lab3-cciesecv4-questionset

CCIE QUESTION SET LAB 3 REAL LABS
www.cciesecuritylabs.com


CCIESECURITYLABS.COM First Release 5-Aug-2013

CCIESECURITYLABS.COM CCIESECURITYLABS.COM

Initial Guidelines

1. Read all of the questions in a section before you start the configuration. It is even recommended that you read the entire lab exam before you proceed with any configuration.

2. Exam questions have dependencies on one another. Read through the entire workbook to help identify these questions and the best order of configuration. Sections do not have to be completed in the order presented in the workbook.

3. Most questions include verification output that can be used to check your solutions.

Highlighted sections in the verification output MUST be matched to ensure correctness.

4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware issues in your equipment, contact the onsite lab proctor as soon as possible.

5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.

6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.

7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.

8. You will be presented with preconfigured routers and switches in your topology. The routers and switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP, VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the preconfiguration at any time, unless the change is specified in a question.

9. Throughout the exam, assume these values for variables if required:

- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11

- SS is your Site ID for the lab exam location. Read the next page for your location.

- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are instructed to do so.

- X is your router number. For example, the value of X for Router 1 is 1, for Switch 1 & 2 is 7 & 8 respectively


- Z is any number.

10. You are allowed to add static and default routes (if required) on any device.

11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure that the additional addressing does not conflict with a network that is already used in your topology. The preconfigured routing protocols are shown in the Lab Routing Diagram.

12. Full access to the VMWare ESXi Server from your workstation is provided. Use the username admin and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS, Test-PC and Cisco ISEs as required in the question.

13. All device names, access information and username/password combinations are summarized on the following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0

Hardware
• Cisco 3800 Series Integrated Services Routers (ISR)
• Cisco 1800 Series Integrated Services Routers (ISR)
• Cisco 2900 Series Integrated Services Routers (ISR G2)
• Cisco Catalyst 3560-24TS Series Switches
• Cisco Catalyst 3750-X Series Switches
• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
• Cisco IPS Series 4200 Intrusion Prevention System sensors
• Cisco S-series Web Security Appliance
• Cisco ISE 3300 Series Identity Services Engine
• Cisco WLC 2500 Series Wireless LAN Controller
• Cisco Aironet 1200 Series Wireless Access Point
• Cisco IP Phone 7900 Series*
• Cisco Secure Access Control System

Notes: The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools.
*Device Authentication only, provisioning of IP phones is NOT required.

Software Versions
• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
• Cisco IPS Software Release 7.x
• Cisco VPN Client Software for Windows, Release 5.x
• Cisco Secure ACS System software version 5.3x
• Cisco WLC 2500 Series software 7.2x
• Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
• Cisco WSA S-series software version 7.1x
• Cisco ISE 3300 series software version 1.1x
• Cisco NAC Posture Agent v4.X
• Cisco AnyConnect Client v3.0X


Summary of Username and Password for all devices

Device        Username   Password
Router        cisco      Cisco
Switches      cisco      Cisco
IPS           cisco      123cisco123
WSA           admin      ironport
WLC           cisco      Cisco123
AP            ciscoAP    CCie123
ESXi Server   admin      Cisco
ISE           admin      Cisco123
ACS           admin      Cisco123
ASA           admin      cisco
Test-PC       Test-PC    Cisc0123


Topology 1: Test PC and Vmware ESXI server

Topology 2: Local Candidate PC


Topology 3: Switch Cabling


Topology 4 : layer 2

To be attached soon...


Topology 5 : LOGICAL



OUR CCIE SECURITY ENGINEERS ARE AVAILABLE ON GOOGLE TALK CHAT for support on any questions related to our workbooks at ([email protected])

YOUR GATEWAY TO SUCCESS TOWARDS CCIE LAB

ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS

KINDLY VISIT FOR FURTHER INFORMATION

CCIE R&S ----> WWW.CCIERNSLABS.COM

CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM

CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM

CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM

CCIE VOICE ----> WWW.CCIEVOICELABS.COM

KINDLY CONTACT US AT [email protected] FOR FURTHER INFORMATION ON OTHER TRACKS

Launched !!!

CCIE COLLABORATIONS -----> WWW.CCIECOLLABORATIONLABS.COM


SECTION I – PERIMETER SECURITY

1.1 Configure routing and Basic Access on ASA1

Complete each task to provide basic connectivity and routing capabilities on ASA3.

1) ASA3 should be in single-context routed mode and configured using the information in the table below:

Interface   Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/0      outside   3              0           7.7.3.10/24
Gi 0/1      inside    4              100         7.7.4.10/24
Gi 0/2      dmz       8              50          7.7.8.12/24

Use exact names and numbers as shown in the table.

2) Add static routes as follows:

Interface   Network                     Next Hop
inside      Configure a Default Route   7.7.4.1
dmz         7.7.11.0/24                 7.7.8.3

3) Configure NTP

ASA3 should use SW1 as its time source. Verify your solution by successfully pinging the following:

R3#ping 7.7.8.3

R3#ping 150.1.7.20

R3#ping 7.7.19.1

R3#ping 7.7.4.1


1.2 Configure ASA3 in Multi-Context Firewall Mode

Part A: Initialize ASA1

ASA1 must be configured as a multi-context firewall.

Use the following outputs to complete the initial configuration.

Context details

Name    Config URL
C1      C1.cfg
C2      C2.cfg
Admin   Admin.cfg

The config-url files should be saved on disk0:

You can permit ICMP traffic from any to any on both contexts.

You can modify the Catalyst switch configuration to complete this task.

When the task is completed, ensure that you are able to ping all major subnets within your network, including ISE1 (150.1.7.20).

Use exact names and numbers as shown in the table

Context “c1” initialization details:

Interface   Type         Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/2      Not Shared   inside    3              100         7.7.3.10/24
Gi 0/0      Not Shared   outside   33             0           7.7.33.10/24

Context “c1” routing configuration details:

Interface   Network      Next Hop
inside      0.0.0.0/0    7.7.3.8
outside     7.7.0.0/16   7.7.55.3


Context “c2” initialization details:

Interface   Type     Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/3      Shared   Inside    8              100         7.7.8.10/24
Gi 0/1      Shared   Outside   5              0           7.7.5.10/24

Context “c2” routing configuration details:

Interface   Network      Next Hop
Inside      7.7.0.0/16   7.7.8.12
outside     0.0.0.0      7.7.5.3

1.3 Configure Active-Active failover between ASA1 and ASA2

- Configure LAN-based Multi-Context active-active failover on ASA1 and ASA2

- Use GigabitEthernet 0/4 in VLAN 100 on SW2 for the failover.

- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby

- Enable stateful failover using the failover interface GigabitEthernet 0/4

- Use all other parameters accordingly to achieve this task


Your output must match all parameters highlighted below:

ASA2# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet4 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.6, Mate 8.6
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007

  This host: Primary
  Group 1 State: Active
          Active time: 359610 (sec)
  Group 2 State: Standby Ready
          Active time: 3165 (sec)

    context1 Interface inside (7.7.3.10): Normal
    context1 Interface outside (7.7.33.10): Normal
    context2 Interface inside (7.7.8.11): Normal
    context2 Interface outside (7.7.5.11): Normal

  Other host: Secondary
  Group 1 State: Standby Ready
          Active time: 0 (sec)
  Group 2 State: Active
          Active time: 3900 (sec)

    context1 Interface inside (7.7.3.11): Normal
    context1 Interface outside (7.7.33.11): Normal
    context2 Interface inside (7.7.8.10): Normal
    context2 Interface outside (4.4.5.10): Normal
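One way to build the active-active failover of task 1.3, added here as an illustration and not the workbook's own solution. The commands go in the system execution space of the primary unit; the context names C1/C2 come from task 1.2, and the assumption that group 1 belongs to the primary and group 2 to the secondary follows the required show output.

```cisco
! System execution space, primary unit (ASA1). ASA2 uses "failover lan unit secondary"
! with the same lan/link/ip commands, then "failover" once ASA1 has been enabled.
failover lan unit primary
failover lan interface fover GigabitEthernet0/4
! Stateful replication shares the LAN failover link (no separate state interface)
failover link fover GigabitEthernet0/4
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
! Timers matching the required "show failover" output (15/45 unit, 5/25 interface)
failover polltime unit 15 holdtime 45
failover polltime interface 5 holdtime 25
! Two failover groups: group 1 prefers the primary unit, group 2 the secondary
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
! Each context joins a group (context names from task 1.2)
context C1
 join-failover-group 1
context C2
 join-failover-group 2
! Enable failover on the primary first, then on the secondary
failover
```

Inside each context every interface also needs a standby address (for example `ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11`), otherwise interface health monitoring cannot test it and the show output will not list it as Normal.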


1.4 Initialize and Configure ASA4

ASA4 is to be deployed between R3 and SW6. Configure it by completing the tasks below.

1) ASA4 should be in single-context routed mode and configured using the information in the table below:

Interface   Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/3      inside    99             100         7.7.99.10/24
Gi 0/0      outside   14             0           7.7.14.10/24
Gi 0/2      backup    15             0           7.7.15.10/24

2) Configure a Secured OSPF process 1

Configure OSPF area 1 to establish neighborship

Assign network 7.7.99.0 to area 1

Assign network 7.7.14.0 to area 0

Make sure the default route originated from R6 is installed in the routing table.

Ensure that networks 10.10.110.0/24 and 10.10.120.0/24 (SW6) are added to the routing table on ASA4 but are not propagated into area 0.

Verify by checking the routing table on R3.

3) Configure SLA monitor

If traffic destined for network 150.1.7.0/24 via the outside interface does not have reachability to 7.7.6.6, then the traffic should be diverted via the backup interface. Configure a max-timeout of 2 seconds.


1.5 Configure NAT

1) Configure NAT on the Cisco ASA4 firewall using the following information

NAT control is required.

Ensure that all packets sourced from 10.10.110.10 and 10.10.120.10 are translated to the Outside/Backup interface (whichever is UP) in order to pass through the ASA. However, packets sourced from 7.7.0.0/16 and destined to 7.7.0.0/16 and 150.1.0.0/16 should not be translated.

Verify your solution using the packet-tracer command.

2) Configure Static Port Mapping on ASA3 using the following information

SW1 is hosting HTTP and TELNET on 20.20.20.1 (loopback 1).

Using static port mapping, translate 20.20.20.1 to 7.7.8.20 for HTTP traffic arriving from the dmz interface, and translate 20.20.20.1 to 7.7.3.20 for TELNET traffic arriving from the outside interface.

Verify your solution using the packet-tracer command.
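Both NAT tasks of 1.5, worked as one added configuration that is not the workbook's solution. It uses the pre-8.3 syntax because `nat-control` only exists on ASA 8.2; for ASA3 the assumption is that SW1's loopback 20.20.20.1 is reached through the inside interface, and the packet-tracer source addresses are constructed for the test.

```cisco
! ===== ASA4 (task 1.5.1, ASA 8.2 syntax) =====
! With nat-control, inside->outside traffic matching no NAT rule is dropped,
! so the exemption below is what keeps the untranslated 7.7.0.0/16 flows working.
nat-control
! Identity NAT (exemption): never translate 7.7.0.0/16 -> 7.7.0.0/16 or 150.1.0.0/16
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 7.7.0.0 255.255.0.0
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 150.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
! Only the two SW6 hosts are eligible for PAT
nat (inside) 1 10.10.110.10 255.255.255.255
nat (inside) 1 10.10.120.10 255.255.255.255
! A global on each candidate egress interface; routing (with the SLA track from
! task 1.4) decides which one is used, so the PAT follows the live path
global (outside) 1 interface
global (backup) 1 interface
! Verify: the first trace is translated, the second is exempted
packet-tracer input inside icmp 10.10.110.10 8 0 150.1.7.100
packet-tracer input inside icmp 7.7.99.1 8 0 150.1.7.100

! ===== ASA3 (task 1.5.2, ASA 8.2 syntax) =====
! Static port mapping exposes exactly one port per mapped address
static (inside,dmz) tcp 7.7.8.20 www 20.20.20.1 www netmask 255.255.255.255
static (inside,outside) tcp 7.7.3.20 telnet 20.20.20.1 telnet netmask 255.255.255.255
! Pre-8.3 ACLs reference the mapped (translated) address, and only the mapped port
access-list DMZ-IN extended permit tcp any host 7.7.8.20 eq www
access-group DMZ-IN in interface dmz
access-list OUTSIDE-IN extended permit tcp any host 7.7.3.20 eq telnet
access-group OUTSIDE-IN in interface outside
! Verify from each lower-security interface (constructed source addresses)
packet-tracer input dmz tcp 7.7.8.3 1025 7.7.8.20 80
packet-tracer input outside tcp 7.7.3.8 1025 7.7.3.20 23
```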

1.6 Configure Zone-Based Firewall (Class-Based Access List)

There is a zone-based firewall (R3) between R4 and R5.

Create the necessary zones and ensure the following conditions are met:

- Ensure OSPF traffic is not affected

- Network 7.7.2.0 is on the outside interface

- Ensure ICMP and Telnet traffic is inspected and allowed from the outside interface

- The class-default statistics should be referred to when verifying your solution.


SECTION II. IPS and Context security

2.1 – Initialize the Cisco IPS Sensor Appliance

Initialize the Cisco IPS Sensor appliance as follows:

Parameters          Settings
Hostname            IPS
Management          Configure the Command and Control Management 0/0 interface in vlan 4
Sensor IP Address   7.7.4.100/24
Default Gateway     7.7.4.1
Sensor ACL          7.7.0.0/16, 151.ss.1.0/24, 150.1.7.0/24
Telnet              Enable telnet Management
Auto IP Logging     Enable ip Logging on sig0, Log 200 pkts, log time 30 secs, log bytes 5024

The username and password for the Cisco IPS console are cisco and 123cisco123. DO NOT CHANGE THEM.

Use the console to initialize the Cisco IPS sensor appliance using the details in this table. Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram).

You can modify the Cisco Catalyst switches' configuration if required.

Create the following users in IPS:

Account Type   Username   Password
Admin          wlc        Cisco123
Service        monitor    test123

Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC:

IPS# ping 7.7.4.1

IPS# ping 150.1.7.100

Ensure that the following ping and telnet connections are successful from SW1:

SW1# ping 7.7.4.100

SW1# telnet 7.7.4.100


2.2 Deploy the Cisco IPS Sensor Using an In-line VLAN Pair

Configure the Cisco IPS appliance using these guidelines:

I) The G0/0 port connected to SW5 should be in promiscuous mode using virtual sensor vs0

II) Configure the interface pairing as shown in the Lab Topology diagram and assign vs2

Parameters   Settings
Interface    Gig 0/2 & Gig 0/3
Vlan         Vlan 33 & Vlan 55

You are allowed to modify the switch parameters as appropriate to achieve this task. Refer to the lab diagram for the required information.

You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing configuration to ensure that this works.

Ensure that the sensor is passing traffic successfully.

For testing, ensure that this ping from R6 is passing through the sensor, with the packets being displayed on the sensor console:

IPS# packet display gigabitethernet0/0

R6#ping 7.7.4.1

However, ensure that this ping from R6 is not passing through the sensor:

IPS# packet display gigabitethernet0/0

R6#ping 7.7.8.3


2.3 Implement custom signatures on the Cisco IPS sensor

A custom signature 60000 is required on the Cisco IPS sensor as follows; assign it to vs2.

Parameters             Settings
Trigger                Whenever it detects a tacacs+ packet sourced from the 192.168.0.0/16 network
Action                 Produce verbose Alert
Alert-severity         High
Signature-Definition   0

Verify using the following command:

R6# test aaa group tacas cisco cisco legacy.


2.4 Initialize the Cisco WSA and Enable WCCP Support

The Cisco WSA has been initialized with the IP address 7.7.4.150 and is connected via SW1 in VLAN 4.

Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.

Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport

Initialize the Cisco WSA appliance as follows using the system setup wizard:

Parameters              Settings
Hostname                Wsa.cisco.com
Interface               M1 to be used for Management
IP Address              7.7.4.150/24
Default Gateway         7.7.4.1
System Information      Admin:ironport, [email protected], time:US/America/LA
NTP Server              7.7.4.1
DNS                     150.1.7.10
L4 Traffic Monitoring   Duplex: T1 (in/out)

Accept all other defaults.

From ASA/c2, verify that you can ping M1 interface of WSA:

ASA3/c2(config)# ping 7.7.4.150

Configure WCCP redirect from the inside interface of ASA3/c2 to WSA using:

Redirect-list: HTTP and HTTPS traffic from vlan 150

Group-list to limit redirections to the WSA only

Service-group must be in the appropriate range

Note: You can use any names for your redirect-list and group-list.

Be sure to use a service-group. Do not use the default web-cache.


You may have to reboot the WSA after configuring WCCP if the ASA reports the following event in its logs:

WCCP-EVNT: D90: Here_I_Am packet from 7.7.4.150 ignored: bad web-cache id.

Use the following to verify your solution from the Test-PC, and then check HTTP requests on R3 for the address of the WSA:
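The WCCP redirect of task 2.4 on ASA3/c2, as an added example rather than the workbook's own answer. The subnet 7.7.150.0/24 for VLAN 150 is an assumption, since the page does not give it; the service-group number 90 is one valid dynamic value.

```cisco
! ASA3, context c2 (ASA 8.x). 7.7.150.0/24 is an assumed subnet for VLAN 150.
! Redirect-list: only HTTP and HTTPS from VLAN 150 are sent to the WSA
access-list WCCP-REDIRECT extended permit tcp 7.7.150.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT extended permit tcp 7.7.150.0 255.255.255.0 any eq https
! Group-list: only the WSA may register as a cache engine; a Here_I_Am from any
! other host is ignored, so a rogue box cannot pull the redirected web traffic
access-list WCCP-GROUP extended permit ip host 7.7.4.150 any
! Dynamic service group 90 (not the standard "web-cache" group, which is HTTP-only)
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-GROUP
! Redirection is applied to traffic entering the inside interface
wccp interface inside 90 redirect in
! Verification: service group state and the registered cache engine
show wccp
show wccp 90 view
```

On the WSA, the transparent-redirection service must define the same service ID 90 with ports 80 and 443 (and the same password, if one is set), and the ASA must reach 7.7.4.150 through the inside interface, because it only redirects to a cache behind the interface where `redirect in` is applied.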


SECTION III – Secure Access

3.1 Troubleshooting Site to Site IKEv2 IPSEC VPN

Complete the configuration of an IKEv2 tunnel between R6 and ASA3.

R6 has been partially configured and will indicate the policy parameters to use.

Ensure that traffic from 192.168.6.6 (lo) on R6 is able to reach 20.20.20.1 (lo) on SW1.

There are faults on R6 and ASA3 that must be corrected to complete this question.

Verify using the following:

R6# show crypto ikev2 sa

ASA3# show vpn-sessiondb detail l2l

3.2 Troubleshooting VRF aware GET VPN

Troubleshoot the GET VPN solution for traffic traversing between the 10.10.x.0/24 networks (loopbacks of R1, R4 and R5). R2 must be used as the key server, and R1, R4 and R5 are group members.

Verify using the following commands:

R2# sh crypto gdoi group GETVPN

R2# sh crypto gdoi ks policy

R2# sh crypto gdoi ks members

R2# sh crypto isakmp sa

R2# sh crypto ipsec sa

R4# sh crypto gdoi gm


R4# sh crypto gdoi gm acl

R4# sh crypto gdoi gm rekey

R4# sh crypto gdoi group GETVPN

3.3 Configure Features on the Cisco WLC

Configure WLANs for Admin and Guest using the information below:

Parameters             Guest                Admin
Vlan                   120                  110
SSID                   guest                admin
Authentication         Web Authentication   wpa2 + dot1x
Interface Name         dynint2              dynint1
IP Address             10.10.120.2          10.10.110.2
Subnet                 /24                  /24
Gateway                10.10.120.1          10.10.110.1
Local Authentication   Yes
Username               guest
Password               Cisco123
WLAN ID                12                   11


SECTION IV. System Hardening and Availability

4.1 Configure Secure OSPF Process

Configure MD5 authentication for area 1 to protect routing information.

Ensure that cisco is used as the authentication key between the devices in area 1.

4.2 Configure Remote Switched Port Analyzer (RSPAN)

Configure SLA Monitor on SW5 such that it duplicates the packets arriving on the ports below and sends them to the promiscuous port G0/0 of the IPS.

Source Ports on SW6 = G1/0/1 G1/0/2 and G1/0/5

Destination Ports = G1/0/1

Remote Vlan = Vlan 10

Verify using the below command

IPS# packet display gig 0/0


SECTION V. Threat Identification and Mitigation

5.1 Secure DHCP Environment

Implement a security feature to protect DHCP traffic without using DHCP snooping.

Restrict ports f0/2 and f0/3 on SW3, connected to R4 and R5 respectively, from untrusted traffic.

5.2 Configure WLAN Security

Configure WLAN security on the WLC in collaboration with the Cisco IPS.

The WLC should store the shun-list from the IPS.

When a WLAN client matches a source IP address on the list, network access for that client should automatically be discontinued.

Use the following information for configuring the WLAN Security

1) IP address (7.7.4.150) of the IPS to be configured in WLC

2) WLC username and password (wlc/Cisco123) to be configured in IPS

3) IP Address List (SHUN-LIST)

• 10.20.203.33

• 10.20.203.101


SECTION VI. Identity Management

6.1 Configure Support for MAB/802.1X for Voice and Data VLANs

The Cisco IP Phone is connected to interface g1/0/1 on SW6. It receives an IP address via DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).

The requirement is to add security to this connection through authentication and authorization on SW6 (RADIUS source interface 7.7.99.1/VLAN99) and ISE1 (150.1.7.20), using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to move the phone into the voice VLAN.

Use the following information to complete this task:

- Create an Endpoint Identity for the IP Phone in your Rack on ISE1 (150.1.7.20)

- Verify that you have an authentication rule for MAB on the Cisco ISE.

- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a permit on all traffic on ISE1.

- Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)

- Voice VLAN will support MAB for authentication

- Data VLAN will provide support for the Test-PC that must connect through the Phone using 802.1X.

- SW6 must attempt a MAB authentication first after learning the MAC address of an Endpoint. If MAB is not successful, 802.1X endpoints should be allowed to connect.


The following output should be used to verify your solution.

The Test-PC must be allowed to connect through the authenticated Cisco IP Phone.

1. SW6 G1/0/1 should have been configured to support a voice & data VLAN

2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1 using the following information:


Attribute           Value
Group Name          Test-PC_Group
Username/Password   Test-PC/Cisc0123
Access Type         Access_Accept
Common Tasks
DACL Name           DATA_VLAN_DACL
DACL Policy         Permit ip any any
Vlan                99

The following output should be used for verification
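The SW6 side of task 6.1, as an added example that is not the workbook's solution: MAB is attempted first, 802.1X is tried on MAB failure, and a single phone plus a single PC are authorized per port. The RADIUS shared secret is an assumed value and must match what is configured for SW6 on ISE1.

```cisco
! SW6 (IOS 15.x). The RADIUS key "cisco123" is an assumed value; it must match ISE1.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco123
! Cisco AV-pairs (device-traffic-class=voice, dACL names) travel as vendor-specific attributes
radius-server vsa send authentication
ip radius source-interface Vlan99
! Downloadable ACLs are bound to the client IP, so the switch must learn it
ip device tracking
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
! Multi-domain: exactly one device in the voice domain and one in the data domain
 authentication host-mode multi-domain
! MAB runs first; on an Access-Reject the port moves on to 802.1X
 authentication order mab dot1x
 authentication event fail action next-method
! A MAB-authorized device is still superseded by 802.1X if the client sends EAPOL
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

ISE1's Cisco IP Phones authorization profile has to return device-traffic-class=voice for the phone to land in VLAN 9; the Test-PC profile from the table returns DATA_VLAN_DACL and VLAN 99, which `show authentication sessions interface gigabitethernet1/0/1` will list per domain.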


6.2 Configure Central Web Authentication With Wired Clients

The Test-PC connected to the IP Phone should be able to access the web proxy authentication server at 7.7.15.3.

In this question you are required to configure port g1/0/1 to use web authentication as a fallback mechanism upon Dot1x/MAB authentication failure.

Use the information below to complete the question:

1. Create an identity on ISE1 with the name guest and password cisco that will be used for authentication and mapped to an authorization policy.


2. Configure an Authorization Profile and Authorization Policy rule as follows

Parameters         Settings
Name               Guest
Description        Permit Guest User
Access Type        Access_Accept
Common Tasks       Web Authentication: Centralized
ACL                Web-Auth
DACL Name          Guest_DACL
DACL Policy        Permit HTTP/HTTPS and DOMAIN

3. Configure SW6 G1/0/1 for web authentication support, which will enable the Test-PC to authenticate via the centralized web authentication server and receive an authorization policy.

Verify your solution by disabling dot1x authentication on the Test-PC, authenticating via the centralized web authentication server, and matching the output below.

SW6# show authentication session interface gig1/0/1



Thank You for using cciesecuritylabs workbooks.