Lab Overview
ISE_1.3_PVT_Lab_Guide_2014-11-14.docx 11/17/2014 10:17:00 AM PST Page 1 of 70
Cisco ISE 1.3 Lab Guide
Developers and Lab Proctors
This lab was created by the Secure Access and Mobility Technical Marketing teams, with main contributions from Jason Kunst, Imran Bashir, and Hsing-Tsu Lai.
Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine (ISE), focusing on new key ISE 1.3 features such as Active Directory Multi-Join, ISE Internal Certificate Services, and many Guest enhancements. In the lab, students will learn how to configure ISE to connect to multiple AD domains and how to use the ISE internal CA to issue certificates for BYOD endpoints. The lab also covers the new Guest UI available in ISE 1.3.
Lab participants should be able to complete the lab within the allotted time of 2 hours.
Lab Exercises
This lab guide includes the following exercises:
- Lab Exercise 1: Active Directory Multi-Join
- Lab Exercise 2: BYOD with Internal CA
- Lab Exercise 3: AnyConnect Unified Agent
- Lab Exercise 4: Guest Access Management
Product Overview: ISE
Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time information from the network, users, and devices. ISE then uses this information to make proactive governance decisions by enforcing policy across the network infrastructure using built-in, standards-based controls. Cisco ISE offers:
- Security: Secures your network by providing real-time visibility into and control over the users and devices on your network.
- Compliance: Enables effective corporate governance by creating consistent policy across an infrastructure.
- Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive tasks and streamlining service delivery.
- Enablement: Allows IT to support a range of new business initiatives, such as bring your own device (BYOD), through policy-enabled services.
Lab Topology
Lab IP and VLANs

Internal IP Addresses

Device                           Name/Hostname                            IP Address
Access Switch (3560CG)           3560CG.demo.local or 3560CG              10.1.100.1
Wireless LAN Controller          vwlc.demo.local                          10.1.100.41
(virtual)
Wireless Access Point (varied)   ap.demo.local                            10.1.90.x/24 (DHCP)
ASA (5505)                       asa.demo.local                           10.1.70.1
ISE Appliance                    ise-1.demo.local                         10.1.100.21
AD (AD/CS/DNS/DHCP)              ad.demo.local                            10.1.100.10
Mail                             mail.demo.local                          10.1.100.40
Services                         services.demo.local, ntp.demo.local      10.1.100.12
                                 portal.demo.local, updates.demo.local    10.1.100.222
                                 business.demo.local                      10.1.100.223
                                 it.demo.local                            10.1.100.224
                                 records.demo.local                       10.1.100.225
Admin (Management) Client        admin.demo.local                         10.1.100.6
(also FTP Server)                ftp.demo.local

Internal VLANs and IP Subnets

VLAN   VLAN Name    IP Subnet          Description
10     ACCESS       10.1.10.0/24       Authenticated users or access network using ACLs
20     MACHINE      10.1.20.0/24       Microsoft machine-authenticated devices (L3 segmentation)
50     GUEST        10.1.50.0/24       Network for authenticated and compliant guest users
90     AP           10.1.90.0/24       Wireless AP VLAN
99     LAB.LOCAL    10.1.99.0/24       AD domains lab.local and sam.lab.local
100    Management   10.1.100.0/24      Network services (AAA, AD, DNS, DHCP, etc.)
130    DB           10.1.130.0/24      Line-of-business database servers
172    ISE.LOCAL    172.17.100.0/24    AD domain ise.local
Accounts and Passwords

Access To                           Account (username/password)
Access Switch (3560CG)              admin / ISEisC00L
Wireless LAN Controller (virtual)   admin / ISEisC00L
ASA (5505)                          admin / ISEisC00L
ISE Appliances                      admin / ISEisC00L
AD (CS/DNS/DHCP)                    admin / ISEisC00L
Services Servers                    admin / ISEisC00L
Admin (Management) Client           admin / ISEisC00L

Connecting to Lab Devices
Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.
Connect to a POD
Step 1 Launch the Remote Desktop application on your system.
a. Connect to your POD Admin PC using RDP.
b. Login as admin / ISEisC00L
Note: All lab configurations can be performed from the Admin client PC.
Connect to ESX Server Virtual Machines
During the lab exercises, you may need to access and manage the computers running as virtual machines.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the taskbar.
Step 2 Click OK when the VMware vSphere Client starts.
Step 3 You can power on, power off, or open the console (view) of these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options:
a. To access the VM console, select Open Console from the drop-down.
b. To login to a Windows VM, select Guest > Send Ctrl+Alt+Del from the VM Console menu:
Step 4 For this lab, ensure that the following VMs are up and running:
- p##-ad
- p##-ise-1-13update
- p##-mail
- p##-services
- p##-vWLC
- p##-admin (might not be visible)
- p##-w7pc-corp (should be powered off)
- p##-ws2012r2-lab.local
- p##-ws2012r2-sam.lab.local
## refers to the pod number that you are assigned to. E.g., for POD 2, p##-ad would be p02-ad.
w7pc-guest may be powered on manually during the exercises.
Connect to Lab Device Command-Line Terminal
Step 1 To access the lab switches and ISE servers using SSH:
a. From the Admin client PC, locate the PuTTY shortcut on the taskbar. Click the PuTTY shortcut; it shows a list of devices and ISE servers.
b. Select the device that you'd like to log into and double-click on it.
c. If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.
Pre-Lab Setup Instructions
Basic Connectivity Test
Step 1 To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC.
Step 2 Verify that ping succeeds for all devices tested by the script.
Controlling iPad via VNC Client
Below are some tips for controlling the iPad UI via the VNC client, which will be useful for the entire lab:
- Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with trackpad) Touch the trackpad with two fingers, if Secondary Click is configured.
- Mouse: The mouse pointer mimics touching the iPad screen with one finger.
- Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
- Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
Note: The Tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to type into and click on it.
Note: When interacting with the iPad VNC session, a US keyboard is preferred.
Note: A US keyboard is also needed for the RDP session unless you have additional language packs installed to provide keyboard mappings. This applies only to the RDP sessions.
Lab Exercise 1: Active Directory Multi-Join
Exercise Description
ISE customers often have users from several AD domains. The main reasons are:
- Multi-Tenant: Service Providers, to manage authentications for customers
- Enterprise: Acquisition, e.g. Company A buys Company B; Segmentation, to separate production from lab/test instances or because of security concerns (e.g. PCI)
Before ISE 1.3, an ISE deployment could join only one Microsoft Active Directory (AD) domain and required two-way trusts to authenticate users located in other AD domains. Now an ISE 1.3 deployment can join directly to multiple AD domains to authenticate users and computers in them. ISE 1.3 represents each AD instance as an AD Join Point, each of which is essentially the same as the AD identity store in previous releases.
Exercise Objective
In this exercise, you are to explore new features implemented for ISE 1.3 Active Directory. You are to:
- (Join Point #1) Join to a simple domain demo.local and check out the new user interface
- (Join Point #2) Add and join to the second domain sam.lab.local and experiment with authentication domains
- Create a simple Identity Rewrite rule
- Learn about the new Diagnostic Tools
Step 1 Login to ISE admin web portal
a. Launch the Mozilla Firefox web browser. Enter the URL https://ise-1.demo.local
b. Login with username admin and password ISEisC00L
(Accept/Confirm any browser certificate warnings if present)
The ISE Dashboard should display. Navigate the interface using the multi-level menus.
Step 2 Access the ISE Active Directory configuration page by navigating to Administration > Identity Management > External Identity Sources and select Active Directory from the left-hand pane.
Step 3 Join ise-1 to demo.local (in a single-domain forest)
a. Click the hyperlink demoAD under the Join Point Name column.
b. Tick the checkbox next to ISE node ise-1.demo.local and then click Join.
c. In the Join Domain pop-up window, fill in:
* AD User Name: admin
* Password: ISEisC00L
Specify Organizational Unit: OU=ISE,OU=HCC,DC=DEMO,DC=LOCAL
Note 1: Specifying an organizational unit is new in ISE 1.3 and is optional in this step, as admin is a domain admin user. When used, it creates the ISE computer object in a location other than the Microsoft AD default location, which is CN=COMPUTERS,DC=DEMO,DC=LOCAL.
Note 2: OU=ISE,OU=HCC is pre-created in this lab's AD domain demo.local to demonstrate this option.
d. Click OK to start the join operation.
e. A Join Operation Status window will pop up. Wait until the node status turns Completed, and then click Close.
f. The Connection tab should show ad.demo.local as the domain controller and Default-First-Site-Name as the site.
g. Click the Groups tab to view the pre-defined groups.
h. In case of an upgrade or renamed groups, also click Update SID Values to get the latest group-to-SID mappings. Save when done.
Step 4 Join ise-1 to sam.lab.local (a child domain in a two-domain forest)
a. Click Active Directory from the left-hand pane to return to the main configuration page.
b. Click Add. In the Connection tab, fill in:
* Join Point Name: sam.lab.local
* Active Directory Domain: sam.lab.local
Note: The Join Point Name is the ISE dictionary name for this external identity source and needs to be unique among all identity sources. Although here we use the same name as its AD domain, they are not required to match.
c. Click Submit when done.
d. After the page reloads following the create, click Yes when prompted: Would you like to Join all ISE Nodes to the Active Directory Domain?
e. In the Join Domain pop-up window, fill in:
* AD User Name: lisa
* Password: ISEisC00L
Specify Organizational Unit: OU=theSimpsons,DC=SAM,DC=LAB,DC=LOCAL
Note: OU=theSimpsons is pre-created in sam.lab.local. lisa is not a domain admin user but is granted Full Control permissions for OU=theSimpsons through AD delegation of control, so she can create and delete the computer object for ise-1 in this OU.
Note: This AD is using the Microsoft default security policy, which allows any domain user to add workstations to the domain. For example, another domain user maggie can also join ise-1 to the AD domain, with the ise-1 computer account created at the default location but NOT in this OU. Neither lisa nor maggie can delete the ise-1 computer account at the default location.
f. Click OK to start the join operation.
g. A Join Operation Status window will pop up. Wait until the node status turns Completed, and then click Close.
h. The Connection tab should show ws2012r2-2.sam.lab.local as the domain controller and Default-First-Site-Name as the site.
Step 5 Authentication Domains (a.k.a. Domain Whitelisting) in Join Point sam.lab.local
a. Click the Authentication Domains tab to review the current settings. The checkbox Use all Active Directory domains for authentication is shown as selected, which is the default. The domain sam.lab.local is a child domain of lab.local. Both AD domains are shown with a YES value in their Authenticate column, so users from either domain can authenticate.
Step 6 Test Authentication Domains with the default Use all Active Directory domains for authentication in Join Point sam.lab.local
a. Click back to the Connection tab. Tick ise-1.demo.local and click Test User.
b. Test User Authentication with a user in lab.local (the parent domain). In the Test User Authentication window, fill in:
* Username: homer
* Password: ISEisC00L
Authentication Type: MS-RPC (drop-down)
Authentication Data: Retrieve Groups, Retrieve Attributes
c. Click Test. The authentication result should be SUCCESS.
d. Click Close when done viewing the results.
Step 7 Test Authentication Domains with only the selected AD domain sam.lab.local
a. Click the Authentication Domains tab.
b. Un-tick the option Use all Active Directory domains for authentication. Note that the Authenticate column turns from YES to NO for both domains.
c. Select sam.lab.local and click Enable Selected to turn its Authenticate column to YES. Then, Save.
d. Click the Connection tab. Select ise-1.demo.local and click Test User.
e. Test User Authentication with a user in lab.local (the parent domain). In the Test User Authentication window, fill in:
* Username: homer
* Password: ISEisC00L
Authentication Type: MS-RPC (drop-down)
Authentication Data: Retrieve Groups, Retrieve Attributes
f. Click Test. The authentication result should be FAILED.
g. Click Close when done viewing the results.
Step 8 Identity Rewrites manipulate identity names before searches in AD. This step exemplifies the feature with eduroam realm stripping.
eduroam uses the realm for routing authentication requests, so it needs the client supplicants to send the outer identity in the form username@realm. Certain 802.1X supplicants, such as the Windows native supplicant, cannot be configured to use different inner and outer identities, so the home RADIUS authentication server may receive the requests with the inner identity in that same form (username@realm). If the realm is not one of the authentication domains, a Join Point may be configured either to strip it or to rewrite the identity to a UPN with an authentication domain suffix.
a. Click the Advanced Settings tab for the join point sam.lab.local.
Note: This is at Administration > Identity Management > External Identity Sources. Select sam.lab.local under Active Directory in the left pane.
b. Scroll down to the last section, Identity Rewrite.
c. Choose Apply the Rewrite Rules Below to modify username.
d. Scroll down to see the built-in rules. Click the drop-down arrow next to the gears icon in rule #4, If Identity Matches [IDENTITY]@[DOMAIN], and select Duplicate above.
e. In the newly duplicated rule, update the rule as below:
If Identity Matches [IDENTITY]@demo.edu rewrite as [IDENTITY]
f. Click the button Try Rules.
g. In the pop-up Test rewrite window, input maggie@demo.edu in the text box next to Test Subject. It should result in maggie as the rewrite.
h. Click Close when done.
i. Click Save to persist the rewrite rules.
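As an added example (not from the lab guide or from Cisco ISE itself), the Python below models how an ordered list of Identity Rewrite rules is applied: [IDENTITY] and [DOMAIN] placeholders capture parts of the presented identity, rules are tried top-down, and the first match wins, so the Step 8 rule placed above rule #4 takes precedence. The rule sets are constructed for this example, and case-insensitive realm matching is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Placeholder tokens available on the ISE Identity Rewrite page.
PLACEHOLDERS = ("IDENTITY", "DOMAIN")


@dataclass(frozen=True)
class RewriteRule:
    match: str    # "If Identity Matches" column, e.g. "[IDENTITY]@demo.edu"
    rewrite: str  # "Rewrite As" column, e.g. "[IDENTITY]"


def compile_match(match: str) -> "re.Pattern[str]":
    """Turn a match string into an anchored regex.

    Each [PLACEHOLDER] becomes a named group capturing one or more characters
    other than '@' or '\\'; all other text is matched literally.
    """
    tokens = {f"[{p}]" for p in PLACEHOLDERS}
    regex = ""
    for piece in re.split(r"(\[(?:IDENTITY|DOMAIN)\])", match):
        if piece in tokens:
            regex += f"(?P<{piece[1:-1]}>[^@\\\\]+)"
        else:
            regex += re.escape(piece)
    # Assumption: realm comparison is case-insensitive, like DNS/AD domain names.
    return re.compile(f"^{regex}$", re.IGNORECASE)


def apply_rules(identity: str, rules: List[RewriteRule]) -> str:
    """Apply the rule list top-down; the first matching rule wins.

    An identity that matches no rule is passed through unchanged, so an
    unexpected realm still reaches AD as presented (and fails there).
    """
    for rule in rules:
        found = compile_match(rule.match).match(identity)
        if found is None:
            continue
        result = rule.rewrite
        for name, value in found.groupdict().items():
            result = result.replace(f"[{name}]", value)
        return result
    return identity


def try_rules(subjects: Iterable[str], rules: List[RewriteRule]) -> Dict[str, str]:
    """Mirror of the 'Try Rules' button: each test subject mapped to its rewrite."""
    return {subject: apply_rules(subject, rules) for subject in subjects}


# Constructed rule set (not ISE's built-in list): the demo.edu stripping rule from
# Step 8 sits above a catch-all that leaves other user@realm identities as-is.
STRIP_RULES = [
    RewriteRule("[IDENTITY]@demo.edu", "[IDENTITY]"),
    RewriteRule("[IDENTITY]@[DOMAIN]", "[IDENTITY]@[DOMAIN]"),
]

# The other option named in the text: rewrite the foreign realm to a UPN whose
# suffix is an authentication domain of the join point (sam.lab.local here).
UPN_RULES = [
    RewriteRule("[IDENTITY]@demo.edu", "[IDENTITY]@sam.lab.local"),
    # Constructed: a NetBIOS-style DOMAIN\user identity is normalised to a UPN too.
    RewriteRule("[DOMAIN]\\[IDENTITY]", "[IDENTITY]@[DOMAIN]"),
]


if __name__ == "__main__":
    subjects = ["maggie@demo.edu", "homer@lab.local", "lisa"]
    for subject, result in try_rules(subjects, STRIP_RULES).items():
        print(f"{subject:>20} -> {result}")
```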
Step 9 The AD Diagnostic Tool is a new utility in ISE 1.3 AD to help determine any environment issues related to the join points.
a. Click Active Directory from the left-hand pane to return to the main configuration page.
b. Click Advanced Tools and then select Diagnostics Tools from the drop-down menu.
c. Click Run All Tests.
d. If Summary shows Failure(s), click the hyperlink See Details for warning/failed test details. Then, click Close when done.
Note: The DNS failures are due to known defect CSCuq95531.
End of Exercise: You have successfully completed this exercise. Proceed to the next section.
Lab Exercise 2: ISE 1.3 BYOD with Internal Certificate Authority
Managing certificates for BYOD adds significant complexity and expense when using a Microsoft Public Key Infrastructure. ISE 1.3 introduces an Internal Certificate Authority (CA), which is designed to simplify BYOD deployments but works in concert with existing PKI infrastructure.
The Internal CA provides a single management console to manage endpoints and their certificates. For example, deleting an endpoint in ISE will revoke the certificates associated with that endpoint.
Multiple deployment models are supported for the Internal CA: it supports standalone and subordinate deployments, and it removes the corporate PKI team from every BYOD interaction. In regards to the architecture:
- The Primary PAN (PPAN) may be subordinate to an existing Root CA or may be a standalone Root CA.
- All PSNs are subordinate CAs to the PPAN.
- PSNs are SCEP Registration Authorities (RAs).
- Promotion of the Standby PAN:
o Will not have any effect on the operation of the subordinate CAs.
o For the Standby to become Root CA, the Private/Public keys from the PPAN must be manually installed.
This section is further divided for clarity:
- Lab Exercise 2.1: Configure ISE Internal CA for BYOD
- Lab Exercise 2.2: Configure ISE for Single-SSID BYOD
- Lab Exercise 2.3: Test and Verify Onboarding of Non-corporate iPad
Lab Exercise 2.1: Configure ISE Internal CA for BYOD
Exercise Description
This lab discusses Internal CA configuration for BYOD devices.
Exercise Objective
In this exercise, your goal is to configure the ISE 1.3 Internal CA. This includes completion of the following tasks:
- Verify the Internal Certificate Authority is running and operational
- Create a certificate template to provision BYOD devices.
Step 1 Login to ISE @ https://ise-1.demo.local/admin/ with username admin and password ISEisC00L
Step 2 Go to Administration > System > Certificates. Under Certificate Authority, select Internal CA Settings and verify the Internal CA is running.
Step 3 On the same page, Administration > System > Certificates, under Certificate Authority click Certificate Templates. ISE 1.3 comes preloaded with EAP_Authentication_Certificate_Template, which could be used for BYOD. In this lab we will create a new template to go through the certificate template creation process.
Step 4 In the Certificate Templates page, click Add and fill in the following values:
* Name: internalCertBYOD
Description: ISE internal cert template
Common Name (CN): $UserName$
Organizational Unit (OU):
Organization (O):
City (L):
State (ST):
Country (C):
Subject Alternative Name (SAN): MAC Address
Key Size: 2048
* SCEP RA Profile: ISE Internal CA
Valid Period: 730
Click Submit to save the changes.
Note: The ISE 1.3 internal CA comes with a default configuration and is already running when ISE is installed. Overall, the administration configuration experience is very simple to set up.
Lab Exercise 2.2: Configure ISE for Single SSID BYOD
Exercise Description
This exercise reviews ISE configurations for a BYOD wireless deployment with one wireless SSID. You will learn how to configure an ISE client provisioning policy rule that uses the internal CA as the PKI provider for ISE native supplicant provisioning (NSP).
Exercise Objective
In this exercise, your goal is to configure ISE for single SSID wireless BYOD, which includes the completion of the following tasks:
- Create a Client Provisioning Policy to use the ISE internal CA to issue BYOD endpoint certificates.
- Review the Certificate Authentication Profile and the Identity Source Sequence.
- Review the Authentication Policy to accept 802.1X authentication from wireless access devices with EAP-TLS or PEAP/EAP-MSCHAPv2 protocols.
- Review the Authorization Policy to allow registration as well as supplicant provisioning and to grant full access to registered devices.
Step 1 If timed out, re-login to the ISE administration web portal at https://ise-1.demo.local using the credentials admin / ISEisC00L
Step 2 Create a Client Provisioning Policy for Native Supplicant Provisioning
a. Go to Policy > Client Provisioning and create a new rule, which will look like the following:
Status   Rule Name   Identity Groups   Operating Systems   Other Conditions   Results
         Apple iOS   Any               Apple iOS All       -                  iOS WPA2e TLS
You may add a new Native Supplicant Configuration/Wizard Profile in-line within the Results cell. Create the native supplicant profile iOS WPA2e TLS in-line as shown below:
* Name: iOS WPA2e TLS
Description: -
* Operating System: Apple iOS All
* Connection Type: Wireless
* SSID: ##-ISECOLD
Security: WPA2 Enterprise
* Allowed Protocol: TLS
Certificate Template: internalCertBYOD
Note: The SSID value is case-sensitive and needs to be exactly the same as the one defined in the WLC. To avoid typos, copy the SSID name from the WLC and paste it into the ISE GUI. To find the SSID for your POD, go to the admin PC, launch a browser and log in to the WLC (https://vwlc.demo.local) with Username = admin and Password = ISEisC00L. Click WLANs and then copy the name of the Secure SSID, i.e. ##-ISECOLD (e.g. 02-ISECOLD for pod-02).
b. Click Save to persist the native supplicant profile. Save again to update the Client Provisioning Policy.
You may skip the rest of this exercise and jump to Exercise 2.3 if you are already familiar with ISE BYOD from previous ISE releases.
Step 3 Go to Administration > Identity Management > External Identity Sources > Certificate Authentication Profile. Review Preloaded_Certificate_Profile. ISE 1.3 comes with this profile, which has the most common settings, such as using the Subject Common Name as the User Name.
Step 4 Go to Administration > Identity Management > Identity Source Sequences. Review the Identity Source Sequence DOT1X_ID_Sequence.
Note-1: When this identity source sequence is used in EAP-TLS authentications, it will pick the certificate authentication profile. In password-based authentications, it will use the other identity sources in the authentication search list.
Note-2: All_AD_Join_Points is new in ISE 1.3. It is an AD scope that includes all AD join points.
Step 5 Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols. Review PEAPoTLS, which allows only two protocols:
a. EAP-TLS
b. PEAP with inner method EAP-MS-CHAPv2
Step 6 Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Review the two Authorization Profiles that are used in the Authorization Policy: one for full network access and the other for native supplicant provisioning.
a. Authorization Profile for allowing Full Network Access
Name: wlcFullAccess
Description: --
Access Type: ACCESS_ACCEPT
Common Tasks:
Airespace ACL Name: PERMIT-ALL-TRAFFIC
Attributes Details:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = PERMIT-ALL-TRAFFIC
b. Authorization Profile for allowing Supplicant Provisioning
Name: wlcSupplicantProvisioning
Description: --
Access Type: ACCESS_ACCEPT
Common Tasks:
Web Redirection (CWA, MDM, NSP, CPP): Native Supplicant Provisioning (drop-down menu); ACL: PERMIT-2-ISE-a-DNS; Value: BYOD Portal (default)
Attributes Details:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=PERMIT-2-ISE-a-DNS
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionIdValue&portal=&action=nsp
Step 7 Go to Policy > Policy Sets. Select wirelessDOT1X. Expand its Authentication Policy and ensure that the authentication policy is configured as below. The modified settings are highlighted in yellow.
Enabled   Name                         Protocols                  Identity Source             Options
          Default Rule (if no match)   Allow Protocols PEAPoTLS   and use DOT1X_ID_Sequence   Reject / Reject / Drop
Step 8 Next, expand the Authorization Policy to review the two rules shown below, with the Rule Names Registered with ISE and EAP-TLS and Employee_Personal_Device.
S   Rule Name                         Groups   Other Conditions                                                            Permissions
    Registered with ISE and EAP-TLS   Any      EndPoints:BYODRegistration EQUALS Yes                                       wlcFullAccess
                                               AND Network Access:EapAuthentication EQUALS EAP-TLS
                                               AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID
    Employee_Personal_Device          Any      Network Access:EapAuthentication EQUALS EAP-MSCHAPv2                        wlcSupplicantProvisioning
    Default                           Any      -                                                                           DenyAccess
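The Python below is an added example, not part of the lab guide or of ISE, that evaluates the three authorization rules of the table above first-match, top to bottom, against constructed sessions; the session fields mirror the dictionary attributes in the policy table, and the MAC normalisation is an assumption about how the SAN and Calling-Station-ID are compared. It shows why the third condition of the first rule matters: a valid, registered certificate presented from a device whose MAC differs from the SAN falls through to Default.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Session:
    """A wireless 802.1X session as ISE sees it at authorization time.

    Field comments give the ISE dictionary attribute each one stands for.
    """
    calling_station_id: str         # Radius:Calling-Station-ID (client MAC)
    eap_authentication: str         # Network Access:EapAuthentication
    byod_registration: str = "No"   # EndPoints:BYODRegistration
    cert_san: Optional[str] = None  # CERTIFICATE:Subject Alternative Name


Condition = Callable[[Session], bool]


@dataclass
class AuthzRule:
    name: str
    conditions: List[Condition]  # joined with AND, as in the policy table
    permission: str              # authorization profile returned on match


def normalise_mac(mac: Optional[str]) -> str:
    """Assumption: MACs are compared ignoring separators and case, because the
    SAN written by the certificate template and the RADIUS Calling-Station-ID
    may be formatted differently (00-11-22-33-44-55 vs 001122334455)."""
    return "".join(ch for ch in (mac or "") if ch.isalnum()).lower()


def san_matches_calling_station(s: Session) -> bool:
    # Binds the certificate to the radio presenting it: a certificate copied to
    # another device fails this check even though it is valid and registered.
    return s.cert_san is not None and normalise_mac(s.cert_san) == normalise_mac(s.calling_station_id)


# The wirelessDOT1X authorization policy from Step 8, in evaluation order.
POLICY: List[AuthzRule] = [
    AuthzRule(
        "Registered with ISE and EAP-TLS",
        [
            lambda s: s.byod_registration == "Yes",
            lambda s: s.eap_authentication == "EAP-TLS",
            san_matches_calling_station,
        ],
        "wlcFullAccess",
    ),
    AuthzRule(
        "Employee_Personal_Device",
        [lambda s: s.eap_authentication == "EAP-MSCHAPv2"],
        "wlcSupplicantProvisioning",
    ),
]
DEFAULT_RULE = ("Default", "DenyAccess")


def authorize(session: Session, policy: List[AuthzRule] = POLICY) -> Tuple[str, str]:
    """First-match evaluation: returns (rule name, authorization profile)."""
    for rule in policy:
        if all(cond(session) for cond in rule.conditions):
            return rule.name, rule.permission
    return DEFAULT_RULE


def onboarding_live_log(mac: str) -> List[Tuple[str, str]]:
    """The two entries Step 10 of Exercise 2.3 expects under Operations > Authentications:
    PEAP/MSCHAPv2 before onboarding, then EAP-TLS with the issued certificate."""
    before = Session(mac, "EAP-MSCHAPv2")
    after = Session(mac, "EAP-TLS", byod_registration="Yes", cert_san=normalise_mac(mac))
    return [authorize(before), authorize(after)]


if __name__ == "__main__":
    # Constructed sample MAC, not a lab value.
    for rule_name, profile in onboarding_live_log("00-11-22-33-44-55"):
        print(f"{rule_name:<34} -> {profile}")
```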
Lab Exercise 2.3: Test and Verify Onboarding of Non-corporate iPad
Exercise Description
This exercise will onboard an Apple iPad to validate the policies configured previously.
Warning: The Apple iPad you will be using is controlled remotely using VNC over the USB port of the admin PC. Due to the configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment, please do not deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will then need physical/manual resetting and prevent you from experiencing the full potential of the lab.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
- On-board the iPad with an ISE internal CA issued certificate.
- Review ISE Live Logs to monitor the process.
Step 1 Enable ##-ISECOLD in the WLC.
a. Login to the vWLC web portal at https://vwlc.demo.local as admin / ISEisC00L
b. Go to menu WLANs and select WLAN ID 1 ##-ISECOLD, choose Enable Selected from the drop-down next to Go, and hit Go.
Step 2 Double-click the batch file vnc-to-iPad on the admin PC's Desktop to start a VNC session to the iPad. The batch file will prompt you to press any key to continue. You will then see the VNC Viewer pop up.
Step 3 On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if present.
Note: You might not see the Profiles menu option when no profile is installed on the iPad.
Step 4 Next, on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
Step 5 Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the network ##-ISECOLD.
a. Enter the AD username/password credentials (employee1/ISEisC00L) and click Join.
b. Click to Accept the certificate.
c. Next, click on the blue arrow of the connected network and verify the IP address assigned.
Note: The IP address of the iPad might differ depending on the DHCP server in the POD; the iPad might get an IP address from the 10.1.10.x subnet, which is OK.
Step 6 Now launch the mobile Safari app and access the website portal.demo.local.
If you receive a warning Cannot Verify Server Identity, click Continue and it will redirect to the self-provisioning page.
This will take you to the ISE 1.3 BYOD Welcome Screen, which guides the end user through a series of steps to onboard the device and also keeps track of these steps with proper numbering.
Click Start to proceed.
Next, enter the Device Name and Description:
Device Name: Personal iPad
Description: This is my iPad
Click Continue to proceed.
Step 3 of the wizard prompts to Launch Apple Profile and Certificate Installers Now. Click to proceed.
When prompted to install the root CA certificate that signed the SSL server certificate of ISE, click Install.
Accept any warnings to complete this installation.
Step 7 It switches back to the self-provisioning page in Safari. Shortly afterwards, the ISE Profile Service pops up and prompts Install.
Click Install to start the Apple Over-The-Air (OTA) enrollment process. This will automatically generate the key, enroll the identity certificate, and save the resulting signed Wi-Fi profile to the iPad.
Note: If there are errors installing the profile, do the following:
- Verify a SCEP CA profile has been created (Administration > System > Certificates > Certificate Authority > Internal/External CA Settings)
- Verify the CA and RA certificates have been downloaded to the Certificate Store (Administration > System > Certificates > Certificate Management > Trusted Certificates)
- Check the console output of the iPad using the iPhone Configuration Utility (iPCU) from Apple, which is installed on the admin PC (Start > All Programs > iPhone Configuration Utilities)
Step 8 Now entering portal.demo.local in the mobile Safari app should take you to the website.
Step 9 Verify that Settings > General > Profiles shows two profiles installed.
Note: iOS WPA2e TLS is the name of the supplicant profile created in Step 2 of Exercise 2.2.
Step 10 Go to Operations > Authentications. Check the live logs on the ISE admin web portal to verify that the correct authorization profiles were applied. Initially, the device is authorized for wlcSupplicantProvisioning. Once provisioning is done, the wlcFullAccess profile is applied.
Note: For debugging, enable DEBUG logging for the relevant components: client, guest, provisioning, SCEP, and OCSP (Administration > System > Logging > Debug Log Configuration).
Step 11 Under Administration > System > Certificates > Certificate Management > Endpoint Certificates, look at the certificate issued to the iPad.
Note: The certificate is shown as issued the day before. This is by design, to reduce issues (e.g. CSCui15922) where an endpoint's clock may be slightly behind the CA's.
More Troubleshooting Tips
Helpful WLC CLI commands:
- Debugging client traffic: debug client
- Debugging AAA authentication: debug aaa events enable
- Debugging 802.1X events: debug dot1x events enable
- Bypass captive portal: config network web-auth captive-bypass enable
End of Exercise: You have successfully completed this exercise. Proceed to the next section.
Lab Exercise 3: AnyConnect Unified Agent
Lab Exercise 3.1: Configure Client Provisioning Services for Unified Agent
Exercise Description
AnyConnect ISE Posture, shown as a new System Scan tile, is replacing the NAC agent for Windows and OS X. This exercise covers how to configure policies to web-deploy AnyConnect from ISE.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
- Complete general system settings to support Client Provisioning and Posture Services
- Update Cisco conditions, OS, and AV/AS support chart
- Add client posture agent software
- Create and add AnyConnect Agent profiles and configuration(s)
- Define Client Provisioning Policy
The diagram highlights the key tasks covered in this exercise, including System Settings, Download of Dynamic Updates and CPP Packages, Agent Profiles and CPP Policy:
Lab Exercise Steps
Step 1 Access the ISE admin web interface
a. Launch the Mozilla Firefox web browser on the admin client PC and enter https://ise-1.demo.local in the address field.
b. Login with username admin and password ISEisC00L
(Accept/Confirm any browser certificate warnings if present)
The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.
Step 2 Verify the ISE proxy configuration for software downloads.
Navigate to Administration > System > Settings and select Proxy from the left-hand pane.
Note: (New) ISE 1.3 supports Basic Proxy authentication.
Proxy host server : port proxy-wsa.esl.cisco.com : 80
Step 3 Download pre-built posture checks for AV/AS and Microsoft Windows.
a. Click the icon to the left of Posture in the left-hand pane to expand the contents of the
Posture settings, and then click Updates. The Update Information in the bottom right-
hand pane displays the last time Posture updates took place.
b. Review and add a check mark to Automatically Check for updates starting from
initial delay as shown below:
Update source: Web
Update Feed URL: https://www.cisco.com/web/secure/pmbu/posture-update.xml
Proxy Address: proxy-wsa.esl.cisco.com
Proxy Port: 80
[x] Automatically check for updates starting from initial delay, every 24 hours
c. Click the Save button.
d. Click Update Now to run it immediately.
Note: You may proceed to next steps while the update is running.
Step 4 Configure general settings for agent behavior:
a. Select General Settings from the left-hand pane under the Posture settings. Review the
default values for Remediation Timer, Network Transition Delay, and Default Posture
Status.
b. Check (enable) the checkbox to Automatically Close Login Success Screen After
and set time to 5 seconds.
c. Posture Lease is new in ISE 1.3. It controls whether posture assessment is repeated at re-authentication.
For example, after disconnecting from the network in the office to attend a conference, a user
does not need to be postured again when reconnecting in the conference room.
For this lab, we set the posture lease to 1 Day.
Posture General Settings
Remediation Timer: 6 Minutes
Network Transition Delay: 3 Seconds
Default Posture Status: Compliant
Automatically Close Login Success Screen After: 5 Seconds
Posture Lease:
( ) Perform posture assessment every time a user connects to the network
(x) Perform posture assessment every 1 Days
d. Click Save.
Note: The posture agent profiles may be used to override these global settings.
Step 5 Configure an Acceptable Use Policy for ISE Posture.
a. Select Acceptable Use Policy from the left-hand pane under the Posture settings.
b. Click Add. Enter the following values for the new AUP policy:
* Configuration Name: aupAnyUser
Configuration Description: Simple Acceptable Use Policy
Show AUP to Agent Users: enabled
(x) Use URL for AUP message
( ) Use file for AUP message
AUP URL / AUP File: http://updates.demo.local/AUP.html (case sensitive)
* Select User Identity Groups: Any
c. Click Submit when finished.
Step 6 Download AnyConnect files.
a. Open a new tab in Firefox to https://tools.demo.local/cp/ and download the following
files to the Downloads folder by right-clicking each and choosing Save Link As.
i. anyconnect-win-4.0.00048-k9.pkg
ii. anyconnect-win-compliance-3.6.9492.2.pkg
iii. anyconnect-VPN-disable.xml
iv. anyconnect-NAM-EAP-FAST.xml
b. Back in the ISE admin web UI, go to Policy > Policy Elements > Results and click the
icon to the left of Client Provisioning to expand its contents.
c. Select Resources in the left-hand pane.
d. From the right-hand pane, click Add, then click Agent Resources from local Disk in
the drop-down list. Select Cisco Provided Packages from the Category drop-down.
e. Browse to C:\Users\admin\Downloads\, select the file to open, click Submit, and Confirm the
checksum for:
anyconnect-win-4.0.00048-k9.pkg
anyconnect-win-compliance-3.6.9492.2.pkg
CLIENT PROVISIONING FILE REFERENCE:
AnyConnectDesktopWindows: AnyConnect ISE Posture module for Windows.
AnyConnectDesktopOSX: AnyConnect ISE Posture module for OSX.
Compliance Module(s): AnyConnectComplianceModuleOSX and AnyConnectComplianceModuleWindows are
OPSWAT modules that provide updates to AV/AS vendor support for the AC ISE Posture Agent.
AnyConnect ISE Posture Agent Profiles: Configuration files for the AnyConnect ISE Posture agent.
Step 7 Create an AnyConnect posture profile for Windows clients.
a. From the right-hand pane, click Add then select NAC or AnyConnect Posture Profile from
the drop-down list.
b. In ISE Posture Agent Profile Settings > New Profile, click on drop down arrow for Select a
Category and then select AnyConnect
c. Enter the following values for the new Agent profile. When finished, click Submit.
ISE Posture Agent Profile Settings The defaults should work for most cases. Changed items are highlighted. See ISE User Guide, Release 1.3 for more info on Agent Profile Parameters and Applicable Values.
AnyConnect
* Name: acPostureWinProfile
Description: AnyConnect ISE Posture Profile for Windows clients
Agent Behavior
Parameter | Value | Notes / Description
Enable debug log | No | Enables the debug log on the agent.
Operate on non-802.1X wireless | No | Enables the agent to operate on non-802.1X wireless networks.
Enable signature check | No | OSX: N/A. Enables signature checking of executables before the agent will run them.
Log file size | 5 MB | The maximum agent log file size.
Remediation timer | 4 mins | The time the user has for remediation before being tagged as non-compliant. The default is empty, which means use the global setting; the global default is 4.
IP Address Change
Parameter | Value | Notes / Description
Enable agent IP refresh | Yes | Enables VLAN change detection. Sets the VLAN change detection flag on the server so that the configured DHCP release delay and DHCP renew delay values are transmitted from the server to the client.
VLAN detection interval | 0 secs | The interval at which the agent will check for a VLAN change; 0 means VLAN detection is disabled.
Ping or ARP | Ping | Detection method; the ping timeout below applies.
Maximum timeout for ping | 1 secs |
DHCP renew delay | 1 secs |
DHCP release delay | 4 secs |
Network transition delay | 3 secs | The period for which the agent suspends network monitoring so it can wait for a planned IP change to happen. The default is empty, which means use the global setting; the global default is 3.
Posture Protocol
Parameter | Value | Notes / Description
PRA retransmission time | 120 secs | The agent retry period if there is a Passive Reassessment communication failure.
Discovery host | biz.demo.local | The server that the agent should connect to.
* Server name rules | * | A list of wildcarded, comma-separated names that defines the servers the agent can connect to, e.g. "*.cisco.com". Blank by default to force the admin to enter a value; "*" means the agent will connect to any server.
Step 8 Configure an AnyConnect VPN profile to hide the VPN tile in the AnyConnect GUI.
Note: We need a VPN profile in order not to show the AnyConnect VPN module tile on the client machine. Ref: CSCur22131: Discrepancy with VPN module appearing on client when it is de-selected
a. Click Add then click Agent Resources from local Disk from the drop-down list.
Category: Customer Created Packages
Type: AnyConnect Profile
Name: acVPNdisableProfile
Description: Profile to disable VPN tile.
b. Browse to C:\Users\admin\Downloads\
c. Select anyconnect-VPN-disable.xml, downloaded in Step 6.
d. Click Submit to save changes. Confirm when prompted for Please confirm this
package's SHA1 hash matches : 7f7003bd2e53ab111aa55f63a0d737a373276501.
Step 9 Upload the NAM profile to ISE.
a. Click Add then Agent Resources from local Disk from the drop-down list.
Category: Customer Created Packages
Type: AnyConnect Profile
Name: acNAMProfile
Description: Profile to configure AnyConnect NAM for EAP-FAST.
b. Browse to C:\Users\Admin\Downloads\
c. Select anyconnect-NAM-EAP-FAST.xml
d. Click Submit to save changes. Confirm when prompted for Please confirm this
package's SHA1 hash matches : aae7e54819644d3219b7282a179133a184c1d3bd.
Step 10 Create an AnyConnect configuration profile for Windows clients.
a. From the right-hand pane, click Add then select AnyConnect Configuration from the
drop-down list.
b. Under AnyConnect Package, click the drop-down arrow for Choose a Package and then
select AnyConnectDesktopWindows 4.0.48.0
c. Enter the following values for the new Agent Configuration. When finished, click Submit
to save the changes.
* AnyConnect Package: AnyConnectDesktopWindows 4.0.48.0
* Configuration Name: acConfigWin
Description: An AnyConnect agent configuration for Windows
* Compliance Module: anyconnect-win-compliance-3.6.9492.2.pkg
AnyConnect Module Selection (checkboxes): ISE Posture, VPN, Network Access Manager, Web Security, ASA Posture, Start Before Logon, Diagnostic and Reporting Tool
Profile Selection:
ISE Posture: acPostureWinProfile
VPN: acVPNdisableProfile
Network Access Manager: acNAMProfile
Web Security: -
Customer Feedback: -
Step 11 Define Client Provisioning Policy for Employees
a. Go to Policy > Client Provisioning.
b. Add a new rule, inserted either above or below the existing policy, as
below, and then Save when done.
Rule Name | ID Groups | OS | Conditions | Results
Employee WinAll | Any | Windows All | demoAD.local:ExternalGroups EQUALS demo.local/HCC/Groups/Employees | Agent Configuration: acConfigWin
Note: Ensure you saved your Client Provisioning Policy!
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 3.2: Define Authorization Policy for Client Provisioning and Posture Compliance
Exercise Description This exercise modifies an existing Authorization Policy to ensure that endpoints
that are not posture compliant are redirected to the ISE client provisioning portal, and that only
posture compliant endpoints are granted privileged network access.
Exercise Objective In this exercise, your goal is to complete the following tasks:
Define a Downloadable ACL (dACL) that restricts network access for endpoints whose
compliance state is either Unknown or NonCompliant.
Review a URL Redirect ACL on the access switch to ensure that general http/https traffic
is redirected to the ISE Policy Service node while allowing access to remediation servers.
Define a new Authorization Profile that applies the quarantine dACL and Redirect ACL to
redirect endpoints to provisioning and posture services.
Add new rules to the Authorization Policy that leverage the new Authorization Profiles to
quarantine, assess posture, and remediate endpoints that are not posture compliant.
Update existing Authorization Policy rules such that privileged network access is based
on posture compliance.
The diagram highlights the key tasks covered in this exercise including Authorization Profiles,
their component dACLs, and Authorization Policy:
Lab Exercise Steps Step 1 Access the admin interface of the ISE Administrative node.
a. Go to the Admin client PC and launch the Mozilla Firefox web browser. Enter the
following URL in the address field:
https://ise-1.demo.local
b. Log in with username admin and password ISEisC00L
(Accept/Confirm any browser certificate warnings if present)
The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.
Step 2 Define a dACL that restricts network access for endpoints that are not posture compliant.
a. Go to Policy > Policy Elements > Results and click the icon to the left of Authorization (or
double-click Authorization) to expand its contents.
b. Select Downloadable ACLs from the left-hand pane.
c. Click Add from the right-hand pane under DACL Management and enter the following
values for the new dACL:
Note: Copy-and-paste the DACL content from https://tools.demo.local/cp/DACL_POSTURE_REMEDIATION.txt
* Name POSTURE_REMEDIATION
Description Permit access to posture and remediation services and deny all other access. Permit general http and https for redirection only.
* DACL Content
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8905
permit tcp any host 10.1.100.222 eq 80
The following describes the purpose of individual ACL entries:
Downloadable ACL Entry Description
permit udp any any eq domain Permit DNS for name resolution
permit icmp any any Permit ICMP for initial troubleshooting
permit tcp any host 10.1.100.21 eq 8443 Permit CWA/CPP to ISE Policy Service node
permit tcp any host 10.1.100.21 eq 8905 Allow Agent discovery direct to Policy Service node
permit udp any host 10.1.100.21 eq 8905 Allow Agent discovery and keep-alives
permit tcp any host 10.1.100.222 eq 80 Explicit allow to remediation server
c. Click Submit when completed.
Step 3 Define dACL for AD Login Access
Click Add from the right-hand pane under DACL Management and enter the following values for
the new dACL:
Note: Copy-and-paste the DACL content from https://tools.demo.local/cp/DACL_AD_LOGIN_PROCESS.txt
* Name AD_LOGIN_ACCESS
Description Employee AD Access
* DACL Content
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 eq 1025
permit tcp any host 10.1.100.10 eq 1026
Step 4 Review URL Redirect ACL on the access switch. An Authorization Profile will reference this ACL
and work in conjunction with the accompanying dACL applied to the switchport interface.
a. From the Admin client PC, use the desktop shortcut for the PuTTY to launch a
terminal session to the c3560cg switch using the credentials admin / ISEisC00L.
b. Enter the following command at the access switch exec shell prompt to verify the
contents of the ACL:
3560CG# show ip access-lists ACL-AGENT-REDIRECT
Extended IP access list ACL-AGENT-REDIRECT
    10 deny tcp any host 10.1.100.222 eq www
    20 permit tcp any any eq www
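To see how the dACL from Step 2 and the redirect ACL above divide the work on the switchport, here is an added Python model (not code from the lab guide or from Cisco): it parses both ACLs as written in this exercise, applies first-match semantics with the implicit deny, and reports whether constructed sample flows are redirected, forwarded or dropped. It assumes the switch consults the redirect ACL before the dACL; the sample destination 198.51.100.10 is a constructed stand-in for an Internet web server.

```python
"""How the POSTURE_REMEDIATION dACL and the ACL-AGENT-REDIRECT redirect ACL
from this exercise act together on a switchport.

Added example; not the lab guide's or Cisco's code. ACL text is copied from
the guide, the flows are constructed, and the evaluation order (redirect ACL
consulted before the dACL) is an assumption about the switch platform."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80}  # IOS service names used in the guide's ACLs


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for icmp


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str
    dst: Optional[str]    # None means any host
    dport: Optional[int]  # None means any port

    def matches(self, f: Flow) -> bool:
        return (self.proto == f.proto and self.dst in (None, f.dst)
                and self.dport in (None, f.dport))


def parse_ace(line: str) -> Ace:
    """Parse one ACE of the shape the guide uses, e.g.
    'permit tcp any host 10.1.100.21 eq 8443'. The source is always 'any';
    a leading sequence number from 'show ip access-lists' output is skipped."""
    tok = line.split()
    if tok and tok[0].isdigit():
        tok = tok[1:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    if tok[3] == "any":
        dst, i = None, 4
    elif tok[3] == "host":
        dst, i = tok[4], 5
    else:
        raise ValueError(f"unsupported destination in ACE: {line!r}")
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = int(PORT_NAMES.get(tok[i + 1], tok[i + 1])), i + 2
    if i != len(tok):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(tok[0], tok[1], dst, dport)


def parse_acl(text: str):
    return [parse_ace(l) for l in text.strip().splitlines()]


def acl_action(acl, flow: Flow) -> str:
    """First matching ACE wins; Cisco ACLs end with an implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


# dACL pushed by the Posture Remediation authorization profile (from the guide).
POSTURE_REMEDIATION = parse_acl("""
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8905
permit tcp any host 10.1.100.222 eq 80
""")

# Redirect ACL on the switch (from the guide's 'show ip access-lists'). In a
# redirect ACL 'permit' means "intercept and redirect" and 'deny' means
# "leave alone", so the implicit deny at the end means "not redirected".
ACL_AGENT_REDIRECT = parse_acl("""
10 deny tcp any host 10.1.100.222 eq www
20 permit tcp any any eq www
""")


def port_outcome(flow: Flow) -> str:
    """'redirected', 'forwarded' or 'dropped' for a packet from an endpoint in
    the Posture Remediation state. HTTP that the redirect ACL intercepts never
    reaches the dACL (assumed order); everything else is filtered by the dACL."""
    if acl_action(ACL_AGENT_REDIRECT, flow) == "permit":
        return "redirected"
    return "forwarded" if acl_action(POSTURE_REMEDIATION, flow) == "permit" else "dropped"


if __name__ == "__main__":
    # Constructed traffic; 198.51.100.10 stands in for an Internet web server.
    for f in (Flow("udp", "10.1.100.10", 53), Flow("tcp", "198.51.100.10", 80),
              Flow("tcp", "10.1.100.222", 80), Flow("tcp", "10.1.100.21", 8443),
              Flow("tcp", "198.51.100.10", 443), Flow("icmp", "198.51.100.10")):
        print(f"{f.proto:4} {f.dst}:{f.dport} -> {port_outcome(f)}")
```

Note that HTTPS to anywhere other than the listed hosts is dropped rather than redirected, which is why the guide has the user browse to a plain http URL in Exercise 3.3.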
Step 5 Define a new Authorization Profile PostureRemediation that leverages both the new dACL for
port access control and the URL Redirect ACL for traffic redirection.
a. Return to the ISE admin interface from the Admin client PC.
b. Click Authorization Profiles from the left-hand pane under Policy > Policy Elements >
Results > Authorization.
c. Click Add from the right-hand pane and enter the values for the Authorization Profile as
shown below.
Name Posture Remediation
Description Permit access to posture and remediation services; redirect traffic to client provisioning and posture services.
Access Type ACCESS_ACCEPT
DACL Name POSTURE_REMEDIATION
Web Redirection (CWA, MDM, NSP, CPP)
Client Provisioning (Posture) ACL: ACL-AGENT-REDIRECT Value: Client Provisioning Portal (default)
d. The resultant Attribute Details should appear at the bottom of the page as the following:
Access Type = ACCESS_ACCEPT
DACL = POSTURE_REMEDIATION
cisco:cisco-av-pair=url-redirect-acl=ACL-AGENT-REDIRECT
cisco:cisco-av-pair=url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=&action=cpp
e. Scroll to the bottom of the page and click Submit to apply your changes.
Step 6 Define a new Authorization Profile for compliant Employees, named Employee, that allows
complete access.
a. Select Authorization Profiles from the left-hand pane under Policy > Policy Elements >
Results > Authorization.
b. Click Add from the right-hand pane and enter the values for the Authorization Profile as
shown below.
Name Employee
Description Full Access
Access Type ACCESS_ACCEPT
DACL Name PERMIT_ALL_TRAFFIC
c. The resultant Attribute Details should appear at the bottom of the page as the following:
Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_TRAFFIC
d. Scroll to the bottom and click Submit to apply your changes.
Step 7 Define a new Authorization Profile for AD Login
a. Click Authorization Profiles from the left-hand pane under Policy > Policy Elements >
Results > Authorization.
b. Click Add from the right-hand pane and enter the values for the Authorization Profile as
shown below.
Name AD Login
Description Allow machine to log in to AD through dot1x
Access Type ACCESS_ACCEPT
DACL Name AD_LOGIN_ACCESS
c. The resultant Attribute Details should appear at the bottom of the page as the following:
Access Type = ACCESS_ACCEPT
DACL = AD_LOGIN_ACCESS
d. Scroll to the bottom and click Submit to apply your changes.
Step 8 Update the Authorization Policy to support posture compliance.
a. Go to Policy > Policy Sets > Default
b. Update the existing Authorization Policy with the following values, using the
selector at the end of a rule entry to insert or duplicate rules above:
Rule Name | Groups | Other Conditions | Permissions
Domain Computer | Any | demoAD.local:ExternalGroups EQUALS demo.local/Users/Domain Computers | AD Login
Employee Compliant | Any | demoAD.local:ExternalGroups EQUALS demo.local/HCC/Groups/employees AND Session:PostureStatus EQUALS Compliant | Employee
Employee NonCompliant | Any | demoAD.local:ExternalGroups EQUALS demo.local/HCC/Groups/Employees AND Session:PostureStatus NOT EQUALS Compliant | Posture Remediation
Basic_Authenticated_Access | Any | Network_Access_Authentication_Passed | PermitAccess
Default | Any | - | DenyAccess
c. Click Save to apply your changes.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 3.3: Test and Monitor Client Provisioning Services for AnyConnect
Exercise Description This exercise validates the Client Provisioning and Authorization Policy configuration completed
in the previous lab exercises. Since no Posture Policy has been configured, all users should be
posture compliant. The AC ISE Posture Agent will be tested and monitored in this exercise. In
addition to AC ISE Posture Agent provisioning, this exercise will also validate agent policies such
as AUP, auto-closure of login success screens, and agent profile configuration.
Exercise Objective In this exercise, your goal is to complete the following tasks:
Log in to the secured lab network from a Windows 7 PC client as an Employee via 802.1X
machine authentication and user authentication, and verify NAC Agent provisioning.
Review ISE and switch logs to validate proper operation and application of the
Authorization Policy.
Lab Exercise Steps
Step 1 Power ON VM guest p##-w7pc-corp.
Step 2 Establish a terminal session with the access switch (10.1.100.1).
Step 3 Validate the session status of the switchport authorization after Windows login (802.1X User
authentication):
a. At the W7PC-corp VM console, send Ctrl+Alt+del and login to Windows domain.
To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console
menu:
Log in as user DEMO\employee1 / ISEisC00L. Issue show authentication sessions for
interface GigabitEthernet0/4. After successful 802.1X user authentication, the
Authorization Policy should match the Employee_NonCompliant rule (Authorization
Profile = Posture_Remediation). The output should appear similar to that shown below:
3560CG# sh auth sess int g0/4 details
3560CG(config-if)#do sh auth sess int G0/4 det
Interface: GigabitEthernet0/4
MAC Address: 0050.5693.a76b
IPv6 Address: Unknown
IPv4 Address: 10.1.10.201
User-Name: DEMO\employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0164010000001B0233334D
Acct Session ID: 0x00000015
Handle: 0x54000010
Current Policy: POLICY_Gi0/4
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-5464abc7
URL Redirect: https://ise-1.demo.local:8443/portal/gateway?sessionId=0A0164010000001B0233334D&portal=528d2310-276c-11e4-9866-005056bf01c9&action=cpp&token=a654130b16dfa0bcc928d989f42226a8
URL Redirect ACL: ACL-AGENT-REDIRECT
Runnable methods list:
Method State
mab Not run
dot1x Authc Success
b. Verify that 802.1X user authentication (User-Name = DEMO\employee1) completed
successfully and that the dACL (ACS ACL) named POSTURE_REMEDIATION was pushed to
the interface.
c. A named URL Redirect ACL = ACL-AGENT-REDIRECT has also been applied that
defines the traffic to be redirected to the link specified by URL Redirect. The redirect
URL must include the domain name of the ISE Policy Service node, port 8443, the current
session ID, and action=cpp (Client Provisioning Portal). If any of these items is missing,
web authentication will fail.
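As an added check (not part of the lab guide or of Cisco's tooling), the following Python parses a show authentication sessions details capture, reassembles the redirect URL that wraps across terminal lines, and verifies the items listed above. The sample capture is constructed from the output shown in this step, and PSN_FQDN is the guide's ise-1.demo.local.

```python
"""Check a Catalyst 'show authentication sessions interface ... details' dump
for the items the guide lists as required for the client provisioning
redirect: the POSTURE_REMEDIATION dACL, the ACL-AGENT-REDIRECT redirect ACL,
and a redirect URL carrying the PSN name, port 8443, the session ID and
action=cpp.

Added example, not from the lab guide or from Cisco. The sample output is a
constructed abridgement of the guide's capture; the PSN name is the guide's."""
import re
from urllib.parse import parse_qs, urlsplit

PSN_FQDN = "ise-1.demo.local"  # Policy Service node in the guide's topology

# Key/value lines look like "URL Redirect ACL: ACL-AGENT-REDIRECT".
_KV = re.compile(r"^([A-Za-z0-9][A-Za-z0-9 /-]*?):\s*(.*)$")


def parse_session(text: str) -> dict:
    """Collect 'Key: value' pairs. A line without such a key continues the
    previous value, which is how a long URL Redirect wraps in a terminal
    capture (the guide's own capture wraps it over three lines)."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KV.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last:
            fields[last] += line
    return fields


def check_redirect(fields: dict, psn: str = PSN_FQDN) -> list:
    """Return the problems found; an empty list means the session carries
    everything the guide requires for the CPP redirect to work."""
    problems = []
    if "POSTURE_REMEDIATION" not in fields.get("ACS ACL", ""):
        problems.append("dACL POSTURE_REMEDIATION not applied")
    if fields.get("URL Redirect ACL") != "ACL-AGENT-REDIRECT":
        problems.append("redirect ACL ACL-AGENT-REDIRECT not applied")
    url = fields.get("URL Redirect")
    if not url:
        return problems + ["no URL Redirect on session"]
    u = urlsplit(url)
    q = parse_qs(u.query)
    if u.hostname != psn:
        problems.append(f"redirect host {u.hostname!r} is not the PSN {psn!r}")
    if u.port != 8443:
        problems.append(f"redirect port {u.port} is not 8443")
    if q.get("sessionId", [None])[0] != fields.get("Common Session ID"):
        problems.append("sessionId in redirect URL does not match Common Session ID")
    if q.get("action", [None])[0] != "cpp":
        problems.append("redirect action is not cpp")
    return problems


# Constructed sample, abridged from the guide's Step 3 output, with the
# URL wrapped the way the capture shows it.
SAMPLE = r"""
Interface: GigabitEthernet0/4
MAC Address: 0050.5693.a76b
IPv4 Address: 10.1.10.201
User-Name: DEMO\employee1
Status: Authorized
Common Session ID: 0A0164010000001B0233334D
Server Policies:
ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-5464abc7
URL Redirect: https://ise-
1.demo.local:8443/portal/gateway?sessionId=0A0164010000001B0233334D&portal=528d2310-
276c-11e4-9866-005056bf01c9&action=cpp&token=a654130b16dfa0bcc928d989f42226a8
URL Redirect ACL: ACL-AGENT-REDIRECT
"""

if __name__ == "__main__":
    print(check_redirect(parse_session(SAMPLE)) or "session is ready for CPP redirect")
```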
Step 4 Validate Client Provisioning (aka Web-Deploy) for AnyConnect.
a. From w7pc-corp, launch Firefox web browser and type in www.cisco.com. It will
immediately redirect to ISE client provisioning portal (CPP). (Accept/Confirm any browser
certificate warnings if present)
Note: If you receive [ 500 ] Internal Error, clear the auth session on the switch while the user is logged in and try
again. Defect: CSCup20844
b. Click the Start button.
c. After CPP takes ~10 seconds to detect any existing AnyConnect installation, it shows an
info page with the location to download and install AnyConnect.
d. Expand "+ This is my first time here" and click the hyperlink to download the AnyConnect
ISE Setup Assistant.
e. Double click to run the downloaded program. If prompted by Windows UAC, enter
credentials admin / ISEisC00L.
Note: Admin privileges are required to install AnyConnect for the first time. Once installed, upgrades can occur without escalated privileges. AnyConnect can also be distributed using an MSI installer package.
f. The AnyConnect ISE Network Setup Assistant window appears. Click Connect to start
the AnyConnect Downloader. Click Yes to restart your computer now when
prompted.
g. After reboot and re-login, AnyConnect shows an AUP.
h. Click Accept to agree to the AUP. The login success screen should display indicating
Full Network Access and automatically close after 2 seconds per the Agent profile
configuration.
i. The client should now have full network access. To validate, open a web browser and
verify that access to www.cisco.com is allowed.
Step 5 Verify the session status of the switchport authorization for a compliant Employee.
a. Repeat the show authentication sessions output for interface GigabitEthernet0/4. The
Authorization Policy should match the Employee rule (Authorization Profile = Employee)
and output should appear similar to that shown below:
3560CG#sh auth sess int g0/4 details
3560CG(config-if)#do sh auth sess int G0/4 det
Interface: GigabitEthernet0/4
MAC Address: 0050.5693.a76b
IPv6 Address: Unknown
IPv4 Address: 10.1.10.201
User-Name: DEMO\employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0164010000001B0233334D
Acct Session ID: 0x00000015
Handle: 0x54000010
Current Policy: POLICY_Gi0/4
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4478ace7
Runnable methods list:
Method State
mab Not run
dot1x Authc Success
b. In the above output, note that the dACL (ACS ACL) = PERMIT_ALL_TRAFFIC has been
successfully downloaded to the interface to grant the compliant Employee full network
access.
Step 6 Verify the authentication/authorization phases of the 802.1X Auth and Client Provisioning from
the ISE admin interface.
a. Go to Operations > Authentications. View the recent entries associated with the
Employee session by MAC Address, IP address, Interface, or Session ID. It may help
to filter the log entries by entering a couple of bytes of the Session ID or MAC address
(Calling Station ID) into the appropriate column header and pressing Enter. Click the circled
x in the field to clear the filter.
b. Referring to the sample log below, you should see entries similar to the following that
match the output received from the switch, where 1 is the lowest or first entry:
1. Successful 802.1X machine authentication of the Domain Computer host/w7pc-corp.demo.local using
PEAP(EAP-MSCHAPv2); Authorization Profile named AD_Login applied.
2. dACL named AD_LOGIN_ACCESS has been successfully downloaded.
3. Successful 802.1X user authentication of the Domain User DEMO\employee1; Authorization Profile named
Posture_Remediation applied.
4. dACL named POSTURE_REMEDIATION has been successfully downloaded.
5. Successful authentication of host/w7pc-corp using EAP-FAST (EAP-MSCHAPv2) due to NAM installation.
6. dACL named AD_LOGIN_ACCESS has been successfully downloaded.
7. Successful machine authentication of host/w7pc-corp.demo.local using PEAP (EAP-MSCHAPv2) due to reboot.
8. Successful machine authentication of host/w7pc-corp using EAP-FAST (EAP-MSCHAPv2) due to reboot.
9. Successful 802.1X user authentication of the Domain User employee1; Authorization Profile named
Posture_Remediation applied.
10. dACL named POSTURE_REMEDIATION has been successfully downloaded.
11. Posture reported compliant and dynamic authorization (CoA) succeeded for session based on posture status
change.
12. Authorization Profile named Employee applied; dACL PERMIT_ALL_TRAFFIC applied.
13. dACL named PERMIT_ALL_TRAFFIC has been successfully downloaded.
14. Session State is Started.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 4: Guest Access Management
Exercise Description This exercise will show you how to set up and configure Guest Access Management with ISE 1.3.
Cisco ISE Guest gives sponsors, employees and lobby ambassadors the ability to create a guest
account and send it to a guest. Guests can also create their own accounts, and they can additionally
be required to obtain approval from a sponsor or from the person they are visiting. There
are three built-in types of guest portal: Hotspot, Self-Registered, and Sponsored. We will be
working with the first two use cases (hotspot and self-registered) in this lab. The self-registered
portal is essentially the same as the sponsored one (without the setting to allow self-registration).
Exercise Objective In this exercise, your goal is to complete the following tasks:
Lab Exercise 4.1: Configure Authorization Profiles for Guest Hotspot and Self Registration
Lab Exercise 4.2: Configure Policy Sets for Guest Authentication and Authorization
Lab Exercise 4.3: Configure Hotspot with basic customization
Lab Exercise 4.4: Test the Hotspot Portal
Lab Exercise 4.5: Configure Settings for Self-Registered with Sponsor Approval
Lab Exercise 4.6: Test Self Registration Portal with Approval Flow
Lab Exercise 4.7: Configure Settings for Sponsored Access
Lab Exercise 4.8: Test Sponsored Guest Flow
Lab Exercise 4.9: Work with Guest reporting
Lab Exercise 4.1: Configure Authorization Profiles for Guest Hotspot and Self Registration
Exercise Description In this exercise you will set up the authorization profiles and policies needed to work with policy
sets for the hotspot and self-registration portals.
Exercise Objective In this exercise, your goal is to complete the following task:
Configure Authorization Profiles for Hotspot & Self-Registration policies
Step 1 Return to the ISE UI and log in if needed
Step 2 Configure Authorization Profiles for Hotspot Redirect
a. Navigate to Policy > Policy Elements > Results
b. Expand Authorization
c. Click Authorization Profiles
Step 3 Configure Authorization Profile for Hotspot Redirect
a. Click Add
* Name HotSpot Redirect
Description -
* Access Type ACCESS_ACCEPT
Common Tasks
Web Redirection (CWA )
Hot Spot ACL: ACL-WEBAUTH-REDIRECT Value: Hotspot Guest Portal (default)
Note: The ACL is case-sensitive and should match exactly as defined in WLC.
b. Click Submit
Step 4 Configure Authorization Profile for Guest Redirect
a. Click Add
* Name Guest Redirect
Description -
* Access Type ACCESS_ACCEPT
Common Tasks
Web Redirection (CWA )
Centralized Web Auth ACL: ACL-WEBAUTH-REDIRECT Value: Self-Registered Guest Portal (default)
Note: The ACL is case-sensitive and should match exactly as defined in WLC.
b. Click Submit
Step 5 Configure Authorization Profile for Guest Permit Access
a. Click Add
* Name Guest Permit
Description Internet Access for Guests
* Access Type ACCESS_ACCEPT
Common Tasks
Airespace ACL Name GUEST_ACL
Note: The ACL is case-sensitive and should match exactly as defined in WLC.
b. Click Submit
Note: You should have 3 new Authorization Profiles after completing this task: HotSpot Redirect, Guest Redirect and Guest Permit
The Authorization Profiles for the basic portal setup have been completed. Let's now work with the Policy Sets.
Lab Exercise 4.2: Configure Policy Sets for Guest Authentication and Authorization
Exercise Description In this exercise you will set up the authorization profiles and policies needed, using policy sets, to
work with the hotspot and self-registration portals.
Exercise Objective In this exercise, your goal is to complete the following tasks:
Configure Policy Sets for Wireless_MAB
Configure Authentication Policies for Wireless_MAB
Configure Authorization Policies for Hotspot and Self Register Portal
Step 1 Configure the Policy Set for Guest Access
a. Navigate to Policy > Policy Sets
b. Click the + and choose Create Above
c. Click Edit on the far right to edit the Policy Name and Conditions:
   Name: wirelessMAB
   Description: -
   Condition: Select Attribute > Select Existing Condition from Library > Compound Condition > Wireless_MAB
d. Click Done
e. Expand the Authentication Policy
f. Click Edit for the Default Rule
g. Under Allowed Protocols, select HostLookup
h. Select Identity Source: Internal Endpoints
i. For "If user not found", select Continue
Note: Continue is what makes the guest flows work. A MAC address that is not yet in Internal Endpoints is not rejected; the request falls through to the authorization policy, where the redirect rules send the device to the portal.
j. Click Done
k. Collapse Authentication Policy
l. Expand Authorization Policy
Info for saving time: The following table and screenshot show how the authorization policy for Hotspot and Guest Access is set up. If you would like to build it from the table without following the individual steps, do so; otherwise continue with the steps below the screenshot. After you enter the first rule above Default, use Duplicate Above for the remaining rules to save time. Do not forget to click Save, then skip to Lab Exercise 4.3.
Status  Rule Name                Identity Groups  Other Conditions                                                                      Permissions
        Guest Internet Access    Any              Radius:Called-Station-ID ENDS_WITH guest AND NetworkAccess:UseCase EQUALS Guest Flow   Guest Permit
        Guest Redirect           Any              Radius:Called-Station-ID ENDS_WITH guest                                              Guest Redirect
        Hotspot Internet Access  GuestEndpoints   Radius:Called-Station-ID ENDS_WITH hotspot                                            Guest Permit
        Hotspot Redirect         Any              Radius:Called-Station-ID ENDS_WITH hotspot                                            HotSpot Redirect
        Default                  Any              -                                                                                     DenyAccess
Rules are evaluated top-down and the first match applies, so the GuestEndpoints rule must sit above Hotspot Redirect and the Guest Flow rule above Guest Redirect; otherwise the Any rule catches registered devices and they never leave the redirect.
Step 2 Configure Authorization Policy for Hotspot Redirection
a. Click the arrow to the right of Edit on the Default rule and insert a new rule above
b. Enter Rule Name: Hotspot Redirect
c. Click the + next to Condition
d. Choose Condition > Create New Condition
e. Select attribute Radius > Called-Station-ID, operator Ends With, value hotspot
Note: Use Called-Station-ID, not Calling-Station-ID. Calling-Station-ID is the client's MAC address, so it can never end with the SSID name; the lab relies on the WLC populating Called-Station-ID with the AP MAC and the SSID, which is what the Ends With condition matches on.
f. Under Permissions click + > Select an item > Standard > HotSpot Redirect
g. Click Done
Step 3 Configure Authorization Policy for Hotspot Internet Access
a. Click the arrow to the right of Hotspot Redirect, choose Duplicate Above, and change the values to the following:
Info for saving time: Use Duplicate Above and then change only what is needed, instead of inserting fresh rules.
   Rule Name: Hotspot Internet Access
   Identity Group: Endpoint Identity Group > GuestEndpoints
   Conditions: Radius:Called-Station-ID Ends With hotspot
   Permissions: Guest Permit
b. Click Done
Step 4 Configure Authorization Policy for Guest Redirect
a. Click the arrow to the right of Edit on Hotspot Internet Access, choose Duplicate Above, and change the values to the following:
   Rule Name: Guest Redirect
   Identity Group: Any
   Conditions: Create New Condition > Select Attribute > Radius > Called-Station-ID Ends With guest
   Permissions: Standard > Guest Redirect
b. Click Done
Step 5 Configure Authorization Policy for Guest Permit
a. Click the arrow to the right of Edit on Guest Redirect, choose Duplicate Above, and change the values to the following:
   Rule Name: Guest Internet Access
   Identity Group: Any
   Conditions: Create New Condition > Select Attribute > Radius > Called-Station-ID Ends With guest; then Add Attribute/Value > NetworkAccess:UseCase EQUALS Guest Flow
   Permissions: Standard > Guest Permit
b. Click Done, and do not forget to click Submit
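The following Python is an added illustration for this exercise; it is not code from the lab guide or from ISE. It models the authorization table from Step 1 as an ordered first-match evaluation, adds the MAB authentication rule (HostLookup against Internal Endpoints with Continue on user not found), and replays the two RADIUS passes a device on the hotspot SSID goes through. The Called-Station-ID format `<ap-mac>:<ssid>`, the constructed MAC addresses and the dictionary standing in for the ISE endpoint database are assumptions of the example.

```python
"""First-match evaluation of the lab's guest authorization rules.

Added illustration for Lab Exercise 4.2; this is not ISE code. It models the
ordered rule table (Guest Internet Access, Guest Redirect, Hotspot Internet
Access, Hotspot Redirect, Default) plus the MAB authentication rule, and
replays the two passes the lab later shows in Operations > Authentications.
Assumptions (not stated on the page): the WLC sends Called-Station-ID as
"<ap-mac>:<ssid>", and the portal adds the MAC to GuestEndpoints before the
device re-authenticates.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]            # RADIUS and ISE-derived attributes
Condition = Callable[[Request], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: Optional[str]   # None stands for "Any"
    condition: Condition
    permission: str


def called_station_ends_with(suffix: str) -> Condition:
    # Called-Station-ID carries the SSID name; Calling-Station-ID is the
    # client MAC, which is why the lab's note says it will never match.
    return lambda req: req.get("Radius:Called-Station-ID", "").endswith(suffix)


def guest_flow(req: Request) -> bool:
    return req.get("NetworkAccess:UseCase") == "Guest Flow"


def all_of(*conds: Condition) -> Condition:
    return lambda req: all(c(req) for c in conds)


# Same top-to-bottom order as the lab table; the first matching rule wins.
RULES: List[Rule] = [
    Rule("Guest Internet Access", None,
         all_of(called_station_ends_with("guest"), guest_flow), "Guest Permit"),
    Rule("Guest Redirect", None, called_station_ends_with("guest"), "Guest Redirect"),
    Rule("Hotspot Internet Access", "GuestEndpoints",
         called_station_ends_with("hotspot"), "Guest Permit"),
    Rule("Hotspot Redirect", None, called_station_ends_with("hotspot"), "HotSpot Redirect"),
]
DEFAULT_RULE = ("Default", "DenyAccess")


def mab_authentication(mac: str, endpoints: Dict[str, str],
                       if_user_not_found: str = "Continue") -> str:
    """Authentication rule: HostLookup against Internal Endpoints.

    'Continue' (the lab setting) lets an unknown MAC fall through to the
    authorization policy, where the redirect rule catches it.
    """
    if mac.lower() in endpoints:
        return "authenticated"
    return "continue" if if_user_not_found == "Continue" else "rejected"


def authorize(req: Request, endpoints: Dict[str, str],
              rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (rule name, authorization profile) for a RADIUS request.

    `endpoints` maps a client MAC to its endpoint identity group and stands
    in for the ISE internal endpoint database.
    """
    group = endpoints.get(req.get("Radius:Calling-Station-ID", "").lower())
    for rule in rules:
        if rule.identity_group is not None and group != rule.identity_group:
            continue
        if rule.condition(req):
            return rule.name, rule.permission
    return DEFAULT_RULE


def hotspot_flow(mac: str, ssid: str = "XX-hotspot") -> List[Tuple[str, str]]:
    """Replay the two passes the lab describes for a device on the hotspot SSID."""
    endpoints: Dict[str, str] = {}           # empty internal endpoint store (constructed)
    req: Request = {
        "Radius:Calling-Station-ID": mac,
        "Radius:Called-Station-ID": f"00-11-22-33-44-55:{ssid}",  # ap-mac:ssid (assumed format)
    }
    results: List[Tuple[str, str]] = []
    if mab_authentication(mac, endpoints) == "rejected":
        return results                       # only happens with "Reject" instead of "Continue"
    results.append(authorize(req, endpoints))             # pass 1: unknown MAC -> redirect
    endpoints[mac.lower()] = "GuestEndpoints"             # AUP accepted: portal registers MAC
    results.append(authorize(req, endpoints))             # pass 2: re-auth -> Guest Permit
    return results


if __name__ == "__main__":
    for step in hotspot_flow("AA:BB:CC:DD:EE:01"):
        print(step)
```

Running the block prints the two passes for one device: the first lands on Hotspot Redirect because the MAC is unknown and the authentication rule continues instead of rejecting; once the portal has put the MAC into GuestEndpoints the same request matches Hotspot Internet Access. Passing a rule list with the two hotspot rules swapped to authorize() shows the shadowing problem: the Any rule then catches registered devices too and they never leave the redirect.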
Hotspot and Guest authentication/authorization setup is complete. Next, look at the default Hotspot portal. The default settings are a good start; we will also go over some of the extras that go with it.
Lab Exercise 4.3: Configure Hotspot with basic customization
Exercise Description In this exercise you will configure the minimal settings plus a few minor customizations for the hotspot portal. There are many more options, features and functions for setting up and customizing guest access to explore later on your own.
Exercise Objective In this exercise, your goal is to complete the following tasks:
Configure Hotspot Settings
Work with basic customization
Step 1 Click Guest Access > Configure > Guest Portals
Notice how the default portals indicate that they have been configured in an authorization policy, and explain what each of the portals is used for. This makes setup and troubleshooting easier.
Step 2 Click on the Hotspot Guest Portal (default) and click Edit
Let's highlight some of the new settings that make hotspot operational. Note that this portal type is also known as DRW (Device Registration Web Auth): it is meant for simple registration of a device's MAC address through a splash page, with an optional AUP and other options.
Step 3 Navigate to the section under Portal Settings that shows the Endpoint Identity Groups and Purging.
Step 4 Look at the following settings, Guest Endpoint and Purging, and leave them at their defaults.
GuestEndpoints:
By default this Hotspot configuration takes the MAC address learned through MAB (MAC authentication bypass) and places it into the GuestEndpoints group. Remember that in our authorization policy the Hotspot Internet Access rule matches on membership of GuestEndpoints, so this registration is what moves a device from the redirect rule to the permit rule. Bear in mind that the registration is keyed on the MAC address alone, which is trivially spoofable, so DRW identifies devices only loosely. The group could be changed so that different portals or types of access populate different endpoint groups; the same setting is also available in the self-registered and sponsor portal types. Do not change this group.
Purging:
Next, notice the new purge policy. It removes the device after it has been in the endpoint group for 30 days. The purge runs once a day, so the setting can be set as low as 1 day but no lower; until the purge runs, a registered MAC keeps its access. In ISE 1.2, DRW required endpoints to be purged from the database manually when you wanted to remove access. There is a link to advanced purge policies where you can purge
Step 5 Click the small arrow next to Portal Settings to collapse this section.
Step 6 Under the Acceptable Use Policy (AUP) Page Settings, notice that Include an AUP is already enabled. An AUP is not required, but most customers will want one.
Step 7 Check the box to require an access code and enter iseiscool. An access code is a shared secret that keeps people outside your business from using the open SSID for Internet access; since everyone uses the same code, it limits casual use but does not identify individual users. Access codes can also be configured for the self-registration and sponsor-approval flows.
Step 8 Notice the flow chart on the right side of the screen. It updates in real time: if you change, add or remove a component you see the change immediately. Try toggling the Include an AUP checkbox off and on and notice the difference.
A new option in ISE 1.3 is the ability to choose where the user is sent after a successful login. Configure success page redirection to a static URL:
Step 9 Scroll down to the section Authentication Success Settings
Step 10 Enter URL: http://www.cisco.com
Step 11 Scroll to the top of the page and click Save
Step 12 Click on the Page Customization section at the top of the page
ISE 1.3 has basic customization built right into the product, and it shows you the changes you make in real time. We will not go into detail on all of the options, but to start, notice at the top of the page that you can change things like the logos, banner and main text elements. You can also choose from some built-in color themes.
Step 13 Start by changing the portal theme. Click on the pull-down and pick the High Contrast Theme. Notice how the Preview window in the bottom right of the screen shows the changes.
Step 14 Now click on the Tweaks button to see how you can adjust the colors a little more. Feel free to experiment; click on the Page Background Color, and click OK when done. Changing the button color requires advanced customization using CSS and themes (for example jQuery ThemeRoller, not covered in this class). When you have finished with the tweaks, go back to the Portal Theme and change it back to the Default Blue Theme.
Step 15 Let's upload a logo and a banner.
Step 16 On the workstation, in a new Firefox tab, click on the bookmark for tools/guest.
Step 17 Click on the link for iseiscool-images.zip
Step 18 Check Save File and click OK; the file is saved to C:\Users\admin\Downloads
Step 19 Click on the download arrow in the upper right of Firefox to open the download location
Step 20 Right-click on the package and choose Extract All
Step 21 Use the default location C:\Users\admin\Downloads\iseiscool-images
Step 22 Click Next and OK to close the window, then close all tabs and Explorer windows from the download process
Step 23 Go back to the ISE tab in Firefox
Step 24 Upload the banner and logo for mobile (iseiscool_logo_hotspot.png and iseiscool-banner.png) from C:\Users\admin\Downloads\iseiscool-images
Note: Use the same logo for both mobile and desktop.
Step 25 Remove the text for Banner Title, as it is part of the logo (you may need to click elsewhere on the page for the mobile preview to refresh)
Step 26 Below the main section where you tweak the overall look and feel, you can also go into each of the pages. Depending on your portal settings and portal type you will see different options on the left-hand side of the page. You can also tweak the text in the different areas of each page.
Step 27 After some basic customization is done, check out the desktop preview (the same as the Portal test URL at the top of the page) by clicking on the option in the bottom right of the mini preview.
Note: You can test the full flow without using a real client.
Step 28 Close the desktop preview
Step 29 Click Save at the top of the page
You have now completed setup of the Hotspot Portal. The next step is to try it out.
Lab Exercise 4.4: Test the Hotspot Portal
Exercise Description In this exercise you will work with the hotspot portal you configured
Exercise Objective In this exercise, your goal is to complete the following task(s):
Test the hotspot Portal
Step 1 Enable the hotspot SSID on the vWLC
a. Log in to the vWLC web interface at https://vwlc.demo.local as admin / ISEisC00L
b. Open the WLANs menu
c. Select WLAN ID 1 (##-ISECOLD), choose Disable Selected from the drop-down next to Go, and click Go
d. Select WLAN ID 2 (##-hotspot), choose Enable Selected from the drop-down next to Go, and click Go
Step 2 Remove the iPad from the ISE internal endpoints (it was registered during the BYOD lab, Exercise 2, and must be removed for this lab)
On the ISE GUI go to Administration > Identity Management > Identities > Endpoints, select your iPad and choose Delete > Delete Selected
Step 3 From the workstation, double-click the VNC-to-iPad icon on the desktop and press any key to continue. The iPad screen will launch; if it is not already on the home screen, right-click on the screen.
Step 4 Go to Settings > Wi-Fi
Step 5 If Wi-Fi is disabled, turn it on and skip past the clean-up steps
Here are the steps to start with a new session (clean-up):
a. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if present.
Note: You might not see the Profiles menu option when no profile is installed on the iPad.
b. Next, on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
c. Forget any networks the device is automatically connecting to
d. Disable the Wi-Fi
e. On the Windows workstation, navigate to Administration > Identity Management > Identities > Endpoints and delete the iPad; you can delete everything in the list, as your iPad should be the only endpoint connected
f. Launch Firefox, go to the vWLC, and log in
g. On the vWLC click on Monitor, then Clients in the left sidebar
h. Find your wireless session (there should be only one), click on the MAC address and then click Remove in the upper right of the window
i. Go back to the iPad and enable the Wi-Fi
Step 6 On the iPad, from the list of wireless networks find the one named XX-hotspot and click to connect to it
Step 7 Once you are connected to the hotspot (shown in the upper left of the iPad screen), right-click on the iPad screen to show the home screen and then launch Safari
Step 8 In Safari enter a site to visit, cnn.com; you will be redirected to the hotspot portal
Step 9 Enter the passcode iseiscool and click Accept
Step 10 You are redirected to a success page and can then choose your original site
Step 11 Enter cnn.com
Step 12 Navigate to Operations > Authentications and look at the sessions that came through:
a. On first connection, MAB from the hotspot SSID matches the Hotspot Redirect rule and the device is redirected to the hotspot portal
b. After AUP acceptance, the device re-authenticates; its MAC is now in GuestEndpoints, so it is authorized by the Hotspot Internet Access rule and shows up as a separate line
Step 13 Clean up the iPad connection before continuing with self-registration:
a. Close the browser tab on the iPad
b. Right-click to go to the home screen
c. Forget the hotspot network on the iPad; make sure it is not connecting to another network, and if it is, forget that network as well
d. Turn Wi-Fi off
e. Navigate to Administration > Identity Management > Identities > Endpoints and delete the iPad; you can delete everything in the list, as your iPad should be the only endpoint connected
HOTSPOT COMPLETE! You have now completed setup and testing of the Hotspot Portal. Next, let's look at Self-Registration with Sponsor Approval.
Lab Exercise 4.5: Configure Settings for Self-Registration with sponsor approval flow
Exercise Description In this exercise you will configure the minimum settings needed to use the self-registered flow with sponsor approval
Exercise Objective In this exercise, your goal is to complete the following tasks:
Configure Guest Settings
Configure Sponsor Groups
Configure Self Registration Portal