ISE 1.3 Guide

Cisco
Identity Services Engine (ISE)

Not For Resale (NFR)
Config Guide

Connected Architectures Partner Organization (CAPO)
Secure Access and Mobility Product Group (SAMPG)

April 6th 2015
ise_nfr_partner_bundle@cisco.com
Cisco ISE NFR Guide

Table of Contents

1 Introduction ....................................................................................................................................... 3
2 Topology ............................................................................................................................................. 4
3 Equipment Specifications ................................................................................................................ 6
4 VM Networking Configuration ....................................................................................................... 7
5 Next Steps ........................................................................................................................................ 24
CLEANUP: BEFORE YOU PROCEED .................................................................................................. 26
SCENARIO 1: DEMONSTRATE THE GUEST ACCESS FOR A WIRELESS HOTSPOT ........................... 27
SCENARIO 2: DEMONSTRATE THE GUEST ACCESS FOR A SELF-REGISTER PORTAL ..................... 29
SCENARIO 3: DEMONSTRATE THE GUEST ACCESS FROM A SPONSORED ACCOUNT .................. 32
SCENARIO 4: DEMONSTRATE ONBOARDING OF A NON-CORPORATE APPLE IPAD .................... 35
6 Appendix 1: Bill of Materials ......................................................................................................... 40
7 Appendix 2: Catalyst 3560 Configuration ................................................................................... 41
8 Appendix 3: Virtual Wireless LAN Controller ............................................................................. 44
9 Appendix 4: ASAv Configuration .................................................................................................. 51
10 Appendix 5: Configure a Network Serial Console Port .......................................................... 52
11 Appendix 6: Telnet to Network Serial Console Port ............................................................... 53
Cisco ISE NFR Guide
Introduction
This document provides details to build out hardware and software components for the Identity Services
Engine (ISE) Not For Resale (NFR) partner bundle. The bundle provides partners with ISE, NetSvc VM and
other Cisco infrastructure VMs such as virtual ASA and virtual WLC that partners can leverage to
configure a purpose built lab. The ISE OVA image included with the NFR kit comes already configured for
simple insertion into a lab environment.

The Services image included with the NFR kit is a Linux (CentOS) VM that provides key ISE services such
as NTP, DNS, DHCP, LDAP and MAIL. The Linux VM is preconfigured, but can be customized to meet
specific customer use cases or scenarios.

This document was written with specific hardware in mind, but can be customized to match your
environment. The table below lists the hardware components used in this guide. A detailed Bill of
Materials is also available in Appendix 1.

This guide provides step-by-step procedure on how to setup ISE 1.3 environment to demonstrate key
customer use cases such as Secure Access, Guest Services and BYOD.

Cisco ISE NFR Guide
Topology
Below presents the recommended physical topology for the ISE NFR program.

SWITCH (Catalyst 3560CG)
Interface
G0/1
G0/2
G0/10
Switch Mode
Access
Access
TRUNK
VLAN
10
100
All
Destination
VMNIC 1
AP
VMNIC 0
ASAv Edge Firewall (Virtual Machine)

Interface
VMNIC 2 (ASAv G0/0)
VMNIC 0 (ASAv G0/1)
VLAN
70
Destination
Internet
3k-Access G0/10
vWLC - Wireless Controller (Virtual Machine)

Interface
VMNIC 0 (vWLC MGMT)
(vWLC Service Port)
VLAN
100
Destination
3k-Access G0/10
Cisco ISE NFR Guide
VLANs and IP Subnets

VLAN
NAME
IP SUBNET
DESCRIPTION
10
ACCESS
10.1.10.0/24
50
WIRELESS GUESTS
10.1.50.0/24
GUEST
70
CORP
10.1.70.0/24
CORPORATE NETWORK (INSIDE)
100
MGMT
10.1.100.0/24
MANAGEMENT
IP Addresses and Login Credentials

Device
DNS Names
IP Address
Login Credentials
10.1.100.1 (MGMT)
admin / ISEc0ld
Domain: securitydemo.net
SWITCH
3560CG
10.1.70.2 (CORP)
ASAv (EGFW)
egfw
10.1.70.1 (CORP)
admin / ISEc0ld
10.1.100.254 (MGMT)
vWLC
vwlc
10.1.100.41 (MGMT)
10.1.20.41 (SERVICE-PORT)
ISE
ise
10.1.100.21
admin / ISEc0ld
NETSVC*
[AD/CS/DNS/DHCP/NTP/MAIL]
netsvc
10.1.100.40
root / ISEc0ld
updates
10.1.100.221
portal
10.1.100.222
biz
10.1.100.223
it
admin / ISc0ld
employee / ISEc0ld

sponsor /ISEc0ld
10.1.100.224
records
10.1.100.225
dev
10.1.20.40
prod
10.1.20.39
CIMC
10.1.100.3
admin / (default: password)
ESXI
10.1.100.2
root / ISEc0ld
Cisco ISE NFR Guide
Equipment Specifications
3.1
Hardware1
HARDWARE
3.2
3.3
DESCRIPTION
UCS SERVER C22 M3
2 x 2.4GHz CPU, 8 x 300GB HD, 64GB RAM, 1 x Quad NIC (+2 x NICs Incl. onboard, Total 6 NICs require)
WS-C3560CG-8PC-S
Catalyst 3560 Compact Switch 8 GE PoE(+)
AIR-CAP2602I-A-K9
802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; A Reg Domain
WINDOWS PC
Windows 7 to setup and administrate the setup.
Network Access Devices 2

DEVICE
VERSION
SYSTEM BOOT IMAGE
Catalyst 3560CG
15.2(2)E2
c3560c405ex-universalk9-mz.152-2.E2.bin
vWLC (VM)
7.6.130
AIR-CTVM-K9-7-6-130-0.aes
ASAv (VM)
9.3(2)
asa932-smp-k8.bin
VMware
APPLICATIONS
DESCRIPTION
DOWNLOAD
ESXi 5.5 or Latest
VMware Hypervisor.
Go To VMware
vCSA 5.5 or Latest
vCenter Server Appliance
Go To VMware
vSphere Client
Client to connect to ESXi hosts or vCenter
Show Me
3.4
Virtual Machines4
NAME
DESCRIPTION
FILE
NETSVC
DNS, DHCP, NTP, HTTP & MAIL (CENTOS 5.11)
OVA
ISE 1.3 NFR
Integrated Service Engine 1.3
OVA
Virtual Wireless LAN Controller
OVA
Click Here (Cisco.com)
Virtual ASA
OVA
Click Here (Cisco.com)
vWLC
ASAv
DOWNLOAD
Click Here (Box.net)

NOTE: To download the appropriate VMs (OVA) and NAD configurations please use the links provided in the above table.
For the VMs that are to be downloaded from Cisco.com (links provided above) please match the code version in (3.2).
Refer to Appendix 1 Bill of Materials for more details.

Refer to Appendix 1 Bill of Materials for more details.
3
vCenter is only required for the ASAv.

2
Cisco ISE NFR Guide
VM Networking Configuration

This section covers the process to install all the VMs needed in this guide including ISE, NetSvc VM, WLC
virtual controller (vWLC) and Virtual ASA (vASA). For simplicity, this guide will cover direct connection
from the vSphere client to an ESXi host instead of vSphere. The steps that follow assume that there is a
working ESXi environment with the vSphere client installed and the admin machine.

It is very important to plan physical connections and VLANs early in the development process. This will
ensure that you are able to complete all desired use cases with available NICs.

As per the above diagram there will be only three network Card interfaces need on the UCS which
means we need to configure 3 vSwitches (Virtual Switches) as follow:
To configure networking in the vSphere client select the UCS host and click the Configuration tab. Select
Networking in the Hardware pane and ensure vSphere Standard Switch is selected.
Click on Properties under vSwitch1 (It may start from vSwitch0) then go through the next steps below as
per the diagram to rename.

Change Network Label Management Network to VMK-NET and
Note: VMKernel Networking layer provides connectivity to hosts.

Repeat the above steps to change the Network Label and VLAN ID to MGMT and 100 respectively.
7

Cisco ISE NFR Guide

Next configure vSwitch2 by mapping it to vmnic1. Start by clicking Add Networking

Pick connection type as Virtual Machine then click on Next.
Select vmnic1 then click Next.

Change the Network Label to ACCESS. Click Next and then Finish when done which should take you back
to the Network Configuration main screen.

Cisco ISE NFR Guide

Follow the previous steps to configure vSwitch3 and check vmnic2 as the assigned network adapter
then click Next.

Change the Network Label to EGFW-OUTSIDE. Click Next and then Finish when done which should take
you back to the Network Configuration main screen.

Next we will add vSwitch4 and skip Network Access step and NOT SELECT any vmnic and then change
the Network Label to ESXI-HOST-ONLY and click Next.

As per the network diagram we will be adding two VM Port Groups to vSwitch1.
Click on vSwitch1 Properties.
Cisco ISE NFR Guide

Click on Add

Then select Virtual Machine

Change the Network Label and VLAN ID to CORP and 70 respectively.

Click Next and Finish when done and then repeat the above steps to add another port group called
Trunk with a VLAN ID All (4095).
10

Cisco ISE NFR Guide

If you follow the above steps correctly the VM Networking will look like the following screenshot:

The Virtual Wireless LAN Controller requires virtual switch to operate in Promiscuous Mode. This is not
the default setting and you will need to update the TRUNK port group. Select the Properties link above
the vSwitch with the TRUNK port group. Within the vSwitch Properties window, select the TRUNK port
group and click Edit, now click the Security tab, select the Promiscuous Mode check box, and change
the option to Accept. Click OK when complete.
11

Cisco ISE NFR Guide
4.1
NetSVC

The NetSVC VM provides key ISE services such as DNS, DHCP, NTP,
HTTP, and MAIL. The CentOS 5.11 VM is preconfigured, but can be
customized to meet specific customer use cases or scenarios. To
begin importing the VM into your environment, open the vSphere
client and connect to the desired ESXi host.

From the menu bar, select File > Deploy OVF Template

Browse to and select the Source, NetSvc.ova, from the USB drive. Select Next to continue. Click Next to
accept the default values on the OVF Template Details, Name and Location, Resource Pool and Disk
Format. If you havent already downloaded the OVA Please refer to Table 3.4.

Except in Network Mapping section select MGMT as the Destination Network.
Confirm the settings on the Ready to complete screen and click Finish to begin the VM Deployment.

12

Cisco ISE NFR Guide

From vSphere, you have the ability to control multiple facets of Virtual Machine operations. At the most
basic level, you can power on, power off, or open the console of VMs.
To power on the NetSvc VM, right-click the NetSvc VM and select Power > Power On.

Also, you can use a shortcut (Ctrl+B) or Power-On button from the top menu after selecting the VM

Click the
icon to launch a VM console as the VM powers on.

Once the VM boots up, verify the DNS, DHCP, NTP, HTTP, and MAIL services are running properly.

You can use the VM Console or SSH to verify. To SSH into the NetSvc VM (IP: 10.1.100.40). Login with
user: root and password: ISEc0ld.
DNS
[root@netsvc ~]# service named status
number of zones: 7
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
named (pid 2407) is running...

[root@netsvc ~]# host netsvc.securitydemo.net
netsvc.securitydemo.net has address 10.1.100.40

[root@netsvc ~]# host ise.securitydemo.net
ise.securitydemo.net is an alias for ise-1.securitydemo.net.
ise-1.securitydemo.net has address 10.1.100.21

Here is just an example, Please configure as per your environment.
Configuration file named.conf located at /var/named/chroot/etc/
Adjust forwarders as needed; e.g. at Cisco Lab networks.
forwarders {
// Google public DNS servers
8.8.8.8;
8.8.4.4;
// OpenDNS servers
208.67.222.222;
208.67.220.220;
};
13

Cisco ISE NFR Guide

DHCP
[root@netsvc ~]# service dhcpd status
dhcpd (pid 2602) is running...
NTP
[root@netsvc ~]# service ntpd status
ntpd (pid 2587) is running...

[root@netsvc ~]# ntpq -np
remote refid st t when poll reach delay offset jitter
==============================================================================
127.127.1.0 .LOCL. 10 l 5 64 3 0.000 0.000 0.001

Here is just an example, Please configure as per your environment.
Configuration file located at /etc/ntp.conf. Adjust the list of external NTP servers as needed.
# Use public servers from the pool.ntp.org project.

# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org

server 0.us.pool.ntp.org iburst
HTTP
[root@netsvc ~]# service httpd status
httpd (pid 2705) is running...

Mail (Postfix)
[root@netsvc ~]# service postfix status
master (pid 2673) is running...

IMAP (Dovecot)
[root@netsvc ~]# service dovecot status
dovecot (pid 2615) is running...

14

Cisco ISE NFR Guide
4.2

ISE NFR
The ISE NFR VM ships with configurations for most of the features in ISE including
Dot1x, Guest, BYOD and Posture. Follow the same procedure as the NetSvc VM to
import the ISE NFR OVA. From the vSphere client, select File > Deploy OVF
Template (If you havent already downloaded the OVA Please refer to Table 3.4)

Browse to and select the Source,
ISE-1.3-NFR.ova, from the USB drive. Select Next
to continue.

Change the Name to ISE NFR and select Next and accept default Disk Format and then select Next again

Next under Network Mapping section select
MGMT as the Destination Network.

Confirm the settings on the Ready to Complete screen and click Finish to begin the VM Deployment.

To power on the ISE NFR VM, right-click the VM
and select Power > Power On. Also, you can use
a shortcut (Ctrl+B) after selecting the VM.
To verify that services are running properly, SSH to the ISE NFR VM at 10.1.100.21.
Login with user: admin and password: ISEc0ld.

login as: admin
admin@10.1.100.21's password: ISEc0ld

Verify that ISE services are running by issuing the show applications status ise command and confirming
that all services are running.
ise/admin# show application status ise
15

Cisco ISE NFR Guide
ISE PROCESS NAME STATE PROCESS ID

--------------------------------------------------------------------
Database Listener running 2796
Database Server running 38 PROCESSES
Application Server running 5569
Profiler Database running 3793
AD Connector running 5924
M&T Session Database running 2373
M&T Log Collector running 5828
M&T Log Processor running 5785
Certificate Authority Service running 5741
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
Identity Mapping Service disabled

Verify that NTP is properly synced to the ISE NFR VM by issuing the show ntp command and confirming
that 10.1.100.40 is the current time source. The asterisk shows what timeserver ISE is synchronized
with. Allow a few minutes for synchronization to complete.

ise/admin# show ntp
Configured NTP Servers:
10.1.100.40

synchronized to NTP server (10.1.100.40) at stratum 11
time correct to within 961 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 10 l 9 64 377 0.000 0.000 0.001
10.1.100.40 ------ 16 u - 256 0 0.000 0.000 0.000

Current time source, + Candidate

Warning: Output results may conflict during periods of changing synchronization.

Now lets try to access ISE from GUI and test.
Open http://10.1.100.21 in a browser (ex: Firefox) and login to ISE. User: admin and pass: ISEc0ld
16

Cisco ISE NFR Guide
4.3
Virtual Wireless LAN Controller
Installation
Download the Virtual Wireless LAN Controller (vWLC) ver 7.6.130.0 (Supports OEAP) from Cisco. The
.OVA file is required for the first time installation only and the .aes file is used for upgrades.

After downloading the appropriate ova, deploy the vWLC ova by selecting your ESXi host and clicking
File > Deploy OVF Template Browse to download location of your ova and click Open.

Click Next to confirm the source and Next again to confirm the OVF Template Details.

Change the Name to vWLC and select Next and accept default Disk
Format and then select Next again

Next under Network Mapping section Change the Destination
Network to TRUNK and click Next.

17

Cisco ISE NFR Guide

Finally, confirm appliance details and click Finish to deploy the VM.

Installation will complete in a few minutes and the vWLC will be ready for configuration. When the
vWLC Virtual Machine is ready to power on and bootstrap, select the vWLC VM in the Home > Inventory
> Inventory window, and use shortcut (Ctrl+B) to power it on.
Click the
icon to launch a VM console as the VM powers on.

The installation process will continue. When prompted to Press any key to use this terminal as the
default terminal, be sure to click in the window and press any key.
Wait until the vWLC prompts Would you like to terminate autoinstall? Type yes and click Enter. When
prompted, enter the following information to bootstrap the vWLC and press Enter
Prompt
System Name
Enter Administrative User Name
Enter Administrative Password
Re-enter Administrative Password

Service Interface IP Address Configuration
Service Interface IP Address
Service Interface Netmask

Management Interface IP Address
Management Interface Netmask
Management Interface Default Router
Management Interface VLAN Identifier (0 = untagged)
Management Interface Port Num
Management Interface DHCP Server IP Address

Virtual Gateway IP Address
Mobility/RF Group Name
Network Name (SSID)
Configure DHCP Bridging Mode
Value
vWLC
admin
ISEc0ld
ISEc0ld

static
10.1.20.41
255.255.255.0

10.1.100.41
255.255.255.0
10.1.100.1
100
1
10.1.100.40

1.1.1.1
ISECOLD
ISECOLD
NO
18
Cisco ISE NFR Guide

Allow Static IP Address

Configure a RADIUS Server now
Enter the RADIUS Servers Address
Enter the RADIUS Servers Port
Enter the RADIUS Servers Secret

Enter Country Code list
Enable 802.11b Network
Enable 802.11a Network
Enable 802.11g Network
Enable Auto-RF

Configure a NTP server now
Enter the NTP servers IP address
Enter a polling interval between 3600 and 604800
Configuration correct? If yes system will save it and reset

YES

YES
10.1.100.21
1812
ISEc0ld

US
YES
YES
YES
YES

YES
10.1.100.40
3600
YES
After the vWLC reboots, login with the credentials admin / ISEc0ld. Issue a show interface
summary to ensure the management interface is up. The service-port is not being used and
should not have connectivity.
4.4
Adaptive Security Virtual Appliance (ASAv)

Download the OVA of Adaptive Security Virtual Appliance (ASAv) ver 9.3.2 (Not 9.3.2.200) from
CCO.

NOTE: To deploy ASAv you will require a vCenter and cant be done directly from ESXi host. We
will use vSphere Desktop Client. If you prefer Web Client please refer to cisco docs here. But
you would need to match the Networking Mapping as per the below.
After downloading the appropriate OVA, first login to the vCenter
and make sure you select the correct ESXi Host (under the
appropriate Datacenter/Cluster if any) and then deploy the ASAv
OVA by selecting your ESXi host and clicking File > Deploy OVF
Template

Browse to download location of your ova and click Open.
19

Cisco ISE NFR Guide

Click Next to confirm the source and Accept License and click Next.
Now accept ALL default settings and start the deployment, as we will apply the appropriate
configuration later.
Once the ASAv VM installation is complete (Dont Power-On the VM yet).
First right-click the ASAv and select Edit Settings and assign Network adapters to the
appropriate Port Groups:
Network adapter 1 > MGMT
Network adapter 2 > EGFW-OUTSID
Network adapter 3 > CORP

Then follow the steps below to Configure Network Serial Port and ASAv to be able to Telnet to it.
1. Fix Repeated characters Issue.
2. Configure a Network Serial Console Port. (Port URL: telnet://:10062) [Refer: Appendix 5 ]
3. Select the ASAv VM and Power-On (Ctrl+B). Then click the icon to launch the VM
console.
4. Once at ASAv cmd prompt, create a blank file called use_ttyS0 in the root directory of
disk0. Easiest way is to copy another file and rename. Here are the commands to do just
that.
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0

5. Reload the ASAv. Enter reload cmd.
6. Test the telnet connection to the ASAv via Service Port we configured. [ Refer: Appendix 6 ]
In the next section you will deploy the NAD Configuration.
4.5
NAD Configuration & Licensing

Note: When you purchase the equipment make sure you include the correct licenses.
20

Cisco ISE NFR Guide

Please refer to Appendix 1 - Bill of Materials for more information.

Note: Download NAD Configs from here or copy-&-paste from Appendix 2, 3 and 4.
[1] 3560CG Switch Configuration & License

WS-C3560CG-8PC-S requires a minimum of IP Base license for this Kit. Once you have the
latest code 15.2(2) E2 and updated licensing on the switch, you can Copy-and-Paste the
configuration from Appendix 2.
[2] vWLC Configuration & License

vWLC License

Note: For demonstration purpose you can activate an Evaluation License. Check link for details.
Partners can leverage the NFR program for the most cost effective vWLC licensing. It does ship
with an evaluation license by default, but the best practice is to purchase a full license. The Cisco
SKU for the vWLC is L-AIR-CTVM-5-K9 and it is part of the sample BoM provided in Appendix 1.
Point the browser of your admin machine to
https://vwlc or https://10.1.100.41 and login with the
credentials admin / ISEc0ld. Use a supported browser
such as FireFox for the best results.

Initially, there are 0 Access Points Supported. If you have a full license, navigate to Management
> Software Activation > Commands. From the Action drop-down, select Install License. Enter the
appropriate path to your license and click Install License.

Accept the EULA and restart the vWLC. Go to Commands > Reboot and click the Reboot button.
Adjust popup blocker settings in your browser as required to show the EULA.
21

Cisco ISE NFR Guide

After the vWLC reloads, navigate to Management > Software Activation > Licenses. Select the
base-ap-count link next to the appropriate license.

Regardless of the license type, select High
from the Priority drop-down box and click
Set Priority.

Click I Accept to accept the EULA and OK to acknowledge the
requirement to reboot the controller. Go to Commands >
Reboot and click the Reboot button.

The controller will restart and you should see the correct number of access points supported in
the Monitor > Summary screen.

vWLC Configuration
New APs with the proper code level should readily join the vWLC. If your AP does not, console
into it and view the join information. Troubleshoot DHCP and communications with the vWLC as
required. Also, verify that the clock and the AP and vWLC are in sync.

If it can communicate with the vWLC but cannot join, ensure that the code level is 7.6.130.0 or
above. This is a requirement to join the vWLC and the AP will need to be updated by a physical
WLC if it is not at this level. To perform the software update, you can point the AP to a local WLC.
(Note: This issue has been resolved in ver 8.0 and we will include 8.x ver in our next release.)

22

Cisco ISE NFR Guide

Another reason an AP may not join the vWLC is if there is an older SSC hash from previously
joining a controller. If this is the case, issue the following commands on the AP and monitor the
console to determine if the AP is able to join.

AP1111.1111.1111# test capwap erase
AP1111.1111.1111# test capwap restart

From your admin machine, browse back to the controller at https://vwlc or https://10.1.100.41
and login with the credentials admin / ISEc0ld. Click the WIRELESS tab and ensure your AP is
listed.

Now that the AP is registered, select the AP
name to change the Mode to FlexConnect. The
vWLC does not yet support local mode APs so
this is a required step for vWLC deployments
only. In the AP Details screen, select
FlexConnect from the AP Mode drop-down box
and click Apply. Click OK to confirm the warning
that the AP will reboot.

In the vWLC GUI, navigate Commands >

Download File. Enter the following information
adjusting values as required for your
environment. Start the FTP server on the admin
machine and place the demo config (see
Appendix 3.) in the appropriate directory. Click
Download followed by OK to confirm that the
file is not encrypted.
The FTP transfer will proceed, the configuration
file will be loaded, and the system will be reset. After the GUI is available login with the
credentials admin / ISEc0ld and confirm that a complete configuration is now available.
[3] ASAv Configuration & License

For the purpose of demonstration you can use ASAv in unlicensed state, the only
disadvantage is it will give Maximum throughput of 100 kbps.
23

Cisco ISE NFR Guide

In order to activate ASAv License it should be configured to be able to reach to the
Internet. ASAv will also need to periodically connect with Cisco's SMART licensing servers
to obtain entitlement.

ASAv Configuration
Telnet [see Appendix 6] to ASAv and Copy-and-Past the config provided in Appendix 4.
Note: Please make any necessary changes to the base config as per your environment.

ASAv License
Starting version 9.3(2), ASAv licensing has moved to Cisco Smart Software Licensing. You
will need an active account to request a token.

If you prefer to use a licensed ASAv you will need to register for SMART Licensing
account. For detailed instruction download the guide here.

Incase you already have SMART Account and you have already requested for token, then
follow the instructions below:
Once enter the following commands:
ASAv(config)# license smart
ASAv(config-smart-lic)# feature tier standard
ASAv(config-smart-lic)# throughput level 100M
ASAv(config-smart-lic)# exit
ASAv(config)# exit
ASAv# license smart register idtoken <token-for-internal-asav>

Fore more details go to link.

5

Next Steps
At this point, your ISE NFR environment has demo configuration loaded on each of the VMs and
NADs. We recommend taking snapshots of each of your VMs. This will be beneficial if you need to
revert to this state at any time in the future. Prior to taking snapshots, it is a best practice to
power down virtual machines. Use the native OS when possible to ensure minimum disruption.
For ISE, access the CLI and issue app stop ise followed by halt to cleanly shut down the appliance.
24

Cisco ISE NFR Guide

Once a VM is powered down, use the vSphere client to take a snapshot. Navigate to Home >
Inventory > Inventory and select the appropriate VM.
From the toolbar, select the Take Snapshot
button. In the pop-up window enter a Name and
Description and click OK. More information about snapshot best practices is available in VMware
documentation.

We recommend updating software versions to current releases as desired. Refer to individual
product release notes and upgrade guides for detailed release and configuration information.

This completes the ISE NFR guide. Please submit feedback to ise_nfr_partner_bundle@cisco.com
25

Cisco ISE NFR Guide
CLEANUP: BEFORE YOU PROCEED

If this is the first time you are going through these use-cases, you might not have to follow all the steps to clean. But to be
sure please go through the steps below.

a.
APPLE IPAD
1.
Close all browser tabs.
2.
Go to Settings > Wi-Fi and forget the WIFI network its connected to and slide the virtual
switch to disable
Wi-Fi.
3.
Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies
and Data.
4.
On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.
Note: You might not see the Profiles menu option, if there are no profiles installed on the iPad.
b.
ISE SESSION
1.
Navigate to Operations > Authentications > Show Live Sessions. In the column marked
CoA Action, click on the pull down for any active session and choose Session
termination.
2.
Verify the session has been terminated.
3.
Navigate to Administration > Identity Management > Identities > Endpoints and delete
the Apple iPad,
26

Cisco ISE NFR Guide

SCENARIO 1: DEMONSTRATE THE GUEST ACCESS FOR A WIRELESS HOTSPOT
DEMO DESCRIPTION
The guest can connect to a Wireless Hotspot and quickly get access to the network. Also, notice that
the customized guest portals are shown to the guest.
NOTICE: iPAD is required for this demonstration and make sure to follow the above steps to clean it before each demo.

Step 1
Enable SSIDs hotspot in WLC

1.
Login to vWLC web portal @ https://vwlc.securitydemo.net as admin/ ISEc0ld
2.
Select WLANs from top Menu.
3.
Check WLAN ID 2 ##-ISECOLD-hotspot, select Enable Selected from the drop-down and
hit Go.

Step 2
The following sequence provides the progression of onboarding the Apple iPad:
1. Navigate to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and
connect to the network ##-ISECOLD-hotpot (## refers to the POD No.)
2. Now launch the mobile Safari app, close any tabs, and access Google via the bookmarks.
If receiving a warning Cannot Verify Server Identity, click Continue and it will redirect
to the Guest page.
3. Enter isecold as the Access Code and Accept the AUP (Acceptable Use Policy). Show that
the customized portal is now shown to the guest as below

27

Cisco ISE NFR Guide

4. After accepting the AUP, the message is shown that you have successfully connected.
Retry going back to the Google website or click on the link to go to cisco.com and if the
site loads successfully, then this Use-case is complete.

5. Navigate to Operation Authentications and look at the sessions logs.
STOP! Before you proceed to the next demo please clean the iPad and ISE Session [Click Here]
Hotspot complete! You have now completed hotspot use-case. Next lets look into self-registration.

End of Exercise: You have successfully completed this exercise.

28

Cisco ISE NFR Guide

SCENARIO 2: DEMONSTRATE THE GUEST ACCESS FOR A SELF-REGISTER PORTAL
DEMO DESCRIPTION
The guest comes to a company and would like to create their own guest account. After registration,
the credentials are shown instantly on the next screen or can be sent via email for the guest to log on
and get Internet access. Though not shown in this demo, after self-registration you can also add
sponsor approval to the flow.
DEMO ACTIONS

Step 1
Enable SSIDs guest in WLC

1.
Login to vWLC web portal @ https://vwlc.securitydemo.net as admin / ISEc0ld
2.
3.
Check WLAN ID 2 ##-ISECOLD-host, Select Disable Selected from the drop-down and
hit Go.
4.
Check WLAN ID 3 ##-ISECOLD-guest, Select Enable Selected from the drop-down and
hit Go.

Step 2
1.
Navigate to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and
connect to the network ##-ISECOLD-guest
2.
Now launch the mobile Safari app, close any tabs, and go to Google.com. If you
receive any warning, click Continue and it will redirect to the Guest page.
3.
Since this is a self-registered use case, Click on Dont have an account to create
your own account.
4.
Create a guest account using the following info:

Attribute
Value
Username
First Name
Last Name
Email address
Guest
John
Doe
guest@securitydemo.net

NOTE: Incase you want to demo sponsor approval you will have to fill in Person being Visited (email) field.
29

Cisco ISE NFR Guide

5.
Accept AUP and Click Register button.
6.

Note the Login Credentials, and then click the Sign On button.
7.

Enter Login Credentials and Access Code isecold and Accept AUP and Click Sign On
Note: Access Code adds an extra layer of security and its usually given offline. Example: In a classroom, the instructor
will put it on the whiteboard.

8.
After Signing On, the message is shown that you have successfully connected. Retry
going back to the Google website or click on the link to go to cisco.com

9.
Navigate to Operation Authentications and look at the sessions logs.
30

Cisco ISE NFR Guide

Warning: If you see a message, Maximum Devices Reached, then please follow the steps below to clean up the iPad connection, this was
caused because the endpoint is already in the store and you didnt delete it after you ran through the previous exercise.
You have now completed setup of Self-registration with sponsor approval flow
31

Cisco ISE NFR Guide

SCENARIO 3: DEMONSTRATE THE GUEST ACCESS FROM A SPONSORED ACCOUNT
DEMO DESCRIPTION
The employee would like to provision guest access to a visitor guest who is visiting the hospital. The
employee would like to do that only for a couple of hours. To do so the employee will login to the
network and will go to the guest provisioning service page (ISE Sponsor Portal). Then enter the name
and email address for the guest along with the time of access and the guest server will generate a
password that the guest can use to gain access.

DEMO ACTIONS
1.
Access Sponsor Portal via desktop browser, go to Sponsor.SecurityDemo.net and login as sponsor /
ISEc0ld
2.
Accept AUP and proceed to create a guest account page.
3.
Before creating a new account please delete the guest account created in previous demo.
4.
Now go to Create Accounts tab, by default the Guest Type is Contractor for this portal. Change it if
you need to. Enter the following information and Click on Submit.
Attribute
First Name
Last Name
Email address
Duration (Days)
From Date
To Date
Value
John
Doe
guest@securitydemo.net
10
Set the Start Date/Time
Set the End Date/Time
Note

Enter email as it is.
You can set as desired

5.
The Sponsor Portal creates an account and generates an account password for the guest user. Click
on Notify at the bottom on the screen to send the info to the guest via email (sms or print).

6. Check the
Email box and enter
32

Cisco ISE NFR Guide

sponsor@securitydemo.net in the Sponsors email field and click OK.
7.

Now the email is sent to the Guest and Sponsor. To verify go to the mail.securitydemo.net and
log in using the credentials guest / ISEc0ld. From the email get the username/password to login
to WIFI as guest.

8.
The following sequence provide the progression of onboarding the Apple iPad:
1)
Navigate to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect
to the network ##-ISECOLD-guest (## refers to the POD No.)
2)
Now launch the mobile Safari app, close any tabs, and access Google.com and it will redirect
to the Guest page.
3)
Enter user/pass and access code isecold. Then accept AUP and click Sign On
Note: Access Code adds an extra layer of security (given offline). Ex: In a classroom, the instructor will put it on a whiteboard.
33

Cisco ISE NFR Guide

4)
After Signing On, the message is shown that you have successfully connected. Retry going
back to the Google website or click on the link to go to cisco.com

5)
Navigate to Operation Authentications and look at the sessions logs.

PREVIEW T HE M ANAGED A CCOUNTS O PTION
1.
Navigate to Guest Access Manage Accounts
2.
At the top of the page click on Managed Accounts
The managed account option is a quick easy way to see all the accounts and perform sponsor actions. The admin
account is auto-authenticated and not part of any sponsor group. It has permissions to do everything and see
everything, accept if the guest changes their password they wont be able to see it (just like any other sponsor). If
the sponsor portal session terminates for any reason, the admin will have to go back to the admin UI to get back in
or login with a valid sponsor account. Their admin credentials will not get them back in unless it is part of a sponsor
group. This was just a preview and we will be using the sponsor portal to do our work.
You have now completed this demo.

34

Cisco ISE NFR Guide

SCENARIO 4: DEMONSTRATE ONBOARDING OF A NON-CORPORATE APPLE IPAD
DEMO DESCRIPTION
In this demo you will get the experience of onboarding an Apple iPad onto the network in a BYOD use
case. From the iPad you will connect over the wireless network to the single SSID (corp). You will use
your AD (NetSvc) credentials to let Cisco ISE know that the iPad is a personal device that belongs to
you the employee. When you connect to the network you will verify profile installation for the native
supplicant on the iPad. Using Cisco ISE live logs you will monitor the onboarding process and verify
successful completion via the My Devices Portal.
DEMO ACTIONS

Step 1
Enable SSIDs corp in WLC

1.
Login to vWLC web portal @ https://vwlc.securitydemo.net as admin / ISEc0ld
2.
3.
Check WLAN ID 3 ##-ISECOLD-guest, Select Disable Selected from the drop-down and hit Go.
4.
Check WLAN ID 1 ##-ISECOLD-corp, Select Enable Selected from the drop-down and hit Go.

Step 2
Update SSID for ISECOLD TLS -- Native Supplicant Profile under
Policy -> Policy Elements -> Results -> Client Provisioning -> Resources.
35

Cisco ISE NFR Guide

Step 3
1.
Navigate to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect
to the network ##-ISECOLD-corp (## refers to the POD number if any.)
2.
Enter the login (Internal AD) credentials, user: employee pass: ISEc0ld and click Join
3.
Click to Accept the certificate
4.
Next click on the blue arrow of the connected network and verify the IP address assigned
5.
Now launch the mobile Safari app, close any tabs, and access Google.com and it will redirect
to the ISE 1.3 BYOD Welcome Screen, which guides the end-user over a series of steps to on-
board the device and also keeps tracks of these steps with proper numbering.
6.
Click Start to proceed.
36

Cisco ISE NFR Guide

7.
Next end-user would be requested to enter Device Name and Description

Device Name
Description
Peronal_iPAD
This is my Personal iPAD

8.
Click Continue to proceed and when it prompts the user to launch Apple Profile and
Certificate Installers Now, click the button to proceed
9.
When prompted to install the Root CA certificate that signed the SSL server certificate of ISE,
click Install. Again click Install to accept any Warnings to complete this installation.
The process switches back to the self-provisioning page in Safari, and the ISE Profile Service
pops up and prompts Install Now.
10. Click Install Now to start the Apple Over-The-Air (OTA) enrollment process. This will
automatically generate the key, enroll the identity certificate, and save the resulting signed
Wi-Fi profile to the iPad.
Youll see the following message on the browser showing that you are now connected.
37

Cisco ISE NFR Guide

11. Now entering portal.securitydemo.net in the mobile Safari app should take you to the
internal website to show you have the correct access.

Note: If you still cant redirect to portal.securitydemo.net then check if SSID was updated in Native
Supplicant Profile in Policy
12. Verifying Settings > General > Profiles shows two profiles are installed

13. Check the live logs on ISE admin web console to verify that the correct authorization profiles
were applied. The sequence will look similar to the following.

14. Go to the https://mydevices.securitydemo.net and inspect the endpoint registration states.
Login as employee/ISEc0ld.
15. Once the newly installed Wi-Fi profile authenticates the device to the network, this state will
move to Registered.
38

Cisco ISE NFR Guide

16. On ISE, navigate to Administration > System > Certificates:

Look at the summary of the certs issued below:

17. Navigate to Certificate Management > Endpoint Certificates, look at the certs issued. You
can view and revoke any certs from here.
39

Cisco ISE NFR Guide
Appendix 1: Bill of Materials
Catalyst Switch
WS-C3560CG-8PC-S
CAB-AC-RA
RCKMNT-19-CMPCT=
Description
Catalyst 3560C Switch 8 GE PoE(+), 2 x Dual Uplink, IP Base
Power Cord,110V, Right Angle
19in RackMount for Catalyst 3560 Compact Switch
Quantity List Price

1
1,795
1
0
1
75
CON-SNT-WSC3560C
ASAv
SMARTNET 8X5XNBD Catalyst 3560C Switch 8 GE PoE, 2 x Dual

Description
1
102
Quantity List Price
LASAV5SK9=
Virtual WLC
L-AIR-CTVM-5-K9
CON-SAU-CTVM5K9
ASAv5 License Delivers up to 100 Mbps of throughput

Description
Cisco Virtual Wireless Controller (w/5 Access Points License)
SW APP SUPP + UPGR Cisco Virtual Wireless
1
3-4K
Quantity List Price
1
750
1
150
Access Point
AIR-CAP2602I-A-K9
Description
802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; A Reg Domain
Quantity List Price

1
1,095
CON-SNT-AIRCAPN2
SMARTNET 8X5XNBD 802.11n CAP w/CleanA
UCS Server
UCSC-C22-M3S
UCS-CPU-E5-2440
UCS-MR-1X162RY-A
A03-D300GA2
UCSC-RAID-9240-8I
R2XX-RAID5
UCSC-PCIE-IRJ45
UCSC-PSU-450W
CAB-9K12A-NA
UCSC-RAIL1
CON-SNT-C22M3S
Third Party Products
Power Strip
Rack Screws
Cable Ties
VMware License
Microsoft Subscription
Description
UCS C22 M3 SFF w/ rail kit, w/o PSU, CPU, mem, HDD, PCIe
2.40 GHz E5-2440/95W 6C/15MB Cache/DDR3 1333MHz
16GB DDR3-1600-MHz RDIMM/PC3-12800/dual rank/1.35v
300GB 6Gb SAS 10K RPM SFF HDD/drive sled mounted
MegaRAID 9240-8i, RAID 0/1/10/5/50 for C22/C24
Enable RAID 5 Setting
Intel i350 Quad Port 1Gb Adapter
450W power supply for C-series rack servers
Power Cord, 125VAC 13A NEMA 5-15 Plug, North America
Rail Kit for C220, C22, C24 rack servers
SMARTNET 8X5XNBD UCS C22 M3 Server - SFF
Description
Tripp Lite Waber Power Strip 15ft
Premium Screws with washers
4", 8", and 14" ties to secure equipment
vSphere Essentials Kit
MSDN or TechNet options available
Rack Mount Case
Pelican BB0040 or similar
Quantity List Price

1
1,688
2
2353
4
625
8
589
1
797
1
1
1
999
1
560
1
0
1
0
1
202
Quantity List Price
1
30
1
20
1
40
1
560
1
300
1
40

44
800
Cisco ISE NFR Guide
Appendix 2: Catalyst 3560 Configuration
!GLOBAL SETTINGS

hostname 3560CG
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$5EQI$44ry3iROTTWKRp3IXeYeR1
!
username admin privilege 15 password 0 ISEc0ld
username radius-test password 0 ISEc0ld
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
client 10.1.100.21
server-key ISEc0ld
!
aaa session-id common
system mtu routing 1500
ip routing
!
!
ip dhcp snooping vlan 10,20,50,100
ip dhcp snooping
no ip cef optimize neighbor resolution
no ip domain-lookup
ip domain-name securitydemo.net
ip device tracking
vtp domain securitydemo
vtp mode transparent
!
epm logging
!
crypto pki trustpoint TP-self-signed-504244352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-504244352
revocation-check none
rsakeypair TP-self-signed-504244352
!
!
crypto pki certificate chain TP-self-signed-504244352
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35303432 34343335 32301E17 0D313130 33333030 31323935
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3530 34323434
33353230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
9A17456B 9AD3E7E6 BC02A23F 85FE0656 3D2ACB24 8CF41470 A0088D9D 0EB01EC2
41

Cisco ISE NFR Guide

5F8F4D48 B3CBE769 238D193F D0EC4135 7A51FBF8 7514BB46 6C6F579D 557408F2
BFB83849 BE376D00 9C913754 A0A610CD 4FE4667B 26A3698E 58E6CAFB 4A8DF840
8E226F59 50F3A8A9 E27B379A 0B082222 45BCE7D3 2F1B5C8E 7009A859 E8E425F1
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014E5 A509B44F 68B8025A 4BB2BE02 338A4A18 810D6A30 1D060355
1D0E0416 0414E5A5 09B44F68 B8025A4B B2BE0233 8A4A1881 0D6A300D 06092A86
4886F70D 01010505 00038181 002901F3 F4E12038 D9E86F9E 662269CE DF0A335D
EB586188 AC84257B CB9B09CE 16D2CA73 543FDAF5 BC6BE244 87EB67AE C204200E
8C988856 347B907D 1778371D 2524FA7B 192EC573 5EBCB585 149459B9 721A8450
231D3B33 B1C65ADF 3CCC66BA C8E8F5D4 A08382D9 A13BD755 EC9C35F2 20281305
501861F0 B31E4A60 A9D811FE 8A

quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 10
name ACCESS
!
vlan 20
name SGFW
!
vlan 50
name GUEST
!
vlan 70
name CORP
!
vlan 100
name MGMT
!
!
ip ssh version 2
lldp run
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
description UCS-vmnic1
switchport access vlan 10
switchport mode access
shutdown
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
42

Cisco ISE NFR Guide

authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
description AP
!
description UCS-M
!
!
!
!
!
!
!
description UCS-vmnic0
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.40
!
interface Vlan50
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.40
!
interface Vlan70
ip address 10.1.70.2 255.255.255.0
!
interface Vlan100
ip address 10.1.100.1 255.255.255.0
!
ip http server
ip http secure-server
ip http active-session-modules none
!
ip route 0.0.0.0 0.0.0.0 10.1.70.1
ip route 172.17.0.0 255.255.0.0 192.168.100.2
!
ip access-list standard SNMP-RO
permit 10.1.100.21
deny any
!
43

Cisco ISE NFR Guide

ip access-list extended ISE-URL-REDIRECT
deny tcp any host 10.1.100.221 eq www
permit tcp any any eq www
ip access-list extended vtyAccess
permit tcp 10.1.100.0 0.0.0.255 any eq 22
!
ip radius source-interface Vlan100
ip sla enable reaction-alerts
logging trap debugging
logging origin-id ip
logging source-interface Vlan100
logging host 10.1.100.21 transport udp port 20514
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ise
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
automate-tester username radius-test ignore-acct-port idle-time 5
key ISEc0ld
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
access-class vtyAccess in
exec-timeout 0 0
privilege level 15
logging synchronous
transport preferred none
transport input ssh
line vty 5 15
access-class vtyAccess in
exec-timeout 0 0
privilege level 15
logging synchronous
transport preferred none
transport input ssh
!
ntp server 10.1.100.40
end

Appendix 3: Virtual Wireless LAN Controller
config acl counter start

config acl rule add ISE-URL-REDIRECT 1
config acl rule source port range ISE-URL-REDIRECT 1 53 53
config acl rule direction ISE-URL-REDIRECT 1 in
config acl rule action ISE-URL-REDIRECT 1 permit
config acl rule destination port range ISE-URL-REDIRECT 1 0 65535
config acl rule destination address ISE-URL-REDIRECT 1 10.1.100.40 255.255.255.255
config acl rule protocol ISE-URL-REDIRECT 1 17
44

Cisco ISE NFR Guide

config acl rule source address ISE-URL-REDIRECT 2 10.1.100.40 255.255.255.255
config acl rule direction ISE-URL-REDIRECT 2 out
45

Cisco ISE NFR Guide

config acl rule add MACHINE_ACL 1
config acl rule source port range MACHINE_ACL 1 0 65535
config acl rule destination port range MACHINE_ACL 1 0 65535
config acl rule destination address MACHINE_ACL 1 10.1.100.2 255.255.255.255
config acl rule destination address MACHINE_ACL 2 10.1.100.224 255.255.255.254
config acl rule action MACHINE_ACL 3 permit
config acl rule add EMPLOYEE_ACL 1
config acl rule source port range EMPLOYEE_ACL 1 0 65535
config acl rule destination port range EMPLOYEE_ACL 1 0 65535
config acl rule destination address EMPLOYEE_ACL 1 10.1.100.2 255.255.255.255
config acl rule destination address EMPLOYEE_ACL 2 10.1.100.224 255.255.255.254
config acl rule action EMPLOYEE_ACL 3 permit
config acl rule add ITADMIN_ACL 1
config acl rule source port range ITADMIN_ACL 1 0 65535
config acl rule action ITADMIN_ACL 1 permit
config acl rule destination port range ITADMIN_ACL 1 0 65535
config acl rule add ITADMIN_ACL 65
config acl rule source port range ITADMIN_ACL 65 0 65535
config acl rule destination port range ITADMIN_ACL 65 0 65535
config acl rule add CONTRACTOR_ACL 1
config acl rule source port range CONTRACTOR_ACL 1 0 65535
config acl rule destination port range CONTRACTOR_ACL 1 0 65535
config acl rule destination address CONTRACTOR_ACL 1 10.1.100.2 255.255.255.255
config acl rule destination address CONTRACTOR_ACL 2 10.1.100.224 255.255.255.254
config acl rule protocol CONTRACTOR_ACL 2 6
46

Cisco ISE NFR Guide

config acl rule action CONTRACTOR_ACL 3 permit
config acl rule add GUEST_ACL 1
config acl rule source port range GUEST_ACL 1 0 65535
config acl rule direction GUEST_ACL 1 in
config acl rule action GUEST_ACL 1 permit
config acl rule destination port range GUEST_ACL 1 53 53
config acl rule protocol GUEST_ACL 1 17
config acl rule destination address GUEST_ACL 2 10.1.100.16 255.255.255.240
config acl rule add USER_ACL 1
config acl rule source port range USER_ACL 1 0 65535
config acl rule destination port range USER_ACL 1 0 65535
config acl rule destination address USER_ACL 1 10.1.100.2 255.255.255.255
config acl rule destination address USER_ACL 2 10.1.100.224 255.255.255.254
47

Cisco ISE NFR Guide

config acl rule action USER_ACL 3 permit
config acl rule add BLACKHOLE 1
config acl rule source port range BLACKHOLE 1 0 65535
config acl rule direction BLACKHOLE 1 out
config acl rule action BLACKHOLE 1 permit
config acl rule destination port range BLACKHOLE 1 0 65535
config acl rule direction BLACKHOLE 2 in
config acl rule protocol BLACKHOLE 2 17
config acl rule direction BLACKHOLE 3 in
config acl rule destination address BLACKHOLE 3 10.1.100.21 255.255.255.255
config acl rule protocol BLACKHOLE 3 6
config acl create ISE-URL-REDIRECT
config acl apply ISE-URL-REDIRECT
config acl create MACHINE_ACL
config acl apply MACHINE_ACL
config acl create EMPLOYEE_ACL
config acl apply EMPLOYEE_ACL
config acl create ITADMIN_ACL
config acl apply ITADMIN_ACL
config acl create CONTRACTOR_ACL
config acl apply CONTRACTOR_ACL
config acl create GUEST_ACL
config acl apply GUEST_ACL
config acl create USER_ACL
config acl apply USER_ACL
config acl create BLACKHOLE
config acl apply BLACKHOLE
config location expiry tags 5
config dhcp proxy disable bootp-broadcast disable
config serial timeout 0
config remote-lan session-timeout 5 0
config remote-lan mac-filtering disable 5
config remote-lan create 5 EtherTunnel EtherTunnel
config remote-lan exclusionlist 5 60
config remote-lan interface 5 access
config remote-lan security web-auth server-precedence 5 local radius ldap
config sysname vWLC
config 802.11a cac voice sip bandwidth 64 sample-interval 20
config 802.11a cac voice sip codec g711 sample-interval 20
48

Cisco ISE NFR Guide

config 802.11a cleanair alarm device enable 802.11-nonstd
config 802.11a cleanair alarm device enable 802.11-inv
config 802.11a cleanair alarm device enable jammer
config snmp version v3 disable
config snmp community delete public
config snmp community delete private
config snmp community ipaddr 10.1.100.0 255.255.255.0 ISEc0ld
config snmp community mode enable ISEc0ld
config snmp community create ISEc0ld
config advanced probe limit 2 500
config advanced 802.11a channel add 36
config advanced probe-limit 2 500
config advanced 802.11b channel add 1
config country US
config interface port management 1
config interface nat-address management set 172.23.112.165
config interface nat-address management enable
config interface address management 10.1.100.41 255.255.255.0 10.1.100.1
config interface dhcp management primary 10.1.100.40
config interface vlan management 100
config interface address service-port 10.1.20.41 255.255.255.0
config interface dhcp service-port disable
config interface address virtual 1.1.1.1
config interface port access 1
config interface address dynamic-interface access 10.1.10.41 255.255.255.0 10.1.10.1
config interface create access 10
config interface dhcp dynamic-interface access primary 10.1.100.40
config interface vlan access 10
config interface port guest 1
config interface address dynamic-interface guest 10.1.50.41 255.255.255.0 10.1.50.1
config interface create guest 50
config interface dhcp dynamic-interface guest primary 10.1.100.40
config interface vlan guest 50
config sessions timeout 120
config time ntp interval 3600
config time ntp server 1 10.1.100.40
config wlan session-timeout 1 7200
config wlan exclusionlist 1 60
config wlan broadcast-ssid enable 1
config wlan mac-filtering enable 2
config wlan mac-filtering enable 3
49

Cisco ISE NFR Guide

config wlan nac radius enable 1
config wlan interface 1 access
config wlan interface 2 guest
config wlan interface 3 guest
config wlan mfp client enable 1
config wlan create 1 01-ISECOLD-corp 01-ISECOLD-corp
config wlan nasid vWLC 1
config wlan usertimeout 7200 1
config wlan wmm allow 1
config wlan create 2 01-ISECOLD-hotspot 01-ISECOLD-hotspot
config wlan create 3 01-ISECOLD-guest 01-ISECOLD-guest
config wlan security wpa enable 1
config wlan security web-auth server-precedence 1 radius
config wlan dhcp_server 1 0.0.0.0 required
config wlan aaa-override enable 1
config wlan security wpa akm 802.1x disable 2
config wlan security wpa wpa2 ciphers aes disable 2
config wlan security wpa wpa2 disable 2
config wlan security wpa disable 2
config wlan sip-cac send-486busy disable 3
config wlan security wpa akm 802.1x disable 3
config wlan security wpa wpa2 ciphers aes disable 3
config wlan security wpa wpa2 disable 3
config wlan security wpa disable 3
config wlan security pmf optional 5
config wlan profiling radius http enable 1
config wlan profiling radius dhcp enable 1
config wlan radius_server auth add 1 1
config wlan radius_server acct add 1 1
config mobility group domain 01-vWLC
config certificate ssc hash validation disable
config certificate generate webauth
50

Cisco ISE NFR Guide

config certificate generate webadmin
config radius auth add encrypt 1 10.1.100.21 1812 password 1 c26450af0b2197075df16a0043324a93
3b28ea9a08c13a56eb6ccb93220588f688c90940 16
74aa38326317080f1aea84257bb2ed4d00000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000
config radius auth retransmit-timeout 1 30
config radius auth rfc3576 enable 1
config radius auth enable 1
config radius acct add encrypt 1 10.1.100.21 1813 password 1 cd643253085f2578b191048d4ec8178a
90cf261df5cfd6375df95e030a845266f41d31bc 16
88bb79e85a0dc02add3701aa3f51e178000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000
config radius acct retransmit-timeout 1 30
config radius acct enable 1
config nmsp notification interval rssi rfid 2
config network ap-discovery nat-ip-only disable
config network mgmt-via-wireless enable
config network rf-network-name 01-vWLC
config network fast-ssid-change enable
config network web-auth captive-bypass enable
config network multicast l2mcast disable service-port
config network multicast l2mcast disable virtual
config mdns profile service add default-mdns-profile AirPrint
config mdns profile service add default-mdns-profile AppleTV
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
config mdns profile service add default-mdns-profile Printer
config mdns profile create default-mdns-profile
config mdns service query enable AirPrint
config mdns service query enable AppleTV
config mdns service query enable HP_Photosmart_Printer_1
config mdns service query enable HP_Photosmart_Printer_2
config mdns service query enable Printer
config database size 2048
config 802.11b 11gsupport enable
config 802.11b cac voice sip bandwidth 64 sample-interval 20
config 802.11b cac voice sip codec g711 sample-interval 20
config 802.11b cleanair alarm device enable 802.11-inv
config 802.11b cleanair alarm device enable 802.11-nonstd
config 802.11b cleanair alarm device enable jammer
config ap autoconvert flexconnect
config ap packet-dump capture-time 10
config ap packet-dump truncate 0
config ap packet-dump buffer-size 2048
config rfid timeout 1200
config rfid status enable
config rfid mobility pango disable
config mgmtuser add encrypt admin 1 9408040aa9832b25d3f7039f9f87efc9 f958c37c9f319b5f7062054ca885047cbf7012c1 16
7f309b05ff4d0906c890fc5f3bf4860700000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000 read-write
Appendix 4: ASAv Configuration

conf term
hostname egfw
domain-name securitydemo.net
51

Cisco ISE NFR Guide

enable password ISEc0ld
passwd ISEc0ld
username admin password ISEc0ld privilege 15
!
nameif outside
security-level 0
!!-----------------------------------------
!! outside ip address is per-pod or use dhcp
ip address N1.N2.N3.N4 M1.M2.M3.M4
no shut
!
nameif corp
security-level 100
ip address 10.1.70.1 255.255.255.0
no shut
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.1.100.254 255.255.255.0
!
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.1.100.40
domain-name securitydemo.net
!
nat (any,outside) after-auto source dynamic any interface
access-group outsideIN in interface outside
!!-----------------------------------------
!! outside route is per-pod or use dhcp
route outside 0.0.0.0 0.0.0.0 G1.G2.G3.G4 1
route corp 10.1.0.0 255.255.128.0 10.1.70.2 1
!
!!-----------------------------------------
!! generate new 2K key for SSH
crypto key zeroize rsa noconfirm
crypto key generate rsa modulus 2048 noconfirm
!
ssh 10.1.100.0 255.255.255.0 management
ssh version 2
http server enable
http 10.1.100.0 255.255.255.0 management
!
ntp server 10.1.100.40 source management prefer
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
no call-home reporting anonymous

10 Appendix 5: Configure a Network Serial Console Port

Note: Need a VMware Enterprise Plus license to use the serial port over network.
Also, need to change the security profile under ESXi Host > Configuration > Security Profile > Under FireWall > FireWall
Properties and check box next to VM serial port connected over network.

52

Cisco ISE NFR Guide

[1] Right-Click ASAv, Select Edit Settings

[2] Click Add, Select Serial Port
[3] Select Connect via Network

[4] Select Server and specify a Port URL: telnet://:<Port#>

[5] Click OK to complete the configuration.
11 Appendix 6: Telnet to Network Serial Console Port

Telnet to the ESXi Host IP address and the port number you specified when you added the serial port.
53

Cisco ISE NFR Guide

WINDOWS (Putty)
MAC (Terminal)
user$ telnet <ESXi-Host-IP> <Port#>
ex: telnet 10.1.100.2 10062

54

ISE 1.3 Guide

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

ISE 1.3 Guide

Загружено:

Авторское право:

Доступные форматы

Cisco

Identity Services Engine (ISE)

Cisco ISE NFR Guide

Cisco ISE NFR Guide

Cisco ISE NFR Guide

ASAv Edge Firewall (Virtual Machine)

VMNIC 2 (ASAv G0/0)

VMNIC 0 (ASAv G0/1)

vWLC - Wireless Controller (Virtual Machine)

VMNIC 0 (vWLC MGMT)

(vWLC Service Port)

Cisco ISE NFR Guide

VLANs and IP Subnets

CORPORATE NETWORK (INSIDE)

IP Addresses and Login Credentials

admin / (default: password)

Cisco ISE NFR Guide

UCS SERVER C22 M3

Catalyst 3560 Compact Switch 8 GE PoE(+)

802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; A Reg Domain

Windows 7 to setup and administrate the setup.

Network Access Devices 2

SYSTEM BOOT IMAGE

ESXi 5.5 or Latest

vCSA 5.5 or Latest

vCenter Server Appliance

Client to connect to ESXi hosts or vCenter

DNS, DHCP, NTP, HTTP & MAIL (CENTOS 5.11)

ISE 1.3 NFR

Integrated Service Engine 1.3

Virtual Wireless LAN Controller

Click Here (Cisco.com)

Click Here (Cisco.com)

Refer to Appendix 1 Bill of Materials for more details.

Cisco ISE NFR Guide

Cisco ISE NFR Guide

Select vmnic1 then click Next.

Cisco ISE NFR Guide

Cisco ISE NFR Guide

Cisco ISE NFR Guide

Cisco ISE NFR Guide

Cisco ISE NFR Guide

icon to launch a VM console as the VM powers on.

Cisco ISE NFR Guide

# Use public servers from the pool.ntp.org project.

Cisco ISE NFR Guide

Cisco ISE NFR Guide

ISE PROCESS NAME STATE PROCESS ID

Cisco ISE NFR Guide

Virtual Wireless LAN Controller

Cisco ISE NFR Guide

icon to launch a VM console as the VM powers on.

Cisco ISE NFR Guide

Adaptive Security Virtual Appliance (ASAv)

Cisco ISE NFR Guide

NAD Configuration & Licensing

Cisco ISE NFR Guide

[1] 3560CG Switch Configuration & License

[2] vWLC Configuration & License

Cisco ISE NFR Guide

Cisco ISE NFR Guide

In the vWLC GUI, navigate Commands >

[3] ASAv Configuration & License

Cisco ISE NFR Guide