
Post on 15-May-2018


CPOC ISE Lab

Lab Overview:

IP Subnets

There are four identical and isolated pods. There is no Internet access from any of the pods during this lab, nor is there connectivity between any of the pods.

'internal': 10.10.10.0/24, DHCP range 10.10.10.100-254
'guest': 10.10.11.0/24, DHCP range 10.10.11.100-254

IP Addresses

10.10.10.1 = local 3750 switch/gateway (although this is a flat lab); DHCP server for your pod
10.10.10.10 = ISE
10.10.10.11 = Windows 2003 Server / AD
10.10.10.100+ = initial DHCP address of the pod PCs

Devices

User PC
• a Windows 7 PC
• joined to the local cpoc.army.mil domain
• used for 802.1x
• can be used for web and SSH access to ISE
• can be used for telnet access to local switch
• connected to PC port of the IP phone

Management PC
• a Windows XP PC
• not on the Windows domain
• not used for 802.1x
• can be used for web and SSH access to ISE
• can be used for telnet access to local switch
• connected to switch port G1/0/2

IP Phone
• Cisco 7970 phone
• connected to switch port G1/0/1

NGB CPOC, March 1-3, 2011


Basic ISE Setup - SSH Login

1: CLI Login

User Input

SSH (use Putty) to 10.10.10.10:

username: admin
password: Cisc01 (C i s c 'zero' 'one')

Lab Discussion

The IP address was applied when ISE was installed. The 'admin' username/password was created when ISE was installed. Do not lose this initial login when you install ISE. Once you log in to the CLI, you can create additional CLI users. CLI users do not have login rights to the web interface, and web users do not have access to the CLI - they are mutually exclusive. CLI users can be either a normal 'user' (read-only) or an 'admin' (full administrative privileges).

2: Familiarization with the CLI Interface

User Input

The SSH connection to ISE is similar to a console connection to the server. You are presented with an IOS-lite interface. Here is a list of available CLI commands:

NGB-ISE/admin# ?
Exec commands:
  application   Application Install and Administration
  backup        Backup system
  backup-logs   Backup system and application logs
  clock         Set the system clock
  configure     Enter configuration mode
  copy          Copy commands
  debug         Debugging functions (see also 'undebug')
  delete        Delete a file
  dir           List files on local filesystem
  exit          Exit from the EXEC
  forceout      Force Logout all the sessions of a specific system user
  halt          Shutdown the system
  mkdir         Create new directory
  nslookup      DNS lookup for an IP address or hostname
  patch         Install System or Application Patch
  pep           PEP Configuration
  ping          Ping a remote ip address
  ping6         Ping a remote ipv6 address
  reload        Reboot the system
  restore       Restore system
  rmdir         Remove existing directory
  show          Show running system information
  ssh           SSH to a remote ip address
  tech          TAC commands
  telnet        Telnet to a remote ip address
  terminal      Set terminal line parameters
  traceroute    Trace the route to a remote ip address
  undebug       Disable debugging functions (see also 'debug')
  write         Write running system information

NGB-ISE/admin#

Lab Discussion

There are certain tasks that can only be done at the CLI, such as:

system shutdown - halt
change basic network attributes - configure
configuration file management - copy, backup, restore, write

Do not modify any of the network settings in an active ISE. Such changes cause the ISE engine to be reset. If you need to modify network settings, find a period of low network volume or schedule an outage window.

User Input

Verify that all ISE components are operational:

NGB-ISE/admin# show application status ise

ISE Database listener is running, PID: 3077
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 3391
ISE M&T Session Database is running, PID: 2866
ISE M&T Log Collector is running, PID: 3434
ISE M&T Log Processor is running, PID: 3486
ISE M&T Alert Process is running, PID: 3412

NGB-ISE/admin#

ISE consists of a number of databases and servers. The show application status ise command displays the various applications. Each must be 'running' for ISE to be fully operational. When first booted, the ISE Application Server historically takes the longest to become operational (running). You typically have network connectivity to ISE before ISE is fully functional.
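The check described above (every component must report 'running' before the node is usable) is easy to automate when you are polling a freshly rebooted node over SSH. The following Python is an added example, not part of the lab guide or of ISE itself: it parses the text of the show application status ise output and reports which components are not yet up. The sample output is constructed in the shape of the guide's listing, with the Application Server deliberately shown as not running; the exact wording "is not running" for a down component is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the guide's 'show application status ise' output,
# with one component deliberately not yet up (as it looks shortly after a reboot).
SAMPLE_STATUS = """\
ISE Database listener is running, PID: 3077
ISE Database is running, number of processes: 27
ISE Application Server is not running
ISE M&T Session Database is running, PID: 2866
ISE M&T Log Collector is running, PID: 3434
ISE M&T Log Processor is running, PID: 3486
ISE M&T Alert Process is running, PID: 3412
"""

# One status line: "<component> is <state>[, PID: n | , number of processes: n]"
STATUS_RE = re.compile(
    r"^(?P<name>ISE .+?) is (?P<state>not running|running|initializing)"
    r"(?:, (?:PID|number of processes): (?P<num>\d+))?\s*$"
)


def parse_status(output: str) -> Dict[str, dict]:
    """Map each component name to its state and its PID/process count (None if absent)."""
    components = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or "#" in line:          # skip blank lines and echoed CLI prompts
            continue
        m = STATUS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised status line: {line!r}")
        num = m.group("num")
        components[m.group("name")] = {
            "state": m.group("state"),
            "count": int(num) if num is not None else None,
        }
    return components


def not_running(output: str) -> List[str]:
    """Names of components whose state is anything other than 'running'."""
    return [name for name, info in parse_status(output).items() if info["state"] != "running"]


def is_operational(output: str, required=None) -> bool:
    """True only when every component (or every name listed in `required`) reports 'running'."""
    status = parse_status(output)
    names = required if required is not None else list(status.keys())
    return all(name in status and status[name]["state"] == "running" for name in names)


if __name__ == "__main__":
    print("not running:", not_running(SAMPLE_STATUS))
    print("operational:", is_operational(SAMPLE_STATUS))
```

A wrapper that runs the command over SSH and loops until is_operational returns True gives a reliable "ISE is ready" signal, instead of assuming readiness from the first successful ping.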


3: Create New CLI Users

User Input

Configure two new users for ISE CLI access (hint - config mode). Create one normal 'user' and one 'admin' user. The default password policy requires one capital letter, one lower-case letter, one number and a minimum of six total characters, and the password cannot contain either the user name or any form of 'cisco'. Attempt to log in with each of these new users and compare the privilege differences.

4: Modify the Password Policy

User Input

Attempt to modify the CLI password policy (hint - config mode). Verify that your new password restrictions (or freedoms) actually work.
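Steps 3 and 4 together describe a password policy and then ask you to loosen or tighten it. The Python below is an added example (not from the lab guide and not ISE code) that encodes the default policy as stated above and lets you vary it the way step 4 does, so you can predict which candidate passwords ISE should accept before trying them at the CLI. How ISE interprets "any form of 'cisco'" is not spelled out in the guide; the example assumes it means the word in any letter case, forwards or reversed, and applies the same rule to the user name.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Tunable CLI password rules; the defaults match the guide's stated default policy."""
    min_length: int = 6
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    forbidden_words: Tuple[str, ...] = ("cisco",)


DEFAULT_POLICY = PasswordPolicy()


def check_password(username: str, password: str,
                   policy: PasswordPolicy = DEFAULT_POLICY) -> List[str]:
    """Return every rule the candidate password violates (an empty list means it passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"fewer than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    lowered = password.lower()
    # Assumption: 'any form of' a word means the word in any case, forwards or reversed.
    for word in (username, *policy.forbidden_words):
        w = word.lower()
        if w and (w in lowered or w[::-1] in lowered):
            problems.append(f"contains '{word}' (or its reverse)")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a hypothetical CLI user 'labuser'.
    for candidate in ("Cisc01", "short", "LabUser1", "Ocsic22", "Valid7pw"):
        print(f"{candidate!r:12} -> {check_password('labuser', candidate) or 'OK'}")
    # Step 4: a relaxed policy, as if the minimum length and character classes were reduced.
    relaxed = PasswordPolicy(min_length=4, require_upper=False, require_digit=False)
    print("relaxed 'abcd' ->", check_password("labuser", "abcd", relaxed) or "OK")
```

Note that the guide's own initial CLI password, Cisc01, passes the default policy as written here because the letters "cisco" never appear contiguously; that is exactly the kind of boundary case worth testing against the real policy in step 4.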

5: Explore the CLI

User Input

Explore some of the commands available in the CLI. Don't get too aggressive in your desire to configure features. Just try to gain an understanding of what can be done at the CLI.

Lab Discussion

Most network security tasks can only be done via the web interface.


Basic ISE Setup - Web Login

1: Web Login

Firefox is the preferred browser. Your mileage may vary with other choices.

Point the browser to https://10.10.10.10. The browser should redirect to https://10.10.10.10/admin and present you with the login screen:

Username: admin
Password: default1A (d e f a u l t 'one' 'capital-A')

Lab Discussion

This username/password (admin) is a default for ISE. In a production network, you should either disable this account or change the password once you gain access to the web interface. Do not modify the 'admin' account during this lab. Once you log in to the web interface, you can create additional web users. Web users do not have login rights to the CLI, and CLI users do not have access to the web interface - they are mutually exclusive.


Upon login to the web interface, you are presented with the ISE home screen. It is a busy screen, so no graphic is provided in this lab (since it will only be an eye chart). Some snippets of the home screen are shown and described below.

ISE Config Corner

The information bar at the top of each window is identical. In the upper-left corner, you can return to the Home screen which gives you an overall status of your network, or advance into the Monitor, Policy or Administration tasks. You can click on any of the items shown to go into that portion of ISE (new screen), or hover over any of the items with a drop-down indication to display a menu of the options for that task. These drop-down menu expansions are called easy-access mega menus.

ISE Assistance Corner

The upper-right corner provides information about this ISE server. Here, you see the name of your server (NGB-ISE) and the name of the logged-in user (admin). You can Log Out, send Feedback to Cisco (Internet connection required) or search for information within the local ISE database. This search capability is helpful to quickly find a MAC or IP address or a username. ISE Workflows provide scripts to ease the configuration of different options. Additional Workflows will be added in future releases.

ISE Global Toolbar

Along the bottom of every window is the global toolbar. Here, you can access online help, and see instant status of alarms. You can also click on any of the alarms to drill down further into them.


2: Create New Web Users

User Input

Create two new ISE web users (hint - Administration > System > Admin Access). Click on Administrators in the left column. Create (Add) one new administrator and promote one existing user to have login privileges. Once done, log out of ISE and log in using each of your new accounts. Test to see if any restrictions exist with a super user versus the other administrator types. A sample screen with new users is shown below.

3: Perform Some Monitoring and Troubleshooting Tasks

User Input

On the Home screen, examine the System Summary dashlet. From there, you can see the memory, CPU usage and latency for the ISE device. The default display time is 24 hours. You can adjust this to 60 minutes for finer detail. When you mouse over the bar chart (spark bars) in each column, you should see corresponding CPU, memory and latency values. A sample System Summary is shown below.


User Input

Update the refresh interval for live events (hint: Monitor > Authentications). From here, you can adjust the refresh rate, the number of records shown over that interval, and the amount of time that the records are maintained. A sample Authentications screen is shown below.

User Input

Create some favorite reports to be examined later in the lab. Start by creating a RADIUS Failed Authentication Log for today (hint: Monitor > Reports > Catalog > AAA Protocol). Select the RADIUS Authentication radio button and add that to your favorites. On the template page that follows, create a name for this new favorite. Also, change the Authentication Status to Fail, and verify that the Time Range is Today. When done, add this to your favorites.

Next, create a second favorite for Posture Assessment (hint: Monitor > Reports > Catalog > Posture). Select the Posture Detail Assessment radio button and add that to your favorites. On the template page, create a name and add this to your favorites.

When done, both of these reports should appear in your Favorites Reports list (Monitor > Reports > Favorites). Note that there are already some default favorite reports. A sample Reports window is shown below.


ISE Local Authentication - RADIUS Validation

In this portion of the lab, you will configure ISE for local authentication. Local authentication is best used for special (private) user accounts for access into network devices. It is also a simple way to validate that RADIUS is working between ISE and a network device. Local authentication would not be used for either user or machine authentication into the network. Perform the following configurations from either your User or Management workstation.

1: Configure Your Switch for AAA

Lab Discussion

Each pod in the lab has its own switch:

Pod 1: Pitchfork
Pod 2: Saw
Pod 3: Shovel
Pod 4: Wrench

User Input

Telnet to your switch and enable AAA:

Enable AAA:

switch(config)# aaa new-model

Authenticate VTY sessions via RADIUS:

switch(config)# aaa authentication login vty group radius
switch(config)# line vty 0 15
switch(config-line)# login authentication vty

Do not authenticate console sessions:

switch(config)# aaa authentication login console none
switch(config)# line console 0
switch(config-line)# login authentication console

2: Create an Internal User Identity Group

User Input

(Administration > Identity Management > Groups)


Navigate to the User Identity Groups page. Click on the User Identity Groups option in the left pane. You see that there are some default Groups already present. Add a new group that you will use in this lab.

New Group: ______________________________

A sample user identity group is shown below.

3: Create an Internal User

User Input

(Administration > Identity Management > Identities)

Create a new Internal User and add that user to your recently-created User Identity Group. Click on the Users option in the left pane. Add a new user. You must enter a Name and Password. ISE does enforce default password requirements - see if you can figure them out. Add this new user to your new User Group.

New Username/Password: ________________________________________

A sample Identities window is shown below.


4: Configure ISE for Default RADIUS Devices

User Input

(Administration > Network Resources > Network Devices)

Enable ISE to answer any device that sends a RADIUS request with the correct shared secret. Go to the Network Devices page. Click on the Default Device option in the left pane. Enable this option and enter the RADIUS Shared Secret (cisco321). It is good practice to use a different “default” RADIUS password than a password used for specific devices. Submit your changes. A sample screen is shown below.

5: Configure Your Switch for RADIUS

Configure your switch to communicate with ISE using the new default RADIUS secret.

switch(config)# radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key cisco321


6: Test the New Internal User with the Default RADIUS Devices

User Input

From the CLI prompt of your switch, telnet to your switch (telnet to yourself). Since you have configured RADIUS, you should be prompted for a username/password upon connection. You can use the new local username/password that you created to login to your switch.

If you are not prompted for a username/password, then check the RADIUS server config (IP address and secret). If you cannot login, verify the proper spelling of the new username/password that you created.
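The troubleshooting hint above (check the IP address and the secret) follows from how RADIUS uses the shared secret, so it helps to see the transform itself. The Python below is an added example, not from the lab guide and not Cisco code: build_access_request plays the switch and server_decide plays ISE, using the RFC 2865 PAP User-Password hiding (MD5 of secret plus Request Authenticator, XORed block by block). The secrets cisco321/cisco123 and the NAS address 10.10.10.1 are the guide's values; the user labuser/Lab1234 is a constructed internal user. With the secret configured on only one side, the password decodes to garbage and the request is rejected, which is why the switch never gets an Access-Accept.

```python
import hashlib
import os
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def _tlv(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1 octet), Length (1 octet, counts the header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server-side inverse; it yields the real password only with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes = bytes([10, 10, 10, 1]),
                         request_auth: bytes = b"") -> bytes:
    """Assemble an Access-Request the way a NAS (the lab switch) would for a PAP login."""
    request_auth = request_auth or os.urandom(16)   # fresh 16-octet Request Authenticator
    attrs = (_tlv(USER_NAME, username)
             + _tlv(USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + _tlv(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs after the 20-octet header, rejecting malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def server_decide(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> int:
    """Minimal server: ACCESS_ACCEPT only if the decoded password matches the stored one."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet)
    password = decode_user_password(attrs.get(USER_PASSWORD, b""), secret, packet[4:20])
    return ACCESS_ACCEPT if users.get(attrs.get(USER_NAME, b"")) == password else ACCESS_REJECT


if __name__ == "__main__":
    # Constructed lab values: the guide's default-device secret and an example internal user.
    users = {b"labuser": b"Lab1234"}
    pkt = build_access_request(7, b"labuser", b"Lab1234", b"cisco321")
    print("matching secret   ->", server_decide(pkt, b"cisco321", users))  # 2 = Access-Accept
    print("mismatched secret ->", server_decide(pkt, b"cisco123", users))  # 3 = Access-Reject
```

Because MD5 and a static shared secret are all that protect the password on the wire, the RADIUS exchange between the switch and ISE belongs on a management network rather than a user VLAN, and the per-device secret in step 8 should differ from the default-device secret, as the guide already advises.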

7: Create Some Network Device Groups in ISE

User Input

(Administration > Network Resources > Network Device Group)

Network Device Groups (NDGs) are used to classify network devices in ISE policies. NDGs are a way to group multiple devices together in user-defined categories that are later used in authentication and authorization policies.

Navigate to the Network Device Group page. Click on All Device Types in the left column. Create four new NDGs. The “add” feature is found by clicking the gear. Create the following NDGs:

• “Wired-Devices”
• “Wireless-Devices”
• “Routers”
• “Switches”

A sample screen with four new NDGs is shown below.


8: Add a Network Device

User Input

(Administration > Network Resources > Network Devices)

Add your local switch to ISE. Navigate to the Network Devices page, click on the Network Devices option in the left pane and Add your switch. You can use any Name you want, but you must enter the IP address of your switch (use the 10.x.x.x IP address). You can select one of the NDGs that you recently created. For Authentication, use RADIUS and use ‘cisco123’ as the shared secret (this is different than the default shared secret). It is good practice to use a different “default” RADIUS password than a password used for specific devices. See below for a sample completed screen.


Lab Discussion

While not done in this lab, it is possible to import devices using a CSV file. If you have existing spreadsheets of network devices, you can move that data into a proper format/template and import them into ISE. In the Network Devices screen, press the Import button to generate a template and later read an existing CSV file.

9: Change the RADIUS Configuration in Your Switch

Re-Configure your switch to communicate with ISE using the new RADIUS secret.

switch(config)# radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key cisco123

10: Test the New Internal User

User Input

From the CLI prompt of your switch, telnet to your switch (telnet to yourself). Since you have configured RADIUS, you should be prompted for a username/password upon connection. You can use the new local username/password that you created to login to your switch.

If you are not prompted for a username/password, then check the RADIUS server config (IP address and secret). If you cannot login, verify the proper spelling of the new username/password that you created.

Once you have validated that RADIUS works (the switch can talk to the ISE server), disable VTY RADIUS authentication.

switch(config)# aaa authentication login vty none

There is no need for continual login authentication to your switch in this lab.


802.1x - AD Authentication

This section of the lab will show how to use ISE to perform authentication against a Windows Active Directory. ISE can perform both machine and user authentication with AD. Different policies will be created to show how these options can be selected.

1: Ensure that ISE and AD are Time Synced

Lab Discussion

Time synchronization is important when devices join a Windows domain. If there is more than a five-minute difference, a clock skew error occurs. To ensure that ISE and AD have common time (note that 'accurate' is different from 'common'), synchronize the ISE clock with the AD server.

User Input

Enable NTP from the ISE console. Point ISE to the AD server.

NGB-ISE/admin(config)# ntp server 10.10.10.11

The ISE clock should synchronize to the AD clock within a few seconds. Examine the NTP status to verify.

NGB-ISE/admin# show ntp status

Lab Discussion

(Administrations > System > Settings > System Time)

NTP can also be set from the web interface. Browse to the System Time window and set the appropriate values.

2: Have ISE Join the Domain

User Input

(Administration > Identity Management > External Identity Sources > Active Directory)

ISE must be part of the Windows Domain to perform authentication against AD. Navigate to the Active Directory page and click the Connection tab. On this page, use the following information:


Domain: cpoc.army.mil
Identity Store Name: <default = AD1, you may change this>
Username: administrator
Password: cisco

If you created a new Identity Store Name, record it here: ____________________

The Identity Store name will be used when creating policies.

When finished, click Join at the bottom of the window. The status should show CONNECTED. Below is a sample screen.

3: Select AD Groups to Authenticate Against

User Input

In the Active Directory window, select the Groups tab. Click the Add button and then choose Select Groups from Directory:

• Domain: cpoc.army.mil
• Filter: *

Click Retrieve Groups to read the directory structure of the domain. It may take a minute or two to retrieve the directory structure (this is typical regardless of the size of the domain - translation - this may be time to get a snack or visit the restroom). Add 'Domain Users' and 'Domain Machines' to ISE by checking the respective boxes and clicking OK. Save your configuration before leaving this window. Below is a sample screen with those two groups added.


Lab Discussion

ISE will only retrieve the first 100 entries from the domain. You can trim the search with the filter field. For example, you can enter 'CN=Builtin*' in the Filter field to retrieve only groups that start with the word “Domain”. This filter is very helpful in domains that have hundreds or thousands of groups.

Lab Discussion

These AD groups will be used later to create policy conditions. If no groups are selected, then no AD authentications can be performed. The selection of groups here does not imply that all users within those groups are authenticated via ISE/AD. These groups must be referenced in policies to be treated as authentication sources.

4: Configure Your Switch for Dot1x

Lab Discussion

The following configurations should be performed from your Management workstation. These switch configurations will limit the ability of the User workstation until dot1x is fully configured in the network.

User Input

Telnet to your switch and enable dot1x. AAA was already globally enabled and RADIUS is already operational.


Enable dot1x globally:

switch(config)# aaa authentication dot1x default group radius
switch(config)# aaa authorization network default group radius
switch(config)# aaa authorization auth-proxy default group radius
switch(config)# dot1x system-auth-control

Create the dot1x ACL. This ACL defines the type of traffic that is permitted prior to dot1x authentication. It is always good practice to create an ACL before applying it to an interface.

switch(config)# ip access-list extended acl-default
switch(config-ext-nacl)# remark DHCP
switch(config-ext-nacl)# permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)# remark DNS
switch(config-ext-nacl)# permit udp any any eq domain
switch(config-ext-nacl)# remark ICMP/ping
switch(config-ext-nacl)# permit icmp any any
switch(config-ext-nacl)# remark PXE Boot
switch(config-ext-nacl)# permit udp any any eq tftp
switch(config-ext-nacl)# deny ip any any
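Because acl-default is what an unauthenticated host can reach while the port is in authentication open mode, it is worth being able to answer "would this packet get through?" without a switch at hand. The Python below is an added example (not from the lab guide, not IOS code): it parses the ACL body shown above into entries and evaluates packets against them with IOS first-match semantics and the implicit deny. It goes slightly beyond the guide's ACL by also accepting host and wildcard-mask addresses and numeric ports; the service-name to port mapping in PORT_NAMES is an assumed table of the standard IANA numbers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The pre-authentication ACL from the guide, copied as the ACL body text (prompts removed).
ACL_DEFAULT = """
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark ICMP/ping
permit icmp any any
remark PXE Boot
permit udp any any eq tftp
deny ip any any
"""

# IOS service-name keywords (assumed mapping to the standard IANA port numbers).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}


@dataclass
class AclEntry:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None means 'any'
    sport: Optional[int]                   # None means any port
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]


def _parse_addr(tok: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # Contiguous wildcard masks only: invert the wildcard to obtain a netmask.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tok[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def _parse_port(tok: List[str], i: int):
    """Parse an optional 'eq <name-or-number>' qualifier starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(AclEntry(tok[0], tok[1], src, sport, dst, dport))
    return entries


def evaluate(entries: List[AclEntry], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]) -> str:
    """First-match semantics with the implicit 'deny' at the end, as on the switch."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src is not None and s not in e.src:
            continue
        if e.dst is not None and d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_DEFAULT)
    # Constructed flows from the User PC (10.10.10.100) before it authenticates.
    flows = [("udp", "0.0.0.0", 68, "255.255.255.255", 67),      # DHCP discover
             ("udp", "10.10.10.100", 51000, "10.10.10.1", 53),    # DNS query
             ("icmp", "10.10.10.100", None, "10.10.10.10", None), # ping ISE
             ("tcp", "10.10.10.100", 40000, "10.10.10.10", 443)]  # HTTPS to ISE (blocked)
    for flow in flows:
        print(flow, "->", evaluate(acl, *flow))
```

The last flow shows the point of the ACL: until 802.1X or MAB succeeds, the host can obtain an address, resolve names and PXE boot, but nothing else, and the switch replaces this ACL with whatever the authorization profile returns once authentication passes.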

Configure the interface for dot1x (this is the interface of your User PC):

switch(config)# interface gigabitEthernet 1/0/1
switch(config-if)# description dot1x port
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10
switch(config-if)# ip access-group acl-default in
switch(config-if)# authentication host-mode multi-domain
switch(config-if)# authentication open
switch(config-if)# authentication priority dot1x mab
switch(config-if)# authentication event fail action next-method
switch(config-if)# authentication port-control auto
switch(config-if)# mab

Lab Discussion

Now that dot1x is configured on the switch port, you should start to receive authentication reports in ISE. Take a look at the Monitor tab to see what is happening. Until ISE is fully configured to use the AD information, any attempt to authenticate on configured network ports will fail.

Your switch should also react to the dot1x configurations. Authentication failures (which are expected at this point) should show up on the switch console. Enable console messages on the VTY ports:

switch# terminal monitor


5: Create a New Identity Source Sequence

User Input

(Administration > Identity Management > Identity Source Sequences)

ISE uses Identity Source Sequences to determine where to look to validate authentication requests. By default, only the Internal User database is used.

Create a new Identity Source Sequence (ISS) first by browsing the Identity Source Sequences Page. Add a new ISS. You can name it anything you want, but you will need this name when we create policies.

Identity Source Sequence: ______________________________

In the Authentication Source List portion of the window, make sure that AD1 (or whatever you named your Identity Store earlier) is moved into the Selected column. Save your work. A sample Create Identity Source Sequences window is shown below.


6: Examine the Current Policy Elements

(Policy > Policy Elements > Conditions > Authentication > Compound Conditions)

Policy Elements are attributes that are mapped into authentication policies. ISE has a few default policy elements. It is possible to create more. Take a look at the current ones by browsing to the Compound Conditions screen. We will use elements from this screen later in the lab. A sample Compound Conditions screen is shown below.

7: Create an Authentication Policy

(Policy > Authentication)

Create a new Authentication Policy that will use Active Directory as a means of authentication. Browse to the Authentication Policy window and add a new policy at the top of the existing list (hint - the Actions drop-down button). Give your new policy a unique name.

Authentication Policy: ______________________________

Configure the following attributes in this new authentication policy:

• Policy Type: Rule-Based
• Attribute: Select “Wired_802_1X”
• Select Network Access: Select “Default Network Access”
• Set Identity Source: Select the Identity Source Sequence you recently created

Save your work when done. A sample Authentication Policy window is shown below.


8: Examine the Current Authorization Profiles

(Policy > Policy Elements > Results > Authorization > Authorization Profiles)

Authorization Profiles define what actions can be taken once authentication has passed. Examine the default Authentication Profiles. For our lab, the default profiles are adequate. You can examine the current profiles and create additional ones if you want. Do not modify the default profiles. A sample Authorization Profiles window is shown below.


9: Create an Authorization Policy

(Policy > Authorization)

Now, you must create an Authorization Policy that permits AD users. Browse to the Authorization Policy window and create a new rule at the top of the list. Apply the following attributes:

Name: <your choice>
Identity Groups: <...>
Other Conditions: <none>
Permissions: Permit Access

Now, users and machines who authenticate against AD are permitted access via ISE. A sample authorization policy is shown below.

** NEED GRAPHIC **

10: Test the New AD User

User Input

Attach a Windows 7 PC/laptop to your pod. Connect it to the port that you configured for dot1x. The initial dot1x configuration will use PEAP (the built-in Windows 7 dot1x client).

You can verify the dot1x operation both in your switch and in ISE. In your switch, type:

switch# show authentication sessions

And in ISE, you can see authentication successes and failures on the Home page.


Profiling


Posture Assessment
