1

Nexus

Identity Services Engine (ISE)

Bootstrapping Lab Guide
Developers
This lab was created by: Aruna Yerragudi, Technical Marketing Engineer, Secure Access and
Mobility Product Group, Cisco Systems.

Lab Overview
The student will install ISE, and use the Setup Wizard to get the basic configuration needed for
wired user authentication and verify the user authentication. The student will also configure a
wired switch using the CLI commands list generated by the Setup Wizard.
Lab participants should be able to complete the lab within the allotted lab time of 2 hours.

Lab Exercises
This lab guide includes the following exercises:

Lab Exercise 1: Installation Verification

Lab Exercise 2: Setup Wizard

Lab Exercise 3: Wired Switch Configuration

Lab Exercise 4: Wired User Authentication Verification

ISE 1.2 Bootstrap Lab Guide

Product Overview
The Cisco Secure Access and TrustSec is the Borderless Network access control solution,
providing visibility into and control over devices and users in the network.
Within this solution, Cisco Identity Service Engine (ISE) is a context aware identity-based platform
that gathers real-time information from the network, users, and devices. ISE then uses this
information to make proactive governance decisions by enforcing policy across the network
infrastructure utilizing built in standard based controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users
and devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally laborintensive tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own
device (BYOD), through policy-enabled services.

ISE 1.2 Bootstrap Lab Guide

Lab Topology

Lab IP and VLANs

Internal IP Addresses
Device

Name/Hostname

IP Address

Access Switch (3560X)

3k-access.demo.local

10.1.100.1

Data Center Switch (3560CG)

3k-data.demo.local

10.1.129.3

Wireless LAN Controller (2504)

wlc.demo.local

10.1.100.61

Wireless Access Point (2602i)

ap.demo.local

10.1.90.x/24 (DHCP)

ASA (5515-X)

asa.demo.local

10.1.100.2

ISE Appliance

ise-1.demo.local

10.1.100.21

ISE 1.2 Bootstrap Lab Guide

ISE Feed Server

ise-feedserver.demo.local

10.1.100.41

AD (AD/CS/DNS/DHCP)

ad.demo.local

10.1.100.10

NTP Server

ntp.demo.local

128.107.212.175

MobileIron

mobileiron.demo.local

10.1.100.15

Mail

mail.demo.local

10.1.100.40

LOB Web

lob-web.demo.local

10.1.129.12

portal.demo.local, updates.demo.local

10.1.129.8

business.demo.local

10.1.129.9

it.demo.local

10.1.129.10

records.demo.local

10.1.129.11

LOB DB

lob-db.demo.local

10.1.129.20

Admin (Management) Client

admin.demo.local

10.1.100.6

(also FTP Server)

ftp.demo.local

Windows 7 Client PC

w7pc-guest.demo.local

10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN

VLAN Name

IP Subnet

Description

10

ACCESS

10.1.10.0/24

Authenticated users or access network using ACLs

20

MACHINE

10.1.20.0/24

Microsoft machine-authenticated devices (L3

segmentation)

IC-ASA-ACCESS

10.1.29.0/24

Interconnect subnet between ASA and Access switch

30

QUARANTINE

10.1.30.0/24

Unauthenticated or non-compliant devices (L3

segmentation)

40

VOICE

10.1.40.0/24

Voice VLAN

50

GUEST

10.1.50.0/24

Network for authenticated and compliant guest users

90

AP

10.1.90.0/24

Wireless AP VLAN

100

Management

10.1.100.0/24

Network services (AAA, AD, DNS, DHCP, etc.)

129

WEB

10.1.129.0/24

Line-of-business Web servers

130

DB

10.1.130.0/24

Line-of-business Database servers

(29)

Note:

Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

ISE 1.2 Bootstrap Lab Guide

Accounts and Passwords

Access To

Account (username/password)

Access Switch (3560X)

admin / ISEisC00L

Data Center Switch (3560X)

admin / ISEisC00L

Wireless LAN Controller (2504)

admin / ISEisC00L

ASA (5515-X)

admin / ISEisC00L

ISE Appliances

admin / ISEisC00L

AD (CS/DNS/DHCP/DHCP)

admin / ISEisC00L

Web Servers

admin / ISEisC00L

Admin (Management) Client

admin / ISEisC00L

Windows 7 Client

W7PC-1\admin / ISEisC00L

(Local = W7PC-guest )

DEMO\admin / ISEisC00L

(Domain = DEMO)

DEMO\employee1 / ISEisC00L

Connecting to Lab Devices

Note:

To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components

Note:

Admin PC access is through RDP, therefore you must have an RDP client installed on your computer

Connect to a POD
Step 1

In the LabOps student portal, click on the Topology tab. Click on the Admin PC, then click on
the RDP Client option that appears:

Step 2

Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in
as admin / ISEisC00L

Note: All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines

Step 1

During the lab exercises, you may need to access and manage the computers running as virtual
machines.

ISE 1.2 Bootstrap Lab Guide

Step 1

From the Admin client PC, click the VMware vSphere Client icon on the taskbar

Step 2

Click OK when the VMware vSphere Client starts.

Step 3

Once logged in, you will see a list of VMs that are available on your ESX server.
Note: p##_admin VM may not be visible when you login as the student.

Step 4

This Lab uses the following VMs :

p##_ad
p##_ise-1-bootstrap
p##_lob-web
p##_w7pc-guest

Note: ## refers to the pod number that you are assigned to. E.g., For POD 2, p##_ad would be p02_ad.

Step 5

You have the ability to power on, power off, or open the console (view) these VMs.
Note: This is for information purpose only. All the required VMs are already turned on. So, DONOT turn on any other
VMs.

To do so, place the mouse cursor over VM name in the left-hand pane and right-click to select
one of these options:

Step 6

To access the VM console, select Open Console from the drop-down.

Step 7

To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Step 2

Step 3

ISE 1.2 Bootstrap Lab Guide

Connect to Lab Device Consoles

Step 1

To access the lab switches and ISE servers using SSH:

a. From the Admin client PC, locate the PUTTY shortcut on the taskbar. Click on the PuTTY
shortcut and it shows a list of devices and ISE servers.

b. Select the device that youd like to log into and double click on it.
c.

If prompted, click Yes to cache the server host key and to continue login.

d. Login using the credentials listed in the Accounts and Passwords table.

ISE 1.2 Bootstrap Lab Guide

Pre-Lab Setup Instructions

Basic Connectivity Test
Step 1

To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from
the Windows desktop of the Admin client PC:

Step 2

Verify that ping succeeds for all devices tested by the script.

Note:

The ping test may fail for VMs that have not yet completed the boot process.

ISE 1.2 Bootstrap Lab Guide

Lab Exercise 1: Basic Installation Check

Exercise Description
While ISE comes preinstalled when ordered on a physical appliance, there are times when a
physical appliance may need to be reinstalled (aka reimaging). For virtual machine environments,
ISE will need to be freshly installed into the virtual machine. Installation of ISE consists of

booting from the ISE ISO image

starting the installation process which installs the operating system and ISE application.

the installation pauses and a setup dialog must be completed before the installation
resumes and completes.

For installation steps and the Configuring Cisco ISE refer to

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp1114266

Exercise Objective
In this exercise, you will

log in to ISE and perform basic installation checks

Lab Exercise Steps

Step 1

Log in to the virtual machine console of the VM named p##_ise-1-bootstrap. You should see
the following prompt:
ise-1 login:

Step 2

Note:

Login using the credentials admin/ISEisC00L.

You can use the VM console interface to access the ISE CLI, or you may SSH to ISE. On a physical
appliance, the serial port or the keyboard and video may be used to access the ISE CLI.

Step 3

Enter show run to confirm the setup settings you entered, and also to see other settings and
their default values.

Step 4

Use these commands to answer the following questions:

Command
show version
show inventory
show application status ise
What is the name of the operating system?
What is the full version number of the operating system?
What is the full version number of ISE?

ISE 1.2 Bootstrap Lab Guide

10

What is the ISE product ID (PID)?

What is the ISE serial number (SN)?
How much RAM does this VM have?
How many CPUs?
What is the disk capacity?
How many NICs does it have?
What are the ISE processes?
Step 5

Confirm that time synchronization is working

a. Immediately after the primary NTP server is configured, you will see that ISE is in an
unsynchronized state:
ise-1/admin# show ntp
Configured NTP Servers:
ntp.demo.local
unsynchronised
polling server every 64 s
remote

refid

st t when poll reach

delay

offset

jitter

==============================================================================
127.127.1.0

.LOCL.

10 l

17

64

377

0.000

0.000

0.001

2 u

12

64

377

0.732

-9.929

3.790

*128.107.212.175 10.81.254.131

* Current time source, + Candidate

Warning: Output results may conflict during periods of changing synchronization.

After a few minutes, ISE should synchronize with the primary NTP server. The asterisk indicates
which time server it has synchronized with:
ise-1/admin# sh ntp
Configured NTP Servers:
ntp.demo.local
synchronised to NTP server (128.107.212.175) at stratum 3
time correct to within 82 ms
polling server every 1024 s
remote

refid

st t when poll reach

delay

offset

jitter

==============================================================================
127.127.1.0

.LOCL.

10 l

*128.107.212.175 10.81.254.131

2 u

64

377

0.000

0.000

0.001

686 1024

25

377

1.004

0.876

1.182

* Current time source, + Candidate

Warning: Output results may conflict during periods of changing synchronization.

ISE 1.2 Bootstrap Lab Guide

11

If you see that ISE has synchronized to the local machine as shown below, that should be a
warning sign that NTP time synchronization is not working:
ise-pap-1/admin# show ntp
Primary NTP

: ntp.demo.local

synchronised to local net at stratum 11

time correct to within 10 ms
polling server every 1024 s
remote

refid

st t when poll reach

delay

offset

jitter

==============================================================================
*127.127.1.0

.LOCL.

128.107.212.175

.LOCL.

10 l

64

4 u 1026 1024

377
377

0.000
0.478

0.000
-866.81

0.001
60.476

Warning: Output results may conflict during periods of changing synchronization.

Note:

Synchronization with the NTP server may not be immediate. You may need to wait 10-15 minutes for ISE to
select the NTP server over the local clock please be patient

ISE 1.2 Bootstrap Lab Guide

12

Lab Exercise 2: Setup Wizard

Exercise Description
This exercise walks you through the various steps of the Setup Wizard allowing the ability to
select wired, wireless networks, user and/or guest access, enabling profiling, posture, BYOD,
entering the Network Device details, allowing you to pick either Active Directory or the ISE
Internal database for the user information and the subnets that need to be protected from the
guest access.

Exercise Objective
In this exercise, your goal is to:

familiarize yourself with the Setup Wizard

use the Setup Wizard to configure the wired user authentication

Lab Exercise Steps

Step 1

Start a web session with ISE. From the Admin PC,

a. Open a Firefox browser window and browse to http://ise-1.demo.local
b. The session will be redirected to the secure login page, https://ise-1.demo.local/admin
c.

You will be asked to confirm a security exception confirm the security exception
i. What is the security exception?
ii. Examine the web sites certificate who is the certificate issuer?

Step 2

Login using the ISE credentials admin/ISEisC00L

Step 3

When logging in for the first time, the ISE is installed with the Eval License. The below message
will pop-up.

Check the box against the Do no show this message again and Click on OK.
Note:

The above window will not appear in the lab as the ISE image has been installed with a 5 year
license.

ISE 1.2 Bootstrap Lab Guide

13

Step 4

When logging in for the first time, the Setup Assistant Wizard pops up as shown below:

a. Choose the check box against Dont ask me again if you do not wish to see this for
further logins and click on Yes to launch the Setup Assistant.
b. If youve selected No for the Setup Assistant Wizard and would like to re-launch it, the
Setup Assistant Wizard can be launched from the top right hand corner. Select the Run
setup assistant option.

Step 5

The first screen on the Setup Assistant gathers the basic details about the type of deployment.
For this lab, select the options as shown below:

ISE 1.2 Bootstrap Lab Guide

14

a. Since, we will not using IP phone, uncheck the box again Cisco Unified IP Phones
b. Click on Next to go to the Configure Network Access Service.
Step 6

In the Configure Network Access Service, well be selecting the various options and
specifying the required information for each option.

a. For Do you want to authenticate users using Cisco ISE?, select Yes.
b. Select the checkbox against Join the Active Directory domain and enter the following
i. Domain: demo.local
ii. Administrator Name: admin
iii. Administrator Password: ISEisC00L
c.

Click on Join Active Directory domain to join into the AD.

d. Once the join succeeds, the option for Select an AD group shows. Scroll down and
select the group as shown below

Step 7

Next proceed to selecting the other options. Since we are using the Setup Wizard to do the
Wired User Authentication, well be skipping over some of the options.

ISE 1.2 Bootstrap Lab Guide

15

a. Skip the question for Posture.

b. Select Yes for Do you want to enable endpoint profiling?
i. For the SNMP string enter ISEisC00L
c.

Leave all the other options at the default No.

Click on Next to go the Network Devices section.

Step 8

At this point you should be in the Select Network Devices section. Enter the information for the
Network Device under test as shown below.
a. Click on the checkbox against the Cisco Catalyst 3560 Series Switches
b. For the other details, enter the information as below :
i. Device Name: 3K-Access
ii. Device IP Address: 10.1.100.1/32
iii. Employee VLAN Id: 10
iv. Employee Switched VLAN Interface: 10.1.10.1/24
v. DHCP Server IP address: 10.1.100.10

ISE 1.2 Bootstrap Lab Guide

16

vi. Default Gateway IP address: 10.1.29.1

vii. Uplink IP Address: 10.1.29.2/24

c.

For RADIUS Shared Secret enter ISEisC00L

d. Click on Next to go the next section.

Step 9

In this section Review and Confirm You Choices, you can review all the choices selected in
the previous screens.

ISE 1.2 Bootstrap Lab Guide

17

If there are any corrections to be made, click on the Previous to change the settings.
If all the information is correct, click on Confirm Configuration Settings.
Step 10

At this point ISE will start generating the ISE and switch configurations. Youll see a progress
screen as shown below.

Step 11

After all the configurations are generated, youll see the following:

Goti

a. The following tabs are shown:

i. Review your selection
ii. Network Device Configuration
iii. ISE Configurations.

b. Go to the Network Device Configuration tab and copy and paste the switch
configuration to the notepad on the Admin PC. Well use some of these commands to
configure the switch in Lab Exercise 3.

c.

Go to ISE Configuration tab to verify the various ISE Configs that were auto generated.

d. Click on Exit to exit the Setup Wizard.

ISE 1.2 Bootstrap Lab Guide

18

e. Next, go to Administration > Identity Management > External Identity Sources >
Active Directory and verify the AD configuration.
f.

Go to Policy > Authentication to see the Authentication policies that were generated. All
the policies generated using the Setup Wizard will have the prefix AutoGen

g. Go to Policy > Authorization to verify the Authorization rules and policies that were auto
generated using the Setup Wizard.

End of Exercise: You have successfully completed this exercise.

Proceed to next section.

ISE 1.2 Bootstrap Lab Guide

19

Lab Exercise 3: Wired Switch Configuration

Exercise Description
There are numerous lines of IOS configuration that are required for the TrustSec identity
functionality. This exercise walks you through the key TrustSec elements of a baseline IOS
configuration which were generated by the ISE Setup Wizard

Exercise Objective
In this exercise, your goal is to review and understand the IOS baseline configurations described
in this exercise.
The switch is already configured with the VLAN and the routing configurations. So, well only be
configuring the missing commands.
Note:

Some of the CLI commands may already be pre-configured. Verify and configure only the missing
CLI configs.

Lab Exercise Steps

Step 1

Login to the 3k-access switch from the Admin PC desktop using the PUTTY, credentials
admin/ISEisC00L.

Step 2

For this entire exercise use the Switch commands that were generated by the ISE Setup Wizard
in Step 11.b from Lab Exercise 2.

Step 3

From the section titled ! AAA Configuration in the switch commands, configure the AAA
settings
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius

Step 4

Enable RADIUS Change of Authorization (CoA)

aaa server radius dynamic-author
client 10.1.100.21 server-key ISEisC00L

ISE 1.2 Bootstrap Lab Guide

20

aaa session-id common

Step 5

Configure the CLI commands for device discovery

ip dhcp snooping
ip device tracking

Step 6

Enable 802.1X authentication globally on the switch

dot1x system-auth-control

Step 7

Configure the RADIUS settings

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key
ISEisC00L
radius-server vsa send accounting
radius-server vsa send authentication

Step 8

The VLAN configuration should already be pre-configured on the switch. So, skip the VLAN
configuration commands

Step 9

Enable IOS http servers for web auth

ip http server
ip http secure-server

Step 10

The routing configurations are already configured on the switch. DO NOT make any changes to
the routing configuration

Step 11

The following logging commands are for troubleshooting and POC only and not for production
networks.
logging host 10.1.100.21 transport udp port 20514
logging origin-id ip
logging source-interface Vlan100

Step 12

Configure Ingress Port ACLs

ISE 1.2 Bootstrap Lab Guide

21

ip access-list extended ACL-DEFAULT

remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq 443
permit tcp any host 10.1.100.21 eq www
permit tcp any host 10.1.100.21 eq 8905
permit tcp any host 10.1.100.21 eq 8909
permit udp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
Step 13

Enable command for Profiling

access-list 20 remark ISE Profiling SNMP probe access
access-list 20 permit 10.1.100.21
snmp-server community ISEisC00L RW
snmp-server host 10.1.100.21 version 2c ISEisC00L

Step 14

Now, configure the interface level commands which include the basic identity settings on the
switch ports and the identity mode. Go to the GigInterface0/1 to configure all the interface
settings
switchport access vlan 10
switchport mode access
ip access-group ACL-DEFAULT in

ISE 1.2 Bootstrap Lab Guide

22

authentication event fail action next-method

authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Ensure that the port is not in shutdown state. If so, issue the CLI command no shutdown.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

ISE 1.2 Bootstrap Lab Guide

23

Lab Exercise 4: Wired User Authentication

Verification
Exercise Description
After configuring the required policies on the ISE and doing the switch configuration, the last step
to is to verify that the defined policies can be used for Wired Users.

Exercise Objective
In this exercise, your goal is to verify the Wired User Authentication and understand the
authorization profiles that the authentication matched with.

Lab Exercise Steps

Step 1

Open and login to the VMware vSphere Client on the desktop of your lab console

Step 2

If the p##_w7-pc-guest VM is not turned on already, start it by right-clicking on the VM and

selecting Power > Power On

Step 3

Right-click on p##_w7-pc-guest VM and select Open Console.

Step 4

Login to your Windows 7 Enterprise endpoint with the credentials admin/ISEisC00L. You may
need to use the menu item (top left of vsphere client) VM > Guest > Send Ctrl+Alt+Del to
invoke the Windows login screen

Step 5

From the Windows desktop, click Start and type services.msc Scroll down until you see the
Wired AutoConfig (not WLAN AutoConfig) service.

Step 6

Right-Click Wired AutoConfig and select Properties.

ISE 1.2 Bootstrap Lab Guide

24

Step 7

Choose Startup type: Automatic

Step 8

Start the service and select OK.

Step 9

From the Windows desktop, go to Start Menu > Control Panel > Network and Internet >
Network and Sharing Center

Step 10

Select Change Adapter Settings from the left column.

Step 11

Right-click on the network adapter called w7-pc-guest-wired and select Enable

Step 12

Right-click again on the network adapter named w7-pc-guest-wired and select Properties
from the menu.

Step 13

Click the Authentication tab (this was enabled by starting the Wired AutoConfig service) and
verify the settings:

Step 14

Select Settings next to Microsoft: Protected EAP (PEAP) and uncheck Validate Server
Certificate.

ISE 1.2 Bootstrap Lab Guide

25

Step 15

For Select Authentication Method choose Secured password (EAP-MSCHAP v2) then
select Configure

Step 16

Uncheck "Automatically use my Windows logon name and password" to prevent

username/password caching and allow you to easily test many different users and groups.

Step 17

Select OK

Step 18

Select Additional Settings

Step 19

Enable Specify authentication mode and choose User authentication

ISE 1.2 Bootstrap Lab Guide

26

Step 20

Select OK and OK again to save and exit settings. The endpoint should now be ready to
handle 802.1X user authentication.

Step 21

You should see a message popup on the Windows 7 Endpoint: Additional information is
needed to connect to this network. Click on the message to view the 802.1X user
authentication dialog.

Note:

Step 22

Note:

If you wait too long to respond, the message may disappear. If so, disable and enable the interface to get
the pop-up back.

Enter the credentials for the user account employee1/ISEisC00L

Microsoft Windows does not provide any feedback for a Passed Authentication but it will re-prompt you for a
failed authentication.

ISE 1.2 Bootstrap Lab Guide

27

Step 23

Verify your authentication passed in ISE under Operation > Authentications. You should the
authentication information in the live logs similar to below :

Verify that the authorization profile used matches the profile defined using the Setup Wizard.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.

ISE 1.2 Bootstrap Lab Guide