02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 10/20/2011 1
ISE Profiling Services Lab Guide
Developers and Lab Proctors This lab was created by: James Burke
Lab Overview This lab is designed to help attendees understand how to configure and deploy ISE Profiler. It covers the basic configuration and management for profiling devices in an 802.1X environment. Lab Users should be able to complete the lab within the allotted lab time of (2) hours.
Lab Exercises This lab guide includes the following exercises:
• Lab Verification
• Lab Exercise 1: Enable ISE Probes for Profiling
• Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes
• Lab Exercise 3: Verify Profiled Endpoints and Probe attribute information
• Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints
• Lab Exercise 5: Verify IP Phone default Policy
• Lab Exercise 6: Logging and Reporting
Product Overview: ISE The Cisco Identity Services Engine (ISE) is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security and streamline their service operations. Its unique architecture allows enterprises to gather real time contextual information from network, users, and devices to make proactive governance decisions by tying identity back into various network elements including access switches, wireless controllers, VPN gateways, and datacenter switches. Cisco Identity Services Engine is a key component of the Cisco TrustSec™ Solution.
TrustSec Lab Topology
Internal IP addresses
The table that follows lists the internal IP addresses used by the devices in this setup.

Device                                        Hostname                            IP Address
Core Switch (Nexus 7k)                        7k-core.demo.local                  10.1.100.1, 10.1.250.1
Access Switch (3560X)                         3k-access.demo.local                10.1.250.2
Data Center Switch (3560X)                    3k-server.demo.local                10.1.251.2
ISE Appliance                                 ise-1.demo.local                    10.1.100.21
ISE Appliance                                 ise-2.demo.local                    10.1.100.22
ISE Appliance                                 ise-3.demo.local                    10.1.100.23
ISE Appliance                                 ise-4.demo.local                    10.1.100.24
AD Server (CA/DNS/DHCP)                       ad.demo.local                       10.1.100.10
NTP Server                                    ntp.demo.local                      128.107.220.1
Public Web Server                             www-ext.demo.local                  10.1.252.10
Internal Web Server                           www-int.demo.local                  10.1.252.20
Admin (Management) Client (also FTP Server)   admin.demo.local, ftp.demo.local    10.1.100.6
Windows 7 Client PC                           win7-pc.demo.local                  DHCP (10.1.10.x/24)
Internal VLANs and IP Subnets
The table that follows lists the internal VLANs and corresponding IP subnets used by the devices in this setup.

VLAN Number   VLAN Name        IP Subnet        Description
10            ACCESS           10.1.10.0/24     Network for authenticated users or access network using ACLs
20            MACHINE          10.1.20.0/24     Microsoft machine-authenticated devices (L2 segmentation)
30            QUARANTINE       10.1.30.0/24     Unauthenticated or non-compliant devices (L2 segmentation)
40            VOICE            10.1.40.0/24     Dedicated Voice VLAN
50            GUEST            10.1.50.0/24     Network for authenticated and compliant guest users
60            VPN              10.1.60.0/24     VPN Client VLAN to ASA outside interface
70            ASA (trusted)    10.1.70.0/24     ASA inside network to IPEP untrusted interface
80            IPEP (trusted)   10.1.80.0/24     Dedicated IPEP VLAN for trusted interface
90            AP               10.1.90.0/24     Wireless AP connection for LWAPP tunnel
100           DATACENTER       10.1.100.0/24    Network services (AAA, AD, DNS, DHCP, NTP, etc.)
(250)                          10.1.250.0/24    Dedicated interconnect subnet between Core and Access switch
(251)                          10.1.251.0/24    Dedicated interconnect subnet between Core and Data Center switch
252           WEBSVR           10.1.252.0/24    Web Server network

Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab focuses on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By default, all client PC access remains in the ACCESS VLAN 10 and IP phones are placed in VOICE VLAN 40.
Accounts and Passwords
The table that follows lists the accounts and passwords used in this lab.

Access To                      Account (username / password)
Core Switch (Nexus 7k)         admin / C!sco123
Access Switch (3560X)          admin / cisco123
Data Center Switch (3560X)     admin / cisco123
ASA (VPN gateway)              admin / cisco123
ISE Appliances                 admin / default1A
AD Server (CA/DNS/DHCP)        administrator / cisco123
Web Servers                    administrator / cisco123
Admin (Management) Client      admin / cisco123
Windows 7 Client               WIN7-PC\administrator / cisco123 (Local = WIN7-PC)
                               WIN7-PC\admin / cisco123 (Local = WIN7-PC)
                               DEMO\admin / cisco123 (Domain = DEMO)
                               DEMO\employee1 / cisco123 (Domain = DEMO)
Connecting to Lab Devices
Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.
Connect to a POD Step 1 Launch the Remote Desktop application on your system.
a. In the LabOps student portal, click on the Topology tab
b. Click on the Admin PC, then click on the RDP Client option that appears:
c. Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in as DEMO\admin / cisco123 (Domain = DEMO)
d. All lab configurations can be performed from the Admin client PC.
Connect to ESX Server Virtual Machines During the lab exercises, you may need to access and manage the computers running as virtual machines.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 The IP address of your pod’s ESX server is 10.1.11.X where X = 10+(your pod number)
e.g. pod 1 = 10.1.11.11, pod 9 = 10.1.11.19, pod 15 = 10.1.11.25, pod 24 = 10.1.11.34
Note: Be careful to only connect to your pod’s ESX server. If unsure, contact y our class proctor.
Step 3 Enter student / cisco123 for the username and password:
Step 4 Click Login. Once logged in, you will see a list of the VMs available on your ESX server:
Step 5 You can power on, power off, or open the console (view) of these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options:
Step 6 To access the VM console, select Open Console from the drop-down.
Step 7 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Connect to Lab Device Consoles:
Step 1 To access the consoles of the lab switches and ISE servers using SSH:
a. From the Admin client PC, double-click the desired PuTTY shortcut on the Windows desktop. Example:
You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2 To access the console for other devices using SSH:
a. From the Admin client PC, open PuTTY from the Windows Start menu to start a new terminal session.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of the desired device in the Host Name (or IP address) field.
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table
Pre-Lab Setup Instructions Basic Connectivity Test
To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC:
Verify that ping succeeds for all devices tested by script.
Note: The ping test may fail for VMs that have not yet completed the boot process.
Lab Verification: Verify initial lab setup and configuration Exercise Description
Initial lab setup and pre-configuration verification.
Exercise Objective Verify the default bootstrap configuration and connectivity.
Lab Exercise Steps
Step 1 Go to the Admin client PC and open a web browser to log into your ISE appliance (https://ise-1.demo.local) with username/password = admin / default1A
Step 2 Verify your network access switch (3k-access) is configured and setup correctly.
a. Go to Administration > Network Resources > Network Devices and select 3k-access
b. Verify the IP address is 10.1.250.2
c. Verify the RADIUS shared secret under the authentication settings. Click the Show button and confirm that “cisco123” is the shared secret.
Step 3 Use the desktop shortcut for the PuTTY SSH client to launch a terminal session to the 3k-access switch (10.1.250.2) using the credentials admin / cisco123 (enable password cisco123).
Step 4 Make sure interfaces Gi 0/1 – 4 are administratively shut down. In this lab we are only concerned with the IP Phone and IP Camera.
Step 5 On the access switch, verify MAB is configured on the switch ports for non-authenticating devices.
Step 6 Also verify that Multi-Auth host mode is enabled on the switch port. This is needed for the IP Phone to authenticate: both the voice and data domains will authenticate via 802.1X and then fall over to MAB.
Step 7 Verify the Change of Authorization (CoA) configuration on your switch. This is essential when a device changes profile or the authorization settings change for a device or user: the ISE node sends the new authorization parameters to the switch via this mechanism.
Step 8 Verify that AAA accounting records are enabled.
aaa server radius dynamic-author
client 10.1.100.21 server-key cisco123
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
interface Gi0/1
switchport access vlan 10
switchport mode access
switchport voice vlan 40
ip access-group ACL-ALLOW in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
Step 9 Verify Radius VSA information is configured for accounting and authentication.
radius-server vsa send accounting
radius-server vsa send authentication
Lab Exercise 1: Enable ISE, Probes, and Network Device for Profiling Exercise Description
This exercise will enable the profiling probes and NAD communication on your ISE Policy Service node.
Exercise Objective At the end of this exercise you will learn how to enable the probes for your ISE Policy Service node via the GUI.
Lab Exercise Steps Step 1 Log into your ISE device via the admin GUI.
Step 2 Go to Administration > System > Deployment. Click on your ISE node.
Step 3 In General Settings, verify that Policy Service is enabled and that Enable Profiling Service is checked.
Step 4 In the right hand pane click the Profiling Configuration tab.
a. Leave Netflow Probe disabled
b. Enable DHCP Probe.
i. The device interface should be Gi0. (Gi0 is the interface on the ISE appliance)
ii. Leave the default UDP port 67.
c. Enable DHCPSPAN Probe.
i. The device interface should be Gi0
d. Enable HTTP Probe.
i. The device interface should be Gi0
e. Enable RADIUS Probe
f. Enable DNS Probe
i. Keep the defaults
g. Enable SNMPQUERY Probe.
i. Keep the defaults
h. Enable SNMPTRAP Probe.
i. Leave Link Trap Query Disabled
ii. Enable MAC Trap Query
iii. Device Interface should be Gi0
iv. Port 162 leave as default.
Step 5 Click the Save button and make sure your changes were saved successfully.
Step 6 Now go to your pre-configured NAD on ISE to enable SNMP communication: Administration > Network Resources > Network Devices
a. Click on the 3k-access switch
b. In the configuration page enable the SNMP Settings section
c. Expand the setting and select SNMP version 2c
d. Enter ciscoro as the read only community string
e. Verify Link Trap Query is enabled.
f. Verify MAC Trap Query is enabled.
g. Set the polling interval to 600 seconds (LAB USE ONLY !)
h. Leave all other settings the same and click Save.
Note: You can use multiple interfaces to enable the ISE probes. You can also enable ISE Profiling on other Policy Service nodes if you have the proper licensing in place.
Step 7 Enable the Change of Authorization globally for Profiling. This will allow any status changes of a device to be sent to the access device for an endpoint.
a. Go to Administration > System > Settings > Profiling > CoA Type = Reauth
Note: Use caution when enabling this feature when first profiling your devices. The Change of Authorization will occur for all newly profiled devices.
Step 8 To verify the default actions for profiled devices, go to Policy > Policy Elements > Results > Profiling > Exception Actions (Advanced Exception actions will not be covered in this lab.)
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes Exercise Description Configure and verify the ISE probes.
Exercise Objective In this exercise, your goal is to configure and verify your ISE probes are working as advertised.
Lab Exercise Steps Step 1 Console into the 3k-access switch.
Step 2 Enable SNMP on the switch. The relevant configuration on 3k-access is:
snmp-server community ciscoro RO
snmp-server community ciscorw RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.100.21 version 2c ciscoro
Step 3 Turn on SNMP debugging by typing debug snmp packet at the exec prompt on the access switch. If you are using a remote console (SSH/Telnet), also enter terminal monitor so that the debug output is shown in your session.
Step 4 Verify SNMP communication between the ISE node and the switch. You should see SNMP requests arriving at the switch from ISE-1 similar to those shown below, and responses from the switch to the MIB requests from the ISE Profiling Service.
3k-access# debug snmp packet
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
*Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
*Apr 19 13:50:25.758: SNMP: Get-bulk request, reqid 2133241990, nonrptr 0, maxreps 10
system = NULL TYPE/VALUE
*Apr 19 13:50:25.758: SNMP: Response, reqid 2133241990, errstat 0, erridx 0
system.1.0 = Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)
system.2.0 = products.797
sysUpTime.0 = 428342588
system.4.0 =
system.5.0 = 3k-access.demo.local
system.6.0 =
system.7.0 = 6
system.8.0 = 0
sysOREntry.2.1 = cisco.7.129
Step 5 Turn off the SNMP debug by typing no debug all at the exec prompt on the switch.
Step 6 Bring up switchport Gi0/2 by entering no shutdown under the interface in configuration mode.
Step 7 Verify that RADIUS packets are being sent to ISE by entering debug radius authentication from exec mode on the access switch. These are sent when a MAC Authentication Bypass (MAB) session is initiated for a clientless device; the attributes in the request are received by the Profiler RADIUS probe and used to profile the endpoint.
Step 8 You will see output like the following. MAB will take some time to initiate after the 802.1X authentication requests time out.
*Apr 20 14:40:45.339: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
*Apr 20 14:40:45.339: AAA/AUTHEN/8021X (00000011): Pick method list 'default'
*Apr 20 14:40:45.339: RADIUS/ENCODE(00000011):Orig. component type = DOT1X
*Apr 20 14:40:45.339: RADIUS(00000011): Config NAS IP: 0.0.0.0
*Apr 20 14:40:45.339: Getting session id for DOT1X(000
*Apr 20 14:40:45.339: RADIUS/ENCODE(00000011): acct_session_id: 16
*Apr 20 14:40:45.339: RADIUS/ENCODE: Best Local IP-Address 10.1.250.2 for Radius-Server 10.1.100.21
*Apr 20 14:40:45.339: RADIUS(00000011): Send Access-Request to 10.1.100.21:1812 id 1645/56, len 206
*Apr 20 14:40:45.339: RADIUS: authenticator B7 9E 45 1D 55 C4 2F C2 - 4D 15 7F 5C B4 24 5A 60
*Apr 20 14:40:45.339: RADIUS: User-Name [1] 14 "001ee599fc5b"
*Apr 20 14:40:45.339: RADIUS: User-Password [2] 18 *
*Apr 20 14:40:45.339: RADIUS: Service-Type [6] 6 Call Check [10]
*Apr 20 14:40:45.339: RADIUS: Framed-MTU [12] 6 1500
*Apr 20 14:40:45.348: RADIUS: Called-Station-Id [30] 19 "1C-17-D3-43-73-83"
*Apr 20 14:40:45.348: RADIUS: Calling-Station-Id [31] 19 "00-1E-E5-99-FC-5B"
*Apr 20 14:40:45.348: RADIUS: Message-Authenticato[80] 18 3 4F 1C 47 96 7D FA B2 40 F3 6D 62 B5 84 D3 [ OG}@mb]
*Apr 20 14:40:45.348: RADIUS: EAP-Key-Name [102] 2 *
*Apr 20 14:40:45.348: RADIUS: Vendor, Cisco [26] 49
*Apr 20 14:40:45.348: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0164010000000F04A3DB09"
*Apr 20 14:40:45.348: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Apr 20 14:40:45.348: RADIUS: NAS-Port [5] 6 50002
*Apr 20 14:40:45.348: RADIUS: NAS-Port-Id [87] 17 "GigabitEthernet0/2"
*Apr 20 14:40:45.348: RADIUS: NAS-IP-Address [4] 6 10.1.250.2
*Apr 20 14:40:45.348: RADIUS(00000011): Started 5 sec timeout
*Apr 20 14:40:45.599: RADIUS: Received from id 1645/56 10.1.100.21:1812, Access-Accept, len 157
Step 9 Turn off the Radius debug when finished by typing no debug all on the command line.
Step 10 Configure an additional IP helper address pointing to the ISE appliance on interface Vlan10 (Access) and interface Vlan40 (Voice), so that DHCP requests are relayed to the ISE DHCP probe. Example for Vlan10:
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.21
Step 11 Do a shut/no shut on interfaces Gi 0/1 – 8. This retriggers DHCP on the endpoints and sends their DHCP requests to ISE.
Step 12 Go to the Windows 7 PC and reboot it (Start > Shutdown > Restart). This is needed because the VM and the IP phone do not detect the link-state change.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 3: Verify Profiled Endpoints and Probe information Exercise Description
You will verify the profiled endpoints and the information collected by each probe.
Exercise Objective In this exercise, your goal is to correctly identify newly profiled endpoints and their unique attributes collected on the network.
Lab Exercise Steps Step 1 Go to the ISE-1 Home page and look at the “Profiled Endpoints” dashlet to see whether any endpoints are being profiled.
Step 2 Go to Administration > Identity Management > Identities > Endpoints
Step 3 You should now see MAC addresses show up in the Endpoints View
Step 4 Click on one of the endpoints to verify the attribute data received by the probes.
The probe that most recently updated the endpoint is listed as:
EndPointSource = (e.g. SNMPTrap Probe)
Step 5 Go back to Endpoints and click on the Microsoft-Workstation
a. You can verify the DNS probe is working by locating the “host-name” attribute. DNS was set up in the Bootstrap Lab 1.
b. You can also verify the DHCP Probe is working by locating the “dhcp-class-identifier” which was sent by the DHCP request of the Windows Client.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints Exercise Description
In this exercise, your goal is to create Profile and Authorization Policies.
Exercise Objective In this exercise, your goal is to verify your Profiles and Authorization Policies for your Profiled Endpoints by validating the authentication session and its policy.
Lab Exercise Steps Step 1 We now want to create our own profile based on more specific information than the generic “Cisco-Device” profile that some of these endpoints are currently being profiled into.
Step 2 Go to Administration > Identity Management > Identities > Endpoints
a. You should now see a few Endpoints profiled as “Cisco-Device”
b. Click on the MAC address that is connected to port Gi 0/2
c. Under the attribute details, look for information that identifies the device type. You should find it in the cdp attributes collected by the SNMP probe.
d. Write down the cdp Platform information. For example, CIVS-IPC-4500
e. Also note the MAC OUI information = Cisco Systems
Example output below:
Step 3 Go to Policy > Policy Elements > Conditions > Profiling to create a matching rule for the device attribute information to be used in a Profiling Policy.
Step 4 Under Profiling Conditions click Create.
a. Name = cdpIPCAMERA
b. Type = SNMP
c. Attribute Name = cdpCachePlatform
d. Operator = Contains
e. Attribute Value = CIVS-IPC
Step 5 Click Submit.
Note: Cisco OUI Conditions are already created.
Step 6 Now go to Policy > Profiling > Profiling Policies
Step 7 Click Create.
a. Name the Policy = MY_IP_Cameras
b. Policy Enabled = Checked
c. Minimum Certainty Factor = 25
d. Exception Action = None
e. Create Matching Identity Group = Enabled (This will be used later in our Authorization Policy)
f. Parent Policy = None
g. Rules:
i. If Condition Cisco-DeviceRule1Check1 Then Certainty Factor Increases 10
ii. If Condition cdpIPCAMERA Then Certainty Factor Increases 25
Step 8 Click Submit.
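To make the certainty-factor arithmetic in Step 7 concrete, here is a small model of how a profiling policy scores an endpoint. It is an added example, not ISE's own implementation or code from this lab: the Condition and ProfilingPolicy classes, the best_policy helper and the three sample endpoints are constructions for this illustration, the built-in Cisco-Device policy is approximated, and the pre-built Cisco-DeviceRule1Check1 condition is assumed to be OUI CONTAINS Cisco (verify its real definition under Policy > Policy Elements > Conditions > Profiling).

```python
# Added example (not ISE code): a minimal model of ISE Profiler certainty-factor scoring.
# Each rule adds its Certainty Factor when its condition matches; the endpoint is
# assigned to the policy only if the total reaches the policy's Minimum Certainty Factor.
# Attribute names follow the endpoint attribute list shown in the ISE GUI.

OPERATORS = {
    'EQUALS':     lambda actual, expected: actual == expected,
    'CONTAINS':   lambda actual, expected: expected in actual,
    'STARTSWITH': lambda actual, expected: actual.startswith(expected),
}


class Condition:
    def __init__(self, name, attribute, operator, value):
        self.name, self.attribute, self.operator, self.value = name, attribute, operator, value

    def matches(self, endpoint):
        actual = endpoint.get(self.attribute)
        if actual is None:            # attribute never collected by any probe: no match
            return False
        return OPERATORS[self.operator](str(actual), self.value)


class ProfilingPolicy:
    def __init__(self, name, minimum_certainty, rules):
        self.name = name
        self.minimum_certainty = minimum_certainty
        self.rules = rules            # list of (Condition, certainty increase)

    def certainty(self, endpoint):
        return sum(inc for cond, inc in self.rules if cond.matches(endpoint))

    def matches(self, endpoint):
        return self.certainty(endpoint) >= self.minimum_certainty


def best_policy(policies, endpoint):
    """Name of the matching policy with the highest certainty, or None.
    (ISE's tie-breaking and parent/child policy handling are not modelled here.)"""
    best = None
    for p in policies:
        if p.matches(endpoint) and (best is None or p.certainty(endpoint) > best.certainty(endpoint)):
            best = p
    return best.name if best else None


# Conditions from Lab Exercise 4. Cisco-DeviceRule1Check1 is ISE's pre-built OUI check;
# its definition is ASSUMED here to be "OUI CONTAINS Cisco".
CISCO_OUI = Condition('Cisco-DeviceRule1Check1', 'OUI', 'CONTAINS', 'Cisco')
CDP_IP_CAMERA = Condition('cdpIPCAMERA', 'cdpCachePlatform', 'CONTAINS', 'CIVS-IPC')

# Approximation (assumption) of the built-in Cisco-Device policy: OUI alone, minimum 10.
CISCO_DEVICE = ProfilingPolicy('Cisco-Device', 10, [(CISCO_OUI, 10)])
# The policy exactly as built in Step 7: minimum 25, OUI +10, CDP platform +25.
MY_IP_CAMERAS = ProfilingPolicy('MY_IP_Cameras', 25, [(CISCO_OUI, 10), (CDP_IP_CAMERA, 25)])
# Same rules with a minimum of 35, so that BOTH the OUI and the CDP platform must match.
MY_IP_CAMERAS_STRICT = ProfilingPolicy('MY_IP_Cameras_strict', 35, MY_IP_CAMERAS.rules)

# Constructed endpoints (not lab data).
CAMERA = {'MACAddress': '00:1e:e5:99:fc:5b', 'OUI': 'Cisco Systems', 'cdpCachePlatform': 'CIVS-IPC-4500'}
PHONE = {'MACAddress': '1c:17:d3:41:d1:8b', 'OUI': 'Cisco Systems', 'cdpCachePlatform': 'Cisco IP Phone 7965'}
# A non-Cisco host sending a forged CDP frame: CDP is unauthenticated, so any host can claim a platform.
CDP_SPOOFER = {'MACAddress': '00:50:56:a1:b2:c3', 'OUI': 'VMware, Inc.', 'cdpCachePlatform': 'CIVS-IPC-4500'}

if __name__ == '__main__':
    for label, ep in (('camera', CAMERA), ('phone', PHONE), ('cdp spoofer', CDP_SPOOFER)):
        print(f'{label:12s} certainty={MY_IP_CAMERAS.certainty(ep):3d} '
              f'lab policy={MY_IP_CAMERAS.matches(ep)} strict={MY_IP_CAMERAS_STRICT.matches(ep)} '
              f'best={best_policy([CISCO_DEVICE, MY_IP_CAMERAS], ep)}')
```

With the lab's values the cdpIPCAMERA rule alone reaches the minimum of 25, so any endpoint that advertises CIVS-IPC in CDP is profiled as a camera whatever its OUI; a minimum of 35 would require both rules. Neither CDP nor the MAC OUI is authenticated, so a profile is a classification hint rather than proof of identity, and the authorization rule built in Step 11 should grant only what a camera needs.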
Step 9 Go to Administration > Identity Management > Groups > Endpoint Identity Groups and verify the new Identity Group = MY_IP_Cameras
Step 10 Go to Policy > Authorization
Step 11 Create a new Authorization Policy
a. Rule Name = Profiled IP_Cameras
b. Identity Groups = MY_IP_Cameras
c. Other Conditions = None
d. Permissions = PermitAccess
Step 12 Click Save.
Step 13 Verify you have a default Authentication rule for MAB. This is crucial in making sure the MAB authentication is matched and you are using the Internal Endpoints as the Identity store. Profiler Endpoints are stored in this Identity Store.
a. Go to Policy > Authentication:
b. The MAB authentication rule states:
If a Wired_MAB [Radius:Service-Type=10(Call Check) and Radius:NAS-Port-Type=15(Ethernet)] request is matched and has the allowed Protocols defined in the Default Network Access policy, then use Internal Endpoints as the Identity Store.
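The debug radius authentication output in Lab Exercise 2 and the Wired_MAB rule above are the same data seen from the switch side and the ISE side. The script below is an added example, not part of the original lab guide or of ISE: it parses attribute lines in the format the 3k-access switch prints and evaluates the Wired_MAB condition (Service-Type 10 Call Check and NAS-Port-Type 15 Ethernet) against them, then cross-checks that a MAB request carries the MAC address as its User-Name. The sample debug text is constructed to match the exercise's output; the RADIUS attribute names are the real ones, while the function names are this example's own.

```python
import re

# Constructed sample of "debug radius authentication" output in the format the
# 3k-access switch printed in Lab Exercise 2 (values are illustrative, not a live capture).
MAB_DEBUG = """\
*Apr 20 14:40:45.339: RADIUS(00000011): Send Access-Request to 10.1.100.21:1812 id 1645/56, len 206
*Apr 20 14:40:45.339: RADIUS: User-Name [1] 14 "001ee599fc5b"
*Apr 20 14:40:45.339: RADIUS: User-Password [2] 18 *
*Apr 20 14:40:45.339: RADIUS: Service-Type [6] 6 Call Check [10]
*Apr 20 14:40:45.339: RADIUS: Framed-MTU [12] 6 1500
*Apr 20 14:40:45.348: RADIUS: Calling-Station-Id [31] 19 "00-1E-E5-99-FC-5B"
*Apr 20 14:40:45.348: RADIUS: Vendor, Cisco [26] 49
*Apr 20 14:40:45.348: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0164010000000F04A3DB09"
*Apr 20 14:40:45.348: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Apr 20 14:40:45.348: RADIUS: NAS-Port [5] 6 50002
*Apr 20 14:40:45.348: RADIUS: NAS-Port-Id [87] 17 "GigabitEthernet0/2"
*Apr 20 14:40:45.348: RADIUS: NAS-IP-Address [4] 6 10.1.250.2
*Apr 20 14:40:45.599: RADIUS: Received from id 1645/56 10.1.100.21:1812, Access-Accept, len 157
"""

# A wired 802.1X request for contrast (constructed): Service-Type is Framed [2], not Call Check [10].
DOT1X_DEBUG = """\
*Apr 20 14:41:02.100: RADIUS: User-Name [1] 16 "employee1"
*Apr 20 14:41:02.100: RADIUS: Service-Type [6] 6 Framed [2]
*Apr 20 14:41:02.100: RADIUS: Calling-Station-Id [31] 19 "00-50-56-A1-B2-C3"
*Apr 20 14:41:02.100: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Apr 20 14:41:02.100: RADIUS: NAS-Port-Id [87] 17 "GigabitEthernet0/3"
"""

# One attribute per line: "RADIUS: <Name> [<type>] <len> <value>". Names may contain a
# space (Cisco AVpair); the "Vendor, Cisco [26]" wrapper line is deliberately not matched.
ATTR_RE = re.compile(
    r'RADIUS:\s+(?P<name>[A-Za-z][\w-]*(?: [A-Za-z][\w-]*)*?)\s*'
    r'\[(?P<type>\d+)\]\s+(?P<len>\d+)\s+(?P<value>.*)$'
)

SERVICE_TYPE_CALL_CHECK = 10    # Radius:Service-Type sent for MAB
NAS_PORT_TYPE_ETHERNET = 15     # Radius:NAS-Port-Type for a wired port


def parse_value(raw):
    """Quoted strings lose their quotes; enumerations ("Call Check [10]") keep the numeric code."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    enum = re.fullmatch(r'.+?\s*\[(\d+)\]', raw)
    if enum:
        return int(enum.group(1))
    return int(raw) if raw.isdigit() else raw


def parse_radius_attrs(debug_text):
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group('name')] = parse_value(m.group('value'))
    return attrs


def normalize_mac(s):
    """'00-1E-E5-99-FC-5B' or '001ee599fc5b' -> '00:1e:e5:99:fc:5b'; None if not a MAC."""
    digits = re.sub(r'[^0-9A-Fa-f]', '', s).lower()
    if len(digits) != 12:
        return None
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def is_wired_mab(attrs):
    """The Wired_MAB compound condition used by the default MAB authentication rule."""
    return (attrs.get('Service-Type') == SERVICE_TYPE_CALL_CHECK
            and attrs.get('NAS-Port-Type') == NAS_PORT_TYPE_ETHERNET)


def classify_request(debug_text):
    attrs = parse_radius_attrs(debug_text)
    mac = normalize_mac(attrs.get('Calling-Station-Id', ''))
    return {
        'wired_mab': is_wired_mab(attrs),
        'mac': mac,
        'port': attrs.get('NAS-Port-Id'),
        # For MAB the User-Name is the MAC itself; a mismatch with Calling-Station-Id
        # means this is not a well-formed MAB request and deserves a closer look.
        'identity_is_mac': mac is not None and normalize_mac(attrs.get('User-Name', '')) == mac,
    }


if __name__ == '__main__':
    for label, text in (('MAB', MAB_DEBUG), ('802.1X', DOT1X_DEBUG)):
        print(label, classify_request(text))
```

The script answers only whether a request is MAB-shaped. It cannot tell the camera on Gi0/2 from a host that has copied the camera's MAC address, which is why an endpoint authenticated through Internal Endpoints should be authorized with the narrowest permissions the device needs rather than a blanket PermitAccess.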
Step 14 Go to the 3k-access switch and bounce interface Gi0/2 by using shut / no shut
Step 15 Verify the MAB request was successful and the device was authorized under the “Profiled IP_Cameras” Authorization Policy.
a. Go to Monitor > Authentications
Step 16 Click on the details icon to get more detailed information. There are details worth pointing out based on the configurations:
a. Authentication Method = MAB
b. Username = MAC address of your device
c. NAS Port ID = What port the device is connected
d. Service Type = Call Check
e. Identity Store = Internal Endpoints
f. Identity Group = Profiled:MY_IP_Cameras
g. Authorization Policy Matched Rule = Profiled IP Cameras
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 5: Verify the IP Phone default Policy Exercise Description
Verify the IP phone is authorized and active.
Exercise Objective In this exercise, your goal is to verify the IP Phone has been successfully authenticated and authorized by ISE. With ISE there is a pre-configured Authorization Policy for Cisco IP Phones for convenience.
Lab Exercise Steps Step 1 On the 3k-access switch, shut down port Gi0/1 using the shutdown command.
Step 2 Use no shutdown to bounce the link and trigger a new MAB request.
Step 3 Verify on the switch that authentication and authorization were successful:
*Apr 22 15:00:14.654: %AUTHMGR-5-START: Starting 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
*Apr 22 15:00:14.914: %MAB-5-SUCCESS: Authentication successful for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
*Apr 22 15:00:14.914: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
*Apr 22 15:00:15.954: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
Step 4 On the 3k-access switch, enter the command show authentication sessions interface Gi0/1:
3k-access# sh authentication sessions int Gi0/1
Interface: GigabitEthernet0/1
MAC Address: 1c17.d341.d18b
IP Address: Unknown
User-Name: 1C-17-D3-41-D1-8B
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0164010000002A24BB3A47
Acct Session ID: 0x0000002B
Handle: 0x1D00002A
Runnable methods list:
Method State
dot1x Failed over
Step 5 Log into the ISE GUI and verify the authentication. Go to Monitor > Authentications.
Step 6 Click on the MAC address of the IP Phone connected to Gi0/1:
Step 7 Look at the details of the authentication and the authorization result to verify the default permissions.
Step 8 Notice the cisco-av-pair=device-traffic-class=voice attribute, which tells the switch that this MAC belongs in the voice VLAN.
Note: The IP Phone Authorization Profile details can be found here: Policy > Policy Elements > Results > Authorization Profiles > Cisco_IP_Phones
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 6: Profiler Logging and Reporting Exercise Description
Understand the Profiler's logging and reporting capabilities.
Exercise Objective In this exercise you will enable debug logging and generate a Profiled Endpoint report.
Lab Exercise Steps Step 1 You can create different Endpoint reports from Profiling.
a. Go to Monitor > Reports > Catalog > Endpoint
b. Click on the Endpoint Profiler Summary
c. You can run the report for a window from the last 30 minutes up to the last 30 days.
Step 2 The output lists the endpoints logged for the period and the policy each endpoint has been profiled into.
Step 3 You can enable Profiler Log collection to Debug for advanced troubleshooting
a. Go to Administration > System > Logging > Debug Log Configuration
b. Select ise-1 in the right pane.
c. Scroll down the list and click on the Profiler radio button.
d. Click on current log setting to display a drop-down list.
e. Set the Log setting to DEBUG.
f. Click Save.
Step 4 To display the debug logs go to Monitor > Troubleshoot > Download Logs > ISE-1
Under the Debug log type select profiler.log
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Appendix: Additional Resources
SNMP Attributes
MAC Notification:
• MacStatus
• Vlan
• MACAddress
• dot1dBasePort
• MoveFromPort (for MAC move notification)
• MoveToPort (for MAC move notification)
• Timestamp
Link Notification:
• ifIndex
• ifAdminStatus
• ifOperStatus
• ifDescr
• ifType
• ifSpeed
• ifPhysAddress
Switch Information MIB walk:
• Switch IP Address/Subnet
• Switch Description if available
• sysUpTime
• sysContact
• sysName
• sysLocation
• Switch ifIndex
• All portIfIndex
• Configured Vlan information (VLAN state, name, port, ifIndex)
CDP Information
• cdpCacheVersion
• cdpCacheNativeVLAN
• cdpCacheDevicePort
• MACAddress
• cdpCacheLastChange
• cdpCacheAddressType
• cdpCacheDeviceId
• cdpCacheAddress
• cdpCachePlatform
• cdpCacheCapabilities
• cdpCacheDuplex
CISCO-AUTH-FRAMEWORK-MIB
• cafSessionAuthorizedBy
• cafSessionAuthUserName
• cafSessionAuthVlan
• cafSessionClientMacAddress
• cafSessionDomain
• cafSessionStatus
• VlanName
DHCP Attributes Any attribute parsed out of the DHCP traffic will be mapped into an endpoint attribute. For a list of possible attributes see:
http://www.iana.org/assignments/bootp-dhcp-parameters/
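The dhcp-class-identifier and host-name attributes checked in Lab Exercise 3, Step 5, and the option-to-attribute mapping described just above, come from parsing the DHCP packet that the ip helper-address configured in Lab Exercise 2 relays to the probe. The parser below is an added example, not ISE code: it extracts those options from a DHCP packet and names them the way the ISE endpoint view does (option 60 as dhcp-class-identifier, option 50 as dhcp-requested-address, option 12 as host-name). The packet is constructed inline by build_dhcp_request to resemble a Windows client's DHCPREQUEST; it is not a capture from the lab, and the function names are this example's own.

```python
import socket
import struct

# Added example (not ISE code): parse the DHCP fields the ISE DHCP probe turns into
# endpoint attributes. The packet used for the demonstration is constructed below.

DHCP_MAGIC = b'\x63\x82\x53\x63'
BOOTP_HEADER = '!BBBBIHH4s4s4s4s16s64s128s'    # 236-byte fixed BOOTP header (RFC 2131)

# DHCP option code -> attribute name as shown in the ISE endpoint attribute list
OPTION_NAMES = {
    12: 'host-name',
    50: 'dhcp-requested-address',
    53: 'dhcp-message-type',
    55: 'dhcp-parameter-request-list',
    60: 'dhcp-class-identifier',
    61: 'dhcp-client-identifier',
}
MESSAGE_TYPES = {1: 'DHCPDISCOVER', 2: 'DHCPOFFER', 3: 'DHCPREQUEST', 5: 'DHCPACK',
                 7: 'DHCPRELEASE', 8: 'DHCPINFORM'}


def mac_str(raw):
    return ':'.join(f'{b:02x}' for b in raw)


def build_dhcp_request(mac, hostname, requested_ip, class_id, prl):
    """Construct a minimal DHCPREQUEST (BOOTP header + options) for exercising the parser."""
    hw = bytes.fromhex(mac.replace(':', ''))
    header = struct.pack(BOOTP_HEADER, 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b'\0' * 4, b'\0' * 4, b'\0' * 4, b'\0' * 4,
                         hw.ljust(16, b'\0'), b'\0' * 64, b'\0' * 128)
    name, cid = hostname.encode(), class_id.encode()
    options = (bytes([53, 1, 3])                          # message type: DHCPREQUEST
               + bytes([61, 1 + len(hw), 1]) + hw        # client identifier: htype 1 + MAC
               + bytes([50, 4]) + socket.inet_aton(requested_ip)
               + bytes([12, len(name)]) + name
               + bytes([60, len(cid)]) + cid
               + bytes([55, len(prl)]) + bytes(prl)
               + b'\xff')                                # end option
    return header + DHCP_MAGIC + options


def decode_option(code, data):
    if code in (12, 60):
        return data.decode('ascii', errors='replace')
    if code == 50:
        if len(data) != 4:
            raise ValueError('option 50 must be 4 bytes')
        return socket.inet_ntoa(data)
    if code == 53:
        return MESSAGE_TYPES.get(data[0], str(data[0])) if data else ''
    if code == 55:
        return ','.join(str(b) for b in data)            # the order is what fingerprints the OS
    if code == 61:
        if len(data) == 7 and data[0] == 1:
            return mac_str(data[1:])
        return data.hex()
    return data.hex()


def parse_dhcp(packet):
    """Return the ISE-style endpoint attributes carried by one DHCP packet."""
    fixed = struct.calcsize(BOOTP_HEADER)
    if len(packet) < fixed + 4 or packet[fixed:fixed + 4] != DHCP_MAGIC:
        raise ValueError('not a DHCP packet (bad length or magic cookie)')
    hlen = packet[2]
    if hlen > 16:
        raise ValueError('invalid hlen')
    attrs = {'MACAddress': mac_str(packet[28:28 + hlen])}   # chaddr starts at offset 28
    i = fixed + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                                     # pad
            i += 1
            continue
        if code == 255:                                   # end
            break
        if i + 1 >= len(packet):
            raise ValueError('truncated option header')
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:                           # length runs past the buffer
            raise ValueError(f'truncated option {code}')
        i += 2 + length
        name = OPTION_NAMES.get(code)
        if name is not None:
            attrs[name] = decode_option(code, data)
    return attrs


def is_well_formed(packet):
    try:
        parse_dhcp(packet)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    pkt = build_dhcp_request('00:50:56:a1:b2:c3', 'WIN7-PC', '10.1.10.50', 'MSFT 5.0',
                             [1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43])
    for k, v in parse_dhcp(pkt).items():
        print(f'{k} = {v}')
```

Every field the parser returns is chosen by the client, so these attributes are fingerprints rather than evidence of identity: a host can send any host-name or class identifier it likes, which is why DHCP-derived profiling conditions should carry a modest certainty factor. The parser also rejects packets without the magic cookie and options whose declared length runs past the end of the buffer, a check any probe that reads raw relayed packets has to make before trusting the data.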
HTTP User Agent
The browser user agent as well as any http attributes present will be captured and added to the endpoint to add to the profiling capability. For a full list of possible attributes see:
http://www.rfc-editor.org/rfc/rfc2616.txt
DNS Probe
Upon endpoint creation, a DNS lookup is attempted to determine the endpoint's FQDN, and the result is added to the endpoint as a new FQDN attribute. The reverse DNS lookup is performed only when the endpoint, as detected by the DHCP, RADIUS, SNMP or HTTP probes, carries one of the following IP address attributes. This means that, for the DNS lookup to work, at least one of the following probes must be running along with the DNS probe:
• DHCP IP Helper, DHCP Span – “dhcp-requested-address”
• Radius Probe – “Framed-IP-Address”
• SNMP Probe – “cdpCacheAddress”
• HTTP Probe – “Source IP”
Radius Attributes
RADIUS attributes from both the request and the response are collected and assigned to endpoints. For a list of RADIUS attributes, see the RFCs referenced at http://en.wikipedia.org/wiki/RADIUS.
Netflow Attributes
All attributes sent through NetFlow are collected. Please consult http://www.faqs.org/rfcs/rfc3954.html for details on NetFlow attributes. Here is a sample:
• IN_BYTES
• IN_PKTS
• FLOWS
• PROTOCOL
• TOS
• TCP_FLAGS
• L4_SRC_PORT
• IPV4_SRC_ADDR
• SRC_MASK
• L4_DST_PORT
• IPV4_DST_ADDR
• DST_MASK
• IPV4_NEXT_HOP
• LAST_SWITCHED
• FIRST_SWITCHED
• OUT_BYTES
• OUT_PKTS
• IPV6_SRC_ADDR
• IPV6_DST_ADDR
• IPV6_SRC_MASK
• IPV6_DST_MASK
• IPV6_FLOW_LABEL
• ICMP_TYPE
• DST_TOS
• SRC_MAC
• DST_MAC
• SRC_VLAN
• DST_VLAN
• IP_PROTOCOL_VERSION
• DIRECTION
End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.