SISAS10 - Default Gateway · 2019. 11. 18. · 6 Implementing Cisco Security Access Solutions...

SISAS10 Implementing Cisco Security Access Solutions (SISAS) v1.0 Remote Lab Administration Guide



Contents

1. Overview
2. Course Version
3. Students per Pod
4. Remote Lab Description
5. Remote Lab Topology
6. Lab Exercise Tips
6.1. General Guidelines
6.2. IP Addressing and Access Details
6.3. Lab 1-1: Bootstrap Identity System
6.4. Lab 2-1: Enroll Cisco ISE in PKI
6.5. Lab 2-2: Implement MAB and Internal Authentication
6.6. Lab 2-3: Implement External Authentications
6.7. Lab 3-1: Implement EAP-TLS
6.8. Lab 3-2: Implement Authorization
6.9. Lab 3-3: Implement Cisco TrustSec and MACsec
6.10. Lab 4-1: Implement WebAuth for Employees
6.11. Lab 4-2: Implement Guest Service
6.12. Lab 5-1: Implement Posture Service
6.13. Lab 5-2: Implement Profiler Service
6.14. Lab 6-1: (Optional) Troubleshooting Prep
6.15. Lab 6-2: (Optional) Troubleshoot Network Access Controls
7. Remote Lab Support


Copyright © 2014-2015, Global Knowledge Remote Lab Administration Guide 3

1. Overview

The purpose of the Remote Lab Administration Guide is to assist in the setup and configuration of the classroom for connecting to the remote lab for Implementing Cisco Security Access Solutions (SISAS) v1.0. This guide is not a substitute for the Cisco Course Administration Guide (CAG) and should be used in conjunction with it. It is imperative that the instructor goes through the entire guide to become familiar with the remote lab setup. This guide does not include any access details; all access details are included in the Remote Lab Administrator's email.

2. Course Version

This course is the original release of SISAS v1.0.

3. Students per Pod

Each Pod can accommodate 2 students.

4. Remote Lab Description

The remote lab is accessed via RDP at the following location:

rlabs.globalknowledge.ae:443

Log in using the credentials provided in the access details email from the Remote Lab Support Team. Please refer to the attached GK MEA Remote Lab Access Procedure for connecting to the remote lab. Upon successful authentication, a new window opens with the lab topology for this lab. You can access the console of any device in the lab by left-clicking the device that you would like to access. Access to a console connection is exclusive: if you are unable to access the console of a particular device, you can clear the console line to that device by selecting the "Clear line" option, obtained by right-clicking the device in the topology or its tab name.


The general administrative tasks listed below can be carried out by right-clicking the respective device in the topology or its tab name.

For devices:

Close console connection to the device
Change font of the terminal
Clear line of the device
Send Ctrl Break
Power Management

For server/client PCs:

Send Ctrl Alt Del to Server/PC
Close console connection to Server/PC
Power Management

A helpful tips section is also provided towards the bottom right corner of the topology; it lists the known issues and workarounds that the remote lab developer came across during the preparation of this lab.


5. Remote Lab Topology

The network topology of the Implementing Cisco Security Access Solutions (SISAS) v1.0 remote lab follows the Cisco topology given in the lab guide.

Each Pod is provided with the following equipment:

Cisco ISE VM - 1 No.
HQ-ASA (ASA 5510) - 1 No.
HQ-Switch (3560X-PoE) - 1 No.
HQ Server - 1 No.
DMZ Server - 1 No.
SP Server - 1 No.
Admin PC - 1 No.
Employee PC - 1 No.
Guest PC - 1 No.
Iomega Iconnect Data Station - 1 No.


6. Lab Exercise Tips

This section provides additional tips and workarounds for certain tasks in the Cisco lab guide. Please refer to these tips before contacting the remote lab support team.

6.1. General Guidelines

Each Pod is provided with the following equipment:

Cisco ISE VM - 1 No.
HQ-ASA (ASA 5510) - 1 No.
HQ-Switch (3560X-PoE) - 1 No.
HQ Server - 1 No.
DMZ Server - 1 No.
SP Server - 1 No.
Admin PC - 1 No.
Employee PC - 1 No.
Guest PC - 1 No.
Iomega Iconnect Data Station - 1 No.

Note: An Iomega Iconnect Data Station is used instead of the Linksys Print Server used in Cisco's official lab guide.

6.2. IP Addressing and Access Details

IP Addressing

This table lists the internal IP addresses that are used in the labs.

Device | Name or Hostname | IP Address
HQ-ISE | ise.secure-x.local | 10.10.2.20
HQ-Server (Microsoft Active Directory server: CA, DNS, and DHCP) | hq-srv.secure-x.local | 10.10.3.20
DMZ Server | DMZ Server | 172.16.1.50
Admin PC | Admin-PC | 10.10.2.40
NTP Server | hq-srv.secure-x.local | 10.10.3.20


Accounts and Passwords

The table below lists the accounts and passwords that are used in the labs.

Access To | Account (Username / Password)
HQ-ASA | admin / Ci5coAdmin
HQ-ISE | admin / Ci5coAdmin
HQ-Server (Active Directory server: CA, DHCP, and DNS) | secure-x.local\administrator / Ci5coAdmin
DMZ Server | administrator / Ci5coAdmin
Admin PC | student / Ci5coAdmin
Employee PC | student / Ci5coAdmin
Guest PC | student / Ci5coAdmin

6.3. Lab 1-1: Bootstrap Identity System

Task 5: Activity verification Step 3: If the IP address shows as Unknown, on the Employee PC click the network icon in the system tray, select Open Network and Sharing Center, click Change adapter settings, then right-click the NIC and disable and re-enable it.

6.4. Lab 2-1: Enroll Cisco ISE in PKI

No change.

6.5. Lab 2-2: Implement MAB and Internal Authentication

Task 1: As mentioned earlier, the device connected to port Fa0/19 is from the vendor "Iomega Corporation"; MAC addresses of this vendor start with the OUI 00:d0:b8. An Iomega wireless data station is used instead of the Linksys print server.

Task 1: Step 8 B): Create an endpoint identity group named "IomegaDatastation" with no parent group.

Task 3: Activity verification Step 2: During the testing phase it was noticed that at certain instances the user authentication using EAP-FAST with inner MS-CHAPv2 fails even after configuring the supplicant to trust the HQ-SRV-CA certificate; a communication issue between ISE and the supplicant on the client PC prevents the certificate verification from completing. As a workaround, stop and restart the ISE services: SSH to the ISE CLI (10.10.2.20) from the Admin PC using the credentials admin/Ci5coAdmin and run the following commands.

application stop ise

Once all the services are stopped, restart the services using

application start ise

Retry the authentication after all services are up.

6.6. Lab 2-3: Implement External Authentications

Task 3: Activity verification Step 1: B) Since the username is cached in the AnyConnect supplicant, authentication will successful without popping up authentication window. In order for the AnyConnect authentication window to popup, carry out the following

Launch Network Access manager profile editor- go to Network Access manager > Networks. In the menu select Wired and click edit. Select the second certificate tab ( one on the below user Auth Tab) . In the Certificate trusted authority section , select Include Root Certificate Authority ( CA) certificates , click add and browse CA-root- Base64.cer file on D :\drive . You will have to specify files of All type .After selecting CA-root-Base64.cer skip to the end of wizard by click the credentials tab . Under user credentials select Prompt for credentials option and click done. then use File Save as to save the profile. Save the profile as configuration.xml. You must use this naming convention without changing the path to which the file is saved. After saving the profile, try network repair again it will pop up user auth window.

Task 5: Activity Procedure Step 1: If Anyconnect user authentication window pops up then carry out the same step mentioned above till click on credentials tab and in the credentials tab under user credentials select Single Sign on Credentials and click done and save the profile . Then try logging-in with sales1 account in Employee PC.

6.7. Lab 3-1: Implement EAP-TLS

No change.


6.8. Lab 3-2: Implement Authorization

Task 4: Step 6: Activity verification step 2: If the dACL is not applied to gig0/1, ensure that the command "radius-server vsa send" is present on the switch; if it is not, add it. The dACL name is delivered in a Cisco vendor-specific attribute, and without this command the switch does not recognize or use VSAs. You can verify the result with show authentication sessions interface gig0/1, which lists the ACL applied to the session.

Task 8: Step 5 A): Create the rule with the name IomegaDatastation.

6.9. Lab 3-3: Implement Cisco Trustsec and MACsec

Task 2: Step 1: The auth-port and acct-port values given in the lab guide are wrong for this lab. Use the following configuration instead of the one in the lab guide. ISE listens for RADIUS on both the legacy UDP ports 1645/1646 and the standard 1812/1813; whichever pair is used, the switch and ISE must agree, and the PAC key must match the shared secret configured for the switch in ISE.

radius server ISE-PAC
 address ipv4 10.10.2.20 auth-port 1645 acct-port 1646
 pac key radius-key

Task 2: Activity verification step 1: E) If the environment data is empty, run clear cts credentials, then cts credentials id HQ-SW password radius-key, then cts refresh environment-data, and check again with show cts environment-data.

Task 6: Activity Procedure step 6: The IP address of ftp.secure-x.public is wrongly given as 172.15.1.50; the correct address is 172.16.1.50.

Task 6: Activity Procedure step 7: C) The lab guide erroneously says to select Action Permit. Select Action Deny in this step to block FTP traffic to the ftp.secure-x.public server.

6.10. Lab 4-1: Implement WebAuth for Employees

Task 2: To obtain exactly the result shown in the lab guide for the MAB authentication in Lab 2-2 Task 1, the Advanced options of the authentication policy for Internal Endpoints were set to Reject for both 'If user not found' and 'If authentication failed'. Before starting Task 2, change both options to 'Continue': with Reject, an unknown MAC address (such as the Guest PC) receives an Access-Reject and never reaches the WEBAUTH authorization rule, so no redirect is pushed. To change the option go to Policy > Authentication, edit the MAB rule, click the + symbol on the right-hand side of Internal Endpoints, select 'Continue' from the drop-down menu under Options for both 'If Authentication Failed' and 'If user not found', click Done, then Save.

Task 3: Activity verification step 1: During the testing phase it was noticed that the traffic redirection policy was not pushed to the switch port even after the WEBAUTH authorization policy was enforced in ISE. To resolve this, as a workaround, stop and restart the ISE services with the following commands from the ISE CLI.

application stop ise

Once all the services are stopped, restart the services using

application start ise

Toggle interface gig0/2 (shutdown, then no shutdown) once all ISE services are up.
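Both ISE restart workarounds above (6.5 Task 3 and 6.10 Task 3) end with "retry once all services are up". The following Python script is an added example, not part of the Global Knowledge guide or of Cisco ISE: it parses the output of the ISE CLI command show application status ise and reports which services are not yet running, so that the retry is not attempted while the Application Server (which terminates RADIUS and EAP) is still initializing. The sample output is constructed to resemble the ISE 1.x table of service name, state and process ID in whitespace-separated columns; the exact service list and column widths on a real node may differ. The "disabled" state, which ISE shows for services switched off by configuration, is deliberately not treated as a startup failure.

```python
"""Decide from `show application status ise` whether ISE is ready again.

Added example: the sample output is constructed to look like the ISE 1.x
CLI table; the real service list and column widths vary by version.
"""
import re

# Constructed capture taken "mid-restart": the Application Server is still
# initializing and the AD Connector has not started, so an authentication
# retry at this moment would fail again.
SAMPLE_MID_RESTART = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          5532
Database Server                        running          61 PROCESSES
Application Server                     initializing     10047
Profiler Database                      running          8286
AD Connector                           not running
M&T Session Database                   running          8163
M&T Log Collector                      running          10324
M&T Log Processor                      running          10269
Certificate Authority Service          disabled
"""

# The same node a minute later: every enabled service reports running.
SAMPLE_UP = (SAMPLE_MID_RESTART
             .replace("initializing", "running")
             .replace("not running", "running"))

# States that do not block a retry: "disabled" is a configuration choice,
# not a service that is still coming up.
OK_STATES = {"running", "disabled"}


def parse_application_status(text):
    """Return {service_name: state} from the CLI table.

    Columns are separated by runs of two or more spaces, which keeps names
    and states that contain single spaces intact ("M&T Session Database",
    "not running"). Header and separator lines are skipped.
    """
    services = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("ISE PROCESS NAME") or set(line) <= {"-"}:
            continue
        cols = re.split(r"\s{2,}", line)
        if len(cols) < 2:
            continue  # unexpected layout: skip rather than guess a state
        services[cols[0]] = cols[1].lower()
    return services


def services_not_running(text):
    """Sorted names of services that are neither running nor disabled."""
    return sorted(name for name, state in parse_application_status(text).items()
                  if state not in OK_STATES)


def ready_to_retry(text):
    """True once every enabled service reports running."""
    return not services_not_running(text)


if __name__ == "__main__":
    for label, output in (("mid-restart", SAMPLE_MID_RESTART), ("after start", SAMPLE_UP)):
        pending = services_not_running(output)
        print(label + ":", "ready" if not pending else "wait for " + ", ".join(pending))
```

In practice the output would come from an SSH session to the ISE CLI rather than from the embedded sample; polling show application status ise every few seconds until ready_to_retry() is true avoids retrying the EAP-FAST or WebAuth test too early and misreading a still-starting node as a policy problem.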

Task 3: Activity verification step 4: Open Internet Explorer and connect to the HQ Server (http://hq-srv.secure-x.local).

Task 4: Activity verification step 1: Open Internet Explorer and connect to the HQ Server (http://hq-srv.secure-x.local).

6.11. Lab 4-2: Implement Guest Service

No Change

6.12. Lab 5-1: Implement Posture Service

Task 2: Activity Procedure Step 1: The resource files required for client provisioning are also provided in the C:\repository directory of the Admin PC. So while carrying out Step 1 C, you can select Agent Resources from Local Disk and upload the required files one by one (instead of From Cisco Web site):

nacagent-4.9.0.1013-isebundle
webagent-4.9.0.1007-isebundle

Task 6: Activity Verification Step 7: During testing of the lab it was noticed that the WebAuth redirect dACL was not in place even after toggling interface gig0/2, and the default deny authorization policy was applied directly instead. The Guest PC's MAC address is by then already present as an endpoint in ISE, so the MAB request no longer matches the rule that produces the redirect. To get the WebAuth redirect dACL onto gig0/2, remove the MAC address of the Guest PC from the identity store and toggle the switch port. To remove the MAC address go to Administration > Identity Management > Identities > Endpoints, select the Windows7-Workstation endpoint with the MAC address of the Guest PC, click Delete and then Delete Selected.

6.13. Lab 5-2: Implement Profiler Service

Task 2: Activity Procedure: step 4: A) As mentioned earlier, the device connected to port Fa0/19 is from the vendor "Iomega Corporation"; MAC addresses of this vendor start with the OUI 00:d0:b8. An Iomega wireless data station is used instead of the Linksys print server.

Task 2: Activity Procedure: step 4: C) Using the quick filter, display the entries that start with Iomega.

Task 2: Activity Procedure: step 4: D) Examine the IomegaOUI check condition.

Task 3: Activity Procedure: step 2: B) Name: IomegaDatastation-above-min-IP

Task 3: Activity Procedure: step 3: B) Name: IomegaDatastation-network-prefix

Task 3: Activity Procedure: step 4: B) Select IomegaDatastation
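The tips for Lab 2-2 Task 1, Lab 4-1 Task 2, Lab 5-1 Task 6 and Lab 5-2 above all turn on how ISE treats the MAC address presented in a MAB request: whether it matches the Iomega OUI 00:d0:b8, whether it already exists as an endpoint, and what the MAB authentication policy does when it does not. The following Python model is an added example, not code from the Global Knowledge guide or from Cisco ISE. It normalizes MAC addresses written in the switch's dotted format (00d0.b812.3456) or ISE's colon format, profiles by OUI, and walks a MAB request through the authentication option ('Reject' versus 'Continue' on user not found) and a three-rule authorization policy, reproducing the Guest PC behaviour described in 6.10 and 6.12. The endpoint group names other than IomegaDatastation, the rule results and the sample MAC addresses are constructed for the example; the real ISE policy engine is considerably richer than this.

```python
"""Toy model of the ISE MAB flow used in the SISAS labs (added example).

Assumptions not taken from the guide: the Windows7-Workstation group, the
authorization rule results and the sample MAC addresses are constructed.
"""
import re

IOMEGA_OUI = "00:d0:b8"            # vendor OUI given in the guide
IOMEGA_GROUP = "IomegaDatastation"  # endpoint identity group from Lab 2-2


def normalize_mac(mac):
    """Accept 00d0.b812.3456 (IOS), 00-D0-B8-12-34-56 or 00:d0:b8:12:34:56
    and return the lower-case colon form that ISE displays."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def profile_by_oui(mac):
    """Minimal profiler: the IomegaOUI condition from Lab 5-2."""
    return IOMEGA_GROUP if normalize_mac(mac).startswith(IOMEGA_OUI) else "Unknown"


class IseMab:
    """Internal endpoint store plus MAB authentication and authorization."""

    def __init__(self, if_user_not_found="Reject"):
        self.endpoints = {}                  # normalized MAC -> identity group
        self.if_user_not_found = if_user_not_found

    def add_endpoint(self, mac, group=None):
        """Register an endpoint; without an explicit group, profile by OUI."""
        self.endpoints[normalize_mac(mac)] = group or profile_by_oui(mac)

    def delete_endpoint(self, mac):
        """The Lab 5-1 Task 6 workaround: forget the Guest PC so the next MAB
        request is 'user not found' again and reaches the WEBAUTH rule."""
        self.endpoints.pop(normalize_mac(mac), None)

    def authenticate(self, mac):
        """Return (outcome, identity_group). 'Reject' on user not found sends
        an Access-Reject; 'Continue' hands the request to authorization as an
        Unknown endpoint, which central web authentication relies on."""
        mac = normalize_mac(mac)
        if mac in self.endpoints:
            return "Passed", self.endpoints[mac]
        if self.if_user_not_found == "Continue":
            return "Continue", "Unknown"
        return "Rejected", None

    @staticmethod
    def authorize(group):
        """Rules are evaluated top-down, first match wins, default is deny."""
        rules = [
            (IOMEGA_GROUP, "PermitAccess"),
            ("Unknown", "WEBAUTH: redirect ACL + dACL"),
        ]
        for match_group, result in rules:
            if group == match_group:
                return result
        return "DenyAccess"

    def mab_request(self, mac):
        """Return (RADIUS code, reason) for a MAB request from `mac`."""
        outcome, group = self.authenticate(mac)
        if outcome == "Rejected":
            return ("Access-Reject", "MAB: user not found")
        result = self.authorize(group)
        if result == "DenyAccess":
            return ("Access-Reject", "authorization: DenyAccess")
        return ("Access-Accept", result)


if __name__ == "__main__":
    ise = IseMab()                                   # Lab 2-2 setting: Reject
    ise.add_endpoint("00d0.b812.3456")               # Iomega station on Fa0/19
    guest = "0800.2712.3456"                         # constructed Guest PC MAC
    print("Iomega  :", ise.mab_request("00:d0:b8:12:34:56"))
    print("Guest   :", ise.mab_request(guest))       # rejected, no redirect
    ise.if_user_not_found = "Continue"               # Lab 4-1 Task 2 change
    print("Guest   :", ise.mab_request(guest))       # WEBAUTH redirect
    ise.add_endpoint(guest, "Windows7-Workstation")  # endpoint now known
    print("Guest   :", ise.mab_request(guest))       # default deny (6.12)
    ise.delete_endpoint(guest)                       # 6.12 workaround
    print("Guest   :", ise.mab_request(guest))       # redirect again
```

The last three steps are the Lab 5-1 symptom and its fix in miniature: once the Guest PC exists as a Windows7-Workstation endpoint it no longer matches the Unknown condition of the WEBAUTH rule and falls through to the default deny, and deleting the endpoint restores the redirect. The same model also shows why the Lab 4-1 change to 'Continue' matters: with 'Reject', an unknown MAC never gets as far as authorization, so no rule, and no redirect, can apply.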

6.14. Lab 6-1: (Optional) Troubleshooting Prep

Task 1: Restore Procedure Step 4: B) After the ISE configuration restore completes, you will see the message "Please rejoin AD domain from the Administrative GUI". Do not rejoin ISE to AD at this point: the trouble ticket requires ISE to be in the disjoined AD state, and this is rectified in a later section of the trouble ticket.

6.15. Lab 6-2: (Optional) Troubleshoot Network Access Controls

Task 2: Activity Procedure Step 3: A) During the testing phase an issue was noticed with Internet Explorer while using the Evaluate Configuration Validator of ISE: clicking the "User Input Required, Click here" box opens a blank white popup window without any user input field. As an alternative, Mozilla Firefox is also provided on the Admin PC, and it is recommended to use Firefox to carry out this lab task.


7. Remote Lab Support

Please note that our primary form of support is through email. Our email address is [email protected]

For interactive communication with instructors, we are also available on Skype; our Skype name is gkrlsmea. In case you cannot find us on Skype, please send an email to [email protected] and we will log in to Skype at the earliest for you.