SISE21 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.1 Remote Lab Administration Guide


Contents

1. Overview
2. Course Version
3. Students per Pod
4. Remote Lab Description
5. Remote Lab Topology
6. Lab Exercise Tips
6.1. General Guidelines
6.2. Controlling iPad Via iPad Viewer
6.3. IP Addressing and Access Details
Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage.
Lab 2: Integrate Cisco ISE with Active Directory
Lab 3: Configure Basic Policy on Cisco ISE
Lab 4: Configure Conversion to Policy Sets
Lab 5: Configure Access Policy for Easy Connect
Lab 6: Configure Guest Access
Lab 7: Configure Guest Access Operations
Lab 8: Create Guest Reports
Lab 9: Configuring Profiling
Lab 10: Customize the Cisco ISE Profiling Configuration
Lab 11: Run Cisco ISE Profiler Feed Reports
Lab 12: Configure BYOD
Lab 13: Blacklisting a Device
Lab 14: Configure Compliance Services on Cisco ISE
Lab 15: Configure Client Provisioning
Lab 16: Configure Posture Policies
Lab 17: Test and Monitor Compliance Based Access
Lab 18: Test Compliance Policy
Lab 19: Configure Cisco ISE for VPN Access
Lab 20: Configure Threat-Centric NAC using Cisco AMP
Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration
Lab 22: Configure Cisco ISE for Basic Device Administration
Lab 23: Configure TACACS+ Command Authorization
7. Remote Lab Support


Copyright © 2016-2017, Global Knowledge

1. Overview

The purpose of the Remote Lab Administration Guide is to assist in the setup and configuration of the classroom for connecting to the Remote Lab for Implementing and Configuring Cisco Identity Service Engine (SISE) v2.1. This guide is not a substitute for the Cisco Course Administration Guide (CAG). It is imperative that the instructor goes through the entire guide to become familiar with the remote lab setup. This guide does not include any access details. All access details will be included in the Remote Lab Administrator’s email.

2. Course Version

This is the original release of the course named Implementing and Configuring Cisco Identity Services Engine (SISE) v2.1.

3. Students per Pod

Each Pod can accommodate 2 students.

4. Remote Lab Description

The remote lab is accessed via RDP to the following location:

rlabs.globalknowledge.ae:443

Log in using the credentials provided in the access details email from the Remote Lab Support Team. Please refer to the attached GK MEA Remote Lab Access Procedure for connecting to the remote lab. Upon successful authentication, a new window opens showing the lab topology for this lab. You can gain access to the consoles of the different devices in the lab by simply clicking (left-click) the device that you would like to access. Once a device is clicked, a new tab is added to the lab interface, which gives access to the selected device.


Access to the console connections is exclusive. If you are unable to access the console of a particular device, you can always clear the console lines to that device by right-clicking the tab name or the device in the topology and selecting the Clear line of the device option. The general administrative tasks listed below can be carried out by right-clicking the respective device in the topology or its tab name.

For Devices

Close console connection to the device

Change font of the terminal

Clear line of the device

Send Ctrl Break

Power Management

For Server/Client PCs

Send Ctrl Alt Del to Server/PC

Close console connection to Server/PC

Power Management

A helpful tips section is also provided towards the bottom right corner of the topology. It lists the known issues and workarounds that the remote lab developer has come across during the preparation of this lab.


5. Remote Lab Topology

The network topology diagram for the Implementing and Configuring Cisco Identity Service Engine (SISE) v2.1 remote lab is shown below.

Each Pod is provided with the following equipment:

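| Equipment | Quantity |
|---|---|
| Cisco ISE v2.1 VM | 1 |
| AD Server 1 | 1 |
| W7PC-Corp | 1 |
| W7PC-Guest | 1 |
| W7PC-CoA | 1 |
| vWLC | 1 |
| WSA | 1 |
| ASAv-941 | 1 |
| iPad mini | 1 |
| 3702I LWAP | 1 |
| Catalyst 3850 Switch | 1 |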


6. Lab Exercise Tips

The lab setup is exactly the same as the standard Cisco SISE v2.1 course.

6.1. General Guidelines

The switch port connectivity for the PCs is different from that mentioned in the Cisco Lab Guide. Please refer to the switch-port details provided in the Lab Topology tab of the Remote Lab Interface.

The SMS service might not work, since the service provider may block such communication.

Device management (powering on or off, or power reset) for the VMs/devices can be done by right-clicking on the respective tab for the device.

iPad access is provided through VNC. The iPad can be accessed from the Admin-PC by clicking the "iPad Viewer" icon.

6.2. Controlling iPad Via iPad Viewer

Below are some tips for controlling the iPad UI via iPad Viewer that will be useful for the lab:

Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with a trackpad) Touch with two fingers on the trackpad if Secondary Click is configured.

Mouse: The mouse pointer mimics touching the iPad screen with one finger.

Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll. (On Mac with a trackpad) Use three-finger scrolling.

Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.


The Tab key is not available on the iPad’s virtual keyboard, so you will have to move the pointer to the text field where you want to input text and click on it.

When interacting with the iPad VNC session, a US keyboard is preferred. If you have a mouse attached to your computer, you will also find it easier to navigate the iPad session.

6.3. IP Addressing and Access Details

IP Addressing

This table lists the internal IP addresses that are used in the labs.

| Device | Hostname | IP Address |
|---|---|---|
| ISE-1 | ise-1 | 10.1.100.21 |
| AD Server-1 | AD | 10.1.100.10 |
| AdminPC | Admin-PC | 10.1.100.6 |
| W7PC-Corp | w7pc-corp | DHCP |
| W7PC-Guest | w7pc-Guest | DHCP |
| W7PC-CoA | w7pc-coa | 10.1.60.100 |
| WSA | wsa.demo.local | 10.1.100.30 |
| vWLC | ##-vWLC | 10.1.100.61 |
| ASAv | ciscoasa | 10.1.100.4 |
| 3k-Access Switch | 3k-Access | 10.1.100.1 |

Accounts and Passwords

The below table lists the accounts and passwords that are used in the labs.

| Device | Username | Password |
|---|---|---|
| ISEBootSrap | admin | ISEisC00L |
| AD Demo | administrator | ISEisC00L |
| AdminPC | admin | ISEisC00L |
| W7PC-Corp | admin | ISEisC00L |
| W7PC-Guest | admin | ISEisC00L |
| W7PC-CoA | admin | ISEisC00L |
| WSA | admin | ISEisC00L |
| vWLC | admin | ISEisC00L |
| ASAv | admin | ISEisC00L |
| 3k-Access Switch | admin | ISEisC00L |


Active Directory Accounts (ad.demo.local)

| Group | Users | Password |
|---|---|---|
| demo.local\employees | employee1, employee2 | ISEisC00L |
| demo.local\contractors | contractor1, contractor2 | ISEisC00L |

Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage.

No change

Lab 2: Integrate Cisco ISE with Active Directory

No change

Lab 3: Configure Basic Policy on Cisco ISE

No change

Lab 4: Configure Conversion to Policy Sets

No change

Lab 5: Configure Access Policy for Easy Connect

No change

Lab 6: Configure Guest Access

No change

Lab 7: Configure Guest Access Operations

Task 2 Step 44: To clear all existing browser cache, delegates need to clear the Safari cache on the iPad. To do so, delegates may follow these steps on the iPad: Settings >> Safari >> Clear History and Website Data

Task 4 Step 1: If the delegates are doing the optional lab, they need to delete the existing account “sholmes” from the sponsor portal, as it is already authenticated. For managing the accounts, delegates may follow these steps: Work Centre >> Guest Access >> Manage Accounts.

Lab 8: Create Guest Reports

No change

Lab 9: Configuring Profiling

No change

Lab 10: Customize the Cisco ISE Profiling Configuration

No change

Lab 11: Run Cisco ISE Profiler Feed Reports

No change

Lab 12: Configure BYOD

Task 4 Step 2: To remove any existing traces of the iPad from the previous labs, please ensure that all the wireless clients are removed from the WLC. For managing the wireless clients, delegates may follow these steps: Monitor >> Clients

Lab 13: Blacklisting a Device

Task 6 Step 8: For the stolen status to be reflected in the Live Logs, the delegates might have to reconnect the iPad to ##wpa2e. This will generate the logs shown in the attached screenshot.

Lab 14: Configure Compliance Services on Cisco ISE

No change

Lab 15: Configure Client Provisioning

Task 2 Step 8: To download the XML files, delegates may right-click on the link mentioned in the lab guide and select the option ‘Save Link As’.


Task 3 Step 3: In the screenshot, the AC Employee Win All policy is wrongly shown as enabled. It should be in the disabled state.

Lab 16: Configure Posture Policies

No changes

Lab 17: Test and Monitor Compliance Based Access

No changes

Lab 18: Test Compliance Policy

No changes

Lab 19: Configure Cisco ISE for VPN Access

Task 2 Step 3: Delegates need to enable the check box for enabling Cisco AnyConnect VPN Client access on the interfaces. While doing this, delegates will be asked to select the AnyConnect image file. Delegates may use ‘Browse Flash’ >> and select the anyconnect-win-4.3.01095-k9.pkg file.

Task 2 Step 23: During the installation process, it might prompt for trusting the server connection. Delegates may go ahead and check the checkbox to continue and trust the certificate.

The procedure may also prompt for changing the settings for the connection. Delegates may click the option ‘change settings’.

Lab 20: Configure Threat-Centric NAC using Cisco AMP

Task 1 Step 1: To carry out the AMP lab exercises, each delegate needs to have an individual AMP Cloud account. For the AMP Cloud account, delegates may contact the instructor.

For the AMP lab, the Cisco Learning Partners will need to request in advance an AMP Cloud account for each student and instructor.

Please take the following steps:

Please request accounts at least 3 business days prior to the class start.

Send an email request to [email protected] indicating the number of accounts required, the names of the delegates, their email IDs, and the start and end dates of the class during which the accounts will be used. The Cisco AMP team will send the AMP account credentials directly to each delegate’s email account, which they will have to use for carrying out the lab exercises.

This account will be active for 6 months, and delegates could use this account for further practice sessions.

Task 3 Step 5: For the Windows Installer URL delegates need to use the following URL: ad.demo.local/Audit_FireAMPSetup.exe

Task 3 Step 10: Delegates need to use ACL_WEBAUTH_REDIRECT instead of ACL_INTERNET_ONLY. It is correctly shown in the screenshot included for reference in the lab guide.

Task 5 Step 1: Delegates need to use the following credentials, as they are wrongly mentioned in the lab guide: ‘W7pc-corp\admin’ and ‘ISEisC00L’

Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration

Task 1 Step 2: The Lab Guide wrongly says to use the root certificate named aaa.demo.local. Delegates need to use the ise-1 root certificate in this task.

Task 1 Step 10: The login credentials for CertSrv are wrongly mentioned in the Lab Guide. Delegates may use Administrator/ISEisC00L

Task 3 Step 4: Since policy sets are enabled, the delegates need to navigate to Policy >> Policy Sets >>, select ‘Default’ in the left pane, then scroll down to Authorization in the right pane.

Task 6 Step 4: Delegates may access the console of w7pc-corp from the pod topology by clicking on the VM icon.

Lab 22: Configure Cisco ISE for Basic Device Administration

Task 1 Step 2: The ISE may take a while to reflect the new TACACS feature in its GUI after enabling it.

Task 1 Step 23: The delegates may use the commands in the file named “SISE21 TACAC Switch Configs” placed on the Admin PC desktop.

Lab 23: Configure TACACS+ Command Authorization

No changes


7. Remote Lab Support

Please note that our primary form of support is through email. Our email id is [email protected]

In order to have interactive communication with the instructors, we are also available on Skype, and our Skype name is gkrlsmea. In case you cannot find us on Skype, please send an email to [email protected] and we will log in to Skype at the earliest for you.