Page 1 of 12

Lab 4: Access Policy for EasyConnect

Lab Overview
In this lab, you will configure Cisco ISE to support the EasyConnect feature. You will configure EasyConnect for Enforcement Mode and then configure Access
Policy for EasyConnect. You will validate EasyConnect Operation and then disable the EasyConnect feature.

EasyConnect provides port-based authentication similar to 802.1X, but easier to implement. EasyConnect learns about the authentication from Active
Directory and provides session-tracking for active network sessions. Session Directory notifications can be published with PxGrid.

Both EasyConnect and 802.1x can be configured on the same port, but you must have a different ISE policy for each service.

EasyConnect feature limitations:

• EasyConnect cannot be used with CWA or BYOD use cases.

• EasyConnect supports only Cisco devices.

• Endpoint logoff Event is not supported.

Estimated Completion Time

60 minutes

Lab Procedures
• Configure ISE to Support EasyConnect

• Modify the EasyConnect Policy Set

• Test EasyConnect Connections

• Disable EasyConnect

Perform Only If You Have Done a Reset

If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are accessing the system after you have attended the 5
day course), you will need to prepare or verify the environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Configure ISE to Support EasyConnect

In this task, you will affect the necessary configuration changes on the Cisco ISE to support EasyConnect. First, you will enable the feature itself, by enabling
the Passive Identity service on the dedicated Policy server (PSN) you intend to use for EasyConnect. This enables ISE to retrieve group and event information
from Active Directory.

1. Configure ISE to Support EasyConnect.

1.1. On the Admin-PC, open Firefox and use the ISE bookmark to log in to the ISE admin portal as admin/admin$Pwd.

1.2. Navigate to Administration > System> Deployment.

1.3. Click the ise link in the hostname column. Scroll down to enable Passive Identity Service, as shown below. Then click Save.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 2 of 12

1.4. It will take a few minutes for the service to start. Access the ISE CLI and verify that the service is running by issuing the show application status ise
command. Wait until the service is running before proceeding.

ise/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID

--------------------------------------------------------------------
Database Listener running 3457
Database Server running 65 PROCESSES
Application Server running 7188
Profiler Database running 4874
ISE Indexing Engine running 8967
AD Connector running 9578
M&T Session Database running 2961
M&T Log Collector running 7711
M&T Log Processor running 7573
Certificate Authority Service running 7409
EST Service running 7531
SXP Engine Service disabled
TC-NAC Docker Service disabled
TC-NAC MongoDB Container disabled
TC-NAC RabbitMQ Container disabled
TC-NAC Core Engine Container disabled
VA Database disabled
VA Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID Service running 30929
DHCP Server (dhcpd) disabled
DNS Server (named) disabled

2. The Active Directory Domain Controller has already been integrated with Cisco ISE. Even so, you must still configure a Domain controller for EasyConnect.

Note: EasyConnect uses Active Directory login audit events generated by the Active Directory domain controller to gather user login information. The Active
Directory server must be configured properly so the ISE user can connect and fetch user login information. To save time, the domain controller (Data-Srv)
has been pre-configured for you. To learn how to do this for yourself, see the ISE v2.1 Admin Guide section titled “Active Directory Requirements to Support
Passive Identity Service.”

2.1. Navigate to Administration > PassiveID > AD Domain Controllers.

2.2. Click Add to add a new domain.

2.3. In the General Settings section, enter the following values:

Setting Value

Display Name GKLABS AD

Domain FQDN gklabs.com

Host FQDN data-srv.gklabs.com

Username admin

Password admin$Pwd

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 3 of 12

2.4. Click the button labeled Verify DC connection settings. This should pass, as indicated in the example below. Be sure to click Submit.

2.5. Back on the AD Domain Controllers page, refresh to update the status and then click General Settings and note the default settings for AD-to-ISE
connections, as shown below and described in the table. The defaults are fine, this is merely an exploratory step. Click Cancel when you are done
reviewing these settings.

Settings Description

History Interval The time during which EasyConnect reads user login information that already occurred. This is required upon startup or restart of Identity
Mapping to catch up with events generated while it was unavailable.

User session The amount of time the user can be logged in. EasyConnect identifies new user login events from the DC, however the DC does not report
aging time when the user logs off. The aging time enables Cisco ISE to determine the time interval for which the user is logged in.

Use NTLMv1 or The communications protocol between ISE and the DC. Both ISE and DC should preferably be configured to use NTLMv2, which is the
v2 Protocol default on both ISE, and current Windows servers.

2.6. Additional information about Identity Caching:

◾ Once an identity has been mapped, it can be reused for merges until a new logon event from the same user, or until the cache expires (session
aging time).

◾ If a user disconnects and reconnects with the same IP address, then MnT will remerge the identity mapping, no additional login is required from
the end user.

◾ If another endpoint accesses the network with the same IP (deliberately or unintentionally) then they can be merged to the original AD user′s
identity mapping.

◾ If a user′s IP address changes, then they must log off and perform a new AD logon to refresh the ID mapping with current information.

Task 2: Modify the EasyConnect Policy Set

Now that the service is enabled, you need to configure policy result elements, which will then be leveraged in a policy set. First, you will create a restricted
Policy Result Element that only allows Passive Identity Tracking, which must be enabled for all profiles used for EasyConnect authorization. This ensures that
the EasyConnect process can run properly and enables ISE to issue a CoA to the NAD. Then you will create a DACL for the switch. When a user initially

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 4 of 12

connects, they are unknown, and so must be restricted to ONLY those minimum services required to authenticate to AD. This includes DHCP, DNS, and Active
Directory Services. You will also create Policy Result Elements for Employee Access and Contractor Access to the network. Finally, you will configure an
authentication policy that references this restricted Allowed Protocols list, and you will create an authorization policy that references the DACL.

3. Create a new list of allowed protocols for EasyConnect Authentication.

3.1. Navigate to Work Centers > Network Access > Policy Elements. In the left pane, choose Results> Allowed Protocols.

3.2. In the right pane, click the Add icon to create a new set of allowed protocols.

3.3. Name the list EasyConnect. Make sure that Process Host Lookup is the ONLY allowed protocol, all others should be disabled.

3.4. After validating that only Process Host Lookup is enabled and all others are not checked, scroll down and click Submit.

3.5. Allowed Protocols Services should look as follows.

4. Create DACLs for EasyConnect Authorization.

4.1. You should still be at Policy Elements> Results from the previous task. In the left pane, click Downloadable ACLs.

4.2. Click the Add icon and name the new DACL HOST_LOOKUP_ACL.

Note: Open a new tab in Firefox and use the DACL bookmark to view the list of DACLs for the course. Click the one with the name indicated to copy and
paste its contents.

4.3. In the DACL Content field, enter the following:

remark LDAP
permit tcp any host 10.10.1.25 eq 389
permit udp any host 10.10.1.25 eq 389

remark LDAP Global Catalog

permit tcp any host 10.10.1.25 eq 3268

remark kerberos
permit tcp any host 10.10.1.25 eq 88
permit udp any host 10.10.1.25 eq 88
permit tcp any host 10.10.1.25 eq 464
permit udp any host 10.10.1.25 eq 464

remark DNS
permit udp any host 10.10.1.25 eq 53
permit tcp any host 10.10.1.25 eq 53

remark SMB
permit tcp any host 10.10.1.25 eq 445
permit udp any host 10.10.1.25 eq 445

remark RPC
permit tcp any host 10.10.1.25 eq 135

remark NetBIOS
permit udp any host 10.10.1.25 eq 137

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 5 of 12

permit udp any host 10.10.1.25 eq 138

permit tcp any host 10.10.1.25 eq 139

remark NTP
permit udp any host 10.10.1.25 eq 123

remark DHCP Client

permit udp any host 10.10.1.25 eq 67

remark Dynamic Ports

permit tcp any host 10.10.1.25 range 49152 65535
permit udp any host 10.10.1.25 range 49152 65535

4.4. The DACL should look as follows.

4.5. Click Submit.

Note: The syntax of the DACL will be checked when you click Submit.

4.6. Click the Add icon and name the new DACL EMPLOYEE_ACL.

Note: Open a new tab in Firefox and use the DACL bookmark to view the list of DACLs for the course. Click the one with the name indicated to copy and
paste its contents.

4.7. In the DACL Content field, enter the following:

remark Denies access to the management subnet

deny ip any 10.10.2.0 0.0.0.255
remark Permits Internet and Corporate Access
permit ip any any

4.8. The DACL should look as follows.

4.9. Click Submit.

4.10. Click the Add icon and name the new DACL CONTRACTOR_ACL.

Note: Open a new tab in Firefox and use the DACL bookmark to view the list of DACLs for the course. Click the one with the name indicated to copy and
paste its contents.

4.11. In the DACL Content field, enter the following:

remark Allows DC access

permit ip any host 10.10.1.25
remark Deny access to Corporate
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
remark Permits Internet Access
permit ip any any

4.12. The DACL should look as follows.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 6 of 12

4.13. Click Submit.

5. Create Authorization Profiles for EasyConnect.

5.1. In the left pane, select Authorization Profiles.

5.2. Click Add and create an authorization profile with the following parameters.

Attribute Value

Name AD Access

Passive Identity Tracking enabled

DACL Name HOST_LOOKUP_ACL

Note: Passive Identity Tracking must be enabled for all authorization profiles used for EasyConnect authorization in order for the EasyConnect process to
run properly and enable ISE to issue a CoA.

5.3. Scroll down and click Submit.

5.4. Click Add and create an authorization profile with the following parameters.

Attribute Value

Name Employee Access

Passive Identity Tracking enabled

DACL Name EMPLOYEE_ACL

5.5. Scroll down and click Submit.

5.6. Click Add and create an authorization profile with the following parameters.

Attribute Value

Name Contractor Access

Passive Identity Tracking enabled

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 7 of 12

DACL Name CONTRACTOR_ACL

5.7. Scroll down and click Submit.

5.8. Standard Authorization Profiles should look as follows.

6. Configure the EasyConnect Policy Set.

You have just created a Policy Result for Authentication where Process Host Lookup is the only protocol allowed for authentication purposes. You also
created DACLs and authorization policies for authorization. You will now reference these elements in the EasyConnect Policy Set.

6.1. Navigate to Work Centers > Network Access > Policy Sets. (Or Policy > Policy Sets.)

6.2. In the left pane, select the Policy Set EasyConnect.

6.3. For the Authentication Policy, delete the MAB and Dot1X rules, then edit the Default Rule, as indicated below.

Attribute Value

Rule Name Default Rule (if no match) <Leave this section untouched>

Conditions Allowed Protocols > EasyConnect

And Use Internal Endpoints

If authentication failed Reject

If user not found Continue

If process failed Drop

6.4. Click Done and save your changes; your Authentication Policy should look as follows.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 8 of 12

6.5. For the Authorization policy, start by deleting all authorization rules except the default.

6.6. Edit the default Authorization rule′s Condition. Choose Standard > AD Access.

6.7. Click Done, and then click Save.

6.8. Click the triangle at the end of the Default Rule, and choose Insert new rule above. Add the following two authorization rules.

Attribute Value

Rule Name Employees

Conditions if Any

and PassiveID:PassiveID_Groups EQUALS GKLABS:gklabs.com/DomainGroups/Employees

Then Employee Access

Attribute Value

Rule Name Contractors

Conditions if Any

and PassiveID:PassiveID_Groups EQUALS GKLABS:gklabs.com/DomainGroups/Contractors

Then Contractor Access

6.9. Your EasyConnect Policy Set should look as follows.

6.10. Scroll down and click Save.

Task 3: Test EasyConnect Connections

In this task, you will verify the operation of EasyConnect from the perspective of both the Microsoft AD server, and the Cisco ISE.

7. Work with EasyConnect.

7.1. Access the L3-Switch and enter the commands to shut the port. Switch credentials are admin/admin$Pwd with enable secret of san-fran.

conf t
int g0/3
shut

7.2. Access User-PC2.

7.3. Log off if necessary, and log back in with the credentials gklabs\admin/admin$Pwd.

7.4. From the Windows taskbar, click Run and enter services.msc to open the services window.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 9 of 12

7.5. Verify that the Wired AutoConfig service is stopped and set it to have a startup type of Disabled.

Note: This ensures that 802.1X is neither configured nor functional on the Ethernet NIC.

7.6. Log off User-PC2.

7.7. Access the L3-Switch and enter the commands to open the port. Switch credentials are admin/admin$Pwd with enable secret of san-fran.

no shut
end

7.8. Log on to User-PC2 with the credentials employee1/gklabs.

7.9. Access the Admin-PC and, in the ISE GUI, navigate to Operations > RADIUS > Live Logs.

7.10.
Click the gear icon and clear the Endpoint ID column then click Go.

7.11.
Set refresh to Every 10 seconds.

7.12. You should see entries similar to the ones below (it may take a few seconds for them to show up, depending on the refresh rate selected).

Note: If you do not see all four entries discussed below, it may be that the HOST_LOOKUP_ACL is cached on the L3-Switch because of the User-PC on G0/2.
Issue the command show ip access-lists or show ip access-lists int g0/3 on the L3-Switch to verify it has downloaded.

In line 1 above, the machine is authenticated via MAB. The Policy Set named EasyConnect was matched. The default Authentication policy limited allowed
protocols to only Process Host Lookup (EasyConnect), and the default Authorization policy applied the AD Access Authorization Profile.

In Line #2, ISE sent a CoA to the switch, with the DACL named HOST_LOOKUP_ACL. This limited the endpoint to only those services which are required to get
authenticated: DHCP, DNS, and AD. The user was therefore able to authenticate to the AD server, with employee credentials. Due to the integration of Cisco
ISE and Microsoft AD, ISE learned of this successful AD authentication.

In line #3, you see the Employees Authorization policy was applied, with the Authorization profile named Employee Access.

In Line #4, ISE sent a new CoA to the switch, with the EMPLOYEE_ACL access-List.

7.13. Navigate to Context Visibility > Endpoints and click the MAC address (00:50:56:00:00:23) of the endpoint. In the Attributes tab of that view, you will
see much useful information, as shown below.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 10 of 12

7.14. Access the L3-Switch console and use the show authentication sessions command. You should see the DACL.

L3-Switch#show authentication sessions int g0/3 details

Interface: GigabitEthernet0/3
MAC Address: 0050.5600.0023
IPv6 Address: Unknown
IPv4 Address: 10.10.10.200
User-Name: 00-50-56-00-00-23
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Common Session ID: 0A0A02010000001704FFF6EC
Acct Session ID: 0x00000018
Handle: 0x1B000009
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
ACS ACL: xACSACLx-IP-EMPLOYEE_ACL-5936dd59

Method status list:

Method State

mab Authc Success

7.15. Access the Data-Srv and open Server Manager.

7.16. From the Tools menu, select Event Viewer.

7.17. In the left pane, navigate to Windows Logs > Security.

7.18.
In the far right pane, click Find and search for employee1.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 11 of 12

7.19. Click Find Next and search the list of events for one where Event ID = 4768. This should be an Audit Success message.

7.20. On User-PC2, log off as employee1 and log back in with the credentials contractor1/gklabs.

7.21. On the Admin-PC, view Operations > RADIUS > Live Logs.

7.22. You should see entries similar to the ones you just reviewed above, only resulting in Contractor Access.

7.23. Access the Data-Srv, Event Viewer > Windows Logs > Security. Refresh this view by right clicking the Security Log and choosing Refresh.

7.24. Search the list of events for the top-most event in the list where Event ID = 4768. Again, you should see an entry similar to the one above, only for
contractor1.

7.25. This validates that EasyConnect is functioning as correctly.

Task 4: Disable EasyConnect

Now that you have proven this concept, you should disable the EasyConnect feature so it does not interfere with future lab activities.

8. Modify the Device Group of the L3-Switch.

8.1. On the Admin-PC in the ISE GUI, navigate to Administration > Network Resources > Network Devices.

8.2. Edit the L3-Switch and change the Location from Test to HQ.

8.3. Scroll down and click Save; your Network Devices list should look as follows.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017
 Page 12 of 12

9. Disable the EasyConnect Policy Set.

Changing the Location of the L3-Switch from Test to HQ ensures that none of the current Network Devices will use the EasyConnect Policy Set. Here you will
also disable the Policy Set as an additional safety precaution.

9.1. Navigate to Work Centers > Network Access > Policy Sets.

9.2. Select the EasyConnect Policy Set in the left pane. Then click Edit at the end of the policy set.

9.3. Use the down arrow next to the Status icon and choose Disabled, as shown below.

9.4. Click Done at the end of the line, then scroll down and click Save.

9.5. Your Policy Sets should look as follows.

10. Disable the EasyConnect Service.

Lastly, you will disable the EasyConnect Service itself.

10.1. Navigate to Administration > System> Deployment.

10.2. Click the ise link in the hostname column. Scroll down to disable Passive Identity Service, as shown below.

10.3. Click Save.

Lab Complete

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L04.htm 19/09/2017