******************************************
Web Security Appliance (WSA)
******************************************

=============================================================
Lab # 1 - Basic CLI Initialization
=============================================================

Default username/password : admin/ironport

resetconfig - Sets the WSA to factory default

------------------------------------------------------------------------------------
Interfaceconfig
------------------------------------------------------------------------------------
-> Edit
-> 1 [Management Interface]
-> IP Address : 192.1.200.50
-> Subnet Mask : 255.255.255.0
-> Hostname : wsa.kbits.in
-> FTP : Y
-> SSH : Y
-> HTTP : Y : 8080
-> HTTPS : Y : 8443
-> Demo Certificate : Yes
-> Redirection : Yes
-> Acknowledge the change : Yes
-> Enter to get back to the prompt
-> Setgateway : 192.1.200.2
-> commit
-> Enter for Blank Comment

Note: In Eve-NG, reboot the device and install the license.

=============================================================
Lab # 2 - Initializing the WSA from GUI
=============================================================

------------------------------------------------------------------------------------
- Initializing the WSA from GUI
------------------------------------------------------------------------------------
-> Browse to the WSA on the Management interface [https://192.1.200.50:8443]
-> Username : admin
-> Password : ironport
-> System Administration -> System Setup Wizard
-> System Name : wsa.kbits.in
-> DNS Server : 192.1.200.2
-> Proxy Server : No
-> Management Interface IP : 192.1.200.50/24 ; Hostname : wsa.kbits.in
-> Default Gateway : 192.1.200.2
-> Transparent Redirection : Skip for right now
-> Admin Password : ironport
-> System Alerts E-mail : kb@kbits.live
-> SMTP Server : 192.1.200.25
-> Take the defaults for the rest
-> Install the Configuration

Note: You will lose the Web Page. This is because the browser is now redirected to the hostname. Change it back to the IP.

=============================================================
Lab # 3 - Configuring Transparent Redirection
=============================================================

----- WSA -----
Network -> Transparent Redirection -> Edit Device
-> WCCP Version 2
-> Submit
-> Add Service
   Service Profile Name : R2
   Dynamic Service ID : 55
   Port Numbers : 80,8088
   Router IP Address : 192.1.200.2
   Password : cisco
-> Submit
-> Commit
   Comments : Commit Changes

Security Services -> Web Proxy -> Edit Settings
   HTTP Ports to Proxy : 80,8088
-> Submit
-> Commit
   Comments : Commit Changes

---- R2 ----
ip wccp version 2
!
access-list 1 permit host 192.1.200.50
!
access-list 101 permit tcp any any eq 80
!
ip wccp 55 group-list 1 redirect-list 101 password cisco
!
interface E0/1
 ip wccp 55 redirect in

ASA Example:
access-list WSA permit ip host 192.1.200.50 any
!
access-list REDIR permit tcp any any eq 80
access-list REDIR permit tcp any any eq 8088
!
wccp 55 group-list WSA redirect-list REDIR password cisco
!
wccp interface inside 55 redirect in

=============================================================
Lab # 4 - Configuring Identities on the WSA
=============================================================

----- WSA -----
Web Security Manager -> Authentication -> Identities -> Add Identity
   Name : ADMIN Profile
   Address : 192.1.50.1-100

   Name : SALES Profile
   Address : 192.1.50.101-200
-> Submit
-> Commit
   Comments : Commit Changes

=============================================================
Lab # 5 - Configuring Access Policies
=============================================================

----- WSA -----
Web Security Manager -> Web Policy -> Access Policies -> Add Policy
   Name : SALES Policy
   Identities : SALES Profile
   URL Categories : Block :
      Adults
      Pornography
      Sports & Recreation
      News
      Social Networking
      Gambling
      Gaming
-> Submit
-> Commit
   Comments : Commit Changes

   Name : ADMIN Policy
   Identities : ADMIN Profile
   URL Categories : Block :
      Adults
      Pornography
      Social Networking
      Gambling
      Gaming
-> Submit
-> Commit
   Comments : Commit Changes

=============================================================
Lab # 6 - Configuring Custom Policies
=============================================================

----- WSA -----
Web Security Manager -> Custom Policy Elements -> Custom URL Categories -> Add Custom Category
   Name : SALESLIST
   URL : .espn.com,www.espn.com,.bbc.com,www.bbc.com
-> Submit

   Name : ADMINLIST
   URL : .cnn.com,www.cnn.com
-> Submit
-> Commit
   Comments : Commit Changes

Web Security Manager -> Web Policy -> Access Policies -> SALES Policy -> URL Categories
   Custom Categories -> Include the SALESLIST in the Policy
   Specify the Action as : Allow for SALESLIST
-> Submit
-> Commit
   Comments : Commit Changes

Web Security Manager -> Web Policy -> Access Policies -> ADMIN Policy -> URL Categories
   Custom Categories -> Include the ADMINLIST in the Policy
   Specify the Action as : Block for ADMINLIST
-> Submit
-> Commit
   Comments : Commit Changes

******************************************
ISE
******************************************

=============================================================
Lab # 1 - Basic Topology Setup
=============================================================

----- SW1 -----
interface E0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
vlan 100
!
interface range E0/2-3, E1/0
 switchport mode access
 switchport access vlan 100
!
ip routing
!
interface vlan 100
 ip address 10.1.1.11 255.255.255.0
 no shut

----- SW2 -----
interface E0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
vlan 100
!
ip routing
!
interface vlan 100
 ip address 10.1.1.12 255.255.255.0
 no shut

----- R1 -----
interface E0/0
 ip address 10.1.1.15 255.255.255.0
 duplex full
 no shut

=============================================================
Lab # 2 - CLI Initialization of ISE
=============================================================

----- ISE -----
Username: admin
Password: Test123

You are required to change your password immediately (password aged)
Changing password for admin.
(current) UNIX password: Test123
Enter new UNIX password: Ccie123
Retype new UNIX password: Ccie123

++++++++++++++++++++++++++++++++++++++++++
Changing the OS Admin Password
++++++++++++++++++++++++++++++++++++++++++
password
Enter old password: Ccie123
Enter new password: Cisco@123
Confirm new password: Cisco@123

++++++++++++++++++++++++++++++++++++++++++
Changing the ISE Admin Password
++++++++++++++++++++++++++++++++++++++++++
application reset-passwd ise admin
Enter new password: Cisco@123
Confirm new password: Cisco@123

++++++++++++++++++++++++++++++++++++++++++
Changing Network Configurations
++++++++++++++++++++++++++++++++++++++++++
no ip name-server 10.1.1.254   -> Say "No" to the restart prompt
ip name-server 10.1.1.2        -> Say "Yes" to the restart prompt. The services take some time to restart.
=============================================================
Lab # 3 - Enable the Device Admin Service
=============================================================

----- ISE -----
1. Log in using a username of "Admin" with a password of "Cisco@123"
2. Navigate to the following:
   Administration -> System -> Deployment -> Select ISE
   Check the box to Enable the Device Admin Service and click the Save button

=============================================================
Lab # 4 - Configure the Network Devices for ISE AAA
=============================================================

----------- SW1/SW2/R1 -----------

++++++++++++++++++++++++++++++++++
Create the Relationship with ISE
++++++++++++++++++++++++++++++++++
aaa new-model
!
tacacs server ISE-1
 address ipv4 10.1.1.1
 key Cisco@123
tacacs server ISE-2
 address ipv4 10.1.1.5
 key Cisco@123
!
aaa group server tacacs TAC-SVRS
 server name ISE-1
 server name ISE-2

++++++++++++++++++++++++++++++++++
Configure AAA Lists
++++++++++++++++++++++++++++++++++
username admin privilege 15 password admin
!
aaa authentication login LIST1 group TAC-SVRS local
aaa authorization exec LIST1 group TAC-SVRS
aaa authorization command 15 LIST1 group TAC-SVRS
aaa authorization config-commands
aaa accounting exec LIST1 start-stop group TAC-SVRS
aaa accounting command 15 LIST1 start-stop group TAC-SVRS

++++++++++++++++++++++++++++++++++
Apply the Lists to the Lines
++++++++++++++++++++++++++++++++++
line vty 0 4
 login authentication LIST1
 authorization exec LIST1
 authorization command 15 LIST1
 accounting exec LIST1
 accounting command 15 LIST1
 transport input telnet ssh

=============================================================
Lab # 5 - Configure the Network Devices on ISE
=============================================================

----- ISE -----
Administration -> Network Resources -> Network Device Groups
   Name: SWITCHES
   Parent Group: All Device Types

   Name: ROUTERS
   Parent Group: All Device Types

Administration -> Network Resources -> Network Devices
   Name: SW1
   IP: 10.1.1.11
   Network Device Group: SWITCHES
   Protocol: TACACS+
   Password: Cisco@123

=============================================================
Lab # 6 - Configure the Groups & Device Admin Users
=============================================================

----- ISE -----
Administration -> Identity Management -> Groups -> User Identity Groups
   Name: SUPER-ADMINS
   Name: ROUTING-ADMINS
   Name: SWITCHING-ADMINS

Administration -> Identity Management -> Identities
   Name: Admin1
   Password: Cisco@123
   Group: SUPER-ADMINS

   Name: Admin2
   Password: Cisco@123
   Group: ROUTING-ADMINS

   Name: Admin3
   Password: Cisco@123
   Group: SWITCHING-ADMINS

=============================================================
Lab # 7 - Configure an EXEC Policy Element
=============================================================

----- ISE -----
Work Center -> Device Administration -> Policy Elements -> Results -> TACACS Profile
   Name: PRIV_15
   Default Privilege: 15

=============================================================
Lab # 8 - Configure Command Sets for the Groups/Users
=============================================================

----- ISE -----
Work Center -> Device Administration -> Policy Elements -> Results -> TACACS Command Sets
   Name: SUPER-ADMINS-CMDS
   Commands: Permit All

   Name: ROUTING-CMDS
   Commands (command - arguments):
      configure - terminal
      ip - routing
      router
      network
      distribute-list
      redistribute
      access-list

   Name: SWITCHING-CMDS
   Commands (command - arguments):
      configure - terminal
      vlan
      interface
      switchport
      spanning-tree

=============================================================
Lab # 9 - Configure the Authorization Policy for Device Admin
=============================================================

----- ISE -----
Work Center -> Device Administration -> Device Admin Policy Sets -> Default -> Authorization Policy
   Name: SUPER-ADMINS
   Condition: Identity Group: SUPER-ADMINS
   Results: CMD-SET: SUPER-ADMINS-CMDS & Profile: PRIV_15

   Name: ROUTING-ADMINS
   Condition: Identity Group: ROUTING-ADMINS & Device Type: ROUTERS
   Results: CMD-SET: ROUTING-ADMINS-CMDS & Profile: PRIV_15

   Name: SWITCHING-ADMINS
   Condition: Identity Group: SWITCHING-ADMINS & Device Type: SWITCHES
   Results: CMD-SET: SWITCHING-ADMINS-CMDS & Profile: PRIV_15
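To check how the Lab 8 command sets and the Lab 9 rules combine once the devices send every exec and command request to ISE (Lab 4's aaa authorization lines, including config-commands), here is an added Python emulation; it is not ISE code and not part of the original lab. It uses the command-set names as created in Lab 8, assumes SW2 and R1 are placed in the Lab 5 device groups the same way SW1 is, and assumes that a command-set row with no arguments matches any arguments and that any command not listed is denied (ISE's default unless unlisted commands are explicitly permitted).

```python
import re

# Lab 8 command sets, constructed here as (command, argument-regex) rows.
# None means "Permit All". Assumption: an empty argument pattern matches any arguments.
COMMAND_SETS = {
    "SUPER-ADMINS-CMDS": None,
    "ROUTING-CMDS": [("configure", "terminal"), ("ip", "routing"), ("router", ""),
                     ("network", ""), ("distribute-list", ""), ("redistribute", ""),
                     ("access-list", "")],
    "SWITCHING-CMDS": [("configure", "terminal"), ("vlan", ""), ("interface", ""),
                       ("switchport", ""), ("spanning-tree", "")],
}

# Lab 9 authorization rules: (identity group, required device type or None, command set, profile).
AUTHZ_RULES = [
    ("SUPER-ADMINS", None, "SUPER-ADMINS-CMDS", "PRIV_15"),
    ("ROUTING-ADMINS", "ROUTERS", "ROUTING-CMDS", "PRIV_15"),
    ("SWITCHING-ADMINS", "SWITCHES", "SWITCHING-CMDS", "PRIV_15"),
]

# Lab 5/6 objects; SW2 and R1 group membership is assumed to follow the Lab 5 pattern.
DEVICE_TYPE = {"SW1": "SWITCHES", "SW2": "SWITCHES", "R1": "ROUTERS"}
USER_GROUP = {"Admin1": "SUPER-ADMINS", "Admin2": "ROUTING-ADMINS", "Admin3": "SWITCHING-ADMINS"}

def match_rule(user, device):
    """Return (command set, profile) of the first Lab 9 rule matching user and device, else None."""
    group, dtype = USER_GROUP[user], DEVICE_TYPE[device]
    for rule_group, rule_dtype, cmdset, profile in AUTHZ_RULES:
        if rule_group == group and rule_dtype in (None, dtype):
            return cmdset, profile
    return None

def command_permitted(cmdset, line):
    """Check one command line against a command set; unlisted commands are denied by default."""
    rows = COMMAND_SETS[cmdset]
    if rows is None:            # "Permit All"
        return True
    cmd, _, args = line.strip().partition(" ")
    for row_cmd, row_args in rows:
        if row_cmd.lower() == cmd.lower() and (row_args == "" or re.fullmatch(row_args, args, re.I)):
            return True
    return False

def authorize(user, device, line):
    """Emulate the two TACACS+ decisions: exec authorization (rule match), then command authorization."""
    matched = match_rule(user, device)
    if matched is None:         # no Lab 9 rule fits, e.g. a routing admin logging in to a switch
        return "NO-RULE"
    return "PERMIT" if command_permitted(matched[0], line) else "DENY"
```

Note that PRIV_15 alone would let every matched user into enable mode; it is the command set, evaluated per command, that keeps Admin2 and Admin3 inside their lane.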