• Requirements
• Topology
• Get Started
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements (columns: Required | Optional)
NOTE: It is required that you have at least two end user devices for this demonstration—one for monitoring and connecting to the
backend components, and at least one device to actually onboard. For example, if you plan on onboarding a laptop during the
demonstration, it is required that you have a second laptop. The first laptop would be necessary to access the dCloud
Workstation1 via RDP (to show the ISE UI and other demo features) and the second laptop would be necessary to demonstrate
joining the hotspot or guest networks.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 26
Cisco dCloud
The device onboarding sections of this guide demonstrate differentiated levels of network access based on user role. ISE supports
four levels of access:
• Guest only access – Users with guest access can access the Internet and the main portal URL, but are not allowed
access to internal portal resources or internal records. Guest user access is covered in the Guest Access Management
demo guide. That guide demonstrates various guest access scenarios including hotspot, self-registered guests, and
sponsored guests.
• Tier 2 Limited Access – Users with Tier 2 level access can access the Internet and the main portal URL for their
scenario, as listed in Table 3—Available Portals. Additionally, they will be able to access the internal resources of the
portal, but will not have access to internal records. Available Tier 2 username information is listed in Table 4—Credentials
and Access Level.
• Tier 1 Full Access – Users with Tier 1 level access have full access to the network resources. This includes full portal
access as well as Internet access. Full portal access allows Tier 1 users to access the main portal page as listed in Table
3—Available Portals, as well as internal resources and internal records for that portal. Available Tier 1 username
information is listed in Table 4—Credentials and Access Level.
NOTE: If you are having problems with any of the redirect flows with ISE and Apple iOS devices, please check this link:
https://communities.cisco.com/community/technology/security/pa/ise/blog/2017/07/07/apple-ios-103-and-ise-web-redirection
NOTE: iOS 9 will not work with BYOD and the well known certificate we are using in this demo.
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
[Topology diagram; labels captured: helpdesk_user; CSR 198.18.133.212; WebRDP or AnyConnect; security_admin; Session ID; Session Owner]
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How].
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.
3. Open Firefox on Workstation1. Your homepage is set to http://topo.dcloud.cisco.com, which allows you to view the topology
and links to backend demo components. Click the home button in Firefox if you ever need to get back to the topology screen.
4. On Workstation1, ensure your Country is enabled on the demo wireless controller (WLC). [Show Me How]
NOTE: The WLC login for this demo requires session specific credentials. The username is the name you use to log in to the
dCloud UI and the password is the session ID. You can obtain this information from the session details section of your active
demo. The generic username of dcloud is also provided, and can be used with the unique session ID as password, if necessary.
5. Provision your 3000, 2000, or 1000 Series AP [Show Me How] or your integrated 819W AP [Show Me How].
NOTE: If using an endpoint router, this step only needs to be completed once. This is HIGHLY recommended when using these
demos. Without an endpoint router, the AP must be re-provisioned with the new demo WLC IP address EACH time you schedule
a new demo.
NOTE: If your AP is not set properly to FlexConnect mode, you will not see any of the SSIDs being broadcast even if your AP is
successfully registered to the controller.
• You now have the option of connecting to Workstation1 through the AP. [Show Me How]
9. You may need to complete additional demonstration preparation activities, based on the location of your demonstration.
• Complete the additional demonstration preparation activities for demonstrating at a Cisco Office. [Show Me How]
• Complete the additional demonstration preparation activities for demonstrating at a Customer Site. [Show Me How]
In this scenario, employees bring their own personal and mobile devices into the workplace, and wish to connect them to the
network. To do that, you will first connect the device to the open dCloud-Guest SSID and go through an onboarding process. The
onboarding process allows the user to register their device automatically with the ISE system. Once registered, the user will later
be able to manage their personal devices through the ISE My Devices portal. Additionally, during the onboarding process ISE will
generate a digital certificate for the device using a built-in certificate authority, and issue the certificate to the user device along with
a profile that instructs the device to connect to the secured dCloud-Registered SSID. After onboarding, the user safely and
securely connects to the secured wireless network using a digital certificate for authentication. Upon joining the secured network,
ISE dynamically assigns authorization policies for the user based on their role, giving the user only the network access required.
Steps
Device Onboarding
1. Clear settings for each personal User BYOD Device used in the demonstration. If device settings are not cleared, you may
not be redirected to the guest portal or other pages when needed.
NOTE: Perform Steps 2-10 if you have already completed the Cisco ISE Guest Access Management demonstration. If you have
not already completed that guide, skip to Step 11.
2. From Workstation1 open Firefox, and log in to ISE at https://ise.securitydemo.net using one of the following methods:
• Clicking the home button and clicking the ISE icon from the topology homepage.
3. Log in as admin/C1sco12345.
NOTE: If you encounter a problem deleting the endpoints, clear your browser cache and try again.
6. From Workstation1, access the WLC login page at http://wlc1.dcloud.cisco.com using one of the following methods:
• Clicking the home button in the browser to be brought back to the Topology diagram, and clicking on the vWLC.
7. Log in to the vWLC using the same device-specific credentials used to provision endpoints during demonstration
preparation.
11. Any clients that previously joined the hotspot are listed. Scroll to the right and hover the mouse over the dropdown arrow until
it expands, then click Remove.
12. Connect the personal User BYOD Device to the open network SSID: dCloud-Guest.
NOTE: Throughout the demonstration, you will be connecting to specific dCloud WiFi signals. While we refer to them generically,
they will all be appended with the unique session ID, for example, dCloud-Guest-123456.
13. Open the supported, built-in web browser on the personal User BYOD Device and browse to the Main Portal URL (shown in
Table 3—Available Portals) for the selected scenario. Click Continue if you encounter a security warning.
• Supported browsers: Apple devices (Safari), Windows devices (IE/Edge (recommended), Chrome or FF), Android devices
(Chrome).
14. Enter the username and password for the selected Tier 2 user on the Guest Portal (refer to Table 4—Credentials and
Access Levels).
15. When prompted, accept installation for certificates, profiles and apps and complete the enrollment process for your device.
[Show Me How]
NOTE: It is highly recommended that you read the Show Me How link above, since Apple devices have new requirements.
NOTE: Starting with ISE 2.2, ISE supports the dual SSID flow using the Apple Mini-Browser (Captive Network Assistant) that pops up
automatically when connecting to captive portal networks. This demo bypasses the captive portal so that it does not pop up
automatically. It is not recommended to use the captive portal in this flow. For more information, see the community post on the pros
and cons of the different flows and methods used:
https://communities.cisco.com/docs/DOC-71469
NOTE: After device authentication, it may take up to 30 seconds for changes to take effect. If you have trouble connecting to
dCloud-Registered, wait a few moments and try again.
16. After the device supplicant and certificate have been provisioned, your device should be connected to the SSID
dCloud-Registered. If your device does not connect automatically, select the dCloud-Registered SSID in your
Wi-Fi settings.
17. Clear Personal Device Settings to forget the dCloud-Guest network. [Show Me How]
NOTE: Throughout the demonstration, you will be connecting to specific dCloud WiFi signals. While we refer to them generically,
they will all be appended with the unique session ID, for example, dCloud-Registered-123456.
HIGHLIGHT
• The user device has been onboarded to use the network and has reconnected to the network securely using a certificate.
From this point forward, the device will automatically connect to the corporate network for easy access.
• Explain that entering Guest credentials puts the user through the guest flow. If you enter Network Access Credentials
(AD or internal users/non-guests) then you will be redirected to onboard the device using the Self Provisioning Portal.
• This demonstrates the Dual SSID flow. There is a Single SSID flow available where the user would connect to the secure
SSID first using PEAP/MSCHAPv2 and then be onboarded to connect via TLS.
The user device has been successfully onboarded to the network, and should now have the appropriate level of access. Since the
user is a Tier 2 user, they should have access to the Internet, the main portal URL for their scenario as listed in Table 3—Available
Portals, and to internal resources for that portal. However, they should not have access to the internal records of the portal.
1. Open the native browser on the user device and navigate to http://www.cisco.com to demonstrate that the user has Internet
access.
2. Navigate back to the Main Portal URL associated with the selected scenario shown in Table 3—Available Portals (e.g.,
health.dcloud.cisco.com).
a. Click the General Resources link in the upper left. The user should have access to the general resources. Click the
Home link to return to the Main Portal URL.
b. Click the Internal Resources link in the middle left box. The user should have access to the internal resources section of
the portal.
c. From within the internal resources section, click the link for Internal Records. Depending on the portal, this link may be
named slightly differently, for example, Corporate Financial Records. The user should not have access. Click the home link
to return to the Main Portal URL.
NOTE: The main portal pages for the four scenarios listed in Table 3—Available Portals differ only slightly. Each portal has the
same basic layout: each has a General Resources link accessible to all users, and an Internal Resources link for Tier 1 and Tier 2
users only. Once inside the internal resources section, each portal has two links that are restricted to Tier 1 users only. The Tier 1
only internal records links are listed below in Table 5—General/Internal Resources and Records per Portal.
For purposes of this demonstration, do not explore the My Registered Devices link on the main page at this time. That link will be
covered later in this demonstration.
Table 5. General/Internal Resources and Records per Portal
Scenario / Vertical | General Resources (All) | Internal Resources (Tier 1 & 2 Only) | Internal Records (Tier 1 Only)
Healthcare | For Patients and Families | For Healthcare Professionals | Medical Records / Insurance Server
Education | For Students and Guests | For Faculty/Educators | Student Records / Student Contacts
Federal | For Visitors | For Federal Agents | Background Records / Human Resource Server
Corporate | For Customers and Guests | For Corporate Employees | Corporate Financial Records / HR Records
Cleanup devices
The next step will be to onboard a Tier 1 user device. If you plan to use the same device that you did for Tier 2, you must go
through the cleanup process below. If you use a separate device to onboard for Tier 1, the cleanup process below is not
necessary, and you can continue to the network security policy enforcement for Tier 1 users section below.
NOTE: It is imperative that you follow the instructions below carefully. Because we have already gone through another flow, ISE
has already profiled the device, authenticated it, authorized it, and added it to an endpoint group. In order to be successful with the
next scenario, it is important that we remove the device completely from ISE and the WLC as well as clear local device settings.
1. Clear settings for each personal User BYOD Device used in the demonstration. If device settings are not cleared, you may
not be redirected to the guest portal or other pages when needed.
2. From Workstation1 open Firefox, and log in to ISE at https://ise.securitydemo.net using one of the following methods:
• Clicking the home button and clicking the ISE icon from the topology homepage.
NOTE: If you encounter a problem deleting the endpoints, clear your browser cache and try again.
5. From Workstation1 access the WLC login page at http://wlc1.dcloud.cisco.com using one of the following methods:
• Clicking the home button in the browser to be brought back to the Topology diagram, and clicking on the vWLC.
6. Log in to the vWLC using the same device-specific credentials used to provision endpoints during demonstration
preparation.
10. Any clients that previously joined the network are listed. Scroll to the right and hover the mouse over the dropdown arrow until
it expands, then click Remove.
We have seen how ISE dynamically provided access for a Tier 2 level user. Next, we will demonstrate how ISE offers a different
policy for Tier 1 users that includes access to the internal records.
1. Go through the Device Onboarding section a second time, logging in as a Tier 1 user instead of a Tier 2 user. Once you have
onboarded successfully, and have joined the dCloud-Registered SSID as a Tier 1 user, continue to the next step.
2. Clear Personal Device Settings to forget the dCloud-Guest network. [Show Me How]
NOTE: Throughout the demonstration, you will be connecting to specific dCloud WiFi signals. While we refer to them generically,
they will all be appended with the unique session ID, for example, dCloud-Registered-123456.
3. Open the native browser on the user device and navigate to http://www.cisco.com to demonstrate that the user has Internet
access.
4. Navigate back to the Main Portal URL associated with the selected scenario shown in Table 3—Available Portals above (e.g.,
health.dcloud.cisco.com).
5. Click the General Resources link in the upper left box. The user should have access to the general resources. Click the
home link to be brought back to the Main Portal URL.
6. Click the Internal Resources link in the middle left box. The user should have access to the internal resources section of the
portal.
7. From within the internal resources section, click the link for Internal Records. As a Tier 1 user, the device should now have
access to the internal records.
NOTE: For the name of the Internal Records page for each portal, see Table 5—General/Internal Resources and Records per
Portal.
You have now onboarded a device using both Tier 1 and Tier 2 access level credentials. Next, you will look briefly at the ISE UI to
demonstrate the basics of how ISE dynamically profiled the device and dynamically allowed the proper level of access.
2. In the Demo Devices section of the topology map, click ISE. This will bring you to the ISE login page at
https://ise.securitydemo.net.
4. Select Operations > RADIUS > Live Logs. This screen displays the most recent authentications and authorization attempts
in ISE.
In ISE, we can see the registration history as our Tier 2 and Tier 1 users were onboarded.
• Initially, the Tier 2 user connected to the open SSID dCloud-Guest and was authenticated/authorized using MAC
Authentication Bypass (MAB). ISE does not yet know who the user is, so it sends back the GUEST_REDIRECT policy.
This policy tells the WLC to redirect all user traffic to the ISE guest portal.
• The user then logged in as nurse (Tier 2 user) and the device was properly profiled as an Apple iPad.
• Once the user went through the onboarding process, the device was issued a digital certificate by the ISE CA, and the
user successfully logged into the secured dCloud-Registered network using the digital certificate. ISE dynamically
assigned the user the TIER2_WIRELESS_ACCESS authorization profile.
• The TIER2_WIRELESS_ACCESS profile returns the name of an ACL that is already preconfigured on the WLC. This
ACL allows the Tier 2 users to get to the main portal and internal portal, but not internal records.
Similarly, we see exactly what happened as the Tier 1 user onboarded (consistency).
• We can see that this time the user logged in with the Tier 1 user doctor, and that his device was correctly profiled as an
Apple OSX Mavericks Workstation.
• Because the doctor is a Tier 1 user, ISE assigns the TIER1_WIRELESS_ACCESS policy.
• Similar to the TIER2_WIRELESS_ACCESS policy, this returns to the WLC the name of an ACL. The Tier1 ACL allows
the user to access all portal resources, including internal records.
NOTE: ISE now features an integrated certificate authority (CA) to issue digital certificates. Next, you will explore the internal ISE
CA and see how it generated certificates for our Tier 1 and Tier 2 users.
5. Go back to the ISE UI and click Administration > System > Certificates.
Steps
1. On Workstation1, launch Firefox from the desktop to access the topology home page at http://topo.dcloud.cisco.com.
2. In the Default Portal Logins section of the topology map, click My Devices. This will bring you to the ISE My Devices Portal
at https://mydevices.securitydemo.net.
3. Log in to the My Devices portal with the same user credentials you used for the Tier 1 onboarding process (captain, doctor,
dean or manager).
4. Accept the AUP, then click Continue to move to the Manage Devices screen where you should see the device you onboarded
earlier for the Tier 1 user.
5. Click any device you previously registered. You are brought to a screen where you can manage the device, and can
perform the following operations:
Figure 20. Operations in the Manage Devices section of the My Devices Portal
7. Click Yes to the confirmation window that pops up to confirm you wish to mark the device as lost. Verify the device now shows
as lost under Manage Devices.
NOTE: Because the device has been marked as lost by the user, Cisco ISE revokes network access for this device, adding the
device to a blacklisted device group, and dynamically pushing down a blacklist policy that restricts the device’s network access.
1. From Workstation1 open Firefox, and log in to ISE at https://ise.securitydemo.net using one of the following methods:
• Clicking the home button and clicking the ISE icon from the topology homepage.
3. Click on the Operations > RADIUS > Live log. This screen displays the most recent authentications and authorization
attempts in ISE. You can see that the user device has been dynamically assigned a new authorization profile called
Blackhole_Wireless_Access.
NOTE: When the user marks a device as lost, ISE adds that device to an internal blacklisted group, and dynamically sends back
the Blackhole_Wireless_Access policy to the device. This policy blacklists the device by sending back to the WLC the name of
an ACL preconfigured on the WLC that denies all traffic.
4. After selecting the device that was marked lost, close the web browser and re-open it. When you try to access a web page,
you are redirected to the ISE blacklist portal. Click Continue through any security or certificate warnings.
If the device remains lost, ISE will continue to blacklist it indefinitely. However, if a lost device is found, the user has the ability to
reinstate network access for that device.
2. Select the device marked as lost to get to the Manage Device screen.
3. Click Reinstate and confirm by clicking Yes. The device is again marked as registered instead of lost in the Manage Devices
window.
NOTE: ISE has now reinstated the device. The device has been removed from the blacklist group automatically, and ISE has
dynamically sent back the proper Tier 1 authorization policy to the WLC. This process is seamless to the user, and the user does
not need to go through the onboarding process again.
4. In ISE, click Operations > RADIUS > Live Logs to see the most recent events. You can see that ISE has dynamically pushed
down the TIER1_WIRELESS_ACCESS policy, as the device has been reinstated.
NOTE: ISE is able to dynamically update the device network access policy by sending AAA CoA (Change of Authorization)
messages to the WLC. This can be done with proper configuration and a supported WLC or switch for seamless transitions.
5. On the user device, open a web browser and access http://www.cisco.com to demonstrate that the device has been
reinstated.
3. Click Stolen to mark the device as being stolen. Click Yes to the confirmation window that pops up to confirm you wish to
mark the device as stolen.
NOTE: Because the device has been marked as stolen by the user, Cisco ISE revokes network access for this device. In this
scenario, ISE has already issued a digital certificate for the device using the internal CA. ISE revokes the certificate that was
previously issued and adds the device to a Stolen device group.
This scenario is notably different from the lost situation, because ISE revokes the user certificate. Once a certificate is revoked,
that certificate can never be unrevoked for security purposes. If the device is recovered in the future, the device must be re-
onboarded and must obtain a new digital certificate from ISE as a security measure.
Once the device is marked as stolen the end user device will immediately be kicked off the network. The device will fail
authentication for all future attempts to access the dCloud-Registered network, due to the revoked device certificate.
Even though the device has been designated stolen in ISE, the device may still successfully access a previously connected
wireless network that is not part of the demo.
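To make the policy logic that runs through the live-log walkthrough and the lost and stolen device sections concrete, here is an added Python model (example code, not part of this guide or of ISE): MAB on the open SSID returns GUEST_REDIRECT, an EAP-TLS login with a valid device certificate returns the tier's authorization profile and its WLC ACL name, marking a device lost pushes Blackhole_Wireless_Access by CoA and reinstating undoes it, and marking it stolen revokes the certificate so every later EAP-TLS attempt is rejected until re-onboarding issues a new one. The ACL names, resource categories, method names and the MAC and serial values are constructed for the example.

```python
# Added model of the ISE BYOD authorization flow this guide walks through.
# Profile names are the ones shown in the guide's live logs; ACL names, resource
# categories, method names and the MAC/serial values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

UNKNOWN, REGISTERED, LOST, STOLEN = "unknown", "registered", "lost", "stolen"  # My Devices states


@dataclass
class Endpoint:
    mac: str
    state: str = UNKNOWN
    tier: Optional[int] = None           # 1 = full access, 2 = limited access
    cert_serial: Optional[int] = None    # issued by the ISE internal CA


@dataclass(frozen=True)
class Authorization:
    profile: str
    acl: Optional[str]       # ACL name returned to the WLC (preconfigured there)
    redirect: bool = False   # WLC redirects web traffic to an ISE portal
    accepted: bool = True    # False models a RADIUS Access-Reject


# What each constructed WLC ACL lets the device reach, mirroring Table 5:
# Tier 2 reaches general and internal resources but not internal records.
ACL_RULES: Dict[str, Set[str]] = {
    "TIER1_ACL": {"internet", "general", "internal", "records"},
    "TIER2_ACL": {"internet", "general", "internal"},
    "REDIRECT_ACL": set(),   # nothing but the portal redirect itself
    "DENY_ALL_ACL": set(),
}
GUEST_REDIRECT = Authorization("GUEST_REDIRECT", "REDIRECT_ACL", redirect=True)
BLACKHOLE = Authorization("Blackhole_Wireless_Access", "DENY_ALL_ACL", redirect=True)
REJECT = Authorization("ACCESS_REJECT", None, accepted=False)
TIER_PROFILES = {1: Authorization("TIER1_WIRELESS_ACCESS", "TIER1_ACL"),
                 2: Authorization("TIER2_WIRELESS_ACCESS", "TIER2_ACL")}


def allows(auth: Authorization, resource: str) -> bool:
    # Would the WLC pass this device's traffic to the given portal resource?
    return auth.accepted and resource in ACL_RULES.get(auth.acl or "", set())


class IseModel:
    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.revoked: Set[int] = set()               # serials revoked by the CA
        self.coa_log: List[Tuple[str, str]] = []     # (mac, profile) pushed by CoA
        self._next_serial = 1000

    def _ep(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac, Endpoint(mac))

    def mab(self, mac: str) -> Authorization:
        """Open SSID: only the MAC is known, so the user is sent to the portal."""
        state = self._ep(mac).state
        return BLACKHOLE if state in (LOST, STOLEN) else GUEST_REDIRECT

    def onboard(self, mac: str, tier: int) -> int:
        """Self-provisioning portal: issue a fresh certificate and register."""
        ep = self._ep(mac)
        ep.tier, ep.state, ep.cert_serial = tier, REGISTERED, self._next_serial
        self._next_serial += 1
        return ep.cert_serial

    def eap_tls(self, mac: str, cert_serial: int) -> Authorization:
        """Secured SSID: certificate validity first, then device state, then role."""
        ep = self._ep(mac)
        if cert_serial in self.revoked or cert_serial != ep.cert_serial:
            return REJECT
        return BLACKHOLE if ep.state == LOST else TIER_PROFILES[ep.tier]

    def mark(self, mac: str, state: str) -> None:
        """My Devices portal: LOST blackholes; STOLEN also revokes the certificate."""
        ep = self._ep(mac)
        ep.state = state
        if state == STOLEN and ep.cert_serial is not None:
            self.revoked.add(ep.cert_serial)         # permanent: never unrevoked
        self.coa_log.append((mac, BLACKHOLE.profile))   # CoA pushed to the WLC

    def reinstate(self, mac: str) -> bool:
        """A lost device comes back without re-onboarding; a stolen one cannot."""
        ep = self._ep(mac)
        if ep.state != LOST:
            return False
        ep.state = REGISTERED
        self.coa_log.append((mac, TIER_PROFILES[ep.tier].profile))
        return True
```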
1. From Workstation1 open Firefox, and log in to ISE at https://ise.securitydemo.net using one of the following methods:
• Clicking the home button and clicking the ISE icon from the topology homepage.
3. Hover your mouse over Operations > RADIUS > Live Logs. On this screen, we can see the most recent authentications and
authorization attempts in ISE. You can see that the user device marked as Stolen is now failing authentication, since its
certificate was revoked by ISE.
5. Under Certificate Authority, click Issued Certificates. Demonstrate that the device certificate is permanently revoked.