********************* Lab # 1 - ISE - CLI *********************

=============== Passwords ===============

1. Configuring / Setting the OS Admin Password:

password
Enter old password: Test123
Enter new password: Kbits@123
Confirm new password: Kbits@123

2. Resetting the ISE Application Password:

application reset-passwd ise admin
Enter new password: Kbits@123
Confirm new password: Kbits@123

********************* Lab # 2 - ISE - CLI *********************

================= Configuring DNS =================

config t
!
ip name-server 10.1.1.2
  no   (answer to the restart prompt)
no ip name-server 10.1.1.254
  yes  (answer to the restart prompt)

To verify the status
----------------------
show application status ise

******************************************** Lab # 3 - Base setup ********************************************

===================================================
1. Configure Trunking and VLANs on both switches
===================================================

------ SW1 ------
vlan 10,20,100,101
!
interface E 0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

------ SW2 ------
vlan 10,20,100,101
!
interface E 0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

===================================================
2. Assign Ports to VLANs
===================================================

+++++++++++ VLAN 100 +++++++++++

------ SW1 ------
interface range e 0/2-3
 switchport mode access
 switchport access vlan 100
!
ip routing
!
interface vlan 100
 ip address 10.1.1.254 255.255.255.0
 no shut

------ SW2 ------
ip routing
!
interface vlan 100
 ip address 10.1.1.252 255.255.255.0
 no shut

+++++++++++ VLAN 101 +++++++++++

------ SW1 ------
interface e 1/0
 switchport mode access
 switchport access vlan 101
!
interface vlan 101
 ip address 10.2.2.254 255.255.255.0
 no shut

------ R1 ------
interface E 0/0
 ip address 10.2.2.1 255.255.255.0
 duplex full
 no shut

+++++++++++ VLAN 10 +++++++++++

------ SW1 ------
interface E 1/1
 switchport mode access
 switchport access vlan 10

---- R1 ----
interface E 0/1
 ip address 10.10.10.1 255.255.255.0
 duplex full
 no shut

+++++++++++ VLAN 20 +++++++++++

------ SW1 ------
interface E 1/2
 switchport mode access
 switchport access vlan 20

---- R2 ----
interface E 0/2
 ip address 10.20.20.1 255.255.255.0
 duplex full
 no shut

===================================================
3. Configure L3 Routing
===================================================

----- SW1 -----
router eigrp 123
 network 10.0.0.0

----- SW2 -----
router eigrp 123
 network 10.0.0.0

----- R1 -----
interface E 0/3
 ip address 10.3.3.1 255.255.255.0
 no shut
!
router eigrp 123
 network 10.0.0.0

===================================================
4. Configure DHCP
===================================================

----- SW1 -----
ip dhcp excluded-address 10.1.1.1 10.1.1.100
ip dhcp excluded-address 10.1.1.251 10.1.1.254
ip dhcp excluded-address 10.10.10.1 10.10.10.100
ip dhcp excluded-address 10.20.20.1 10.20.20.100
!
ip dhcp pool VLAN-100
 network 10.1.1.0 /24
 default-router 10.1.1.254
!
ip dhcp pool VLAN-10
 network 10.10.10.0 /24
 default-router 10.10.10.1
 dns-server 10.1.1.2
!
ip dhcp pool VLAN-20
 network 10.20.20.0 /24
 default-router 10.20.20.1
 dns-server 10.1.1.2

----- R1 -----
interface E 0/1
 ip helper-address 10.2.2.254
!
interface E 0/2
 ip helper-address 10.2.2.254

***************************************************** Lab # 4 - Dot1x Authentication *****************************************************

--------------------------------------------------------------------------
1. Configure the Network Devices on ISE using RADIUS
--------------------------------------------------------------------------

----- ISE -----

A. Create a Network Device Group
   Administration -> Network Resources -> Network Device Groups
   Name: SWITCHES

B. Create Network Device Entries for SW2
   Administration -> Network Resources -> Network Devices -> Add
   Name: SW2
   IP Address: 10.1.1.252/32
   Device Type: SWITCHES
   Protocol: RADIUS
   Shared Secret Password: Cisco@123

-----------------------------------------------------------------------------------------------------
2. Configure the Switch for Dot1x Authentication
-----------------------------------------------------------------------------------------------------

----- SW2 -----
aaa new-model
!
radius server ISE1
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 key Cisco@123
!
aaa group server radius ISE-SVRS
 server name ISE1
!
dot1x system-auth-control
!
aaa authentication dot1x default group ISE-SVRS
aaa authorization network default group ISE-SVRS
!
interface range E0/1-2
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 no shut

--------------------------------------------------------------------------
3. Configure the Local Authentication Database (Groups & Users)
--------------------------------------------------------------------------

-------------- ISE - Groups --------------
Administration -> Identity Management -> Groups -> User Identity Groups
Name: SALES
Name: TECH

-------------- ISE - Users --------------
Administration -> Identity Management -> Identities
Username: User1
Password: Cisco@123
Group: SALES

Username: User2
Password: Cisco@123
Group: TECH

-----------------------------------------------------------------------------------------------------
4. Create Authorization Policy to link the Groups to the appropriate Authorization Profile
-----------------------------------------------------------------------------------------------------

------------------------------ ISE - Authorization Policy ------------------------------
Policy -> Default -> Authorization Policy -> Insert at the Top

Name: SALES-AUTH-POLICY
-------------- Conditions: --------------
GROUP: SALES
Authentication Type: Wired_802.1x
Network Device: SWITCHES
-------------- Assignment --------------
PermitAccess

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Name: TECH-AUTH-POLICY
-------------- Conditions: --------------
GROUP: TECH
Authentication Type: Dot1x (Wired_802.1x)
Network Device: SWITCHES
-------------- Assignment --------------
PermitAccess

***************************************************** Lab # 5 - Dot1x Authentication with VLAN Assignment *****************************************************

-----------------------------------------------------------------------------------------------------
1. Create Authorization Profiles to define the characteristics that need to be pushed to the Network Device
-----------------------------------------------------------------------------------------------------

------------------------------ ISE - Authorization Profiles ------------------------------
Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles -> Add

Name: SALES-AUTH-PROF
VLAN ID: 10

Name: TECH-AUTH-PROF
VLAN ID: 20

-----------------------------------------------------------------------------------------------------
2. Edit the Authorization Policy to link the Groups to the appropriate Authorization Profile
-----------------------------------------------------------------------------------------------------

------------------------------ ISE - Authorization Policy ------------------------------
Policy -> Default -> Authorization Policy -> Insert at the Top

Name: SALES-AUTH-POLICY
-------------- Conditions: --------------
GROUP: SALES
Authentication Type: Wired_802.1x
Network Device: SWITCHES
-------------- Assignment --------------
SALES-AUTH-PROF

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Name: TECH-AUTH-POLICY
-------------- Conditions: --------------
GROUP: TECH
Authentication Type: Dot1x (Wired_802.1x)
Network Device: SWITCHES
-------------- Assignment --------------
TECH-AUTH-PROF

***************************************************** Lab # 6 - Dot1x Authentication with DACL *****************************************************

--------------------------------------------------------------------------
1. Configure the DACL on ISE
--------------------------------------------------------------------------

----- ISE -----

1. Create the DACL
   Policy -> Policy Elements -> Results -> Authorization -> DACL
   Name: END-USER-DACL
   Content:
     deny tcp any any eq 23
     permit ip any any

2. Assign the DACL to the Authorization Profiles.
   Policy -> Policy Elements -> Results -> Authorization -> Authorization Profile
   SALES-AUTH-PROFILE
     DACL: END-USER-DACL
   TECH-AUTH-PROFILE
     DACL: END-USER-DACL

***************************************************** Lab # 7 - Joining the Active Directory Domain *****************************************************

1. Configure the Active Directory Join Point
   Administration -> Identity Management -> External Identity Sources -> Active Directory
   Name: AD-KBITS
   Domain-Name: Kbits.live
   Admin User Account: administrator
   Password: Kbits@123

2. Download the required groups from the AD
   Administration -> Identity Management -> External Identity Sources -> Active Directory -> KBITS-AD -> Groups
   SALES-AD
   TECH-AD

3. Use the AD-KBITS in the Identity Source Sequences
   Administration -> Identity Management -> Identity Source Sequence -> All_Users_ID_Store

*************************************************************** Lab # 8 - Configure Authorization Policies based on AD Groups ***************************************************************

1. Configure the following Authorization Policy based on AD Groups:
   Policy -> Policy Sets -> ">" -> Authorization Policy -> Insert new row above

   Name: SALES-AD-AUTH-POLICY
   Condition:
     - Network Device Group: Switches
     - KBITS-AD/External Groups: Kbits.live/SALES-AD
     - Authentication Type: Wired_Dot1x
   Result:
     - SALES-AUTH-PROFILE

   Name: TECH-AD-AUTH-POLICY
   Condition:
     - Network Device Group: Switches
     - KBITS-AD/External Groups: Kbits.live/TECH-AD
     - Authentication Type: Wired_Dot1x
   Result:
     - TECH-AUTH-PROFILE

*************************************************************** Lab # 9 - Configure VPN Authentication thru ISE/AD ***************************************************************

--------------------------------------
1. Configure the ASA for ASDM Access
--------------------------------------

------ ASA ------
http server enable
!
username admin password Cisco@123 privilege 15
!
http 10.1.1.0 255.255.255.0 inside
aaa authentication http console LOCAL

--------------------------------------------------------------------------------------------------------------
2. Log into the ASA thru ASDM and configure a VPN Connection using the VPN Wizard. Use the following parameters:
--------------------------------------------------------------------------------------------------------------

➢ Connection Profile Name: AC-VPN
➢ Interface: Outside
➢ Device Certificate:
   o New Self-Signed
   o New TrustPoint Name: SELF-TP
   o Generate a New Self-Signed Identity Certificate using default Parameters.
➢ Add the existing Windows AnyConnect Image.
➢ AAA Server Configuration
   o Server Group Name: ISE
   o Authentication Protocol: RADIUS
   o Server IP: 10.1.1.1
   o Interface: Inside
   o Server secret key: Cisco@123
➢ IPv4 Pool Configuration
   o Pool Name: VPN-POOL
   o Range: 192.168.1.1-192.168.1.254
   o Subnet Mask: 255.255.255.0

--------------------------------------------------------------------------
3. Configure the Network Device on ISE using RADIUS
--------------------------------------------------------------------------

----- ISE -----

A. Create a Network Device Group
   Administration -> Network Resources -> Network Device Groups
   Name: VPN-FIREWALL

B. Create Network Device Entries for ASA
   Administration -> Network Resources -> Network Devices -> Add
   Name: ASA1
   IP Address: 10.3.3.10/32
   Device Type: VPN-FIREWALL
   Protocol: RADIUS
   Shared Secret Password: Cisco@123

---------------------------------------------------------------------------------------------------------------------
4. Configure new Authorization Policies at the top based on the parameters below. The profile will be used for VPN Users:
---------------------------------------------------------------------------------------------------------------------

➢ Name: VPN-SALES-AD-POLICY
   o Conditions:
      ▪ External Identity Group: AD-KBITS/SALES-AD
      ▪ Network Device Group: VPN-FIREWALLS
   o Profile: PermitAccess
➢ Name: VPN-TECH-AD-POLICY
   o Conditions:
      ▪ External Identity Group: AD-KBITS/TECH-AD
      ▪ Network Device Group: VPN-FIREWALLS
   o Profile: PermitAccess
➢ Use the AnyConnect Application to connect to the ASA (192.1.10.10). Verify that you can ping all the internal devices.

*************************************************************** Lab # 10 - Configure VPN Authentication using a DACL ***************************************************************

1. Configure a DACL by copying the END-USER-DACL. Name the DACL SALES-VPN-DACL.

2. Configure Authorization Profiles for AD-KBITS/SALES-AD. Create a SALES-VPN-AUTH-PROF profile. Configure the Profile to use the SALES-VPN-DACL created in the previous task.

3. Re-configure the AD-EMP-VPN-POLICY to use the Authorization Profile created in the previous step.

➢ Name: VPN-SALES-AD-POLICY
   o Conditions:
      ▪ External Identity Group: AD-KBITS/SALES-AD
      ▪ Network Device Group: VPN-FIREWALLS
   o Profile: SALES-VPN-AUTH-PROF
➢ Use the AnyConnect Application to connect to the ASA (192.1.10.10). Verify that you cannot ping all the internal devices. You should be able to telnet into the Routers.
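A sanity check for the Lab 3 DHCP configuration on SW1, added here as an example and not part of the original lab: it parses the pool networks and verifies that every `ip dhcp excluded-address` range sits inside one of them, which catches a mistyped address before the pool silently hands out the SVI or server addresses. The config text is a constructed copy of the SW1 block with one deliberately mistyped range (101.1.1.254) so the check has something to flag.

```python
import ipaddress
import re

# Constructed excerpt of the SW1 DHCP configuration from Lab 3. The second
# excluded-address line is deliberately mistyped (101.1.1.254 instead of
# 10.1.1.254) to show the check firing.
SW1_DHCP_CONFIG = """
ip dhcp excluded-address 10.1.1.1 10.1.1.100
ip dhcp excluded-address 10.1.1.251 101.1.1.254
ip dhcp excluded-address 10.10.10.1 10.10.10.100
ip dhcp excluded-address 10.20.20.1 10.20.20.100
!
ip dhcp pool VLAN-100
 network 10.1.1.0 /24
 default-router 10.1.1.254
!
ip dhcp pool VLAN-10
 network 10.10.10.0 /24
 default-router 10.10.10.1
 dns-server 10.1.1.2
!
ip dhcp pool VLAN-20
 network 10.20.20.0 /24
 default-router 10.20.20.1
 dns-server 10.1.1.2
"""

def parse_pools(config):
    """Return {pool_name: IPv4Network} from the 'ip dhcp pool' / 'network' lines."""
    pools, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*ip dhcp pool (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*network (\S+)\s+(\S+)", line)
        if m and current:
            # IOS accepts 'network 10.1.1.0 /24' or 'network 10.1.1.0 255.255.255.0';
            # ipaddress takes either a prefix length or a dotted mask as the 2nd item.
            pools[current] = ipaddress.ip_network((m.group(1), m.group(2).lstrip("/")), strict=False)
    return pools

def check_excluded_ranges(config):
    """Return (low, high, problem) for each excluded range that is inverted or outside every pool."""
    pools, problems = parse_pools(config), []
    for m in re.finditer(r"ip dhcp excluded-address (\S+) (\S+)", config):
        low, high = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if high < low:
            problems.append((str(low), str(high), "high address is below low address"))
        elif not any(low in net and high in net for net in pools.values()):
            problems.append((str(low), str(high), "range is not inside any pool network (typo?)"))
    return problems
```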
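To reason about what the END-USER-DACL of Lab 6 (and its copy, SALES-VPN-DACL, in Lab 10) actually lets through, here is a small first-match ACL evaluator, added as an example and not part of the original lab or of ISE. It handles only the ACE forms the labs use (`any`, `host A`, `A WILDCARD`, optional `eq PORT` on the destination) and applies the implicit deny at the end of every ACL; the second DACL body is a constructed variant, not from the page, showing what the Lab 10 verification (ping blocked, telnet allowed) would require.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the END-USER-DACL from Lab 6 (the page's two ACEs).
END_USER_DACL = "deny tcp any any eq 23\npermit ip any any"
# Constructed variant (not on the page) that blocks ping but leaves telnet open.
PING_BLOCK_DACL = "deny icmp any any\npermit ip any any"

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq N", or None

def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))          # Cisco wildcard mask
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))  # invert it to a netmask
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2

def parse_dacl(text):
    """Parse ACEs of the form '<permit|deny> <proto> <src> <dst> [eq <port>]'."""
    rules = []
    for line in text.splitlines():
        tokens = line.lower().split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # blank line or '!' comment
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(tokens[0], tokens[1], src, dst, dport))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """First matching ACE decides; no match hits the implicit deny at the end of the ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto in ("ip", proto) and src in r.src and dst in r.dst \
                and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"

def verify(dacl_text, src="192.168.1.10", dst="10.2.2.1"):
    """Outcome of the flows the labs ask you to verify (VPN pool client -> R1 by default)."""
    rules = parse_dacl(dacl_text)
    return {"ping": evaluate(rules, "icmp", src, dst),
            "telnet": evaluate(rules, "tcp", src, dst, 23),
            "ssh": evaluate(rules, "tcp", src, dst, 22)}
```

Running `verify(END_USER_DACL)` shows that a straight copy of END-USER-DACL permits ping and denies telnet, the opposite of what the Lab 10 verification step expects, so the copied SALES-VPN-DACL needs editing before the final check.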