Ise Lab Guide For 9-11th Workshop

This document provides guidance for exploring the Cisco Identity Services Engine (ISE) through a series of discovery activities. The first discovery introduces the ISE by having students log into the command line interface and run basic commands. It then has them log into the graphical user interface to explore the ISE management features. The goal is to familiarize students with the ISE system before configuring advanced functions in later activities.

Uploaded by Kamal

ISE Workshop

Table of Contents
Discovery Guide
Pre-Lab Activity: Accessing the Remote Lab 2
Discovery 1: Initial Configuration of Cisco ISE 7
Discovery 2.1: Certificate Operations 18
Discovery 2.2: Cisco ISE Node Deployment 31
Discovery 2.3: Configure and Add Network Access Devices to Cisco ISE 37
Discovery 3: Integrate Cisco ISE with Active Directory 42
Discovery 4.1: Configuring Cisco ISE for MAC Authentication Bypass (MAB) 51
Discovery 4.2: Configuring Cisco ISE for Wired 802.1X Authentication 72
Discovery 4.3: Configuring Cisco ISE for Wireless 802.1X Authentication 87
Discovery 6: Configure Guest Access 104
Discovery 7: Guest Access Operations 108
Discovery 8: Guest Reports 145
Discovery 9: Configuring Profiling 148
Discovery 10: Customizing the Cisco ISE Profiling Configuration 157
Discovery 11: ISE Profiling Reports 162
Discovery 12: BYOD Configuration 165
Discovery 13: Blacklisting a Device 191
Discovery 14: Compliance 200
Discovery 15: Configuring Client Provisioning 214
Discovery 16: Configuring Posture Policies 220
Discovery 17: Testing Compliance Based Access 231
Discovery 18: Compliance Policy Monitoring 234

Pre-Lab Activity: Lab Topology and Access


Visual Objective
The figure illustrates what you will accomplish in this activity. In this lab, you will
be able to connect to the lab through Remote Desktop Connection and/or VNC.

Job Aids
These job aids are available to help you complete the lab activity.

Internal IP Addresses
This table lists the internal IP addresses that are used in the labs.
| Device | Name or Hostname | IP Address |
|---|---|---|
| Access Switch (3560X) | 3k-access.demo.local | 10.1.100.1 |
| ISE Appliance #1 | ise-1.demo.local | 10.1.100.21 |
| ISE Appliance #2 | ise-2.demo.local | 10.1.100.22 |
| Active Directory Server (CA, DNS, and DHCP) | ad.demo.local | 10.1.100.10 |
| NTP Server | ntp.demo.local | 10.1.100.10 |
| Public Web Server | www-ext.demo.local | 10.1.252.10 |
| Internal Web Server | www-int.demo.local | 10.1.252.20 |
| Admin (Management) Client | admin.demo.local | 10.1.100.100 |
| FTP Server | ftp.demo.local | 10.1.100.100 |
| Wireless LAN Controller | wlc.demo.local | 10.1.100.61 |
| Client PC | -- | DHCP |
| BYOD PC | -- | DHCP |

Accounts and Passwords


This table lists the accounts and passwords that are used in the labs.
| Access To | Account (Username and Password) |
|---|---|
| 3K Access Switch (3560X) | admin and cisco123 |
| ISE Appliance(s) | admin and default1A |
| Wireless LAN Controller | cisco and cisco |
| Active Directory Server (CA, DNS, and DHCP) | administrator and default1A |
| MDM Server | admin and default1A |
| ASA | admin and cisco123 |
| Web Servers | administrator and cisco123 |
| Admin PC | admin and cisco123 |
| Client PC (Windows 10), local account (Local = CLIENT) | CLIENT\admin and <no password> |
| Client PC (Windows 10), domain account (Domain = DEMO) | DEMO\admin and cisco123 |
| Client PC (Windows 10), domain account (Domain = DEMO) | DEMO\employee1 and cisco123 |

Active Directory Accounts (ad.demo.local)


| Group | Users | Password |
|---|---|---|
| demo.local/Users/Domain Computers | — | — |
| demo.local/Users/Domain Users | user1, user2 | cisco123 |
| demo.local/Users/contractors | contractor1, contractor2 | cisco123 |
| demo.local/Users/employees | employee1, employee2 | cisco123 |
| demo.local/Users/staff | staff1, staff2 | cisco123 |
| demo.local/Users/students | student1, student2 | cisco123 |

Internal VLANs and IP Subnets


This table lists the internal VLANs and corresponding IP subnets that are used in the
labs.
| VLAN Number | VLAN Name | IP Subnet | Description |
|---|---|---|---|
| 10 | ACCESS | 10.1.10.0/24 | Network for authenticated users or access network using ACLs |
| 11 | WIRELESS | 10.1.11.0/24 | Wireless Access Point (AP) connection for LWAPP tunnel |
| 20 | MACHINE | 10.1.20.0/24 | Microsoft machine-authenticated devices (Layer 2 segmentation) |
| 30 | QUARANTINE | 10.1.30.0/24 | Unauthenticated or noncompliant devices (Layer 2 segmentation) |
| 40 | VOICE | 10.1.40.0/24 | Dedicated voice VLAN |
| 50 | GUEST | 10.1.50.0/24 | Network for authenticated and compliant guest users |
| 60 | ASA | 10.1.60.0/24 | Outside interface |
| 100 | DATACENTER | 10.1.100.0/24 | Network services (AAA, Active Directory, DNS, DHCP, NTP, and so on) |
| 252 | WEBSVR | 10.1.252.0/24 | Web server network |

Note Dedicated VLANs have been preconfigured for optional access policy assignments that
are based on user identity, profiling, or compliance status. This lab will focus on the use
of downloadable ACLs (DACLs) rather than VLAN assignment for policy enforcement. By
default, all Client PC access will remain in the ACCESS VLAN 10, and IP phones will be
placed in the VOICE VLAN 40.

Task 1: Connect to VNC Clients and Lab Device Consoles


Step 1 To access the Admin PC via noVNC, do the following:
◼ From the Lab Diagram, click the Admin PC icon.
◼ The page should open to the Desktop. If it does not, inform your
instructor.
◼ Setting the Desktop Resolution to 1600 x 1200 will provide
best results.

Note The login username is: admin and the password is: cisco123 (this information is listed in
the Accounts and Passwords table).

Note Click on the ‘three-button’ icon to send Ctrl-Alt-Del and the ‘X’ to
disconnect.

Step 2 To access the Client PC and BYOD via noVNC, do the following:
◼ From the Lab Diagram, click Client PC or BYOD.
◼ The page should open to the Desktop. If it does not, inform your
instructor.
Step 3 To access the consoles of the lab Switch and Cisco ISE appliance(s) using
SSH, do the following:
◼ From the Admin PC, double-click the desired PuTTY shortcut located
in the Shortcuts folder on the Windows desktop. The PuTTY shortcuts
are identified by the type ‘Shortcut’ and show two computers
connected by a lightning bolt.

◼ Login using the credentials that are listed in the Accounts and
Passwords table found above.

Discovery 1: Introduction to Cisco ISE


This discovery is designed to reinforce the material that is covered in the lecture.
The overall goal of this discovery is to introduce the student to Cisco ISE.
Logging into the CLI and running a few commands to examine the current system gives
some experience working with the CLI. Later in the discovery, you log into the GUI to
explore that interface. The Lab Team installed Cisco ISE on the VMware server and
ran the install script on the system.
The Lab Team provided the following information to configure the Cisco ISE:

Enter hostname: ise-1 (should be lower case)
Enter IP address: 10.1.100.21
Enter IP netmask: 255.255.255.0
Enter IP default gateway: 10.1.100.1
Enter default DNS domain: demo.local
Enter primary name server: 10.1.100.10
Enter NTP server: 10.1.100.10
Enter system timezone: UTC
Enable SSH server? Y
Enter username: admin
Enter password: default1A

Activity Objective
In this exercise, you will verify the installation of Cisco ISE and perform post
installation tasks. After completing this activity, you will be able to meet these
objectives:
◼ Verify initial Discovery setup and configuration
◼ Verify services, NTP, and DNS settings
◼ Gather Data
Command List
The table describes the commands that are used in this activity.
ISE CLI Commands

| Command | Description |
|---|---|
| show application status ise | Displays the state of the ISE application processes |
| show version | Displays hardware/software information |
| show inventory | Displays hardware information (PID, VID, SN) |
| show ntp | Shows NTP servers and synchronization status |
| show running-config | Displays the current system operating configuration |
| nslookup | DNS lookup for an IP address or hostname |
| show tech-support | Displays technical support information |

Task 1: Validating ISE Configuration


In this task, you will examine the configuration of the Cisco ISE on a Virtual
Machine.
Activity Procedure
Complete these steps on ISE-1:
Step 4 From the Lab Diagram, login to the Admin PC.
Step 5 Open the Shortcuts folder on the desktop and double-click the ISE-1 PuTTY
shortcut (the one with the two computers). Click Yes if prompted by
the server key prompt. The username/password for ISE-1 is
admin/default1A.

If the screen appears too small or not the right color you can change the
settings in PuTTY using Change Settings… then Window > Appearance to
change the font and Window > Colors to change the colors.
Step 6 Enter show run to confirm the setup settings that are entered and to see
other settings and their default values.
Step 7 Use these commands to answer the following questions:
show version
show inventory
show application status ise

Step 8 Verify that time synchronization is working.

show ntp

Step 9 At the command prompt enter the following command:

nslookup ise-1.demo.local
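As an added example (not part of the lab guide), the following Python script turns the checks in Steps 7 and 8 into code: it parses `show application status ise` and `show ntp` output pasted from the PuTTY session, reports which required ISE processes are not running, and decides whether ise-1 is really synchronized to 10.1.100.10 from the peer table rather than the banner. The sample outputs embedded below are constructed to match the ISE CLI format and are assumptions, not captures from the pod; the list of required processes is also an assumption.

```python
import re

# Constructed sample of `show application status ise` output (assumption: the
# layout matches the ISE CLI; the PIDs are illustrative, not captured from ise-1).
APP_STATUS_SAMPLE = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4117
Database Server                        running          97 PROCESSES
Application Server                     running          9630
Profiler Database                      running          6011
M&T Session Database                   running          5782
M&T Log Processor                      running          9876
Certificate Authority Service          disabled
EST Service                            disabled
ISE Messaging Service                  running          2298
"""

# The same table while the application server is still coming up after a restart.
APP_STATUS_STARTING = re.sub(r"(Application Server\s+)running",
                             r"\g<1>initializing", APP_STATUS_SAMPLE)

# Constructed `show ntp` samples (assumption) in ntpq peer-table format. The tally
# character in column 1 marks the peer the clock is actually synced to ('*'), and
# "reach" is an octal shift register of the last eight polls (377 = all eight OK).
NTP_SYNCED = """\
Primary NTP server: 10.1.100.10
synchronised to NTP server (10.1.100.10) at stratum 3
   time correct to within 62 ms

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.100.10     10.1.252.10      2 u   31   64  377    0.325    0.041   0.012
"""

NTP_UNSYNCED = """\
Primary NTP server: 10.1.100.10
unsynchronised

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.1.100.10     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Processes a lab node needs before the GUI tasks work (assumption). The message
# "Unable to communicate with the Monitoring node" seen in Discovery 2.2 is what
# you get while the M&T processes are not yet running.
REQUIRED_SERVICES = (
    "Database Listener", "Database Server", "Application Server",
    "M&T Session Database", "M&T Log Processor",
)

SERVICE_RE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<state>running|not running|disabled|initializing)\b")
PEER_RE = re.compile(
    r"^(?P<tally>[ *+#o.x-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+\S\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>\d+)\s")


def parse_app_status(output):
    """Map each ISE process name to its STATE column."""
    services = {}
    for line in output.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services[m.group("name").strip()] = m.group("state")
    return services


def app_problems(output, required=REQUIRED_SERVICES):
    """Required processes that are missing from the table or not 'running'."""
    services = parse_app_status(output)
    return [(name, services.get(name, "missing")) for name in required
            if services.get(name) != "running"]


def ntp_status(output, expected_server):
    """Judge time sync from the expected server's peer line, not the banner text."""
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m and m.group("remote") == expected_server:
            stratum = int(m.group("st"))
            reach = int(m.group("reach"), 8)  # the reach register is printed in octal
            return {
                "found": True,
                "stratum": stratum,
                "reach_ok": reach == 0o377,
                # '*' = selected system peer; stratum 16 = the server itself is unsynced
                "synced": m.group("tally") == "*" and stratum < 16 and reach > 0,
            }
    return {"found": False, "stratum": None, "reach_ok": False, "synced": False}


if __name__ == "__main__":
    # In the lab, replace the samples with the text copied from the PuTTY session.
    print("app problems:", app_problems(APP_STATUS_SAMPLE) or "none")
    print("app problems after restart:", app_problems(APP_STATUS_STARTING))
    print("ntp:", ntp_status(NTP_SYNCED, "10.1.100.10"))
    print("ntp (not yet synced):", ntp_status(NTP_UNSYNCED, "10.1.100.10"))
```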

Task 2: Initial GUI login and Familiarization


In this task, you will Login to the Cisco ISE web user interface and become familiar
with its layout and navigation.
Activity Procedure
Complete these steps:
Step 1 From the Lab Diagram, login to the Admin PC.
Step 2 Open the Shortcuts folder on desktop and double click on the ISE-1
Firefox icon.

Step 3 You will be directed to the secure login page
(https://ise-1.demo.local/admin).
Step 4 If presented with a security exception confirm it.
Step 5 Login using the Cisco ISE web user interface credentials: admin for
username and default1A for password. On the Cisco Smart Call Home
Telemetry select the Provide later checkbox, then Accept and close.
Step 6 Familiarize yourself with the Cisco ISE homepage. You may need to
scroll to see all the information.

Tip If you are using an evaluation license, you may see a message “Licenses about expire”
at every login; just click the OK button.

Step 7 Click on the gear icon in the top right corner and choose “About Identity
Services Engine”
Q4) What is the Cisco ISE version?

Step 8 Test the mouse hover behavior, as follows:


◼ Move the mouse over the graphics on the dashboard. You should see
additional graphic data.
◼ Move the mouse over to the Alarm Area and click the detach icon
(double window icon) located at the top right corner. This will allow
you to view your alarm summary information in a dedicated window.
Pick an alarm and click on it to open the detailed information about
that alarm.

◼ Return to the Home Dashboard; navigate to different areas of the user
interface.
Step 9 Navigate to Endpoints, click the hamburger button then select Context
Visibility > Endpoints. Again, explore the various sub-menus available
here. Do the same with the Users and Network Devices menus available
under Context Visibility.

Hamburger Button

Note Context Visibility provides the administrator with a more holistic view of the network.
It allows for quick sorting and filtering of context information. Administrators can view
dashlets to get detailed informational data.

Step 10 Click on “Cisco ISE” to return to the Home tab. You can now add
additional dashboards in two ways: click the + symbol to the right of
the submenus, or click the pull-down hamburger button on the far right
of the page. The + symbol only lets you create a new dashboard and
define its attributes. The pull-down hamburger button gives you more
options beyond this, such as adding additional dashlets to the present
view. You can also change the layout of the display and manage
dashboards from there.

Step 11 Add a new test dashboard by using either method mentioned above. Name
it “MY-TEST” and click Save when done. Then select 2 or 3 dashlet
parameters of your choice to be included with that dashboard. Then click
Save. You can then view this new dashboard once complete, and it will
appear as a sub-menu option.

Step 12 By clicking the large gear icon on the right, notice that you can rename
this dashboard, and add additional dashlets. If you click Add Dashlets, you
will see that you can configure the dashboard to display what is important
to you, for your environment. Click the ‘X’ to exit.

Step 13 Now, go ahead and delete this Dashboard by clicking the ‘X’ next to the
MY-TEST name and click OK on the pop-up warning window to remove
the dashboard. You will be adding dashboards in later labs that will be
more relevant to the task being performed.

Step 14 Similarly, by navigating to the Context Visibility > Endpoints page (hint:
use the hamburger button) and clicking on the pull-down hamburger drop
down button icon on the right, you are presented with options to create
new views, or directly jump to a pre-existing dashboard. Click Create
New. Again, you will be customizing these pages in later Discoveries
where appropriate.

Step 15 Next, navigate to the other menu options available just to familiarize
yourself with GUI navigation, click on the hamburger button in the upper
left. You will be accessing most of the configuration options available in
much more detail throughout the entire course.
The Operations tab will allow you to view live logs and live sessions for
things such as RADIUS and TACACS+ sessions.
The Policy tab is where you will perform authentication and authorization
configurations, as well as profiling, provisioning, and posture. Take the
time to view the default policies that come with ISE for authentication,
authorization, profiling, and provisioning. You will be modifying some of
these and adding new policy configurations in later labs.
The Administration tab is where you will perform system functions,
identity management, add network resources, device portals, and other
services available on Cisco ISE.
Step 16 There is a new menu option starting in ISE version 2.1 called Work
Centers. This provides a guided workflow process for configuring various
ISE services. Work Centers also offer direct links to specific configuration
pages. Take some time to click on the different sub-menu options and pay
particular notice to the overview pages. These pages will help guide you
through the ISE workflow process. For example, choose the “Overview”
option under the headings for Network Access. Look over the steps
needed to implement Network Access.

Discovery 2.1: Certificate Operations


Activity Objective
In this activity, you will prepare, process, and install certificates on each Cisco ISE
node. After completing this activity, you will be able to meet these objectives:
◼ Install CA Certificate
◼ Generate a Certificate Signing Request (CSR)
◼ Enroll Cisco ISE with external CA
◼ Install Cisco ISE Identity Certificate(s)
◼ Verify Cisco ISE Identity Certificate(s)

Visual Objective

Task 1: ISE-1 Certificate Configuration


By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for EAP,
Admin, Portal, and pxGrid services. In a typical enterprise environment, this certificate is
replaced with server certificates that are signed by a trusted CA.
We need to establish system certificates on each deployment node for TLS-enabled
authentication protocols such as EAP-TLS, for authenticating the Admin portal, for browser and
REST clients to access the Cisco ISE web portals, and for the pxGrid service.
In this task, you will enroll Cisco ISE with the CA in your pod. You will download and install a
certificate, as well as generate a Certificate Signing Request (CSR). Finally, you will bind the
CA-signed certificate to the CSR, and then verify its validity.

For more information please see: How To: Implement ISE Server-Side Certificates.

Activity Procedure
Complete these steps:
Step 1 If not already open, from the Lab Diagram, login to the Admin PC.
Step 2 In the Shortcuts folder, open the site using the CertSrv icon; this takes
you to http://ad.demo.local/certsrv.
Step 3 From the Select a task: section, click Download a CA certificate,
certificate chain, or CRL.
Step 4 In the CA certificate section, leave the Current certificate highlighted.
From the Encoding method: section, choose Base 64.

Step 5 Click Download CA certificate and choose Save File. Click Ok.

Step 6 This file will be saved as certnew.cer in the Downloads folder, change
the name of the file to demo-ca.cer.

Note Each time that a certificate is saved, the file number is incremented (for example,
certnew.cer, certnew2.cer, and certnew3.cer). In order to save the confusion this might
cause, rename the certificate to something meaningful.

Step 7 We will now install the Root CA into Firefox, from the browser window
select Install CA certificate.

Step 8 Select the Trust this CA to identify website checkbox and click OK.

Step 9 If not already open, from the Shortcuts folder, double-click the
ise-1.demo.local shortcut. Login to ISE using username: admin and
password: default1A

Note A browser certificate error message appears which can be ignored. Add an exception for
this connection.

Step 10 From the Cisco ISE Admin Portal on ise-1, click on the hamburger icon
and navigate to Administration > System > Certificates

Step 11 Select Trusted Certificates from the menu on the left.

Step 12 Click Import to add the CA certificate as a Trust Certificate. Use the table
below to complete the form.
| Attribute | Value |
|---|---|
| Certificate File | Favorites > Downloads\demo-ca.cer |
| Friendly Name | demo.local CA |
| Trust for authentication within ISE | [X] |
| Trust for client authentication and Syslog | [X] |

Tip If the CA will also issue endpoint certificates, then select “Trust for client authentication
and syslog”. If the CA is a public trusted root, then do not check the client authentication
check-box.

Step 13 Click Submit. You should receive a message box in the lower right-hand
corner indicating the successful import. (Only visible for a few seconds)

Step 14 Navigate to Administration > System > Certificates > Certificate
Signing Requests and click on the Generate Certificate Signing
Request (CSR) button to create a certificate signing request (CSR).

Step 15 Fill out the form with the following information:


| Attribute | Value |
|---|---|
| Usage | Multi-Use |
| Node | [X] ISE-1 |
| Common Name (CN) | $FQDN$ |
| Organization Unit (OU) | IT |
| Organization (O) | ISE Lab |
| City (L) | San Jose |
| State (ST) | CA |
| Country (C) | US |
| Subject Alternative Name (SAN) | DNS Name: ise-1.demo.local; DNS Name: 10.1.100.21; IP Address: 10.1.100.21 |
| Key type | RSA |
| Key Length | 4096 |
| Digest to Sign With | SHA-256 |
| Certificate Policies | Leave blank |

Note Adding the IP address as both a DNS name and IP address solves a compatibility issue
with Microsoft clients.

Step 16 Click the Generate button.


Step 17 Click Export to export the CSR.
Step 18 If prompted for application to use, choose Windows WordPad.

Note File is saved in C:\Users\admin\Downloads\ise1MultiUse.pem

Step 19 From the open .PEM file, highlight and copy the entire contents to the
clipboard. (CTRL-A followed by CTRL-C)
Step 20 Browse to http://ad.demo.local/certsrv/; if the site is already open, select
the Home link in the upper right. If you use Firefox, the request for
the certificate may produce an error; if it does, use the IE web browser.

Step 21 Select Request a certificate.


Step 22 Select advanced certificate request.
Step 23 Follow the onscreen instructions using the following table:
| Attribute | Value |
|---|---|
| Base-64-encoded certificate request | <Paste contents of .PEM file here> Make sure there is no white space below the “END CERTIFICATE REQUEST” line |
| Certificate Template | Web Server |
| Additional Attributes | <Leave blank> |

Step 24 Click Submit.


Step 25 From the Certificate Issued screen, choose Base 64 encoded and click
Download certificate.
Step 26 Choose Save File and click OK. The file will be saved as certnew.cer in
the Downloads Folder, open the folder and rename this file to ise-1.cer.
Step 27 Return to Cisco ISE Admin Portal on ise-1, navigate to Administration >
System > Certificates > Certificate Signing Requests. You will bind the
certificate to the signing request.

Step 28 Select the ise-1#Multi-Use CSR and choose Bind Certificate.

Step 29 Under the Certificate File section, click Browse… and select the
certificate file Downloads\ise-1.cer. Click Open.
Step 30 For the Friendly Name field enter: ISE-1-Multi-Use
Step 31 Under Usage choose Admin, EAP Authentication and Portal. Select OK
for each Popup. Under Portal, add a new Portal Group Tag by entering
ISE LAB CGT.

Step 32 Click Submit and answer Yes to the resulting prompts.


Step 33 Close the WordPad application (this is so you do not confuse this file with
the next one!).
Step 34 Click OK in popup that explains application server will restart. While
ISE-1 is restarting you can continue to Task 2.

Note When a change is made on the Cisco ISE, you will see a brief pop-up on the bottom right
of the browser screen. This will show that the change was either successful or
unsuccessful. This process can take several minutes since the ISE appliance must
restart to apply the certificate
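After the bind in Step 32, a practical check is to confirm from the Admin PC that ise-1 now presents the CA-signed certificate rather than the self-signed one. The Python script below is an added example, not part of the lab guide: it uses only the standard library, assumes the demo-ca.cer file from Step 6 is in the current directory and the node answers HTTPS on port 443, and checks the SAN entries from the CSR table (ise-1.demo.local as a DNS name, 10.1.100.21 as both a DNS name and an IP address) plus the expiry date. The `SAMPLE_CERT` dict is constructed in the format `ssl.getpeercert()` returns; the function names are mine.

```python
import socket
import ssl
import time

# SAN entries from the CSR table in Step 15 (the Note explains why the IP appears twice).
EXPECTED_DNS = {"ise-1.demo.local", "10.1.100.21"}
EXPECTED_IP = {"10.1.100.21"}

# Constructed sample in ssl.getpeercert() format (assumption: the validity dates
# are illustrative, the subject fields are the ones entered in the CSR form).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "CA"),),
                (("localityName", "San Jose"),), (("organizationName", "ISE Lab"),),
                (("organizationalUnitName", "IT"),), (("commonName", "ise-1.demo.local"),)),
    "subjectAltName": (("DNS", "ise-1.demo.local"), ("DNS", "10.1.100.21"),
                       ("IP Address", "10.1.100.21")),
    "notBefore": "Mar 12 10:00:00 2024 GMT",
    "notAfter": "Mar 12 10:00:00 2031 GMT",
}


def san_problems(cert, expected_dns=EXPECTED_DNS, expected_ip=EXPECTED_IP,
                 now=None, warn_days=30):
    """Return a list of problems with a getpeercert()-style dict; [] means it matches."""
    san = cert.get("subjectAltName", ())
    dns = {value for kind, value in san if kind == "DNS"}
    ips = {value for kind, value in san if kind == "IP Address"}
    problems = [f"missing SAN DNS entry: {n}" for n in sorted(expected_dns - dns)]
    problems += [f"missing SAN IP entry: {ip}" for ip in sorted(expected_ip - ips)]
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the GMT format above
    if not_after < now:
        problems.append("certificate expired on " + cert["notAfter"])
    elif not_after - now < warn_days * 86400:
        problems.append(f"certificate expires within {warn_days} days")
    return problems


def fetch_cert(host="ise-1.demo.local", port=443, cafile="demo-ca.cer"):
    """TLS-connect with demo-ca.cer as the only trust anchor and return the peer cert.

    An ssl.SSLCertVerificationError here means the node still serves the self-signed
    certificate (or a chain not issued by the lab CA), or the hostname does not match
    the SAN; both are what the bind in Step 32 is meant to fix."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("sample cert:", san_problems(SAMPLE_CERT) or "OK")
    # Live check from the Admin PC once ise-1 has restarted:
    # print("ise-1:", san_problems(fetch_cert()) or "OK")
```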

Task 2: ISE-2 Certificate Configuration


In this task, you will establish the lab certificate authority as a trusted root CA and
have the CA issue a certificate to the Cisco ISE-2 and install this certificate.
Activity Procedure
Complete these steps:
Step 1 From the shortcuts folder, double-click the ISE-2.demo.local shortcut.
Login to ISE using username: admin and password: default1A
If prompted with a license warning hit Accept and close.

Note If a browser certificate error message appears, you can ignore it and add an
exception for this connection. If no message appears, an exception already exists.

Step 2 From the Cisco ISE Admin Portal on ise-2, navigate to Administration >
System > Certificates > Trusted Certificates. (hint: use the hamburger
icon)
Step 3 Click Import to add the CA certificate as a Trust Certificate.
| Attribute | Value |
|---|---|
| Certificate File | Downloads\demo-ca.cer |
| Friendly Name | demo.local CA |
| Trust for authentication within ISE | [X] |
| Trust for client authentication and Syslog | [X] |

Step 4 Click Submit. You should receive a message box in the lower right-hand
corner indicating the successful import. (Only visible for a few seconds)
Step 5 Navigate to Administration > System > Certificates > Certificate
Signing Requests and click on the Generate Certificate Signing
Request (CSR) button to create a certificate signing request (CSR).

Step 6 Fill out the form with the following information:


| Attribute | Value |
|---|---|
| Usage | Multi-Use |
| Node(s) | [X] ise-2 |
| Common Name (CN) | $FQDN$ |
| Organization Unit (OU) | IT |
| Organization (O) | ISE Lab |
| City (L) | San Jose |
| State (ST) | CA |
| Country (C) | US |
| Subject Alternative Name | DNS Name: ise-2.demo.local; DNS Name: 10.1.100.22; IP Address: 10.1.100.22 |
| Key type | RSA |
| Key Length | 4096 |
| Digest to Sign With | SHA-256 |

Note Adding the IP address as both a DNS name and IP address solves a compatibility issue
with Microsoft clients.

Step 7 Click Generate.


Step 8 Click Export to export the CSR.
Step 9 Click Save File and Click OK.
Step 10 From the Firefox Downloads screen, double-click ise2MultiUse.pem that
was created.

Note File is saved in C:\Downloads\ise2MultiUse.pem

Step 11 From the open .PEM file, highlight and copy the entire contents to the
clipboard.
Step 12 From the Firefox or IE web browser, browse to
http://ad.demo.local/certsrv/.
Step 13 Select Request a certificate.
Step 14 Select advanced certificate request.

Step 15 Follow the onscreen instructions using the following table:


| Attribute | Value |
|---|---|
| Base-64-encoded certificate request | <Paste contents of .PEM file here> Make sure there is no white space after “END CERTIFICATE REQUEST” |
| Certificate Template | Web Server |
| Additional Attributes | <leave blank> |

Step 16 Click Submit.


Step 17 From the Certificate Issued screen, choose Base 64 encoded and click
Download certificate.
Step 18 Choose Save File and click OK, the file will be named certnew.cer and
saved in the Downloads folder, rename this file ise-2.cer.
Step 19 From the Cisco ISE Admin Portal on ise-2, navigate to Administration >
System > Certificates > Certificate Signing Requests. You will bind the
certificate to the signing request.
Step 20 Select the ise2#Multi-Use CSR and choose Bind Certificate.
Step 21 Under the Certificate File section, click Browse… and select the
certificate file Downloads\ise-2.cer. Click Open.
Step 22 For the Friendly Name field enter: ISE-2-Multi-Use.
Step 23 Under Usage, choose Admin, EAP Authentication, and Portal. Under
Portal, add a new Portal Group Tag by entering ISE LAB CGT.

Step 24 Click Submit, Yes and Ok to the resulting prompts.

Note When a change is made on the Cisco ISE, you will see a brief pop-up on the bottom right
of the browser screen. This will show that the change was either successful or
unsuccessful. This process can take several minutes since the ISE appliance must
restart to apply the certificate. Use the CLI to view the status of the system.

Task 3: Client Certificate Configuration


Certificates are used in a network to provide secure access. Certificates are used to identify
Cisco ISE to an endpoint and also to secure the communication between that endpoint and the
Cisco ISE node. Certificates are used for all HTTPS communication and the Extensible
Authentication Protocol (EAP) communication.
Activity Procedure
Complete these steps:
Step 1 If not already open, from the Lab Diagram, login to the Client PC.
Step 2 Open Firefox and browse to: http://ad.demo.local/certsrv.
Step 3 From the Select a task: section, click Download a CA certificate,
certificate chain, or CRL.
Step 4 In the CA certificate section, leave the Current certificate highlighted.
From the Encoding method: section, choose Base 64.
Step 5 Click Download CA certificate and choose Save File. Click Ok.

Step 6 This file will be saved as certnew.cer in the Downloads folder, change
the name of the file to demo-ca.cer.

Note Each time that a certificate is saved, the file number is incremented (for example,
certnew.cer, certnew2.cer, and certnew3.cer). In order to save the confusion this might
cause, rename the certificate to something meaningful.

Step 7 We will now install the Root CA into Firefox, from the browser window
select Install CA certificate.

Step 8 Select the Trust this CA to identify website checkbox and click OK.

Step 9 Open the Downloads folder.


Step 10 Right-click on the certificate you downloaded in the step 6 above. Click
on Install Certificate.
Step 11 For the Store Location select the Local Machine. Click Next.
Step 12 Select the radio button Place all certificates in the following store, then
click Browse…
Step 13 Select the Trusted Root Certification Authorities, then click OK.

Step 14 Click Next and Finish.

Step 15 Click OK on the resulting pop-up box.

Discovery 2.2: Cisco ISE Node Deployment


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will convert the ise-1 node from standalone to primary, register
a secondary node, configure roles for the nodes, and verify connectivity. After
completing this activity, you will be able to meet these objectives:
◼ Convert the ise-1 node from standalone to primary
◼ Register the ise-2 node to the ise-1 node and configure roles for each node
◼ Verify connectivity and proper communication within the distributed
deployment

Visual Objective

Task 1: Convert ISE-1 from Standalone to Primary


In this task, you will convert ise-1 from standalone to primary.
Activity Procedure
Complete these steps:
Step 1 From the Lab Diagram, login to the Admin PC.
Step 2 From the shortcuts folder, double-click the ise-1.demo.local shortcut.
Login to ISE using username: admin and password: default1A
Step 3 From the Cisco ISE Admin Portal on ise-1, navigate to Administration>
System > Deployment

Step 4 You may see the screen go dark and a pop-up window in the top
middle of the page with this message: “This node is in Standalone mode.
To register other nodes, you must first edit this node and change
Administration Role to Primary.” Click OK.
Step 5 In the Deployment section, select Deployment then ise-1 by clicking the
checkbox to the left. Click Edit

Step 6 In the General Settings under Personas in the Administration Role area,
you will see the following. Click the Make Primary button as shown
here:

Note You will immediately see the role change to Primary. However, the configuration has not
been sent to the Cisco ISE.

Step 7 In the Personas section, deselect the Enable Profiling Service checkbox.
This will disable Profiling Service.

Step 8 Click Save. The screen will go dark while the Cisco ISE node is
processing this configuration change. When the update is completed, you
will see a success pop-up window open on the screen. Click Ok and the
ISE interface will be redirected to the login page.

Note This process may take up to 10 minutes.

Note If you log in before the processing on ise-1 is complete, you may see this message:
“Unable to communicate with the Monitoring node. Please check if the application server
on ise-1.demo.local is running and is accessible from your browser.”

Note You can use the PuTTY shortcut to ise-1 and run a show application status ise
command to follow the Application Service status.

Step 9 From the web browser, login back into ISE-1.


Step 10 From the Cisco ISE Admin Portal on ise-1, navigate to Administration>
System > Deployment
In the Deployment Nodes section, the Personas will list Administration,
Monitoring, and Policy Service. The Role(s) should be PRI (A), PRI
(M).

Task 2: Add ISE-2 to ISE-1 and Configure Roles


In this task, you will configure the roles for the primary Admin node, add the
remaining Cisco ISE node to the node running the primary Admin persona, and
configure the appropriate roles for this deployment.
Activity Procedure
Complete these steps:
Step 1 From the Cisco ISE Admin Portal on ise-1, navigate back to the
Administration > Deployment > Deployment Nodes list. Click the
Register button and choose Register an ISE Node.
Step 2 In Step 1 of the Register ISE Node section, fill in the following details
and click Next.
| Attribute | Value |
|---|---|
| Host FQDN | ise-2.demo.local |
| Username | admin |
| Password | default1A |

Step 3 In Step 2 of the Register ISE Node section, configure the following
details and click Submit.
| Attribute | Value |
|---|---|
| Administration | Secondary |
| Monitoring | [X] Secondary |
| Policy Service | [X] |
| Enable Session Services | [X] Node Group: None |
| Enable Profiling Service | [ ] unchecked |
| Other Items | [ ] unchecked |

Step 4 You will see the confirmation pop-up, click OK.

Note This process may take several minutes.

Step 5 Verify the Deployment Nodes details against the following information. It
can take a while for the ise-2 Node Status to turn green. (Proceed with the
next lab and come back to these validation steps.)
Hostname  Node Type  Personas                                    Role(s)         Services  Node Status  Replication Status
ise-1     ISE        Administration, Monitoring, Policy Service  PRI(A), SEC(M)  Session   Green        Connected
ise-2     ISE        Administration, Monitoring, Policy Service  SEC(A), PRI(M)  Session   Green        Connected

Note The Monitoring roles you see depend on what was selected for Monitoring during
registration in Step 3. If they come out reversed from the table, the Monitoring role
of a node can be changed afterwards by editing that node from the primary Admin node.

Note If you log in before the processing on ISE-2 is complete, you may see this message:
“Unable to communicate with the Monitoring node. Please check if the application server
on ise-2.demo.local is running and is accessible from your browser.”

Note You can use the PuTTY shortcut to ISE-2 and run a show application status ise
command to follow the application service statuses.

Step 6 From the shortcuts folder, double-click the ISE-2.demo.local shortcut.


Log in to ISE using username: admin and password: default1A
Step 7 Observe that the Admin portal on ISE-2, which is now the secondary Admin
node, offers only a limited menu: configuration is done on the primary Admin
node and replicated to the secondary.


Discovery 2.3: Configure and Add Network Access Devices to Cisco ISE
Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure Cisco ISE to use the NADs in this topology.
You will add the switch and the WLC, plus a third NAD (NTRadPing) that serves as a
RADIUS test client. You will then verify the configuration of the switch and WLC.
After completing this activity, you will be able to meet these objectives:
◼ Create network device groups (NDGs) & Add Network Access Devices (NADs)
to Cisco ISE

Visual Objective


Task 1: Network Devices


In this task, you will add three Device Type groups and two Location groups.
You will also add the lab equipment to the Cisco ISE network device database and
configure a RADIUS client test tool to send RADIUS requests to Cisco ISE.
Activity Procedure
Complete these steps:
Step 1 From the Lab Diagram, login to the Admin PC.
Step 2 From the shortcuts folder, double-click the ISE-1.demo.local shortcut.
Login to ISE using username: admin and password: default1A
Step 3 From the Cisco ISE Admin Portal on ise-1, navigate to Work Centers >
Device Administration > Network Resources > Network Device
Groups or use Administration > Network Resources > Network Device
Groups
Step 4 From the right pane, click +Add to create the following three NDGs, using
All Device Types as the Parent Group:
◼ Test
◼ Wired
◼ Wireless

Step 5 From the right pane, click the +Add to create the following NDGs, use All
Locations as the Parent Group:
◼ HQ
◼ RnD Lab


Step 6 From the Cisco ISE Admin Portal on ise-1, from the side menu bar
navigate to Network Devices. In the right pane, click +Add to configure
a new network device.
Attribute Value

Name NTRadPing

IP Address 10.1.100.100/32

Device Profile Cisco (leave Model and Software blank)

Network Device Group: Location RnD Lab

Network Device Group: IPSEC No

Network Device Group: Device Type Test

Radius Authentication Settings ✓: Shared Secret cisco123

Step 7 Click Submit


Step 8 Configure the wired lab switch as a network device.
Attribute Value

Name 3k-access

IP Address 10.1.100.1/32

Device Profile Cisco

Network Device Group: Location HQ

Network Device Group: IPSEC No

Network Device Group: Device Type Wired

Radius Authentication Settings ✓: Shared Secret cisco123

Step 9 Click Submit.


Step 10 Configure the WLC as a network device.
Attribute Value

Name WLC

IP Address 10.1.100.61/32

Device Profile Cisco

Network Device Group: Location HQ

Network Device Group: IPSEC No

Network Device Group: Device Type Wireless

Radius Authentication Settings ✓: Shared Secret cisco123


Step 11 Click Submit. Does your table look like the one below?

Step 12 From the Admin PC desktop, start NTRadPing.


Step 13 Send a RADIUS request to the Cisco ISE by clicking Send in NTRadPing.
Response should be Access-Reject

Note NTRadPing is preconfigured.

Step 14 Confirm that Cisco ISE received the authentication request: navigate to
Operations > RADIUS Live Logs. You should see a failure with the current
time stamp. The failure is expected, because ISE is not yet configured to
pass authentication requests to Active Directory, which is where this user
account exists. If the entry instead reports a failure such as "Could not
locate Network Device or AAA Client", the NTRadPing source address does not
match the 10.1.100.100 network device entry; if no entry appears at all, check
that the shared secret cisco123 matches on both sides.
Step 15 Click the page icon under the Details column.


Step 16 Close the Authentication Details screen when complete.

Note Review the information in the authentication summary. Notice that an authentication
failure has occurred.
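The following Python script is an added example for this guide; it is not part of the lab and is not NTRadPing's or Cisco's code. It builds the same kind of PAP Access-Request that NTRadPing sends in Step 13, hides the password the way RFC 2865 requires, and checks the Response Authenticator of whatever comes back, which is how a client detects a shared-secret mismatch or a spoofed reply. The ISE address 10.1.100.21 (from the switch's show aaa servers output later in this guide), the NTRadPing device address 10.1.100.100 and the shared secret cisco123 are the lab values; user2/cisco123 is the test account used in Discovery 3. Only the final send needs the lab network; everything else runs offline.

```python
"""RADIUS PAP Access-Request as a RADIUS test client sends it (added example, not lab code)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4          # RFC 2865 attribute types


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    This is secret-keyed obfuscation, not encryption; the shared secret is all that protects it."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password: what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes):
    """Return [(type, value), ...]; refuses truncated or overlapping attribute lengths."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Code(1) | Identifier | Length | 16-byte random Request Authenticator | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, request, secret, attrs=b""):
    """Server side, included so the check below can be exercised offline:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_is_authentic(response, request_authenticator, secret) -> bool:
    """False for a reply whose Response Authenticator was not computed with our secret
    (spoofed reply, or the NAD entry in ISE has a different shared secret)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_and_check(server, secret, username, password, nas_ip, timeout=3.0):
    packet, req_auth = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: ISE unreachable, or the source IP is not a registered network device"
    if data[1] != packet[1] or not response_is_authentic(data, req_auth, secret):
        return "reply failed authenticator check: shared secret mismatch or spoofed reply"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(data[0], f"code {data[0]}")


if __name__ == "__main__":
    # Same request NTRadPing sends in Step 13; expect Access-Reject until Discovery 3 adds the AD rule.
    print(send_and_check("10.1.100.21", b"cisco123", "user2", "cisco123", "10.1.100.100"))
```

Run it from a host whose address is registered as a network device in ISE (the lab entry is 10.1.100.100); from any other address ISE drops the request and the call times out, which is the behaviour the note in Step 14 describes.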


Discovery 3: Integrate Cisco ISE with Active Directory
Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will integrate the Cisco ISE into Microsoft Active Directory.
After completing this activity, you will be able to meet these objectives:
◼ Join Cisco ISE to Microsoft Active Directory
◼ Confirm that authentication and authorization functionality is working

Visual Objective


Task 1: Join ISE to Active Directory Domain


In this task, you will join the Cisco ISE to Microsoft Active Directory and confirm
that the authentication and authorization functionality is working correctly.
Activity Procedure
Complete these steps:
Step 1 In the ISE Admin Portal, navigate to Work Centers > Network Access >
Overview. Select the Introduction link in the left-hand panel. In the
Prepare panel of the Work Center, select the External Identity Store link.

Step 2 Select the Active Directory folder in the left pane.


Step 3 In the right pane, click the Add button.


Step 4 Enter the domain name under the Connection tab:


Attribute Value

Join Point Name demo.local

Active Directory Domain demo.local

Step 5 Click Submit to save this configuration.


Step 6 Select No in the resulting dialog pop-up.
Step 7 From the AD1 connection table, select both ise-1.demo.local and ise-
2.demo.local by selecting the appropriate checkbox(s).

Step 8 Click Join.


Step 9 Enter the Microsoft Active Directory credentials, admin for username and
cisco123 for password, in the pop-up window that appears (You will have
to type the password). Click OK.

Note Cisco ISE does not require elevated Microsoft Active Directory credentials to join
Microsoft Active Directory; it only needs a regular user account that has permission to
join a workstation. (Default Microsoft Active Directory permissions allow a user to join up
to 10 workstations to the domain.) The credential is used only for the join itself, so in
production use a dedicated, least-privilege join account rather than an administrator.


Step 10 If the operation was successful, you should see the following popup
display the Join status. If the window does not close automatically click
Close when complete.

Note For Microsoft Active Directory debugging information, debugging may be turned on from
Administration > System > Logging > Debug Log Configuration. Click the node
name and then enable Microsoft Active Directory debugging from the Active Directory
Debug tab.

Note To view the Microsoft Active Directory debug log, go to Operations > Troubleshoot >
Download Logs. Click the node and then choose the ad_agent.log file from the Debug
Logs tab.


Task 2: Add Active Directory Groups


In this task, you will retrieve Microsoft Active Directory Groups and confirm that
user attributes can be queried. User membership in Active Directory Groups and
user attributes downloaded from AD can be used in ISE network access policies to
determine level of network access.
Activity Procedure
Complete these steps:
Step 1 From the Cisco ISE Admin Portal on ise-1, return to Administration >
Identity Management > External Identity Sources > Active Directory
> demo.local.
Step 2 From the right pane, select the Groups tab. We will use the Microsoft AD
Groups in policies later.
Step 3 From the Groups tab, click Add > Select Groups From Directory
Step 4 Change Type Filter to GLOBAL, click Retrieve Groups and Add the
following groups by selecting the appropriate checkbox(s): (If the groups
don’t show up close the browser and reopen)
Name Group Type

demo.local/Users/Domain Admins GLOBAL

demo.local/Users/Domain Computers GLOBAL

demo.local/Users/Domain Users GLOBAL

demo.local/Users/contractors GLOBAL

demo.local/Users/employees GLOBAL

demo.local/Users/staff GLOBAL

demo.local/Users/students GLOBAL

Step 5 Click OK.


Step 6 Scroll down and click the Save button.
Step 7 From the right pane, select the Attributes tab to review the available
Microsoft Active Directory attributes.
Step 8 From the Attributes tab, click Add > Select Attributes from Directory.
Step 9 Enter user1 as a sample user in the text box. Click Retrieve Attributes.
You should see the user1 Active Directory attributes appear.
Step 10 Select badPwdCount and userPrincipalName from the list and click OK.
Step 11 Scroll down and click Save.


Task 3: Test Active Directory Authentication


In this task, you will test if Microsoft Active Directory authentication is working by
adding a rule to the authentication policy to send requests from Test Devices to
Microsoft Active Directory.
Activity Procedure
Complete these steps:
Step 1 From the Cisco ISE Admin Portal on ise-1, navigate to Policy > Policy
Sets. Click on the right arrow at the end of the line, under the View
column, to expand the policy set.

Step 2 Next, click on the arrowhead in front of the Authentication Policy to
expand the Authentication Policy drop-down.


Step 3 Select the Actions gear icon at the right end of the MAB rule and click
Insert new row above, so your new rule is above the MAB rule.

Step 4 In the Rule Name field, enter Test Authentications.


Step 5 Click the + (plus) to create a new condition. The Conditions Studio will
open. In the Editor on the right, click the Click to add an attribute box,
choose the Network Device attribute DEVICE: Device Type and leave Equals as
the operator.

Step 6 In the drop-down menu to the right of Equals, select All Device
Types#Test. Compare your screen to the screenshot below:

Step 7 Scroll down and click on the Use button at the bottom right to exit the
Conditions Studio. (Do not click on the Save button unless you want to
save the condition to the library.)
Step 8 Choose the identity store by clicking the link internal users then selecting
demo.local from the dropdown.

Step 9 At the bottom or top right side of the screen, click Save.
Step 10 From the Admin PC desktop, use NTRadPing to send an authentication
request for the username user2 and for the password cisco123. Response
should be Access-Accept.


Step 11 From the Cisco ISE Admin Portal on ise-1, navigate to Operations >
RADIUS Live Logs and confirm that the authentication is successful.
You can click the icon under Details to view more information.


Discovery 4.1: Configuring Cisco ISE for MAC Authentication Bypass (MAB)
Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
The need for secure network access has never been greater. In today's diverse
workplaces, consultants, contractors, and even guests require access to network
resources over the same LAN connections as regular employees, who may
themselves bring unmanaged devices into the workplace. As data networks become
increasingly indispensable in day-to-day business operations, the possibility that
unauthorized people or devices will gain access to controlled or confidential
information also increases.
The best and most secure solution to vulnerability at the access edge is to use the
intelligence of the network. One access control technique that Cisco provides for
endpoints that cannot run an 802.1X supplicant is MAC Authentication Bypass (MAB).
MAB uses the MAC address of a device to determine what kind of network access to
provide. Because a MAC address is trivially spoofed, MAB identifies a device rather
than strongly authenticating it, so the authorization granted to MAB endpoints should
be limited accordingly (for example with a downloadable ACL, as in Task 5).
In this activity, you will learn about the default behavior of the Cisco IOS IEEE
802.1X state machine and how it relates MAC Authentication Bypass (MAB) of
device authentication, specifically when authenticating against the Cisco ISE. After
completing this activity, you will be able to meet these objectives:
◼ Review the Cisco ISE default access policy
◼ Verify the default authorization policies for the endpoints
◼ Understand the default authentication behavior of the Cisco ISE
◼ Understand the behavior of MAC Authentication Bypass (MAB) on the switch
◼ Authenticate an IP phone, and wireless access point using MAC Authentication
Bypass (MAB) and static MAC authorization
◼ Assign an endpoint a specific authorization policy that is based on a static group
mapping


Visual Objective


Task 1: Discovery Prep


In this task, you will verify/document the MAC of the Cisco IP phone.
Activity Procedure
Complete these steps:
Step 1 From the Admin PC, double-click the 3k-access PuTTY shortcut located
in the Shortcuts folder on the Windows desktop and login to the switch
using username: admin / password: cisco123
Step 2 Enable interface GigabitEthernet 0/6 using the no shutdown command:
3k-access#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#interface GigabitEthernet0/6
3k-access(config-if)#no shutdown
3k-access(config-if)#end
Step 3 Wait for the phone to boot up; this will take several minutes. Then use the
show mac address-table command to verify that the Cisco IP phone is
connected to interface GigabitEthernet 0/6.
3k-access #show mac address-table interface gig0/6
Mac Address Table

Vlan Mac Address Type Ports

10 some MAC address DYNAMIC Gi0/6


40 some MAC address DYNAMIC Gi0/6
Total Mac Addresses for this criterion: 2

Q10) What is the Cisco IP phone MAC address listed in the command
line output?

Step 4 Disable interface GigabitEthernet 0/6 using the shutdown command:
3k-access#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#interface GigabitEthernet0/6
3k-access(config-if)#shutdown
3k-access(config-if)#end


Task 2: Verify Default ISE Configuration


In this task, you will verify the licensing and profiling configuration of the ISE.
Activity Procedure
Complete these steps:
Step 1 Verify the current configuration of Profiling Probes by navigating to
Administration > System > Deployment.
Step 2 From the left pane, choose Deployment, select ise-1 from the list and
click Edit. Verify that the Enable Profiling Service checkbox is
unchecked.
Step 3 Return to the Deployment Nodes list, select ise-2 from the list and click
Edit. Verify that the Enable Profiling Service checkbox is unchecked.
Step 4 Navigate to Administration > System > Settings > Protocols > RADIUS and
uncheck the Suppress repeated failed clients checkbox. Click OK in the
dialog box, then click Save. When this option is enabled, ISE rejects further
requests from a client that keeps failing, for a configurable period, and
suppresses the corresponding log entries; that would hide the repeated MAB
failures you want to observe in this lab.
A separate checkbox on the same page, Suppress repeated successful
authentications, is checked by default. Instead of logging every successful
transaction for a client, only the most recent successful event is shown, which
keeps the live log manageable. Leave that box checked.
Step 5 From the Cisco ISE Admin Portal on ise-1, navigate to Policy > Policy
Sets > Default. Select the arrow under the View column and then
expand the Authentication Policy.
Step 6 Examine the Cisco ISE standard authentication policies.

Note MAC addresses that are sent from the switch using any of the Default Network Access
protocols will be evaluated against existing addresses in the Internal Hosts database. If
they are not found, a RADIUS Access-Reject response will be returned.

Authentication Rules

Status  Rule Name             Conditions                                                  Use
        Test Authentications  Device:Device Type EQUALS Device Type#All Device Types#Test  demo.local
        MAB                   Wired_MAB or Wireless_MAB                                   Internal Endpoints
        Dot1X                 Wired_802_1X or Wireless_802_1X                             All_User_ID_Stores
        Default Rule          (none)                                                      All_User_ID_Stores

Note Web Authentication is not RADIUS-based and is automatically managed by the Session
Service, so there is no need to create a separate authentication method for WebAuth.

Step 7 Open the Authorization Policy dropdown.


Step 8 Examine the Cisco ISE standard authorization policies that are
preconfigured. There is already a policy that could be used to get ISE
working from day one. See chart.

Authorization Policies

Status  Rule Name                      Conditions                                                           Results - Profiles
        Wireless Black List Default    Wireless_Access AND BlackList                                        Blackhole_Wireless_Access
        Profiled Cisco IP Phones       Cisco-IP-Phone                                                       Cisco_IP_Phones
        Profiled Non Cisco Phones      Non_Cisco_Profiled_Phones                                            Non_Cisco_IP_Phones
        Unknown_Compliance_Redirect    Network_Access_Authentication_Passed AND Compliance_Unknown_Devices  Cisco_Temporal_Onboard
        NonCompliant_Devices_Redirect  Network_Access_Authentication_Passed AND Non_Compliant_Devices       Cisco_Temporal_Onboard
        Compliant_Devices_Access       Network_Access_Authentication_Passed AND Compliant_Devices           PermitAccess
        Employee_EAP-TLS               Wireless_802.1X AND BYOD_is_Registered AND EAP-TLS AND MAC_in_SAN    PermitAccess
        Employee_Onboarding            Wireless_802.1X AND EAP-MSCHAPv2                                     NSP_Onboard
        Wi-Fi_Guest_Access             Guest_Flow AND Wireless_MAB                                          PermitAccess
        Wi-Fi_Redirect_to_Guest_Login  Wireless_MAB                                                         Cisco_WebAuth
        Basic_Authenticated_Access     Network_Access_Authentication_Passed                                 PermitAccess
        Default                        (none)                                                               DenyAccess


Task 3: MAC Authentication Bypass (MAB) Behavior


In this task, you will verify the behavior of 802.1X and MAC Authentication Bypass
(MAB) on the switch.
Please see: Cisco ISE Secure Wired Access Prescriptive Deployment Guide
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Activity Procedure
Complete these steps:
Step 1 From the Cisco ISE Admin Portal on ise-1, navigate to Context Visibility
> Endpoints. Scroll down and verify that there are no endpoints listed. If
there are endpoints that are listed, delete them by checking each one and
clicking the Trash Can button, select Selected, then click yes to confirm.
Step 2 From the Admin PC, double-click the 3k-access PuTTY shortcut locate in
the Shortcuts folder on the Windows desktop and login to the switch using
username: admin and password: cisco123
Step 3 Validate the AAA servers on the switch.
3k-access#show aaa servers
RADIUS: id 1, priority 1, host 10.1.100.21, auth-port 1812,
acct-port 1813
State: current UP, duration 38301s, previous
duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration
38301s, previous duration 0s
!<Output truncated>
Step 4 Execute the following test command on the switch to validate that the
switch and ISE can communicate over RADIUS and to see whether a given
credential passes or fails. test-user and test-password are not a real
username and password; they are placeholder values used only to exercise the
RADIUS exchange between the switch and ISE.
3k-access#test aaa group radius test-user test-password new-code
We expect this command to return User rejected, but the reject itself shows
that the switch and ISE are communicating: a reject is an answer from ISE,
whereas a timeout would point to an unreachable server, a switch address that
is not in the ISE network device list, or a shared secret mismatch. The attempt
also appears in Operations > RADIUS Live Logs on ISE.
Step 5 Validate the RADIUS settings on the switch.
3k-access#show running-config | include radius


Step 6 Show the interface GigabitEthernet 0/6 configuration (show run int Gi0/6).
Confirm the following information matches, add any missing entries.
3k-access#show running-config interface GigabitEthernet0/6
interface GigabitEthernet0/6
description IP Phone
switchport access vlan 10
switchport mode access
switchport voice vlan 40
ip access-group ACL-ALLOW in
shutdown
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 30
mab
dot1x pae authenticator
spanning-tree portfast
end

Note The lines from authentication event fail action next-method through dot1x pae
authenticator are the 802.1X and MAC Authentication Bypass (MAB) related items (shown in
bold in the original). Note also that authentication open together with the ACL-ALLOW
pre-authentication ACL is monitor (open) mode: traffic permitted by that ACL flows even
when authentication fails, so a failed MAB or 802.1X result on this port is logged but
not enforced. Removing authentication open turns the port into enforcing (closed) mode.

Step 7 In EXEC mode, enable terminal monitoring and enable AAA
authentication and authorization debugging. This will help you see when
MAB authentication failover begins if the endpoint cannot perform an 802.1X
authentication. Turn the debugging off again with undebug all once you have
finished observing, because debug output can load the switch CPU.
3k-access#terminal monitor
3k-access#debug aaa authentication
3k-access#debug aaa authorization
Step 8 Enter configuration mode and enable GigabitEthernet 0/6 to authenticate
your agentless device.
3k-access#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#interface GigabitEthernet 0/6
3k-access(config-if)#no shutdown
3k-access(config-if)#end
◼ After you enable the switch port, you will see the IEEE 802.3af inline
power being granted to the phone:
Dec 28 18:22:57.821: %ILPOWER-5-POWER_GRANTED: Interface
Gi0/6: Power granted


◼ Shortly after that will be the link-up notifications:


Dec 28 18:22:58.408: %LINK-3-UPDOWN: Interface
GigabitEthernet0/6, changed state to down
Dec 28 18:23:01.068: %LINK-3-UPDOWN: Interface
GigabitEthernet0/6, changed state to up
Dec 28 18:23:02.075: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/6, changed state to up
◼ The switch port is configured with ‘authentication order mab
dot1x’, so it initiates a MAB authentication request as soon as it
learns the endpoint MAC address.
◼ Cisco ISE does not have this MAC in its endpoint list, so MAB fails:
Dec 28 18:23:18.393: %MAB-5-FAIL: Authentication failed for
client (some MAC address) on Interface Gi0/6 AuditSessionID
0A016401000000022DDA5A9A
◼ Because ‘authentication event fail action next-method’ is configured
together with that order, Cisco IOS then attempts 802.1X.
◼ After roughly 60 seconds (two 30-second EAPOL request timeouts; the exact
delay is governed by the dot1x tx-period and max-reauth-req values, which
‘show dot1x all’ displays), 802.1X fails because the phone never answered
the authenticator’s 802.1X challenges:
Dec 28 18:36:41.111: %DOT1X-5-FAIL: Authentication failed
for client (some MAC address) on Interface Gi0/6
AuditSessionID 0A016401000000032DE52F76

Note After the hold period expires, the Cisco IOS authentication manager will restart the
authentication process with MAB.

Note If the authentication is successful, the MAC address may have been previously seen by
ISE and authenticated. In the GUI navigate to Context Visibility > Endpoints. Check
the box next to the IP Phone MAC Address then click delete (Trash Canister). Say yes
to the pop-up message.
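As an added example that is not part of the original guide, the script below reconstructs the MAB-then-802.1X sequence per endpoint from the switch's syslog messages, the same ones you watched with terminal monitor in Step 8. The lines in SAMPLE_LOG are constructed to match the message formats shown above, with an invented MAC address and timestamps, so the script runs offline; on the lab switch, paste the terminal monitor output in their place. Endpoints are grouped by interface and MAC rather than by AuditSessionID because, as the lab output shows, the switch opens a new session ID for each retry.

```python
"""Reconstruct the MAB -> 802.1X fallback timeline from IOS syslog (added example, not lab code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: same formats as the switch output above, invented MAC and timestamps.
SAMPLE_LOG = """\
Dec 28 18:22:57.821: %ILPOWER-5-POWER_GRANTED: Interface Gi0/6: Power granted
Dec 28 18:23:01.068: %LINK-3-UPDOWN: Interface GigabitEthernet0/6, changed state to up
Dec 28 18:23:18.393: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi0/6 AuditSessionID 0A016401000000022DDA5A9A
Dec 28 18:24:48.111: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi0/6 AuditSessionID 0A016401000000032DE52F76
Dec 28 18:26:10.500: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi0/6 AuditSessionID 0A016401000000042DF00001
"""

# %MAB-5-FAIL, %MAB-5-SUCCESS, %DOT1X-5-FAIL and %DOT1X-5-SUCCESS share this layout.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %(?P<method>MAB|DOT1X)-5-(?P<result>FAIL|SUCCESS): "
    r"Authentication (?:failed|successful) for client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<session>[0-9A-F]+)")


def parse_events(text: str):
    """Authentication events in log order: dicts with ts, method, result, mac, intf, session."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line.strip())
        if not m:
            continue                      # power, link and other messages are not auth events
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f")   # syslog carries no year
        events.append(ev)
    return events


def summarize(text: str):
    """Per (interface, MAC): method/result sequence, seconds from the first auth event to the
    last one, whether the endpoint ended up authorized, and whether MAB fell back to 802.1X."""
    by_endpoint = defaultdict(list)
    for ev in parse_events(text):
        by_endpoint[(ev["intf"], ev["mac"])].append(ev)
    report = {}
    for key, evs in by_endpoint.items():
        seq = [f'{e["method"]}:{e["result"]}' for e in evs]
        report[key] = {
            "sequence": seq,
            "elapsed_s": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "authorized": evs[-1]["result"] == "SUCCESS",
            "fallback_to_dot1x": "MAB:FAIL" in seq and "DOT1X:FAIL" in seq,
        }
    return report


def stuck_endpoints(text: str):
    """Endpoints whose last event is still a failure. On a port with 'authentication open'
    they are on the network with only the pre-auth ACL, which is what you want to find."""
    return [key for key, r in summarize(text).items() if not r["authorized"]]


if __name__ == "__main__":
    for key, r in summarize(SAMPLE_LOG).items():
        print(key, r)
    print("still unauthorized:", stuck_endpoints(SAMPLE_LOG))
```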

Step 9 From the Cisco ISE Admin Portal on ise-1, navigate to Operations >
RADIUS Live Logs. Choose a failed event for your endpoint mac
address.
Step 10 Click the Details link next to the log entry for additional information.
What is the MAC address of the Cisco IP Phone?


Task 4: Authenticate an IP Phone


In this task, you will authenticate an IP phone.
Activity Procedure
Complete these steps:
Step 1 From the Cisco ISE Admin Portal on ise-1, navigate to Work Centers >
Network Access > Identities > Endpoints.
Step 2 From the right pane, check the box next to the MAC address of the Cisco
IP Phone and choose Edit (the pencil icon).

Note Use the MAC address that was verified and documented in Task 1.

Step 3 Enable Static Group Assignment and in Identity Group Assignment


dropdown, select Cisco-IP-Phone.

Step 4 Click Save.

Note If you are unable to save the MAC address, verify that it does not already exist in the
table. If it does exist in the table, you can either edit the one that already exists or delete
it and create a new one.

Note You may need to wait 30-60 Seconds for the authenticator state machine to reset on the
switch to restart the MAC Authentication Bypass (MAB) process or you can force the
issue by performing a shut/no shut on the switchport.


Step 5 Return to the Overview > RADIUS Live Logs, has the phone
successfully authenticated? If not, return to the switch and bounce
(perform shutdown/no shutdown) the GigabitEthernet 0/6 interface. The
phone will reboot, this device is PoE so wait a few minutes.
Step 6 Click the Details link next to the log entry for additional information.
Verify the correct authentication results.

Step 7 From the 3k-access SSH session, you should see log messages on the
switch console showing a successful authentication.
View the authorization status within Cisco IOS with the command
show authentication sessions interface g0/6 detail. Your MAC address
will differ from the screenshot; the phone should show Status Authorized
with mab as the successful method.

Step 8 Shut down interface GigabitEthernet 0/6. The phone has no call-control
server to register to and will keep rebooting if this is not done.


Task 5: Wireless Access Points


In this task, you will create an identity group, Endpoint identity profile,
authorization profile, and authorization rule for a wireless access point.
Activity Procedure
Complete these steps:
Step 1 From the 3k-access SSH session, enable the switch port GigabitEthernet
0/3 using the no shutdown command. It will take 30-60 seconds for the
wireless access point to boot up.
3k-access#configure terminal
3k-access(config)#interface GigabitEthernet0/3
3k-access(config-if)#no shutdown
3k-access(config-if)#end
Step 2 From the 3k-access SSH session, view the authorization status within the
Cisco IOS. The AP will need to boot before you see the following output.
(This will take a few minutes)
3k-access#show auth session int GigabitEthernet0/3 detail
Interface: GigabitEthernet0/3
MAC Address: <ap MAC address>
IPv6 Address: Unknown
IPv4 Address: 10.1.100.250
User-Name: <ap MAC address>
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000C4A0E971BB4
Acct Session ID: 0x00000C3D
Handle: 0x88000C3B
Current Policy: POLICY_Gi0/3

Local Policies:
Idle timeout: 30 sec
Service Template:
DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Method status list:


Method State

mab Authc Success
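As an added example that is not part of the lab, the script below parses the output of show authentication sessions interface ... detail and turns the manual check in Step 2 (and Step 7 of Task 4) into a function you can run against any port or paste of output. SAMPLE_OUTPUT reproduces the output above with a constructed AP MAC address; PHONE_OUTPUT is a constructed, abbreviated example of what the IP phone shows once it receives the Cisco_IP_Phones profile, which places the phone in the VOICE domain. Both samples are invented for the example and run offline.

```python
"""Parse 'show authentication sessions interface <x> detail' and check the result (added example)."""
import re

# Constructed to match the Step 2 output above; the AP MAC is invented.
SAMPLE_OUTPUT = """\
          Interface:  GigabitEthernet0/3
        MAC Address:  aabb.cc00.0300
       IPv6 Address:  Unknown
       IPv4 Address:  10.1.100.250
          User-Name:  aabb.cc00.0300
             Status:  Authorized
             Domain:  DATA
     Oper host mode:  multi-auth
   Oper control dir:  both
    Session timeout:  N/A
  Common Session ID:  0A01640100000C4A0E971BB4
    Acct Session ID:  0x00000C3D
             Handle:  0x88000C3B
     Current Policy:  POLICY_Gi0/3

Local Policies:
       Idle timeout:  30 sec
   Service Template:  DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
    Security Policy:  Should Secure
    Security Status:  Link Unsecure

Method status list:
      Method           State
      mab              Authc Success
"""

# Constructed, abbreviated: an IP phone authorized with the Cisco_IP_Phones profile (VOICE domain).
PHONE_OUTPUT = """\
          Interface:  GigabitEthernet0/6
        MAC Address:  0011.2233.4455
          User-Name:  0011.2233.4455
             Status:  Authorized
             Domain:  VOICE
     Oper host mode:  multi-auth
  Common Session ID:  0A016401000000052DF10002

Method status list:
      Method           State
      mab              Authc Success
"""

METHOD_LINE = re.compile(r"^\s*(mab|dot1x|webauth)\s+(.+?)\s*$")


def parse_sessions(text: str):
    """One dict per session block; a multi-auth port prints one block per MAC address."""
    sessions, current, in_methods = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Interface:"):
            current = {"methods": {}}
            sessions.append(current)
            in_methods = False
        if current is None or not stripped:
            continue
        if stripped.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD_LINE.match(line)
            if m:
                current["methods"][m.group(1)] = m.group(2)   # e.g. "mab" -> "Authc Success"
            continue
        if ":" in stripped:
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip()
    return sessions


def authorized_by(session, method: str, domain: str) -> bool:
    """True only when the port is Authorized, the expected method succeeded and the endpoint sits
    in the expected domain (DATA for the AP, VOICE for a phone given the Cisco_IP_Phones profile)."""
    return (session.get("Status") == "Authorized"
            and session["methods"].get(method, "").startswith("Authc Success")
            and session.get("Domain") == domain)


def check_port(text: str, expectations: dict):
    """expectations: {mac: (method, domain)}. Returns {mac: True/False/None}; None = not on the port."""
    found = {s.get("MAC Address"): s for s in parse_sessions(text)}
    return {mac: (authorized_by(found[mac], *want) if mac in found else None)
            for mac, want in expectations.items()}


if __name__ == "__main__":
    print(check_port(SAMPLE_OUTPUT, {"aabb.cc00.0300": ("mab", "DATA")}))
    print(check_port(PHONE_OUTPUT, {"0011.2233.4455": ("mab", "VOICE")}))
```

A phone that shows Domain DATA instead of VOICE has been permitted but not given the voice VLAN, which is the symptom of an authorization profile other than Cisco_IP_Phones matching the endpoint.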


Note If the authentication is successful, the MAC address may have been previously seen by
ISE and authenticated. In the GUI navigate to Context Visibility > Endpoints. Check
the box next to the Access Point MAC Address then click delete (Trash Canister). Say
yes to the pop-up message.

Step 3 From the Cisco ISE Admin Portal on ise-1, navigate to Work Centers >
Network Access > Policy Elements and then select Results >
Authorization Profiles in the left menu.
Step 4 Click +Add to create a new Access-Point authorization profile that will
permit the Access Point and allow all traffic from it.
Attribute Value

Name Access-Point

Description Profile for Wireless Access Points

Access-Type ACCESS_ACCEPT

Network Device Profile Cisco

DACL Name: PERMIT_ALL_IPV4_TRAFFIC

Note You may optionally define and apply a new downloadable ACL that permits only DHCP,
DNS and CAPWAP (UDP 5246 for control and UDP 5247 for data between the AP and the WLC).
That is tighter than PERMIT_ALL_IPV4_TRAFFIC and is what a production authorization for an
access point would normally carry, since MAB only identifies the device by MAC address.

Step 5 Click Submit.


Step 6 Navigate to Id Groups tab.
Step 7 Under the Endpoint Identity Groups section, click +Add to create a new
group for access points called Access-Point:
Attribute Value

Name Access-Point

Description Wireless Access Point

Parent

Step 8 Click Submit.


Step 9 Navigate to Policy Sets then select the Default Policy Set click on the
gear icon at the end of the line. Select Insert New row above and create
a new Policy Set.
Highlight the words on the new line that was created, New Policy Set 1.
You will be modifying the following fields:
• Name: Wired Access
• Description: Wired access policy set
• Conditions: See step 10.
• Allowed Protocols: See step 12.
Step 10 Create a New Condition with the following condition, by clicking on the
plus icon:
DEVICE:Device Type EQUALS All Device Types#Wired:
• Under the Editor section click on the line that reads Click to add an
attribute.
• Select the Computer (Network Device) icon, fourth from left.
• Select the line that reads DEVICE: Device Type.
• Leave the default Equals.
• Click on the down arrow to open a drop-down menu, select All Device
Types#Wired
• Validate with the screenshot below:

Step 11 Click the Use button to add this condition.


Step 12 Use the dropdown arrow to select Default Network Access as the
Allowed Protocols.


Step 13 Validate that your Policy Set looks like the screenshot below:

Step 14 Click Save.


Step 15 Click on the arrow ( > ) at the end of the Wired Access Policy Set rule.
Step 16 Open the Authentication Policy under the new Wired Access Policy Set
rule. Click the gear icon (actions menu) at the end of the default rule line
(in the Actions column). Select Insert a new rule above and create the
following authentication policy rules:
Attribute Value

Rule Name Wired MAB


Conditions Select the plus icon (+) to create the condition. From the Conditions
Library on the left, locate the Wired_MAB predefined condition from the
list then drag and drop the condition to the dashed area in the Editor on
the right. Click Use.
Use (Identity Source) Click the arrow with the x and replace Internal Users with Internal Endpoints.
Expand the Options section by clicking the > to the left of the word Options.
Options:
If Auth fail: REJECT
If User not found: CONTINUE
If Process fail: DROP
With If User not found set to CONTINUE, a MAC address that is not yet in Internal
Endpoints is not rejected at the authentication stage but falls through to the
authorization policy, where the Default rule still denies it until a more specific
rule (such as the Access Point Rule created below) matches.


Step 17 Scroll down the page and expand the Authorization Policy (1) section.
Step 18 Click on the plus ( + ) icon next to the word Status to create a new
authorization rule.

Step 19 Name this new authorization rule: Access Point Rule.


Step 20 Hit the ‘+’ to use the Conditions Studio.
Step 21 Under the Editor section click on the line that reads Click to add an
attribute.
Step 22 Select the Three-People (Identity Group) icon, fourth from left.
Step 23 Select the line that reads Identity Group <space> Name.
Step 24 Leave the default Equals.
Step 25 Click on the down arrow to open a drop-down menu, select Endpoint
Identity Groups:Access-Point


Step 26 Validate your results with the screenshot below:

Step 27 Scroll down and click Use.


Step 28 In the Results | Profiles column click the down arrow (not the plus
icon) and assign the rule the Access-Point authorization profile created in
Step 4.
Enabled  Name               Conditions       Results | Profiles
✓        Access Point Rule  Completed above  Access-Point
✓        Default            None             DenyAccess

Step 29 Observe the processing order rule placement and then click the Save
button located at bottom right.


Step 30 From the Cisco ISE Admin Portal on ise-1, navigate to Work Centers >
Network Access > Identities > Endpoints.
Step 31 Select the check box next to the Access Point MAC address and select the
pencil icon to edit the AP’s endpoint record. Add the AP to the Access-Point
identity group. If the AP is not in the list, bounce (shut and no shut) the
switch port Gi0/3 so that a new MAB attempt creates the endpoint record.

Step 32 Click Save.


Step 33 From the 3k-access SSH session, wait a few minutes or type shutdown and
no shutdown on GigabitEthernet 0/3 switch port to trigger a
reauthentication. The reauthentication process may take a few minutes to
happen. After the successful authentication, notice the new authorization
information.


Step 34 From the 3k-access SSH session, view the authorization status within the
Cisco IOS.

Step 35 From the Cisco ISE Admin Portal on ise-1, navigate to Work Centers >
Network Access > Overview > RADIUS Livelog.
Step 36 Click the Details link next to the log entry for additional information.


Task 6: Create an Authorization Rule for the Cisco IP Phone


In this task, you will create an authorization rule for the Cisco IP Phone. It
uses the existing Cisco-IP-Phone endpoint identity group (to which you assigned
the phone in Task 4) and the built-in Cisco_IP_Phones authorization profile, so
no new group or profile is needed.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Network Access > Policy Sets.
Step 2 Click on the ‘>’ at the end of the Wired Access Policy Set.
Step 3 Select the Authorization Policy in the Wired Access Policy Set.
Step 4 Click on the plus ( + ) icon next to the word Status to create a new
authorization rule.

Step 5 Name this new authorization rule: Cisco IP Phone.


Step 6 Hit the + and use the Conditions Studio > Editor to match the Identity
Group Name Equals Endpoint Identity Groups: Profiled: Cisco-IP-
Phone and hit USE to set the condition.

Step 7 In the Results | Profiles column assign the rule the Cisco_IP_Phones
authorization profile.
Enabled   Name                Conditions             Results | Profiles
✓         Cisco IP Phone      Completed in step 6    Cisco_IP_Phones
✓         Access Point Rule   Completed in Task 5    Access-Point
✓         Default             None                   Deny Access

Step 8 Observe the processing order rule placement in the example above and
then click the Save button located at bottom right.

Discovery 4.2: Configuring Cisco ISE for Wired 802.1X Authentication

Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will complete an IEEE 802.1X user authentication using a Client
PC endpoint against the Active Directory identity source. After completing this
activity, you will be able to meet these objectives:
◼ Install AnyConnect
◼ Join Client PC to Active Directory
◼ Configure Client PC 802.1X supplicant
◼ Configure Cisco switch port for 802.1X support
◼ Create an Identity Store Sequence
◼ Update the 802.1X Authentication Rule
◼ Verify Microsoft Windows machine authentication & user authentication
◼ Create and apply authorization permissions

Visual Objective

Task 1: Install AnyConnect, Join Client PC to Active Directory


In this task, you will install Cisco AnyConnect and configure the Client PC to join a
Microsoft Active Directory domain.
Activity Procedure
Complete these steps:
Step 1 From the Lab Diagram, connect to the Client PC.
Step 2 Navigate to C:\AnyConnect and click Setup.

Step 3 Select Yes in the pop-up.


Step 4 Select modules Core & VPN, Network Access Manager, ISE Posture
and Diagnostic And Reporting Tool then click, Install Selected.

Step 5 Accept any prompts.


Step 6 At the completion of the install, restart the Client PC using the power button
in the Start menu. If prompted to log in, there is no password for the local
Admin account.
Step 7 Open AnyConnect from the Start menu (Start > Cisco > AnyConnect). Click
the hamburger icon highlighted below in the Network Access Manager (NAM).
Choose Manage Networks… > Network.

[Figure callout: Manage Networks button]

Step 8 Verify that the wired network profile is already set to use 802.1X.


Step 9 Close the AnyConnect Network Management box.
Step 10 Open the Folder icon in the tray.
Step 11 Right-click This PC and select Properties.
Step 12 Click the Change Settings button in the Computer Name, domain, and
workgroup settings section.

Step 13 To join the domain, choose the Change… button.

◼ Select the Domain radio button.


◼ Enter demo.local in the domain textbox and click OK.
◼ When prompted, enter admin for username and cisco123 for password
and click OK.
◼ When prompted click OK and Restart the Client PC.
◼ If an error message appears when connecting to the AD Domain,
verify that interface Gi0/1 is enabled.

Task 2: Cisco Switch 802.1X Configuration


In this task, you will configure a Cisco switch to support 802.1X for client
workstations.
Activity Procedure
Complete these steps:
Step 1 From the Admin PC, double-click the 3k-access PuTTY shortcut located in
the Shortcuts folder on the Windows desktop and log in to the switch using
username: admin / password: cisco123
One of the simplest ways to configure IBNS 2.0 is to convert an existing
IBNS 1.0 configuration on the switch. However, using a composite
configuration in IBNS 1.0 style is recommended so that the system generates
the best possible policy configuration in the new style. Note that when you
convert the configuration, a policy map, a set of class maps, and service
templates will be configured for every port that has identity-related
configuration. Therefore, the recommendation is to convert a single-port
IBNS 1.0 configuration to IBNS 2.0 in a lab, and once a level of comfort is
reached in that setting, deploy it in production.

Note The authentication display new-style command converts an existing IBNS 1.0
configuration to IBNS 2.0. The new style configurations can be reverted to the old style
with the authentication display legacy privileged EXEC mode command. However, note
that in the new style, if any changes are made to the policy map or any IBNS 2.0-specific
commands, or if the system is reloaded with new style configurations written to the
startup configuration, you will not be able to revert to the IBNS 1.0 style configurations
from IBNS 2.0.

Step 2 Convert the system authentication configuration mode to IBNS 2.0:


3k-access#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#authentication convert-to new-style
This operation will permanently convert all relevant
authentication commands to their CPL control-policy
equivalents. As this conversion is irreversible and will
disable the conversion CLI 'authentication display
[legacy|new-style]', you are strongly advised to back up
your current configuration before proceeding.
Do you wish to continue? [yes]: yes

Note Use the authentication display config-mode command in EXEC mode to display the
current configuration mode; legacy if it is legacy mode and new-style if it is Identity-
Based Networking Services configuration mode.

Step 3 Exit to privileged EXEC mode and use the show run command to view the
new class-map and policy-map configurations.

The switch is now running in new-style configuration mode; the show
authentication commands are replaced with show access-session.
Step 4 Open the 'SISE v3 3560SwitchConfig.txt' file in the Discovery 4-2
folder on the desktop of the Admin PC, then copy and paste the configuration
of the Service-Policy Template into the 3k-access switch's global
configuration mode.

Step 5 Configure an interface template to use before the port is authenticated;
these lines can be copied from the configuration opened in the step above:
3k-access#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#template PORT-AUTH-TEMPLATE
3k-access(config-template)#description ** Endpoints and Users **
3k-access(config-template)#switchport access vlan 10
3k-access(config-template)#switchport mode access
3k-access(config-template)#switchport voice vlan 40
3k-access(config-template)#authentication periodic
3k-access(config-template)#authentication timer reauthenticate server
3k-access(config-template)#access-session port-control auto
3k-access(config-template)#mab
3k-access(config-template)#dot1x pae authenticator
3k-access(config-template)#spanning-tree portfast
3k-access(config-template)#service-policy type control subscriber DOT1X-ISE
3k-access(config-template)#end

Note In IBNS 2.0, the default port mode is open mode. To move the port to closed mode,
configure the access-session closed interface command explicitly, either within the
interface template or on the physical port.

Step 6 Configure 802.1X on interface GigabitEthernet 0/1 using the following
commands (hint: to save time and improve accuracy, cut and paste the
configuration from the 3560SwitchConfig.txt file in the Discovery 8-1
folder on the desktop of the Admin PC):
3k-access#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#default interface GigabitEthernet0/1
Interface GigabitEthernet0/1 set to default configuration
3k-access(config)#
3k-access(config)#interface GigabitEthernet0/1
3k-access(config-if)#source template PORT-AUTH-TEMPLATE
3k-access(config-if)#ip access-group ACL-DEFAULT in
3k-access(config-if)#spanning-tree portfast
3k-access(config-if)#end
3k-access#copy running-config startup-config

Step 7 Check the cumulative configuration applied on the port at runtime:
3k-access#show derived-config interface Gi0/1
Building configuration...

Derived configuration : 525 bytes
!
interface GigabitEthernet1/0/1
description ** Endpoints and Users **
switchport access vlan 10
switchport mode access
switchport voice vlan 40
ip access-group ACL-DEFAULT in
authentication periodic
authentication timer reauthenticate server
access-session port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber DOT1X-ISE
end
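As an added example (not part of the lab guide), a Python audit that parses show derived-config output and reports, per interface, which of the template's authenticator commands are missing and whether the port is still in IBNS 2.0 open mode. The sample output is constructed; it assumes the command names exactly as used in PORT-AUTH-TEMPLATE and the Step 6 interface lines above.

```python
"""Audit IBNS 2.0 access-port configuration taken from 'show derived-config'."""

# Constructed sample (not a real capture): Gi0/1 built from PORT-AUTH-TEMPLATE as in
# the lab, Gi0/2 deliberately incomplete so the audit has something to report.
SAMPLE_DERIVED_CONFIG = """\
Building configuration...

Derived configuration : 900 bytes
!
interface GigabitEthernet0/1
 description ** Endpoints and Users **
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-DEFAULT in
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 service-policy type control subscriber DOT1X-ISE
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
end
"""

# Commands every 802.1X/MAB access port in this design must carry (taken from
# PORT-AUTH-TEMPLATE and the per-interface lines in Step 6).
REQUIRED = (
    "switchport mode access",
    "access-session port-control auto",
    "mab",
    "dot1x pae authenticator",
    "service-policy type control subscriber DOT1X-ISE",
    "ip access-group ACL-DEFAULT in",
)


def parse_interfaces(text: str) -> dict:
    """Map each interface name to the list of commands in its stanza.

    Works whether or not the one-space IOS indentation survived copy/paste.
    """
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("", "!", "end"):
            current = None            # stanza terminator
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port(lines: list) -> dict:
    """Return the required commands missing from one port and whether it is in open mode."""
    missing = [cmd for cmd in REQUIRED if cmd not in lines]
    # IBNS 2.0 leaves a port in open mode unless 'access-session closed' is present
    # (see the Note after Step 5), so traffic flows before authentication, limited
    # only by the pre-authentication ACL.
    open_mode = "access-session closed" not in lines
    return {"missing": missing, "open_mode": open_mode}


def audit_derived_config(text: str) -> dict:
    """Audit every interface stanza; returns {interface: audit_port(...)}."""
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(text).items()}


if __name__ == "__main__":
    for name, result in audit_derived_config(SAMPLE_DERIVED_CONFIG).items():
        state = "open" if result["open_mode"] else "closed"
        print(f"{name}: {state} mode, missing={result['missing'] or 'none'}")
```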

Task 3: Identity Source Sequences


In this task, you will create an Identity Store Sequence.
Activity Procedure
Complete these steps.
Step 1 From the Cisco ISE Admin Portal on ise-1 navigate to Work Centers >
Network Access > Identities > Identity Source Sequences.
Step 2 Click +Add to create a new Identity Source Sequence.
Attribute                        Value
Name:                            AD_Users
Description:                     AD Users
Authentication Search List       Selected: demo.local
Advanced Search List Settings    Selected: Do not …

Step 3 Click Submit.

Task 4: Update the 802.1X Authentication Rule


In this task, you will update the 802.1X Authentication Rule.
Activity Procedure
Complete these steps:
Step 1 From the Network Access Work Center, navigate to Policy Sets > Wired,
use the arrow on the right to drill down into the Wired policy set, and
select the Authentication Policy.
Step 2 Create the Dot1X authentication rule below the Wired MAB rule (hint:
use the gear icon).
Step 3 Use the Wired_802_1X condition, and select the Identity Source
Sequence that you created from the drop-down menu in the "Use" column
to choose the identity source for the rule.
Enabled  Name                        Condition      USE (Identity Source)  Options (Auth fail / User not found / Process fail)
✓        Wired MAB                   Wired_MAB      Internal Endpoints     Reject / Continue / Drop
✓        Wired Dot1X                 Wired_802.1X   AD_Users               Reject / Reject / Drop
✓        Default Rule (if no match)  -              All_Users_ID_Stores    Reject / Reject / Drop

Step 4 Click Save.

Task 5: Custom Authorization Policies


In this task, you will create and apply new authorization permissions.
Activity Procedure
Complete these steps:
Step 1 From the Cisco ISE Admin Portal on ise-1, navigate to Work Centers >
Network Access > Policy Elements > Results.
Step 2 From the left pane, select Downloadable ACLs.
Step 3 From the right pane, click +Add and create the following downloadable
ACL (DACL).
Attribute       Value
Name:           ACL-Domain-Computer
Description:    Domain Computer access
DACL Content:   remark demo.local Domain Controller
                permit ip any host 10.1.100.10

Note Cisco ISE does not validate the syntax of a DACL for you. It is highly recommended
to test each ACL by using the Check Syntax link below the DACL Content form.

Step 4 Click Submit.
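Since Cisco ISE will happily store a DACL with a typo, here is an added example (not from the guide, and not ISE's own Check Syntax logic) of a pre-flight checker for the subset of the IOS extended ACE grammar used in DACLs: remark lines, permit/deny with ip/tcp/udp/icmp, any / host / address-wildcard endpoints, and an optional eq port on TCP/UDP. The first sample is the lab's DACL content; the broken lines are constructed.

```python
"""Syntax check for ISE downloadable ACL (DACL) content before it is pushed to a switch."""
import ipaddress

# Constructed samples: the lab's ACL-Domain-Computer content, plus two deliberately
# broken lines (misspelt action, truncated address) so the checker has work to do.
SAMPLE_DACL = """\
remark demo.local Domain Controller
permit ip any host 10.1.100.10
"""
BROKEN_DACL = "premit ip any host 10.1.100.10\npermit ip any host 10.1.100\n"

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _consume_address(tokens: list) -> int:
    """Validate one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) at the
    front of tokens and return how many tokens it used; raises ValueError if bad."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return 1
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("'host' without an address")
        ipaddress.IPv4Address(tokens[1])      # AddressValueError is a ValueError
        return 2
    if len(tokens) < 2:
        raise ValueError(f"address {tokens[0]!r} without a wildcard mask")
    ipaddress.IPv4Address(tokens[0])
    ipaddress.IPv4Address(tokens[1])
    return 2


def check_dacl(text: str) -> list:
    """Return (line_number, message) for each line that is not a valid ACE in the
    supported subset; an empty list means the DACL passed."""
    errors = []
    for number, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue                                  # blank lines and remarks are fine
        try:
            if tokens[0] not in ("permit", "deny"):
                raise ValueError(f"unknown action {tokens[0]!r}")
            if len(tokens) < 2 or tokens[1] not in PROTOCOLS:
                raise ValueError("missing or unsupported protocol")
            rest = tokens[2:]
            rest = rest[_consume_address(rest):]      # source
            rest = rest[_consume_address(rest):]      # destination
            # Only 'eq <port>' on TCP/UDP is accepted after the destination.
            if rest and not (tokens[1] in ("tcp", "udp") and rest[0] == "eq" and len(rest) == 2):
                raise ValueError(f"unexpected trailing tokens {' '.join(rest)!r}")
        except ValueError as exc:
            errors.append((number, str(exc)))
    return errors


if __name__ == "__main__":
    for label, content in (("lab DACL", SAMPLE_DACL), ("broken DACL", BROKEN_DACL)):
        print(label, "->", check_dacl(content) or "OK")
```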


Step 5 From the left pane, select Authorization Profiles.

Step 6 From the right pane, click +Add and create the following authorization
profile for machine-authenticated domain computers:
Attribute                 Value
Name                      Domain-Computer
Access-Type               ACCESS_ACCEPT
Network Device Profile    Cisco
✓ DACL Name               ACL-Domain-Computer
✓ Reauthentication        Timer: 3600 seconds
                          Maintain Connectivity: RADIUS-Request

Step 7 Click Submit.


Step 8 From the right pane, click +Add and create the following authorization
profile for domain users:
Attribute                 Value
Name                      Domain-User
Access-Type               ACCESS_ACCEPT
Network Device Profile    Cisco
✓ DACL Name               PERMIT_ALL_TRAFFIC
✓ Reauthentication        Timer: 3600 seconds
                          Maintain Connectivity: RADIUS-Request

Step 9 Click Submit.


Step 10 Select the Policy Sets tab from the tab menu in the current work center.
Click on the arrow at the end of the Wired policy set line to drill down
into the policy set.

Step 11 Under the Authorization Policy, create new authorization rules for both
Domain-Computer and Domain-User as shown in the table below. Use the
Identity Group (three heads icon) for the condition.
Enabled  Name               Conditions                                                                  Authorization
✓        Cisco IP Phone     IdentityGroup Name EQUALS Endpoint Identity Groups:Profiled:Cisco-IP-Phone  Cisco_IP_Phones
✓        Access Point Rule  IdentityGroup Name EQUALS Endpoint Identity Groups:Access-Point             Access-Point
✓        Domain-Computer    demo.local:External Groups EQUALS demo.local/Users/Domain Computers          Domain-Computer
✓        Domain-User        demo.local:External Groups EQUALS demo.local/Users/Domain Users              Domain-User
✓        Default                                                                                         Deny Access

Step 12 Click Save.


Step 13 Return to the Client PC and restart the system.

Note If you logged off the Client PC, you will need to log in to the Client PC using
username admin and password cisco123 to restart.

Step 14 Log in to the Client PC:
◼ Use the username demo\employee1 and password cisco123
Step 15 From the Cisco ISE Admin Portal on ise-1, navigate to Work Centers >
Network Access > Overview > RADIUS Livelogs. Verify that 802.1X
machine authentication and user authentication were successful and the
new permissions were applied.
Step 16 Click the icon under the Details column for additional information, and
you will see that the authentication succeeded.

Step 17 From the 3k-access SSH session, view the authorization status within the
Cisco IOS.
3k-access#show access-session interface GigabitEthernet0/1 detail
Interface: GigabitEthernet0/1
MAC Address: 000c.29bc.6068
IPv6 Address: Unknown
IPv4 Address: 10.1.10.100
User-Name: employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3230s
Timeout action: Reauthenticate
Common Session ID: 0A0164010000003C1D767820
Acct Session ID: 0x00000038
Handle: 0x4700002D
Current Policy: POLICY_Gi0/1

Local Policies:
Idle timeout: 30 sec
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State
mab Stopped
dot1x Authc Success

Step 18 Restart the Client PC.

Discovery 4.3: Configuring Cisco ISE for Wireless 802.1X Authentication

Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the Cisco ISE for wireless 802.1X authentication.
After completing this activity, you will be able to meet these objectives:
◼ Verify switch configuration
◼ Configure the Cisco ISE for wireless authentication
◼ Verify the wireless LAN controller (WLC) configuration
◼ Synchronize an access point (AP) to the WLC for connectivity and operation
◼ Associate to the WLC via an authenticated SSID as an employee

Visual Objective

Task 1: Discovery Prep


In this task, you will verify the configuration of devices that are needed for this
Discovery.
Activity Procedure
Complete these steps:
Step 1 From the 3k-access SSH session, shutdown interfaces GigabitEthernet
0/1-6.
3k-access#configure terminal
3k-access(config)#interface range GigabitEthernet0/1 - 6
3k-access(config-if)#shutdown
3k-access(config-if)#end

Task 2: ISE Configuration


Policy Set Creation - Wireless Access
Step 1 Navigate to the Work Centers > Network Access > Policy Sets.
Step 2 Click the gear icon at the end of the Wired Access policy and from the
menu select Insert new row below to create a new policy set for wireless
access.
Step 3 Configure the Wireless Access policy set according to the following table
and compare your results with the following screenshot, click Save after
creating the new policy:
Name             Description                 Conditions                                           Allowed Protocols
Wireless Access  Wireless Access Policy Set  DEVICE:Device Type EQUALS All Device Types#Wireless  Default Network Access

Authentication - Wireless Access


Step 4 Click on the arrow at the end of the newly created Wireless Access Policy
Set, then open the Authentication Policy section.
Step 5 Create a new line above the Default Authentication rule.
Step 6 Use the table below to create the Wireless MAB authentication rule:
Attribute              Value
Rule Name              Wireless MAB
Conditions             Select the plus icon (+) to create the condition. From the Conditions
                       Library on the left, locate the Wireless_MAB predefined condition from
                       the list, then drag and drop the condition to the shaded area in the
                       Editor on the right. Click Use.
Use (Identity Source)  Internal Endpoints
Options                If Auth Fail: REJECT
                       If User not found: CONTINUE
                       If Process fail: DROP

Step 7 Click on the gear icon at the end of the Wireless MAB rule to create a new
rule below. Use the table below to create the Wireless 802.1X
authentication rule:
Attribute              Value
Rule Name              Wireless 802.1X
Conditions             Select the plus icon (+) to create the condition. From the Conditions
                       Library on the left, locate the Wireless_802.1X predefined condition
                       from the list, then drag and drop the condition to the shaded area in
                       the Editor on the right. Click Use.
Use (Identity Source)  AD_Users
Options (leave default)  If Auth Fail: REJECT
                       If User not found: REJECT
                       If Process fail: DROP

Step 8 Compare your screen to the one below:

Wireless Authorization Policy


Step 9 Open the Authorization Policy section.
Step 10 Create a new rule above the Default rule by clicking on the gear icon. Use
the table below to create this rule:
Attribute     Value
Rule Name     Wireless AD Employees
Conditions    Select the plus icon (+) and create the condition > Attributes =
              demo.local:ExternalGroups; equals; demo.local/Users/employees
Permissions   To create the permissions for this rule, click the plus (+) in the
              Profiles column. Select Create a New Authorization Profile.
              Name: Wireless Employee Access
              Common Tasks: Airespace ACL Name: Allow-All
              Click Save at the bottom of the form.
              Use the drop-down to select this new Authorization Profile.

Step 11 Verify your policy with the one shown below:

Step 12 Click the Save button.

Task 3: Configure & Verify the Cisco WLC configuration


In this task, you will load a WLC configuration and verify the WLC settings.
Activity Procedure
Complete these steps:
Step 1 From the Admin PC, open the Shortcuts folder and double-click the shortcut
to connect to the wireless LAN controller (WLC) at
https://wlc.demo.local. Confirm and add security exceptions.

Step 2 Log in to the WLC with the username cisco and password cisco. You will
see the Monitor page giving a status overview of the WLC. Click on the
Advanced link in the upper right corner of the screen.
Step 3 From the Cisco WLC Admin Portal menu, navigate to Commands. In the
Download file to Controller window verify the file options that follow (#
= Pod Number):
Attribute               Value
File Type               Configuration
Transfer Mode           FTP
IP Address              10.1.100.10
File Path               /
File Name               WLC#_A.cfg
Server Login Username   admin
Server Login Password   cisco123
Server Port Number      21

Step 4 Click Download to install the configuration file. Follow the prompts to
complete the process. You will most likely see an error message. This is
normal, click OK.
Step 5 Once the process is complete (it takes about 5 minutes), you will be
prompted to log in to the WLC again. Log in to the WLC with the username
cisco and password cisco. You will see the Monitor page giving a status
overview of the WLC.

Note If the configuration download or installation fails, contact the instructor.

Step 6 From the Cisco WLC Admin Portal menu, navigate to Controller >
General. Verify the global controller options that follow. If you make any
changes, click Apply.
Attribute                      Value
Name                           WLC
AP Multicast Mode              239.0.0.1
Default Mobility Domain Name   demo
RF Group Name                  demo
Web Radius Authentication      PAP

Step 7 From the Cisco WLC Admin Portal menu, navigate to Controller >
Interfaces. Verify the configuration of the interfaces.
Interface Name  Port  VLAN ID  IP Address    Gateway      DHCP         Interface Type
access          1     11       10.1.11.2     10.1.11.1    10.1.100.10  Dynamic
guest           1     50       10.1.50.2     10.1.50.1    10.1.100.10  Dynamic
management      1     100      10.1.100.61   10.1.100.1   10.1.100.10  Static
virtual         -     NA       198.51.0.1    -            -            Static

Step 8 From the Cisco WLC Admin Portal menu, navigate to Controller >
Ports. Verify that you are using Port 1, and it is Link Up.
Step 9 From the Cisco WLC Admin Portal menu, navigate to Controller > NTP
> Server. Verify the NTP server configuration.
Server Index  Server Address  Key Index  NTP Msg Auth Status
1             10.1.100.10     0          AUTH_DISABLE

Step 10 From the Cisco WLC Admin Portal menu, navigate to Wireless. Verify
that there are no APs listed. The interface is shutdown on the switch port
where the Access Point (AP) is connected.

Step 11 From the Cisco WLC Admin Portal menu, navigate to Security >
RADIUS > Authentication. Verify the RADIUS settings. If changes are
made, click Apply.
Attribute                                     Value
Call Station ID Type for both Acct and Auth   System MAC Address
Use AES Key Wrap                              unchecked
MAC Delimiter                                 Hyphen

Step 12 Click the 1 under the Server Index, verify the RADIUS Authentication
Server entry for the Cisco ISE. The Shared Secret is not shown, but it is
cisco123.
Attribute                 Value
Server Index (Priority)   1
Server Address            10.1.100.21
Shared Secret Format      ASCII
Shared Secret             cisco123
Key Wrap                  unchecked
Port Number               1812
Server Status             Enabled
Support for CoA           Enabled
Server Timeout            2 seconds
Network User              Enabled
Management                unchecked
IPSec                     unchecked

Step 13 Repeat the above step for 10.1.100.22 using 2 for the Server Index.
Step 14 From the Cisco WLC Admin Portal menu, navigate to Security >
RADIUS > Accounting. Verify the global accounting settings.
Attribute       Value
MAC Delimiter   Hyphen

Step 15 Click the 1 under the Server Index, verify the RADIUS Accounting
Server entry for the Cisco ISE. The Shared Secret is not shown, but it is
cisco123.

Attribute                 Value
Server Index (Priority)   1
Server IP Address         10.1.100.21
Shared Secret Format      ASCII
Shared Secret             cisco123
Port Number               1813
Server Status             Enabled
Server Timeout            2 seconds
Network User              Enabled
IPSec                     unchecked

Step 16 Repeat the above step for 10.1.100.22 using Server Index 2.
Step 17 From the Cisco WLC Admin Portal menu, navigate to Security > Access
Control Lists > Access Control Lists. Verify the following access
control lists by clicking each one:
Name           Action  Sequence  Source IP            Destination IP          Protocol  Source Port  Dest. Port  DSCP  Direction
Allow-All      Permit  1         0.0.0.0 / 0.0.0.0    0.0.0.0 / 0.0.0.0       Any       Any          Any         Any   Any
Internet-Only  Permit  1         0.0.0.0 / 0.0.0.0    0.0.0.0 / 0.0.0.0       UDP       Any          DNS         Any   Any
               Deny    2         0.0.0.0 / 0.0.0.0    10.1.0.0 / 255.255.0.0  Any       Any          Any         Any   Any
               Permit  3         0.0.0.0 / 0.0.0.0    0.0.0.0 / 0.0.0.0       Any       Any          Any         Any   Any

Note The Internet-Only ACL is missing the first entry that permits DNS. Be sure to add the
rule and save the changes by clicking the Apply button.

Step 18 From the Cisco WLC Admin Portal menu, navigate to Management >
Logs > Config. Verify that the Cisco ISE is set as the syslog server to
correlate log messages in the authentication log details.
Attribute                  Value
Syslog Server IP Address   10.1.100.21

Step 19 From the Cisco WLC Admin Portal menu, navigate to WLANs. Verify
the configured WLANs. (# = Pod Number)
WLAN ID  Type  Profile Name  WLAN SSID   Admin Status  Security Policies
1        WLAN  p#-wpa2e      p#-wpa2e    Enabled       [WPA2][Auth(802.1X)]
2        WLAN  p#-hotspot    p#-hotspot  Disabled      MAC Filtering
3        WLAN  p#-guest      p#-guest    Disabled      MAC Filtering
4        WLAN  p#-test       p#-test     Disabled      None

Step 20 From the Cisco WLC Admin Portal menu, navigate to WLANs. Verify
the WLAN p#-wpa2e profile by clicking the 1 under WLAN ID. (#=Pod
Number) Click Apply if changes are needed.
Attribute                   Value
General
Profile Name                p#-wpa2e
Type                        WLAN
SSID                        p#-wpa2e
Status                      [x] Enabled
Radio Policy                All
Interface and Group         access
Broadcast SSID              [x] Enabled
Security—Layer 2
Layer 2 Security            WPA+WPA2
WPA Policy                  [ ]
WPA2 Policy                 [x] Enabled
WPA2 Encryption             [x] AES
Auth Key Mgmt               802.1X
Security—Layer 3
Layer 3 Security            None
Security—AAA Servers
Authentication Server #1    10.1.100.21, Port: 1812
Accounting Server #1        10.1.100.21, Port: 1813
Authentication Server #2    10.1.100.22, Port: 1812
Accounting Server #2        10.1.100.22, Port: 1813
Advanced
Allow AAA Override          [x] Enabled
NAC State                   ISE NAC

Note Enabling Allow AAA Override is critical because attributes from the AAA server (or Cisco
ISE) will take precedence over the local WLC configuration.

Note The WLAN p#-test is an open system WLAN with no security applied. This WLAN can be
used if troubleshooting is required.

Task 4: Access Point (AP) Connectivity


In this task, you will synchronize an Access Point (AP) to the WLC for operation.
Activity Procedure
Complete these steps:
Step 1 From the 3k-access SSH session, verify the switch port GigabitEthernet
0/3 to the Access Point (AP) is shutdown:
3k-access#show interface status
Port     Name          Status     Vlan  Duplex  Speed  Type
Gi0/1    ** En         disabled   10    auto    auto   10/100/1000BaseTX
Gi0/2                  disabled   1     auto    auto   10/100/1000BaseTX
Gi0/3    Access Point  disabled   100   auto    auto   10/100/1000BaseTX

Step 2 From the 3k-access SSH session, enable the switch port GigabitEthernet
0/3 using the no shutdown command. This will power up and connect the
access point.
3k-access#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#interface GigabitEthernet0/3
3k-access(config-if)#no shutdown
3k-access(config-if)#end

Note It will take a few minutes for the Access Point (AP) to power up and the switch to
authenticate the Access Point (AP) using MAC Authentication Bypass (MAB).

Step 3 From the 3k-access SSH session, verify the authentication session on
interface GigabitEthernet0/3.
3k-access#show access-session interface GigabitEthernet0/3 detail
Interface: GigabitEthernet0/3
MAC Address: 0007.7da3.b129
IPv6 Address: Unknown
IPv4 Address: 10.1.100.250
User-Name: 00-07-7D-A3-B1-29
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000C4D0EF47570
Acct Session ID: 0x00000C44
Handle: 0xF2000C3E
Current Policy: POLICY_Gi0/3

Local Policies:
Idle timeout: 30 sec
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State
mab Authc Success

Note If you do not see this successful authorization, you will need to troubleshoot your
authorization policy on the Cisco ISE.
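The show access-session output in Step 17 of Discovery 4.2 and in Step 3 above has the same shape, so one parser serves both. As an added example (not from the lab guide), this Python code turns that output into a field map plus the method state table and then checks what a successful dot1x or MAB authorization should look like. The sample output is constructed from the Gi0/1 session shown earlier; the xACSACLx-IP- DACL naming is taken from those outputs.

```python
"""Parse 'show access-session interface <if> detail' and judge the session."""
import re

# Constructed sample modelled on the lab's Gi0/1 output (not a real capture).
# The switch prints 'ACS ACL' on one line; the guide's copy only wrapped it.
SAMPLE_DOT1X_SESSION = """\
Interface: GigabitEthernet0/1
MAC Address: 000c.29bc.6068
IPv6 Address: Unknown
IPv4 Address: 10.1.10.100
User-Name: employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3230s
Timeout action: Reauthenticate
Common Session ID: 0A0164010000003C1D767820
Acct Session ID: 0x00000038
Handle: 0x4700002D
Current Policy: POLICY_Gi0/1

Local Policies:
Idle timeout: 30 sec
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State
mab Stopped
dot1x Authc Success
"""


def parse_access_session(text: str) -> tuple:
    """Return (fields, methods): fields maps e.g. 'Status' -> 'Authorized',
    methods maps e.g. 'dot1x' -> 'Authc Success' from the method status table."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            if line.split() == ["Method", "State"]:
                continue                                 # table header row
            name, _, state = line.partition(" ")
            methods[name] = state.strip()
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():                        # skips 'Local Policies:' headers
            fields[key.strip()] = value.strip()
    return fields, methods


def _mac_digits(value: str) -> str:
    """Reduce any MAC notation (0007.7da3.b129 or 00-07-7D-A3-B1-29) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def check_session(fields: dict, methods: dict, method: str) -> list:
    """List what is wrong with the session for the expected method ('dot1x' or
    'mab'); an empty list means it looks like a successful ISE authorization."""
    problems = []
    if fields.get("Status") != "Authorized":
        problems.append(f"Status is {fields.get('Status')!r}, expected 'Authorized'")
    state = methods.get(method)
    if state != "Authc Success":
        problems.append(f"{method} state is {state!r}, expected 'Authc Success'")
    # A DACL pushed by ISE shows up as 'ACS ACL: xACSACLx-IP-<name>-<hash>' (as in
    # the lab output); no such line means the profile's DACL never reached the port.
    if not fields.get("ACS ACL", "").startswith("xACSACLx-IP-"):
        problems.append("no downloadable ACL from ISE applied")
    if method == "mab":                                  # MAB authenticates the MAC itself
        if _mac_digits(fields.get("User-Name", "")) != _mac_digits(fields.get("MAC Address", "")):
            problems.append("MAB session whose User-Name is not the endpoint MAC")
    elif not fields.get("User-Name"):
        problems.append("dot1x session without a User-Name")
    return problems


if __name__ == "__main__":
    fields, methods = parse_access_session(SAMPLE_DOT1X_SESSION)
    print(fields["User-Name"], methods, check_session(fields, methods, "dot1x") or "OK")
```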

Step 4 From the Cisco WLC Admin Portal menu, navigate to Wireless and edit
the Access Point (AP) configuration by clicking the MAC address under
the AP Name column. Under the General tab, configure AP Mode to local.
If you don’t see your AP, give it a few minutes and refresh the screen.

Note The AP needs to be in local mode to function properly as a standard AP and not wireless
bridge or any other special feature mode.

Step 5 Click Apply.

Task 5: Wireless Authentication for Employees


In this task, you will connect/associate to the WLC via an authenticated SSID as an
employee from the Client Computer.

Note It is critical to make sure that you only associate to your pod's SSIDs.

Activity Procedure
Complete these steps:
Step 1 Log in to the Client PC using the username:
◼ .\admin and password cisco123

Note To send the Windows Ctrl-Alt-Del sequence when using VNC, access the VNC menu by
clicking the VNC icon at the top left of the screen. Select Send Ctrl-Alt-Del.

Step 2 From the Client PC Desktop, go to Control Panel > Network and
Internet > Network and Sharing Center.
Step 3 Select Change adapter settings and disable the Inside NIC. If prompted for
a username and password, use admin / cisco123.
Step 4 Right-click and Enable the Wireless Network Connection, then choose
Connect / Disconnect. Verify that you see the SSID p#-wpa2e (# = Pod
Number) in the AnyConnect client. You may need to enable the wireless
adapter in the AnyConnect client.
Step 5 Return to the desktop, from the notification tray, click the AnyConnect
icon.
Step 6 Choose Network Details > Managed Networks

Step 7 Click Add and fill out the profile with the information shown below. (# =
your assigned pod number)

Media                   Wireless
Descriptive Name        p#-wpa2e
SSID                    p#-wpa2e
Security                wpa2 enterprise AES
802.1X Configuration    Password PEAP

Step 8 Click OK.

Step 9 If not prompted for a username/password, from the notification tray
choose the AnyConnect icon. Under the Network section choose p#-wpa2e.

Step 10 You should get a popup asking for your username and password. Sign in
with the username demo\employee1 and password cisco123.
Step 11 From the Client PC, open a web browser. Verify that the authenticated
user can reach the internal site www-int.demo.local and external site
www-ext.demo.local.
Step 12 Return to the Admin Portal of Cisco ISE.
Step 13 Navigate to Work Centers > Network Access > Overview > RADIUS
Livelogs.
Step 14 Identify the employee1 access record from the WLC in the list.

Step 15 Click the details icon to see the authentication details.

Step 16 Identify the following fields to indicate that you matched the correct
policy.

Discovery 6: Configure Guest Access


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the settings in Cisco ISE that are the core
components of Guest Access. After completing this activity, you will be able to
meet these objectives:
◼ Configure Guest Settings for Guest Access in Cisco ISE 3.0
◼ Configure the Guest Locations and SSID feature in Cisco ISE 3.0

Visual Objective

Task 1: Guest Settings


In this task, you will configure the basic settings for guest operations.
Activity Procedure
Complete these steps:
Step 1 On your Admin PC, in the Cisco ISE admin portal, navigate to Work
Centers > Guest Access > Overview and examine the steps needed to
implement Guest services.
Take a moment to review the Overview section. You will notice that many
of the "Prepare" steps have been completed in other Discoveries. In the
previous Discovery, you configured basic settings from the "Prepare" step.
You will now configure portals.
Step 2 Navigate to Work Centers > Guest Access > More > Settings
Mail Settings
Step 3 Select Guest Email Settings and modify the Default ‘From’ email address
to be [email protected].
Step 4 Click Save.
Step 5 Select the Administration menu in the Guest Access menu bar.
Step 6 From the navigation panel on the left, select SMTP Server.
Step 7 In the SMTP Server text box, enter mail.demo.local and click Save. There
is no actual email server in the lab environment.
Custom Fields
Step 8 Return to Guest Access > More > Settings page and choose Custom
Fields.
Step 9 Define the following custom field information and then click Add.

Custom field name   Data type   Tip text
Person Visiting     String      Enter the name of the person you are visiting.

Step 10 Click Save.

Guest Username Policy


Step 11 Select Guest Username Policy.
Step 12 Verify that the Minimum username length is set to 4, and then also set the
Characters Allowed in Randomly-Generated Usernames, Minimum
alphabetic field to 4 as well.
Step 13 Click Save.
Guest Password Policy
Step 14 Select Guest Password Policy.
Step 15 For Discovery purposes, modify the Minimum password length to 2 and
then also modify the Alphabetic uppercase field to 2 as well. This is not the
recommended practice in a production deployment.
Step 16 Click Save.
Guest Purge Policy
Step 17 Select Guest Account Purge Policy.
In the Time of purge field, notice that the time is set to 1:00 AM. Because
Cisco ISE is set up for the UTC time zone, an adjustment needs to be made,
as corporate policy dictates that the purge occur after midnight local time.
Here you, the student, have an option: you can configure according to the
actual local time zone of your class, or you can configure according to the
Pacific Time zone.
Step 18 If you are using the Pacific Time zone, enter 11:00 PM.
Step 19 Click Save.

Task 2: Guest Locations


In this task, you will configure locations. You will configure a few preset
locations and also the location of your class. This will be used later to
align the access times with your local class time zone.
Activity Procedure
Step 1 Navigate to Work Centers > Guest Access > Settings and then select
Guest Locations and SSIDs.
Step 2 In the Guest Locations area enter the following location and time zone
information.

Tip In the time zone area begin typing to activate filtering.

Guest Locations

Location name    Time Zone
New York         America/New_York
Chicago          America/Chicago
<YOUR CITY>      <YOUR TIME ZONE>

Step 3 In the Guest SSIDs field, enter your guest SSID (p#-guest) from your
WLC WLAN (# = your pod number).
This feature is useful when an organization's guest network uses different
SSIDs by location, for example Guest-US, Guest-EU and Guest-APAC.

Note Do not navigate away from the Guest Locations and SSIDs page without saving first, or you
will lose the Guest Location form data.

Step 4 Click Save.


Discovery 7: Guest Access Operations


This activity has you explore multiple Cisco ISE guest access configurations and
operations, so that you understand how the various guest access scenarios work
and why you might use them in your organization. You will start by configuring
Cisco ISE guest access with a hotspot portal, which suits organizations that want
the simplest method of providing guest access and are less concerned with strict
access control or with tracking who uses the service. Some organizations require
more control and awareness of who uses guest access; you will learn how to
accommodate those scenarios with self-registration and with self-registration
plus sponsor approval. Finally, you will configure and validate sponsored guest
access.
Complete this Discovery activity to practice what you learned in the related
module.

Activity Objective
In this activity, you will explore multiple Cisco ISE guest access configurations and
operations. After completing this activity, you will be able to meet these objectives:
◼ Configure Cisco ISE guest access using a hotspot portal
◼ Configure Cisco ISE guest access for self-registration
◼ Configure Cisco ISE guest access for sponsored guest access


Visual Objective


Task 1: Hotspot Portal Operations


In this task, you will configure Cisco ISE guest access with a hotspot portal. This
type of access is appropriate where accepting an AUP alone is sufficient to meet
network security policy.
Activity Procedure
Complete these steps:
WLC ACL Configuration
Step 1 From the Admin PC, open Shortcuts folder and double-click the shortcut
to connect to the wireless LAN controller (WLC) at
https://wlc.demo.local.

Step 5 Log in to the WLC with the username cisco and password cisco. You will
see the Monitor page giving a status overview of the WLC. Click the Advanced
link in the upper left.


Step 6 From the Cisco WLC Admin Portal menu, navigate to WLANs, select the
WLAN ID next to the hotspot SSID. Click on the Security tab, and then
the AAA Servers tab. Select the ISE-1 and ISE-2 IP Addresses for Server
1 and 2 respectively in both the Authentication Servers and Accounting
Servers dropdowns.

Step 7 On the General tab for the WLAN click the Enabled checkbox to activate
the WLAN, then click Apply in the upper right-hand corner.
Step 8 Navigate to Security > Access Control Lists > Access Control Lists.
Step 9 Click the New button in the upper right. Type the name of the ACL to be
created, ACL-WEBAUTH-REDIRECT. Click Apply.
Step 10 Select the ACL name link and select the Add New Rule button in the
upper right to create the rules in the table below:

Seq  Source IP                      Destination IP                 Protocol  Source Port  Dest. Port  DSCP  Direction  Action
1    Any                            Any                            UDP       Any          DNS         Any   Any        Permit
2    Any                            10.1.100.21 / 255.255.255.255  Any       Any          Any         Any   Inbound    Permit
3    10.1.100.21 / 255.255.255.255  Any                            Any       Any          Any         Any   Outbound   Permit

Note On the AireOS WLC a redirect ACL is read the opposite way from a redirect ACL on a Cisco IOS
switch: traffic that matches a Permit rule passes without redirection, and traffic that falls
through to the implicit deny at the end is redirected to the guest portal. Keep the Permit rules
to DNS and the ISE policy service node so that everything else a pre-login guest sends is redirected.
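The redirect ACL above is easier to reason about once its evaluation semantics are written down. The following Python is an added example for this guide, not Cisco code or anything exported from the WLC: it models ACL-WEBAUTH-REDIRECT as entered in Step 10, evaluates constructed guest flows against it with AireOS semantics (a Permit match bypasses redirection, the implicit deny redirects), and audits the rule list for Permit rules that would let pre-login traffic bypass the portal for anything other than DNS and the ISE node. The client address 10.1.200.15, the DNS server 10.1.100.10 and the stand-in web server 198.51.100.10 are constructed; 10.1.100.21 as the ISE policy service node and TCP 8443 as the portal port come from this lab.

```python
"""Evaluate the WLC redirect ACL from the table above with AireOS semantics.

Added example for this lab guide; it is not Cisco tooling. Assumptions (from this
lab, not from the ACL itself): 10.1.100.21 is the ISE policy service node that
hosts the portal on TCP 8443, and 198.51.100.10 stands in for www-ext.demo.local.
On an AireOS WLC a flow that matches a Permit rule bypasses redirection, and a
flow that falls through to the implicit deny is redirected to the guest portal.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    src: str                # "any" or "a.b.c.d/prefix"
    dst: str
    proto: str              # "any", "udp" or "tcp"
    dport: Optional[int]    # None means any destination port
    direction: str          # "any", "inbound" (client to network) or "outbound"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str


# ACL-WEBAUTH-REDIRECT exactly as entered in Step 10.
ACL_WEBAUTH_REDIRECT: List[Rule] = [
    Rule(1, "any", "any", "udp", 53, "any"),
    Rule(2, "any", "10.1.100.21/32", "any", None, "inbound"),
    Rule(3, "10.1.100.21/32", "any", "any", None, "outbound"),
]


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in IPv4Network(pattern)


def matches(rule: Rule, flow: Flow) -> bool:
    return (_addr_match(rule.src, flow.src)
            and _addr_match(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport)
            and rule.direction in ("any", flow.direction))


def disposition(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """("permit", seq) for the first matching rule, else ("redirect", None)
    for the implicit deny, which is what sends the browser to the portal."""
    for rule in acl:
        if matches(rule, flow):
            return ("permit", rule.seq)
    return ("redirect", None)


def audit(acl: List[Rule], allowed_hosts: List[str]) -> List[int]:
    """Sequence numbers of Permit rules that let traffic bypass the portal for
    anything other than DNS or the approved ISE hosts. A wide-open Permit in a
    redirect ACL is a guest-network bypass, not a harmless typo."""
    approved = set(allowed_hosts)
    findings = []
    for rule in acl:
        if rule.proto == "udp" and rule.dport == 53:
            continue
        hosts = {rule.src, rule.dst} - {"any"}
        if not hosts or not hosts <= approved:
            findings.append(rule.seq)
    return findings


def demo() -> List[Tuple[str, Optional[int]]]:
    """Constructed flows from a guest client 10.1.200.15 before it accepts the AUP."""
    client, ise, web = "10.1.200.15", "10.1.100.21", "198.51.100.10"
    flows = [
        Flow(client, "10.1.100.10", "udp", 53, "inbound"),   # DNS lookup of www-ext
        Flow(client, ise, "tcp", 8443, "inbound"),           # portal page on ISE
        Flow(ise, client, "tcp", 55000, "outbound"),         # portal response
        Flow(client, web, "tcp", 80, "inbound"),             # the site the guest wanted
    ]
    return [disposition(ACL_WEBAUTH_REDIRECT, f) for f in flows]


if __name__ == "__main__":
    for result in demo():
        print(result)
    print("audit findings:", audit(ACL_WEBAUTH_REDIRECT, ["10.1.100.21/32"]))
```

The fourth constructed flow, plain HTTP to the site the guest typed, is the only one that reaches the implicit deny and is therefore the one that gets redirected; DNS and both directions of the portal conversation pass untouched. Appending a catch-all Permit rule makes audit() flag it, which is the kind of check worth running before a redirect ACL is pushed to production controllers.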

Portal Configuration
Step 11 Return to the Cisco ISE admin portal and navigate to Work Centers >
Guest Access > Portals & Components.
Step 12 Select the Guest Portals link.
Step 13 Click the Create button.
Step 14 In the pop-up select Hotspot Guest Portal and then click Continue…


Step 15 In the Portal Settings and Customization window, configure the following
items:

Hotspot Portal Settings and Customization

Attribute                                    Value
Portal Name                                  Demo – Hotspot
Description                                  The demo.local Hotspot

Portal Behavior and Flow Settings
Portal Settings
HTTPS Port                                   8443
Allowed interfaces                           Gigabit Ethernet 0
Certificate group tag                        ISE Lab CGT
CoA Type                                     CoA Reauthenticate
Endpoint identity group                      GuestEndpoints
Display language                             Use browser locale

Acceptable Use Policy (AUP) Page Settings
Include an AUP page                          [X]
Require an access code                       [X] 123456
Require scrolling to the end of AUP          [X]

Post-Access Banner Page Settings
Include a Post-Access Banner page            [X]

Support Information Page Settings
Include a Support Information page           [X]
Fields to include                            [X] MAC address
                                             [X] IP address
                                             [X] Browser user agent
                                             [X] Policy server
                                             [X] Failure code
Empty fields                                 Hide field

Step 16 Scroll to the top and click Save.


Step 17 In the pop-up window, click OK to change the certificate for all the
portals on the same port.
Step 18 In the customization setting area click Portal Page Customization.


Step 19 Before making any modifications, observe the Preview on the right side of
the page.
Step 20 This is the Mobile preview page. Below this preview is the Desktop
Preview link. Clicking on it will open up a new browser window.

Step 21 Scroll back up to the top and, to the right of Portal Theme, click the
Tweaks… button.
Step 23 Observe the color options that you can modify. Click the color square at
the end of the Banner Color line. Play around with the color tool as you
see fit. Pick a custom color or enter #8a099b in the hex box.
Step 24 Click OK.
Step 25 Leave all other colors the default and click OK.
Step 26 Scroll down to the AUP text box. Wherever you see Cisco Systems in the
AUP change it to The Demo Shop.


Step 27 Select or highlight one of the “The Demo Shop” names and bold it using
the toolbar for the AUP text section. Make any other text modifications
you desire.

Step 28 In the Access Code text box, type Enter Access Code.

Step 29 On the Left side under Pages, select Authentication Success.

Step 30 Edit both Browser Page Title and the Content Title and modify them to
Access Granted.
Step 31 Scroll down to Optional Content 2 and add the following text: Use coupon
code 130 at checkout for extra savings!


Step 32 Using the toolbar, bold and underline 130 then change the font color of
130 to red. Then select the text and change the font size to large.

Step 33 Scroll to the top and click Refresh Preview to review your work.

Step 34 In the left pane, click Support Information.


Step 35 Scroll down to the Support Information Text field and modify the phone
number from (xxx)-xxx-xxxx to (555) 555-1234.
Step 36 In the left pane, click Error Messages.
Step 37 Observe the error messages and the message text that the users would be
shown in the event of an error.
Step 38 Each line of the message Text is inline editable. Modify the
ui_invalid_access_code_error message text to read: Wrong access code.
See the front desk for assistance.


Tip You might want to change the ui_invalid_license_error from “No valid system license
exists.” to something generic since this will be seen by customers.

Step 39 Scroll to the top and click Save.


Step 40 In the left pane, click Acceptable Use Policy and in the preview section
click the link Desktop Preview and observe the desktop preview in a new
tab. Close the tab when you are done.
Step 41 Return to the Guest Portals main page. As indicated below the list of
guest portal types, you must create an authorization profile (top box in figure).
Click the hyperlink at the bottom of the page to go to the authorization
profile configuration page (bottom box in figure). The portal is not shown as
authorized until an Authorization Profile references it and that profile is
used as the result of a rule in an Authorization Policy.

Step 42 Click +Add in the right pane toolbar.


Step 43 Create the following authorization profile:

Hotspot Authorization Profile

Attribute Name     Value
Name               Hotspot Access
Common Tasks
Web Redirection    Hot Spot
                   ACL: ACL-WEBAUTH-REDIRECT
                   Value: Demo – Hotspot (the portal you created in Step 15)

Step 44 Scroll down and click Submit.


Step 45 Click +Add in the right pane toolbar.
Step 46 Create the following authorization profile for guest access.

Guest Authorization Profile

Attribute Name        Value
Name                  Guest Access
Common Tasks
Airespace ACL Name    Allow-All

Note Allow-All is used here only to keep the lab simple. In a production network the guest
authorization profile should return an Airespace ACL that restricts guests to Internet access
and blocks the internal address space.

Step 47 Scroll down and click Submit.


Step 48 Navigate to Work Centers > Guest Access > More > Policy Sets and
access the Wireless Access policy set.
Step 49 Add the following Authorization Policy rule above the Wireless AD
Employees rule.

Note Make sure the WLAN ID for your p#-hotspot WLAN is correct and the WLAN is enabled.


Hotspot Authorization Policy

Attribute    Value
Rule Name    Hotspot
Conditions   Airespace:Airespace-Wlan-Id EQUALS 2
Results      Hotspot Access

Step 50 Add another rule above the Hotspot rule you just created with the
following parameters. The order matters: after the guest accepts the AUP, the
portal places the endpoint in GuestEndpoints and issues a CoA, and on the
re-authentication this rule must match before the Hotspot rule, otherwise the
endpoint is redirected to the portal again.

Guest Access Authorization Policy

Attribute    Value
Rule Name    Guest Access
Conditions   IdentityGroup-Name EQUALS Endpoint Identity Groups:GuestEndpoints
Results      Guest Access
Step 51 Verify your configuration with the following screenshot.

Step 52 Scroll down and click Save.


Step 53 Navigate to Work Centers> Guest Access > Portals & Components and
select Guest Portals.


Step 54 Observe that the Demo – Hotspot portal is now authorized compared to
the other default portals. If you don’t see that, navigate away from that
page and then back again.

Step 55 Click Demo – Hotspot to enter the configuration for that portal.
On the right side, examine the Guest Flow. This diagram is based on the
settings you configured on the left. In this simple hotspot flow, the user
needs to accept the AUP (1) and is then successfully logged on to the network
(2). You enabled Support Information, which is represented by the block on the
right.

When you test access in the next section, you will observe this flow.
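To see why Step 50 puts Guest Access above Hotspot, the following Python is an added example for this guide (not Cisco ISE code) that simulates the first-match evaluation of the Wireless Access authorization rules. It walks one constructed endpoint through the hotspot flow twice: the initial authentication on WLAN ID 2 from an unknown endpoint, and the re-authentication after the CoA, once the portal has placed the MAC in GuestEndpoints. The condition and result of the Wireless AD Employees rule are assumed, since this task does not show them; the MAC address and the attribute names are constructed to resemble what the RADIUS live logs display.

```python
"""First-match simulation of the Wireless Access authorization rules from this task.

Added example for this lab guide; it is not Cisco ISE code. The request
attributes are constructed to mimic the two RADIUS authentications you will see
in the live logs: the initial MAB request from an unknown endpoint on the
hotspot WLAN (ID 2), and the re-authentication after the CoA, by which time the
portal has placed the endpoint in GuestEndpoints. The condition and result of
the Wireless AD Employees rule are assumed; the lab does not show them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]
Hit = Tuple[str, str]           # (rule name, authorization profile returned)


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: str
    enabled: bool = True


def evaluate(rules: List[Rule], request: Request, default: str = "DenyAccess") -> Hit:
    """ISE walks the enabled rules top-down and returns the first match."""
    for rule in rules:
        if rule.enabled and rule.condition(request):
            return (rule.name, rule.result)
    return ("Default", default)


def is_guest_endpoint(req: Request) -> bool:
    return req.get("IdentityGroup-Name") == "Endpoint Identity Groups:GuestEndpoints"


def on_wlan(wlan_id: int) -> Callable[[Request], bool]:
    return lambda req: req.get("Airespace-Wlan-Id") == wlan_id


GUEST_ACCESS = Rule("Guest Access", is_guest_endpoint, "Guest Access")
HOTSPOT = Rule("Hotspot", on_wlan(2), "Hotspot Access")
AD_EMPLOYEES = Rule("Wireless AD Employees",
                    lambda req: req.get("AD-Group") == "Employees",   # assumed condition
                    "PermitAccess")                                   # assumed result

# Order as configured in Steps 49 and 50: Guest Access above Hotspot.
WIRELESS_ACCESS: List[Rule] = [GUEST_ACCESS, HOTSPOT, AD_EMPLOYEES]


def hotspot_session(policy: List[Rule]) -> Tuple[Hit, Hit]:
    """Walk one endpoint through the hotspot flow and return the hit on each auth."""
    mac = "00:11:22:33:44:55"                     # constructed endpoint address
    first: Request = {
        "Calling-Station-ID": mac,
        "Airespace-Wlan-Id": 2,
        "IdentityGroup-Name": "Endpoint Identity Groups:Unknown",
    }
    before_portal = evaluate(policy, first)
    # Guest accepts the AUP: the portal adds the MAC to GuestEndpoints and
    # issues a CoA Reauthenticate, so the same endpoint is evaluated again.
    second: Request = {**first, "IdentityGroup-Name": "Endpoint Identity Groups:GuestEndpoints"}
    after_portal = evaluate(policy, second)
    return before_portal, after_portal


def misordered() -> List[Rule]:
    """The same rules with Hotspot above Guest Access, to show why order matters."""
    return [HOTSPOT, GUEST_ACCESS, AD_EMPLOYEES]


if __name__ == "__main__":
    print("configured order:", hotspot_session(WIRELESS_ACCESS))
    print("hotspot on top:  ", hotspot_session(misordered()))
```

Compare the two orderings: with the lab's order the second authentication lands on Guest Access, while with Hotspot on top the registered endpoint matches Hotspot again and is sent back to the portal, which is the redirect loop you would see in the live logs if the rules were swapped. Disabling the Hotspot rule, as Task 2 later does, makes a WLAN 2 request from an unknown endpoint fall through to the default rule instead.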


Test Access
Step 1 Access your Client PC according to your lab specific instructions.

Caution If you are having difficulty, notify your instructor.

Step 2 Make sure you are logged on as Client/admin.


Step 3 Open the Network and Sharing Center and then Change adapter settings.
Disable the Ethernet interface named Inside, and enable the wireless
interface, if needed.
Step 4 Adjust the settings on the AnyConnect client, click the gear icon, and re-
enable the network services and enable the Wi-Fi adapter, if needed.
Step 5 In the Network section click on the icon to manage your networks. Choose
Manage Networks and remove p#-wpa2e. Close the manage networks
box.
Step 6 From the Network section dropdown choose your SSID p#-hotspot.
Step 7 Open IE and browse to www-ext.demo.local. (It may take a little time for
the redirect to populate the window.)

Note Click Continue if you are prompted to verify the Server Identity.


Step 8 Observe the modifications that you made, for example the banner color,
the name The Demo Shop and the bolding you applied to it.
Step 9 Click in the Access code box and enter an incorrect access code of 1234
and click Accept and observe the result, which should match the error
message you configured.

Step 10 Click the Contact Support link at the bottom. Observe that the Support
Information page opens in a new tab (this may take 30-60 seconds) and that the
help desk phone number shows your modification.

Step 11 Close this tab to return to the AUP page.


Step 12 Now enter the correct access code, 123456, and click Accept.
Step 13 This correlates to the AUP, step 1, in the previous flow diagram. Click
Continue.
Step 14 You should see the customized Access Granted messages with the coupon
code that you configured at the bottom.
Step 15 This correlates to the Success, step 2, in the previous flow diagram.


Step 16 Now navigate to www-ext.demo.local. This should succeed.


Step 17 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 18 Navigate to Operations > RADIUS Live Logs and observe the
authentication records. Notice that the first authentication matched the
Hotspot rule and returned the Hotspot Access profile (web redirection), and
that the authentication after the CoA shows the GuestEndpoints identity group
and the Guest Access authorization profile.

Step 19 Note the endpoint MAC address below.

Step 20 Navigate to Context Visibility > Endpoints.


Find the Client PC MAC address in the MAC Address column, click it, and then
click the Attributes tab; compare the results with the live log entries.
Observe the fields that correlate with the portal configuration you made
earlier. Also notice that the device has been statically assigned to the
GuestEndpoints identity group. This is the Endpoint identity group setting of
the Hotspot portal, applied when the guest accepted the AUP.


Task 2: Self-Registration Portal Operations


In this task, you will configure Cisco ISE guest access for guest self-registration.
This type of access is appropriate where users connect to the network and create
their own accounts, within the limits set by the guest type you assign.

Activity Procedure
Complete these steps:
Configure Guest Type
In this section, you will configure a custom guest type that will restrict access to
business days and hours.
Step 1 In the Cisco ISE Admin portal, navigate to Work Centers > Guest
Access > Portals & Components and then select Guest Types from the
left navigation panel.
Step 2 Observe the default guest types.
Step 3 Click the Create button.
Step 4 Configure a guest type according to the following table:

Guest Type

Attribute                                       Value
Guest type name                                 Business Daily
Description                                     Business hours on business days

Collect Additional Data
Custom Fields…                                  Person Visiting
  Required                                      [ ]
  Tip                                           <leave as default>

Maximum Access Time
Maximum account duration                        5 days (Default: 2)
Allow access only on these days and times       [X]
  From                                          9:00 AM
  To                                            5:00 PM
  Days                                          [ ] Sun  [X] Mon  [X] Tue  [X] Wed  [X] Thu  [X] Fri  [ ] Sat

Account Expiration Notification
Send account expiration notification            [X] 5 hours before account expires
  Email                                         [X]
  Messages                                      Your account at The Demo Shop is going to expire in 5 hours.
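The purge time in Task 1 (entered in UTC, because this ISE deployment runs in UTC) and the Business Daily window above (evaluated in the guest's location time zone) are both local-time conversions that are easy to get wrong by hand. The following Python is an added example for this guide, not Cisco ISE code. It uses the IANA zone names from the Guest Locations table, assumes the Business Daily window of 9:00 AM to 5:00 PM Monday to Friday as configured above, and uses constructed dates in January and July 2024 so that both standard and daylight time are exercised.

```python
"""Local-time arithmetic for two settings in this Discovery: the guest account
purge time, which is entered in UTC because this ISE deployment runs in UTC, and
the Business Daily guest type, whose 09:00-17:00 Monday-to-Friday window is
evaluated in the guest's location time zone.

Added example for this lab guide; it is not Cisco ISE code. It uses the IANA
zone names from the Guest Locations table. The dates are constructed to land on
a Monday in January (standard time) and in July (daylight time).
"""
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo

# Business Daily as configured: 9:00 AM to 5:00 PM, Monday to Friday.
BUSINESS_DAILY = {
    "start": time(9, 0),
    "end": time(17, 0),
    "days": {0, 1, 2, 3, 4},   # Monday == 0 ... Friday == 4
}


def purge_time_utc(local_time: time, zone: str, on_date: date) -> str:
    """The 'Time of purge' value to enter (ISE clock in UTC) so that the purge
    runs at local_time in zone on on_date. DST moves the answer by an hour,
    so a fixed UTC entry is only exact for half the year."""
    local = datetime.combine(on_date, local_time, tzinfo=ZoneInfo(zone))
    return local.astimezone(timezone.utc).strftime("%H:%M")


def purge_runs_at_local(utc_time: time, zone: str, on_date: date) -> str:
    """The reverse check: when a UTC entry actually fires in local time."""
    utc = datetime.combine(on_date, utc_time, tzinfo=timezone.utc)
    return utc.astimezone(ZoneInfo(zone)).strftime("%H:%M")


def access_allowed(utc_instant: datetime, guest_zone: str, policy=BUSINESS_DAILY) -> bool:
    """Is a guest at a location in guest_zone inside the access window at utc_instant?
    Start is inclusive and end exclusive, so 5:00 PM local is already outside."""
    local = utc_instant.astimezone(ZoneInfo(guest_zone))
    return (local.weekday() in policy["days"]
            and policy["start"] <= local.time() < policy["end"])


def checks() -> dict:
    """Constructed cases used by the __main__ block; all dates are Mondays except
    2024-01-13, which is a Saturday."""
    jan, jul = date(2024, 1, 15), date(2024, 7, 15)
    la = "America/Los_Angeles"
    return {
        "midnight_pacific_utc_jan": purge_time_utc(time(0, 0), la, jan),
        "midnight_pacific_utc_jul": purge_time_utc(time(0, 0), la, jul),
        "lab_2300_utc_in_pacific_jan": purge_runs_at_local(time(23, 0), la, jan),
        "ny_1700utc_mon": access_allowed(datetime(2024, 1, 15, 17, 0, tzinfo=timezone.utc), "America/New_York"),
        "chi_1400utc_mon": access_allowed(datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc), "America/Chicago"),
        "ny_2200utc_mon": access_allowed(datetime(2024, 1, 15, 22, 0, tzinfo=timezone.utc), "America/New_York"),
        "ny_1700utc_sat": access_allowed(datetime(2024, 1, 13, 17, 0, tzinfo=timezone.utc), "America/New_York"),
    }


if __name__ == "__main__":
    for name, value in checks().items():
        print(f"{name}: {value}")
```

The checks() output shows the values worth remembering: midnight Pacific is 08:00 UTC in January and 07:00 UTC in July, so the lab's 11:00 PM entry actually fires at 3:00 PM Pacific in winter; and at 14:00 UTC on a Monday a guest in Chicago is still outside the Business Daily window while one in New York is already inside it.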

Step 5 Scroll up and click Save.


Step 6 Click Close.
Configure Guest Portal
Step 7 Navigate back to Guest Access > Portals & Components.
Step 8 Select Guest Portals.
Step 9 Click Self-Registered Guest Portal (default).
Step 10 In the Portal Settings and Customization window configure the following:

Self-Registration Portal Settings and Customization

Attribute                                                           Value
Portal Name                                                         Self-Registered Guest Portal (default)
Description                                                         The Demo Self-Registration Portal

Portal Behavior and Flow Settings
Portal Settings
Employees using this portal as guests inherit login options from    Weekly (default)

Login Page Settings
Include an AUP                                                      [X] on page
Require acceptance                                                  [X]
Require scrolling to the end of AUP                                 [X]

Registration Form Settings
Assign to guest type                                                Business Daily
Fields to include                                                   Include   Required
  User name                                                         [X]       [ ]
  First name                                                        [X]       [X]
  Last name                                                         [X]       [X]
  Email address                                                     [X]       [X]
  Phone number                                                      [X]       [ ]
  Company                                                           [X]       [ ]
  Location                                                          [X]       [X]
    Guest can choose from these locations to set their time zone    San Jose and <SELECT YOUR LOCATION FROM THE LIST> (remove the others)
  SMS Service Provider                                              [ ]       [ ]
  Person being visited                                              [X]       [X]
  Reason for visit                                                  [X]       [X]
Include an AUP                                                      [X] on page
Do not allow guests with an email address from                      [X] example.com

Self-Registration Success Settings
Allow guest to send information to self using                       [X] Print  [ ] Email  [ ] SMS
Include an AUP                                                      [X] on page
Require acceptance                                                  [X]
Require scrolling to end of the AUP                                 [ ]
Allow guest to log in directly from the Self-Registration Success page   [X]

Acceptable Use Policy (AUP) Page Settings
Include an AUP page                                                 [X]
Use different AUP for employees                                     [ ]
Skip AUP for employees                                              [X]
Require scrolling to end of AUP                                     [ ]
Show AUP                                                            Every 1 days

Guest Device Registration Settings
Automatically register guest devices                                [X]
Allow guests to register devices                                    [X]

Post-Login Banner Page Settings
Include a Post-Login Banner page                                    [ ]

Support Information Page Settings
Include a Support Information page                                  [X]
Fields to include                                                   [X] MAC address
                                                                    [X] IP address
                                                                    [X] Browser user agent
                                                                    [X] Policy server
                                                                    [X] Failure code
Empty fields                                                        Hide field

Step 11 Scroll up and click Save.


Step 12 Examine the Guest Flow and when you are comfortable in your
understanding of the flow continue to the next step.

Step 13 Click Portal Page Customizations.


Step 14 Examine the customization options. They are like the Hotspot portal
customizations, with the option to customize the additional pages in this
self-registration flow. For the sake of time, you will only add the footer and
modify one other field. Add the following text to the Footer Elements
(top right of page): All access is logged.

Tip Remember that whenever you include Support Information in a guest flow, change the phone
number in the Support Information text from the x placeholders to an actual number.

Note You will not be modifying the AUP to change the company name from Cisco Systems to
The Demo Shop due to time constraints.

Step 15 Scroll down on the right side to view the preview screen, click Refresh
Preview.


Step 16 Scroll down and observe the footer you created.

Step 17 Change to a different page by clicking on the boxes to the left and observe
the footer is consistent.
Step 18 In the selection menu in the lower left, expand Notifications and then
select Print.
Step 19 Observe the variables that are used in the text.
Step 20 Create a new line at the bottom of the text box. Add the text Location:
Step 21 In the toolbar, click the Insert Variable icon and observe the variables that
are available. Select Location name to insert that variable. (You might
need to scroll down and then scroll over to find the variable.)


Step 22 Verify your work with the following screenshot.

Step 23 Scroll up and click Save, then Close.


Step 24 Use the shortcut hyperlink to create an Authorization profile at the bottom
of the page.

Step 25 Click +Add and create an authorization profile according to the table
below.
Self-Registration Authorization Profile

Attribute Name     Value
Name               Self-Registration Portal
Common Tasks
Web Redirection    Centralized Web Auth
                   ACL: ACL-WEBAUTH-REDIRECT
                   Value: Self-Registered Guest Portal (default)

Step 26 Scroll down and click Submit.


Step 27 Navigate to Policy Sets and access the Wireless Access policy set in order
to change the Authorization rules.
Step 28 Under the Authorization Policy, at the end of the line for the Hotspot
rule, click the gear icon and select Duplicate Above
Step 29 Modify the duplicated rule to match the following Authorization Policy
rule.


Self-Registration Authorization Policy

Attribute    Value
Rule Name    Self-Registration
Conditions   Airespace:Airespace-Wlan-Id EQUALS 3
Results      Self-Registration Portal

Step 30 Click Use.


Step 31 Disable the Hotspot rule.
Step 32 Verify your configuration with the following screenshot.

Step 33 Scroll down and click Save.


Step 34 Return to the WLC. From the Cisco WLC Admin Portal menu, navigate to
WLANs, select the WLAN ID next to the p#-guest SSID.
Step 35 Select the Enabled checkbox on the General tab to enable the WLAN.
Step 36 Click on the Security tab, and then the AAA Servers tab. Verify the ISE-1
and ISE-2 for Server 1 and 2 respectively in both the Authentication
Servers and Accounting Servers dropdowns. If the servers need to be
changed or added, make the changes now.
Step 37 Click the Apply button.
Test Access
Step 1 Access your Client PC per your lab specific instructions.
Step 38 Make sure you are logged on as WIN7-PC/admin.
Step 39 In the notification tray click the AnyConnect icon. In the Network section
click on the icon to manage your networks. Choose Manage Networks
and remove p#-hotspot. Close the manage networks box.
Step 40 Return to the ise-1 admin console. You now need to delete your client
computer from the GuestEndpoints group; otherwise the Guest Access rule
(IdentityGroup-Name EQUALS GuestEndpoints) matches before the Self-Registration
redirect rule and you will never see the portal. Navigate to Context Visibility >
Endpoints, find the MAC address of the Client PC and delete the entry.

Note You may also have to clear the client manually from the WLC, because the WLC holds or
caches association sessions to ride out Wi-Fi signal disruptions and roams.

Step 41 Return to your Client PC; From the Notification tray click on the
AnyConnect icon, in the Network section choose your SSID p#-guest.
Step 42 Open IE and go to www-ext.demo.local. You should be redirected to the
Self-Registration Portal (this may take a minute to appear in the browser).
Step 43 Use your mouse to scroll down to the bottom and click Or register for
guest access.

Step 44 Create an account using the following information.

Create Guest Account

Attribute                       Value
Username                        <leave blank>
First name                      John
Last name                       Watson
Email address                   [email protected]
Phone number                    <ENTER A PHONE NUMBER>
Company                         Holmes Investigations
Location                        <SELECT A LOCATION>
Person being visited (email)    [email protected]
Reason for visit                Consultation
Person visiting                 Mycroft

Step 45 Click Register.


Step 46 Observe your account details.


Step 47 Click Print.


Step 48 Once the page loads and the print dialog comes up, click Cancel to cancel
the print process. Observe the details and the modification at the bottom
with the Location field.

Step 49 Navigate back to the first tab, click I agree to the terms and then Sign
On.
Step 50 Accept the AUP.
Step 51 In the Device Registration window click No, skip registration.
Step 52 You should see a success page showing that you are now online.
Step 53 Now navigate to www-ext.demo.local. This should succeed.
Step 54 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 55 Navigate to Operations > RADIUS Live Logs and observe the
authentication records. Notice that the first authentication, which matched the
Self-Registration rule, identified the endpoint by MAC address only; after the
portal login the records switch to the guest username as the identity and match
the Guest Access authorization profile.

Step 56 Navigate to Context Visibility > Endpoints.


Step 57 Find the Client PC MAC address and select the checkbox and click Edit
in the toolbar.


Step 58 Observe the following fields, which now provide more meaningful
information about the endpoint instead of just a MAC address.


Task 3: Sponsored Guest Logins


In this task, you will perform sponsored guest account operations. You will be
creating the accounts as a sponsor and then providing information to the guest.

Activity Procedure
Complete these steps:
Remove Endpoint from Cisco ISE
Step 1 Access your Client PC according to your lab specific instructions.
Step 2 Make sure you are logged on as CLIENT/admin.
Step 3 In the notification tray click the AnyConnect icon. In the Network section
click on the icon to manage your networks. Choose Disable Wireless.

Step 4 Return to the ise-1 admin page. You now need to delete your client
computer from the GuestEndpoints group. Navigate to Context Visibility >
Endpoints > Authentication and delete the entry for your Client PC.

Note You may have to clear the client manually from the WLC, because the WLC holds or caches
association sessions to ride out Wi-Fi signal disruptions and roams.


Configure Guest Portal


Step 5 Navigate to Work Centers > Guest Access > Portals & Components.
Step 6 On the left navigation panel, click Guest Portal, and then select the
Sponsored Guest Portal (default) link.
Step 7 In the Portal Settings and Customization window configure the following:

Sponsored Portal Settings and Customization

Attribute                                                           Value
Portal Name                                                         Sponsored Guest Portal (default)
Description                                                         The Demo Sponsored Guest Portal

Portal Behavior and Flow Settings
Portal Settings
Employees using this portal as guests inherit login options from    Weekly (default)
Certificate group tag                                               ISE Lab CGT

Login Page Settings
Include an AUP                                                      [X] on page
Require acceptance                                                  [X]
Require scrolling to the end of AUP                                 [ ]
Allow guests to change password after login                         [X]

Post-Login Banner Page Settings
Include a Post-Login Banner page


Step 8 Examine the Guest Flow and when you are comfortable in your
understanding of the flow continue to the next step.

Step 9 Scroll up and click Save and then Close.


Step 10 Use the shortcut hyperlink at the bottom of the page to create an
Authorization profile.

Step 11 Select the checkbox for Self-Registration Portal and then click Duplicate
in the toolbar.
Step 12 Modify the authorization profile according to the table below.
Sponsored Portal Authorization Profile

Attribute Name     Value
Name               Sponsored Portal
Common Tasks
Web Redirection    Centralized Web Auth
                   ACL: ACL-WEBAUTH-REDIRECT
                   Value: Sponsored Guest Portal (default)


Step 13 Scroll down and click Submit.


Step 14 Navigate to Policy Sets and access the Wireless Access policy set.
Step 15 In the Authorization Policy section, find the Self-Registration rule, click
the gear and select Duplicate Above.
Step 16 Modify the duplicated rule to match the following Authorization Policy
rule.
Sponsored Portal Authorization Policy

Attribute    Value
Rule Name    Sponsored Portal
Conditions   Airespace:Airespace-Wlan-Id EQUALS 3
Results      Sponsored Portal

Step 17 Disable the Self-Registration rule


Step 18 Verify your configuration with the following screenshot.

Step 19 Scroll down and click Save.


Sponsor Group Modification
Step 20 Return to Work Centers > Guest Access > Portals & Components >
Sponsor Groups.
Step 21 Select the ALL_ACCOUNTS line in an open area (do not click any text)
and then click Duplicate in the toolbar above.
Step 22 Edit the ALL_ACCOUNTS (default) copy1 Sponsor Group.
Step 23 Click the Members… button above the Sponsor Group Members section.


Step 24 Select the demo.local:demo.local/Users/Employees group and move it to
the Selected User Groups side.
Step 25 Click OK.
Step 26 Modify the rest of this sponsor group according to the following table.
Sponsor Group

Attribute                                                         Value
Disable Sponsor Group                                             [ ]
Sponsor group name                                                DEMO-ALL
Description                                                       All Guest Accounts for Local ALL_ACCOUNTS and demo.local Employees
Sponsor Group Members                                             ALL_ACCOUNTS (default)
                                                                  demo.local:demo.local/Users/Employees
This sponsor group can create accounts using these guest types    Business Daily
                                                                  Contractor (default)
                                                                  Daily (default)
                                                                  Weekly (default)
Create Guest Types at                                             San Jose
                                                                  Chicago

Sponsor Permissions
Sponsor Can Create
Multiple guest accounts assigned to specific guests (Import)      [ ]
  Limit to batch of                                               200
Multiple guest accounts to be assigned to any guests (Random)     [X]
  Default username prefix                                         d-guest-
  Allow sponsor to specify a username prefix                      [ ]
  Limit to batch of                                               25
Start date cannot be more than # days into the future             [X] 31
Sponsor Can Manage                                                All guest accounts
Sponsor Can
View guests’ passwords                                            [X]
Reset guests’ account passwords                                   [X]
Extend guest accounts                                             [X]
Send SMS notifications with guests’ credentials                   [ ]
Delete guests’ accounts                                           [X]
Suspend guests’ accounts                                          [X]
  Require sponsor to provide a reason                             [X]
Reinstate suspended guests’ accounts                              [X]
Approve requests from self-registering guests                     [X]
Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)   [ ]

Note With Sponsor Can Manage set to All guest accounts and View guests’ passwords enabled, every
member of demo.local/Users/Employees can read and reset the password of any guest account,
including accounts other sponsors created. That is fine for the lab; in production, scope a
general-employee sponsor group to the accounts its members created.

Tip If you are having trouble selecting the Guest Types and/or the Locations, Save and
Close your work and open IE and edit this page in IE. When done, save your work and
return to Firefox.

Step 27 Scroll up and click Save. Then Close the page.


Customize Sponsor Portal
Step 28 Navigate to Sponsor Portals on the menu on the left.
Step 29 Select, Sponsor Portal (default) portal to edit.
Step 30 Modify the portal to the settings below.
Sponsor Portal Settings and Customization

Attribute                                     Value
Portal Name                                   Sponsor Portal (default)
Description                                   The DEMO Sponsor portal

Portal Behavior and Flow Settings
Portal Settings
SSIDs available to sponsors                   <Your pod SSID, if you configured it>

Acceptable Use Policy (AUP) Page Settings
Include an AUP page                           [ ]

Step 31 Scroll up and click Save and then Close.


Test Access
Step 2 Access your Client PC according to your lab specific instructions.
Step 3 Make sure you are logged on as WIN7-PC/admin.
Step 4 In the notification tray click the AnyConnect icon. In the Network
section click on the icon to manage your networks. Choose Enable
Wireless and then choose your SSID p#-guest. Close the manage
networks box.


Step 5 Open IE, then load www-ext.demo.local. Wait for the web-redirection to
complete.
Step 6 On the Sponsored Guest Portal Page use your mouse to scroll down to the
bottom and notice there is no link to click for self-registration.
Step 7 Return to ISE Admin on the Admin PC.
Step 8 Navigate to Work Centers > Guest Access > Portals and Components
> Sponsor Portals
Step 9 Click Sponsor Portal (default). At the top of the portal page, click
Portal test URL; this link is at the end of the Description box.
Notice that the Sponsor Portal is shown and that Cisco ISE automatically
redirected the URL to port 8445. You will need to accept a browser certificate
exception for the step to proceed.

Step 10 Log in with the domain credentials in UPN format:
[email protected] / cisco123.


Step 11 Under Create Accounts in the Guest Information section click Random
and observe the Username prefix is pre-populated with d-guest- as per
the policy you created earlier.

Step 12 Select Weekly as the Guest type.


Step 13 Use the following information to create two random guest accounts.
Create Random Accounts

Attribute                   Value
Number of accounts          2
Username prefix             <LEAVE DEFAULT> d-guest-
End of business day         [ ]
Language                    English - English
Duration                    2
From Date (yyyy-mm-dd)      <ENTER TODAY'S DATE>
From Time                   06:00
To Date (yyyy-mm-dd)        <ENTER TOMORROW'S DATE>
To Time                     19:00
Location                    <SELECT YOUR CLASS LOCATION>

Step 14 Click Create.


Step 15 Record the created guest account information below.


Created Guest Accounts

Username      Password
d-guest-
d-guest-

Step 16 Connect to your Client PC and log in with one of the d-guest- accounts
that were created by the employee sponsor.
Step 17 Accept the AUP.
Step 18 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 19 Navigate to Work Centers > Guest Access > Reports > Reports > Guest
Access Reports and view the Guest Accounting and the Sponsor Login and Audit
reports. Observe the records for both the sponsor login and audit events and
the guest accounting.


Task 5: Guest Account Management via the Sponsor Portal


In this task, you will perform guest account management via the sponsor portal.
You will suspend and then reinstate an account, you will examine guest account
properties, reset a guest password, and you will then delete a guest account.

Activity Procedure
Complete these steps:
Step 1 On the Admin PC access your Sponsor Portal.
Step 2 Click the Manage Accounts tab.
Step 3 Observe the accounts that you have created during this Discovery. Notice
that one of the random accounts sponsored by employee1 is in the state
Created.

Step 4 Select one of those accounts and click Suspend.

Step 5 Notice in the pop-up window, you are prompted, “Are you sure you want
to suspend the selected accounts?” and then you are prompted for a reason
for suspension.
Step 6 Enter the following reason, “No-show for meeting.” and click OK.


Step 7 Notice now that the state of an account is Suspended.


Step 8 Reselect that account and notice that the only options now are Delete,
Reinstate and Print.

Step 9 Click Reinstate and click Ok when prompted for confirmation.


Step 10 Edit the first random account, which has the state Active.
Step 11 Enter the first name “G” and last name “Lestrade” and the company
“Scotland Yard”.
Step 12 Click Save.
Step 13 Confirm your data-entry and click Done.
Step 14 On the random account with the state of Created, reset the password.
When prompted, do not select Print, SMS, or Email; just click OK.
Step 15 Click the account name to view the new password. Then click Done.
Step 16 Observe the Time Left on the jwatson account.
Step 17 Select the jwatson account and click Extend.
Step 18 Notice that the maximum number of days is five. Enter 5 in the box and
click OK.
Step 19 Observe the extension of the time via the Time Left field.
Step 20 Select the random account with the state of Created and Delete the
account. Confirm the deletion by clicking OK.

Discovery 8: Guest Reports


Complete this Discovery activity to practice what you learned in the related
module.

Activity Objective
In this activity, you will run guest reports that are directly available from the
Cisco ISE dashboard. After completing this activity, you will be able to meet
these objectives:
◼ Run guest reports from the Authenticated Guests dashlet
◼ Run guest reports from the Authenticated Guests dashlet sparklines

Visual Objective

Task 1: Run Reports from Cisco ISE Dashboard


In this task, you will run reports for guest access from the Cisco ISE dashboard.

Activity Procedure
Complete these steps:
Step 20 On the Admin PC navigate to the Cisco ISE dashboard by clicking Home.
Step 21 Observe Authenticated Guests in the metrics dashlet area (top of the
screen).

Step 22 Click the Authenticated Guest dashlet tab to run the guest report for that
specific time window.
Step 23 You should see that 100% of your guests have a status of “Connected”.
Click on the circular graphic in the Guest Status area.

Step 24 You should see something similar to the example shown below. You can
see graphics for GUESTS STATUS, GUESTS TYPE, FAILURE REASON,
and more. Below that you see the list of devices, along with their
MAC addresses. Clicking on a MAC address here brings you to
the same informational screen you just looked at.

Step 25 Navigate to Context Visibility > Users > Guest.


Step 26 Click on the username of your guest connection. Now click on the MAC
address.

Observe the information gathered about the endpoint.


Step 27 Navigate to Operations > Reports.
Step 28 Open the Reports drawer and then open the Guest drawer. Run the
Sponsor Login and Audit report using today as the Time Range. Explore
the other reports in this section.

Discovery 9: Configuring Profiling


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the Cisco ISE Profiler service and service
settings. After completing this activity, you will be able to meet these objectives:
◼ Enable the Profiler Service
◼ Configure the Cisco ISE NAD definitions for SNMP Profiling
◼ Configure global SNMP profiler settings
◼ Verify NAD configurations for profiling operations

Visual Objective

Task 1: Configuring Profiling in Cisco ISE


The figure highlights the general policy architecture and key components for
Cisco ISE Profiling Services. The configuration process begins with the
enablement of specific probes on an ISE appliance running the Policy Service
persona. Different probes are responsible for collecting different types of
endpoint attributes. These attributes are matched to conditions, which can then
match rules across a library of device types or profiles. Based on a generic
weighting scale, each matching condition can be assigned a different weight or
certainty factor (CF) that expresses the relative value that the condition
contributes to classification of the device to a specific profile. Although
conditions may match in multiple profiles, the profile for which the endpoint has
the highest cumulative CF is the one assigned to the endpoint.
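The scoring described above, modelled in Python as an added illustration that is not Cisco ISE code: every condition that matches the collected attributes adds its CF to the profile that owns it, and the profile with the highest cumulative CF that also reaches its own minimum CF is assigned. The profiles, conditions, CF values and endpoint attributes below are constructed for the example; the real profiler also uses a profile hierarchy and further inputs.

```python
"""Simplified model of profile assignment by certainty factor (CF).

Added illustration for this lab guide; it is not Cisco ISE code. It models
only the idea in the text: every condition that matches the endpoint's
collected attributes adds its CF to the profile that owns it, and the profile
with the highest cumulative CF wins, provided it reaches that profile's
minimum CF. The profiles, conditions, CF values and endpoint attributes here
are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Condition:
    attribute: str   # collected endpoint attribute, e.g. "OUI" or "dhcp-class-identifier"
    operator: str    # "equals", "contains" or "startswith" (case-insensitive)
    value: str
    cf: int          # certainty factor contributed when the condition matches

    def matches(self, endpoint: dict) -> bool:
        observed = endpoint.get(self.attribute)
        if observed is None:           # attribute never collected: no contribution
            return False
        observed, want = str(observed).lower(), self.value.lower()
        if self.operator == "equals":
            return observed == want
        if self.operator == "contains":
            return want in observed
        if self.operator == "startswith":
            return observed.startswith(want)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Profile:
    name: str
    min_cf: int                              # minimum cumulative CF to be assigned
    conditions: list = field(default_factory=list)

    def cumulative_cf(self, endpoint: dict) -> int:
        return sum(c.cf for c in self.conditions if c.matches(endpoint))


# Constructed profile library; names echo profiles seen in this workshop.
# The OUI condition is repeated in the access-point profile to mimic a child
# profile inheriting its parent's matching conditions.
PROFILES = [
    Profile("Cisco-Device", min_cf=10, conditions=[
        Condition("OUI", "contains", "cisco", 10),
    ]),
    Profile("Cisco-Access-Point", min_cf=20, conditions=[
        Condition("OUI", "contains", "cisco", 10),
        Condition("cdpCachePlatform", "contains", "AIR-LAP", 20),
    ]),
    Profile("Microsoft-Workstation", min_cf=10, conditions=[
        Condition("dhcp-class-identifier", "startswith", "MSFT", 10),
        Condition("host-name", "contains", "-PC", 5),
    ]),
]


def score(endpoint: dict, profiles: list = PROFILES) -> dict:
    """Cumulative CF of every profile for this endpoint (handy when reviewing a mis-profile)."""
    return {p.name: p.cumulative_cf(endpoint) for p in profiles}


def classify(endpoint: dict, profiles: list = PROFILES) -> tuple:
    """Return (profile_name, total_cf); ("Unknown", 0) if no profile reaches its minimum CF.

    Ties keep the earlier profile in the list, so library order matters for equal scores.
    """
    best_name, best_cf = "Unknown", 0
    for p in profiles:
        cf = p.cumulative_cf(endpoint)
        if cf >= p.min_cf and cf > best_cf:
            best_name, best_cf = p.name, cf
    return best_name, best_cf


if __name__ == "__main__":
    # Constructed endpoints: an access point seen via SNMP/CDP and a Windows PC seen via DHCP.
    ap = {"OUI": "Cisco Systems, Inc", "cdpCachePlatform": "cisco AIR-LAP1142N"}
    pc = {"OUI": "Intel Corporate", "dhcp-class-identifier": "MSFT 5.0", "host-name": "EMPLOYEE1-PC"}
    for ep in (ap, pc):
        print(classify(ep), score(ep))
```

Note that an endpoint whose only collected attribute is a Cisco OUI stays at Cisco-Device: the access-point profile scores 10 but does not reach its minimum CF of 20 until a second probe contributes.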

Activity Procedure
Complete these steps:
Clean Endpoint data from ISE before Enabling Profiling
Step 1 Return to the Cisco ISE Admin Portal on the Admin PC
Step 2 From the Admin PC, navigate to Work Centers > Profiler > Overview to
view the required configuration steps needed to enable and configure the
profiler service.
Enable Profiling Service
Step 3 Navigate back to Work Centers > Profiler > Overview. Under the
Prepare column and under the Profiling Configuration section, click the
Deployment link to enable the profiling service. This can also be
reached via Administration > System > Deployment.

Step 4 In the right pane, select your ISE-1 node to edit it; repeat these steps on
ISE-2 as well.
Step 5 At the bottom, under Policy Service, select Enable Profiling Service.

Step 6 In the right pane at the top, observe that the Profiling Configuration tab
became available after selecting the Enable Profiling Service feature.
Select the Profiling Configuration tab.
Step 7 Observe the specific probes that are enabled by default:
▪ DHCP
▪ RADIUS
▪ Network Scan (NMAP)
▪ SNMPQUERY
▪ Active Directory
Step 8 Enable the HTTP probe.
Step 9 Scroll down and click Save.
Step 10 Click OK on the pop-up window notifying you of the Policy Service
persona change. You will get a notice that the system will restart.
Step 11 Check the status from the ISE CLI with the command show application
status ise and note the Application Server status. Wait for the service
to be running.

Task 2: Configure the Feed Service


With the Profiler Feed Service, you can retrieve new and updated endpoint profiling policies
and the updated OUI database as a feed from a designated Cisco feed server through a
subscription in Cisco ISE. In this task, you will enable and configure notification settings for
the Cisco Profiler Feed Service. You will also force a manual update.

Activity Procedure
Complete these steps:
Step 1 In the ISE admin portal, navigate to Work Centers > Profiler > Feeds.
Step 2 Verify the checkbox is ticked for Enable Online Subscription Update.
Step 3 Check Notify administrator when a download occurs and use the email
address [email protected].

Note When initially configuring the feed service, it is a good idea to test the feed service
connection. In this lab the test will be unsuccessful because the lab is not
connected to the Internet.

Note Email notification requires that an SMTP server is configured on Cisco ISE. This can be
done via the Administration > Settings > SMTP Server page.

Step 4 Scroll down and click Save.

Note The update process takes some time, at least 30-45 minutes.

You can verify the operation of the Feed Service by scrolling to the bottom of
the page and viewing the Latest Update section.

Task 3: Configuring Profiling in Cisco ISE


In this task, you will modify the NAD definition configuration for profiling in Cisco
ISE.

Activity Procedure
Complete these steps:
Configure Cisco ISE NAD configuration for Profiling
Step 1 Navigate to Work Centers > Profiler > Network Devices.
Step 2 Click the 3k-access switch to edit the NAD profile.
Step 3 Configure the following settings:

Attribute Value

SNMP Settings Enabled

SNMP Version 2c

SNMP RO Community ciscoro

Polling Interval 600

Link Trap Query Disabled

MAC Trap Query Disabled

Originating Policy Services Node Auto

Tip While not a mandatory step in the lab topology, setting the Originating
Policy Service Node for SNMP profiling operations to the node closest to the NAD is a
best practice and tuning configuration, especially in a larger or geographically dispersed
ISE deployment.

Step 4 Scroll down and click Save.


Step 5 Return to the list of Network Devices.
Step 6 Perform the same modification using the same values to the pod WLC.
Modify Profiler Configuration
Step 7 Navigate to Work Centers > Profiler > More > Settings. In the left
pane, select Profiler Settings. This page can also be reached via
Administration > System > Settings.
Step 8 If the goal is visibility only, leave the default value of No
CoA for the CoA Type. Otherwise, select Port Bounce. This helps
ensure that even clientless endpoints go through the complete
reauthorization process, including an IP address refresh if needed. If
multiple endpoints are detected on the switch port, ISE reverts to using
the Reauth option to avoid service disruption of the other connected devices.
Modify the Profiler Configuration according to the following table:

Attribute Value

CoA Type Port Bounce

Change custom SNMP community strings ciscoro

Confirm change custom SNMP community strings ciscoro

All other settings Default

Step 9 Click Save. Verify that the SNMP community strings are correct by
clicking Show.
Verify Profiler Exception Action
Step 10 Navigate to Work Centers > Profiler > Policy Elements. In the left
pane, select Exception Actions. This can also be reached via Policy >
Policy Elements > Results.
Step 11 Click FirstTimeProfile to view the action details.
Observe that the COA Action is Force COA. This occurs when an
endpoint whose profile is “Unknown” is profiled for the first time.

Note This is the default action for all the Cisco provided exception actions.

Task 4: NAD Configuration for Profiling


In this task, you will verify the profiling configuration on your pod WLC and 3k-
access switch. Your pod NADs are already preconfigured.

Activity Procedure
Complete these steps:
Step 1 On your Admin PC, open the shortcuts folder.
Step 2 Click the Firefox link for wlc.demo.local.
Step 3 Login with cisco / cisco.
Step 4 Navigate to the WLANs tab.
Step 5 Click on WLAN ID 3 and disable the p#-guest WLAN.
Step 6 Click WLAN ID 1.
Step 7 Re-enable this WLAN.
Step 8 Click the Advanced tab.

Step 9 Verify that the Allow AAA Override, DHCP Addr. Assignment: Required,
and NAC State: ISE NAC settings are enabled.
Step 10 Scroll down to the right-hand side section Radius Client Profiling.
Step 11 If not already enabled, click both DHCP Profiling and HTTP Profiling
under the Radius Client Profiling section.

Step 12 Click Apply at the top and click OK to the pop-up message.
Step 13 Click the < Back button.
Step 14 Complete the same configuration on your other WLANs (2 & 3) but leave
these WLANs disabled.
Step 15 Access your 3k-access switch using the username admin and password
cisco123.
Step 16 Run the following command to see the preconfigured SNMP
configuration.
show run | section snmp-server

Note You may notice that the switch is configured for SNMP trap functionality. The switch
configuration is used for multiple classes, some of which use the SNMP trap functionality.
Since the switch is preconfigured, if you wish to explore this functionality after your
Discovery is complete, all you need to do is enable the SNMP trap probe and
enable the trap query functionality in your Cisco ISE NAD SNMP definition. If you do not
see the expected output, notify your instructor.

Step 17 Run the following command to see the preconfigured ip helper-address
configuration for the ACCESS VLAN (10) that sends DHCP packets to
both the DHCP server and the ISE node.
show run interface VLAN 10
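A check of the two switch outputs above against the ISE NAD definition from Task 3, as an added Python example that is not part of the lab: it parses constructed output of the two show commands and reports whether the community string ISE was given exists on the switch and is read-only, and whether the access VLAN relays DHCP to both the DHCP server and the ISE node. The IP addresses are constructed placeholders, not lab values.

```python
"""Verify a switch's SNMP and DHCP-relay configuration against the Cisco ISE NAD
profiling settings from this lab (added example for the lab guide, not Cisco code).

The two strings below stand in for the output of 'show run | section snmp-server'
and 'show run interface Vlan10'; they are constructed samples and the IP
addresses are placeholders, not lab values.
"""
import re

# Constructed sample output of: show run | section snmp-server
SNMP_SECTION = """\
snmp-server community ciscoro RO
snmp-server trap-source Vlan10
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 192.0.2.21 version 2c ciscoro
"""

# Constructed sample output of: show run interface Vlan10
VLAN10_SECTION = """\
interface Vlan10
 description ACCESS VLAN
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 192.0.2.10
 ip helper-address 192.0.2.21
end
"""

# Placeholder addresses (constructed): the DHCP server and the ISE Policy Service Node
DHCP_SERVER = "192.0.2.10"
ISE_PSN = "192.0.2.21"
ISE_RO_COMMUNITY = "ciscoro"   # the SNMP RO Community entered in the ISE NAD definition


def parse_snmp_communities(section: str) -> dict:
    """Return {community: access} from 'snmp-server community' lines; IOS defaults to RO."""
    communities = {}
    for m in re.finditer(r"^snmp-server community (\S+)(?:.*?\b(RO|RW)\b)?", section, re.M):
        communities[m.group(1)] = m.group(2) or "RO"
    return communities


def parse_helper_addresses(section: str) -> list:
    """Return the ip helper-address targets configured on the interface."""
    return re.findall(r"^\s*ip helper-address (\S+)", section, re.M)


def check_profiling_nad_config(snmp_section: str, vlan_section: str,
                               ise_ro_community: str = ISE_RO_COMMUNITY,
                               ise_psn: str = ISE_PSN,
                               dhcp_server: str = DHCP_SERVER) -> list:
    """Return a list of findings; an empty list means the NAD matches the ISE definition."""
    findings = []
    communities = parse_snmp_communities(snmp_section)
    access = communities.get(ise_ro_community)
    if access is None:
        findings.append(f"community {ise_ro_community!r} from the ISE NAD definition is not "
                        "configured on the switch; the SNMPQUERY probe will fail")
    elif access != "RO":
        findings.append(f"community {ise_ro_community!r} is {access}; ISE only polls, "
                        "so it should be read-only")
    # Any other read-write community is exposure unrelated to profiling; flag it for review.
    for name, acc in communities.items():
        if acc == "RW" and name != ise_ro_community:
            findings.append(f"read-write community {name!r} present; review whether it is needed")
    helpers = parse_helper_addresses(vlan_section)
    if dhcp_server not in helpers:
        findings.append(f"DHCP server {dhcp_server} is not an ip helper-address on the access VLAN")
    if ise_psn not in helpers:
        findings.append(f"ISE PSN {ise_psn} is not an ip helper-address; the DHCP probe "
                        "will not see the relayed client DHCP packets")
    return findings


if __name__ == "__main__":
    problems = check_profiling_nad_config(SNMP_SECTION, VLAN10_SECTION)
    print("OK" if not problems else "\n".join(problems))
```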

Discovery 10: Customizing the Cisco ISE Profiling Configuration


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the Cisco ISE profiler service to use profiling
data to make policy determinations. After completing this activity, you will be
able to meet these objectives:
◼ Examine EndPoint profiled data
◼ Create a Logical Profile
◼ Utilize a Logical Profile as an Identity condition for authorization policy
selection
◼ Create a custom profiler policy based on observed endpoint data.

Visual Objective

Task 1: Examine Endpoint Data


In this task, you will examine the collective endpoint data gathered since profiling
was turned on in Cisco ISE.

Activity Procedure
Complete these steps:
Step 1 On your Admin PC in the Cisco ISE Admin portal navigate to Work
Centers > Endpoint Classification.
Step 2 Observe the list of endpoints that have been learned since profiling was
enabled.

Step 3 Click the endpoint profile for the Cisco-AIR-LAP endpoint.


Observe the indicated attributes for this endpoint. What is the
EndPointSource? If you scroll down, you will also see other related
attributes.
Step 4 Return to the Endpoint List.
Profile your client PC
Step 5 From your lab access your client PC.
Step 6 If you are not logged on, log on as admin / cisco123.
Step 7 Connect to p#-wpa2e using PEAP and log in with employee1 / cisco123.
Step 8 From the start menu, click Control Panel. Choose Network and Sharing
Center. On the left choose Change adapter settings.
Step 9 Click on the menu icon (the dots and lines) in the AnyConnect client and
choose Manage Networks.
Step 10 Click the Statistics tab.
Step 11 Your machine should have an IP address in the 10.1.11.x network. Record
the Physical Address (MAC Address).
Step 12 Close all open dialog boxes.

Step 13 Return to your Admin PC and on your list of endpoints click the refresh
button.
Step 14 You should have at least one Microsoft-Workstation endpoint profile
added to your list.
Step 15 You should also see the Hostname and IP Address for this record in the
list. If you don’t, enter employee1 in the search box under Username. (Use
the quick filter if you don’t easily see your MAC address.)

Step 16 Select this endpoint profile to observe the endpoint attribute data.
Step 17 Observe that the attribute list contains much more data than seen before
for other endpoints. Pay particular attention to the following list of
attributes:
◼ EndPointSource
◼ Framed-IP-Address
◼ IdentityGroup
◼ MatchedPolicy
◼ NAS-Port-Type
◼ OUI
◼ Total Certainty Factor
Step 18 Return to the Endpoint List.

Task 2: Examine a Logical Profile


In this task, you will create a logical profile that will be utilized in a future
authorization policy.

Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler >
Profiling Policies and then in the left pane under Profiling, select Logical
Profiles. Examine some of the existing Profiles.
Step 2 Examine the Mobile Devices Logical Profile record.

Task 3: Creating a New Authorization Policy using a Logical Profile


In this task, you will create an authorization policy assigning the previously
configured logical profile to a fixed authorization profile.
Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Policy
Sets and enter the Wireless Access policy set.
Step 2 In the Authorization policy, insert a new policy above the Guest Access
policy. To find the Condition, EndPoints Logical Profile, notice the icon
in the screen shot below. Select that icon and scroll down until you find
the correct condition.
Smart Devices Authorization Policy

Attribute Value

Rule Name Smart Devices

Conditions EndPoints LogicalProfile Equals Mobile Devices
(when building the condition in the Condition Studio, use the Unclassified attribute
and search for Logical)

Result Guest Access

Step 3 Scroll down and click Save.

Discovery 11: ISE Profiling Reports


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will run reports that focus on profiling data. After
completing this activity, you will be able to meet these objectives:
◼ Run Endpoint Profile Changes Reports
◼ Run Profiled Endpoints Summary Report
◼ Run profiling-based reports from the Cisco ISE Dashboard

Visual Objective

Task 1: Run Cisco ISE Profiling Reports


In this task, you will run reports based on profiling data gathered in previous
Discoveries.
Activity Procedure
Complete these steps:
Endpoint Profile Changes Report
Step 1 Navigate to Work Centers > Profiler > Reports.
Step 2 In the Report Selector pane navigate to Reports > Profiler Reports >
Profiled Endpoint Summary.
Step 3 Run the report using the Time Range of Last 7 Days.
Step 4 Observe the Details and then the Raw details of a record; see the example
below.

Step 5 On the Raw Log report page, observe the additional level of detail
available.

Step 6 Return to the ISE Admin portal when done.

Home Page Dashlet Reports


Step 7 Navigate to the Home > Endpoints tab.
Step 8 Observe the number of Profiled Endpoints in the Endpoint Categories
section.

Step 9 Click on the profiled category.


Step 10 Observe the endpoints listed.
Step 11 Similarly, the Home > Summary > Endpoints page displays similar
information, as well as additional summary information. Both the
Context Visibility and Home pages can be customized to meet your
needs by adding new Dashboards or Dashlets; click the gear icon in
the upper right corner of the pane.
Step 12 Close all tabs and return to the ISE Admin portal when done.

Discovery 12: BYOD Configuration


In this activity, you will configure Cisco ISE for BYOD onboarding. You will start
by creating a customized My Devices portal. Next, you will see how Cisco ISE can
dramatically reduce your operational overhead. You will configure a scenario in
which certificates are automatically provisioned via the Cisco ISE internal CA.
These certificates will be deployed via a Native Supplicant Provisioning profile,
which you will define. You will configure a certificate authentication profile, and
this profile will use attributes from internally deployed CA certificates. With all of
this in place, you will configure Cisco ISE authentication and authorization policies
for BYOD access, and then use this configuration to onboard a mobile BYOD
device.

Activity Objective
In this activity, you will configure Cisco ISE for BYOD onboarding. After
completing this activity, you will be able to meet these objectives:
◼ Create a customized My Device portal
◼ Configure Cisco ISE to provision certificates via the internal CA and
deploy those certificates via a Native Supplicant Provisioning profile
◼ Configure a certificate authentication profile that utilizes the attributes
from the internally deployed CA certificates
◼ Configure Cisco ISE authentication and authorization policies for BYOD
access
◼ Onboard a BYOD device

Visual Objective

Task 1: Portal Provisioning


In this task, you will create a customized My Devices portal for employee device
management.
Activity Procedure
Complete these steps:
Portal Enablement
Step 1 Navigate to Work Centers > BYOD > Overview. Take a moment to
review the three major phases of BYOD configuration – Prepare, Define,
Go Live and Monitor.

Step 2 You have accomplished the “Prepare” phase items in previous
Discoveries. So, move on to the “Define” phase by clicking the link for
web portals. Then choose My Devices Portals in the left column.

Step 3 Edit the My Devices Portal (default) following the table below:
My Devices Portal Settings and Customization

Attribute Value

Portal Name My Device Portal (default)

Description Device Portal for Demo Employees

Portal Behavior and Flow Settings

Portal Settings

HTTPS Port 8443

Allowed interface Gigabit Ethernet 0

Certificate group tag ISE Lab CGT

Fully qualified domain name (all FQDN) mydevices1.demo.local

Endpoint identity group RegisteredDevices

Authentication Method MyDevices_Portal_Sequence

Idle timeout 10

Display language Use browser locale

Login Page Settings

Maximum failed login attempts before rate limiting 5

Time between login attempts when rate limiting 2

Include an AUP [X] on page

Require acceptance [X]

Require scrolling to the end of AUP [ ]

Acceptable Use Policy (AUP) Page Settings

Include an AUP page [X]

Require scrolling to end of AUP [ ]

Show AUP First Login Only

Post-Login Banner Page Settings

Include Post-Login Banner page [X]

Employee Change Password Settings

Allow internal users to change their own passwords

Support Information Page Settings

Include Support Information page [X]

Fields to include [X] MAC address
[X] IP address
[X] Browser user agent
[X] Policy server
[X] Failure code

Empty fields Hide field

Step 4 Scroll up and click Save.

Note Enabling the Support Information feature is an easy way to provide the end user with a
place to go to see their MAC address. Consider using some of the instructional or
optional fields on the My Devices and Add Devices page or others to provide this
information to the end user.

Portal Authentication Modification


Step 5 Navigate to Work Centers > BYOD > Identities (Click on the Identities
tab). Then choose Identity Source Sequences in the left column.
Step 6 Edit the MyDevices_Portal_Sequence.
Step 7 Move the All_AD_Join_Points to the top of the list in the Authentication
Search List Selected box in order to optimize processing since most user
accounts that will be using this feature are located in Active Directory.

Step 8 Scroll down and click Save.

Portal Authentication Test


Step 9 Still at Work Centers > BYOD, choose the Portals & Components tab.
Then choose My Devices Portals and edit the My Devices Portal
(default) portal.
At the top, to the right of the Description field, right-click the Portal test
URL and open it in another tab.

Step 10 In Firefox, go to the next tab in the browser. Add an exception to the
certificate warning. You should see the customized My Devices Portal that
you previously configured.

Step 11 Log in with the Active Directory user credentials
[email protected] / cisco123

Step 12 Agree to the AUP and click Sign On; on the next page, click Continue.

Step 13 You have successfully logged into the My Devices Portal using Active
Directory credentials. Your page should look like the figure below.

Step 14 Return to your Cisco ISE Admin portal.

Task 2: Provisioning Configuration


In this task, you will configure certificate provisioning using the internal CA
functionality of Cisco ISE. You will then configure a supplicant provisioning policy
that uses that internal CA provisioning configuration.
Cisco ISE comes with a default certificate template, which could be used for
BYOD. You will use that default certificate template with a few modifications
that are specific to this deployment.

Note It is important that any time a default template is used, it is modified to fit the specific
installation environment.

Activity Procedure
Complete these steps:
Certificate Provisioning
Step 21 Under the BYOD tab, click the Portals & Components tab. In the left
pane, expand Certificates and then select Certificate Templates.
Step 22 Duplicate the EAP_Authentication_Certificate_Template (select the tick
box and then Duplicate).
Step 23 Modify the template according to the following table. Verify configuration
with the subsequent screenshot.

Note In this configuration, you will be configuring the OU to be the distinguishing attribute that
will store the functional purpose of the certificate inside each certificate that is issued. By
performing this step, an Authorization Policy rule could be configured with a condition to
match this attribute and then apply the appropriate authorization profile.

BYOD EAP Authentication Certificate Template

Parameter Value

Name BYOD_EAP_AUTH_365

Description BYOD certificate template for approved Demo access

Organizational Unit (OU) BYOD

Organization (O) The Demo Shop

City (L) San Jose

State (ST) CA

Country (C) US

Subject Alternative Name MAC Address

Key Size 2048

SCEP RA Profile ISE Internal CA

Valid Period 365

Step 24 Scroll down and click Submit.


Client Provisioning and Native Supplicant Provisioning
Step 25 Navigate to the Client Provisioning tab in the BYOD Work Centers menu
bar.
Step 26 Create a new policy rule at the top of the list according to the following
table (use the tiny downward arrow (this is the old action menu icon) and
select Insert new policy above). You will be creating a new Native
Supplicant Profile (NSP) in line. Perform the instructions after the table
for the creation of the NSP.

Win_WPA2_BYOD Client Provisioning Policy Rule

Attribute Value

Rule Name Win_WPA2_BYOD

Identity Groups Any

Operating Systems Windows All

Other Conditions demo.local:ExternalGroups EQUALS demo.local/Users/employees

Results Config Wizard: WinSPWizard 2.2.0.52
Wizard Profile: Created using the table below.

Inline Native Supplicant Profile Procedure

Step Action Notes

1. Expand Results.

2. Click the down selector icon, down arrow, to Choose a Wizard Profile.

3. Click the cog in the toolbar area.

4. Select Create New Profile.

5. Create a Native Supplicant Profile using the following data:
▪ Name Win_WPA2_TLS_BYOD
▪ Description Pod ## BYOD NSP
▪ Operating System Windows All
Click +Add to Add a Profile
▪ SSID p#-wpa2e
▪ Security WPA2 Enterprise
▪ Allowed Protocol TLS
▪ Certificate Template BYOD_EAP_AUTH_365
Note: It is important that your pod SSID (p#-wpa2e) match exactly what is
configured for your pod. Having your WLC portal open in a separate tab and
performing a copy/paste from there is the most reliable method. # = your pod number.

6. Click Save, scroll to the bottom and click Save again.

Step 27 Click Done at the far right of this new Rule.


Step 28 Disable the Windows rule below the new rule you created.

Step 29 Compare your configuration with the following screenshot:

Step 30 Scroll down and click Save

Task 3: Policy Configuration


In this task, you will configure the policy components for BYOD access.
Activity Procedure
Complete these steps:
Certificate Authentication Profile Creation
Step 1 Navigate to the Ext Id Sources tab at the top of the current BYOD Work
Center window. In the left pane, choose Certificate Authentication
Profile.
Step 2 In the right pane, click +Add to create a Certificate Authentication Profile
according to the following information. Could we have used the preloaded
profile?
Certificate Authentication Profile

Attribute Value

Name CN_USERNAME

Description Subject contains CN=username

Identity Store [not applicable]

Use Identity From Subject – Common Name

Match Client Certificate Against Certificate In Identity Store Never

Step 3 Verify your configuration with the following screenshot then click
Submit.

Identity Source Sequence Creation

Step 1 Still under the BYOD Work Center, choose Identities tab. In the left
pane, choose Identity Source Sequences.
Step 2 Click +Add to create an Identity Source Sequence according to the
following information. When finished click Submit.

Identity Source Sequence

Attribute Value

Name DOT1X_X509_Username

Description ISS to get username from certificate

Certificate Based Authentication

Select Certificate Authentication [X] CN_USERNAME

Authentication Search List

Selected All_AD_Join_Points
Internal Users
Guest Users

Advanced Search List Settings

Selected Treat as if the user was not found and proceed to the
next store in the sequence.

Allowed Protocols Review


Step 3 Still under the BYOD Work Center, choose Policy Elements tab.
Step 4 In the left pane, choose Results > Allowed Protocols.
Step 5 In the right pane, click Default Network Access.
Step 6 Confirm that EAP-TLS and PEAP with an inner method of EAP-TLS are
both allowed. If they are not enabled, enable them and click Save. This is
sufficient for this access use case (TLS client certificate-based access).

Tip Take note of the option below “Allow EAP-TLS”, and below the “Allow EAP-TLS” inner
method under “Allow PEAP”: “Allow Authentication of expired certificates to allow
certificate renewal in the Authorization Policy”. Using this feature allows some
flexibility, but enabling it by itself weakens the security inherent in the
expiration process of X.509 v3 certificates. However, Cisco ISE has a dictionary
condition, CertRenewRequired, which can be used in an Authorization Policy rule near the
top or as a Global Exception policy; it evaluates the expiration of the certificate and, if
it is expired, can apply an Authorization Profile that redirects to the CWA
portal. Hovering your mouse over the (i) icon at the end of the line pops up a message
indicating this, as shown in the following screenshot.

Authentication Policy Configuration


Step 7 Under the BYOD tab, choose Policy Sets and expand the Wireless Access
policy set.
Step 8 Select the authentication policy and expand the rules.
Step 9 Edit the following rule.
Authentication Policy Rule

Attribute Value

Name Wireless_802.1X

Condition Wireless_802.1X

Identity Source DOT1X_X509_Username

Options

If authentication failed Reject

If user not found Reject

If process failed Drop

Step 10 Click Save.


Authorization Profile Configuration
Step 11 Verify that the Airespace ACL named NSP-ACL exists on the WLC. On the
WLC, go to Security > Access Control Lists > Access Control Lists.
Select NSP-ACL and review the entries to see what this ACL does.

Step 12 Return to the ISE Admin Portal and click the Policy Elements tab in the
BYOD Work Center. In the left pane, choose Results > Authorization
Profiles.
Step 13 Create the two following Authorization Profiles:
WLC Native Supplicant Provisioning Authorization Profile
Attribute Name Value

Name WLC_NSP

Common Tasks

Web Redirection Native Supplicant Provisioning
ACL: NSP-ACL
Value: BYOD Portal (default)

WLC User Access Authorization Profile


Attribute Name Value

Name WLC_User_Access

Common Tasks

Airespace ACL Name Allow-All

Authorization Policy Configuration


Step 14 Under the BYOD Work Center, choose Policy Sets. Expand the Wireless
Access policy set.
Step 15 Expand the Authorization Policy and insert the two following
authorization policy rules below the Smart Devices rule in order.
BYOD NSP Authorization Policy

Attribute Value

Rule Name BYOD NSP

Conditions EAP-MSCHAPv2 AND Wireless_802.1X (hint: both are library conditions)

Results: Profiles WLC_NSP

BYOD Access Authorization Policy

Attribute Value

Rule Name BYOD Access

Conditions Wireless_802.1X AND BYOD_is_Registered AND EAP-TLS AND MAC_in_SAN
(hint: all are library conditions)

Results: Profiles WLC_User_Access
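The certificate checks behind the Tip on expired certificates and the BYOD NSP / BYOD Access rules above, modelled in Python as an added illustration that is not Cisco ISE code: the identity is taken from Subject CN as the CN_USERNAME profile does, MAC_in_SAN compares the certificate's SAN with the RADIUS Calling-Station-ID after normalising MAC formats, and an expired certificate is steered to a renewal redirect rather than granted access. Certificates are represented as already-parsed fields; all values and the CWA redirect profile name are constructed assumptions, not lab values.

```python
"""Model of the certificate-based decisions in this lab's BYOD policy (added
example for the lab guide, not Cisco ISE code; the rule logic is simplified).

It models: the CN_USERNAME profile taking the identity from Subject CN, the
MAC_in_SAN condition comparing the certificate's SAN with the RADIUS
Calling-Station-ID, and CertRenewRequired steering an expired certificate to
a renewal redirect instead of a plain reject. Certificates are represented as
already-parsed fields so no PKI library is needed; all values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# Accepts 00-11-22-33-44-55, 00:11:22:33:44:55, 001122334455 and 0011.2233.4455
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}"
                    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}")

# Assumed (constructed) name for a profile that redirects to the CWA portal for renewal
CWA_RENEW_PROFILE = "CWA_Cert_Renew_Redirect"


@dataclass
class ParsedCert:
    subject_cn: str
    san_values: list        # SAN entries; the lab template puts the MAC Address here
    not_after: datetime     # expiry, timezone-aware


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if the value is not a MAC."""
    v = value.strip()
    if not MAC_RE.fullmatch(v):
        return None
    return re.sub(r"[-:.]", "", v).lower()


def identity_from_cert(cert: ParsedCert) -> str:
    """CN_USERNAME profile: the username is the Subject Common Name."""
    return cert.subject_cn


def mac_in_san(cert: ParsedCert, calling_station_id: str) -> bool:
    """MAC_in_SAN: the SAN must carry the MAC the RADIUS request came from."""
    want = normalize_mac(calling_station_id)
    return want is not None and any(normalize_mac(s) == want for s in cert.san_values)


def cert_renew_required(cert: ParsedCert, now: datetime) -> bool:
    """True when the presented certificate has passed its notAfter."""
    return cert.not_after <= now


def authorize(cert: Optional[ParsedCert], calling_station_id: str, eap_method: str,
              byod_registered: bool, now: datetime) -> str:
    """Return the authorization profile the lab's rules would select, top to bottom.

    Wireless_802.1X is assumed to be true for every call (the policy set is Wireless Access).
    """
    # Renewal exception near the top, as the Tip suggests: an expired certificate is only
    # ever steered to renewal and never reaches the WLC_User_Access rule.
    if cert is not None and cert_renew_required(cert, now):
        return CWA_RENEW_PROFILE
    # BYOD NSP: EAP-MSCHAPv2 -> onboarding redirect (no client certificate yet)
    if eap_method == "EAP-MSCHAPv2":
        return "WLC_NSP"
    # BYOD Access: BYOD_is_Registered AND EAP-TLS AND MAC_in_SAN
    if (eap_method == "EAP-TLS" and cert is not None and byod_registered
            and mac_in_san(cert, calling_station_id)):
        return "WLC_User_Access"
    return "DenyAccess"   # default rule when nothing above matches


# Constructed samples used by the demo and checks below
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID_CERT = ParsedCert("employee1", ["00-11-22-33-44-55"],
                        datetime(2025, 6, 1, tzinfo=timezone.utc))
EXPIRED_CERT = ParsedCert("employee1", ["00-11-22-33-44-55"],
                          datetime(2024, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(identity_from_cert(VALID_CERT),
          authorize(VALID_CERT, "00:11:22:33:44:55", "EAP-TLS", True, NOW))
    # Same certificate presented from a different MAC fails MAC_in_SAN and is denied
    print(authorize(VALID_CERT, "00:11:22:33:44:66", "EAP-TLS", True, NOW))
    print(authorize(EXPIRED_CERT, "00-11-22-33-44-55", "EAP-TLS", True, NOW))
```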

Step 16 Compare your configuration with the following screenshot:

Step 17 Scroll down and click Save.

Task 4: BYOD PC Registration


In this task, you will log in to the PC as an employee to perform the BYOD
registration. You will then connect with the provisioned configuration and
deployed certificate.
Activity Procedure
Complete these steps:
Endpoint Cleaning from Previous Discoveries
Step 1 Access your BYOD PC from the RLab Web Page.
Step 2 Login with the BYOD\admin user.
Step 3 Open the Windows Network and Sharing Center. Select Manage wireless
networks from the left menu.
Step 4 Click Add.
Step 5 Select Manually connect to a wireless network.
Step 6 Fill out the table using the example below:

Step 7 Click Next and then select Change connection settings.

Step 8 Click on the Security tab, then the Settings button.

Step 9 Uncheck the Validate server certificate and click on the Configure…
button next to the Select Authentication Method: drop-down box.

Step 10 Uncheck the tick-box for automatically using your login credentials. Click OK,
then OK again.
Step 11 Click Advanced settings and verify that the User or computer authentication
mode is selected.

Step 12 When prompted for additional credentials, enter [email protected]
for the User name and cisco123 for the Password.

PC Onboarding
Step 13 Open IE and navigate to www-ext.demo.local.
Step 14 Proceed through the portal by clicking Start.

Step 15 Enter the device name employee1_PC and the description My Laptop.
Also observe that the Device ID or MAC address is included at the
bottom.

Step 16 Click Continue.


Step 17 Click the Run button in the pop-up.

Note If the security scan fails, view the Downloads folder and right-click on the program.
Select Run anyway.

Step 18 Click the Start button on the Network Setup Assistant.

Step 19 When prompted click Yes to install the root-CA certificate profile.

Step 20 Continue with the install acknowledging all prompts when presented.
Step 21 The final screen shows a message that the profile is installed. Click Exit.


Step 22 Open the Network and Sharing Center. Double-click the pXX-wpa2e
profile you created earlier. Click the Security tab.

Notice that your connection now uses a certificate.


Step 23 Open the Internet Options in IE by clicking the gear icon in the upper
right of the browser. Click the Content tab and then the Certificates
button.
Step 24 Double-click the [email protected] certificate. Examine the
certificate.
Step 25 Observe that the Subject is [email protected] and that the Subject
Alternative Name is the MAC address.

Cisco ISE Admin Portal Verification


Step 26 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 27 Navigate to Operations > RADIUS Live Logs and observe the
authentication records for the BYOD access.
Step 28 Click the Details icon for the record that was assigned the Authorization
Profile WLC_User_Access.


Step 29 Observe the Overview section and notice the indicated sections below.

Step 30 Examine the Steps section and, towards the bottom, observe the 15048
messages indicating the EAP authentication and the querying of the
Subject Alternative Name and the MAC address as the Radius.Calling-Station-ID.

Step 31 Close this tab and return to the Cisco ISE admin portal.
Step 32 Navigate to Work Centers > BYOD > Identities > Endpoints.
Step 33 Find the Client PC’s MAC address and open the profile. Observe the
record in this list.
Step 34 Click the Attributes tab and find the Device Registration and BYOD
Registration fields, which indicate the registration status of the Client PC endpoint.
Step 35 Click on the Authentication tab and then scroll down to the page to see
similar information:


Step 36 Return to the Cisco ISE admin portal and navigate to
Administration > System > Certificates > Certificate Authority >
Issued Certificates.
Step 37 Observe the endpoint certificate that has been deployed to the
employee1_PC.
Step 38 Select the certificate and click View in the toolbar.

Tip If you scroll to the bottom you will see the SHA-1 and MD5 hash fingerprints. These could be
useful for a helpdesk operator to verify a certificate with the user over the phone,
for example.

Step 39 Click Close.


Discovery 13: Blacklisting a Device

In the previous Discovery, you learned how to configure a BYOD solution. In this activity, you
will learn how to manage that solution. The focus is on how to mark a device lost, and then
stolen.
You will examine Cisco ISE to see how the endpoint is processed in each of these situations.
You will then reinstate a lost or stolen device. You will also process an endpoint for
re-enrollment after a certificate has been revoked.

Activity Objective
In this activity, you will configure Cisco ISE settings and policies for
compliance-based access. After completing this activity, you will be able to meet
these objectives:
◼ Configure Cisco ISE Blacklist Portal.
◼ Configure Authorization Profile components for blacklisting.
◼ Configure Authorization Policy rules for blacklisting.

Visual Objective


Task 1: Blacklisting a Device


In this task, you will mark an on-boarded device as "lost".

Activity Procedure
Complete these steps:
Updating the Blacklist Portal to Use Configured Certificate Group Tag
Step 1 Navigate to Work Centers > BYOD > Portals & Components. In the
left pane, choose Blacklist Portal.
Step 2 Click on Blocked List Portal, and then click Edit.
Step 3 Under Portal Behavior and Flow Settings expand Portal Settings and
change the certificate of the group tag from Default Portal Certificate
Group to ISE Lab CGT.
Step 4 Scroll up and click Save.
Update the Blacklist Authorization Profile
Step 5 Under the BYOD tab, click the Policy Elements tab. Then choose Results
> Authorization Profiles in the left pane.
Step 6 Edit the Blackhole_Wireless_Access profile.
Step 7 Scroll down to Advanced Attribute Settings and change the URL
redirect ACL from BLACKHOLE to BLACKLIST.

Step 8 Scroll down and click Save.


Create the Blacklist Authorization Rule


Step 9 Navigate to the Wireless Access Policy Set and, under the Authorization
rules, add the following rule above the BYOD NSP rule. (This is a very
important rule, so it should be the first rule evaluated.)
Attribute Value

Rule Name Wireless Black List

Conditions Wireless Access


AND
IdentityGroup Name: EQUALS Endpoint Identity Groups:Blacklist

Result Blackhole_Wireless_Access

Step 10 Click Save.
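The reason the Wireless Black List rule must sit above the BYOD rules is that ISE evaluates authorization rules top-down and stops at the first match. The following Python model is an added example, not part of this lab guide or of Cisco ISE: it uses simplified session attributes (access_media, eap, mac_in_san, identity_groups) and a hypothetical NSP_Onboard profile name as stand-ins for the ISE attributes and profiles used in this lab, and shows that a lost device in the Blacklist identity group only lands on Blackhole_Wireless_Access when the black list rule is evaluated first.

```python
"""First-match authorization rule evaluation, modelling rule order in an ISE policy set.
Added example; attribute names and the NSP_Onboard profile are constructed stand-ins."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Session], bool]
    result: str  # authorization profile handed back on a match


def is_wireless(s: Session) -> bool:
    return s.get("access_media") == "Wireless"


# Rules mirroring the Wireless Access policy set built in this lab (conditions simplified).
WIRELESS_BLACK_LIST = AuthzRule(
    "Wireless Black List",
    lambda s: is_wireless(s) and "Blacklist" in s.get("identity_groups", ()),
    "Blackhole_Wireless_Access",
)
BYOD_NSP = AuthzRule(  # onboarding redirect for devices that are not yet provisioned
    "BYOD NSP",
    lambda s: is_wireless(s) and s.get("eap") == "PEAP",
    "NSP_Onboard",  # hypothetical profile name
)
BYOD_ACCESS = AuthzRule(  # Wireless Access AND EAP-TLS AND MAC_in_SAN from the earlier task
    "BYOD Access",
    lambda s: is_wireless(s) and s.get("eap") == "EAP-TLS" and bool(s.get("mac_in_san")),
    "WLC_User Access",
)


def first_match(rules: List[AuthzRule], session: Session,
                default: str = "DenyAccess") -> Tuple[str, str]:
    """Return (rule name, authorization profile) for the first rule whose condition holds."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", default


def outcome(rules: List[AuthzRule], session: Session) -> str:
    return first_match(rules, session)[1]


CORRECT_ORDER = [WIRELESS_BLACK_LIST, BYOD_NSP, BYOD_ACCESS]
WRONG_ORDER = [BYOD_NSP, BYOD_ACCESS, WIRELESS_BLACK_LIST]  # black list evaluated last

# Constructed sessions: an onboarded device later marked Lost, and a normal registered one.
LOST_DEVICE: Session = {
    "access_media": "Wireless", "eap": "EAP-TLS", "mac_in_san": True,
    "identity_groups": ("RegisteredDevices", "Blacklist"),
}
REGISTERED_DEVICE: Session = {
    "access_media": "Wireless", "eap": "EAP-TLS", "mac_in_san": True,
    "identity_groups": ("RegisteredDevices",),
}

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "order, lost device ->", first_match(rules, LOST_DEVICE))
```

With the black list rule last, the lost device still satisfies the EAP-TLS rule above it and keeps WLC_User Access; the CoA issued when a device is marked lost only helps if the re-authentication hits the black list rule first.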


Marking a Device as Lost
Step 11 On your Admin PC, open a new tab in Firefox and navigate to the My
Devices portal by using the URL https://mydevices1.demo.local.
Step 12 Log in with the credentials employee1 / cisco123
Step 13 Accept the terms and conditions, click Signon and then click Continue.
Step 14 Observe that the status is Registered.
Step 15 Manage the device by clicking on the record.
Step 16 Click the Lost button.
Step 17 Click Yes to acknowledge that you want to mark the device as lost.
Step 18 Observe that the status is now Lost.


Task 2: Lost Access Verification


In this task, you will attempt to access the network with a "lost" device.

Activity Procedure
Complete these steps:
Step 1 In the Cisco ISE admin portal, navigate to Operations > Live Logs.
Step 2 You should already observe an authentication success record for the
employee1 BYOD device that has the resulting Blackhole_Wireless_Access
authorization profile result. Cisco ISE issued a CoA when the
device was marked lost. The device automatically re-authenticated as it
normally would and matched the Wireless Black List
authorization policy rule.
Step 3 Return to your BYOD device and in the browser navigate to
www-ext.demo.local. You should be redirected to the blacklist portal
automatically, if the device connects at all.

If the device doesn't connect, verify in the RADIUS Live Logs that it was
blacklisted.


Task 3: Endpoint Record Observations


In this task, you will examine the endpoint data record for a "lost" device.

Activity Procedure
Complete these steps:
Setting Update Information
Step 3 Return to the Cisco ISE admin portal.
Step 4 Navigate to Work Centers > BYOD > Identities. Choose Endpoints in
the left pane.
Step 5 Find the BYOD MAC address and observe the record in this list.
Step 6 Scroll over and observe the Device Registration field, which indicates that the
endpoint is Lost. (If the Device Registration column is missing, use the gear icon in the
upper right corner of the table to add the column to the table.)

Step 7 If you like, you can also navigate to Context Visibility > Endpoints and
view a dashlet that reports the device status as "lost".
Step 8 In the upper right-hand corner of your screen, click the search icon,
type [email protected] and press Enter.
Step 9 Select [email protected] from the suggestions box.


Step 10 In the search results window, notice Blackhole_Wireless in the text. Click
the record to view the details.

Step 11 Observe that the status is Authenticated & Authorized and assigned
Blackhole_Wireless_Access.

Step 12 Click Endpoint Details at the top.


Step 13 Observe the Identity Group in the Authorization Profile.

Step 14 Close the result box by clicking outside the box area.


Task 4: Un-Blacklisting the Device


In this task, you will go through the process of un-blacklisting a device.
Activity Procedure
Complete these steps:
Setting Update Information
Step 1 On the admin PC, access the previously opened My Devices Portal tab.
Step 2 It is likely that your session has timed out. Log in with the credentials
[email protected] / cisco123.
Step 3 Click Accept to the AUP and then click Continue.
Step 4 Manage the device by clicking on the record.
Step 5 Click Reinstate.

Step 6 Click Yes to the pop-up.


Step 7 Observe the device status has been returned to Registered.


Task 5: Verify Access Capability


In this task, you will verify network access after the device has been reinstated.
Activity Procedure
Complete these steps:
Setting Update Information
Step 1 In the Cisco ISE admin portal, navigate to Operations > Live Logs.
Step 2 You should already observe an authentication success record for the
employee1 BYOD device that now has the resulting WLC_User Access
authorization profile result. Cisco ISE issued a CoA when the device was
reinstated. The device automatically re-authenticated as it
normally would and matched the BYOD Access authorization policy rule.

Step 3 Open www-ext.demo.local. You should be able to successfully
connect to the web page.


Discovery 14: Compliance


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure Cisco ISE settings and policies for
compliance-based access. After completing this activity, you will be able to meet
these objectives:
◼ Configure Cisco ISE Posture Settings
◼ Configure Authorization Profile components for compliance-based access
◼ Configure Authorization Policy rules for compliance-based access.

Visual Objective


Task 1: Posture Preparation


In this task, you will configure Cisco ISE posture general settings that will be used
later to check posture compliance of clients.
Activity Procedure
Complete these steps:
Setting Update Information
Step 1 From the Cisco ISE Admin Portal on ise-1 navigate to Work Centers >
Posture > Overview.
Step 2 In the Prepare section, under Updates, click on the link for downloading
posture updates. This page can also be reached via Administration >
System > Settings > Posture > Updates.
Step 3 From the left pane, select Posture Updates to download prebuilt posture
checks for antivirus, AS, and Microsoft Windows.

Note The Update Information should be empty since no updates have been downloaded yet.

Step 4 To download and install the Posture Updates, perform the following steps:
◼ Select the Offline radio button.
◼ Beside File to update, click Browse.
◼ Select Desktop in the left pane of the Windows Explorer, select
Posturing file folder from the right pane, then posture-offline.zip and
click Open.
◼ Click Update Now.

Note This file was downloaded from Cisco using this link:
https://www.cisco.com/web/secure/pmbu/posture-offline.html


This process can take up to approximately 20 minutes to install, although it should
complete quickly. Once complete, the Update Information will
specify the date and time of the Last Update. The version information for
Cisco conditions and antivirus and AS support will also be displayed.
Cisco ISE system performance will be extremely slow during this process
and some functions will not operate. After the update has completed, the
system performance will return to normal.

Posture General Settings


Step 5 If needed, navigate to Work Centers > Posture > Settings, click the
Posture General Settings link.
The settings on this page are used when no Posture Agent Profile is
specified in the client provisioning policy. The Posture Agent Profile is
created at Policy > Policy Elements > Results > Client Provisioning >
Resources. You will be configuring the client provisioning policy later in
the Discovery. However, it is a good practice to set a baseline
configuration here if a policy is misconfigured or absent in the future.
Step 6 Change the Remediation Timer field from 4 minutes to 20 minutes to
allow for patching or other required remediation steps to be performed by
the end-user.
Step 7 Enable the Automatically Close Login Success Screen After setting and
change the value from 0 to 3 seconds.

Note Leaving the value at 0 would configure the client not to display the login success screen.
This may be optimal in some organizations.

Step 8 Validate that ‘Perform posture assessment every time a user
connects to the network’ is selected.
Step 9 Uncheck ‘Cache Last Known Posture Compliant Status’ tick box.
Step 10 Click Save.

Adding resources to Cisco ISE


Step 11 Navigate to Work Centers > Posture > Client Provisioning then to
Resources.
Step 12 In the right pane, click +Add and from the menu select Agent resources
from local Disk.
Step 13 Select the category of Cisco Provided Packages.
Step 14 Click Browse and navigate to your Desktop > Posturing folder and select
Webagent-4.9.5.2-isebundle.zip and click Open.
Step 15 Click Submit and click Confirm when prompted to confirm the hash.


Configure the Client Provisioning Policy


Step 16 First, we will configure a policy for guest users. Navigate to Client
Provisioning Policy in the left menu.
Step 17 Add a new rule according to the following tables. To add a rule, click the
Black arrow at the end of the Win_WPA2_BYOD Rule and choose
Insert New Policy Above. Leave the other options, Profile, Compliance
Module, and Agent Customization Package as they are. No change for
these items is needed for this Discovery.
Guest Win All - Client Provisioning Policy Rule

Attribute Value

Rule Name Guest Win All

Identity Groups Any

Operating Systems Windows All

Other Conditions Network Access:UseCase EQUALS Guest Flow

Results Agent: WebAgent 4.9.5.2

Step 18 Click Done at the end of the Policy and then Save.
Step 19 Verify your configuration with the following screenshot.

Portal Modification
Step 20 Navigate to Work Centers > Guest Access > Portals & Components,
then Guest Portals and edit the Self-Registered Guest Portal.
Step 21 Scroll down to the Guest Device Compliance Settings section and enable
‘Require guest device compliance’.

Step 22 Scroll up and click Save, then Close.


Step 23 Navigate to Work Centers > BYOD > Settings, then Retry URL on the
left.
Step 24 Configure the Retry URL as www-int.demo.local

Step 25 Click Save.


Task 2: Authorization Profiles


In this task, you will configure a simple compliance policy check.
Activity Procedure
Complete these steps:
Create Downloadable ACLs for Compliance
Step 1 Navigate to Work Centers > Posture > Policy Elements. In the left pane,
click on Downloadable ACLs. This page can also be reached via Policy >
Policy Elements > Results and then Authorization > Downloadable ACLs.
Step 2 Create the following Posture Remediation dACL, validate and click
Submit when finished.
Downloadable ACL – ACL_POSTURE_REMEDIATION

Attribute Value

Name ACL_POSTURE_REMEDIATION

Description Permit access to posture services and remediation and deny
everything else.

DACL Content permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit udp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8906
permit tcp any host 10.1.100.22 eq 8443
permit udp any host 10.1.100.22 eq 8905
permit udp any host 10.1.100.22 eq 8906


Step 3 Create the following AD Login Access dACL.

Downloadable ACL – ACL_AD_LOGIN

Attribute Value

Name ACL_AD_LOGIN

Description Permit access to AD login services and deny everything else.

DACL Content permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 eq 1025
permit tcp any host 10.1.100.10 eq 1026


Step 4 Create the following Internet only dACL.

Downloadable ACL – ACL_INTERNET_ONLY

Attribute Value

Name ACL_INTERNET_ONLY

Description Permit DHCP/DNS, Deny Internal website, Permit External Website.

DACL Content permit udp any any eq domain
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.252.10
deny ip any 10.1.252.0 0.0.0.255
permit ip any any

A URL redirect ACL needs to pre-exist on a switch and cannot be a
dACL. Your 3k-access switch is preconfigured with the ACL that you
will use. It is named ISE-URL-REDIRECT.

Note If you desire, you may open a connection to the 3k-access switch and verify by issuing
show ip access-list ISE-URL-REDIRECT.

Note You will be referencing the name of this URL redirect ACL in authorization profiles. Spelling must
match exactly.
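To see what these dACLs actually allow, the following Python evaluator is an added example (not from this lab guide or from Cisco): it parses the IOS-style entries from the tables above, applies first-match semantics with the implicit deny at the end of every ACL, and evaluates constructed sample flows. The ACL contents are copied from Task 2; the sample flow addresses, the external host 198.51.100.7 and the ACL_INTERNET_ONLY_MISORDERED variant are constructed for the example.

```python
"""Evaluate flows against Cisco IOS-style dACL text (first match wins, implicit deny at the end).
Added example; the ACL text is copied from the lab tables, the flows are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# IOS port keywords that occur in the dACLs of this Discovery.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123, "netbios-ns": 137}

# A flow is (protocol, src_ip, src_port, dst_ip, dst_port); ports are None for ICMP.
Flow = Tuple[str, str, Optional[int], str, Optional[int]]


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_endpoint(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' followed by an optional 'eq PORT'."""
    tok = tokens[i]
    if tok == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:  # an IOS wildcard mask is the hostmask notation that ipaddress accepts after '/'
        net, i = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return net, port, i


def parse_ace(line: str):
    """'permit tcp any host 10.1.100.21 eq 8443' -> (action, proto, src, sport, dst, dport)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, sport, i = _parse_endpoint(tokens, 2)
    dst, dport, _ = _parse_endpoint(tokens, i)
    return action, proto, src, sport, dst, dport


def evaluate(acl_text: str, flow: Flow) -> str:
    """Return the action of the first matching entry; unmatched flows hit the implicit deny."""
    proto, sip, sport, dip, dport = flow
    src_ip, dst_ip = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    for line in acl_text.strip().splitlines():
        action, aproto, src, asport, dst, adport = parse_ace(line.strip())
        if aproto != "ip" and aproto != proto:
            continue
        if src_ip not in src or dst_ip not in dst:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"


# dACL contents as configured in Task 2.
ACL_POSTURE_REMEDIATION = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit udp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8906
permit tcp any host 10.1.100.22 eq 8443
permit udp any host 10.1.100.22 eq 8905
permit udp any host 10.1.100.22 eq 8906
"""

ACL_INTERNET_ONLY = """
permit udp any any eq domain
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.252.10
deny ip any 10.1.252.0 0.0.0.255
permit ip any any
"""

# Constructed variant: the subnet deny moved above the host permit, so order changes the result.
ACL_INTERNET_ONLY_MISORDERED = """
permit udp any any eq domain
permit tcp any host 10.1.100.21 eq 8443
deny ip any 10.1.252.0 0.0.0.255
permit tcp any host 10.1.252.10
permit ip any any
"""

if __name__ == "__main__":
    print(evaluate(ACL_POSTURE_REMEDIATION, ("tcp", "10.1.10.5", 51000, "10.1.100.21", 8443)))
    print(evaluate(ACL_INTERNET_ONLY, ("tcp", "10.1.10.5", 51000, "10.1.252.10", 80)))
```

The posture remediation dACL has no permit ip any any, so anything that is not DHCP, DNS, ICMP or the PSN posture ports (8443, 8905, 8906) falls through to the implicit deny; in the Internet-only dACL the single-host permit only works because it precedes the subnet deny.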

Create Authorization Profiles for Compliance


Step 5 Navigate to Authorization Profiles.
Step 6 By clicking +Add, create each of the following authorization profiles.
Posture Remediation - Authorization Profile

Attribute Name Value

Name Posture Remediation

Common Tasks

DACL Name ACL_POSTURE_REMEDIATION

Web Redirection Client Provisioning (Posture)
ACL: ISE-URL-REDIRECT
Value: Client Provisioning Portal (default)


CWA Posture Remediation - Authorization Profile

Attribute Name Value

Name CWA Posture Remediation

Common Tasks

DACL Name ACL_POSTURE_REMEDIATION

Web Redirection Centralized Web Auth
ACL: ISE-URL-REDIRECT
Value: Self Registration Guest Portal (default)

Internet Only - Authorization Profile

Attribute Name Value

Name Internet Only Access

Common Tasks

DACL Name ACL_INTERNET_ONLY

Step 7 Modify the Domain Computer authorization profile to use the new, more
port-restrictive dACL for AD login, ACL_AD_LOGIN, and then click Save.


Task 3: Adjusting Authorization Policy for Compliance


In this task, you will adjust the authorization policy for compliance checking.
Activity Procedure
Complete these steps:
Policy Set Evaluation
Step 1 Navigate to Policy > Policy Sets > Wired Access > Authorization
Policy.
Examine the authorization policy rules and notice that right now things are
clean. You have a rule for employees, a rule for domain computer
authentication, and a default deny rule at the end. Having created all the
guest access rules under the wireless access policy has allowed the wired
policy to stay clean. By using the condition function of policy sets to
differentiate policy, it is possible, and in this situation advantageous, to split
wired access into two different parts in a way comparable to how the overall
access was split into wired and wireless policy sets.
In the following steps you will go through the process of creating a
separate policy set for wired MAB access. This will allow you to
consolidate all the policies that apply to wired MAB access in a
central location without having to evaluate whether a policy applies to
an 802.1X session or a MAB session. You will also modify the existing
Wired Access policy set to apply to 802.1X sessions.
Policy Set Modification
Step 2 Using the gear icon on the right side of the Wired Policy Set, create the
following Wired MAB Policy Set above Wired Access.

Note Policy sets are evaluated like access control lists, top down. As with ACLs, the order of
your rules can determine whether your policy functions as expected.

Policy Set – Wired_MAB_Access

Attribute Value

Name Wired MAB Access

Description Wired MAB Device Access

Condition(s) Wired_MAB

Allowed Protocols Default Network Access

Step 3 Click Save and verify your policy set with the following screenshot.


Step 4 Modify the Wired Access policy set according to the table below (add the
bolded items).
Policy Set – Wired 802.1X Access

Attribute Value

Name Wired 802.1X Access

Description Wired 802.1X Device Access

Condition(s) DEVICE:Device Type EQUALS All Device Types#Wired
AND [add condition from studio library] Wired_802.1X

Note While in this specific lab environment and configuration, it is not necessary to build a
compound condition of device type wired and Wired_802.1X, the purpose for doing so is
to illustrate the flexibility and capability of the policy set condition aspect of Cisco ISE.

Tip Applying this logic, it would be possible to create a condition matching a specific device
location and access method, wired or wireless, etc. and access type, MAB or 802.1X, to
create and maintain organized policy sets.

Step 5 Verify your modification with the following screenshot.

Step 6 Scroll down and click Save.


Wired MAB Policy Set Modification
Step 7 From the main Policy Sets screen, expand the Wired_MAB_Access
policy set.
Step 8 Edit the Default Authentication policy rule to Continue if the user is not
found.

Step 9 In the authorization policy, add the following Authorization policy rule
above the Default rule.


Guest Internet - Authorization Policy

Attribute Value

Rule Name Guest Internet

Conditions NetworkAccess:UseCase EQUALS Guest Flow

Permissions Internet Only Access

Step 10 Modify the Default rule to use the authorization profile CWA Posture
Remediation. Also remove the DenyAccess default profile.
Step 11 Verify your policy with the following screenshot.

Step 12 Scroll down and click Save.

Caution In a production environment it would be important to copy and create policy rules to
facilitate profiled devices which would access the network by way of MAB. For the sake
of time and due to the simplicity of this lab environment you will not be creating or
configuring such rules. Examples of this would be to copy the Access Point and Profiled
Cisco IP Phones rules over from the Wired_8021X_Access policy.

Wired 802.1X Policy Set Modification


Step 13 Return to the main Policy Sets screen and expand the Wired 802.1X
Access policy set.
Step 14 Edit the Wired AD Employees authorization policy rule.
Step 15 Expand the Conditions section. The Conditions Studio window will
appear.
Step 16 Drag the following condition Compliant_Devices to the Editor block.


Step 17 Verify your configuration with the following screenshot.

Step 18 Click Use at the bottom.

Tip Saving the posture status condition to the library for reuse with a simplified name would
make reading policy conditions in their final state easier than reading an attribute-value
statement.

Step 19 Add the following authorization policy rule above the Default rule.


AD Posture Assessment - Authorization Policy

Attribute Value

Rule Name AD Posture Assessment

Condition Session:PostureStatus NOT_EQUALS Compliant AND
demo.local:ExternalGroups Equals demo.local/Users/employees

Permissions Posture Remediation

Step 20 Verify your configuration with the following screenshot.

Step 21 Scroll down and click Save.


Discovery 15: Configuring Client Provisioning


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure Cisco ISE to provision Cisco posture
agents. After completing this activity, you will be able to meet these
objectives:
◼ Configure Client Provisioning settings for updates from Cisco online.
◼ Configure Client Resources for utilization in compliance-based access.
◼ Configure Client Provisioning policies for the utilization of posture agents.

Visual Objective


Task 1: Client Updates


In this task, you will review the client provisioning settings and then perform a
posture component update.
Activity Procedure
Complete these steps:
Client Provisioning Settings
Step 1 Navigate to Work Centers > Posture > Settings. Expand the Software
Updates section and click on Client Provisioning.
Step 2 Observe the default configuration in Cisco ISE 3.x that client provisioning
is enabled by default.


Task 2: Client Resources


In this task, you will configure Cisco ISE for utilization of the Cisco posture agent
(Cisco NAC Agent).
Activity Procedure
Complete these steps:
Downloading Cisco NAC Agent from Cisco
Step 1 Navigate to Work Centers > Posture > Client Provisioning >
Resources. This page can also be reached via Policy > Policy Elements >
Results and then Client Provisioning > Resources.
Step 2 In the right pane, click +Add and from the menu select Agent resources
from Local Disk. In Category choose Cisco Provided Packages
◼ Click Browse and locate the following files located at Desktop >
Posturing Folder.
◼ Choose anyconnect-win-4.x.xxxx.xxxx-webdeploy-k9.pkg file
from the folder and click Open. Click Submit to start the download
process. You will confirm the Hash result by clicking Confirm.
◼ Repeat the steps for the anyconnect-isecompliance- 4.x.xxx.pkg
file.
Step 3 Perform the same operation as in the previous step for the following
custom profile. Instead, you will choose Customer Created Package as
the category. Fill out the form according to the tables below.
acNAMProfile - Customer Created Agent Resource Package

Attribute Value

Category Customer Created Packages

Type AnyConnect Profile

Name acNAMProfile

Description AnyConnect NAM-PEAP Config

File Desktop\Posturing\anyconnect-NAM-PEAP.xml

Configure AnyConnect Agent Profile


Step 4 In the right pane, click +Add and from the menu select NAC Agent or
AnyConnect Posture Profile.
Step 5 Select AnyConnect from the select a Category dropdown box.
Step 6 Create the following profile.


AnyConnect Posture Agent Profile Settings

Attribute Value

AnyConnect

*Name acWinPostureProfile

Description AnyConnect Windows Posture Profile

Agent behavior

Enable debug log No

Operate on non-802.1X wireless No

Enable signature check No

Log file size 5 MB

Remediation timer 4 mins

IP Address Change

Enable agent IP refresh Yes

VLAN detection interval 0 secs

Ping or ARP Ping

Maximum timeout for ping 1 secs

DHCP renew delay 1 secs

DHCP release delay 4 secs

Network transition delay 3 secs

Posture Protocol

PRA retransmission time 120 secs

Discovery host www-int.demo.local

* Server name rules *.demo.local


Note The discovery host needs to be something that will resolve via DNS, so that the generated
traffic (packets) hits the url-redirect. That traffic will then be redirected to the supporting ISE node
running the Policy Services persona.

Step 7 Scroll down and click Submit.

Create the AnyConnect Configuration File.


Step 8 In the right pane, click +Add and from the menu select AnyConnect
Configuration.
Step 9 Create the following configuration.


acConfigWin - AnyConnect Configuration

Attribute Value

* Select AnyConnect Package AnyConnectDesktopWindows 4.x.xxx

* Configuration Name acConfigWin

Description AnyConnect agent configuration for Windows

* Compliance Module Anyconnect-win-compliance-4.x.xxx

AnyConnect Module Selection

ISE Posture [X]

VPN [ ]

Network Access Manager [X]

Diagnostic and Reporting Tool [X]

Profile Selection

ISE Posture acWinPostureProfile

VPN

Network Access Manager acNAMProfile

Step 10 Leave the rest of the form as default, scroll down and click Submit.


Task 3: Client Provisioning Policies


In this task, you will configure Cisco ISE to provision Cisco posture agents in
order to enforce compliance-based access.
Activity Procedure
Complete these steps:
Configuring Client Provisioning Policies.
Step 10 Navigate to Work Centers > Posture > Client Provisioning and in the
left pane select Client Provisioning Policy. This page can also be reached
via Policy > Client Provisioning.
Step 11 Configure the following rule above the Guest Win All Rule
Employee Win All - Client Provisioning Policy Rule

Attribute Value

Rule Name Employee Win All

Identity Groups Any

Operating Systems Windows All

Other Conditions demo.local:externalGroups equal demo.local/Users/Employees

Results Agent: acConfigWin

Step 12 Verify your configuration with the following screenshot then click Done,
then Save.


Discovery 16: Configuring Posture Policies


Complete this Discovery activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure some simple Cisco ISE posture policies to
provide for a functional orientation to posture policies. After completing this
activity, you will be able to meet these objectives:
◼ Configure posture conditions
◼ Configure posture remediation
◼ Configure posture requirements
◼ Configure posture policies

Visual Objective


Task 1: Configuring Posture Conditions


In this task, you will configure some simple file conditions as well as antivirus
compound conditions for both installation and definition age.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Policy Elements, and then
expand Conditions > File. This page can also be reached via Policy >
Policy Elements > Results > Conditions and then expand Posture > File
Condition.
Step 2 In the right pane, click +Add and create the following three File
Conditions.

Caution Be aware of the case of the file name putty.exe. The Cisco NAC Agent file evaluation is
case sensitive.

Caution The operator is Later than, not Later than or Equal to. This is a common error in
configuration.

File Condition – PuTTY_Version

Attribute Value

Name PuTTY_Version

Description Check for an acceptable PuTTY Version

Operating System Windows All

File Type FileVersion

File Path ABSOLUTE_PATH C:\Program Files\putty.exe


Operator Later than

File Version 0.61

File Condition – Bad_File

Attribute Value

Name Bad_File

Description Check for a Bad file

Operating System Windows All

File Type FileExistence

File Path ABSOLUTE_PATH C:\ise\virus.txt


Operator DoesNotExist


File Condition – Good_File

Attribute Value

Name Good_File

Description Check for a Good file

Operating System Windows All

File Type FileExistence

File Path ABSOLUTE_PATH C:\ise\good.txt


Operator Exist

Step 3 In the left pane, select Anti-Virus.


Step 4 In the right pane, click +Add and create the following two Anti-Virus
Conditions.

Caution Be sure to Submit after each one.

AV Compound Condition – ClamWin_AV_Installed

Attribute Value

Name ClamWin_AV_Installed

Description Check if ClamWin AV is Installed

Operating System Windows 7 (All)

Vendor ClamWin (note: NOT ClamAV)

Check Type [ X ] Installation [ ] Definition

Products for Selected Vendor

Product Name ClamWin Antivirus


ClamWin Free Antivirus


AV Compound Condition – ClamWin_AV_Current

Attribute Value

Name ClamWin_AV_Current

Description Check for ClamWin AV Current

Operating System Windows 7 (All)

Vendor ClamWin

Check Type [ ] Installation [ X ] Definition

Option ▪ Allow virus definition file to be [ 7 ] days older than ( X ) current
system date

Products for Selected Vendor

Product Name ClamWin Antivirus


ClamWin Free Antivirus
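As an added example (not part of this lab guide or of the Cisco agent), the following Python code models how the file and antivirus conditions above are evaluated against a constructed endpoint inventory: an exact, case-sensitive path match for the file checks (the Caution above), the strict Later than comparison for PuTTY_Version against 0.61, and the 7-day definition age window for ClamWin_AV_Current. The Endpoint class, the inventories and TODAY are constructed; the antivirus checks are a simplified model of the agent's behaviour, not its implementation.

```python
"""Model of the posture conditions configured in Task 1, evaluated against a constructed endpoint.
Added example; Endpoint, the inventories and TODAY are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.62' -> (0, 62); tuples compare numerically, so '0.9' is not mistaken for > '0.62'."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Endpoint:
    # Path -> file version string (None when the file carries no version resource).
    # Keys are matched exactly, i.e. case-sensitively, like the agent's file check.
    files: Dict[str, Optional[str]]
    av_vendor: Optional[str] = None
    av_definition_date: Optional[date] = None


def file_exists(ep: Endpoint, path: str) -> bool:
    return path in ep.files


def file_version_later_than(ep: Endpoint, path: str, minimum: str) -> bool:
    """FileVersion condition, operator 'Later than' (strict: the minimum itself fails)."""
    version = ep.files.get(path)
    return version is not None and parse_version(version) > parse_version(minimum)


def file_version_later_or_equal(ep: Endpoint, path: str, minimum: str) -> bool:
    """The operator the Caution warns against confusing with 'Later than'."""
    version = ep.files.get(path)
    return version is not None and parse_version(version) >= parse_version(minimum)


def av_installed(ep: Endpoint, vendor: str) -> bool:
    return ep.av_vendor == vendor


def av_definitions_current(ep: Endpoint, vendor: str, max_age_days: int, today: date) -> bool:
    """Definition check: signatures may be at most max_age_days older than the system date."""
    if ep.av_vendor != vendor or ep.av_definition_date is None:
        return False
    return (today - ep.av_definition_date).days <= max_age_days


def evaluate_conditions(ep: Endpoint, today: date) -> Dict[str, bool]:
    """Condition names and parameters are the ones configured in Task 1."""
    return {
        "PuTTY_Version": file_version_later_than(ep, r"C:\Program Files\putty.exe", "0.61"),
        "Bad_File": not file_exists(ep, r"C:\ise\virus.txt"),  # operator DoesNotExist
        "Good_File": file_exists(ep, r"C:\ise\good.txt"),      # operator Exist
        "ClamWin_AV_Installed": av_installed(ep, "ClamWin"),
        "ClamWin_AV_Current": av_definitions_current(ep, "ClamWin", 7, today),
    }


TODAY = date(2024, 1, 15)  # constructed "current system date"

COMPLIANT = Endpoint(
    files={r"C:\Program Files\putty.exe": "0.62", r"C:\ise\good.txt": None},
    av_vendor="ClamWin", av_definition_date=TODAY - timedelta(days=7))

NONCOMPLIANT = Endpoint(
    files={r"C:\Program Files\PUTTY.EXE": "0.62",  # case differs from the configured path
           r"C:\ise\virus.txt": None},
    av_vendor="ClamWin", av_definition_date=TODAY - timedelta(days=8))

BOUNDARY = Endpoint(files={r"C:\Program Files\putty.exe": "0.61"})

if __name__ == "__main__":
    for name, ep in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, evaluate_conditions(ep, TODAY))
```

The BOUNDARY endpoint shows the operator trap the Caution describes: a PuTTY file version of exactly 0.61 fails Later than but would pass Later than or Equal to, so picking the wrong operator silently admits the version the requirement was meant to exclude.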


Task 2: Configuring Posture Remediation


In this task, you will configure remediation processes to instruct users on how
to handle systems that do not meet compliance requirements.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers>Posture>Policy Elements> Remediations
>File. This can also be reached via Policy > Policy Elements > Results
and then Posture > Remediation Actions > File.
Step 2 In the right pane, click +Add and create the following File Remediation.
File Remediation – PuTTY_62

Attribute Value

Name PuTTY_62

Description Approved PuTTY version 0.62

Version 0.62

File to Upload C:\Programs Files\putty.exe

Step 3 Click +Add again and create the following File Remediation.
File Remediation – Good_File

Attribute Value

Name Good_File

Description Our corporate good file

Version 1.0

File to Upload C:\good.txt

Step 4 In the left-hand pane, select Link.


Step 5 In the right pane, click +Add and create the following Link Remediation.

Link Remediation – Install_ClamWin_AV

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Name                          Install_ClamWin_AV
  Description                   URL link to install ClamWin AV package
  Remediation Type              Manual
  Interval                      0
  Retry Count                   0
  URL                           http://www-int.demo.local

Step 6 Click Submit.
Step 7 In the left-hand pane, select Anti-Virus.
Step 8 In the right pane, click +Add and create the following AV Remediation.

AV Remediation – Update_ClamWin_AV

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Name                          Update_ClamWin_AV
  Description                   Update ClamWin definitions
  Remediation Type              Manual
  Interval                      0
  Retry Count                   0
  Operating System              Windows
  Vendor                        ClamWin (note: NOT ClamAV)

Step 9 Click Submit.
Step 10 Edit the default AnyAVDefRemediationWin remediation, change the
        Remediation Type from Automatic to Manual, and click Save. You may
        have to click off Any and then back on before the Save button becomes
        active.

Task 3: Configuring Posture Requirements

In this task, you will configure posture requirements that use the previously
configured conditions and remediations.

Activity Procedure
Complete these steps:

Step 1 In the left pane, click Requirements.
Step 2 Edit the Any_AV_Installation_Win requirement and modify the
       Remediation Action. Change the Message Shown to Agent User to the
       following:

       An approved Antivirus program was NOT detected on your PC. All users
       should have a current AV program installed.

       Click Done at the end of the row when finished. If the Done button isn't
       visible at the end of the line, double-click that entry.
Step 3 Add the following Requirements at the bottom of the list by using the
       same method as adding policy rules (Edit down arrow at the end of the line).

Posture Requirement – ClamWin AV Install Win7

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Name                          ClamWin AV Install Win7
  Operating System              Windows 7 (All)
  Compliance Module             3.x or earlier
  Posture                       AnyConnect
  Conditions                    User Defined > Anti-Virus > ClamWin_AV-Installed
  Remediation Actions           Action: Install_ClamWin_AV

Posture Requirement – ClamWin AV Current Win7

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Name                          ClamWin AV Current Win7
  Operating System              Windows 7 (All)
  Compliance Module             3.x or earlier
  Posture                       AnyConnect
  Conditions                    User Defined > Anti-Virus > ClamWin_AV_Current
  Remediation Actions           Action: Update_ClamWin_AV
                                Message Shown to Agent User:
                                All users should have ClamWin AV with current
                                signatures.

Posture Requirement – PuTTY 62

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Name                          PuTTY 62
  Operating System              Windows (All)
  Compliance Module             Any Version
  Posture                       AnyConnect
  Conditions                    User Defined > File Conditions > PuTTY_Version
  Remediation Actions           Action: PuTTY_62
                                Message Shown to Agent User:
                                Save this file to C:\Program Files\

Posture Requirement – Good File

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Name                          Good File
  Operating System              Windows (All)
  Compliance Module             Any Version
  Posture                       AnyConnect
  Conditions                    User Defined > File Conditions > Good_File
  Remediation Actions           Action: Good_File
                                Message Shown to Agent User:
                                Right-click and save this file to C:\ise\

Posture Requirement – Bad File

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Name                          Bad File
  Operating System              Windows (All)
  Compliance Module             Any Version
  Posture                       AnyConnect
  Conditions                    User Defined > File Conditions > Bad_File
  Remediation Actions           Action: Message Text Only
                                Message Shown to Agent User:
                                You have a bad file. Go delete the file
                                C:\ise\virus.txt

Note   You should now have all of the requirements above in your list (the
       guide's screenshot of the list is for information only and is not
       reproduced here; your screen will not look exactly the same).

Step 4 Scroll down and click Save.

Task 4: Configuring Posture Policies

In this task, you will configure posture policies that will be used in client
access assessments. You will add these policies in a disabled state and
enable them in a later Discovery.

Activity Procedure
Complete these steps:

Step 1 Navigate to Work Centers > Posture > Posture Policy. This can also be
       reached via Policy > Posture.
Step 2 Create the following rules.

Note   Posture Policy Status is configured by changing the icon at the beginning
       of the rule.

Note   Requirement Status is configured by changing the icon in front of the
       Requirement Name.

Posture Policy – File Checks

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Status                        Enabled
  Name                          File Checks
  Identity Groups               Any
  Operating System              Windows (All)
  Compliance Module             3.x or earlier
  Other Conditions              -
  Requirements                  Status       Requirement Name
                                Mandatory    Good File
                                Mandatory    PuTTY 62
                                Audit        Bad File

Posture Policy – AD Win7 Users AV

  Attribute                     Value
  ----------------------------  -----------------------------------------------
  Status                        Enabled
  Name                          AD Win7 Users AV
  Identity Groups               Any
  Operating System              Windows 7 (All)
  Compliance Module             3.x or earlier
  Other Conditions              demo.local:ExternalGroups EQUALS
                                demo.local/Users/Employees
  Requirements                  Status       Requirement Name
                                Optional     ClamWin AV Install Win7
                                Optional     ClamWin AV Current Win7

Step 3 Scroll down and click Save.

Check your work against the guide's figures of the completed posture policy
rules (each rule appears on a single line; the figures are not reproduced here).

Discovery 17: Testing Compliance Based Access

Complete this Discovery activity to practice what you learned in the related
module.

Activity Objective
In this activity, you will perform client-based access using the previously
configured posture compliance configuration. After completing this activity, you
will be able to meet these objectives:
◼ Perform client access using Cisco AnyConnect for compliance checking.

Visual Objective
(Figure not reproduced.)

Task 1: Cisco AnyConnect Access

In this task, you will use Cisco AnyConnect to perform compliance testing
and remediation.

Activity Procedure
Complete these steps:

Step 1 Access your switch and enable interface GigabitEthernet 0/1.
Step 2 Log in to your Client PC with the credentials WIN7-PC\admin, password
       cisco123.
Step 3 Open the Control Panel located on the desktop. Open Network and
       Sharing Center, and click Change Adapter Settings. Disable the
       Wireless Network Connection and enable the Inside connection.
Step 4 In the notification tray at the bottom right of the desktop, click the
       arrow to show the hidden icons. Click the AnyConnect icon to open
       the AnyConnect Secure Mobility Client.
Step 5 Select the 802.1X PEAP network and, if asked, log in using the credentials
       demo\employee1, password cisco123.
Step 6 After the scan completes, AnyConnect gives you detailed information on
       the scan. Notice that you have one required update (Good File) and two
       optional updates (ClamWin). We will only be updating the required file.

Step 7 Make sure the required update (Good File) is highlighted and click Start.
       Navigate to C:\ise\ and save the good.txt file. You will now see the
       status of that update change to Done.
Step 8 Since the ClamWin updates are optional, you can click Skip to bypass
       them. AnyConnect System Scan will then show your system as compliant.
Step 9 Return to your admin PC, open the shortcut folder, and access your
       3k-access switch. Validate that the user has been authorized. (Hint: show
       access-session)

Discovery 18: Compliance Policy Monitoring

Complete this Discovery activity to practice what you learned in the related
module.

Activity Objective
In this activity, you will examine the effects of a faulty policy and review methods
of identifying and troubleshooting such a policy. After completing this activity,
you will be able to meet these objectives:
◼ Use Posture Reports for troubleshooting
◼ Use the Posture Troubleshooter tool

Visual Objective
(Figure not reproduced.)

Task 1: Use Posture Reports for Troubleshooting

In this task, you will examine posture reports as a mechanism to troubleshoot
compliance-based access failures.

Activity Procedure
Complete these steps:

Step 1 Return to the Client PC, navigate to C:\ise\ and right-click to create a
       text file called virus.txt.
Step 2 Restart the Client PC and log back in with the username CLIENT\admin
       and password cisco123. Allow AnyConnect to test your system; this will
       generate information for you to view in the reports.
Step 3 Return to the Cisco ISE admin portal.
Step 4 Navigate to Operations > Reports and then Reports > Endpoints and
       Users > Posture Assessment by Endpoint.
Step 5 Click Run to generate the report based on the selected time range.
Step 6 Click the Details icon for a passed and/or failed posture assessment to
       review the information.
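The Mandatory, Optional and Audit requirement statuses set in Task 4 of the previous Discovery decide what AnyConnect showed in Discovery 17 (one required update, two optional updates that could be skipped) and what the Posture Assessment by Endpoint report shows once virus.txt exists. The following Python script is an added example, not Cisco ISE code and not part of the lab guide, that models that evaluation: it encodes the two lab posture policies, the 7-day ClamWin definition-age check, and constructed endpoint facts for WIN7-PC. The semantics of the lab's Good_File, Bad_File and PuTTY_Version file conditions (good.txt present, virus.txt absent, putty.exe at version 0.62) are assumptions reconstructed from the remediation messages, and the lab_endpoint helper with its sample dates is constructed for the example.

```python
"""Posture policy evaluator modelled on the lab's File Checks and AD Win7 Users AV policies.

Added example, not Cisco ISE code.  Endpoint facts are constructed; the file
condition semantics are assumptions reconstructed from the remediation messages.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List

MAX_DEF_AGE_DAYS = 7  # ClamWin_AV_Current: definitions at most 7 days older than the system date


@dataclass
class Endpoint:
    os: str                 # e.g. "Windows 7"
    files: Dict[str, str]   # path -> version string ("" when the file carries no version)
    av_vendor: str          # "" when no AV product is installed
    av_def_date: date       # date of the installed virus definitions
    today: date             # the endpoint's system date
    ad_groups: List[str]    # AD external groups of the logged-in user


Cond = Callable[[Endpoint], bool]


# Posture conditions: True means the check passes.
def clamwin_installed(ep: Endpoint) -> bool:
    return ep.av_vendor == "ClamWin"

def clamwin_current(ep: Endpoint) -> bool:
    return clamwin_installed(ep) and (ep.today - ep.av_def_date).days <= MAX_DEF_AGE_DAYS

def good_file(ep: Endpoint) -> bool:       # assumption: Good_File = good.txt exists
    return r"C:\ise\good.txt" in ep.files

def bad_file(ep: Endpoint) -> bool:        # assumption: Bad_File passes when virus.txt is absent
    return r"C:\ise\virus.txt" not in ep.files

def putty_version(ep: Endpoint) -> bool:   # assumption: PuTTY_Version = putty.exe is 0.62
    return ep.files.get(r"C:\Program Files\putty.exe") == "0.62"


@dataclass
class Requirement:
    name: str
    status: str       # "Mandatory", "Optional" or "Audit"
    condition: Cond
    remediation: str


@dataclass
class PosturePolicy:
    name: str
    os_match: Cond
    other_condition: Cond
    requirements: List[Requirement]


POLICIES = [
    PosturePolicy("File Checks",
                  os_match=lambda ep: ep.os.startswith("Windows"),
                  other_condition=lambda ep: True,
                  requirements=[
                      Requirement("Good File", "Mandatory", good_file, "Good_File"),
                      Requirement("PuTTY 62", "Mandatory", putty_version, "PuTTY_62"),
                      Requirement("Bad File", "Audit", bad_file, "Message Text Only"),
                  ]),
    PosturePolicy("AD Win7 Users AV",
                  os_match=lambda ep: ep.os == "Windows 7",
                  other_condition=lambda ep: "demo.local/Users/Employees" in ep.ad_groups,
                  requirements=[
                      Requirement("ClamWin AV Install Win7", "Optional", clamwin_installed, "Install_ClamWin_AV"),
                      Requirement("ClamWin AV Current Win7", "Optional", clamwin_current, "Update_ClamWin_AV"),
                  ]),
]


def evaluate(ep: Endpoint, policies: List[PosturePolicy] = POLICIES) -> dict:
    """Return the verdict and the failed requirements grouped by status.

    Only Mandatory failures make the endpoint NonCompliant.  Optional failures
    are offered to the user, who may remediate or Skip them; Audit failures are
    reported but never change the verdict.
    """
    failed = {"Mandatory": [], "Optional": [], "Audit": []}
    for policy in policies:
        if not (policy.os_match(ep) and policy.other_condition(ep)):
            continue  # the policy does not match this endpoint or user
        for req in policy.requirements:
            if not req.condition(ep):
                failed[req.status].append((req.name, req.remediation))
    verdict = "NonCompliant" if failed["Mandatory"] else "Compliant"
    return {"verdict": verdict, **failed}


def lab_endpoint(def_age_days: int = 0, **overrides) -> Endpoint:
    """Constructed facts for WIN7-PC with employee1 logged in (hypothetical values)."""
    today = date(2024, 1, 15)
    facts = dict(os="Windows 7",
                 files={r"C:\Program Files\putty.exe": "0.62"},
                 av_vendor="",                       # ClamWin not installed yet
                 av_def_date=today - timedelta(days=def_age_days),
                 today=today,
                 ad_groups=["demo.local/Users/Employees"])
    facts.update(overrides)
    return Endpoint(**facts)


if __name__ == "__main__":
    print(evaluate(lab_endpoint()))          # Discovery 17 Step 6: one Mandatory, two Optional failures
    fixed = lab_endpoint(files={r"C:\Program Files\putty.exe": "0.62", r"C:\ise\good.txt": ""})
    print(evaluate(fixed)["verdict"])        # Compliant once good.txt is saved, even if ClamWin is skipped
```

Running the script reproduces the lab's observations: before good.txt is saved the verdict is NonCompliant with Good File as the only required item; after it is saved the endpoint is Compliant whether or not the optional ClamWin items are skipped; and adding virus.txt, as in Step 1 above, leaves the verdict Compliant while the Bad File audit failure is what the report then shows. A user outside the Employees group, or a non-Windows 7 endpoint, is never offered the ClamWin requirements because the AD Win7 Users AV policy does not match.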

Task 2: Using the Posture Troubleshooter

In this task, you will examine the posture troubleshooter as a mechanism to
identify compliance-based access failures.

Activity Procedure
Complete these steps:

Step 1 Return to the Cisco ISE admin portal.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then
       General Tools > Posture Troubleshooting.
Step 3 In the form, click the Select button at the end of the Username field. In
       the pop-up that follows, click Search. From the list of Usernames select
       demo\employee1 and click Apply.
Step 4 Go to the bottom of the form and click Search.
Step 5 Click one of the results and then click Troubleshoot.
Step 6 Click Show Results Summary once complete.
Step 7 Observe the details of what passed and what failed.
Step 8 Click Done.
