Post on 17-May-2018
SISE21
Implementing and Configuring
Cisco Identity Services Engine
(SISE) v2.1
Remote Lab Administration Guide
2 Implementing andConfiguring Cisco Identity Service Engine (SISE) v2.1
Contents
1. Overview
2. Course Version
3. Students per Pod
4. Remote Lab Description
5. Remote Lab Topology
6. Lab Exercise Tips
6.1. General Guidelines
6.2. Controlling iPad Via iPad Viewer
6.3. IP Addressing and Access Details
Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage.
Lab 2: Integrate Cisco ISE with Active Directory
Lab 3: Configure Basic Policy on Cisco ISE
Lab 4: Configure Conversion to Policy Sets
Lab 5: Configure Access Policy for Easy Connect
Lab 6: Configure Guest Access
Lab 7: Configure Guest Access Operations
Lab 8: Create Guest Reports
Lab 9: Configuring Profiling
Lab 10: Customize the Cisco ISE Profiling Configuration
Lab 11: Run Cisco ISE Profiler Feed Reports
Lab 12: Configure BYOD
Lab 13: Blacklisting a Device
Lab 14: Configure Compliance Services on Cisco ISE
Lab 15: Configure Client Provisioning
Lab 16: Configure Posture Policies
Lab 17: Test and Monitor Compliance Based Access
Lab 18: Test Compliance Policy
Lab 19: Configure Cisco ISE for VPN Access
Lab 20: Configure Threat-Centric NAC using Cisco AMP
Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration
Lab 22: Configure Cisco ISE for Basic Device Administration
Lab 23: Configure TACACS+ Command Authorization
7. Remote Lab Support
Copyright © 2016-2017, Global Knowledge Remote Lab Administration Guide 3
1. Overview
The purpose of the Remote Lab Administration Guide is to assist in the setup and configuration of the classroom for connecting to the Remote Lab for Implementing and Configuring Cisco Identity Service Engine (SISE) v2.1. This guide is not a substitute for the Cisco Course Administration Guide (CAG). It is imperative that the instructor goes through the entire guide to become familiar with the remote lab setup. This guide does not include any access details. All access details will be included in the Remote Lab Administrator’s email.
2. Course Version
This is the original release of the course named Implementing and Configuring Cisco Identity Services Engine (SISE) v2.1.
3. Students per Pod
Each Pod can accommodate 2 students.
4. Remote Lab Description
The remote lab is accessed via RDP at the following location:
rlabs.globalknowledge.ae:443
Log in using the credentials provided in the access details email from the Remote Lab Support Team. Please refer to the attached GK MEA Remote Lab Access Procedure for connecting to the remote lab. Upon successful authentication, a new window opens showing the lab topology for this lab. You can access the console of any device in the lab by left-clicking the device that you would like to access. Once a device is clicked, a new tab is added to the lab interface, giving access to the selected device.
Access to the console connections is exclusive. If you are unable to access the console of a particular device, you can clear the console lines to that device by selecting the Clear line of the device option, obtained by right-clicking the tab name or the device in the topology. The general administrative tasks listed below can be carried out by right-clicking the respective device in the topology or its tab name.
For Devices
Close console connection to the device
Change font of the terminal
Clear line of the device
Send Ctrl Break
Power Management
For Server/Client PCs
Send Ctrl Alt Del to Server/PC
Close console connection to Server/PC
Power Management
A helpful tips section is also provided towards the bottom right corner of the topology. It lists the known issues and workarounds that the remote lab developer has come across during the preparation of this lab.
5. Remote Lab Topology
The network topology diagram for the Implementing and Configuring Cisco Identity Service Engine (SISE) v2.1 remote lab is shown below.
Each Pod is provided with the following equipment:
Equipment            | Quantity
Cisco ISE v2.1 VM    | 1
AD Server 1          | 1
W7PC-Corp            | 1
W7PC-Guest           | 1
W7PC-CoA             | 1
vWLC                 | 1
WSA                  | 1
ASAv-941             | 1
iPad mini            | 1
3702I LWAP           | 1
Catalyst 3850 Switch | 1
6. Lab Exercise Tips
The lab setup is exactly the same as the standard Cisco SISE v2.1 course.
6.1. General Guidelines
The switch port connectivity for the PCs is different from that mentioned in the Cisco Lab Guide. Please refer to the switch-port details provided in the Lab Topology tab of the Remote Lab Interface.
The SMS service might not work, since the service provider may block such communication.
Device management (powering on, powering off, or power reset) for the VMs/devices can be done by right-clicking the respective tab for the device.
iPad access is provided through VNC. The iPad can be accessed from the Admin-PC by clicking the "iPad Viewer" icon.
6.2. Controlling iPad Via iPad Viewer
Below are some tips for controlling the iPad UI via iPad Viewer that will be useful for the lab:
Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with a trackpad) Touch the trackpad with two fingers, if Secondary Click is configured.
Mouse: Mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll. (On Mac with a trackpad) Use three-finger scrolling.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
The tab key is not available on the iPad’s virtual keyboard, so you will have to move the pointer to the text field where you want to input text and click on it.
When interacting with the iPad VNC session, a US keyboard is preferred. If you have a mouse attached to your computer, you will also find it easier to navigate the iPad session.
6.3. IP Addressing and Access Details
IP Addressing
This table lists the internal IP addresses that are used in the labs.
Device           | Hostname       | IP Address
ISE-1            | ise-1          | 10.1.100.21
AD Server-1      | AD             | 10.1.100.10
AdminPC          | Admin-PC       | 10.1.100.6
W7PC-Corp        | w7pc-corp      | DHCP
W7PC-Guest       | w7pc-Guest     | DHCP
W7PC-CoA         | w7pc-coa       | 10.1.60.100
WSA              | wsa.demo.local | 10.1.100.30
vWLC             | ##-vWLC        | 10.1.100.61
ASAv             | ciscoasa       | 10.1.100.4
3k-Access Switch | 3k-Access      | 10.1.100.1
Accounts and Passwords
The table below lists the accounts and passwords that are used in the labs.
Device           | Username      | Password
ISEBootSrap      | admin         | ISEisC00L
AD Demo          | administrator | ISEisC00L
AdminPC          | admin         | ISEisC00L
W7PC-Corp        | admin         | ISEisC00L
W7PC-Guest       | admin         | ISEisC00L
W7PC-CoA         | admin         | ISEisC00L
WSA              | admin         | ISEisC00L
vWLC             | admin         | ISEisC00L
ASAv             | admin         | ISEisC00L
3k-Access Switch | admin         | ISEisC00L
Active Directory Accounts (ad.demo.local)
Group                  | Users                   | Password
demo.local\employees   | employee1,employee2     | ISEisC00L
demo.local\contractors | contractor1,contractor2 | ISEisC00L
Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage.
No change
Lab 2: Integrate Cisco ISE with Active Directory
No change
Lab 3: Configure Basic Policy on Cisco ISE
No change
Lab 4: Configure Conversion to Policy Sets
No change
Lab 5: Configure Access Policy for Easy Connect
No change
Lab 6: Configure Guest Access
No change
Lab 7: Configure Guest Access Operations
Task 2 Step 44: To clear all existing browser cache, delegates need to clear the Safari cache on the iPad. To do so, delegates may follow these steps on the iPad: Settings >> Safari >> Clear History and Website Data
Task 4 Step 1: If the delegates are doing the optional lab, they need to delete the existing account “sholmes” from the sponsor portal, as it is already authenticated. For managing the accounts, delegates may follow these steps: Work Centre >> Guest Access >> Manage Accounts.
Lab 8: Create Guest Reports
No change
Lab 9: Configuring Profiling
No change
Lab 10: Customize the Cisco ISE Profiling Configuration
No change
Lab 11: Run Cisco ISE Profiler Feed Reports
No change
Lab 12: Configure BYOD
Task 4 Step 2: To remove any existing traces of the iPad from the previous labs, please ensure that all the wireless clients are removed from the WLC. For managing the wireless clients, delegates may follow these steps: Monitor >> Clients
Lab 13: Blacklisting a Device
Task 6 Step 8: For the stolen status to be reflected in the Live Logs, the delegates might have to reconnect the iPad to ##wpa2e. This will produce the logs shown in the attached screenshot.
Lab 14: Configure Compliance Services on Cisco ISE
No change
Lab 15: Configure Client Provisioning
Task 2 Step 8: For downloading the xml files, delegates may right-click the link mentioned in the lab guide and select the option ‘Save Link As’.
Task 3 Step 3: In the screenshot, the AC Employee Win All policy is wrongly shown as enabled. It should be in the disabled state.
Lab 16: Configure Posture Policies
No changes
Lab 17: Test and Monitor Compliance Based Access
No changes
Lab 18: Test Compliance Policy
No changes
Lab 19: Configure Cisco ISE for VPN Access
Task 2 Step 3: Delegates need to select the check box for enabling Cisco AnyConnect VPN Client access on the interfaces. While doing this, delegates will be asked to select the AnyConnect image file. Delegates may use ‘Browse Flash’ and select the anyconnect-win-4.3.01095-k9.pkg file.
Task 2 Step 23: During the installation process, a prompt to trust the server connection might appear. Delegates may go ahead and select the checkbox to trust the certificate and continue.
The procedure may also prompt for changing the settings for the connection. Delegates may click the option ‘change settings’.
Lab 20: Configure Threat-Centric NAC using Cisco AMP
Task 1 Step 1: To carry out the AMP lab exercises, each delegate needs to have an individual AMP Cloud account. For the AMP Cloud account, delegates may contact the instructor.
For the AMP lab, the Cisco Learning Partners will need to request in advance an AMP Cloud account for each student and instructor.
Please take the following steps:
Request the accounts at least 3 business days prior to the class start.
Send an email request to amp-learning-accounts@cisco.com indicating the number of accounts required, the names of the delegates, their email IDs, and the start and end dates of the class during which the accounts will be used. The Cisco AMP team will send the AMP account credentials directly to each delegate’s email account, and the delegates will have to use them for carrying out the lab exercises.
This account will be active for 6 months, and delegates can use it for further practice sessions.
Task 3 Step 5: For the Windows Installer URL, delegates need to use the following URL: ad.demo.local/Audit_FireAMPSetup.exe
Task 3 Step 10: Delegates need to use ACL_WEBAUTH_REDIRECT instead of ACL_INTERNET_ONLY. It is correctly shown in the screenshot included for reference in the lab guide.
Task 5 Step 1: Delegates need to use the following credentials, as they are wrongly mentioned in the lab guide: ‘W7pc-corp\admin’ and ‘ISEisC00L’
Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration
Task 1 Step 2: The lab guide wrongly mentions using the root certificate named aaa.demo.local. Delegates need to use the ise-1 root certificate in this task.
Task 1 Step 10: The login credentials for CertSrv are wrongly mentioned in the lab guide. Delegates may use Administrator/ISEisC00L
Task 3 Step 4: Since the policy set is enabled, the delegates need to navigate to Policy >> Policy Sets, select ‘Default’ in the left pane, and then scroll down to Authorization in the right pane.
Task 6 Step 4: Delegates may access the console of w7pc-corp from the pod topology by clicking the VM icon.
Lab 22: Configure Cisco ISE for Basic Device Administration
Task 1 Step 2: The ISE may take a while to reflect the new TACACS feature in its GUI after enabling it.
Task 1 Step 23: The delegates may use the commands in the file named “SISE21 TACAC Switch Configs” placed on the Admin PC desktop.
Lab 23: Configure TACACS+ Command Authorization
No changes
7. Remote Lab Support
Please note that our primary form of support is through email. Our email ID is remotelabsupport@globalknowledge.ae
For interactive communication with the instructors, we are also available on Skype; our Skype name is gkrlsmea. In case you cannot find us on Skype, please send an email to remotelabsupport@globalknowledge.ae and we will log in to Skype at the earliest for you.