Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine
(ISE) in a Bring Your Own Device (BYOD) environment. It covers the configuration of Cisco ISE
to address the common requirements for BYOD. Students will be introduced to the ISE My Devices
Portal, which enables employees to self-manage their devices. Students will experience ISE
single-SSID configuration and the provisioning of certificates for BYOD endpoints (Apple iPad)
using the ISE internal CA. Students will learn how to manage their own devices in the My Devices
Portal by testing the blacklist features. In the lab, students will learn how to configure ISE to
connect to multiple AD domains and how to use the ISE internal CA to issue certificates for BYOD
endpoints.
Lab participants should be able to complete the lab within the allotted time of 2 hours.
Lab Exercises
This lab guide includes the following exercises:
ISE_21_BYOD_Lab_Guide_2016-07-26
Page 1 of 25
Lab Topology
Name/Hostname                            IP Address
3k-access.demo.local                     10.1.100.1
wlc.demo.local                           10.1.100.61
ap.demo.local                            10.1.90.x/24 (DHCP)
ISE Appliance: ise-1.demo.local          10.1.100.21
AD (AD/CS/DNS/DHCP): ad.demo.local       10.1.100.10
mail.demo.local                          10.1.100.40
NTP: ntp.demo.local                      128.107.212.175
Tools: tools.demo.local                  128.107.210.137
LOB-web: lob-web.demo.local              10.1.129.12
portal.demo.local, updates.demo.local    10.1.129.8
business.demo.local                      10.1.129.9
it.demo.local                            10.1.129.10
records.demo.local                       10.1.129.11
admin.demo.local                         10.1.100.6
ftp.demo.local
VLAN   Name         IP Subnet        Description
10     ACCESS       10.1.10.0/24
20     MACHINE      10.1.20.0/24
(29)                10.1.29.0/24
30     QUARANTINE   10.1.30.0/24
40     VOICE        10.1.40.0/24     Voice VLAN
50     GUEST        10.1.50.0/24
90     AP           10.1.90.0/24     Wireless AP VLAN
98     ISE.LOCAL    10.1.98.0/24     AD domain ise.local
99     LAB.LOCAL    10.1.99.0/24
100    Management   10.1.100.0/24
129    WEB          10.1.129.0/24
Accounts and Passwords
Every lab device listed in this table uses the same account (username/password):
Device                      Account (username/password)
ISE Appliances              admin / ISEisC00L
AD (AD/CS/DNS/DHCP)         admin / ISEisC00L
Web Server                  admin / ISEisC00L
Other lab devices           admin / ISEisC00L
To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components.
Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.
Connect to a POD
Step 1
Clicking on this option should launch your RDP client and connect you to the Admin PC.
Login as admin / ISEisC00L
Note: All lab configurations can be performed from the Admin client PC.
From the Admin client PC, click the [ ESXi-core ] icon on the desktop
Step 2
Step 3
Step 4
For this lab ensure that the following VMs are up and running:
p##_ad
p##_admin
p##_ise-1-base
p##_lob-web
p##_vWLC
(likely invisible)
## refers to the pod number that you are assigned to. E.g., for POD 2, p##_ad would be
p02_ad. w7pc-guest may be powered on manually during the exercises.
b. Select the device that you'd like to log into and double-click on it.
c. If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.
Step 2
Control-A to select all lines in the web page above and then Control-C to copy them.
Step 3
Step 4
Verify that ping succeeds for all devices tested and then [ File Exit ] the program or close the
window when completed.
Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with track
pad) Touch with two fingers on the track pad if Secondary Click is configured.
Mouse: The mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your
local keyboard for input.
Note: The Tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to
type into and click on it.
Note: When interacting with the iPad VNC session, a US keyboard is preferred.
Note: A US keyboard is needed for the RDP session too unless you have additional language packs installed to provide keyboard
mappings. This applies only to the RDP sessions.
ISEisC00L
Step 2 In the MONITOR summary page, the Controller Summary section has a field Up Time showing
rebooted and up for more than 15 minutes, please report it to the lab proctor or open a ticket with
LabOps support.
Step 3
Join ISE to the Active Directory. Access the ISE Active Directory configuration page by navigating to
Administration > Identity Management > External Identity Sources and select Active
Directory from the left-hand pane.
Join ise-1 to demo.local (in a single-domain forest):
a. Click the hyperlink demoAD under the Join Point Name column.
b. Tick the checkbox next to ISE node ise-1.demo.local and then click Join.
c. The Connection tab should show ad.demo.local as the domain controller and Default-First-Site-Name as the site.
WLC Configuration
Step 1
Note: SSID names will change per POD; e.g. POD 01 = 01-wpa2e
Step 2
Click
Step 3
Step 4
Click
ROOT_CA is the root CA for the entire ISE PKI hierarchy, but it can also be made subordinate to an
existing enterprise root CA.
NODE_CA is responsible for issuing the subordinate EP_CA and OCSP certificates.
EP_CA is responsible for issuing identity and device certificates to endpoints.
OCSP is responsible for signing the OCSP responses.
Exercise Description
This lab covers the ISE Internal CA configuration used to provision BYOD devices. Certificates are
provisioned to personal devices and are later used to connect to the corporate network
using EAP-TLS authentication.
Exercise Objective
In this exercise, your goal is to familiarize yourself with and configure the ISE internal CA. This includes
completion of the following tasks:
Step 1
Login to ISE at https://ise-1.demo.local/admin/login.jsp
Username: admin
Password: ISEisC00L
Step 2
Under Administration > System > Certificates > Certificate Authority, go to Internal CA
Settings and verify that the Internal CA is running on your POD.
Step 3
Under Administration > System > Certificates > Certificate Authority click Certificate
Templates.
Step 4
ISE comes with a default certificate template that can be used for BYOD. In this lab we will
use the default certificate template. Select the default certificate template
EAP_Authentication_Certificate_Template, click Edit, and notice the various values as
shown below.
Attribute                          Value
Name                               EAP_Authentication_Certificate_Template
Description                        This template will be used to issue certificates for EAP Authentication
Subject
  Common Name (CN)                 $UserName$
  Organizational Unit (OU)         Example unit
  Organization (O)                 Company name
  City (L)                         City
  State (ST)                       State
  Country (C)                      US
Subject Alternative Name (SAN)     MAC Address
Key Size                           2048
SCEP RA Profile                    ISE Internal CA
Valid Period                       730 (days)
Notes: The ISE internal CA comes with a default configuration and is already running when ISE is installed. Overall, the
administration and configuration experience is very straightforward to set up.
Exercise Objective
In this exercise, your goal is to configure ISE for single SSID Wireless BYOD, which includes the
completion of the following tasks in ISE:
Modify the Authentication Policy to accept 802.1X authentication from wireless access
devices with EAP-TLS or PEAP(EAP-MSCHAPv2) protocols.
Modify the Authorization Policy to allow registration as well as supplicant provisioning and
to grant full access to registered devices.
Step 1
Open a new tab on the web browser and access the ISE administration web interface at
https://ise-1.demo.local using the credentials admin / ISEisC00L
Step 2
Verify that the Wireless LAN Controller is configured as a Network Access Device in ISE.
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. This network device is preconfigured with the values shown in the following table:
Attribute                  Value
Name                       wlc
Description
IP Address                 10.1.100.61 / 32
Model Name                 WLC
Software Version
Device Type / Location     GOLD-ISE (the extracted page does not show which of the two fields holds this value)
Authentication Settings
  Protocol                 RADIUS
  Shared Secret            ISEisC00L
OPTIONAL: We'll now configure the External SCEP CA Profiles, for the case where a deployment needs
to use its own PKI system for certificate provisioning.
a. Navigate to Administration > System > Certificates > Certificate Authority > External
CA Settings
b. Go to SCEP RA Profiles. Add a new profile as below:
Attribute      Value
Name           mscep (or any unique id)
Description    -
URL            http://ad.demo.local/certsrv/mscep/mscep.dll
Note: ISE provides the ability to test and add multiple SCEP URLs at the same time by clicking the
+ button.
Note: If this fails, please ask the proctor to check on the mscep server VM.
The MSCEP VM is the same as the Microsoft AD Server; the proctor can either stop and start the service (NDES) or restart the AD server (power off and power on).
Step 4
Under Administration > System > Certificates, go to Trusted Certificates. Both the
CA and RA (registration authority) certificates of the certificate chain for the SCEP server
should have been automatically retrieved.
Go to Administration > Identity Management > External Identity Sources > Certificate
Authentication Profile to review the built-in profile Preloaded_Certificate_Profile.
This preloaded profile fits our needs, so we will use it in this lab.
Step 5
Note: When using this identity source sequence in EAP-TLS authentications, it will pick the certificate authentication profile. In
password-based authentications, it will use the other identity sources in the authentication search list.
Step 6
Go to Policy > Authentication and ensure that the authentication policy is configured as below (all rules Enabled):
Name                         Condition                             Protocols                       Identity Source          Options (auth failed / user not found / process failed)
MAB                          IF Wired_MAB OR Wireless_MAB          allow Default Network Access    use Internal Endpoints   Reject / Continue / Drop
Dot1X                        IF Wired_802.1X OR Wireless_802.1X    allow Default Network Access    use All_User_ID_Stores   Reject / Reject / Drop
Default Rule (if no match)                                         allow Default Network Access    use All_User_ID_Stores   Reject / Reject / Drop
Step 7
Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Drill
down to NSP_Onboard, a built-in Authorization Profile that is used in the Authorization Policy for
supplicant provisioning.
a. Update the redirect ACL to PERMIT-2-ISE-a-DNS, which is configured in our WLC.
Attribute            Value
Name                 NSP_Onboard
Description          -
Access Type          ACCESS_ACCEPT
Common Tasks
  DACL               PERMIT_ALL_TRAFFIC
  Web Redirection    Drop-down menu: Native Supplicant Provisioning
                     ACL: PERMIT-2-ISE-a-DNS
                     Value: BYOD Portal (default)
Attributes Details
Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_TRAFFIC
Next, enable two built-in Authorization Policy rules under Policy > Authorization,
Employee_EAP-TLS and Employee_Onboarding, by double-clicking on the grayed-out state icon
and selecting Enabled.
Step 9
Rule Name                       Identity Groups               Other Conditions                                                        Permissions
Wireless Black List Default     Blacklist                     Wireless_802.1X                                                         Blackhole_Wireless_Access
Profiled Cisco IP Phones        Cisco-IP-Phone                                                                                        Cisco_IP_Phones
Profiled Non Cisco IP Phones    Non_Cisco_Profiled_Phones                                                                             Non_Cisco_IP_Phones
Compliant_Devices_Access                                      Network_Access_Authentication_Passed AND Compliant_Devices              PermitAccess
Employee_EAP-TLS                                              Wireless_802.1X AND BYOD_is_Registered AND EAP-TLS AND MAC_in_SAN       PermitAccess AND BYOD
Employee_Onboarding                                           Wireless_802.1X AND EAP-MSCHAPv2                                        NSP_Onboard AND BYOD
...
Basic_Authenticated_Access                                    Network_Access_Authentication_Passed                                    PermitAccess
Default                         Any                                                                                                   DenyAccess
Go to Policy > Client Provisioning and review the built-in rule for iOS as below:
Status    Rule Name    Identity Groups    Operating Systems    Other Conditions    Results
          iOS          Any                Apple iOS All                            Cisco-ISE-NSP
Step 11
Go to Policy > Policy Elements > Results > Client Provisioning > Resources and update
the built-in native supplicant profile Cisco-ISE-NSP by selecting it and clicking Edit.
Step 12
Under the Wireless Profile(s) section, select the SSID name ISE and click Edit.
Step 13
Replace the SSID Name ISE with ##-wpa2e, where ## is your pod number (10-wpa2e for pod
10, for example).
SSID Name*             ##-wpa2e
Security               WPA2 Enterprise
Allowed Protocol       TLS
Certificate Template   EAP_Authentication_Certificate_Template
Click
Step 14
and then copy the name of the Secure SSID e.g. ##-wpa2e. If SSID is disabled,
Click Submit to save the changes for the wireless profile. Then, scroll down, click Submit again
to save the change for the native supplicant profile as a whole.
Lab Exercise 3: Test and Verify the onboarding of a non-corporate Apple iPad
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Connect to the iPad via VNC to test the wireless BYOD feature
Connect the iPad to the corporate SSID and check the onboarding of Apple iPad and
installation of the profiles for the native supplicant for the corporate user
Step 1
Double click on the batch file vnc-to-ipad on the Desktop to start a VNC session to the iPad.
Step 2
The batch file will prompt you to press any key to continue. You will then see the VNC Viewer
pop up.
Step 3
On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.
Note: If there are no profiles, you might not see the Profiles menu option.
Step 4
Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and
Data.
Step 5
Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the
network ##-wpa2e
a. Enter the username/password AD credentials (employee1/ISEisC00L) and click Join
b. Click to accept the certificate.
c. Next click on the blue arrow of the connected network and verify the IP address assigned.
Note: The IP address for the iPad might be different depending on the DHCP server in the POD; the iPad might get an IP address from the
10.1.10.x subnet, which is OK.
Step 6
Now launch the mobile Safari app and access the website portal.demo.local.
You will receive a warning "Cannot Verify Server Identity". Click Continue; you will then be redirected to
the self-provisioning page.
Note: If a red error is shown and the Register button is greyed out, check whether a Client Provisioning Policy rule has been created for
Apple iOS (Policy > Client Provisioning).
Also, run a Supplicant Provisioning Report (Operations > Reports > Endpoints and Users > Supplicant Provisioning > Run).
This will take you to the ISE BYOD Welcome Screen, which guides the end-user through a series
of steps to on-board the device and also keeps track of these steps with proper numbering.
Click Start to proceed.
Step 7
Next, the end-user is requested to enter a Device Name and Description:
Attribute      Value
Device Name    Personal_iPAD
Description    This is my iPAD
Step 8
Click Install to start the Apple Over-The-Air (OTA) enrollment process. This will automatically
generate the key, enroll the identity certificate, and save the resulting signed Wi-Fi profile to the
iPad.
Step 9
Now entering portal.demo.local in the mobile Safari app should take you to the website.
Step 10
Verify that Settings > General > Profiles shows two installed profiles.
Step 11
Check the RADIUS live logs on the ISE admin web console to verify that the correct authorization
profiles were applied. The sequence will look similar to the following. Initially, the device is
authorized for NSP_Onboard. Once provisioning is done, another authentication occurs and the
PermitAccess profile is applied.
Note: For detailed troubleshooting, enable DEBUG logging for the relevant components: client, guest and provisioning
(Administration > System > Logging > Debug Log Configuration).
Step 12
Under Administration > System > Certificates > Certificate Management > Overview, look
at the summary of certificates issued to personal devices.
Step 13
Under Administration > System > Certificates > Certificate Management > Endpoint
Certificates, look at all the certificates issued to personal devices.
Step 14
Exercise Objective
In this exercise, your goal is to familiarize yourself with and configure the My Devices Portal on ISE. This
includes completion of the following tasks:
Step 1
b. Login with username admin and password ISEisC00L. The ISE Dashboard should
display. Navigate the interface using the multi-level menus.
Step 2
Portal Behavior and Flow Settings
Use these settings to specify the My Devices experience for this portal.
Attribute                                                      Value
Portal Settings
  Fully qualified domain name (FQDN)                           mydevices.demo.local
  Endpoint identity group                                      RegisteredDevices
  Purge endpoints in this identity group when they reach       30 days
  Identity source sequence *                                   MyDevices_Portal_Sequence
Acceptable Use Policy (AUP) Page Settings
  Include an AUP                                               On first login only
Post-Login Banner Page Settings
  Include Post-Login Banner Page
Preview
a. Navigate to Administration > Device Portal Management > Device Portal
Management > My Devices. From there, click the My Devices Portal (default).
b. On the same page, towards the right of the screen, click on Portal Test URL and open
the My Devices Portal page.
c. Login with the following credentials:
Attribute    Value
Username     employee1
Password     ISEisC00L
d. There will be options available to add devices, but do not add any devices at this time.
This will be performed in later lab exercises.
Note: Please accept/confirm any browser certificate warnings if present; these are mostly due to the browser not trusting the root CA
certificate that signs the SSL server certificate of the ISE.
This preview is generated depending on the device you're using to access the page; e.g., if using Windows OS, the screen would be
presented as per the OS and screen specification.
ISE allows customization of more pages for BYOD flows. At present we have demonstrated customizing the My Devices page, but
other pages follow the same customization logic.
Lab Exercise 5: Test and Verify the Lost function on My Devices Portal
Exercise Objective
In this exercise, your goal is to complete the following tasks:
From the My Devices Portal, mark the device as Lost to observe the Change of Authorization
(CoA) occur and restrict access from the device.
When the device is reinstated on the My Devices Portal, Change of Authorization is again
triggered and the device should now be given full network access.
Step 1
Login to the WLC web interface https://wlc.demo.local as admin/ISEisC00L to review the WLAN
and ACLs used in this exercise.
a. WLAN: ##-wpa2e
b. ACLs: BLACKLIST, PERMIT-ALL-TRAFFIC, PERMIT-2-ISE-a-DNS and PERMIT-2-ISEa-DNS-a-INTERNET
Note: The # in ##-wpa2e is to be replaced with the assigned pod number; e.g. 01-wpa2e for POD1
Note: PERMIT-2-ISE-a-DNS has access entries to permit DNS as it appears blocked otherwise.
Step 2
Update the authorization profile Blackhole_Wireless_Access under Policy > Policy Elements
> Results > Authorization > Authorization Profiles.
a. Replace the value for url-redirect-acl BLACKHOLE in the 2nd cisco-av-pair with
BLACKLIST.
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://ip:port/mydevices/blackhole.jsp
cisco-av-pair = url-redirect-acl= BLACKLIST
Note: The right-hand-side value for url-redirect-acl has to match an ACL name defined in WLC
b. Save changes
Step 3
Step 4
Select your iPAD and then click Lost? for the iPad. The device will now be blocked from
accessing the network. Note the icon change under the State.
Step 5
From the VNC session to the IPad, switch to the mobile Safari app. Reload the page wwwint.demo.local and the user will see a message similar to below.
Step 6
Under Operations > RADIUS Livelog, review the Live Logs. They will show that a Dynamic
Authorization is triggered after the device is marked Lost; a reauthorization then matches the device to
the Blackhole_Wireless_Access profile.
Step 7
Go back to the My Devices Portal and click Reinstate. The iPad should now be allowed onto the network.
Notice the change in the icon under State.
Step 8
The Live Authentications logs should show an entry Dynamic Authorization (CoA) succeeded
followed by a re-authentication, which puts the device in the PermitAccess profile.
Step 9
On iPad, again try to access portal.demo.local. The website should now be accessible.
Step 10
On iPad, go to Settings > Wi-Fi and slide the virtual switch to turn off the Wi-Fi
Lab Exercise 6: Test and Verify the Stolen function on My Devices Portal
Exercise Objective
In this exercise, your goal is to complete the following task:
Step 1
From the My Devices Portal initiate the Stolen action on the device to observe the Change of
Authorization (CoA) occur and the certificates being revoked for the device
Perform Stolen
a. From the iPad VNC session, verify iPad Wi-Fi is ON and connected to ##-wpa2e
b. Go to My Devices Portal, select the iPAD and click Stolen for the iPad. Accept the
warning and say Yes. The device will now be blocked from accessing the network.
Step 2
On ISE, verify under Administration > Certificates > Certificate Management > Endpoint
Certificates that the certificate is also revoked.
Step 3
From the VNC session to the IPad, notice that the device is no longer connected to the network.
Step 4
Under Operations > RADIUS > Live Logs, review the Live Logs. They will show that a Dynamic
Authorization is triggered after the device is marked Stolen; a reauthorization then occurs, which makes
the authentication fail and fall through to the Default Policy, which denies access. Depending on the
timing and the OCSP cache time-to-live setting, the endpoint might get blacklisted first.
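As an added illustration that is not part of the original lab guide, the following Python model ties together the authorization rules reviewed in Step 9 of the single-SSID exercise (Blacklist, Employee_EAP-TLS, Employee_Onboarding, Default) with the Lost, Reinstate and Stolen behaviour observed in Exercises 5 and 6, including why a still-cached OCSP "good" answer can make a stolen device hit the Blacklist rule before its EAP-TLS authentication starts failing. The Session attributes and the ocsp_cached_good flag are simplifying assumptions for the model, not ISE objects.

```python
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Normalise a MAC so "AA:BB:CC:DD:EE:FF" and "aabb.ccdd.eeff" compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass
class Session:
    """What ISE sees for one wireless RADIUS session (constructed, simplified)."""
    nas_port_type: str              # "Wireless-IEEE-802.11" satisfies Wireless_802.1X
    eap_method: str                 # "EAP-TLS" or "EAP-MSCHAPv2"
    calling_station_id: str         # endpoint MAC as reported by the WLC
    cert_san_macs: tuple = ()       # MAC(s) in the endpoint certificate's SAN
    byod_registered: bool = False   # BYOD_is_Registered
    blacklisted: bool = False       # member of the Blacklist endpoint identity group
    cert_revoked: bool = False      # EP_CA has revoked the endpoint certificate
    ocsp_cached_good: bool = False  # a cached "good" OCSP answer has not yet expired


def mac_in_san(s: Session) -> bool:
    """MAC_in_SAN: the certificate SAN must name the MAC actually authenticating."""
    return norm_mac(s.calling_station_id) in {norm_mac(m) for m in s.cert_san_macs}


def eap_tls_accepted(s: Session) -> bool:
    """EAP-TLS fails once OCSP reports the certificate revoked, unless a cached
    'good' response (OCSP cache TTL) still masks the revocation."""
    if s.eap_method != "EAP-TLS":
        return True
    return (not s.cert_revoked) or s.ocsp_cached_good


def authorize(s: Session) -> str:
    """First-match walk of the lab's authorization rules; returns the profile name."""
    if not eap_tls_accepted(s):
        return "DenyAccess"                  # authentication failed: Default rule
    wireless_dot1x = s.nas_port_type == "Wireless-IEEE-802.11"
    if s.blacklisted and wireless_dot1x:
        return "Blackhole_Wireless_Access"   # Wireless Black List Default
    if (wireless_dot1x and s.byod_registered
            and s.eap_method == "EAP-TLS" and mac_in_san(s)):
        return "PermitAccess"                # Employee_EAP-TLS
    if wireless_dot1x and s.eap_method == "EAP-MSCHAPv2":
        return "NSP_Onboard"                 # Employee_Onboarding (portal redirect)
    return "DenyAccess"                      # Default (if no match)


def my_devices_action(s: Session, action: str) -> str:
    """Apply a My Devices Portal action and return the profile the CoA-triggered
    re-authorization lands on; Stolen also revokes the endpoint certificate."""
    if action == "Lost":
        s.blacklisted = True
    elif action == "Reinstate":
        s.blacklisted = False
    elif action == "Stolen":
        s.blacklisted, s.cert_revoked = True, True
    else:
        raise ValueError(f"unknown action {action!r}")
    return authorize(s)
```

Build a Session for the iPad and call authorize() or my_devices_action() to see which profile each step of the exercises lands on.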
Step 5
Clean up iPad and turn off wireless to get ready for next exercise
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
c. Remove the two profiles installed by the ISE BYOD services on the iPad under Settings >
General > Profiles.
d. Go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.