
Cisco Identity Services Engine (ISE)

Not For Resale (NFR)

Config Guide

Connected Architectures Partner Organization (CAPO)


Secure Access and Mobility Product Group (SAMPG)
February 13th 2014
ise_nfr_partner_bundle@cisco.com

Cisco ISE NFR Guide

Table of Contents

Introduction
Lab Hardware and Topology
Network Access Devices
Virtual Machines
    Services NFR
    ISE NFR
    Virtual Wireless LAN Controller
        Installation
        Licensing
        Configuration
Next Steps
Appendix 1: Bill of Materials
Appendix 2: Catalyst 3560 Configuration
Appendix 3: ASA Configuration


Introduction

This document describes how to build out the hardware and software components of the Identity Services Engine (ISE) Not For Resale (NFR) partner bundle. The bundle provides ISE and Services VMs that partners can use to build a purpose-built lab. The ISE NFR partner bundle is orderable on Marketplace: http://cisco.mediuscorp.com/ise.
The ISE image included with the NFR kit comes with a minimal configuration for simple insertion into a lab environment. It carries 20 non-expiring Base and Advanced licenses and supports upgrades. The USB drive from Marketplace includes a configuration file that can be used to restore the base configuration and licenses.
The Services image included with the NFR kit is a Linux VM that provides the services ISE depends on, such as NTP, DNS, DHCP, LDAP, and a CA. The Linux VM is preconfigured but can be customized to match specific customer use cases or scenarios. This image works well for training, demonstrations, and POCs, but is not supported for production deployments.
Through the Cisco Partner Community, we have made information available to stand up a pre-configured demo environment that highlights key ISE use cases. Additional files referenced in this document can be downloaded from https://communities.cisco.com/docs/DOC-36078
As a partner, you can use the information in this document and on the community page above to deploy the pre-configured environment. Alternatively, you can work through the configuration elements yourself using the ISE COLD (COnfigured Limited Deployment) program. The end result is similar, but ISE COLD also serves as an enablement activity because you build the configuration for each component. More information about ISE COLD, including the Build and Use Case guides, is available on the partner community: https://communities.cisco.com/docs/DOC-32999

Lab Hardware and Topology

The document was written with the recommended hardware in mind, but can be customized to match your environment. The table below lists the recommended hardware components for the solution. A detailed Bill of Materials is available in Appendix 1.

Hardware              Description
UCS C22 M3 SERVER     8x300GB HD, 64 GB RAM, 2x6C CPU, Quad GbE
WS-C3560CG-8PC-S      Catalyst 3560C Switch 8 GE PoE(+), 2 x Dual Uplink
ASA5505-BUN-K9        ASA 5505 Security Appliance
AIR-CAP2602I-A-K9     802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; A Reg Domain

Below is a representation of the recommended topology for the ISE NFR program. You can refer to the
ISE COLD program for detailed guidelines to install and configure the hardware.

[Topology diagram. It shows the ASA5505 with its outside interface (vlan 30) acting as a DHCP client toward the Internet, an uplink on vlan 70 (10.1.70.0/24) to the 3560CG, a vlan 60 (10.1.60.0/24) connection to UCS vmnic 0, and a vlan 20 (10.1.20.0/24) connection to the 3560CG; the Catalyst 3560CG with the AP-2600 on a trunk port (vlan 90), the UCS C22M3 vmnics and UCS management on g0/2 through g0/7 (vlan 10, vlan 20, vlan 100 and a trunk), and the customer network on g0/1 (vlan 100, MGMT). The gateway holds the .1 address in each subnet and the AP the .2 address in vlan 90. The port-by-port assignments are listed in the tables below.]
Switch (S) 15.0(2)SE

Port   Config     Destination
0/1    vlan 100   Admin
0/2    vlan 100   vmnic 4
0/3    vlan 20    vmnic 3
0/4    vlan 10    vmnic 2
0/5    Trunk      vmnic 1
0/6    vlan 100   UCS-M
0/7    vlan 10    Devices
0/8    Trunk      AP
0/9    vlan 20    A-0/3
0/10   vlan 70    A-0/1

ASA (A) 9.1.1

Port   Config     Destination
0/0    vlan 30    Internet
0/1    vlan 70    S-0/10
0/2    vlan 60    vmnic 0
0/3    vlan 20    S-0/9

VLAN #   IP Subnet        VLAN Name      Description
10       10.1.10.0/24     ACCESS         Access network for users
20       10.1.20.0/24     SGFW           Network for SGFW users
30       DHCP             ASA_OUTSIDE    Outside network for internet access
50       10.1.50.0/24     GUEST          Network for guest users
60       10.1.60.0/24     ASA_VPN        VPN client to ASA VPN interface
70       10.1.70.0/24     ASA_IN         Switch uplink to ASA
90       10.1.90.0/24     WIRELESS       Wireless AP connection for the CAPWAP (LWAPP) tunnel
100      10.1.100.0/24    DATACENTER     Network services (AAA, AD, DNS, DHCP, NTP, vWLC, etc.)


Credentials

Use the following credentials to access the Network Access Devices and Virtual Machines. These are shared lab defaults: the same password is used on every device, and it also appears in cleartext in the switch and ASA configurations in the appendices (enable secret, admin user, RADIUS key, and SNMP community). Change them before this lab is reachable from any network other than your own, and treat the demo environment as untrusted until you do.

Device         IP             Username        Password
Switch         10.1.100.1     admin           ISEc0ld
ASA            10.1.70.1      admin           ISEc0ld
vWLC           10.1.100.41    admin           ISEc0ld
ISE NFR        10.1.100.21    admin           ISEc0ld
Services NFR   10.1.100.12    administrator   ISEc0ld

Use the following accounts to authenticate to the ISE local database.

Username     Password
employee     ISEc0ld
itadmin      ISEc0ld
contractor   ISEc0ld

Network Access Devices

Begin by updating the 3560CG-8PC using the configuration available in Appendix 2 and in the partner community. This guide was built with a 3560CG-8PC switch running the 15.0(2)SE2 release. Load this or a similar release to ensure proper functionality. The configuration is based on the Universal Switch Configuration from the TrustSec Design Zone and the configuration elements available in the ISE COLD program. Refer to the partner community and the additional documentation on the Design Zone to learn more about the individual commands and their functions:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Next, update the configuration on your ASA. Note that the default password for the ASA is blank. First, erase the default configuration. Then apply a Security Plus license and load the configuration available in Appendix 3 and in the partner community. This guide was built with an ASA 5505 running the 9.1(1) release. Load this or another release that provides a consistent configuration environment.


Virtual Machines

This section covers the process to install the Services and ISE virtual machines included in the ISE NFR kit and the vWLC available from CCO. OVA files are provided for the ISE and Services VMs to enable simple insertion into an existing ESXi environment. For simplicity, this guide covers a direct connection from the vSphere client to an ESXi host rather than going through vCenter. The steps that follow assume a working ESXi environment with the vSphere client installed on the admin machine. Refer to the ISE COLD program for detailed configuration steps.
In the example environment, each VLAN has a dedicated NIC. Trunk ports can be used on supported NICs, but were unnecessary here because six NICs were available. It is very important to plan physical connections and VLANs early in the build. This ensures that you are able to complete all desired use cases with the available NICs.
For this setup, the DATACENTER network is required for connectivity to the Services and ISE VMs. To configure networking in the vSphere client, navigate to Home > Inventory > Inventory. Select the UCS host and click the Configuration tab. Select Networking in the Hardware pane and ensure vSphere Standard Switch is selected.

First, edit the default vSwitch0 to include the DATACENTER VLAN traffic. Click the Properties link next
to vSwitch0. On the Ports tab, click Add to add a network to support virtual machine traffic. Select
Virtual Machine for the Connection Type and click Next.

Enter a Network Label of DATACENTER and click Next.


Confirm the new setting and click Finish and then Close.

Next, you will add additional vSphere Standard Switches. This guide will walk you through the
configuration of one as an example and provide a table for the additional switches. To begin, click Add
Networking...


Select Virtual Machine for the Connection Type and click Next.

Select the Create a vSphere standard switch radio button, ensure that the box for vmnic0 is checked
and click Next.

Enter a network label of VPN and click Next. (This vSwitch carries the ASA_VPN network, VLAN 60, which the ASA delivers on vmnic0.)

Confirm settings and click Finish.

This completes the initial vSwitch configuration. Follow the steps above to add networking for the following vSwitches. The first two rows were created above, but are included as a reference for building the remaining vSwitches.

Connection Type     vmnic      Network Label
Virtual Machine     vmnic 4    DATACENTER
Virtual Machine     vmnic 0    VPN
Virtual Machine     vmnic 1    WIRELESS
Virtual Machine     vmnic 2    ACCESS
Virtual Machine     vmnic 3    SGFW

When complete, your virtual networking environments should provide similar functionality to the
example below.

Both ISE and the Virtual Wireless LAN Controller require their virtual switches to operate in promiscuous mode. This is not the default setting, and you will need to update the DATACENTER and WIRELESS port groups. Be deliberate about scope: with Promiscuous Mode set to Accept, every VM attached to that port group can see all traffic on the vSwitch, not only frames addressed to it. Enable it only on the two port groups that need it and leave the ACCESS, SGFW, and VPN port groups at Reject. Select the Properties link above the vSwitch with the DATACENTER port group. Within the vSwitch Properties window, select the DATACENTER port group and click Edit.

In the DATACENTER Properties window, click the Security tab, select the Promiscuous Mode check box, and change the option to Accept. Click OK when complete.

Complete the same steps for the WIRELESS port group to enable Promiscuous Mode.

The WIRELESS port group also needs to be a trunk to support wireless network operations. Within the WIRELESS Properties window, select the General tab and select the All (4095) option in the VLAN ID (Optional) field. Click OK followed by Close to complete the updates.

5.1 Services NFR

The Services NFR VM provides the services ISE depends on: DNS, DHCP, NTP, HTTP, LDAP (389 Directory Server), and a CA. The Linux VM is preconfigured but can be customized to meet specific customer use cases or scenarios. View the Configuration Example to learn more about the CA setup and functionality. To begin importing the VM into your environment, open the vSphere client and connect to the desired ESXi host.

From the menu bar, select File > Deploy OVF Template

Browse to and select the Source, Services NFR.ova, from the USB drive. Select Next to continue. Click
Next to accept the default values on the OVF Template Details, Name and Location, Resource Pool, Disk
Format, and Network Mapping sections. Confirm the settings on the Ready to Complete screen and click
Finish to begin the VM Deployment.


From vSphere, you can control multiple facets of Virtual Machine operation. At the most basic level, you can power on, power off, or open the console of VMs. To power on the Services VM, right-click the Services NFR VM and select Power > Power On. Alternatively, select Services NFR under the ESXi host and click the Power On button on the toolbar.

To update the DHCP configuration, copy the dhcpd.conf file from the partner community to a host running an FTP server. SSH to the Services NFR VM at 10.1.100.12 and log in as root with the password ISEc0ld. (The session below uses cleartext FTP and a shared lab password; that is acceptable only on the isolated DATACENTER VLAN.)
login as: root
root@10.1.100.12's password: ISEc0ld

Follow the process below to fetch the new file and restart the DHCP service. Note that the ftp client runs on the Services VM and pulls the file from the FTP server, so the command is get, not put.
[root@magicserver ~]# ftp <ftp server IP>
!Authenticate to the ftp server
Name (10.1.100.112:root): admin
331 Password required for admin.
Password: ISEc0ld
!Change the local directory to where dhcpd reads its configuration
ftp> lcd /etc/dhcp/
Local directory now /etc/dhcp
!Download dhcpd.conf from the ftp server into /etc/dhcp
ftp> get dhcpd.conf
local: dhcpd.conf remote: dhcpd.conf
227 Entering Passive Mode (10,1,100,112,207,128).
150 Opening data connection for dhcpd.conf.
226 File sent ok
1455 bytes received in 0.000151 secs (9635.76 Kbytes/sec)
!Exit the ftp session
ftp> quit
221 Goodbye.
!Check the new file for syntax errors before restarting; a broken dhcpd.conf leaves the lab without DHCP
[root@magicserver ~]# dhcpd -t -cf /etc/dhcp/dhcpd.conf
!Restart the dhcpd service
[root@magicserver ~]# service dhcpd restart
Redirecting to /bin/systemctl restart dhcpd.service


Verify the DNS, DHCP, NTP, HTTP, LDAP, and CA services by issuing the following commands and ensuring that each service reports active (running). Note that the directory service on this VM is 389 Directory Server (the dirsrv unit below), not OpenLDAP, even though ISE uses it as an LDAP identity store.
DNS: systemctl status named.service
[root@magicserver ~]# systemctl status named.service
named.service - LSB: start|stop|status|restart|try-restart|reload|force-reload DNS server
Loaded: loaded (/etc/rc.d/init.d/named)
Active: active (running) since Fri, 06 Sep 2013 10:58:03 -0700; 6 days ago
Process: 1098 ExecStart=/etc/rc.d/init.d/named start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/named.service
1166 /usr/sbin/named -u named -t /var/named/chroot

DHCP: systemctl status dhcpd.service


[root@magicserver ~]# systemctl status dhcpd.service
dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/lib/systemd/system/dhcpd.service)
Active: active (running) since Fri, 06 Sep 2013 10:57:59 -0700; 6 days ago
Main PID: 1087 (dhcpd)
CGroup: name=systemd:/system/dhcpd.service
1087 /usr/sbin/dhcpd -d

NTP: systemctl status ntpd.service


[root@magicserver ~]# systemctl status ntpd.service
ntpd.service - Network Time Service
Loaded: loaded (/lib/systemd/system/ntpd.service)
Active: active (running) since Fri, 06 Sep 2013 10:57:48 -0700; 6 days ago
Main PID: 761 (ntpd)
CGroup: name=systemd:/system/ntpd.service
761 /usr/sbin/ntpd -n -u ntp:ntp -g


HTTP: systemctl status lampp.service


[root@magicserver ~]# systemctl status lampp.service
lampp.service - LSB: XAMPP
Loaded: loaded (/etc/rc.d/init.d/lampp)
Active: active (running) since Fri, 06 Sep 2013 10:58:50 -0700; 6 days ago
Process: 1588 ExecStart=/etc/rc.d/init.d/lampp start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/lampp.service
1743 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt...
1762 /bin/sh /opt/lampp/bin/mysqld_safe --datadir=/opt/...
1821 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt...
1849 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt...
1850 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt...
1851 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt...
1853 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt...
1855 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt...
2130 /opt/lampp/sbin/mysqld --basedir=/opt/lampp --data...
2292 proftpd: (accepting connections)

LDAP (389 Directory Server): systemctl status dirsrv.service


[root@magicserver ~]# systemctl status dirsrv.service
dirsrv.service - SYSV: 389 Directory Server
Loaded: loaded (/etc/rc.d/init.d/dirsrv)
Active: active (running) since Fri, 06 Sep 2013 10:58:10 -0700; 6 days ago
Process: 1174 ExecStart=/etc/rc.d/init.d/dirsrv start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/dirsrv.service
1190 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-magicserve...

CA: systemctl status pki-cad.service


[root@magicserver ~]# systemctl status pki-cad.service
pki-cad.service - SYSV: Certificate Authority (Tomcat 6.0)
Loaded: loaded (/etc/rc.d/init.d/pki-cad)
Active: active (running) since Fri, 06 Sep 2013 10:58:32 -0700; 6 days ago
Process: 1439 ExecStart=/etc/rc.d/init.d/pki-cad start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/pki-cad.service
1511 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/t...

5.2 ISE NFR

The ISE NFR VM ships with a minimal configuration, and a configuration backup is available for demo environments. Follow the same procedure as for the Services VM to import the ISE NFR OVA. From the vSphere client, select File > Deploy OVF Template.

Browse to and select the Source, ISE NFR.ova, from the USB drive. Select Next to continue. Click Next to accept the default values on the OVF Template Details, Name and Location, Resource Pool, Disk Format, and Network Mapping sections. Confirm the settings on the Ready to Complete screen and click Finish to begin the VM deployment.

To power on the ISE VM, right-click the ISE NFR VM and select Power > Power On. Alternatively, select ISE NFR under the ESXi host and click the Power On button on the toolbar.


To verify that services are running properly, SSH to the ISE NFR VM at 10.1.100.21. Log in as admin with a password of ISEc0ld.
login as: admin
admin@10.1.100.21's password: ISEc0ld

Verify that ISE services are running by issuing the show application status ise command and confirming that every service reports running. The disk-size warning at the end is expected on the NFR VM, which is deliberately smaller than the 200 GB minimum for a production persona; it is one more reason this image is not supported for production.
ise/admin# show application status ise
ISE Database listener is running, PID: 5137
ISE Database is running, number of processes: 37
ISE Application Server is running, PID: 7517
ISE Profiler DB is running, PID: 6097
ISE M&T Session Database is running, PID: 4030
ISE M&T Log Collector is running, PID: 7600
ISE M&T Log Processor is running, PID: 7667
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE!
% MINIMUM DISK SIZE FOR THIS PERSONA: 200 GB, CURRENT DISK SIZE: 137 GB

Verify that NTP is properly synced to the Services NFR VM by issuing the show ntp command and confirming that 10.1.100.12 is the current time source. The asterisk marks the server ISE is synchronized with. Allow a few minutes for synchronization to complete. A peer whose refid is .STEP. or .INIT., or whose stratum is 16, is not usable yet; 127.127.1.0 with refid .LOCL. is the local clock and is never an acceptable source.

ise/admin# show ntp

Configured NTP Servers:
10.1.100.12
10.1.100.10
synchronized to NTP server (10.1.100.12) at stratum 3
time correct to within 70 ms
polling server every 1024 s

     remote           refid      st t  when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l    64       377    0.000    0.000   0.001
*10.1.100.12     129.6.15.29      2 u   983 1024  377    0.419    3.541   1.503
 10.1.100.10     .STEP.          16 u     - 1024         0.000    0.000   0.000
* Current time source, + Candidate

Warning: Output results may conflict during periods of changing synchronization.
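The checks in this section (every ISE service reports running, the asterisk in show ntp sits on 10.1.100.12, and no local or unsynchronized clock is selected) are easy to misread by eye when repeated across several lab rebuilds. The script below is an added example and not part of the Cisco guide or of ISE itself: it parses the text of show application status ise and show ntp as pasted from an SSH session and returns the verdicts. The sample output embedded in it is constructed from the transcript above, with the peer-table rows filled out so every column is present.

```python
"""Post-install health check for the ISE NFR VM, run against pasted CLI output.

Added example (not from the Cisco NFR guide or the ISE product): it parses the
text of "show application status ise" and "show ntp" and returns the verdicts
the guide asks you to confirm by eye. The sample output below is constructed
from the guide's transcript.
"""
import re

EXPECTED_NTP_SOURCE = "10.1.100.12"  # Services NFR VM, per the guide

# Constructed sample: a copy of the guide's "show application status ise" output.
APP_STATUS_SAMPLE = """\
ISE Database listener is running, PID: 5137
ISE Database is running, number of processes: 37
ISE Application Server is running, PID: 7517
ISE Profiler DB is running, PID: 6097
ISE M&T Session Database is running, PID: 4030
ISE M&T Log Collector is running, PID: 7600
ISE M&T Log Processor is running, PID: 7667
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE!
% MINIMUM DISK SIZE FOR THIS PERSONA: 200 GB, CURRENT DISK SIZE: 137 GB
"""

# Constructed sample: the guide's "show ntp" peer table with its columns completed.
SHOW_NTP_SAMPLE = """\
Configured NTP Servers:
10.1.100.12
10.1.100.10
synchronized to NTP server (10.1.100.12) at stratum 3
time correct to within 70 ms
polling server every 1024 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   64   64  377    0.000    0.000   0.001
*10.1.100.12     129.6.15.29      2 u  983 1024  377    0.419    3.541   1.503
 10.1.100.10     .STEP.          16 u    - 1024    0    0.000    0.000   0.000
* Current time source, + Candidate
"""

SERVICE_RE = re.compile(r"^(ISE .+?) is (running|not running)")
# ntpq-style peer row: tally, remote, refid, stratum, type, when, poll, reach, delay, offset, jitter
PEER_RE = re.compile(
    r"^(?P<tally>[ *+#xo.-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>[ulbsm-])\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)"
)
UNUSABLE_REFIDS = {".LOCL.", ".STEP.", ".INIT."}  # local clock / stepping / never polled


def parse_app_status(text):
    """Split 'show application status ise' into (running, stopped, warnings)."""
    running, stopped, warnings = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("%"):
            warnings.append(line.lstrip("% "))
            continue
        m = SERVICE_RE.match(line)
        if m:
            (running if m.group(2) == "running" else stopped).append(m.group(1))
    return running, stopped, warnings


def parse_ntp_peers(text):
    """Return the peer rows of 'show ntp' as dicts; reach is converted from octal."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.groupdict()
            peer["st"] = int(peer["st"])
            peer["reach"] = int(peer["reach"], 8)
            peers.append(peer)
    return peers


def check_ntp(text, expected=EXPECTED_NTP_SOURCE):
    """(ok, reason): ok only if the '*' peer is the expected server, reachable, and a real upstream."""
    selected = [p for p in parse_ntp_peers(text) if p["tally"] == "*"]
    if not selected:
        return False, "no peer selected as current time source yet; allow a few minutes"
    p = selected[0]
    if p["remote"] != expected:
        return False, f"synchronized to {p['remote']}, expected {expected}"
    if p["refid"] in UNUSABLE_REFIDS or p["st"] >= 16:
        return False, f"{p['remote']} is not a usable source (refid {p['refid']}, stratum {p['st']})"
    if p["reach"] == 0:
        return False, f"{p['remote']} has not answered any of the last 8 polls"
    return True, f"synchronized to {p['remote']}; ISE runs at stratum {p['st'] + 1}"


def health_report(app_status_text, show_ntp_text):
    """Overall verdict for the two checks the guide asks for."""
    running, stopped, warnings = parse_app_status(app_status_text)
    ntp_ok, ntp_reason = check_ntp(show_ntp_text)
    return {
        "services_ok": bool(running) and not stopped,
        "stopped": stopped,
        "warnings": warnings,
        "ntp_ok": ntp_ok,
        "ntp_reason": ntp_reason,
    }


if __name__ == "__main__":
    for key, value in health_report(APP_STATUS_SAMPLE, SHOW_NTP_SAMPLE).items():
        print(f"{key}: {value}")
```

Paste the real output from your own session in place of the two sample strings; the reach column is octal in ntpq output, so 377 means all of the last eight polls were answered and 0 means none were.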


The next step is to restore the Demo Configuration to ISE. Download the current version from the
Security Partner Community: https://communities.cisco.com/docs/DOC-36078. Then, access the ISE GUI
at https://10.1.100.21 and login with the credentials admin / ISEc0ld. Navigate to Administration >
System > Maintenance and select the Repository Link.

Select the FTP Repository and click Edit. Update the settings as required for your environment and click
Save. Start the FTP server on the admin machine and place the demo config in the appropriate directory.

Then, navigate to Administration > System > Backup & Restore. Select FTP from the History for
Repository Dropdown and confirm the Demo Configuration is listed.


Click the Restore link to the right of the NFR_1.x_Demo-CFG-X.tar.gpg configuration and enter the Encryption Key ISEc0ldISEc0ld. Click Start Restore and wait for the process to complete.

The restore process takes about 30 minutes depending on the network and VM resources available. You can monitor progress by entering show restore status in the ISE CLI. When it has finished, verify the new configuration elements for Secure Access, Profiling, Guest, Posture, SGA, and BYOD.

5.3 Virtual Wireless LAN Controller

5.3.1 Installation
Download the latest Virtual Wireless LAN Controller (vWLC) from CCO. The .ova file is required for the first-time installation only; the .aes file is used for upgrades.

After downloading the appropriate OVA, deploy it by selecting your ESXi host and clicking File > Deploy OVF Template. Browse to the download location of your OVA and click Open. Click Next to confirm the source and Next again to confirm the OVF Template Details.


Enter vWLC for the Name and click Next. Click the radio button for Thick Provision Lazy Zeroed and click Next.

Change the Destination Network to WIRELESS and click Next. Finally, confirm the appliance details and click Finish to deploy the VM.

Installation completes in a few minutes and the vWLC is then ready for configuration. When the vWLC Virtual Machine is ready to power on and bootstrap, select the vwlc VM in the Home > Inventory > Inventory window and click Power On.
Click the Launch Virtual Machine Console icon to open a console and click in the console as the VM powers on. The installation process will continue. When prompted to Press any key to use this terminal as the default terminal, be sure to click in the window and press any key.

Wait until the vWLC prompts Would you like to terminate autoinstall? Type yes and press Enter. When prompted, enter the following values to bootstrap the vWLC, pressing Enter after each. The RADIUS secret entered here must match the shared secret configured for the vWLC network device in ISE.

Prompt                                                         Value
System Name                                                    vWLC
Enter Administrative User Name                                 admin
Enter Administrative Password                                  ISEc0ld
Re-enter Administrative Password                               ISEc0ld
Service Interface IP Address Configuration                     static
Service Interface IP Address                                   10.1.80.41
Service Interface Netmask                                      255.255.255.0
Management Interface IP Address                                10.1.100.41
Management Interface Netmask                                   255.255.255.0
Management Interface Default Router                            10.1.100.1
Management Interface VLAN Identifier (0 = untagged)            100
Management Interface Port Num                                  1
Management Interface DHCP Server IP Address                    10.1.100.10
Virtual Gateway IP Address                                     1.1.1.1
Mobility/RF Group Name                                         ISECOLD
Network Name (SSID)                                            ISECOLD
Configure DHCP Bridging Mode                                   NO
Allow Static IP Address                                        YES
Configure a RADIUS Server now                                  YES
Enter the RADIUS Server's Address                              10.1.100.21
Enter the RADIUS Server's Port                                 1812
Enter the RADIUS Server's Secret                               ISEc0ld
Enter Country Code list                                        US
Enable 802.11b Network                                         YES
Enable 802.11a Network                                         YES
Enable 802.11g Network                                         YES
Enable Auto-RF                                                 YES
Configure a NTP server now                                     YES
Enter the NTP server's IP address                              10.1.100.10
Enter a polling interval between 3600 and 604800               3600
Configuration correct? If yes system will save it and reset    YES

After the vWLC reboots, login with the credentials admin / ISEc0ld. Issue a show interface summary to
ensure the management interface is up and issue ping 10.1.100.1 to confirm connectivity to the default
gateway. The service-port is not being used and should not have connectivity.


5.3.2 Licensing
Partners can leverage the NFR program for the most cost effective vWLC licensing. It does ship with an
evaluation license by default, but the best practice is to purchase a full license. The Cisco SKU for the
vWLC is L-AIR-CTVM-5-K9 and it is part of the sample BoM provided in Appendix 1.
Point the browser of your admin machine to https://vwlc or https://10.1.100.41 and login with the
credentials admin / ISEc0ld. Use a supported browser such as FireFox for the best results.

Initially, there are 0 Access Points Supported. If you have a full license, navigate to Management >
Software Activation > Commands. From the Action drop-down, select Install License. Enter the
appropriate path to your license and click Install License.

Accept the EULA and restart the vWLC. Go to Commands > Reboot and click the Reboot button. Adjust
popup blocker settings in your browser as required to show the EULA.


After the vWLC reloads, navigate to Management > Software Activation > Licenses. Select the base-apcount link next to the appropriate license.

Regardless of the license type, select High from the Priority drop-down box and click Set Priority.

Click I Accept to accept the EULA and OK to acknowledge the requirement to reboot the controller. Go
to Commands > Reboot and click the Reboot button.

The controller will restart and you should see the correct number of access points supported in the
Monitor > Summary screen.


5.3.3 Configuration
New APs with the proper code level should readily join the vWLC. If your AP does not, console into it and view the join information. Troubleshoot DHCP and communications with the vWLC as required. Also verify that the clocks on the AP and the vWLC are in sync, since the CAPWAP join validates certificates and fails when the time is far off.
If the AP can communicate with the vWLC but cannot join, ensure that its code level is 7.3.1.35 or above. This is a requirement to join the vWLC, and the AP will need to be updated by a physical WLC if it is not at this level. To perform the software update, you can point the AP to a local WLC or to the controller we set up in the Cisco DMZ at 128.107.255.109.
Another reason an AP may not join the vWLC is a stale SSC hash from previously joining a different controller. If this is the case, issue the following commands on the AP and monitor the console to determine whether the AP is able to join.
AP1111.1111.1111# test capwap erase
AP1111.1111.1111# test capwap restart

From your admin machine, browse back to the controller at https://vwlc or https://10.1.100.41 and
login with the credentials admin / ISEc0ld. Click the WIRELESS tab and ensure your AP is listed.

Now that the AP is registered, select the AP name to change the Mode to FlexConnect. The vWLC does
not yet support local mode APs so this is a required step for vWLC deployments only. In the AP Details
screen, select FlexConnect from the AP Mode drop-down box and click Apply. Click OK to confirm the
warning that the AP will reboot.


The next step is to load the Demo Configuration onto the vWLC. Download the current version from the Security Partner Community: https://communities.cisco.com/docs/DOC-36078. This configuration is based on the Universal Wireless LAN Controller Configuration from the TrustSec Design Zone. Refer to that document on the Design Zone to learn more about the individual commands and their functions:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
In the vWLC GUI, navigate to Commands > Download File. Enter the following information, adjusting values as required for your environment. Start the FTP server on the admin machine and place the demo config in the appropriate directory. Click Download, followed by OK to confirm that the file is not encrypted.

The FTP transfer will proceed, the configuration file will be loaded, and the system will reset. After the GUI is available, log in with the credentials admin / ISEc0ld and confirm that the complete configuration is now present.


Next Steps

At this point, your ISE NFR environment has the demo configuration loaded on each of the VMs and NADs. To learn more about the configuration elements, review the ISE COLD Build and Use Case guides on the partner community: https://communities.cisco.com/docs/DOC-32999
We recommend taking snapshots of each of your VMs. This will be beneficial if you need to revert to this state at any time in the future. Prior to taking snapshots, it is a best practice to power down the virtual machines, using the guest OS's own shutdown where possible to minimize disruption. For ISE, access the CLI and issue application stop ise followed by halt to cleanly shut down the appliance.

Once a VM is powered down, use the vSphere client to take a snapshot. Navigate to Home > Inventory > Inventory and select the appropriate VM. From the toolbar, select the Take Snapshot button. In the pop-up window, enter a Name and Description and click OK. More information about snapshot best practices is available in the VMware documentation.

We recommend updating software versions to current releases as desired. Refer to individual product
release notes and upgrade guides for detailed release and configuration information.
This completes the ISE NFR guide. Please submit feedback to ise_nfr_partner_bundle@cisco.com and
refer to the community post for program updates: https://communities.cisco.com/docs/DOC-36078.

Appendix 1: Bill of Materials

Catalyst Switch
Part                 Description                                                     Qty   List Price
WS-C3560CG-8PC-S     Catalyst 3560C Switch 8 GE PoE(+), 2 x Dual Uplink, IP Base     1     1,795
CAB-AC-RA            Power Cord, 110V, Right Angle                                   1     0
RCKMNT-19-CMPCT=     19in RackMount for Catalyst 3560 Compact Switch                 1     75
CON-SNT-WSC3560C     SMARTNET 8X5XNBD Catalyst 3560C Switch 8 GE PoE, 2 x Dual       1     102

ASA
Part                 Description                                                     Qty   List Price
ASA5505-SEC-BUN-K9   ASA 5505 Sec Plus Appliance with SW UL Users HA 3DES/AES        1     1,695
CAB-AC-C5            AC Power Cord, Type C5, US                                      1     0
ASA5505-PWR-AC       ASA 5505 AC Power Supply Adapter                                1     0
ASA-AC-M-5505        AnyConnect Mobile - ASA 5505 (req. Essentials or Premium)       1     100
ASA-AC-E-5505        AnyConnect Essentials VPN License - ASA 5505 (25 Users)         1     100
ASA5505-RACK-MNT=    ASA 5505 Rack Mount Kit                                         1     350
CON-SNT-AS5SBK9      SMARTNET 8X5XNBD ASA5505-SEC-BUN-K9                             1     203

Virtual WLC
Part                 Description                                                     Qty   List Price
L-AIR-CTVM-5-K9      Cisco Virtual Wireless Controller (w/5 Access Points License)   1     750
CON-SAU-CTVM5K9      SW APP SUPP + UPGR Cisco Virtual Wireless                       1     150

Access Point
Part                 Description                                                     Qty   List Price
AIR-CAP2602I-A-K9    802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; A Reg Domain     1     1,095
CON-SNT-AIRCAPN2     SMARTNET 8X5XNBD 802.11n CAP w/CleanA                           1     44

UCS Server
Part                 Description                                                     Qty   List Price
UCSC-C22-M3S         UCS C22 M3 SFF w/ rail kit, w/o PSU, CPU, mem, HDD, PCIe        1     1,688
UCS-CPU-E5-2440      2.40 GHz E5-2440/95W 6C/15MB Cache/DDR3 1333MHz                 2     2,353
UCS-MR-1X162RY-A     16GB DDR3-1600-MHz RDIMM/PC3-12800/dual rank/1.35v              4     625
A03-D300GA2          300GB 6Gb SAS 10K RPM SFF HDD/drive sled mounted                8     589
UCSC-RAID-9240-8I    MegaRAID 9240-8i, RAID 0/1/10/5/50 for C22/C24                  1     797
R2XX-RAID5           Enable RAID 5 Setting                                           1     1
UCSC-PCIE-IRJ45      Intel i350 Quad Port 1Gb Adapter                                1     999
UCSC-PSU-450W        450W power supply for C-series rack servers                     1     560
CAB-9K12A-NA         Power Cord, 125VAC 13A NEMA 5-15 Plug, North America            1     0
UCSC-RAIL1           Rail Kit for C220, C22, C24 rack servers                        1     0
CON-SNT-C22M3S       SMARTNET 8X5XNBD UCS C22 M3 Server - SFF                        1     202

Third Party Products
Item                     Description                                       Qty   List Price
Power Strip              Tripp Lite Waber Power Strip 15ft                 1     30
Rack Screws              Premium Screws with washers                       1     20
Cable Ties               4", 8", and 14" ties to secure equipment          1     40
VMware License           vSphere Essentials Kit                            1     560
Microsoft Subscription   MSDN or TechNet options available                 1     300
Rack Mount Case          Pelican BB0040 or similar                         1     800

Appendix 2: Catalyst 3560 Configuration

!GLOBAL SETTINGS
config t
ip domain-name demo.local
no ip domain-lookup
hostname 3560CG
crypto key generate rsa general-keys mod 2048
ip http server
ip http secure-server
service password-encryption
enable secret 0 ISEc0ld
username admin password ISEc0ld
ip routing
!
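The global settings above store the admin credential with username admin password ISEc0ld. Once service password-encryption is active, IOS rewrites that line (and the RADIUS key and server-key lines further down) as type 7 strings, which are a fixed-key XOR rather than a hash, so anyone who can read the running configuration (show run, a TFTP/FTP backup, or an SNMP-driven config copy) recovers the plaintext. The enable secret 0 ISEc0ld line is different: the 0 only says the input is plaintext, and IOS stores it as a type 5 MD5 hash. The Python below is an added example, not from the guide or from Cisco: it implements the type 7 transform in both directions and audits a constructed show running-config excerpt, which is why username admin secret is the right form for any lab that others can reach.

```python
"""Cisco IOS type 7 password reversal and a small config audit.

Added example (not from the NFR guide or from Cisco). Type 7 is the storage
format IOS uses for 'password' (not 'secret') lines once
'service password-encryption' is on. It is a fixed-key XOR with a two-digit
rotating seed, so anyone who can read the configuration recovers the plaintext.
"""
import re

# Well-known fixed XOR key used by IOS for type 7 encoding.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce the type 7 string IOS would store; seed is the two-digit prefix (0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00-15")
    body = "".join(
        f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, ch in enumerate(plaintext)
    )
    return f"{seed:02d}{body}"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as 0822455D0A16."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


# Any IOS line ending in '<password|key|server-key> 7 <hex>': local users, enable password,
# RADIUS keys and CoA server-keys (the forms the Appendix 2 config uses).
TYPE7_LINE_RE = re.compile(
    r"^(?P<lead>.*\b(?:password|server-key|key))\s+7\s+(?P<enc>[0-9A-Fa-f]+)\s*$",
    re.MULTILINE,
)


def audit_type7(running_config: str):
    """Return [(line_up_to_the_keyword, decoded_secret), ...] for every type 7 value."""
    return [
        (m.group("lead").strip(), type7_decode(m.group("enc")))
        for m in TYPE7_LINE_RE.finditer(running_config)
    ]


# Constructed sample of what 'show running-config' contains after
# 'service password-encryption' rewrites the Appendix 2 lines (not a real capture;
# the type 5 hash is a placeholder and is ignored by the audit).
SAMPLE_RUNNING_CONFIG = f"""\
service password-encryption
enable secret 5 $1$XXXX$placeholder-md5-hash
username admin password 7 {type7_encode("ISEc0ld", 5)}
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key 7 {type7_encode("ISEc0ld", 12)}
aaa server radius dynamic-author
 client 10.1.100.21 server-key 7 {type7_encode("ISEc0ld", 3)}
"""

if __name__ == "__main__":
    for lead, secret in audit_type7(SAMPLE_RUNNING_CONFIG):
        print(f"{lead}: {secret}")
```

Run it against a real show running-config and every line it prints is a credential that a config backup or a read-only operator account discloses. The fix on the switch side is username admin secret (stored as a type 5, 8 or 9 hash); the RADIUS key and server-key values cannot be hashed, since the switch must present them, so they need to be unique per device and rotated with the lab credentials.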
!GLOBAL AAA
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa accounting dot1x default start-stop group radius
!
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 key ISEc0ld
radius-server dead-criteria time 5 tries 3
aaa server radius dynamic-author
client 10.1.100.21 server-key ISEc0ld
!
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
ip radius source-interface Vlan100
ip sla enable reaction-alerts
logging origin-id ip
logging source-interface Vlan100
logging host 10.1.100.21 transport udp port 20514
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
aaa session-id common
dot1x system-auth-control
!
!
!PROFILING
snmp-server community ISEc0ld RO
snmp-server enable traps mac-notification change
snmp-server host 10.1.100.21 version 2c ISEc0ld
!
ip dhcp snooping vlan 10,20,50,90,100
ip dhcp snooping
no ip domain-lookup
ip domain-name demo.local
ip device tracking
!
device-sensor filter-list dhcp list MY_DHCP_LIST
option name host-name
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list MY_LLDP_LIST
tlv name system-name
tlv name system-description
!
device-sensor filter-list cdp list MY_CDP_LIST
tlv name device-name
tlv name platform-type
device-sensor filter-spec dhcp include list MY_DHCP_LIST
device-sensor filter-spec lldp include list MY_LLDP_LIST
device-sensor filter-spec cdp include list MY_CDP_LIST
device-sensor accounting
device-sensor notify all-changes
epm logging
lldp run
!
!
!ACCESS-LISTS
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly deny DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
!
ip access-list extended ACL-ALLOW
permit ip any any
!
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
!
ip access-list extended ACL-DFLT-LESS-RESTRICT
remark DHCP, DNS, ICMP
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 5355
permit icmp any any
remark Allow Microsoft Ports (used for better login performance)
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any any eq netbios-ns
permit udp any any eq 1900
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 eq 1025
permit tcp any host 10.1.100.10 eq 1026
permit tcp any host 10.1.100.21 eq 8443
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
!
ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny udp any host 10.1.100.21 eq 8909
deny udp any host 10.1.100.21 eq 8905
deny tcp any host 10.1.100.21 eq 8443
deny tcp any host 10.1.100.21 eq 8909
deny tcp any host 10.1.100.21 eq 8905
deny tcp any host 192.186.47.19 eq www
deny tcp any host 150.214.142.197 eq www
deny tcp any host 72.232.246.234 eq www
deny tcp any host 207.57.106.31 eq www
deny tcp any host 69.163.100.14 eq www
deny tcp any host 216.34.181.59 eq www
deny tcp any host 216.34.181.138 eq www
deny tcp any host 70.38.0.134 eq www
permit ip any any
!
ip access-list extended ACL-WEBAUTH-REDIRECT
remark explicitly deny DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
!
exit
!
!VLAN SETTINGS
vlan 10
name ACCESS
vlan 20
name SGFW
vlan 50
name GUEST
vlan 90
name WIRELESS
vlan 100
name DATACENTER
!
!
!INTERFACE SETTINGS
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.10
ip helper-address 10.1.100.12
!
interface Vlan50
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.10
ip helper-address 10.1.100.12
!
interface Vlan90
ip address 10.1.90.1 255.255.255.0
ip helper-address 10.1.100.10
ip helper-address 10.1.100.12
!
interface Vlan100
ip address 10.1.100.1 255.255.255.0
!
!

interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
ip dhcp snooping trust
!
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 10
switchport mode access
ip access-group ACL-DFLT-LESS-RESTRICT in
authentication event fail action next-method
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
macsec
mka default-policy
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/6
switchport access vlan 100
switchport mode access
!

interface GigabitEthernet0/7
switchport access vlan 10
switchport mode access
ip access-group ACL-DFLT-LESS-RESTRICT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet0/8
switchport access vlan 90
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/10
no switchport
ip address 10.1.70.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.70.1
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
exec-timeout 0 0
password 7 11202A2014420708
logging synchronous
ntp server 10.1.100.12
do write mem
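
The redirect and port ACLs in this configuration decide which client flows are sent to the ISE portal and which are allowed through before authorization completes. As an added example that is not part of the Cisco guide, the Python evaluator below parses ACL entries in the IOS syntax used here (first match wins, implicit deny at the end; on a redirect ACL a permit means the flow is redirected) and checks constructed flows from an assumed client address 10.1.10.50:

```python
# Added example, not from the Cisco guide: a first-match evaluator for the IOS
# extended ACL syntax in Appendix 2. On a redirect ACL "permit" means the flow is
# sent to ISE; on a port ACL it means allow, and an unmatched flow is denied.
PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "tftp": 69,
         "ntp": 123, "netbios-ns": 137}

def _addr(tok):  # consume 'any' or 'host A.B.C.D'
    a = tok.pop(0)
    return tok.pop(0) if a == "host" else a

def _port(tok):  # consume an optional 'eq <name|number>'
    if not tok or tok[0] != "eq":
        return None
    p = tok[1]
    del tok[:2]
    return PORTS[p] if p in PORTS else int(p)

def parse_acl(text):
    """Return [(action, proto, src, sport, dst, dport), ...] for an ACL body."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # 'ip access-list', 'remark' and '!' carry no rule
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport, sport=None):
    """First matching entry wins; no match means the implicit deny."""
    for action, rp, rs, rsp, rd, rdp in rules:
        if (rp in ("ip", proto) and rs in ("any", src) and rd in ("any", dst)
                and rsp in (None, sport) and rdp in (None, dport)):
            return action
    return "deny"

# Constructed copies of two ACLs from this appendix, used as sample input.
WEBAUTH_REDIRECT = """ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443"""
DFLT_LESS_RESTRICT = """ip access-list extended ACL-DFLT-LESS-RESTRICT
 permit udp any eq bootpc any eq bootps
 permit tcp any host 10.1.100.10 eq 88
 permit tcp any host 10.1.100.21 eq 8443
 deny ip any any log"""

def decision(acl_text, proto, dst, dport, sport=None, client="10.1.10.50"):
    return evaluate(parse_acl(acl_text), proto, client, dst, dport, sport)
```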

Appendix 3: ASA Configuration

conf t
hostname asa
domain-name demo.local
crypto key generate rsa modulus 1024
enable password ISEc0ld level 15
passwd ISEc0ld
names
ip local pool Remote_Access_Pool 10.1.40.10-10.1.40.100 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 30
no shut
!
interface Ethernet0/1
switchport access vlan 70
no shut
!
interface Ethernet0/2
switchport access vlan 60
no shut
!
interface Ethernet0/3
switchport access vlan 20
no shut
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan20
nameif sgfw
security-level 90
ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan60
nameif vpn
security-level 60
ip address 10.1.60.1 255.255.255.0
!
interface Vlan70
nameif inside
security-level 100
ip address 10.1.70.1 255.255.255.0
!
boot system disk0:/asa911-k8.bin
asdm image disk0:/asdm-711.bin
!
object network NAT_GUEST
subnet 10.1.50.0 255.255.255.0
object network NAT_VPN
subnet 10.1.60.0 255.255.255.0
object network NAT_INSIDE
subnet 10.1.70.0 255.255.255.0
object network NAT_SGFW
subnet 10.1.20.0 255.255.255.0
object network NAT_ACCESS
subnet 10.1.10.0 255.255.255.0
object network NAT_DATACENTER
subnet 10.1.100.0 255.255.255.0
object network NAT_RA
subnet 10.1.40.0 255.255.255.0
!
object network AD
host 10.1.100.10
object network datacenter-network
subnet 10.1.100.0 255.255.255.0
object network REMOTE_ACCESS
subnet 10.1.40.0 255.255.255.0
object network INSIDE_HOSTS
subnet 10.1.100.0 255.255.255.0
!
! INSIDE_HOSTS must exist before the object-group below references it
object-group security DEV-USERS-SGOG
security-group name CONTRACTOR_SG
security-group name ITADMIN_SG
object-group security PROG-USERS-SGOG
security-group name EMPLOYEE_SG
security-group name ITADMIN_SG
object-group network DM_INLINE_NETWORK_1
network-object object INSIDE_HOSTS
network-object object datacenter-network
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
!
object network NAT_GUEST
nat (inside,outside) dynamic interface
object network NAT_VPN
nat (vpn,outside) dynamic interface
object network NAT_INSIDE
nat (inside,outside) dynamic interface
object network NAT_SGFW
nat (sgfw,outside) dynamic interface
object network NAT_ACCESS
nat (inside,outside) dynamic interface
object network NAT_DATACENTER
nat (inside,outside) dynamic interface
object network NAT_RA
nat (vpn,outside) dynamic interface
!
!
route inside 10.1.10.0 255.255.255.0 10.1.70.2 1
route inside 10.1.50.0 255.255.255.0 10.1.70.2 1
route inside 10.1.90.0 255.255.255.0 10.1.70.2 1
route inside 10.1.100.0 255.255.255.0 10.1.70.2 1
same-security-traffic permit intra-interface
!
user-identity default-domain LOCAL
http server enable
http 10.1.100.0 255.255.255.0 inside
ssh 10.1.100.0 255.255.255.0 inside
telnet 10.1.100.0 255.255.255.0 inside
ntp server 10.1.100.10 source inside
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
!
no telnet timeout
no ssh timeout
no console timeout
dhcpd domain demo.local
dhcpd address 10.1.60.10-10.1.60.20 vpn
dhcpd dns 8.8.8.8 interface vpn
dhcpd enable vpn
!
username admin password ISEc0ld
!
!
access-list inside_access_in extended permit ip object-group-security PROG-USERS-SGOG any security-group name PROD_SRVR_SG any log
access-list inside_access_in extended permit ip object-group-security DEV-USERS-SGOG any security-group name DEV_SRVR_SG any log
access-list inside_access_in extended deny ip object-group-security PROG-USERS-SGOG any security-group name DEV_SRVR_SG any log
access-list inside_access_in extended deny ip object-group-security DEV-USERS-SGOG any security-group name PROD_SRVR_SG any log
access-list inside_access_in extended permit ip any any
access-list sgfw_access_in extended permit ip 10.1.20.0 255.255.255.0 object AD
access-list sgfw_access_in extended permit object-group DM_INLINE_SERVICE_1 10.1.20.0 255.255.255.0 object INSIDE_HOSTS
access-list sgfw_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
access-list sgfw_access_in extended permit ip any any
access-group sgfw_access_in in interface sgfw
access-group inside_access_in in interface inside
!
aaa-server ISE protocol radius
interim-accounting-update
aaa-server ISE (inside) host 10.1.100.21
key ISEc0ld
authentication-port 1812
accounting-port 1813
radius-common-pw ISEc0ld
!
!
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map vpn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn_map interface vpn
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
subject-name CN=asa.demo.local,O=ISE COLD,C=US
crl configure
crypto ca trustpool policy
!
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable vpn client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
!
ssl trust-point ASDM_TrustPoint2 vpn
webvpn
enable vpn
anyconnect image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
anyconnect profiles Cert_Auth disk0:/cert_auth.xml
anyconnect enable
group-policy DfltGrpPolicy attributes
dns-server value 10.1.100.10
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value demo.local
address-pools value Remote_Access_Pool
group-policy Cert_Auth_GP internal
group-policy Cert_Auth_GP attributes
wins-server none
dns-server value 10.1.100.10
vpn-tunnel-protocol ikev2 ssl-client
default-domain value demo.local
address-pools value Remote_Access_Pool
webvpn
anyconnect profiles value Cert_Auth type user
username admin password 4EPDpfjfh..r.PlM encrypted
tunnel-group DefaultRAGroup general-attributes
authentication-server-group ISE
tunnel-group Cert_Auth type remote-access
tunnel-group Cert_Auth general-attributes
address-pool Remote_Access_Pool
authorization-server-group ISE
default-group-policy Cert_Auth_GP
username-from-certificate use-entire-name
tunnel-group Cert_Auth webvpn-attributes
authentication certificate
group-alias Cert_Auth enable
group-url https://10.1.60.1/Cert_Auth enable
!
!
end
write mem
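
ITADMIN_SG is a member of both DEV-USERS-SGOG and PROG-USERS-SGOG, so the order of the inside_access_in entries decides what an IT admin can reach. As an added example that is not part of the Cisco guide, the Python model below evaluates the security-group ACL entries from this appendix in first-match order and contrasts them with a hypothetical reordering (the two deny lines moved first); the group memberships and tag names are the ones defined above, the reordered list is a constructed variant:

```python
# Added example, not from the Cisco guide: first-match evaluation of the
# inside_access_in security-group ACL in Appendix 3. ITADMIN_SG belongs to both
# object-groups, so entry order decides whether it reaches DEV_SRVR_SG.
SG_OBJECT_GROUPS = {
    "DEV-USERS-SGOG": {"CONTRACTOR_SG", "ITADMIN_SG"},
    "PROG-USERS-SGOG": {"EMPLOYEE_SG", "ITADMIN_SG"},
}

# (action, source object-group or None for 'any', destination SG or None for 'any')
INSIDE_ACCESS_IN = [
    ("permit", "PROG-USERS-SGOG", "PROD_SRVR_SG"),
    ("permit", "DEV-USERS-SGOG", "DEV_SRVR_SG"),
    ("deny", "PROG-USERS-SGOG", "DEV_SRVR_SG"),
    ("deny", "DEV-USERS-SGOG", "PROD_SRVR_SG"),
    ("permit", None, None),
]

# Constructed variant: same entries with the two deny lines first.
DENIES_FIRST = INSIDE_ACCESS_IN[2:4] + INSIDE_ACCESS_IN[0:2] + INSIDE_ACCESS_IN[4:]

def first_match(acl, src_sg, dst_sg):
    """Action of the first entry whose source group contains src_sg and whose
    destination tag matches dst_sg; ASA access-lists end in an implicit deny."""
    for action, src_og, rule_dst in acl:
        src_ok = src_og is None or src_sg in SG_OBJECT_GROUPS[src_og]
        dst_ok = rule_dst is None or rule_dst == dst_sg
        if src_ok and dst_ok:
            return action
    return "deny"

def matrix(acl, src_sgs, dst_sgs):
    """Effective policy for every (source SG, destination SG) pair."""
    return {(s, d): first_match(acl, s, d) for s in src_sgs for d in dst_sgs}
```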
