Agent, respectively. Attendees will use a Windows PC with the AnyConnect VPN Client to
test access policies through an ASA appliance. Lab participants should be able to complete the
lab within the allotted lab time of 2 hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Introduction to ISE Inline Posture Node Deployment for VPN Users
Lab Exercise 2: Deploy and Configure an Inline Posture Node
Lab Exercise 5: Test and Monitor VPN Client Access for Contractors via an Inline Posture
Node using the Web Agent
Lab Exercise 6: Test and Monitor VPN Client Access for Employees via an Inline Posture
Node using the NAC Agent
Connect to a POD:
Step 1 Launch the Remote Desktop application on your system.
Step 2 Enter the Admin PC address:port for your pod per the table:
Step 3 Log in as admin / cisco123 (Domain = DEMO)
Step 4 All lab configurations can be performed from the Admin client PC.
To access and manage other computers used in this lab, follow the instructions Connect to
ESX Server Virtual Machines.
To access the console of the ISE appliance and other lab infrastructure devices, follow the
instructions Connect to Lab Device Consoles.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Reference the above POD Access Information table to verify the IP Address/Name of the ESX
Server for your pod.
Once logged in, you will see a list of VMs that are available on your ESX server:
Step 5 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, go to Start and select from the Windows Start
Menu to open a terminal session using PuTTY.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of
the desired device in the Host Name (or IP address).
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Lab Topology
This is the topology used for this lab.
Internal IP Addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
Internal VLANs and IP Subnets
The table that follows lists the internal VLANs and corresponding IP subnets used by the devices
in this setup.
VLAN  Name                           Subnet         Description
70    ASA (trusted)                  10.1.70.0/24   ASA inside network to Inline Posture Node untrusted interface
80    Inline Posture Node (trusted)  10.1.80.0/24   Dedicated Inline Posture Node VLAN for trusted interface
100   DATACENTER                     10.1.100.0/24  Network services (AAA, AD, DNS, DHCP, NTP, etc.)
Accounts and Passwords
The table that follows lists the accounts and passwords used in this lab.
Pre-Lab Setup Instructions
During the initial delivery of the ISE Labs for the NPI training sessions, the GOLD labs will
operate in a manual fashion. Therefore, it may be necessary to manually perform a few tasks
prior to the start of each lab. The following instructions will prepare your pod for successful
execution of this lab guide.
Loading 3k-access-lab4-start.cfg !
[OK - 8275/4096 bytes]
c. Change the access VLAN for the Win7-PC switchport to 60 (same as the ASA outside
interface):
3k-access(config-if)# switchport access vlan 60
3k-access(config-if)# end
3k-access#
b. Show the running configuration for interface GigabitEthernet 0/4 and verify the values
match those in the output below:
Check Lab ISE Virtual Machines
To ensure proper functioning of the pods for the start of each new lab, it is necessary to stop
and start specific VMs that may have been used in a previous session. Therefore, it will be
necessary to power OFF, then ON the VMs noted in the steps below.
Step 1 Power OFF the following VMs:
Win7 client PC (pX-win7-pc)
Web/Remediation Server (pX-www-int)
All ISE VMs (pX-ise-#)
(X = pod number, # = lab number)
Step 2 Power ON the following VMs:
Win7 client PC (pX-win7-pc)
Web/Remediation Server (pX-www-int)
Only the ISE VMs listed in the following table per your Lab #.
(X = pod number, # = lab number)
Lab # - Title ISE VMs
Note: Other virtual machines required for this lab such as AD and the Admin client will be started for you.
Note: The ping test may fail for VMs that have not yet completed the boot process.
https://ise-1.demo.local
b. Login with username admin and password default1A
(Accept/Confirm any browser certificate warnings if present)
The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.
Step 2 Go to Administration > Identity Management > External Identity Stores and select Active
Directory from the left-hand pane.
Step 3 Verify the Connection Status as Not Joined to a domain:
Step 5 Enter the credentials admin / cisco123 when prompted to allow the AD operation, and then
click OK.
Step 6 After a few moments, a message should appear to indicate that the node has successfully left
the domain. Click OK.
Lab Exercise 1: Introduction to ISE Inline
Posture Node Deployment for VPN Users
Exercise Description
This exercise reviews the overall concept of the ISE Inline Posture node and integration to
support remote access VPNs.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Understand the basic concepts of the ISE Inline Posture node for use with VPN
deployments.
Review the general traffic and session flow for VPN user access through an ISE Inline
Posture node.
Review the overall configuration flow for ISE Inline Posture node deployment.
Note: In the diagram above and throughout this lab guide you will see reference to the terms IPEP and PDP. This
terminology is based on the core policy model which includes entities known as Policy Enforcement Points
(PEPs) and Policy Decision Points (PDPs). Therefore, the term Inline PEP, or IPEP, is sometimes used to
refer to the Inline Posture node and PDP is sometimes used to refer to the Policy Service node.
All traffic from the VPN gateway must traverse the Inline Posture node to ensure that ISE can
apply traffic policies for access to the secured network. Traffic from the VPN gateway and
connecting users arrives on the Inline Posture node's eth1, or Untrusted, interface. Traffic from
the protected network arrives on the Inline Posture node's eth0, or Trusted, interface. The Inline
Posture node supports both bridged and routed modes.
The Inline Posture node is also responsible for redirecting HTTP/S traffic to Client Provisioning
services on the ISE Policy Service node when the endpoint's posture status is Unknown or
NonCompliant with Posture Policy. Based on the Authorization Policy, the Inline Posture node can
also support dynamic Change of Authorization (CoA) for the established VPN sessions.
Step 2 Review the overall session flow for the VPN + Inline Posture node use case per the above
example:
a. Remote user authenticates to VPN gateway (ASA) using RADIUS.
b. As the RADIUS client, ASA sends authentication request to the AAA Server (Inline
Posture node).
c. As a RADIUS Proxy, the Inline Posture node relays the RADIUS authentication request
to the ISE node providing the RADIUS Server function (Policy Service node).
d. ISE Policy Service node authenticates user per the configured Identity Store and returns
RADIUS response to Inline Posture node which in turn is relayed to the ASA, the network
access device (NAD).
e. Based on the Authorization Policy, the Policy Service node will return attributes to the
Inline Posture node and optionally to the ASA itself.
Each Authorization Policy rule entry can reference separate Authorization Profiles for
both the Inline Posture Node Profile and NAD (Standard Authorization Profile).
o Inline Posture Node Profile: Specifies RADIUS attributes to be applied to the
Inline Posture node such as a URL for redirection to the Client Provisioning
service and downloadable ACLs (dACLs) for policy enforcement by the Inline
Posture node.
o Standard Authorization Profile: Specifies any RADIUS attributes intended for the
NAD, or the ASA in this example.
f. If the Authorization Policy determines that the endpoint is NonCompliant with Posture
Policy, or if the posture status is Unknown, then the Policy Service node will return a URL
redirect attribute value to the Inline Posture node along with a dACL to specify traffic to
be allowed. All HTTP/HTTPS traffic denied by the dACL will be redirected to the
specified URL.
g. Upon reporting posture as Compliant, a reauthorization can occur to send the Inline
Posture node a new dACL which permits privileged access to the internal network.
Step 3 Review the general configuration flow for an ISE deployment using an Inline Posture node:
a. Configure a dedicated appliance as a stand-alone ISE node.
b. Add (Register) the stand-alone ISE node to an existing ISE Administration Primary node
as an Inline Posture node.
c. Configure the Inline Posture node from the ISE Administration node.
d. OPTIONAL: Deploy a second ISE Inline Posture node appliance and configure
Active/Standby failover.
Note: HA failover configuration is beyond the scope of this lab.
e. Add the Inline Posture node as a network access device in the ISE inventory.
f. Configure Authorization Profiles (Inline Posture Node Profiles) for use by the Inline
Posture node; optionally configure Authorization Profiles (Standard Profiles) for use by
the NAD.
g. Configure the Authorization Policy to apply the Inline Posture node profiles to VPN users
based on identity and posture status.
h. Configure the network infrastructure to properly route/switch traffic to/from Inline Posture
node and its downstream networks.
i. Configure the VPN gateway (ASA) for RADIUS authentication and accounting with the
Inline Posture node configured as the RADIUS server.
j. Test VPN access via the Inline Posture node.
Lab Exercise 2: Deploy and Configure an Inline
Posture Node
Exercise Description
This exercise reviews the process to register a new ISE stand-alone node into an existing ISE
deployment. Once registered as an Inline Posture node, the new ISE node undergoes a
number of changes to assume its new persona in place of that of a stand-alone ISE node. Once
complete, the Inline Posture node can be configured per network requirements.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Change the deployment mode of the existing stand-alone ISE node to that of Primary to
support a multi-node ISE deployment.
Review the base configuration of a second ISE stand-alone node prior to registration as
an Inline Posture node.
Register the new ISE stand-alone node as an Inline Posture node under the Primary
Administration node.
Configure the Inline Posture node for use with an ASA VPN gateway.
Add the Inline Posture node as a network access device (NAD) in ISE.
Note: This change will allow other nodes to be registered to the Primary Administration node to support a multi-node (distributed) deployment.
a. Go to Administration > System > Deployment and click Deployment from the left-
hand pane to display the node list.
b. Select ise-1 from the right-hand pane. The node configuration displays under the
default General Settings tab as shown below:
c. Select the Make Primary checkbox to change the Replication Role from STANDALONE
to PRIMARY.
d. Click Save at the bottom of page to save your changes.
e. Verify that the Administration Role is now set to PRIMARY:
f. When the process is complete, click the Deployment Nodes List link at top of form to
redisplay the node list:
g. Again, verify that Role has changed to Primary as shown below:
Step 3 Review the base configuration of the second ISE stand-alone node (ise-4) prior to registration
as an Inline Posture node.
Note: Before you configure the role for an ISE instance, ensure that the node is freshly installed or the application
configuration has been reset if the instance was earlier used in a standalone or distributed deployment. In
this lab, we will be using a freshly installed ISE node with basic networking configured.
i. From the Admin client PC, go to Start and select from the Windows
Start Menu to open an SSH terminal session using PuTTY.
ii. Enter ise-4 (or 10.1.80.2) in the Host Name (or IP address) field and click Open.
iii. If prompted, click Yes to cache the server host key and to continue login.
iv. Login using the credentials admin / default1A
b. Review the current configuration using the show run command. Output should appear
similar to the following:
Note that only the trusted interface GigabitEthernet 0 (eth0) is configured and is
connected to the VLAN 80 network (10.1.80.0/24). Configuration of the untrusted
interface GigabitEthernet 1 (Untrusted eth1) is performed after node registration from the
ISE-1 Administration node.
In this lab the Inline Posture node will be configured as a routed device whereby each
interface will be on different L2 networks and the node will be treated as an L3 hop in the
network.
Note: In bridged mode, both interfaces will typically share the same IP address as both interfaces are on the same
L2 network. In this latter mode, it is a requirement that the Inline Posture node eth0 interface reside on a
separate, routed network apart from other ISE nodes and devices with which it needs to communicate.
Note: The access credentials for ise-4 were configured upon initial access to the ise-4 web admin interface
following its initial bootstrap. General bootstrap procedures were covered in a previous lab and therefore
were not included as part of this lab. The ise-4 node is assumed to have completed bootstrap and
certificates installed.
d. Verify that the following form displays the correct FQDN and IP address, then click
Submit at the bottom of the page:
e. The ise-4 node will need to update its persona to the new role. This process may take a
few minutes and the node will require a reboot to complete the changes. Acknowledge
any messages that convey this information:
The ise-4 node should appear under the Deployment Nodes page as a node with the
Node Type Inline Posture.
Step 6 Configure the Inline Posture node.
a. From Administration > System > Deployment, click the icon to the left of
Deployment in the left-hand pane to display all configured nodes.
b. Click ise-4 from the left-hand pane.
Note: If an error is received when attempting to access the node, then wait a minute or two before retrying to allow
the Inline Posture node change process to complete.
The node configuration displays under the default General Settings tab. Note
the new configuration tabs available for the Inline Posture node:
General Settings
Basic Information
Deployment Modes
Filters
Radius Config
Managed Subnets
Static Routes
Logging
Failover
c. Review the logical lab topology. This will assist in understanding the values provided for
the Inline Posture node configuration:
Note: If short on time to complete the lab, you may choose to enter an IP Subnet Filter using the IP address and host
mask of the ASA's inside interface (10.1.70.1/255.255.255.255). If so, complete sub-steps 9a and 9b below,
then proceed directly to step 9i to enter the Subnet Filter in the Inline Posture node configuration.
Note: If time permits, update the MAC Filter in the Inline Posture node configuration. To do so, you need to
determine the MAC address of the ASA's inside (trusted side) interface. Since the ASA is currently
inaccessible from its trusted side through the Inline Posture node, we will access the ASA from its outside
interface. For this purpose, admin access to the outside interface was preconfigured on the ASA. Be sure to
complete all sub-steps in this task.
a. From the VMware vSphere Client, open the Win7-PC client VM. Login to the Windows
desktop using the following local computer account:
Username: DEMO\employee1
Password: cisco123
b. Open a DOS command prompt and use the ipconfig command to validate that you have
an IP address on the 10.1.60.0/24 network, as shown in the following example:
If the client does not have a valid IP address or has an address in a different subnet, use
ipconfig /release followed by ipconfig /renew to renew the IP address.
c. Launch the Cisco ASDM-IDM Launcher shortcut from the Windows desktop and login
using the credentials admin / cisco123. (Hostname = asa.demo.local:4433):
f. Under the Single Line command field, enter show interface vlan 1 and click Send:
g. Verify the IP address is 10.1.70.1 and then note the MAC Address value:
Your lab pod's ASA inside (VLAN 1) MAC Address: _________________________
h. Click Close to exit the CLI window.
i. Select the Filters tab and enter the following values into the form:
MAC Filters
MAC Address IP Address Description
<ASA_inside_MAC> 10.1.70.1 ASA inside (allow management traffic)
Subnet Filters
Subnet Address Subnet Mask Description
- - -
Step 11 Configure Inline Posture node Managed Subnets.
Managed Subnets specifies the IP address used by the Inline Posture node to communicate
with hosts connected to managed subnets. These subnets are directly connected (L2 adjacent)
to the Inline Posture node on the eth1 (Untrusted) interface. This entry is required for each
VLAN that traverses Inline Posture node eth1 interface for which no explicit management IP is
configured.
The Inline Posture node in this lab has only a single network connected to the eth1 interface
which has an explicit management IP address of 10.1.70.2/24 that was configured under the
Basic Information tab. Therefore, no configuration is necessary for the Managed Subnets tab:
IP Address Subnet Mask VLAN ID Description
- - - -
The 10.1.60.0/24 network has been added in this lab to allow traffic such as ICMP pings to work
to the Inline Posture node Untrusted interface.
Step 13 Configure Inline Posture node Logging to the ISE M&T node which is co-resident on the lab's
ISE Administration node (ise-1.demo.local).
Select the Logging tab and enter the following values into the form:
Attribute Value
IP Address 10.1.100.21
Port 20514
Step 14 Failover configuration is not covered in this lab. Therefore, do not make any changes under the
Failover tab. Leave the default configuration (HA disabled).
Step 15 Click Save at the bottom of the page to apply all Inline Posture node configuration changes.
This process may take a few minutes to complete and the node will require a reboot to complete
the mode and networking changes. Acknowledge any messages that convey this information
and wait for the Inline Posture node to reboot.
Step 16 OPTIONAL: Verify Inline Posture node status and configuration.
a. Using the VMware vSphere Client, access the ise-4 appliance console VM.
b. Login using the credentials admin / default1A.
c. Wait for the system to complete reboot.
d. Check that the Inline Posture node processes are running by entering the command
show pep status. The click kernel module should be loaded and the runtime java
application should be running and process ID noted.
e. Review the Inline Posture node configuration using the show pep summary command.
f. Use Ctrl+Alt to exit the ise-4 VM console window.
Step 17 Add the Inline Posture node as a network access device from the ise-1 admin interface.
a. Go to the Admin client PC and access the ise-1 admin interface from the Mozilla Firefox
browser (URL: https://ise-1.demo.local ; Credentials: admin / default1A)
b. Navigate to Administration > Network Resources > Network Devices and select
Network Devices from the left-hand pane
c. Click Add from the right-hand pane menu and enter the following values into the form:
Attribute                    Value
Name                         ise-4
Description                  Inline Posture node for ASA VPN
IP Address                   10.1.80.2
Model Name                   -
Software Version             -
Location                     (default)
Device Type                  (default)
[ ] Authentication Settings
Protocol                     RADIUS
Shared Secret                cisco123
d. Click Submit to apply changes.
Lab Exercise 3: Review VPN Gateway and
Routing Configuration Requirements to
Support Inline Posture Node Integration
Exercise Description
An Inline Posture node must be inserted into the traffic path between the network access device
(NAD), such as a VPN gateway, and the protected network. Although this can be a physical
insertion such that the two Inline Posture node interfaces connect to different physical networks, a
more typical deployment will be a logical separation such that the Inline Posture node interfaces
connect to the same switch and VLANs are used to segregate traffic. It is critical to understand
the traffic flow between the different devices in an Inline Posture node deployment and to ensure
that there are no traffic loops around the Inline Posture node for traffic that requires access
control. It is also important to configure routing and switching to ensure VPN connections are
properly routed through the Inline Posture node in both directions.
In addition to infrastructure switching and routing design, the NAD must also be configured to
interoperate with the Inline Posture node for authentication, authorization, and accounting.
This exercise reviews the infrastructure and VPN gateway configuration requirements to support
Inline Posture node.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Review the basic traffic flow through the Inline Posture node.
Verify the internal routing configuration to support the VPN and Inline Posture node
deployment.
Review and verify the VPN gateway configuration to support the Inline Posture node
deployment.
b. Review the following routing configuration from left to right (from the VPN Client to
Trusted network):
i. Once the VPN connection is established, the remote client's default gateway for
internal networks is the ASA.
ii. The ASA default gateway is the Inline Posture node (ise-4) eth1 interface
(10.1.70.2).
iii. The Inline Posture node default gateway is the core switch (7k-core) VLAN 80
interface (10.1.80.1).
c. Review the following routing configuration from right to left (from Trusted network to the
VPN clients):
i. The core switch (7k-core) uses dynamic routing to learn the routes to all Trusted
networks. To reach any networks downstream from the Inline Posture node,
static routes are required. Therefore, 7k-core requires static routes to the
following networks pointing to the Inline Posture node eth0 interface as the next
hop:
10.1.60.0/24 (Optional in lab to support test traffic from remote user PC.)
10.1.70.0/24 (Required to support ASA management traffic)
10.1.200.0/24 (Required for VPN client connectivity via the Inline Posture
node)
ii. The Inline Posture node (ise-4) was configured with static routes for the following
remote networks:
10.1.60.0/24 (Optional for lab testing)
10.1.200.0/24 (Required for VPN client connectivity)
iii. The ASA has direct host routes for its VPN client connections.
Step 2 Verify the routing configuration for the core switch (7k-core).
a. From the Admin client PC, launch the PuTTY shortcut for 7k-Core on the Windows
desktop.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials admin / C!sco123.
d. Check the routing configuration using the command show ip route.
Verify the following routes are present:
10.1.60.0/24 [1/0] via 10.1.80.2, Vlan 80
10.1.70.0/24 [1/0] via 10.1.80.2, Vlan 80
10.1.200.0/24 [1/0] via 10.1.80.2, Vlan 80
Step 3 Verify the routing configuration of the Inline Posture node (ise-4).
a. Open Start > PuTTY from the Windows Start Menu to access the console of the ise-4
node (10.1.80.2) using the credentials admin / default1A.
b. Check the routing configuration using the command show pep summary. Verify the
following routes are present:
10.1.60.0/24 eth1
10.1.70.0/24 eth1
10.1.200.0/24 eth1
0.0.0.0/0 eth0
Step 4 Verify the ASA routing configuration.
a. From the Win7-PC client, access the ASDM interface (admin / cisco123).
b. Go to 1) Monitor (main menu) > 2) Routing (left column) > 3) Routes (left column) and
verify the following DEFAULT route is present in the routing table:
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.70.2, inside
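The three routing tables verified in Steps 2 to 4 can be checked together for the property this exercise stresses: VPN client traffic must cross the Inline Posture node in both directions, with no route that bypasses it. The following Python model is an added example written for this guide, not part of the lab or of any Cisco tool. It transcribes the expected routes into per-device tables and follows them hop by hop. Assumptions not stated on the page: the ise-4 static routes use the ASA inside address 10.1.70.1 as next hop, the ASA's per-client host routes are collapsed into one connected 10.1.200.0/24 entry, and 7k-core owns 10.1.100.1 on the DATACENTER VLAN.

```python
import ipaddress

# Constructed routing tables, transcribed from the expected "show ip route"
# (7k-core), "show pep summary" (ise-4) and ASDM route (ASA) output above.
# Entries are (prefix, next_hop); next_hop None means directly connected.
# Assumed values: ise-4 next hop 10.1.70.1, ASA 10.1.200.0/24 as one
# connected entry, 7k-core address 10.1.100.1.
ROUTING_TABLES = {
    "7k-core": [
        ("10.1.80.0/24", None),           # Vlan 80, connected
        ("10.1.100.0/24", None),          # DATACENTER, connected
        ("10.1.60.0/24", "10.1.80.2"),    # static, via ise-4 eth0
        ("10.1.70.0/24", "10.1.80.2"),
        ("10.1.200.0/24", "10.1.80.2"),
    ],
    "ise-4": [
        ("10.1.80.0/24", None),           # eth0, Trusted
        ("10.1.70.0/24", None),           # eth1, Untrusted
        ("10.1.60.0/24", "10.1.70.1"),    # static, via ASA inside (assumed)
        ("10.1.200.0/24", "10.1.70.1"),
        ("0.0.0.0/0", "10.1.80.1"),       # default, via 7k-core
    ],
    "asa": [
        ("10.1.70.0/24", None),           # inside
        ("10.1.60.0/24", None),           # outside
        ("10.1.200.0/24", None),          # VPN client host routes (simplified)
        ("0.0.0.0/0", "10.1.70.2"),       # default, via ise-4 eth1
    ],
}

# Interface addresses, used to find which device a next hop belongs to.
INTERFACES = {
    "7k-core": {"10.1.80.1", "10.1.100.1"},
    "ise-4": {"10.1.80.2", "10.1.70.2"},
    "asa": {"10.1.70.1"},
}


def lookup(device, dst_ip, tables=ROUTING_TABLES):
    """Longest-prefix match in one device's table; (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in tables[device]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def owner_of(ip, interfaces=INTERFACES):
    """Device that owns an interface address, or None."""
    for device, addrs in interfaces.items():
        if ip in addrs:
            return device
    return None


def trace(start, dst_ip, tables=ROUTING_TABLES, max_hops=8):
    """Follow the tables hop by hop from `start` toward dst_ip.
    Returns (path, status); status is 'delivered', 'no route at <dev>',
    'unreachable next hop <ip>', 'loop' or 'hop limit'."""
    path, device = [start], start
    for _ in range(max_hops):
        match = lookup(device, dst_ip, tables)
        if match is None:
            return path, f"no route at {device}"
        _net, next_hop = match
        if next_hop is None:              # connected: this device delivers it
            return path, "delivered"
        nxt = owner_of(next_hop)
        if nxt is None:
            return path, f"unreachable next hop {next_hop}"
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
        device = nxt
    return path, "hop limit"


def ipep_in_both_directions(client_ip, server_ip, tables=ROUTING_TABLES, ipep="ise-4"):
    """True only if both directions deliver and both cross the Inline Posture node."""
    fwd_path, fwd_status = trace("asa", server_ip, tables)      # client's first hop: ASA
    rev_path, rev_status = trace("7k-core", client_ip, tables)  # server's first hop: core
    return (fwd_status == rev_status == "delivered"
            and ipep in fwd_path and ipep in rev_path)


def without_route(tables, device, prefix):
    """Copy of the tables with one route dropped from one device."""
    copy = {d: list(r) for d, r in tables.items()}
    copy[device] = [r for r in copy[device] if r[0] != prefix]
    return copy


def set_route(tables, device, prefix, next_hop):
    """Copy of the tables with one route on one device replaced (or added)."""
    copy = without_route(tables, device, prefix)
    copy[device].append((prefix, next_hop))
    return copy
```

Dropping the 10.1.200.0/24 static route from 7k-core makes the reverse trace fail with no route, and pointing it anywhere other than 10.1.80.2 produces a path that misses ise-4; both are the asymmetric-routing cases the exercise description warns about.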
Step 5 Test connectivity through the Inline Posture node.
Attempt to ping 10.1.70.1 (ASA inside interface) from the Admin client PC. A successful reply
validates that both routing and the Inline Posture node MAC filter have been properly configured.
If the pings are successful, you should now be able to manage the ASA from the Admin client
using SSH/Telnet.
Step 6 Verify the RADIUS configuration of the ASA.
In order for the Inline Posture node to authorize VPN users, the VPN gateway must use
RADIUS as the authentication protocol. Additionally, RADIUS Accounting must be configured
so that the Inline Posture node can associate an IP address to a username identity used for
authentication. Downloadable ACLs (dACLs) will be applied at the Inline Posture node based
on this IP address and ISE Authorization Policy.
a. Use PuTTY from Admin client to access the asa (10.1.70.1) console using credentials
admin / cisco123 / cisco123 (enable).
b. From the ASA console, run the following commands:
asa# show run aaa-server
asa# show run tunnel-group
The first command will show the IP address of the AAA Server. This should be the Inline
Posture node (ise-4) eth1 address (10.1.70.2).
The second command will show whether the above AAA Server has been configured for
authentication and accounting for the default Tunnel Group used by the lab VPN users.
Compare your output to the example below:
In the above example, RADIUS is the name assigned to the AAA server group which
includes the Inline Posture node (host 10.1.70.2) as a RADIUS Server.
Lab Exercise 4: Configure Authorization
Profiles and Policy for Inline Posture Node
Deployments
Exercise Description
The ISE Authorization Policy determines the type of access and services users and endpoints get
based on their identity and other conditions. For a given set of conditions an Authorization Profile
is specified that defines access in terms of dACLs, VLANs, URL redirects, and other RADIUS
attributes. In the Inline Posture node case, a different set of Authorization Profiles must be
configured to communicate attributes directly to the inline PEP while still allowing standard
Authorization Profiles to be configured for passing attributes to the network access device (NAD).
This exercise reviews the configuration of dACLs, Authorization Profiles, and Authorization Policy
to support an ISE deployment with Inline Posture nodes deployed.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Configure a new dACL to be applied to the Inline Posture node for posture and
remediation of VPN users.
Configure Inline Posture Node Profiles to support both Employees and Contractors that
connect via VPN.
Configure the Authentication Policy to support authentication requests from the VPN
gateway.
Attribute       Value
DACL Content    permit udp any any eq domain
                permit icmp any any
                permit tcp any host 10.1.100.21 eq 8443
                permit tcp any host 10.1.100.21 eq 8905
                permit udp any host 10.1.100.21 eq 8905
                permit udp any host 10.1.100.21 eq 8906
                permit tcp any host 10.1.252.21 eq 80
Note: There is currently NO ACL syntax checking for dACL contents so it is imperative that entries be carefully
reviewed for errors prior to submitting.
Note: The Inline Posture node does not rely on redirect ACLs. It automatically redirects TCP port 80 and 443
traffic to the specified redirect URL if not explicitly allowed by the DACL. The
POSTURE_REMEDIATION_IPEP dACL differs in this regard from the POSTURE_REMEDIATION dACL
used for non-Inline Posture node hosts. The latter must explicitly permit general http/https traffic to be
redirected while the Inline Posture node dACL does not.
Note: It is necessary to directly type (or copy and paste) the string value url-redirect=https://ip:8443... into the
cisco-av-pair attribute field.
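Because ISE performs no syntax check on dACL contents (first note above), an offline lint before clicking Submit is worthwhile, and the second note's redirect behaviour is easy to get wrong when reading a dACL by eye. The following Python is an added example written for this guide, not ISE code. It parses the subset of IOS ACE syntax used in this lab ((permit|deny) proto SRC DST [eq PORT], with any/host/wildcard addresses and a handful of port keywords; that subset and the keyword table are assumptions of the model), evaluates constructed sample flows against POSTURE_REMEDIATION_IPEP, and applies the Inline Posture node rule: traffic the dACL permits passes, TCP 80/443 that it does not permit is redirected to the url-redirect portal, and everything else is dropped.

```python
import ipaddress

# Constructed copy of the lab's POSTURE_REMEDIATION_IPEP dACL content.
POSTURE_REMEDIATION_IPEP = """\
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8906
permit tcp any host 10.1.252.21 eq 80
"""

# Small subset of IOS port keywords (assumed); anything else must be numeric.
PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68, "ntp": 123}
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i].
    Returns ((network_int, mask_int), next_index); mask is the inverted wildcard."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))        # raises ValueError on junk
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, ~wildcard & 0xFFFFFFFF), i + 2


def _parse_port(token):
    port = int(token) if token.isdigit() else PORT_NAMES.get(token, -1)
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port {token!r}")
    return port


def parse_ace(line):
    """Parse one entry of the supported subset; raise ValueError if malformed."""
    tokens = line.split()
    try:
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError("expected '(permit|deny) (ip|tcp|udp|icmp)'")
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens):   # only 'eq PORT' may follow, and only for tcp/udp
            if proto not in ("tcp", "udp") or tokens[i] != "eq" or len(tokens) != i + 2:
                raise ValueError("unexpected trailing tokens")
            dport = _parse_port(tokens[i + 1])
    except IndexError:
        raise ValueError("truncated entry") from None
    return action, proto, src, dst, dport


def _entries(text):
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]


def lint_dacl(text):
    """One 'line N: ...' string per malformed entry; an empty list means clean."""
    errors = []
    for lineno, line in enumerate(_entries(text), 1):
        try:
            parse_ace(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r}: {exc}")
    return errors


def parse_dacl(text):
    """Parse a whole dACL, refusing it if any entry is malformed."""
    errors = lint_dacl(text)
    if errors:
        raise ValueError("\n".join(errors))
    return [parse_ace(line) for line in _entries(text)]


def _addr_match(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def evaluate(aces, proto, src, dst, dport=None):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, aproto, asrc, adst, aport in aces:
        if aproto not in ("ip", proto):
            continue
        if not (_addr_match(asrc, src) and _addr_match(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


def ipep_action(aces, proto, src, dst, dport=None):
    """Inline Posture node handling of a flow: permitted traffic passes, TCP 80/443
    not permitted by the dACL is redirected to the portal, the rest is dropped."""
    if evaluate(aces, proto, src, dst, dport) == "permit":
        return "permit"
    if proto == "tcp" and dport in (80, 443):
        return "redirect"
    return "deny"
```

Run lint_dacl over the text you are about to paste into the DACL Content field; a typo such as a missing port after eq or a misspelled host keyword is reported with its line number instead of silently producing an entry ISE cannot apply.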
c. The resultant Attribute Details should appear at the bottom of the page as the following:
cisco:cisco-av-pair = ipep-authz=true
DACL = POSTURE_REMEDIATION_IPEP
cisco:cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
Note: The attribute cisco:cisco-av-pair = ipep-authz=true is automatically added to the Inline Posture Node
Profile. This specifies attributes specific to Inline Posture node authorization versus NAD authorizations as
defined in the Standard Authorization Profile.
cisco:cisco-av-pair = ipep-authz=true
DACL = INTERNET_ONLY
cisco:cisco-av-pair = ipep-authz=true
DACL = PERMIT_ALL_TRAFFIC
Step 5 OPTIONAL: Define a new Standard Authorization Profile named NAD_Profile for use with Inline
Posture node. The intent of this profile is to include an additional message in RADIUS reply
messages for the NAD that can be displayed in the Authentication details and used for tracking
and troubleshooting Inline Posture node sessions.
a. Click Authorization Profiles from the left-hand pane under Policy > Policy Elements >
Results > Authorization.
b. Click Add from the right-hand pane and enter the values for the Authorization Profile as
shown below.
Attribute Value
Name NAD_Profile
Description Custom RADIUS Reply message
Access Type ACCESS_ACCEPT
Advanced Attributes Radius:Reply-Message = NAD_Profile
c. The resultant Attribute Details should appear at the bottom of the page as the following:
Rule Name | Identity Groups | Other Conditions | Permissions
Profiled Cisco IP Phones | Cisco-IP-Phone | - | Cisco_IP_Phones
Domain_Computer | Any | demo.local:ExternalGroups EQUALS demo.local/Users/Domain Computers | AD_Login
Employee_IPEP | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:PostureStatus EQUALS Compliant AND Radius:NAS-Port-Type EQUALS Virtual | Employee_IPEP AND NAD_Profile
Employee_PreCompliant_IPEP | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:PostureStatus NOT_EQUALS Compliant AND Radius:NAS-Port-Type EQUALS Virtual | Posture_Remediation_IPEP AND NAD_Profile
Employee | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:PostureStatus EQUALS Compliant | Employee
Employee_PreCompliant | Any | demo.local:ExternalGroups EQUALS demo.local/Users/employees AND Session:PostureStatus NOT_EQUALS Compliant | Posture_Remediation
Contractor_IPEP | Any | demo.local:ExternalGroups EQUALS demo.local/Users/contractors AND Session:PostureStatus EQUALS Compliant AND Radius:NAS-Port-Type EQUALS Virtual | Contractor_IPEP AND NAD_Profile
Contractor_PreCompliant_IPEP | Any | demo.local:ExternalGroups EQUALS demo.local/Users/contractors AND Session:PostureStatus NOT_EQUALS Compliant AND Radius:NAS-Port-Type EQUALS Virtual | Posture_Remediation_IPEP AND NAD_Profile
Contractor | Any | demo.local:ExternalGroups EQUALS demo.local/Users/contractors AND Session:PostureStatus EQUALS Compliant | Guest
Guest | Guest | Session:PostureStatus EQUALS Compliant | Guest
Note: Background information on the use of the _IPEP policy rules: Each policy rule for Employee and
Contractor has been split into two rules: a standard rule for the non-VPN (no Inline Posture node) use case,
and another rule for the VPN (Inline Posture node) use case. These entries appear as RuleName and
RuleName_IPEP (same rule name but with the _IPEP suffix).
The application of the _IPEP rule is determined by the condition Radius:NAS-Port-Type. For the VPN use
case with Inline Posture node, the value of this attribute EQUALS Virtual. For the non-VPN (no Inline
Posture node) use case, the value is not set, so it is critical that the standard rule occur after the
corresponding _IPEP rule: the standard rule's conditions are a subset of the _IPEP rule's, so if it came first
it would also match VPN sessions. This ordering allows assignment of different Authorization Profiles based
on the access type. The Authorization Profile names likewise differ only by the _IPEP suffix. The actual dACL
and URL redirect information specified in the profiles is the same, but in the VPN case the dACLs and
redirects are applied to the Inline Posture node, not the NAD.
Note: Background information on the use of the Contractor role: In other ISE labs from this series, the
Contractor role has been associated with an Internal Identity Group named Contractor that was assigned
using Guest Services. In this lab, the Contractor role is assigned from the External Identity Group
demo.local/Users/contractors in the AD directory. The change is being made for the VPN use case, since
typical VPN users will not be accounts created using Guest Services, but are more likely permanent or
semi-permanent members of an organization. Also, accounts created using Guest Services require that the
initial login occur using CWA to activate the account. Access through the Inline Posture node is based on
RADIUS authentication from the NAD, not CWA. Therefore, a user created with Guest Services cannot perform
the initial login through the Inline Posture node.
Note: Be sure final rule order is in the exact order as shown in the table. You can drag and drop the
marker at the beginning of a policy rule to change the order of rules as needed, then save changes.
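The ordering requirement in the note above can be checked with a small model of first-match evaluation. The following is an added example, not code from the lab guide or from Cisco ISE: it encodes the rule table above in Python, walks it top to bottom the way ISE does, and shows that a VPN session (Radius:NAS-Port-Type = Virtual) would fall through to the plain Employee rule, losing NAD_Profile and the _IPEP profile, if the non-_IPEP rules were placed first. The session dictionaries are constructed sample data, and the IdentityGroup attribute name used for the table's Identity Groups column is this example's own.

```python
"""First-match evaluation of the lab's Authorization Policy.

Added example, not code from the lab guide or from Cisco ISE. It models how
ISE walks the Authorization Policy top to bottom and applies the permissions
of the first rule whose conditions all hold. Rule names, conditions and
profiles are taken from the lab's rule table; the sessions are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, str]          # RADIUS/session attributes as name -> value
Condition = Callable[[Session], bool]

EMPLOYEES = "demo.local/Users/employees"
CONTRACTORS = "demo.local/Users/contractors"
DOMAIN_COMPUTERS = "demo.local/Users/Domain Computers"


def ad_group(group: str) -> Condition:
    """demo.local:ExternalGroups EQUALS <group>"""
    return lambda s: s.get("demo.local:ExternalGroups") == group


def posture(status: str) -> Condition:
    """Session:PostureStatus EQUALS <status>"""
    return lambda s: s.get("Session:PostureStatus") == status


def posture_not(status: str) -> Condition:
    """Session:PostureStatus NOT_EQUALS <status>"""
    return lambda s: s.get("Session:PostureStatus") != status


def vpn_via_ipep(s: Session) -> bool:
    """Radius:NAS-Port-Type EQUALS Virtual; a wired session leaves the attribute unset."""
    return s.get("Radius:NAS-Port-Type") == "Virtual"


@dataclass
class Rule:
    name: str
    identity_group: str            # "Any" or a specific internal identity group
    conditions: List[Condition]    # all must hold (the table's AND)
    permissions: List[str]         # Authorization Profiles applied on match

    def matches(self, s: Session) -> bool:
        # "IdentityGroup" is this example's own name for the Identity Groups column.
        if self.identity_group != "Any" and s.get("IdentityGroup") != self.identity_group:
            return False
        return all(c(s) for c in self.conditions)


# The lab's rule table, in the order the lab requires.
POLICY: List[Rule] = [
    Rule("Profiled Cisco IP Phones", "Cisco-IP-Phone", [], ["Cisco_IP_Phones"]),
    Rule("Domain_Computer", "Any", [ad_group(DOMAIN_COMPUTERS)], ["AD_Login"]),
    Rule("Employee_IPEP", "Any", [ad_group(EMPLOYEES), posture("Compliant"), vpn_via_ipep],
         ["Employee_IPEP", "NAD_Profile"]),
    Rule("Employee_PreCompliant_IPEP", "Any", [ad_group(EMPLOYEES), posture_not("Compliant"), vpn_via_ipep],
         ["Posture_Remediation_IPEP", "NAD_Profile"]),
    Rule("Employee", "Any", [ad_group(EMPLOYEES), posture("Compliant")], ["Employee"]),
    Rule("Employee_PreCompliant", "Any", [ad_group(EMPLOYEES), posture_not("Compliant")], ["Posture_Remediation"]),
    Rule("Contractor_IPEP", "Any", [ad_group(CONTRACTORS), posture("Compliant"), vpn_via_ipep],
         ["Contractor_IPEP", "NAD_Profile"]),
    Rule("Contractor_PreCompliant_IPEP", "Any", [ad_group(CONTRACTORS), posture_not("Compliant"), vpn_via_ipep],
         ["Posture_Remediation_IPEP", "NAD_Profile"]),
    Rule("Contractor", "Any", [ad_group(CONTRACTORS), posture("Compliant")], ["Guest"]),
    Rule("Guest", "Guest", [posture("Compliant")], ["Guest"]),
]


def evaluate(policy: List[Rule], session: Session) -> Optional[Tuple[str, List[str]]]:
    """Return (matched rule name, profiles) for the first matching rule, or None when
    no rule matches (ISE would then fall to its default rule)."""
    for rule in policy:
        if rule.matches(session):
            return rule.name, rule.permissions
    return None


def non_ipep_first(policy: List[Rule]) -> List[Rule]:
    """The ordering the lab warns against: every *_IPEP rule moved below its plain twin."""
    return sorted(policy, key=lambda r: r.name.endswith("_IPEP"))   # stable sort, False first


# Constructed sample sessions (attribute values as ISE would see them).
VPN_CONTRACTOR_PRE_POSTURE: Session = {
    "demo.local:ExternalGroups": CONTRACTORS,
    "Session:PostureStatus": "Unknown",        # posture not yet assessed
    "Radius:NAS-Port-Type": "Virtual",         # through the ASA / Inline Posture node
}
VPN_EMPLOYEE_COMPLIANT: Session = {
    "demo.local:ExternalGroups": EMPLOYEES,
    "Session:PostureStatus": "Compliant",
    "Radius:NAS-Port-Type": "Virtual",
}
WIRED_EMPLOYEE_COMPLIANT: Session = {
    "demo.local:ExternalGroups": EMPLOYEES,
    "Session:PostureStatus": "Compliant",      # NAS-Port-Type is not set on the wired path
}

if __name__ == "__main__":
    print(evaluate(POLICY, VPN_CONTRACTOR_PRE_POSTURE))            # Contractor_PreCompliant_IPEP
    print(evaluate(POLICY, WIRED_EMPLOYEE_COMPLIANT))               # Employee
    print(evaluate(non_ipep_first(POLICY), VPN_EMPLOYEE_COMPLIANT))  # Employee: NAD_Profile lost
```

With the lab's ordering, the VPN contractor session before posture assessment lands on Contractor_PreCompliant_IPEP with Posture_Remediation_IPEP and NAD_Profile, which is exactly the Matched Rule and profile pair the lab has you verify later under Monitor > Authentications. The reordered policy returned by non_ipep_first is the failure mode the note describes: the same VPN session matches the plain Employee rule, so the Inline Posture node never receives its _IPEP profile.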
Step 7 Configure the Authentication Policy to support authentication from the VPN gateway against the
AD Server.
a. Go to Policy > Authentication.
Review the current policy which includes two rules to support Wired MAB and Wired
802.1X authentication requests. Neither of these rules will support authentication
requests from the VPN gateway.
The final Default Rule will accept all access types, but is configured to only authenticate
against the Internal Users database. Change the Default Rule to include the AD identity
store.
b. Update the existing Authentication Policy with the following value as highlighted:
Lab Exercise 5: Test and Monitor VPN Client Access for Contractors via an Inline Posture Node using the Web Agent
Exercise Description
The Inline Posture node appliance is responsible for applying the appropriate enforcement and
redirection policies based on a VPN user's identity and posture status. This exercise verifies
Contractor access via the VPN gateway using an Inline Posture node. Client Provisioning Services
are also validated for the Contractor role, which is configured to use the NAC Web Agent. Posture
Services with the Inline Posture node are validated using the Web Agent and a Guest AV Posture
Policy that requires Contractors to have any supported AV client installed and AV signatures
current. Session and policy monitoring are conducted using both ISE GUI-based and command-line
tools.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Connect and authenticate to the lab network as a Contractor using a VPN client to verify
ISE authentication through an Inline Posture node.
Download the NAC Web Agent over a VPN client connection.
Perform posture assessment and validate posture compliance using the Web Agent.
Monitor the session status for the Contractor from the ISE Inline Posture node console.
Review the session status for the Contractor from the ISE admin interface.
e. Upon initial start of the system, the output should show that there have been no dACLs
applied except for the default deny all since no sessions have been established. As
dACLs are downloaded for new sessions, they will be cached and reused for other
sessions that require the same dACL.
Interpreting the output of the dACL table using the above example (columns: Entry, Description):
Each dACL entry begins with either a 0 or a 1, where 0 = deny and 1 = permit. In the above
example, the entry 0 all is equivalent to deny all, or deny ip any any.
Step 2 Delete ClamWin AV signatures on the Win7 PC to ensure that the client AV software is out of
compliance with AV signature updates.
a. If not already logged in, log into the Windows 7 PC client as DEMO\employee1 /
cisco123, where DEMO is the Windows domain name.
Step 3 Establish a VPN session from the Windows 7 PC client as a Contractor user.
a. Click the Cisco AnyConnect VPN Client shortcut from the Windows desktop.
b. From the VPN client login window, make sure the Connect to: field is set to
asa.demo.local or the actual outside IP address of the ASA VPN gateway (10.1.60.1).
Click Select.
d. At the login prompt, enter the Contractor's AD login credentials (contractor1 / cisco123)
and then click Connect.
e. Accept any certificate warnings received. Optionally import the certificate to the local PC
store to prevent further warnings for this connection.
f. When VPN session is fully established, the AnyConnect window will close and the
AnyConnect icon in the Windows task tray will indicate Connected:
Step 4 Review the active authentications from the ISE admin interface.
a. Go to the Admin client PC and access the ISE admin interface using the Mozilla Firefox
web browser. URL: https://ise-1.demo.local (admin / default1A)
b. Go to Monitor > Authentications and review the entries associated to the contractor1:
c. Click the Details icon for the first (bottom) entry as shown in the graphic to view
additional details of the session. Note some of the key attributes of this session:
Username: contractor1
MAC/IP Address: 10.1.60.200
Network Device: ise-4 : 10.1.70.1
Access Service: Default Network Access
Identity Store: demo.local
Authorization Profiles: Posture_Remediation_IPEP,NAD_Profile
Active Directory Domain: demo.local
Selected Identity Stores: demo.local,Internal Users
Authorization Policy Matched Rule: Contractor_PreCompliant_IPEP
b. Note the Matched Rule in the Authorization Policy is Contractor_PreCompliant_IPEP and
the corresponding profiles:
Inline Posture Node Profile = Posture_Remediation_IPEP
Standard Authorization Profile = NAD_Profile
d. Close the detailed session window and click on the second entry for contractor1. Note
details of the Authentication Result per example below:
These entries coincide with the components defined in the Inline Posture Node Profile
named Posture_Remediation_IPEP. This profile includes a URL redirect to Client
Provisioning Services and the dACL named POSTURE_REMEDIATION_IPEP.
e. Close the detailed session window. Note the third (top) entry in sample Authentication
Sessions diagram shows the explicit download of the POSTURE_REMEDIATION_IPEP
dACL to the Inline Posture node. This entry will only display in the log for the first
download. The dACL is then cached on the Inline Posture node and is not downloaded
again unless the dACL is modified.
Step 5 Repeat the process to monitor the ISE session status for a VPN user from the Inline Posture
node console.
a. Return to the ISE Inline Posture node console.
b. View the current sessions established through the Inline Posture node using the
command show pep table session at the # shell prompt as shown:
c. The output should show that one session is currently established for IP address
10.1.200.10. This is the IP address assigned to the VPN client from the address pool.
The Profile ID value of 1 reflects the current dACL # applied to this session.
d. Enter the command show pep table accesslist to display the current dACLs deployed to
the Inline Posture node:
e. The output shows that the new dACL #1 has been applied to the Inline Posture node
since the initial VPN session was established. This is the
POSTURE_REMEDIATION_IPEP dACL.
Interpreting the output of the dACL table using the above example (columns: Entry, Description):
Entry: 1 tcp and (dst host 10.1.100.21) and (dst port 8443)
Description: permit tcp any host 10.1.100.21 eq 8443
Entry: 1 tcp and (dst host 10.1.100.21) and (dst port 8905)
Description: permit tcp any host 10.1.100.21 eq 8905
Entry: 1 udp and (dst host 10.1.100.21) and (dst port 8905)
Description: permit udp any host 10.1.100.21 eq 8905
Entry: 1 udp and (dst host 10.1.100.21) and (dst port 8906)
Description: permit udp any host 10.1.100.21 eq 8906
Entry: 1 tcp and (dst host 10.1.252.21) and (dst port 80)
Description: permit tcp any host 10.1.100.21 eq 80
Step 6 Complete Contractor posture assessment and remediation using the NAC Web Agent.
a. From the Win7-PC client, launch a web browser.
b. Since a URL redirect has been applied to the Inline Posture node for this session, the
client is automatically redirected to the Agent Downloader page to provision the posture
agent identified in the Client Provisioning Policy. Click the Click to install agent button.
c. Accept any prompts to install applets to facilitate agent download.
d. The NAC Web Agent will load, perform a brief scan, and then present the results of the
posture assessment. The Posture Policy for AV should fail as shown below:
e. As a temporal client for use by any Windows PC including non-admin users, the Web
Agent does not allow for code execution. Therefore, the Contractor/Guest user must
initiate the remediation.
Right-click on the ClamWin icon in the Windows task tray and click Download Virus
Database Update:
f. The ClamWin AV window will open and show the progress of the signature updates.
Click Close when AV update is complete:
Note: If the ClamWin update process fails!
The remediation server (updates.demo.local) is configured to download current AV signature files upon start
of the pX-www-int VM. If this process fails to complete, then the ClamAV client may fail to download the AV
signature files from the remediation server as shown above. If the above process fails, then go to Posture >
Policy from the ISE admin interface, and change the requirements for the posture rule named
Contractor_Windows AV Installed and Current policy from Mandatory to Optional.
To specify posture requirements as Optional, navigate to the Requirements column of the posture policy rule
and expand the contents of the requirement. Click the icon to the right of the requirement name and
select Optional from the drop-down menu. Repeat for each requirement in the rule.
g. Click the Re-Scan button in the Web Agent window to have posture re-assessed based
on the recent remediation. The Web Agent should be updated as per the following:
h. Click Continue to complete the Web Agent session. The login success screen should
auto-close after two seconds per the configured policy.
i. From the original agent install window, click the browser Home icon, or re-enter
www.cisco.com into the URL address field to verify the Contractor/Guest user now has
Internet access.
Step 7 Review the active authentications from the ISE admin interface.
a. From the Admin client PC, access the ISE admin interface and go to Monitor >
Authentications and review the entries associated to the contractor1:
These entries reflect the contents of the INTERNET_ONLY dACL. Since this dACL is not
yet present on the Inline Posture node, it is explicitly downloaded and is cached by the
Inline Posture node for successive sessions that reference the same dACL.
f. Close the detailed session window.
Step 8 Repeat the process to monitor the ISE session status for a VPN user from the Inline Posture
node console.
a. Return to the ISE Inline Posture node console.
b. View the current sessions established through the Inline Posture node using the
command show pep table session at the # shell prompt as shown:
c. The output should show that one session is currently established for IP address
10.1.200.10. This is the IP address assigned to the VPN client from the address pool.
The Profile ID value of 2 reflects the current dACL # applied to this session.
d. Enter the command show pep table accesslist to display the current dACLs deployed
to the Inline Posture node:
e. The output shows that a new dACL #2 has been applied to the Inline Posture node. This
is the INTERNET_ONLY dACL.
Note the last few entries of dACL #2, the INTERNET_ONLY dACL:
0 (dst net 10.1.0.0 mask 255.255.0.0) # 0 = Deny access to network 10.1.0.0/16
1 all # 1 = Permit all
0 all # 0 = Deny all (implicit deny all entry)
This dACL basically denies access to the lab network (10.1.0.0/16) and permits all other
external access to the Internet.
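The dACL entry format used by the Inline Posture node (the 0/1 deny/permit convention explained in Step 1, the POSTURE_REMEDIATION_IPEP table in Step 5, and the INTERNET_ONLY entries just above) is small enough to parse and evaluate, which is a useful way to confirm what a dACL will actually do before a session depends on it. The following is an added example, not code from the lab guide or from Cisco: it parses entries in the `show pep table accesslist` form, renders each in the Cisco extended-ACL wording the lab's Description column uses, and evaluates a destination against the list with first-match semantics. The two dACL texts are constructed from the entries the lab shows; the trailing 0 all is the implicit deny the lab mentions.

```python
"""Reading the Inline Posture node dACL table shown by `show pep table accesslist`.

Added example, not the lab guide's or Cisco's code: a parser for the entry
format the lab documents (leading 0 = deny, 1 = permit, then a filter
expression), a translator into the Cisco extended-ACL wording used in the
lab's Description column, and a first-match evaluator. The two dACL texts
below are constructed from the entries the lab shows.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

HOST_RE = re.compile(r"\(dst host (\S+)\)")
NET_RE = re.compile(r"\(dst net (\S+) mask (\S+)\)")
PORT_RE = re.compile(r"\(dst port (\d+)\)")


@dataclass
class Entry:
    permit: bool
    proto: Optional[str] = None                      # "tcp", "udp", or None for any IP protocol
    dst_net: Optional[ipaddress.IPv4Network] = None  # None = any destination
    dst_port: Optional[int] = None                   # None = any destination port

    def matches(self, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dst_net is not None and ipaddress.IPv4Address(dst_ip) not in self.dst_net:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

    def to_cisco(self) -> str:
        """Render the entry the way the lab's Description column does."""
        action = "permit" if self.permit else "deny"
        proto = self.proto or "ip"
        if self.dst_net is None:
            dst = "any"
        elif self.dst_net.prefixlen == 32:
            dst = f"host {self.dst_net.network_address}"
        else:  # Cisco extended ACLs write a subnet with a wildcard (inverse) mask
            dst = f"{self.dst_net.network_address} {self.dst_net.hostmask}"
        port = f" eq {self.dst_port}" if self.dst_port is not None else ""
        return f"{action} {proto} any {dst}{port}"


def parse_entry(line: str) -> Entry:
    """Parse one line such as '1 tcp and (dst host 10.1.100.21) and (dst port 8443)'."""
    text = line.split("#", 1)[0].strip()        # drop an annotation like the lab's "# 0 = Deny ..."
    action, _, expr = text.partition(" ")
    if action not in ("0", "1"):
        raise ValueError(f"entry must start with 0 (deny) or 1 (permit): {line!r}")
    entry = Entry(permit=(action == "1"))
    if expr == "all":
        return entry
    if expr.startswith(("tcp", "udp")):
        entry.proto = expr[:3]
    if m := HOST_RE.search(expr):
        entry.dst_net = ipaddress.IPv4Network(f"{m.group(1)}/32")
    elif m := NET_RE.search(expr):
        entry.dst_net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    if m := PORT_RE.search(expr):
        entry.dst_port = int(m.group(1))
    return entry


def parse_dacl(text: str) -> List[Entry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def evaluate_dacl(entries: List[Entry], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> bool:
    """The first matching entry decides; no match means deny, like the implicit '0 all'."""
    for e in entries:
        if e.matches(proto, dst_ip, dst_port):
            return e.permit
    return False


# Constructed from the lab's INTERNET_ONLY entries (deny the lab network, permit everything else).
INTERNET_ONLY = parse_dacl("""
0 (dst net 10.1.0.0 mask 255.255.0.0)   # 0 = Deny access to network 10.1.0.0/16
1 all                                   # 1 = Permit all
0 all                                   # implicit deny all
""")

# Constructed from the lab's POSTURE_REMEDIATION_IPEP entries: only the ISE Policy Service
# node's client-provisioning and posture ports (8443/tcp, 8905/tcp+udp, 8906/udp) are reachable.
POSTURE_REMEDIATION_IPEP = parse_dacl("""
1 tcp and (dst host 10.1.100.21) and (dst port 8443)
1 tcp and (dst host 10.1.100.21) and (dst port 8905)
1 udp and (dst host 10.1.100.21) and (dst port 8905)
1 udp and (dst host 10.1.100.21) and (dst port 8906)
0 all
""")

if __name__ == "__main__":
    for e in INTERNET_ONLY:
        print(e.to_cisco())
    print(evaluate_dacl(INTERNET_ONLY, "tcp", "10.1.100.21", 443))   # False: lab network denied
```

Because evaluation stops at the first match, the order of entries matters as much as their content: in INTERNET_ONLY the deny for 10.1.0.0/16 has to precede 1 all, or the permit would shadow it and the VPN client would reach the lab network. The evaluator makes that kind of shadowing visible with a single call per destination.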
Lab Exercise 6: OPTIONAL: Test and Monitor VPN Client Access for Employees via an Inline Posture Node using the NAC Agent
Exercise Description
The Inline Posture node is responsible for applying the appropriate enforcement and redirection
policies based on a VPN user's identity and posture status. This exercise verifies Employee
access via the VPN gateway using an Inline Posture node. Client Provisioning Services are also
validated for the Employee role, which is configured to use the NAC Agent. Posture Services
using an Inline Posture node are validated using the NAC Agent and an Employee AV Posture
Policy that requires Employees to have ClamWin AV installed and AV signatures current. Session
and policy monitoring are conducted using both ISE GUI-based and command-line tools.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Connect and authenticate to the lab network as an Employee using a VPN client to
verify ISE authentication through an Inline Posture node.
Download and install the NAC Agent over a VPN connection for posture assessment and
remediation.
Monitor the session status for the Employee from the ISE Inline Posture node console.
Review the session status for the Employee from the ISE admin interface.
Step 2 Establish a VPN session from the Windows 7 PC client as an Employee.
a. If not already open, launch the Cisco AnyConnect VPN Client using the shortcut from
the Windows desktop.
b. From the VPN client login window, make sure the Connect to: field is set to
asa.demo.local or the actual outside IP address of the ASA VPN gateway (10.1.60.1).
Click Select.
c. At the login prompt, enter the Employee's AD login credentials (employee1 / cisco123)
and then click Connect.
d. Accept any certificate warnings received. Optionally import the certificate to the local PC
store to prevent further warnings for this connection.
e. When VPN session is fully established, the AnyConnect window will close and the
AnyConnect icon in the Windows task tray will indicate Connected:
Step 3 Complete Employee posture assessment and remediation using the NAC Agent.
a. From the Win7-PC client, launch a web browser.
b. Since a URL redirect has been applied to the Inline Posture node for this session and the
NAC Agent has not yet been installed on the PC, the client is automatically redirected to
the Agent Downloader page to provision the posture agent identified in the Client
Provisioning Policy. Click the Click to install agent button.
c. Click Allow if prompted for permissions to install software.
d. The NAC Agent installer will run:
e. Follow the NAC Agent installation prompts and accept the license agreement and default
values to complete the provisioning process. If prompted by Windows UAC, enter
credentials admin / cisco123.
Note: Admin privileges are required to install NAC Agent for the first time. Once installed, upgrades can occur
without escalated privileges. NAC Agents can also be distributed using an MSI installer package.
f. A message should appear at the bottom of the original Agent Downloader window
indicating Cisco Agent was successfully installed! Close this window.
g. After installation of the NAC Agent is complete, agent discovery for ISE will occur and the
agent will popup to begin the posture assessment process. Due to an out-of-compliance
condition for the AV policy, remediation should be initiated. The Remediation Action was
set to Automatic so the message Remediating System will appear at the bottom of the
agent window as shown:
h. Auto-remediation will trigger the ClamAV client to update its signature definitions and a
notification should be viewable from the Windows task tray upon successful update:
The remediation server (updates.demo.local) is configured to download current AV signature files upon start
of the pX-www-int VM. If this process fails to complete, then the ClamAV client may fail to download the AV
signature files from the remediation server as shown above. If the above process fails, then go to Posture >
Policy from the ISE admin interface, and change the requirements for the posture rule named
Employee_Windows AV Installed and Current policy from Mandatory to Optional.
To specify posture requirements as Optional, navigate to the Requirements column of the posture policy rule
and expand the contents of the requirement. Click the icon to the right of the requirement name and
select Optional from the drop-down menu. Repeat for each requirement in the rule.
i. The Acceptable Use Policy page should display indicating Temporary Network Access.
The AUP was configured in a previous lab step to display for any NAC Agent user and to
point to a URL on an internal Web server. Click the link Network Usage Policy Terms
and Conditions to see the hosted AUP:
j. A new Web page will open to display the AUP. Close this window when ready to
proceed.
k. Click Accept to agree to the AUP. The login success screen should display indicating
Full Network Access and automatically close after 2 seconds per the agent configuration.
l. The client should now have full network access. To validate, open a Web browser and
verify that access to www.cisco.com is allowed.
Step 4 Review the active authentications from the ISE admin interface.
a. Go to the Admin client PC and access the ISE admin interface using the Mozilla Firefox
web browser. URL: https://ise-1.demo.local (admin / default1A)
b. Go to Monitor > Authentications and review the entries associated to the employee1:
c. Click the Details icon for the first (bottom) entry as shown in the graphic to view
additional details of the session. Note some of the key attributes of this session:
Username: employee1
MAC/IP Address: 10.1.60.200
Network Device: ise-4 : 10.1.70.1
Access Service: Default Network Access
Identity Store: demo.local
Authorization Profiles: Posture_Remediation_IPEP,NAD_Profile
Active Directory Domain: demo.local
Selected Identity Stores: demo.local,Internal Users
Authorization Policy Matched Rule: Employee_PreCompliant_IPEP
c. Note the Matched Rule in the Authorization Policy is Employee_PreCompliant_IPEP and
the corresponding profiles:
Inline Posture Node Profile = Posture_Remediation_IPEP
Standard Authorization Profile = NAD_Profile
g. Close the detailed session window. Note the third (top) entry in sample Authentication
Sessions diagram shows the explicit download of the PERMIT_ALL_TRAFFIC dACL to
the Inline Posture node. This entry will only display in the log for the first download. The
dACL is then cached on the Inline Posture node and is not downloaded again unless the
dACL is modified.
Step 5 Monitor the ISE session status for a VPN user from the Inline Posture node console.
a. Access the ISE Inline Posture node console.
b. View the current sessions established through the Inline Posture node using the
command show pep table session at the # shell prompt as shown:
c. The output should show that one session is currently established for IP address
10.1.200.10. This is the IP address assigned to the VPN client from the address pool.
The Profile ID value of 3 reflects the current dACL # applied to this session.
d. Enter the command show pep table accesslist to display the current dACLs deployed to
the Inline Posture node. Note the value of dACL #4 (starting from 0):
Interpreting the output of the dACL contents above:
Entry Description
Step 6 During the configuration of the Authorization Policy, an optional Standard Authorization Profile
named NAD_Profile was defined as a method to perform additional tracking and validation of
RADIUS communications between the ISE Policy Service node, ISE Inline Posture node, and
NAD.
Verify the correct processing of the optional Authorization Profile configuration named
NAD_Profile applied to the Inline Posture node rules in the Authorization Policy.
a. From the Windows 7 PC client, disconnect any previous VPN session by double-clicking
the AnyConnect icon in the Windows task tray. From the AnyConnect VPN Client
interface, select the Connection tab from the menu and then click Disconnect.
b. Establish a terminal session to the ASA (10.1.70.1) using the login credentials admin /
cisco123 (enable cisco123). From the privileged console, enter the command debug
radius decode to enable RADIUS debugging with packet decode.
c. From the Windows 7 PC client, if not already open, launch the Cisco AnyConnect VPN
Client using the shortcut from the Windows desktop. Click Select, log in using the
credentials employee1 / cisco123, and then click Connect.
d. Accept any certificate warnings received. When VPN session is fully established, the
AnyConnect window will close and the AnyConnect icon in the Windows task tray will
indicate Connected.
e. Since the NAC Agent has already been installed, once the VPN connection is established,
the NAC Agent will be able to communicate with the ISE system. The NAC Agent will
automatically display, briefly scan the system, and then display the AUP once posture
compliance has been validated.
Note that AV signatures have already been updated, and therefore remediation is not
required; only acceptance of the AUP is required per the configured policy.
Click Accept to agree to the AUP. The login success screen should display indicating
Full Network Access and automatically close after 2 seconds per the agent configuration.
f. The Win7-PC client should now have full network access. To validate, open a Web
browser and verify that access to www.cisco.com is allowed.
g. Go to the Admin client PC and access the ISE admin interface using the Mozilla Firefox
web browser. URL: https://ise-1.demo.local (admin / default1A)
h. Go to Monitor > Authentications and review the current entries associated to the
employee1. Click the Details icon for the first (bottom) entry of the last session:
i. A new window will open to display session details. Note the contents under the
Authentication Result section:
j. Return to the ASA console session and view the debug output. In the RADIUS
Response sent during authentication, a message similar to the following should be
displayed:
k. Verify the RADIUS response matches that shown from the ISE log.
Step 7 Additional Inline Posture node debugging.
a. To view additional log information directly from the Inline Posture node, login to the Inline
Posture node console using the credentials admin / default1A.
b. Use the command show pep loglevel to view current logging level.
c. Use the command pep set loglevel # to change the logging level (where # is a value from
0-3: 0 = info, 1 = warn, 2 = debug, 3 = trace).
d. To view the Inline Posture node logs, use the command show pep log. A useful option
is to use output modifiers to view the most recent log entries, as in the following example
to display the last 15 log entries:
# show pep log | last 15
e. Here is the sample log output with loglevel set to 3 (trace):
Note the details of the last Inline Posture node session established by user employee1.
Note the discovery of the endpoint IP address of 10.1.200.10 for user employee1 and the
application of dACLs: first POSTURE_REMEDIATION_IPEP before the user is determined
posture compliant, followed by PERMIT_ALL_TRAFFIC once the user is deemed posture
compliant.
It is critical that the ASA (or any NAD configured with an Inline Posture node) have
RADIUS Accounting enabled and sent to the Inline Posture node to learn the IP address
of the endpoint and to determine when devices have disconnected from the NAD.
Without the IP address, dACLs will fail to be applied to the Inline Posture node, even
though the ISE authentication log shows that the dACLs were sent to the Inline Posture
node. They will be received by the Inline Posture node, but cannot be applied without a
valid IP address associated to the session.
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.