Академический Документы
Профессиональный Документы
Культура Документы
Labs
Plaban
Advanced Identity Service Engine (ISE)
Labs
Lab 1 – Preparing the Network for ISE
R2 R3
F 0/0 (.2) F 0/0 (.3)
192.168.10.0/24 VLAN 10
F 0/1 (.10)
SW1 SW2
R1
F 0/0 (.1)
WiFi Enabled PC
(.15) (.16)
192.168.100.0/24 VLAN 100
(.35) (.100)
(.50)
Initial Setup:
Lab Tasks:
Task 1
Configure R1 as a DNS Server. It should resolve the following domain-names to
the IP:
Ise.demo.in : 192.168.100.35
R1.demo.in : 192.168.100.1
R1
IP DNS Server
!
IP host ise.demo.in 192.168.100.35
IP host R1.demo.in 192.168.100.1
Task 2
Configure R1 as the DHCP Server for VLAN 100. It should be configured with
the following parameters:
R1
Task 3
Configure R1 as the DHCP Server for VLAN 10. It should be configured with
the following parameters:
R1
Task 4
Configure R1 as the DHCP Server for VLAN 20. It should be configured with
the following parameters:
R1
Task 5
Configure R1 as the DHCP Server for VLAN 30. It should be configured with
the following parameters:
R1
Lab Scenario:
Configuring Profiling
Creating Users
Initial Setup:
Lab Task:
Task 1
Open a Browser and browse to https://192.168.100.35. The Username of the
the ISE is admin. The Password was set to Plaban123.
ISE
Task 2
Change the Deployment Mode to Primary.
ISE
Task 3
Update the Posture Database based on the offline method. The File for the
posture update should be located in the LabFiles Folder.
ISE
Task 4
Turn on Profiling on the ISE appliance for the following probes:
DHCP
DHCP SPAN
RADIUS
ISE
Task 5
Configure the following Endpoint & User Identity Groups on the ISE appliance:
ISE
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Open the ISE Admin page and configure the SW1 as a Network Device using
cisco123 as the secret key.
ISE
Task 2
Open the ISE Admin page and configure the SW1 as a Network Device using
cisco123 as the secret key.
ISE
Task 3
Configure SW1 to communicate to ISE using RADIUS as the protocol and
cisco123 as the secret key. Also, configure the Switches with a local username
of admin with a password of admin. Configure a enable password of cisco. This
will be used by the ISE to Validate the Config for ISE.
SW1
Aaa new-model
Radius-server host 192.168.100.35 key cisco123
!
Username admin password admin
Enable secret cisco
Task 4
Configure SW2 to communicate to ISE using RADIUS as the protocol and
cisco123 as the secret key. Also, configure the Switches with a local username
of admin with a password of admin. Configure a enable password of cisco. This
will be used by the ISE to Validate the Config for ISE.
SW2
Aaa new-model
Radius-server host 192.168.100.35 key cisco123
!
Username admin password admin
Enable secret cisco
Task 5
Use the Config Validation Operation Tool to telnet into SW1 and validate the
config. All the configuration that appears in red needs to be filled up. Use
notepad to do that and paste the config to SW1. Optionally, you can use the
Dot1x Switch config file that I have provided in the Labfiles folder.
ISE
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Re-initialize the WLC if required by using the Recover-config command from
the CLI.
WLC
Recover-config
Task 2
Initialize the WLC based on the following parameters:
Hostname : WLC
Admin Username : admin
Admin Password : Plaban@12353
IP Address : 192.168.100.100
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.100.1
Management VLAN : 100
Physical Interface : 1
Virtual-IP : 100.100.100.100
Mobility Group : MGMT
Management SSID : MGMT
Radio : Enable all Radio
Auto RF : Yes
NTP Server : 192.168.100.1
WLC
Task 3
Open a browser. Type https://192.168.100.100. Login using the
administrator name and password created in the previous step. Are you
successful??
WLC
Task 4
In WLC, under the Security Menu, configure the WLC to communicate to ISE
(192.168.100.35) as the authentication and accounting server. Use cisco123
as the secret key.
WLC
Task 5
Open the ISE Admin page and configure the WLC as a Network Device using
cisco123 as the secret key.
ISE
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Configure the Default Network Policy Results for authentication to support MS-
CHAP v2. Also, completely disable EAP-TLS for the policy (3 locations).
ISE
Task 2
Configure the following User Identities and assign them to the appropriate
groups:
ISE
ISE
Task 4
Run the services.msc file from the Run menu. Make sure the
WiredAutoConfig service is running. This turns on the Dot1x service on the
PC.
PC
Task 5
On the Wired Dot1x client machine, follow the instructions below to make sure
the device is ready for Dot1x authentication.
PC
Task 6
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Sales1
as the username with a password of Cisco123. Did you connect??
PC
Task 7
Open the command prompt. Type IPCONFIG. What IP address was assigned to
the User?. It should be from the VLAN that was configured on the Switchport
(VLAN 100).
PC
Task 8
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication.
SW2
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
As the client is connected as a VM Device, we need to Fail the Physical Adapter
for the VM Device authorization to work properly. Add the Physical MAC as an
Endpoint and assign it to the PHYSCIAL_PC group.
ISE
Task 2
Configure the Authorization Policies Result sets to assign Users to VLANS.
Configure the following policies:
SALES_WIRED_AUTH – VLAN – 20
MARK_WIRED_AUTH – VLAN – 30
ISE
Name : PHYSICAL_PC
o Group : PHYSICAL_PC
o Authentication Type : Wired_MAB
o Auth. Profile : Deny_Access
Name : SALES_DOT1X_WIRED
o Group : SALES
o Authentication Type : Wired_802.1x
o Auth. Profile : SALES_WIRED_AUTH
Name : MARK_DOT1X_WIRED
o Group : MARK
o Authentication Type : Wired_802.1x
o Auth. Profile : MARK_WIRED_AUTH
ISE
Task 4
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Sales1
as the username with a password of Cisco123. Did you connect??
PC
Task 5
Open the command prompt. Type IPCONFIG. What IP address was assigned to
the User?
PC
SW2
Task 7
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Mark1
as the username with a password of Cisco123. Did you connect??
PC
Task 8
Open the command prompt. Type IPCONFIG. What IP address was assigned to
the User?
PC
Task 9
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication. Also, check
to see the VLAN assignment to the port. Does it match the running config?
SW2
Initial Setup:
Lab Task:
Task 1
Configure the Authorization Policies Result DACLs to control User traffic.
Configure the following policies:
SALES_ACL
o Deny icmp any any
o Permit ip any any
MARK_ACL
o Deny tcp any any eq 23
o Permit ip any any
ISE
Task 2
Configure/modify the Authorization Policies Result sets to control User traffic
based on DACL. Configure the following policies:
SALES_WIRED_AUTH
o VLAN - 20
o DACL - SALES_ACL
MARK_WIRED_AUTH
o VLAN - 30
o DACL - MARK_ACL
ISE
Task 3
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Sales1
as the username with a password of Cisco123. Did you connect??
PC
Task 4
Open the command prompt. Type Ping 192.168.100.16. Are you successful?
Use Putty to telnet to 192.168.100.16. Are you successful?
PC
Task 5
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication.
SW2
Task 6
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Mark1
as the username with a password of Cisco123. Did you connect??
PC
Task 7
Open the command prompt. Type Ping 192.168.100.16. Are you successful?
Use Putty to telnet to 192.168.100.16. Are you successful?
PC
Task 8
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication. Also, check
to see the VLAN & DACL assignment to the port. Does it match the running
config?
SW2
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Under the Authentication page, Change the name of MAB Authentication to
MAB_Wired. Don’t change any other property. Save the Configuration change.
ISE
Task 2
Open the command prompt on the Wired Client PC. Type IPCONFIG /all. Find
out the MAC Address. Copy it into Notepad. Change the format to
XX:XX:XX:XX:XX:XX.
PC
Task 3
Add a Endpoint Identity in ISE. Use the MAC Address of the PC. Assign this
Endpoint to the ADMIN-PC endpoint group.
ISE
Task 4
Configure a new Authorization Policy based on the following:
Name : ADMIN_PC_WIRED_MAB
o Group : ADMIN_PC
o Authentication Type : Wired_MAB
o Auth. Profile : Permit_Access
ISE
Task 5
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Do NOT put any credentials or
disable the 802.1x capability on the NIC. Let me fail to MAB. Check the Switch
to make sure the Authentication is success based on MAB using the Show
authentication session interface F X/X command.
PC
Task 6
Open the command prompt. Type IPCONFIG. What IP address was assigned to
the Device?
PC
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Configure the Authorization Policies Result DACLs to control User traffic.
Configure the following policies:
ADMIN_PC
o Deny ip any host 192.168.100.199
o Permit ip any any
ISE
Task 2
Configure the Authorization Policies Result sets to control User traffic based on
DACL. Configure the following policies:
ADMIN_PC_AUTH
o VLAN - 100
o DACL - ADMIN_PC
ISE
Task 3
Configure the ADMIN_PC Authorization Policy based on the following:
Name : ADMIN_PC_WIRED_MAB
o Group : ADMIN_PC
o Authentication Type : Wired_MAB
o Auth. Profile : ADMIN_PC_AUTH
ISE
Task 4
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Do NOT put any credentials or
disable the 802.1x capability on the NIC. Let me fail to MAB. Check the Switch
to make sure the Authentication is success based on MAB using the Show
authentication session interface F X/X command.
PC
Task 5
Open the command prompt. Type IPCONFIG. What IP address was assigned to
the Device?
PC
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Configure a VLAN Interface for VLAN 10 based on the following parameters:
Interface Name : IT
VLAN : 10
Physical Interface : 2
IP Configuration
o IP Address : 192.168.10.100
o Subnet : 255.255.255.0
o Default Gateway : 192.168.10.1
DHCP Server : 192.168.100.1
WLC
Task 2
Configure a VLAN Interface for VLAN 20 based on the following parameters:
WLC
Task 3
Configure a VLAN Interface for VLAN 30 based on the following parameters:
WLC
Task 4
Configure a common WLAN for company that will use ISE for VLAN and
Interface assignment. Configure the WLAN based on the following:
WLC
Task 5
Under the Authentication page, Copy the Dot1x_Wired policy. Set the name of
the authentication policy to Dot1x_Wireless. Change the authentication
method condition to Wireless_802.1x. Leave the rest of the parameters the
same. Save the Policy.
ISE
Task 6
Configure the Authorization Policies Result sets to assign Wireless Users to
VLANS. Configure the following policies:
WIRELESS_IT – VLAN – 10
WIRELESS_SALES – VLAN – 20
WIRELESS –MARK – VLAN – 30
ISE
Task 7
Configure the Authorization Policies based on the following:
Name : IT_WIRELESS
o Group : IT
o Authentication Type : Wireless_802.1x
o Auth. Profile : WIRELESS_IT
Name : SALES_ WIRELESS
o Group : SALES
o Authentication Type : Wireless_802.1x
o Auth. Profile : WIRELESS_SALES
Name : MARK_ WIRELESS
o Group : MARK
o Authentication Type : Wireless_802.1x
o Auth. Profile : WIRELESS_MARK
ISE
Task 8
Go to Network Connections; Right-click on the Wireless NIC; Click View
Wireless Networks; Select demo_ISE. Login in as IT1. Did you connect?
PC
Task 9
Open a command prompt. Type ipconfig. What IP address was assigned to the
wireless client?
PC
Task 10
Open the Command prompt. Type tracert 192.168.30.3. What are the hops
from the Wireless client to the destination?
PC
Task 11
Bounce the Wireless NIC (Disable & Enable it). Right-click on the Wireless NIC;
Click View Wireless Networks; Select demo_ISE. Login in as Sales1. Did you
connect?
PC
Task 12
Open a command prompt. Type ipconfig. What IP address was assigned to the
wireless client?
PC
Task 13
Open the Command prompt. Type tracert 192.168.30.3. What are the hops
from the Wireless client to the destination?
PC
Task 14
Bounce the Wireless NIC (Disable & Enable it). Right-click on the Wireless NIC;
Click View Wireless Networks; Select demo_ISE. Login in as Mark1. Did you
connect?
PC
PC
Task 16
Open the Command prompt. Type tracert 192.168.20.2. What are the hops
from the Wireless client to the destination?
PC
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Configure an ACL on the WLC under the Security Menu based on the following
Parameters:
WLC
Task 2
Configure the Authorization Policies Result sets to assign Wireless Users the
appropriate ACL. Configure the following policies:
Authorization Profile : WIRELESS_SALES
o Airespace ACL Name - SALES_ACL
Authorization Profile : WIRELESS_MARK
o Airespace ACL Name - MARK_ACL
ISE
Task 3
Go to Network Connections; Right-click on the Wireless NIC; Click View
Wireless Networks; Select demo_ISE. Login in as Sales1. Did you connect?
PC
Task 4
Open a command prompt. Type ipconfig. What IP address was assigned to the
wireless client?
PC
Task 5
Open the Command prompt. Type ping 192.168.20.2. Are you successful?
PC
Task 6
Telnet to 192.168.100.16. Are you successful?
PC
Solution on AVI File
Lab 12 – Configuring Wireless MAB
Authentication - VLAN Assignment
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Under the Authentication page, copy the MAB_WIRED policy. Change the name
to MAB_Wireless. Change the Method to Wireless_MAB. Don’t change any
other property. Save the Configuration change.
ISE
Task 2
Open the command prompt on the Wireless Client PC. Type IPCONFIG /all.
Find out the MAC Address. Copy it into Notepad. Change the format to
XX:XX:XX:XX:XX:XX.
PC
Task 3
Add a Endpoint Identity in ISE. Use the MAC Address of the PC. Assign this
Endpoint to the ADMIN-PC endpoint group.
ISE
Task 4
Configure a new Authorization Policy based on the following:
Name : ADMIN_PC_WIRELESS_MAB
o Group : ADMIN_PC
o Authentication Type : Wireless_MAB
o Auth. Profile : WIRELESS_IT
ISE
Task 5
Configure a new WLAN on the WLC based on the following:
Name : NW_ADMINS
o Interface : Management
o Security Layer 2 : None with MAC_Filtering
o Settings:
o RADIUS Server Overwrite Interface
o Allow AAA interface override
o Authentication & Accounting Servers : 192.168.100.35
o Authentication Order : RADIUS should be preferred
o Advanced :
o Allow AAA interface override
o NAC-State : RADIUS_NAC
WLC
Task 6
Bounce the Wireless Adapter. (Disable and Enable). A ballon near the system
tray will ask ask you for additional credentials. Do NOT put any credentials. Let
me fail to MAB. Check the Switch to make sure the Authentication is success
based on MAB using the Show authentication session interface F X/X
command.
PC
Task 7
Open the command prompt. Type IPCONFIG. What IP address was assigned to
the Device?
PC
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Enable the port on the switch connected to the IP Phone. Find the MAC
address using the Show authentication session command.
SW1
Task 2
Add the IP Phone as an Endpoint on ISE. Assign it to the pre-defined Cisco IP
Phone Identity Group
ISE
Task 3
Check to make sure that the pre-created Authorization rule for Cisco IP Phones
exists.
ISE
Solution on AVI File
Task 4
Check the Switch to make sure the Authentication is successfull based on MAB
using the Show authentication session interface F X/X command.
SW1
Lab Scenario:
Initial Setup:
Lab Task:
Task 1
Make sure the IP Phone Switch port has the following command:
Interface F 4/0/18
authentication host-mode multi-auth
SW1
Task 2
As the client is connected as a VM Device, we need to Fail the Physical Adapter
for the VM Device authorization to work properly. Add the Physical MAC as an
Endpoint and assign it to the PHYSCIAL_PC group. As there is a Authorization
policy for the PHYSCIAL_PC group, we don't need to do anything more.
ISE
Solution on AVI File
Task 3
We will use the existing rules for Wired Dot1x to authenticate the PC behind
the IP Phone.
ISE
Task 4
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Sales1
as the username with a password of Cisco123. Did you connect??
PC
Task 5
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication.
SW2
Lab Scenario:
Configure the Client Provisiong Resources for the NAC and Web Agents.
Initial Setup:
Lab Task:
Task 1
Add the Client files for the Web Agent under the Policy Results for Client
Provisioning resources.
ISE
Task 2
Configure a Client Provisioning Policy based on the following:
Name : CP_ALL_WINDOWS
o Operating System : Windows All
o Agent : Web Agent
ISE
Task 3
Configure an Application Condition under Policy -> Conditions -> Posture
Name : SALES_APP
o Process Name : notepad.exe
o Application Operator : Running
o Operating System : Windows All
ISE
Task 4
Configure an AV Condition under Policy -> Conditions -> Posture
Name : Symantec
o Vendor : Symantec
o Operating System : Windows All
o Products : Norton 360 / 20.X & 6.X
ISE
Task 5
Configure a Posture Policy for the SALES Group under Policy -> Posture based
on the following:
Name : SALES_POSTURE
o Group : SALES
o Operating System : Windows All
o Requirement:
o Name : SALES_REQ
o Condition : SALES_APP
o Remediation Action : Message Text of your Choice
ISE
Task 6
Configure a Posture Policy for the MARK Group under Policy -> Posture based
on the following:
Name : MARK_POSTURE
o Group : MARK
o Operating System : Windows All
o Requirement:
o Name : MARK_REQ
o Condition : Symantec
o Remediation Action : Message Text of your Choice
ISE
Task 7
Configure a PRE-AUTH ACL for the NON-COMPLIANT users under Policy ->
Results based on the following:
Name : PRE_AUTH
o permit udp any any eq 67
o permit udp any any eq 68
o permit udp any any eq 53
o permit ip any host 192.168.100.35
ISE
Task 8
Configure a Authorization Profile fort the NON-COMPLIANT Users based on the
following:
Name : NON_COMPLIANT
o DACL : PRE_AUTH
o VLAN : 100
o Web Authentication: Posture Discovery
o ACL : ABC
ISE
Task 9
Configure the Redirection ACL called ABC on the Switch based on the following
entries:
Redirection ACL
o deny udp any any eq 67
o deny udp any any eq 68
o deny udp any any eq 53
o deny ip any host 192.168.100.35
o permit ip any any
SW
Task 10
Configure the Authorization Policies based on the following:
Name : NON_COMPLIANT
o Authentication Type : Wired_802.1x
o Session: PostureStatus NOT EQUALS Compliant
o Auth. Profile : NON_COMPLIANT
Name : SALES_ WIRED
o Group : SALES
o Authentication Type : Wired_802.1x
o Session: PostureStatus EQUALS Compliant
o Auth. Profile : WIRED_SALES
Name : MARK_ WIRED
o Group : MARK
o Authentication Type : Wired_802.1x
o Session: PostureStatus EQUALS Compliant
o Auth. Profile : WIRED_MARK
ISE
Task 11
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Sales1
as the username with a password of Cisco123. Did you connect??
PC
Task 12
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication.
SW2
Task 13
Ping 192.168.20.2. Are you successful?
PC
PC
Task 15
Run notepad.exe from the run menu. Leave it running and re-scan the PC. Are
you successfully logged into the Network?
PC
Task 16
Ping 192.168.20.2. Are you successful?
PC
Task 17
Bounce the LAN Adapter. (Disable and Enable). A ballon near the system tray
will ask ask you for additional credentials. Click on it and Log in using Mark1
as the username with a password of Cisco123. Did you connect??
PC
Task 18
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication.
SW2
Task 19
Open a browser. Type Http://r1.demo.in. In should redirect you to a page and
ask you to run the web agent. Confirm all the Prompts. Once done, does it pop
a message about the MARK_REQ.
PC
Lab Scenario:
Configure Local Web Authentication (LWA) as a backup to Dot1x & MAB
Initial Setup:
Lab Task:
Task 1
Configure the Switch for aaa authentication and authorization lists. Configure
the default authentication list for login to point to the already configured
RADIUS server. Protect the Console with no authentication. Also, configure a
default auth-proxy authorization list to point to the RADIUS server.
SW2
Task 2
Configure the Switch as a https server
SW2
Ip http secure-server
Solution on AVI File
Task 3
Configure a PRE-AUTH & a POST-AUTH ACL with the following entries:
Name : PRE-AUTH
o permit udp any any eq 67
o permit udp any any eq 68
o permit udp any any eq 53
o permit ip any host 192.168.100.35
Name : POST-AUTH
o deny icmp any host 192.168.100.16
o permit ip any any
SW2
Task 4
Configure a Admission rule with a name of LWA that does authentication based
on Http
SW2
Task 5
Configure a Fallback Profile that links the PRE-AUTH ACL and the Admission
rule to it. Name if FB-LWA
SW2
Task 6
Configure the Interface authentication order and priority to include webauth as
an authentication mechanism. Also, attach the fallback profile to the interface.
SW2
Interface F 4/0/22
Authentication order mab webauth
Authentication priority mab webauth
Authenticatoin fallback FB-LWA
Solution on AVI File
Task 7
Configure a End User Group called LWA-GROUP. Configure the following User
Identity and assign them to the LWA Group
ISE
Task 8
Configure a Authorization Profile fort the LWA Group based on the following:
Name : LWA
o Filter-ID : POST_AUTH
o Web Authentication (Local Web Auth): Enable
ISE
Task 9
Configure the Authorization Policies based on the following:
Name : LWA
o Group : LWA-GROUP
o Auth. Profile : LWA
ISE
Task 10
Bounce the LAN Adapter. (Disable and Enable). Disable 802.1x authentication
for the NIC. Did you connect??
PC
Task 11
On SW2, type the Show authentication session command to verify the
authentication. You can also use the Show authentication session interface
F X/X to get more detailed information about the authentication.
SW2
Task 12
Ping 192.168.100.1. Are you successful?
PC
Task 13
Open a browser. Type Http://r1.demo.in. In should redirect you to a page and
ask you to authenticate. Login using LWA1 as the username and Cisco123 as
the password. Are you successful?
PC
Task 14
Ping 192.168.100.1. Are you successful?
PC
Lab Scenario:
Configure Central Web Authentication using Admin-created Accounts
Initial Setup:
Lab Task:
Task 1
Configure the Interface authentication order and priority back to include only
mab and dot1x authentication mechanisms. Also, remove the fallback profile
from the interface.
SW2
Interface F 4/0/22
Authentication order mab dot1x
Authentication priority mab dot1x
No Authenticatoin fallback FB-LWA
Solution on AVI File
Task 2
Configure the Wired MAB authentication policy to continue if the user was not
found.
ISE
Name : CWA-PRE-AUTH
o permit udp any any eq 67
o permit udp any any eq 68
o permit udp any any eq 53
o permit ip any host 192.168.100.35
Name : CWA-POST-AUTH-ADMIN
o deny tcp any any eq 23
o permit ip any any
Name : CWA-POST-AUTH-SELF
o deny tcp any any eq 23
o deny icmp any any
o permit ip any any
ISE
Task 4
Configure a Authorization Profile for based on the following:
Name : CWA-PRE-AUTH
o DACL : PRE_AUTH
o VLAN : 100
o Web Authentication: Centralized
o ACL : REDIR
o Redirection : Default
Name : CWA-POST-AUTH-ADMIN
o DACL : CWA-POST-AUTH-ADMIN
o VLAN : 20
Name : CWA-POST-AUTH-SELF
o DACL : CWA-POST-AUTH-SELF
o VLAN : 30
ISE
Task 5
Configure the Redirection ACL called REDIR on the Switch based on the
following entries:
Redirection REDIR
o deny udp any any eq 67
o deny udp any any eq 68
o deny udp any any eq 53
o deny ip any host 192.168.100.35
o permit ip any any
SW
Task 6
Configure the Authorization Policy for CWA-PRE-AUTH based on the following:
Name : CWA-PRE-AUTH
o Authentication Type : Wired_MAB
o Auth. Profile : CWA-PRE-AUTH
ISE
Task 7
Configure a End User Groups called CWA-ADMIN, CWA-USER-ADMIN & CWA-
USER-SELF. Configure the following User Identity and assign them to the CWA
Group. This user will be used to manage the guest accounts.
ISE
Solution on AVI File
Task 8
Configure the following Authorization Policies for Guest Users:
Name : CWA-ADMIN-Created
o Group : CWA-USER-ADMIN
o Auth. Profile : CWA-POST-AUTH-ADMIN
Name : CWA-SELF-Created
o Group : CWA-USER-SELF
o Auth. Profile : CWA-POST-AUTH-SELF
ISE
General
o Name : MY_CUSTOM
Operations
o Acceptable Use Policy : First Login
o Self-Provisioning Flow : Enable
o VLAN DHCP Release : Enable
ISE
Task 10
Configure the Guest Default Policy to allow the following fields:
ISE
Task 11
Configure the Username and Password Policies based on the following:
ISE
Task 12
Configure a new Sponsor Group setting Configuration under Administration ->
Web Portal Management -> Sponsor Groups based on the following:
General
o Name : CWA_ADMINS
Guest Roles
o CWA-USER-ADMIN
o Guest
Time Profiles
o DefaultFirstLogin
ISE
Task 13
Configure a new Sponsor Group Policy setting Configuration under
Administration -> Web Portal Management -> Sponsor Group Policy based on
the following:
Name : MYSPONSORPOLICY
o Group : CWA-ADMINS
o Sponsor Groups : CWA_ADMINS
ISE
Task 14
Configure the following users from the sponsor portal. Login into
https://192.168.100.35:8443/sponsorportal as CWA1 with a password of
Cisco123. Create the following User and save the passwords.
Username : Plaban
o E-mail : plaban@hotmail.com
o Group : CWA-USER-ADMIN
o Time-Profile : DefaultFirstLogin
Username : Talmeez
o E-mail : talmeez@gmail.com
o Group : CWA-USER-ADMIN
o Time-Profile : DefaultFirstLogin
ISE
Task 15
Change the CWA-PRE-AUTH authorization profile redirect option to the
MY_CUSTOM Portal that created in this lab.
ISE
PC
Task 17
Let's change to allow Self Service Accounts for our Custom Portal. Configure
the MY_CUSTOM policy under Administration -> Web Portal Management ->
Settings -> Guest based on the following:
General
o Name : MY_CUSTOM
Operations
o Guests should be allowed to do Self Service: Enable
ISE
ISE
Task 19
Bounce the LAN Adapter. (Disable and Enable). Browse to http://r1.demo.in. It
should redirect to the CWA Login Page. Click on the New Self Service Link to
create your own account based on the following:
PC
Task 20
Login using the credentials created in the previous step. What VLAN does it out
you into?
PC