This lab guide includes the following exercises:
Lab Exercise 2-1: Enable ISE Probes, Verify Profiled Endpoints and Probe information
Lab Exercise 2-2: Enable Device Sensor and SNMP Query Profiles
Lab Exercise 2-3: Create Profiles and Authorization Policies using Logical Profiles
Lab Exercise 2-4: Profile Feed Service configuration with logging and reporting
Page 1 of 39
Device                 Name/Hostname           IP Address
                       3k-access.demo.local    10.1.100.1
                       3k-data.demo.local      10.1.129.3
                       wlc.demo.local          10.1.100.61
                       ap.demo.local           10.1.90.x/24 (DHCP)
ASA (5515-X)           asa.demo.local          10.1.100.2
ISE Appliance          ise-1.demo.local        10.1.100.21
AD (AD/CS/DNS/DHCP)    ad.demo.local           10.1.100.10
NTP Server             ntp.demo.local          128.107.212.175
LOB Web                lob-web.demo.local      10.1.129.12
LOB DB                 lob-db.demo.local       10.1.129.20
                       admin.demo.local        10.1.100.6
                       ftp.demo.local
Windows 7 Client PC    w7pc-1.demo.local       10.1.50.x/24 (DHCP)
VLAN   Name         IP Subnet                          Description
10     ACCESS       10.1.10.0/24
20     MACHINE      10.1.20.0/24, 10.1.29.0/24 (29)
30     QUARANTINE   10.1.30.0/24
40     VOICE        10.1.40.0/24                       Voice VLAN
50     GUEST        10.1.50.0/24
90     AP           10.1.90.0/24                       Wireless AP VLAN
100    Management   10.1.100.0/24
129    WEB          10.1.129.0/24
130    DB           10.1.130.0/24
Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.
Access To                  Account (username/password)
                           admin / ISEisC00L
                           admin / ISEisC00L
                           admin / ISEisC00L
ASA (5515-X)               admin / ISEisC00L
ISE Appliances             admin / ISEisC00L
AD (CS/DNS/DHCP)           admin / ISEisC00L
Web Servers                admin / ISEisC00L
                           admin / ISEisC00L
Windows 7 Client           W7PC-1\admin / ISEisC00L
                           DEMO\admin / ISEisC00L (Domain = DEMO)
                           DEMO\employee1 / ISEisC00L
To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components.
Note: Admin PC access is through RDP; therefore you must have an RDP client installed on your computer.
c.
Note:
admin / ISEisC00L
From the Admin client PC, click the VMware vSphere Client icon on the desktop.
Step 2
Step 3
Once logged in, you will see a list of VMs that are available on your ESX server:
Step 4
You have the ability to power on, power off, or open the console (view) of these VMs. To do so,
place the mouse cursor over the VM name in the left-hand pane and right-click to select one of
these options:
Step 5
Step 6
To log in to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Step 7
For this lab ensure that the following VMs are up and running:
b. Select the device that you'd like to log into and double-click on it.
c.
If prompted, click Yes to cache the server host key and to continue login.
d. Log in using the credentials listed in the Accounts and Passwords table.
The ping test may fail for VMs that have not yet completed the boot process. Otherwise, inform the instructor if
you have problems pinging devices required during the lab, such as the Cisco switch, WLC, ISE server, etc.
Exercise Objective
Log in to the Identity Services Engine admin portal, join the AD domain, load the WLC configuration and
verify the network device configuration of the Cisco 3560-X access switch. Also verify from the CLI
of the Cisco 3560-X access switch that the RADIUS and interface configurations are properly
configured.
As part of a previous lab, the ISE appliance was joined to the Windows AD domain demo.local.
To prevent issues after lab pod initialization, the ISE appliance was deliberately removed from
the domain using the Leave function. To complete this lab, it will be necessary to rejoin the ISE
appliance to the AD domain. Access the ISE admin interface to rejoin the Windows AD domain.
a. Go to the Admin client PC and launch the Mozilla Firefox web browser. Enter the
following URL in the address field:
https://ise-1.demo.local
b. Log in with username admin and password ISEisC00L
(Accept/Confirm any browser certificate warnings if present)
The ISE Home Dashboard page should display. Navigate the interface using the multilevel menus.
Step 2
Step 3
Go to Administration > Identity Management > External Identity Stores and select Active
Directory from the left-hand pane then verify the connection status as not joined to Domain.
Select ise-1 and click Join at the bottom of the configuration page:
Enter the credentials admin / ISEisC00L when prompted to allow the AD operation, and then
click OK.
Step 5
After a few moments, a message should appear to indicate that the node has successfully
joined the domain and the status will show as completed; then click Close.
Step 6
You should now see the status as Connected to: ad.demo.local as shown in the example
below.
Step 7
Select the Groups tab at the top of the AD Server configuration page.
Step 8
Since AD groups were retrieved during the AD Join in a previous lab, the original saved
configuration should still be present. Verify the following groups are displayed at a minimum. If
not, re-add them and re-save the configuration:
demo.local/HCC/Groups/Employees
demo.local/HCC/Groups/Staff
demo.local/Users/Domain Admins
demo.local/Users/Domain Users
WLC Configuration
Step 1
   File Type:                       Configuration
   Configuration File Encryption:   (unchecked)
   Transfer Mode:                   FTP
   IP Address:                      10.1.100.6
   File Path:                       /
   File Name:                       p##-wlc-4hr.txt
   Server Login Username:           ftp
   Server Login Password:           ftp
   Server Port Number:              21
Note: The ## in p##-wlc-4hr.txt is to be replaced with your assigned pod; ex: p02-wlc-4hr.txt for pod 2.
c.
Click the Download button in the right-hand corner to start the file transfer. The
following message pops up after clicking the Download button. Click OK.
Note: The WLC will automatically reset after downloading the updated configuration. You can optionally use ping -t
wlc to monitor the WLC and see when it has finished rebooting.
Go back to the Admin client PC and return to your ISE browser session. Log in again if needed.
https://ise-1.demo.local
Step 2
Step 3
Verify your network access switch (3k-access) is set up and configured correctly.
a. Go to Administration > Network Resources > Network Devices and select 3k-access.
b. Verify the configuration of the 3k-access switch IP address as shown in the example
below. Verify the authentication settings and the shared secret being used. Click the
Show button and verify that ISEisC00L is the shared secret.
Step 4
Now from the Admin PC desktop, launch the shortcut for the PuTTY SSH client to start a
terminal session to the 3k-access switch (10.1.100.1) using the credentials admin /
ISEisC00L (enable password cisco123). Click Yes on any PuTTY security warnings.
Step 6 On the access switch, verify the configuration required for interface g0/1 using the
show run interface g0/1 command. It is okay that the interface is currently in shutdown
mode; the interface will be enabled later in the exercises.
Step 5
interface GigabitEthernet0/1
 description dot1X/mab clients
 switchport access vlan 50
 switchport mode access
 switchport block unicast
 switchport voice vlan 40
 shutdown
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
Using the show run aaa command, verify the switch configuration for RADIUS Server
commands including AAA authentication and accounting commands for Dot1x and network. Also
verify the RADIUS Server VSA attributes are enabled.
Step 7
ISE 1.2 Profiling Lab.docx Version 1.0.1
Lab Exercise 2-1: Enable ISE, Probes, and Network Device for Profiling
Exercise Objective
At the end of this exercise you will learn how to enable ISE probes including DHCP, HTTP,
Radius, SNMP Query and Device Sensor on the ISE Policy Service Node (PSN).
Step 2
Step 3
Step 4
Step 5
In General Settings, verify Policy Service and the Enable Profiling Service are enabled.
Step 6
In the right-hand pane, click the Profiling Configuration tab and enable the following probes.
a. Enable DHCP Probe using the interface GigabitEthernet 0 (default interface) with the
default UDP port 67.
b. Enable HTTP Probe with the default interface.
c.
Step 7
Click the Save button and make sure your changes were saved successfully.
Step 8
From the ISE server under Administration > Network Resources > Network Devices,
configure the SNMP configuration for the 3k-access layer switch.
a. Click on the 3k-access switch and scroll to the SNMP Settings window.
b. Configure the following settings:
i. SNMP box is checked to enable the configuration.
ii. SNMP version 2c
iii. SNMP RO Community ISEisC00L
iv. Change the Polling Interval from the default of 3600 seconds to 600 seconds
v. Verify Link Trap Query is enabled.
vi. Verify MAC Trap Query is enabled.
c.
Note: The polling interval set to 600 seconds is for LAB use only. You can use multiple interfaces to enable
certain ISE probes, which can help with scaling of the probe traffic to the Policy Service Node(s). You can
also enable ISE Profiling on additional PSNs based on proper licensing.
Step 9
Enable the global Change of Authorization (CoA) for profiling. This will allow any
authorization/profiling changes of a device to be sent to the NAD for that endpoint.
a. Go to Administration > System > Settings > Profiling
b. Change the CoA Type: to Reauth
c.
Note:
Use caution when enabling this feature for the first time. The Change of Authorization (CoA) will occur
automatically for all newly profiled endpoints.
Step 10 Verify the default actions for profiled devices. From the ISE web portal go to Policy > Policy
Elements > Results > Profiling > Exception Actions. Here you will see the default Profiler
Actions for AuthorizationChange, EndPointDelete and FirstTimeProfile. If you click on one of the
default profiler names, you will see the CoA Action set to Force COA.
Note: Advanced Exception actions will not be covered in this lab.
Step 11 From the Administration > System > Settings > Protocols > RADIUS disable the options for
NOTE: For lab purposes, proof-of-concepts and initial profiling it is recommended to disable
the suppress anomalous clients option to better monitor Operations > Authentications.
Lab Exercise 2-2: Enabling SNMP Query, DHCP and Device Sensor Probes
Exercise Objective
In this exercise you will verify the configuration of the SNMP query and DHCP probes and the device
sensor feature on the Cisco wired switch and Wireless LAN Controller, and then verify that DHCP
and CDP data are being sent from the wired switch and that DHCP and HTTP data is being sent from
the WLC to the ISE PSN node via RADIUS Accounting packets.
From Putty, SSH into the 3k-access switch with the admin/ISEisC00L credentials.
Step 2
Verify the SNMP server configuration on the access switch using the show run | include
snmp-server command.
Step 3
For the DHCP probe configuration, we need to verify that the access layer switch has the
additional IP helper address for the ISE appliance (10.1.100.21) on interface Vlan 50, so that DHCP
packet information is sent to the ISE DHCP probe.
Step 4
From the vSphere Client, open a console session to the p##_w7pc-guest VMware image.
Log in with the credentials admin/ISEisC00L, then start the Control Panel application and select
View network status and tasks under the Network and Internet section. Next click Change
adapter settings, then right-click the w7pc-guest-wired interface and select Enable.
Step 5
Use the getmac command from the Windows command prompt and record the MAC address of
your Windows 7 guest PC operating system below for future reference.
MAC Address:___________________________
Step 6
Enable SNMP debug to verify SNMP data is being sent to the ISE PSN.
config terminal
logging monitor 7
end
terminal monitor
debug snmp packet
Step 7
From the SSH session to the 3k-access, enable the interface g0/1 using the no shutdown
command.
Step 8
Next, from a Windows command prompt, verify that you have received an IP address from the
DHCP server using the ipconfig command.
Step 9
Verify SNMP communication between the ISE node and the switch. You should see the SNMP
requests coming into the switch from ISE-1, similar to those shown below. You should also see
the switch's responses to the SNMP MIB requests from the ISE Profiling Service.
Step 10 From the ISE admin web portal go to the Administration > Identity Management > Identities
Note: Initially your endpoint profile for the Windows 7 Guest PC will be learned from the DHCP Probe
data received by ISE from the access switch. Once the SNMP query runs the endpoint profile data
will be updated as shown in the next example.
Step 12 After about 60 seconds, refresh the endpoint database and re-select your endpoint MAC
address. You will eventually see the endpoint profile attributes updated to include the SNMP
query probe data received.
Step 1
Step 2
conf t
interface Vlan50
no ip helper-address 10.1.100.21
Step 3
From Administration > Network Resources > Network Devices, edit the 3k-access switch
configuration.
Step 4
UNCHECK the box for the SNMP Settings configuration and then click the SAVE button.
NOTE: We are disabling the DHCP IP helper address and the SNMP Query as per best practice when
using the Device Sensor feature, to keep from receiving the same profiling data multiple times. This will also
eliminate extra replication processing for the ISE databases.
Step 5
From the Access switch SSH session, add the following commands to enable the device-sensor
configuration.
device-sensor filter-list cdp list ISE
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name platform-type
!
device-sensor filter-spec cdp include list ISE
!
device-sensor filter-list dhcp list DHCP
 option name host-name
 option name class-identifier
 option name client-identifier
!
device-sensor filter-spec dhcp include list DHCP
!
device-sensor accounting
device-sensor notify all-changes
epm logging
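A compliance check over the lab's own switch configuration, added here as an example (it is not part of the original lab guide or of Cisco ISE): it parses saved show running-config text and reports which of the 802.1X/MAB interface commands from the g0/1 example and which of the device-sensor commands above are missing. The parser is generic for IOS indented sections, so the same check works for any interface or global block; the sample config is constructed with two deliberate omissions.

```python
"""Check saved `show running-config` text against the 802.1X/MAB interface
commands and device-sensor globals this lab expects. Added example for the
lab guide, not part of the original lab or of Cisco ISE; it runs offline."""

# Required commands, keyed by the unindented config line that owns them.
# Interface entries come from the lab's `show run interface g0/1` output,
# device-sensor entries from Exercise 2-2 Step 5.
REQUIRED = {
    "interface GigabitEthernet0/1": [
        "authentication open", "authentication order mab dot1x",
        "authentication priority dot1x mab", "authentication port-control auto",
        "authentication host-mode multi-auth", "mab", "dot1x pae authenticator",
        "snmp trap mac-notification change added",
    ],
    "device-sensor filter-list dhcp list DHCP": [
        "option name host-name", "option name class-identifier",
        "option name client-identifier"],
    "device-sensor filter-spec dhcp include list DHCP": [],
    "device-sensor accounting": [],
    "device-sensor notify all-changes": [],
}

def parse_running_config(text):
    """Map each unindented config line to the set of indented lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":   # blank or '!' closes the current section
            current = None
        elif line[0] in " \t":        # indented: child of the current header
            if current is not None:
                sections[current].add(line.strip())
        else:                         # global command or section header
            current = line
            sections.setdefault(current, set())
    return sections

def missing_commands(text, required=REQUIRED):
    """Return {header: [missing children]}; absent header -> ['<section absent>']."""
    sections, missing = parse_running_config(text), {}
    for header, children in required.items():
        if header not in sections:
            missing[header] = ["<section absent>"]
        else:
            gaps = [c for c in children if c not in sections[header]]
            if gaps:
                missing[header] = gaps
    return missing

# Constructed sample (not captured from the lab pod): the g0/1 block with
# `authentication open` left out and `device-sensor accounting` omitted.
SAMPLE_CONFIG = """\
device-sensor filter-list dhcp list DHCP
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list DHCP
device-sensor notify all-changes
!
interface GigabitEthernet0/1
 shutdown
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
"""
```

Feed it the output of show running-config captured from the PuTTY session; an empty result means every required command is present, and untracked lines such as shutdown are ignored.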
Step 6
From Administration > Identity Management > Identities, select the Endpoints folder and then
remove the existing endpoint for the Windows 7 Guest PC VMware image again.
Step 7
Next perform a shutdown/no shutdown on interface g0/1 from the access switch that will then
have radius accounting packets sent to ISE, which will recreate the endpoint profile.
Step 8
Verify the endpoint data was generated from the Device Sensor (RADIUS Accounting packets)
as per the example below.
Step 9
Now from the Windows 7 system, start a browser session going to www.bing.com. You will see
the ISE policy service node (PSN) URL redirect to the guest service portal. From the redirect
the ISE profiling engine will now get additional data from the HTTP user-agent string.
Step 10 Now go back to the ISE browser session and refresh the endpoint profile for the Windows 7
From Policy > Authorization, create a new authorization policy for the IP Camera before
the Guest DOT1X authorization policy.
   Rule Name: IP Camera
   Conditions (Identity groups and other conditions):
      Identity: Any
      Select Attribute Conditions: Create New Condition (Advance Option)
Step 12
      Expression: Endpoints > Endpoint Policy EQUALS > Cisco Device (folder) > Cisco-IP-Camera
   Then: Standard > Permit Access
Step 13 Now no shutdown the interface g0/2 from the 3k-access switch. Then give the IP Camera
endpoint a few minutes to power up and initialize. You can verify from Operations >
Authentications when the endpoint has been profiled.
Step 14 From Administration > Identity Management > Endpoints, verify the endpoint profile for
the IP Camera.
From your browser, open a session to the Wireless LAN Controller (WLC). https://wlc.demo.local
Step 2
Step 3
Step 4
Step 5
Next click on the Advanced tab for the n-p##-TS-WPA2 WLAN where ## is your pod number.
Step 6
Scroll down to the Client Profiling section and select DHCP Profiling.
When you select the DHCP Profiling probe, the warning message shown below is displayed; click
OK.
Step 7
Step 8
Next select the HTTP Profiling and then click APPLY button in the upper-right hand corner.
Step 9
Verify the configuration for the Client Profiling as shown in the example below.
Step 12 From the Home screen of the VNC connection to the iPad, select the Settings button at the
Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with track
pad) Touch with two fingers on the track pad if Secondary Click is configured.
Mouse: The mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your
local keyboard for input.
Notes: The Tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to
type into and click on it.
When interacting with the iPad VNC session, a US keyboard is preferred. If you have a mouse attached to your computer you will also find
it easier to navigate the iPad session.
A US keyboard is needed for the RDP session too unless you have additional language packs installed to provide keyboard mappings.
This applies only to the RDP sessions.
Note: The next steps are to ensure that the iPad device is starting clean for the next part of the lab.
Step 1
Step 2
Step 3
Next we will clear out any cached history, cookies and data stored with Safari.
a. Settings > Safari
b. Click Clear History
c. Click Clear Cookies and Data
Now that your Apple iPad is cleaned up, we can proceed with the rest of the lab. Select the Wi-Fi
menu option and turn on Wi-Fi.
Step 4
Step 5
From the Choose a Network list, select the n-pXX-TS-WPA2e SSID (where XX is your pod number).
When prompted, enter the username and password employee1 / ISEisC00L and
click the Join button.
Step 6
Step 7
From the ISE administration browser, Administration > Identity Management > Identities >
Endpoints and select the Apple iPad endpoint profile and verify the profile data that was learned.
Step 8
Lab Exercise 2-3: Create Profiles and Authorization Policies using Logical Profiles
Exercise Objective
In this exercise you will configure a new Logical Profile for the company's smart devices,
including Android, Apple-iDevices, Apple-iPads and Apple-iPhones. Once the new logical profile is
configured, you will create a new authorization policy using it.
From Policy > Profiling > Logical Profiles click the Add button
Step 2
Build the following logical profile as shown in the example below and save.
Policy > Authorization and create the new rule after the IP-Camera policy.
Step 3 From the Operations > Authentications click on the Show Live Sessions button in the
left-hand corner.
Step 4 Find the session for your iPad (match the identity employee1) and using the CoA Action
dropdown box select Session Reauthentication. This will send a change of authorization to
the WLC forcing a new authentication and authorization process.
Step 5 Go back to Administration > Identities > Endpoints and select the Apple-iPad
Endpoint Profile and note the changes in the updated endpoint profile as shown in the example
below.
Exercise Objective
In this exercise, you will configure the Profiler Feed Service option. You will then run the profile
update feature and see the resulting profile and OUI updates. Next you will run one of the reports
for Profile Feed Service.
From the vSphere client power on the p##_ISE-FeedService and p##_Mail images.
Step 2
Step 3
Check the box to Enable Profiler Feed Service and click the OK button on the following
warning message.
Step 4
Step 5
Step 6
Check the box to notify administrator when download occurs and enter the email address of
admin@demo.local for the administrator email address.
Step 8 Add the following values for the Feed Service Subscriber Information.
a. Administrator
b. Administrator
c. Administrator
d. Administrator
a. From the Admin PC, locate the PuTTY SSH client on the desktop and SSH to the ise-1
command-line interface (CLI) using the credentials admin / ISEisC00L.
b. Issue the CLI command show application status ise to ensure that all ISE applications
are running.
c. Issue the CLI command terminal length 0 to make the verbose log easier to navigate.
d. Issue the show logging application ise-psc.log tail | include FEED command to monitor the
download from the feed server.
Step 11 From the ISE GUI, from Administration > Feed Service > Profiler, click on the Update Now
Step 13 Switch back to the Putty SSH session and wait for the download to begin and should see log
Step 14 The keyword FEEDMANUALDOWNLOAD indicates that this was initiated by the Update Now
manual option. For the automatic updates, the keyword would be FEEDAUTODOWNLOAD as below:
Run the report for the ISE Profile Feed Service by running a query for the new OUIs
downloaded.
a. Navigate to Operations > Reports.
b. Select Deployment Status from the left-hand panel.
c.
f.
h. Take a note of the Object Name field and the Modified Properties.
Step 2
Also run the Operations Audit report from Operations > Reports > Deployment Status
> Operation Audit and click the RUN button.
End of Profiler Lab: You have successfully completed all the exercises for
this lab.