ISE_1.2_BYOD_Lab_Guide_2014-04-18 4/20/2014 9:59:00 PM Page 1 of 56

Cisco ISE 1.2 BYOD Lab Guide

Developers and Lab Proctors
This lab was created by SAMPG TME teams.

Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine (ISE) in a Bring Your Own Device (BYOD) environment. It covers the configuration of Cisco ISE 1.2 to address the common requirements for BYOD and integration with third-party MDM servers. Students are introduced to the ISE My Devices Portal, which enables employees to self-manage their devices. Students will work through the ISE dual-SSID onboarding configuration and an optional single-SSID configuration to provision an Apple iPad, and will learn how to manage their own devices in the My Devices Portal by testing the blacklist and corporate wipe features. The BYOD feature of ISE 1.2 requires an Advanced License.

Lab participants should be able to complete the lab within the allotted time of 3 hours.

Lab Exercises
This lab guide includes the following exercises:

Lab Exercise 1: Configure My Devices Portal on ISE
Lab Exercise 2: Configure ISE for Single SSID Wireless BYOD configuration
Lab Exercise 3: Test and Verify the onboarding of a non-corporate Apple iPad
Lab Exercise 4: Test and Verify the Device Blacklisting function of My Devices Portal
Lab Exercise 5: Configure ISE for 3rd Party MDM integration
Lab Exercise 6: MDM policy configuration on 3rd Party MDM Server
Lab Exercise 7: Test and Verify 3rd party MDM integration onboarding of a non-corporate Apple iPad
Lab Exercise 8: Test and Verify the Corporate Wipe function on My Devices Portal

Optional Exercise A : Configure ISE for Wired MAB-to-PEAP Onboarding

Optional Exercise B : Test and Verify Wired MAB-to-PEAP Onboarding

Product Overview: ISE
Cisco Secure Access and TrustSec™ is the Borderless Network access control solution, providing visibility into and control over devices and users on the network.

Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time information from the network, users, and devices. ISE then uses this information to make proactive governance decisions by enforcing policy across the network infrastructure using built-in, standards-based controls.

Lab Topology

Lab IP and VLANs

Internal IP Addresses

Device                            Name/Hostname                          IP Address
Access Switch (3650)              3k-access.demo.local                   10.1.100.1
Data Center Switch (3560X)        3k-data.demo.local                     10.1.129.3
Wireless LAN Controller (2504)    wlc.demo.local                         10.1.100.61
Wireless Access Point (2602i)     ap.demo.local                          10.1.90.x/24 (DHCP)
ASA (5515-X)                      asa.demo.local                         10.1.100.2
ISE Appliance                     ise-1.demo.local                       10.1.100.21
AD (AD/CS/DNS/DHCP)               ad.demo.local                          10.1.100.10
MobileIron VSP                    mobileiron.demo.local                  10.1.100.15
NTP Server                        ntp.demo.local                         128.107.212.175
LOB Web                           lob-web.demo.local                     10.1.129.12
                                  portal.demo.local, updates.demo.local  10.1.129.8
                                  business.demo.local                    10.1.129.9
                                  it.demo.local                          10.1.129.10
                                  records.demo.local                     10.1.129.11
LOB DB                            lob-db.demo.local                      10.1.129.20
Admin (Management) Client         admin.demo.local                       10.1.100.6
  (also FTP Server)               ftp.demo.local
Windows 7 Client PC               w7pc-guest.demo.local                  10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN   VLAN Name    IP Subnet        Description
10     ACCESS       10.1.10.0/24     Authenticated users or access network using ACLs
20     MACHINE      10.1.20.0/24     Microsoft machine-authenticated devices (L3 segmentation)
(29)   -            10.1.29.0/24     Interconnect subnet between ASA and Access switch
30     QUARANTINE   10.1.30.0/24     Unauthenticated or non-compliant devices (L3 segmentation)
40     VOICE        10.1.40.0/24     Voice VLAN
50     GUEST        10.1.50.0/24     Network for authenticated and compliant guest users
90     AP           10.1.90.0/24     Wireless AP VLAN
100    Management   10.1.100.0/24    Network services (AAA, AD, DNS, DHCP, etc.)
129    WEB          10.1.129.0/24    Line-of-business Web servers
130    DB           10.1.130.0/24    Line-of-business Database servers

Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

Accounts and Passwords

Access To                          Account (username/password)
Access Switch (3650)               admin / ISEisC00L
Data Center Switch (3560X)         admin / ISEisC00L
Wireless LAN Controller (2504)     admin / ISEisC00L
ASA (5515-X)                       admin / ISEisC00L
ISE Appliances                     admin / ISEisC00L
AD (CS/DNS/DHCP)                   admin / ISEisC00L
Web Servers                        admin / ISEisC00L
Admin (Management) Client          admin / ISEisC00L
Windows 7 Client                   W7PC-guest\admin / ISEisC00L
  (Local = W7PC-guest or W7PC-corp)  DEMO\admin / ISEisC00L
  (Domain = DEMO)                  DEMO\employee1 / ISEisC00L

Connecting to Lab Devices

Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

Connect to a POD
Step 1 Launch the Remote Desktop application on your system.
a. In the LabOps student portal, click on the Topology tab.
b. Click on the Admin PC, and then click on the RDP Client option that appears.
c. Clicking on this option should launch your RDP client and connect you to the Admin PC.

Login as admin / ISEisC00L

Note: All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines
During the lab exercises, you may need to access and manage the computers running as virtual machines.

Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop.
Step 2 Click OK when the VMware vSphere Client starts.
Step 3 You have the ability to power on, power off, or open the console (view) of these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options.
Step 4 To access the VM console, select Open Console from the drop-down.
Step 5 To log in to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu.
Step 6 For this lab ensure that the following VMs are up and running:

p##_ad
p##_ise-1-base
p##_lob-web
p##_mobileiron
p##_w7pc-guest

## is the pod number that you are assigned to. E.g., for POD 2, p##_ad would be p02_ad. The VM w7pc-guest may need to be powered on manually during the exercises.

Connect to Lab Device Command-Line Terminal

Step 1 To access the lab switches and ISE servers using SSH:

a. From the Admin client PC, click the PuTTY shortcut on the taskbar; it shows a list of devices and ISE servers.
b. Select the device that you'd like to log into and double-click it.
c. If prompted, click Yes to cache the server host key and continue the login.
d. Log in using the credentials listed in the Accounts and Passwords table.

Note: Caching a host key on first connection trusts whichever host answered; that is acceptable on this isolated lab network, but outside the lab compare the fingerprint PuTTY shows with one obtained out of band before clicking Yes.

Pre-Lab Setup Instructions

Basic Connectivity Test
To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC. Verify that ping succeeds for all devices tested by the script.

Note: Failure of lob-db to respond to ping is fine for this lab.

Basic ISE Configuration
Step 1 Access the ISE administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://ise-1.demo.local/

Note: Accept/Confirm any browser certificate warnings if present.

b. Login with username admin and password ISEisC00L.

Step 2 Join to the Active Directory.
a. Go to Administration > Identity Management > External Identity Sources.
b. Pick Active Directory from the left-hand-side panel, and select ise-1 in the right-hand-side Connection tab.
c. Click Join with the AD domain admin credentials: administrator / ISEisC00L

Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp and show clock to check whether the NTP service is working. The NTP service may be corrected by a reboot of ise-1 or a reset of the VM. The AD join relies on Kerberos, which rejects requests whose timestamp is more than a few minutes off the domain controller's clock, so time synchronization is a hard requirement rather than a nicety.

Step 3 Disable log collection suppression
Log suppression is on by default to reduce monitoring data storage. In order to see all log entries during troubleshooting, it can be disabled either globally or selectively per collection filter. In this lab, we will disable it globally, as shown in (a) below.

a. Disable suppression globally
i. Go to Administration > System > Settings, expand Protocols, and select RADIUS.
ii. Clear the checkboxes Suppress Anomalous Clients and Suppress Repeated Successful Authentications.
iii. Click Save when done.

b. (For reference only) Disable suppression per collection filter
i. Go to Administration > System > Logging, expand Collection Filters, and click Add for a new filter.
ii. Select an attribute from the drop-down menu.

iii. Enter a value to match the attribute in (ii).

iv. Select Disable Suppression from the drop-down menu.

v. Click Submit.

WLC Configuration
Step 1 Load WLC configuration for the lab
a. Login to the WLC web interface https://wlc.demo.local as admin / ISEisC00L
b. Navigate to the top menu COMMANDS. Then choose Download File from the left panel.
c. In the Download file to Controller page, fill in the form as below:

File Type                        Configuration
Configuration File Encryption    ☐ (unchecked)
Transfer Mode                    FTP
Server Details
  IP Address                     10.1.100.6
  File Path                      /
  File Name                      p##-wlc-4hr.txt
  Server Login Username          ftp
  Server Login Password          ftp
  Server Port Number             21

Note: The "##" in p##-wlc-4hr.txt is a two-digit value to be replaced with the assigned pod number; e.g. p02-wlc-4hr.txt for Pod 02.
Note: The FTP server is the Admin PC itself. The WLC configuration file is in the folder C:\inetpub\ftproot\.
Note: FTP carries the login and the configuration file in clear text. That is acceptable on this isolated lab management VLAN; outside a lab, enable Configuration File Encryption and prefer an encrypted transfer mode where the controller supports one.

d. Click the Download button to start the file transfer. A confirmation pops up after clicking Download; click OK.
e. Wait for the transfer to finish and the reset to complete.

Note: The WLC will reset after downloading a configuration from an external file server. During the reset, use ping -t wlc to monitor.

Step 2 Using the browser (Firefox), navigate to https://wlc.demo.local/. Log in using the credentials User Name: admin, Password: ISEisC00L

Note: SSID names change per POD; e.g. POD 01 = n-p01-TS-OPEN and n-p01-TS-WPA2e

Step 3 Open the WLAN list and then click SSID number 11
Step 4 Click the checkbox "Status"
Step 5 Apply the change
Step 6 Repeat step 3 to step 5 for SSID number 10

Controlling iPad via VNC Client
Below are some tips for controlling the iPad UI via the VNC client:

Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with trackpad) Touch with two fingers on the trackpad if Secondary Click is configured.
Mouse: The mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.

Note: The Tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to type into and click on it.

Lab Exercise 1: Configure the My Devices Portal on ISE

Exercise Description
This lab covers the ISE configuration requirements to enable and customize the My Devices Portal. The My Devices Portal allows employees to manage the devices that they themselves have onboarded to the corporate network. Employees can add devices directly in this portal. Employees can mark any device in their own list as lost, which prevents unauthorized network access by anyone using the stolen device. Employees can reinstate a blacklisted device in the My Devices Portal to grant it network access without re-registration. Employees can also take any of their devices off the list temporarily, and later register them back for network access.

Exercise Objective
In this exercise, your goal is to become familiar with and configure the My Devices Portal on ISE. This includes completion of the following tasks:

Verify My Devices Portal enablement
Customize the My Devices Portal
Modify the My Devices Portal authentication to include AD for user authentication
Launch the My Devices Portal and access it using AD user credentials

Step 4 Access the ISE administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://ise-1.demo.local/

Note: Accept/Confirm any browser certificate warnings if present. The "Your browser is not supported" message may be ignored.

b. Login with username admin and password ISEisC00L. The ISE Dashboard should display. Navigate the interface using the multi-level menus.

Step 5 My Devices Portal Settings
a. Navigate to Administration > Web Portal Management > Settings. From there, go to My Devices > Portal Configuration.
b. Under the General section, verify Enable My Devices Portal is checked.
c. Review the options to enable the AUP link and to set the maximum number of devices and the Help Desk email address and phone number. The maximum number of devices is set to 5 by default.
d. Enter values of your choosing under Help Desk for Email and Phone number.

Step 6 Portal Theme
a. Go to Administration > Web Portal Management > Settings > General > Portal Theme. Login page and banner logos as well as background images and colors can be customized.

Step 7 SSL and URL Settings for My Devices Portal
a. Go to Administration > Web Portal Management > Settings > General > Ports.
b. In My Devices Portal Settings, verify the HTTPS Port and Allowed Interfaces settings.
c. Go down to Portal URLs and verify that
i. Default My Devices Portal URL is checked
ii. The text box is set to mydevices.demo.local

Note: By default, the friendly URL is not enabled. It is preconfigured here in the interest of time and to avoid a restart of ISE services. In this setup, mydevices.demo.local is aliased to ise-1.demo.local in DNS.
Note: For a browser to accept the friendly URL without a name-mismatch warning, the ISE server certificate must list mydevices.demo.local in its Subject Alternative Name; a DNS alias on its own is not enough.

Step 8 Identity Source Sequence for My Devices
a. Under Administration > Web Portal Management > Settings > My Devices, verify the Authentication Source is set to MyDevices_Portal_Sequence, which is the default.
b. Go to Administration > Identity Management > Identity Source Sequences. Edit the MyDevices_Portal_Sequence and select demoAD as the only identity source in the Authentication Search List. Save once completed.

Step 9 Finally, verify the My Devices Portal is working with the configured settings.
a. From the web browser, access http://mydevices.demo.local

Note: Please accept/confirm any browser certificate warnings if present; these are mostly due to the browser not trusting the root CA certificate that signed the SSL server certificate of ISE.

b. Login with the AD user/password employee1 / ISEisC00L. Upon successful login, the My Devices page will show.

Note: The authentication events can be shown in the Operations audit reports. To see them, set the My Devices Portal logging category (under Administration > System > Logging) to log INFO messages and add LogCollector as a target.

c. There will be options available to add devices, but do not add any devices at this time. This will be performed in later lab exercises.

You are now familiar with the look-and-feel of the My Devices Portal. You will use this portal in subsequent exercises.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.

Lab Exercise 2: Configure ISE for Single SSID Wireless BYOD configuration

Exercise Description
This exercise will show how to configure ISE for a BYOD wireless deployment where only one wireless SSID is required. First you will confirm the SSID settings on the Cisco WLC. Next you will learn how to configure profiles for the SCEP CA and the Certificate Authentication Profile. Cisco ISE uses the Simple Certificate Enrollment Protocol (SCEP) to support the secure issuance of certificates to network devices in a scalable manner. The SCEP server in this lab is Microsoft Network Device Enrollment Service (NDES) on Windows Server 2008 R2 Enterprise. You will also learn how to configure a client provisioning policy on Cisco ISE to allow native supplicant provisioning.

Exercise Objective
In this exercise, your goal is to configure ISE for single SSID Wireless BYOD, which includes the completion of the following tasks in ISE:

Familiarize yourself with the WLC configuration needed for single SSID
Verify the Network Access Device configuration of the WLC
Configure the SCEP CA Profiles and the Certificate Authentication Profile
Modify the Identity Source Sequence to authenticate the user against AD
Modify the Authentication Policy to accept 802.1X authentication from wireless access devices with EAP-TLS or PEAP (EAP-MSCHAPv2) protocols
Modify the Authorization Policy to allow registration as well as supplicant provisioning and to grant full access to registered devices
Create a Client Provisioning Policy to support native supplicant provisioning

Step 1 Open a new tab in the web browser and access the ISE administration web interface at https://ise-1.demo.local using the credentials admin / ISEisC00L

Step 2 Verify that the Wireless LAN Controller is configured as a Network Access Device in ISE.
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. This network device is preconfigured with the values shown in the following table:

Attribute                  Value
Name                       wlc
Description                -
IP Address                 10.1.100.61 / 32
Model Name                 -
Software Version           -
Device Type                WLC
Location                   GOLD-Lab
Authentication Settings
  Protocol                 RADIUS
  Shared Secret            ISEisC00L

Note: The shared secret must match the one configured on the WLC for the ISE RADIUS server. The lab reuses the common lab password; in production use a long, unique secret per network device, since it is what protects the RADIUS exchange (including the keying material returned after EAP) between the NAD and ISE.

d. Update as needed and click Save when finished.

Step 3 Configure a SCEP RA Profile.
a. Navigate to Administration > System > Certificates.
b. Go to SCEP RA Profiles. Add a new profile as below:

Attribute      Value
Name           mscep (or any unique id)
Description    -
URL            http://ad.demo.local/certsrv/mscep

Note: The URL may start with either http:// or https://. The latter needs AD with a valid certificate and the root CA certificate imported into the ISE certificate store beforehand.

c. Click Test Connectivity to verify the connection to the SCEP server.

Note: If this fails, please ask the proctor to check on the ad server VM. MSCEP is hosted on the Microsoft AD server in this lab. The proctor can either stop and start the service (NDES) or restart the AD VM (power off and power on).

d. Once Test Connectivity succeeds, click Submit to save the profile.
e. Under Administration > System > Certificates, go to Certificate Store; both the CA and RA (registration authority) certificates of the certificate chain for the SCEP server should have been retrieved as a result of (d).

Note: Over plain http the SCEP GetCACert response is not authenticated, so the chain retrieved in (e) is trusted on first use. Compare the fingerprint of the retrieved CA certificate with the one on ad.demo.local before relying on it; a SCEP RA profile pointed at the wrong CA would issue BYOD certificates from a CA your authentication policy does not expect.

Step 4 Configure a Certificate Authentication Profile
Go to Administration > Identity Management > External Identity Sources > Certificate Authentication Profile to create a new one with the following information:

Click Submit to save the changes.

Step 5 Add a new Identity Source Sequence
a. Go to Administration > Identity Management > Identity Source Sequences.
b. Click Add to create a new Identity Source Sequence. The authentication policy in Step 7 refers to this sequence as DOT1X_Sequence.

Note: When this identity source sequence is used in EAP-TLS authentications, it will pick the certificate authentication profile. In password-based authentications, it will use the other identity sources in the authentication search list.

c. Click Submit to save the changes.

Step 6 Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols, and create a new entry with the name PEAP_o_TLS that allows only two protocols:
a. EAP-TLS
b. PEAP with inner method EAP-MS-CHAPv2
c. Click Submit to save the changes.

Step 7 Update Authentication Policy
a. Go to Policy > Authentication
b. Modify the rules Dot1X and Default Rule as below:

Below is the resulting authentication policy. The modified objects (the Dot1X protocols and identity source, and the Default Rule identity source) are highlighted in yellow in the original guide.

Status  Name                         Condition                             Protocols               Identity Source      Options (auth failed / user not found / process failed)
        MAB                          IF Wired_MAB OR Wireless_MAB          Default Network Access  Internal Endpoints   Reject / Reject / Drop
        Dot1X                        IF Wired_802.1X OR Wireless_802.1X    PEAP_o_TLS              DOT1X_Sequence       Reject / Reject / Drop
        Default Rule (if no match)                                         Default Network Access  DenyAccess           Reject / Reject / Drop

c. Click Save.

Step 8 Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create two Authorization Profiles that will be used in the Authorization Policy, one for full network access and the other dedicated to supplicant provisioning.

a. Authorization Profile for allowing Full Network Access

Attribute             Value
Name                  WLC_FullAccess
Description           --
Access Type           ACCESS_ACCEPT
Common Tasks
  Airespace ACL Name  PERMIT-ALL-TRAFFIC

Attributes Details:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = PERMIT-ALL-TRAFFIC

PERMIT-ALL-TRAFFIC is a named ACL defined on the WLC that permits all IP traffic. Click Submit to save the changes.

b. Authorization Profile for allowing Supplicant Provisioning

Attribute             Value
Name                  WLC_SupplicantProvisioning
Description           --
Access Type           ACCESS_ACCEPT
Common Tasks
  Web Redirection (CWA, DRW, MDM, NSP, CPP)   Drop-down menu: Supplicant Provisioning; ACL: PERMIT-2-ISE-a-DNS

Attributes Details:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=PERMIT-2-ISE-a-DNS
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionIdValue&action=nsp

PERMIT-2-ISE-a-DNS is another named ACL on the WLC. It permits limited access to ISE and DNS only. Click Submit to save the changes.

Note: ISE fills in the ip:port and sessionIdValue placeholders of url-redirect with the policy node's address and the session ID when it sends the Access-Accept. On the WLC, traffic that the redirect ACL permits passes without redirection (this is how the client reaches ISE and DNS), while traffic it denies is redirected to the URL. Keep that ACL as narrow as the pre-registration flow allows, because everything it permits is reachable by a device that has not yet been onboarded.

Step 9 Next, add two Authorization Policy rules under Policy > Authorization as shown below, with the rule names Reg with ISE TLS and Employee Personal Device. Also set the Default rule to DenyAccess.

Note: Identity Group RegisteredDevices is one of the Endpoint Identity Groups.
Note: ISE 1.2 introduced a new attribute EndPoints:BYODRegistration, which may be used to validate registration status instead of RegisteredDevices. Endpoints keep their pre-registration identity groups, if any.
Note: To insert a new authorization rule, click Edit at the right end of a rule and select from the drop-down option menu.
Note: To add the first condition from the Library, such as Wireless_802.1X, use Select Existing Condition from Library. Wireless_802.1X is a compound condition. If the first condition is an attribute/value pair, such as Network Access:EapAuthentication EQUALS EAP-TLS, use Create New Condition (Advance Option). Then pick Add Attribute/Value for more such conditions in the same rule.
Note: The CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID condition binds the certificate ISE issued during onboarding to the MAC address it was issued for. Without it, a certificate and private key exported from one onboarded device could be presented from any other device and still receive WLC_FullAccess.

Status  Rule Name                          Identity Groups     Other Conditions                                                                                                                                Permissions
        Wireless Black List Default ISE    Blacklist           Wireless_Access_ISE                                                                                                                             Blackhole_Wireless_Access_ISE
        Profiled Cisco IP Phones ISE       Cisco-IP-Phone      -                                                                                                                                               Cisco_IP_Phones_ISE
        Profiled Non Cisco IP Phones ISE   -                   Non_Cisco_Profiled_Phones_ISE                                                                                                                   Non_Cisco_IP_Phones_ISE
        Employee Personal Device           Any                 Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2                                                                        WLC_SupplicantProvisioning
        Reg with ISE TLS                   RegisteredDevices   Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID   WLC_FullAccess
        Default (if no matches)                                                                                                                                                                                DenyAccess

Click Save to save the changes.
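As an added illustration (this code is not from the lab guide or from Cisco ISE), the following Python models the Dot1X authentication rule of Step 7 and the authorization rules of Step 9 and evaluates them against a few constructed RADIUS requests for the iPad. It shows the two paths the single-SSID design relies on, PEAP into supplicant provisioning and EAP-TLS into full access, and why the Reg with ISE TLS rule compares the certificate SAN with Radius:Calling-Station-ID: a certificate and private key lifted from an onboarded device and presented from another MAC falls through to DenyAccess. The sample MAC, the hex-digits-only MAC comparison and the ACL name in the Blackhole profile are assumptions; only the rule logic of this lab is reproduced, not ISE's actual evaluation engine.

```python
"""Added example (not from the lab guide): the Exercise 2 authentication and
authorization policy modelled in code and evaluated against constructed requests."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

WIRELESS = "Wireless - IEEE 802.11"  # Radius:NAS-Port-Type sent by the WLC
# Allowed Protocols PEAP_o_TLS (Step 6): EAP-TLS, or PEAP with EAP-MSCHAPv2 inside.
# ISE exposes the inner method as Network Access:EapAuthentication.
PEAP_O_TLS = {"EAP-TLS", "EAP-MSCHAPv2"}

# RADIUS attributes returned by each authorization profile (Step 8). The guide
# does not show Blackhole_Wireless_Access_ISE; its ACL name here is an assumption.
PROFILES: Dict[str, Dict[str, object]] = {
    "WLC_FullAccess": {"Airespace-ACL-Name": "PERMIT-ALL-TRAFFIC"},
    "WLC_SupplicantProvisioning": {"cisco-av-pair": [
        "url-redirect-acl=PERMIT-2-ISE-a-DNS",
        "url-redirect=https://ip:port/guestportal/gateway?sessionIdValue&action=nsp"]},
    "Blackhole_Wireless_Access_ISE": {"Airespace-ACL-Name": "BLACKHOLE"},
}

@dataclass(frozen=True)
class Request:
    """Constructed RADIUS request plus the session facts ISE derives from it."""
    calling_station_id: str            # client MAC as the WLC reports it
    eap_authentication: str            # EAP method (inner method for PEAP)
    identity_groups: FrozenSet[str] = frozenset()
    cert_san: Optional[str] = None     # client certificate SAN (EAP-TLS only)
    service_type: str = "Framed"       # "Call Check" would be MAB
    nas_port_type: str = WIRELESS

def wireless_802_1x(r: Request) -> bool:
    """ISE compound condition Wireless_802.1X."""
    return r.nas_port_type == WIRELESS and r.service_type == "Framed"

def mac_digits(s: str) -> str:
    # Calling-Station-ID arrives as e.g. "ac-3c-0b-1f-5e-7d"; the SAN in the
    # ISE-issued certificate carries the MAC in its own notation. Comparing on
    # hex digits only is an assumption about how ISE performs the EQUALS match.
    return re.sub(r"[^0-9a-f]", "", s.lower())

def authenticate(r: Request) -> Optional[str]:
    """Dot1X and Default rules of Step 7. None on success, else the reject reason."""
    if not wireless_802_1x(r):
        return "Default Rule: DenyAccess"   # MAB rule deliberately not modelled
    if r.eap_authentication not in PEAP_O_TLS:
        return "protocol not allowed by PEAP_o_TLS"
    if r.eap_authentication == "EAP-TLS" and r.cert_san is None:
        return "EAP-TLS without a client certificate"
    return None

# Authorization rules (Step 9) in ISE evaluation order: first match wins.
AUTHZ_RULES = [
    ("Wireless Black List Default ISE",
     lambda r: "Blacklist" in r.identity_groups and r.nas_port_type == WIRELESS,
     "Blackhole_Wireless_Access_ISE"),
    ("Employee Personal Device",
     lambda r: wireless_802_1x(r) and r.eap_authentication == "EAP-MSCHAPv2",
     "WLC_SupplicantProvisioning"),
    ("Reg with ISE TLS",
     lambda r: "RegisteredDevices" in r.identity_groups and wireless_802_1x(r)
     and r.eap_authentication == "EAP-TLS" and r.cert_san is not None
     and mac_digits(r.cert_san) == mac_digits(r.calling_station_id),
     "WLC_FullAccess"),
]

def evaluate(r: Request) -> Tuple[str, Dict[str, object]]:
    """Return (rule that decided, RADIUS result) for one request."""
    reason = authenticate(r)
    if reason is not None:
        return "Authentication", {"code": "ACCESS_REJECT", "reason": reason}
    for name, condition, profile in AUTHZ_RULES:
        if condition(r):
            return name, {"code": "ACCESS_ACCEPT", **PROFILES[profile]}
    return "Default", {"code": "ACCESS_REJECT", "reason": "DenyAccess"}

IPAD_MAC = "ac-3c-0b-1f-5e-7d"  # constructed sample MAC
REGISTERED = frozenset({"RegisteredDevices"})
SCENARIOS = {
    # First join with AD credentials: PEAP lands in supplicant provisioning.
    "initial PEAP join": Request(IPAD_MAC, "EAP-MSCHAPv2"),
    # After onboarding: EAP-TLS with a SAN bound to this MAC gets full access.
    "onboarded EAP-TLS": Request(IPAD_MAC, "EAP-TLS", REGISTERED, "AC3C0B1F5E7D"),
    # Certificate and key copied to another device: SAN != MAC, so denied.
    "copied cert, other MAC": Request("00-11-22-33-44-55", "EAP-TLS", REGISTERED, "AC3C0B1F5E7D"),
    # Device marked lost in My Devices: the Blacklist rule wins on rule order.
    "blacklisted device": Request(IPAD_MAC, "EAP-TLS", REGISTERED | {"Blacklist"}, "AC3C0B1F5E7D"),
    # A method outside PEAP_o_TLS never reaches authorization.
    "EAP-FAST attempt": Request(IPAD_MAC, "EAP-FAST"),
}

if __name__ == "__main__":
    for label, req in SCENARIOS.items():
        rule, result = evaluate(req)
        print(f"{label:24s} -> {rule}: {result}")
```

Run it as a script to see which rule each scenario hits. The ordering of AUTHZ_RULES matters in the same way it does in the ISE GUI: the blacklist rule sits above the two BYOD rules so that a device marked lost is caught before its still-valid certificate can earn it full access.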

Step 10 Go to Policy > Client Provisioning and create a new rule which will look like the following:

Status  Rule Name   Identity Groups   Operating Systems   Other Conditions   Results
        Apple iOS   Any               Apple iOS All       -                  iOS_WPA2e_TLS

Create a new Native Supplicant Profile in-line from within the Results cell. Fill in the native supplicant profile iOS_WPA2e_TLS as shown:

Attribute           Value
Name                iOS_WPA2e_TLS
Description         -
Operating System    Apple iOS All
Connection Type     Wireless
SSID                n-p##-TS-WPA2e
Security            WPA2 Enterprise
Allowed Protocol    TLS
Key Size            1024

Note: The SSID value is case-sensitive and needs to be exactly the same as the one defined on the WLC. To avoid typos, copy the SSID name from the WLC and paste it into the ISE GUI. To find the SSID for your POD, go to the Admin PC, launch a browser and log in to the WLC (https://wlc.demo.local) with Username = admin and Password = ISEisC00L. Open the WLAN list and copy the name of the secure SSID, e.g. n-p##-TS-WPA2e. If the SSID is disabled, click on the SSID and enable it. DO NOT use the OPEN SSID.
Note: A 1024-bit key is the lab setting chosen for speed. 1024-bit RSA is no longer considered adequate, so use 2048 for device certificates in a production deployment.

Click Save to save the changes.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.

Lab Exercise 3: Test and Verify the onboarding of a non-corporate Apple iPad

Exercise Description
In this exercise you will get the experience of onboarding an Apple iPad onto the network in a BYOD use case. From the iPad you will connect over the wireless network to the single SSID you configured in the earlier exercise. You will use your AD credentials to let Cisco ISE know that the iPad is a personal device that belongs to you, the employee. When you connect to the network you will verify profile installation for the native supplicant on the iPad. Using the Cisco ISE live logs you will monitor the onboarding process and verify successful completion via the My Devices Portal.

Warning: The Apple iPad you will be using is controlled remotely using VNC over the USB port of the Admin PC. Due to the configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment, please do not deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical/manual resetting and prevent you from experiencing the full potential of the lab. Thank you for your cooperation.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Connect to the iPad via VNC to test the wireless BYOD feature
Connect the iPad to the corporate SSID and check the onboarding of the Apple iPad and installation of the profiles for the native supplicant for the corporate user
Check the ISE Live Logs to monitor the process
Check the My Devices Portal to see the device registration

Step 1 Click on the shortcut VNC-to-iPad on the taskbar to start a VNC session to the iPad.
Step 2 Press any key to continue, once prompted to do so.

Tips on controlling the iPad UI via the VNC client are given in the pre-lab section "Controlling iPad via VNC Client".

Step 3 On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if present.

Note: If there are no profiles, you might not see the Profiles menu option.

Step 4 Next, on the iPad, go to Settings > Safari and tap Clear History as well as Clear Cookies and Data.
Step 5 Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the network n-p##-TS-WPA2e
a. Enter the username/password (AD credentials employee1 / ISEisC00L) and tap Join
b. Tap Accept to accept the certificate.

Note: This certificate with a subject name aaa.demo.local shown as the certificate subject, it is a wild-card certificate. Note: Apple iOS prompts for the RADIUS server EAP-TLS certificate because it sees the certificate the first time and an ad-hoc connection.

c. Next, click the blue arrow next to the connected network and verify the IP address assigned.

Note: The IP address of the iPad may differ depending on the DHCP scopes defined for the pod; an address from the 10.1.10.x subnet is also acceptable.

Step 6 Now launch the mobile Safari app and browse to www-int.demo.local. The WLC intercepts the HTTP request and redirects it to the ISE self-provisioning page over HTTPS; because the iPad does not yet trust the certificate of that portal, Safari warns “Cannot Verify Server Identity”. Click Continue to reach the self-provisioning page.

Note: If a red error is shown and the Register button is greyed out, check that a Client Provisioning Policy rule exists for Apple iOS (Policy > Client Provisioning).

Also, run a Supplicant Provisioning report (Operations > Reports > Endpoints and Users > Supplicant Provisioning > Run).


When prompted to install the CA certificate that signed the SSL server certificate of ISE, click Install, and accept any warnings to complete the installation. Installing this certificate adds the lab CA to the iPad’s trust store, so every certificate issued by that CA (including the ISE portal and EAP server certificates) is trusted from now on.

Step 7 Once back on the self-provisioning page in Safari, enter an optional description and click Register. The ISE Profile Service then pops up and prompts for Install.

Step 8 Click Install to start the Apple Over-The-Air (OTA) enrollment process. This automatically generates a key pair on the iPad, enrolls the identity certificate through ISE (which acts as the SCEP registration authority for the CA), and saves the resulting signed Wi-Fi profile to the iPad. The private key never leaves the device; only the certificate request is sent to ISE.

Note: If errors occur when installing the profile, do the following:

Verify that a SCEP RA profile has been created (Administration > System > Certificates > SCEP RA Profile)

Verify that the CA and RA certificates have been downloaded to the Certificate Store (Administration > System > Certificates > Certificate Store)

Check the console output of the iPad using the iPhone Configuration Utility (iPCU) from Apple, which is installed on the admin PC (Start > All Programs > iPhone Configuration Utility)

Step 9 Once the profile is installed, click Done.

Step 10 Now, back in the mobile Safari app, enter www-int.demo.local, which should take you to the website.

Step 11 Verify that Settings > General > Profiles shows two profiles installed.

Note: iOS_WPA2e_TLS is the name of the supplicant profile created in Step 10 of Exercise 2.

Step 12 Check the live authentication logs on the ISE admin web console (Operations > Authentications) to verify that the correct authorization profiles were applied. The sequence will look similar to the following: initially the device is authorized with WLC_SupplicantProvisioning; once provisioning is complete, the supplicant re-authenticates with EAP-TLS using the newly issued certificate and the WLC_FullAccess profile is applied.


Note: For detailed troubleshooting, enable DEBUG logging for the relevant components: client, guest and provisioning (Administration > System > Logging > Debug Log Configuration).

Step 13 Go to the My Devices Portal http://mydevices.demo.local and inspect the endpoint registration states. Log in as employee1 / ISEisC00L if the portal session has expired.

a. The initial state of the device is Pending, as shown below.

b. Once the newly installed Wi-Fi profile authenticates the device to the network, the state moves to Registered.

This transition may take up to 20 minutes, or may not occur at all, due to bug CSCtx94533.

More Troubleshooting Tips

Helpful WLC CLI commands:

debug client <mac_address>                      Debug traffic for one client
debug aaa events enable                         Debug AAA authentication
debug dot1x events enable                       Debug 802.1X events
config network web-auth captive-bypass enable   Bypass captive-portal detection

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 4: Test and Verify the Device Blacklisting function on My Devices Portal

Exercise Description This exercise will show you the device self-management features of Cisco ISE. You will simulate losing your iPad and blacklisting the device as lost. Blacklisting the device prevents it from being misused on the corporate network while it is out of the owner’s hands. Cisco ISE uses RADIUS Change of Authorization (CoA) messaging to instruct the network access device to re-authorize the session, so the restriction takes effect immediately rather than at the next login.

Exercise Objective In this exercise, your goal is to complete the following tasks:

Customize the Authorization Profile to blacklist wireless endpoints

From the My Devices Portal, mark the device as Lost to observe the Change of Authorization (CoA) occur and restrict access from the device

When the device is reinstated on the My Devices Portal, a Change of Authorization is triggered again and the device should be given full network access

Step 1 Refer to Appendix A for the sample WLC configuration. Log in to the WLC web interface https://wlc.demo.local as admin / ISEisC00L to review the WLAN (menu WLANs) and ACLs (menu SECURITY; side menu Access Control Lists > Access Control Lists) used in this exercise.

a. WLAN: n-p##-TS-WPA2e

b. ACLs: PERMIT-ALL-TRAFFIC and BLACKHOLE

Note: The “##” in n-p##-TS-WPA2e is to be replaced with the assigned pod number; e.g. n-p22-TS-WPA2e for POD 22

Step 2 Go to the My Devices Portal. Select the iPad and click Lost? The device will now be blocked from accessing the network. Note the icon change under State.

Step 3 From the VNC session to the iPad, switch to the mobile Safari app. Reload the page www-int.demo.local; the user will see the message This device has been marked as lost …

Step 4 Under Operations > Authentications, review the Live Logs. They will show that a Dynamic Authorization (CoA) is triggered after the device is marked Lost, followed by a re-authorization that matches the device to the BlackList_Wireless_Access profile. Note that the device still authenticates successfully with its certificate; it is the authorization result that changes, because the endpoint has been moved to the Blacklist endpoint identity group.


Step 5 Back in the My Devices Portal, click Reinstate. The iPad should now be allowed on the network. Notice the change in the icon under State.

Step 6 The Live Authentications log should show an entry Dynamic Authorization (CoA) succeeded followed by a re-authentication, which puts the device in the WLC_FullAccess profile.
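What the Dynamic Authorization entries in the Live Log correspond to on the wire is a RADIUS CoA exchange (RFC 5176) between ISE and the WLC. The Python below is an added example written for this page, not code from the lab guide or from Cisco: it builds the CoA-Request ISE sends to re-authorize a session, verifies it the way the NAD must (recomputing the Request Authenticator with the shared secret), and builds and checks the CoA-ACK that produces the “Dynamic Authorization (CoA) succeeded” entry. The shared secret, NAS address, MAC, session ID and packet identifier are constructed; the cisco-avpair strings are the Cisco subscriber commands used for a re-authentication CoA.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes used by ISE dynamic authorization.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# RADIUS attribute types (RFC 2865) and the Cisco vendor-specific container.
ATTR_NAS_IP, ATTR_VSA, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 4, 26, 31, 44
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1) + Length (1) + Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific attribute (vendor 9, type 1)."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret, identifier, attributes):
    """CoA-Request with the Request Authenticator of RFC 5176 section 2.3:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    request_auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + request_auth + attributes


def reauth_request(secret, identifier, nas_ip, calling_station_id, session_id):
    """The CoA-Reauth ISE sends to a WLC: identify the session, then ask the
    NAD to re-run authorization with the Cisco 'subscriber' av-pairs."""
    attributes = (
        attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
        + attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
        + attr(ATTR_ACCT_SESSION_ID, session_id.encode())
        + cisco_avpair("subscriber:command=reauthenticate")
        + cisco_avpair("subscriber:reauthenticate-type=last")
    )
    return build_coa_request(secret, identifier, attributes)


def verify_request(request, secret):
    """What the NAD must do before acting on a CoA: recompute the Request
    Authenticator with its copy of the shared secret and compare."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    header, given, attributes = request[:4], request[4:20], request[20:]
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(given, expected)


def build_response(code, request, secret, attributes=b""):
    """CoA-ACK / CoA-NAK from the NAD. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    response_auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(response, request, secret):
    """What ISE checks before logging 'Dynamic Authorization succeeded': the
    Identifier matches the outstanding request and the authenticator is valid."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, given, attributes = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return hmac.compare_digest(given, expected)


def parse_attributes(packet):
    """Decode the attribute list into (type, value) pairs; cisco-avpairs are
    returned as ('cisco-avpair', text) so the command can be inspected."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            out.append(("cisco-avpair", value[6:].decode()))
        else:
            out.append((attr_type, value))
        pos += length
    return out


if __name__ == "__main__":
    secret = b"lab-shared-secret"  # constructed; not the lab's real RADIUS secret
    req = reauth_request(secret, 7, "10.1.100.10", "aa-bb-cc-11-22-33", "0a016401/00000123")
    print("NAD accepts request:", verify_request(req, secret))
    print("attributes:", parse_attributes(req))
    ack = build_response(COA_ACK, req, secret)
    print("ISE accepts CoA-ACK:", verify_response(ack, req, secret))
```

Run it directly to print the decoded attributes. Two points carry over to the lab: the only integrity protection on a CoA is an MD5 authenticator keyed with the RADIUS shared secret, so the NAD should accept CoA only from the ISE policy service node addresses on the port it listens on (Cisco devices default to UDP 1700), and a CoA-Request that fails verify_request must be silently discarded, as RFC 5176 requires, rather than answered with a NAK.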

Step 7 On iPad, again try to access www-int.demo.local. The website should now be accessible.

Step 8 On iPad, go to Settings > Wi-Fi and slide the virtual switch to turn off Wi-Fi.

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 5: Configure ISE for 3rd Party MDM integration

Exercise Description

This lab covers the ISE configuration requirements to enable ISE integration with 3rd party MDM servers.

Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a policy server and an inline enforcement point that controls the use of applications (e.g. email) on a mobile device in the deployed environment. Cisco Identity Services Engine (ISE) can provide granular network access to endpoints (based on ACLs, TrustSec SGTs, etc.). In this integration, the ISE-enabled network is the enforcement point, while the MDM server is the source of the device registration and compliance decisions that ISE consumes. ISE expects specific data from the MDM server (reachability, registration status and compliance status, exposed as MDM dictionary attributes) to provide a complete solution.

The following are the high-level use cases in this solution.

Device registration: non-registered endpoints accessing the network on-premises are redirected to the registration page on the MDM server, based on user role, device type, etc.

Remediation: non-compliant endpoints are given restricted access based on their compliance state

Periodic compliance check: ISE periodically checks with the MDM server for compliance

Ability for the administrator in ISE to issue remote actions on the device through the MDM server (e.g. remote wipe of the managed device)

Ability for the end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe and PIN Lock.

MDM servers can be consumed as a cloud service or installed locally on premises. Once the installation, basic setup and compliance checks are configured on the MDM server, it can be added to ISE.

Logical Network Topology


MDM Integration use-case overview

1. The user associates the device to the SSID.

2. If the device is not registered with ISE, the user goes through the BYOD on-boarding flow (details listed in the Appendix).

3. ISE makes an API call to the MDM server.

4. This API call returns the list of devices for this user and the posture (compliance) status of each device. Note that the MAC address of the endpoint can be passed as an input parameter to narrow the query.

5. If the user’s device is not in this list, it is not registered with the MDM. ISE sends a Change of Authorization to the NAD so that the session is re-authorized into a redirect state, and the user’s browser is redirected to ISE.

6. ISE knows that this device needs to be provisioned through the MDM and presents a page inviting the user to proceed to registration, with a link to the MDM server’s registration (landing) page.

7. The user is transferred to the MDM server, where registration is done. Control transfers back to ISE either through an automatic redirect by the MDM server or by the user refreshing the browser.

8. ISE queries the MDM again to learn the posture status.

9. If the device does not comply with the posture (compliance) policies configured on the MDM, the user is notified that the device is out of compliance and what needs to be fixed.

10. Once the device becomes compliant, the MDM server updates the device state in its internal tables.

11. At this stage the user can refresh the browser, at which point control transfers back to ISE.

12. ISE also polls the MDM server periodically for compliance information and issues CoAs as appropriate, so a device that falls out of compliance later is moved back to the restricted state without user action.

Exercise Objective

In this exercise the student will add a 3rd party MDM server to ISE and then configure ISE authorization policies to use MDM attributes.

The diagram below shows the main steps in configuring MDM Integration.


Step 1 MDM Server Certificate

Note: The certificate of the 3rd party MDM server for step 1 is already imported into ISE. Step 1 only views the certificate, for completeness of the configuration. ISE validates the MDM server’s TLS certificate against this trust store before it sends REST API calls, so the integration fails if the certificate is missing or has expired.

Go to Administration > System > Certificates > Certificate Store and verify that the MobileIron certificate is in the Certificate Store, as shown below.

Step 2 Add the MDM server. Go to Administration > Network Resources > MDM. Click Add to add the MDM server. Enter the MDM server details as below, with credentials User name: admin and Password: ISEisC00L. This account must hold the MDM’s API role; Lab Exercise 6 verifies that.

Make sure the Enable checkbox is selected so that the server is enabled after it is added.


Step 3 Click Test Connection; an info dialog box pops up.

Step 4 Click Submit. ISE tests the connectivity again and adds the MDM server. Also check the MDM status and ensure it is Active.

Step 5 Review the MDM dictionaries. Once the MDM server is added, the supported dictionaries show up on ISE and can later be used in ISE authorization policies. Go to Policy > Policy Elements > Dictionaries > System > MDM > Dictionary Attributes and review all the available attributes.

Step 6 Log on to the WLC. Navigate to Security > Access Control Lists > Access Control Lists. Verify that the ACL named MDM_Quarantine_ACL is present on the Wireless LAN Controller. This ACL was used in policy earlier to redirect clients selected for BYOD supplicant provisioning and certificate provisioning, and it will also be used for MDM quarantine.


The ACL references the following addresses:

Cisco Identity Services Engine IP address = 10.1.100.21

Internal corporate networks = 10.0.0.0, 255.0.0.0 (traffic to be redirected, with ISE and the MDM server explicitly allowed)

MDM server = 10.1.100.15

Explanation of the MDM_Quarantine_ACL is as follows:

1. Allow DNS traffic inbound for name resolution.

2. Allow all traffic inbound to ISE for the web portal and the supplicant and certificate provisioning flows.

3. Allow access inbound to the MDM server for MDM device registration and compliance checks.

4. Allow ICMP traffic for troubleshooting (optional).

5. Deny all traffic inbound to corporate resources. HTTP (80/tcp) hits on this rule are redirected to ISE (as per company policy); the redirect only intercepts HTTP, so a quarantined device simply cannot reach corporate resources on any other port.

6. Permit all the rest of the traffic, to allow remediation from Internet sites such as the Apple App Store. This means a quarantined device still has general Internet access; tighten rule 6 if company policy requires quarantine to be Internet-restricted as well.
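To see what a client in the quarantine state can actually reach, the six rules above can be evaluated in order. The Python below is an added example written for this page, not WLC ACL syntax or any Cisco code: it encodes the rules as listed, evaluates one flow first-match, and reports whether the flow passes, is redirected to ISE or is dropped. The ISE and MDM addresses are the ones given above; the 10.1.50.x hosts and the 203.0.113.10 Internet address are constructed. That denied tcp/80 is redirected is stated above; treating any other denied traffic as dropped is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Addresses taken from the lab text; hosts used in the demo below are constructed.
ISE_PSN = ipaddress.ip_address("10.1.100.21")
MDM_SERVER = ipaddress.ip_address("10.1.100.15")
CORPORATE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # "tcp", "udp", "icmp"; None matches any protocol
    dst: object = None           # IPv4Address, IPv4Network or None (any destination)
    dport: Optional[int] = None  # destination port; None matches any port


# The six inbound rules of MDM_Quarantine_ACL, in the order the guide lists them.
MDM_QUARANTINE_ACL = [
    Rule("1 dns", "permit", "udp", None, 53),
    Rule("2 to-ise", "permit", None, ISE_PSN, None),
    Rule("3 to-mdm", "permit", None, MDM_SERVER, None),
    Rule("4 icmp", "permit", "icmp", None, None),
    Rule("5 corporate", "deny", None, CORPORATE, None),
    Rule("6 rest", "permit", None, None, None),
]


def _dst_matches(rule_dst, dst):
    if rule_dst is None:
        return True
    if isinstance(rule_dst, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return dst in rule_dst
    return dst == rule_dst


def evaluate(acl, proto, dst, dport=None) -> Tuple[str, str]:
    """First-match evaluation of one inbound flow from the quarantined client.

    Returns (disposition, rule name). 'permit' rules pass traffic untouched.
    For 'deny' rules the guide states that tcp/80 is redirected to the ISE
    portal; any other denied traffic is dropped (assumption, not stated on the page).
    """
    dst = ipaddress.ip_address(dst)
    for rule in acl:
        if rule.proto is not None and rule.proto != proto:
            continue
        if not _dst_matches(rule.dst, dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.action == "permit":
            return "pass", rule.name
        if proto == "tcp" and dport == 80:
            return "redirect", rule.name
        return "drop", rule.name
    return "drop", "implicit deny"


def reachable_from_quarantine(acl, flows):
    """Return the subset of (proto, dst, dport) flows a quarantined device can
    complete, i.e. the effective exposure of the restricted state."""
    return [f for f in flows if evaluate(acl, *f)[0] == "pass"]


if __name__ == "__main__":
    # Constructed sample flows: 10.1.50.x are corporate hosts, 203.0.113.10 stands
    # in for an Internet host such as the App Store.
    flows = [
        ("udp", "10.1.50.5", 53),        # DNS to a corporate resolver
        ("tcp", "10.1.100.21", 8443),    # ISE portal
        ("tcp", "10.1.100.15", 443),     # MDM enrollment
        ("tcp", "10.1.50.10", 80),       # corporate intranet over HTTP: redirected
        ("tcp", "10.1.50.10", 443),      # corporate intranet over HTTPS: dropped
        ("tcp", "203.0.113.10", 443),    # Internet: allowed
    ]
    for flow in flows:
        print(flow, "->", evaluate(MDM_QUARANTINE_ACL, *flow))
```

Running it shows the two points a reviewer of this ACL should check: HTTPS to a corporate server is not redirected but silently dropped (the user sees a timeout rather than the quarantine page), and rule 6 leaves the quarantined device with unrestricted Internet egress.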

Step 7 Configure ISE Authorization Policies. Once the MDM server is added to ISE, we can configure authorization policies in ISE that leverage the new dictionaries added for MDM servers.

a. Create an Authorization Profile named “MDM_Quarantine” for devices that are not compliant with MDM policies. In this case all non-compliant devices are redirected to ISE and presented with a message.

b. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click Add to add the MDM_Quarantine profile as below:


Step 8 Update the ISE Authorization Policy

a. Go to Policy > Authorization.

b. Locate the authorization policy rule Reg with ISE TLS and select Duplicate Above.

c. Update the two policy rules (Reg with ISE TLS and its duplicate) as defined below, in turn:

Reg with ISE and MDM compliant - Once the device is registered with both ISE and the MDM, and is compliant with MDM policies, it is granted full access to the network.

Reg with ISE not MDM - This authorization rule is added for devices that are registered with ISE but either not yet registered with the MDM server or not compliant with MDM policies. Once the device hits this rule, it is forwarded to the ISE MDM landing page. If not yet registered with the MDM, the “Register” button is shown. If already registered but not yet compliant, the page informs the user about the compliance failure.

Note: Use Duplicate Above/Below to speed up creating rules with similar conditions. Both rules require MDM:MDMServerReachable EQUALS Reachable; if the MDM server is unreachable, neither rule matches and registered devices fall through to the Default rule, which denies access. Decide deliberately whether that fail-closed behaviour is what you want during an MDM outage.

Authorization policy (evaluated first-match, top to bottom):

Rule Name: Employee Personal Device
  Identity Groups: Any
  Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
  Permissions: WLC_SupplicantProvisioning

Rule Name: Reg with ISE and MDM compliant
  Identity Groups: RegisteredDevices
  Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID AND MDM:MDMServerReachable EQUALS Reachable AND MDM:DeviceRegisterStatus EQUALS Registered AND MDM:DeviceCompliantStatus EQUALS Compliant
  Permissions: WLC_FullAccess

Rule Name: Reg with ISE not MDM
  Identity Groups: RegisteredDevices
  Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID AND MDM:MDMServerReachable EQUALS Reachable
  Permissions: MDM_Quarantine

Rule Name: Default (if no matches)
  Permissions: DenyAccess

Do not forget to Save all the changes after updating the Authorization Policy rules.
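The three rules above and the Default rule are evaluated first-match, top to bottom, and the MDM flow described earlier in this exercise (steps 3 to 12) is what fills in the MDM:* attributes. The Python below is an added example written for this page, not ISE code: it models that evaluation with the conditions from the table, expands Wireless_802.1X into the two RADIUS attributes ISE's built-in compound condition checks, and compares the certificate SAN with Calling-Station-ID after normalising the MAC format (the exact formats the WLC and the ISE certificate template use are an assumption). The session attributes in tls_session are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]


def normalize_mac(value: str) -> str:
    """Reduce a MAC to 12 lowercase hex digits so that the formats a WLC puts in
    Calling-Station-ID and ISE puts in the certificate SAN compare equal.
    Treating both as free-form MAC strings is an assumption of this model."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def wireless_8021x(a: Attrs) -> bool:
    # ISE's built-in Wireless_802.1X compound condition.
    return (a.get("Radius:Service-Type") == "Framed"
            and a.get("Radius:NAS-Port-Type") == "Wireless - IEEE 802.11")


def eap_is(method: str) -> Callable[[Attrs], bool]:
    return lambda a: a.get("Network Access:EapAuthentication") == method


def san_equals_calling_station(a: Attrs) -> bool:
    """CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID:
    the certificate must carry the MAC of the device presenting it."""
    san = a.get("CERTIFICATE:Subject Alternative Name")
    csid = a.get("Radius:Calling-Station-ID")
    try:
        return bool(san and csid) and normalize_mac(san) == normalize_mac(csid)
    except ValueError:
        return False


def mdm(attribute: str, value: str) -> Callable[[Attrs], bool]:
    return lambda a: a.get(f"MDM:{attribute}") == value


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: Optional[str]            # None means "Any"
    conditions: Tuple[Callable[[Attrs], bool], ...]
    permission: str


POLICY = [
    Rule("Employee Personal Device", None,
         (wireless_8021x, eap_is("EAP-MSCHAPv2")),
         "WLC_SupplicantProvisioning"),
    Rule("Reg with ISE and MDM compliant", "RegisteredDevices",
         (wireless_8021x, eap_is("EAP-TLS"), san_equals_calling_station,
          mdm("MDMServerReachable", "Reachable"),
          mdm("DeviceRegisterStatus", "Registered"),
          mdm("DeviceCompliantStatus", "Compliant")),
         "WLC_FullAccess"),
    Rule("Reg with ISE not MDM", "RegisteredDevices",
         (wireless_8021x, eap_is("EAP-TLS"), san_equals_calling_station,
          mdm("MDMServerReachable", "Reachable")),
         "MDM_Quarantine"),
]
DEFAULT = ("Default", "DenyAccess")


def authorize(attrs: Attrs, identity_groups: List[str], policy=POLICY) -> Tuple[str, str]:
    """First-match evaluation, top to bottom, as in the ISE authorization policy table."""
    for rule in policy:
        if rule.identity_group is not None and rule.identity_group not in identity_groups:
            continue
        if all(cond(attrs) for cond in rule.conditions):
            return rule.name, rule.permission
    return DEFAULT


def tls_session(**overrides) -> Attrs:
    """Constructed session attributes for a registered iPad on the WPA2-Enterprise SSID."""
    base = {
        "Radius:Service-Type": "Framed",
        "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
        "Network Access:EapAuthentication": "EAP-TLS",
        "Radius:Calling-Station-ID": "aa-bb-cc-11-22-33",
        "CERTIFICATE:Subject Alternative Name": "AA:BB:CC:11:22:33",
        "MDM:MDMServerReachable": "Reachable",
        "MDM:DeviceRegisterStatus": "Registered",
        "MDM:DeviceCompliantStatus": "Compliant",
    }
    base.update(overrides)
    return base


if __name__ == "__main__":
    groups = ["RegisteredDevices"]
    print(authorize(tls_session(), groups))
    print(authorize(tls_session(**{"MDM:DeviceCompliantStatus": "NonCompliant"}), groups))
    # Certificate copied to a device with another MAC, then an MDM outage:
    print(authorize(tls_session(**{"CERTIFICATE:Subject Alternative Name": "AA:BB:CC:99:99:99"}), groups))
    print(authorize(tls_session(**{"MDM:MDMServerReachable": "UnReachable"}), groups))
```

The last two calls in the demo are the cases worth having in a test plan: a certificate copied to a device with a different MAC, and an unreachable MDM server. Both end in DenyAccess with this policy, which is the intended fail-closed behaviour for the first case but may be an unwelcome surprise for the second; add a rule that matches when the server is not reachable if registered devices should keep some access during an MDM outage.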

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 6: MDM policy configuration on 3rd Party MDM Server.

Exercise Description

This exercise will review the MobileIron policy configuration for the corporate compliance policies.

Note: Please DO NOT change any policies on the 3rd party MDM server beyond what the steps below call for, as this could leave the iPad in an unusable state.

Exercise Objective

In this exercise, your goal is to familiarize yourself with and review the configuration of the MobileIron server for the corporate policies. This includes completion of the following tasks:

Verify the admin account privileges for the REST API, i.e. the account used by ISE to send REST API calls to the MobileIron server

Review the Default Security Policy

Review the iOS app installation configuration (Quick Graph: Your Scientific Graphing Calculator & Calculator for iPad Free)

Step 1 Access the MobileIron administrative web interface.

a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://mobileiron.demo.local/admin

Note: Accept/Confirm any browser certificate warnings if present.

b. Log in with username admin and password ISEisC00L. Once you log in, the USERS & DEVICES tab should be displayed.

Step 2 User Management

a. Navigate to USERS & DEVICES > User Management. From there, select the checkbox before the admin user and click Assign Roles.


b. Notice that the API checkbox is selected for this user; this role is what allows the REST API calls from ISE (configured in Lab Exercise 5, Step 2) to succeed. In production, use a dedicated least-privilege account that holds only the API role rather than the full administrator account.

c. Navigate to USERS & DEVICES > User Management. From there, select the checkbox before the employee1 user and click Assign Roles.

d. Notice that the API checkbox is NOT selected for this user, so employee1 could not be used as the ISE integration account.

Step 3 Application Control Policies on the MobileIron Server

a. Navigate to APPS & CONFIGS > App Control.

b. Click the Edit button for Quick Graph: Your Scientific Graphing Calculator.

c. Verify the settings as below:

Attribute            Value
Name                 Quick Graph: Your Scientific Graphing Calculator
Type                 Required
App Name             IS
App Search String    Quick Graph: Your Scientific Graphing Calculator
Device Platform      ALL
Comment              Quick Graph: Your Scientific Graphing Calculator

Step 4 Default Security Policy on the MobileIron Server

a. Navigate to POLICIES > All Policies > Default Security Policy. From there, click the Edit button on the right side of the screen.

b. Review this policy for Password, Type, Length, Data Encryption, etc.

c. Under “Access Control”, verify that Quick Graph: Your Scientific Graphing Calculator & Calculator for iPad Free are the only “Enabled” rules.


Update as needed. Then, click

Step 5 Application Distribution Policies on the MobileIron Server

a. Navigate to APPS & CONFIGS > App Distribution.

b. From there, click the dropdown button and select iOS.

c. Calculator for iPad Free has already been imported into the MobileIron server from the App Store. Click the Edit button to review the details.

Note: This is only a verification, as the current value on the server is already set to Yes. Verify that Yes is selected for MobileIron VSP to send an installation request to the endpoint at the time of registration, and click “Save”.

d. Quick Graph: Your Scientific Graphing Calculator has already been imported into the MobileIron server from the App Store. Click the Edit button to review the details.

Note: This change is required, as the current value on the server is set to No. Click Yes for MobileIron VSP to send an installation request to the endpoint at the time of registration, and click “Save”.

You are now familiar with the basic configuration of the 3rd party MDM server, MobileIron. You will use it in the subsequent exercises.

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 7: Test and Verify 3rd party MDM integration onboarding of a non-corporate Apple iPad

Exercise Description In this exercise you will experience the MDM enrollment process. BYOD on-boarding of the iPad was already completed in Lab Exercise 3, so this exercise continues with MDM enrollment: the iPad’s native supplicant is already provisioned for the wireless SSID, and what remains is enrolling the device with the MDM. Using the Cisco ISE live logs you will monitor the onboarding process and verify successful completion via the My Devices Portal.

Warning:

The Apple iPad you will be using is controlled remotely using VNC over the USB port of the admin PC. Due to configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment please do not deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical / manual resetting and prevent you from experiencing the full potential of the lab.

Thank you for your cooperation.

Exercise Objective In this exercise, your goal is to complete the following tasks:

Complete device enrollment with the 3rd party MDM and install the corporate application

Check the ISE Live Logs to monitor the process

Check the My Devices Portal to see the device registration

Use the My Devices Portal to issue a corporate wipe.

Step 1 On the iPad, go to Settings > Wi-Fi and slide the virtual switch to turn on Wi-Fi.

Note-1: If the VNC session to the iPad is closed, click the short-cut VNC-to-iPad on the taskbar to restart it.

Note-2: If Wi-Fi was not turned off at the end of Lab Exercise 4, first turn it off and remove the client session from the WLC: use the Firefox browser on the admin PC to go to https://wlc.demo.local, navigate to MONITOR > Clients, follow the client MAC address hyperlink to drill into the session, and click the “Remove” button.

Step 2 Launch the mobile Safari app and access www.google.com. The endpoint has Internet access as per corporate policies, because the iPad was previously registered with ISE in Lab Exercise 3 and the MDM_Quarantine_ACL permits traffic that is not destined for corporate resources.

Step 3 Now access the website www-int.demo.local (a corporate resource). Since the device is not enrolled with the MDM, the configured policies redirect it to the page hosted on ISE to register with the 3rd party MDM server. To simplify the end-user experience, a link to the configured 3rd party MDM server is presented, which the user can click to be redirected to install the MDM client.


Click the link called “Step 1: Enroll” but do NOT click the “Step 2: Continue” button.

Note: In this lab the 3rd party MDM agent is already downloaded, so DO NOT click the download link.

Go to the iPad home screen by right-clicking on the iPad, hold down the click key and move the mouse towards your left to swipe the screen; this takes you to the third page on the iPad. Click to launch the MobileIron agent.

Note: If the third page has no MobileIron, right-click once to go back to the iPad home screen and right-click again to launch search. Enter MobileIron as the search string to find and launch it.

If you get the “Application Reset” pop-up, click OK to continue.

Step 4 Enter the following values and accept ALL certificates when prompted. If asked about a certificate, click Accept: this is the certificate from the MobileIron server to be installed on the iPad, and it is later used to push the MDM profile and certificates from the MobileIron server.

a. Click Accept Certificate

Attribute   Value
User Name   employee1
Server      mobileiron.demo.local
Password    ISEisC00L


b. The iPad will be prompted that its configuration will be updated; click “OK” to continue.

c. MobileIron will now push the MDM profile to the iPad. Before it can push the profile, the iPad needs a certificate from the MobileIron server, so the MobileIron server first configures the iPad to initiate a SCEP request for that certificate. Click “Install” to download the profile on the iPad.

d. The iPad will warn that the profile is unverified (since it is signed by the MobileIron server, whose certificate chain has not been installed on iOS). Click “Install Now”.

e. The iPad will warn that the MobileIron server is installing a certificate named “PortalCA”, which is not a publicly trusted certificate. Click “Install Now”.

Once the profile and certificates are downloaded to the iPad, click “Done”.


Notes: After clicking “Done”, STOP and wait for the iPad to prompt for “App Installation”. If the iPad does not prompt for “App Installation”, please check with the lab administrator. This is to test the non-compliant state of the iPad.

The iPad is now registered with the MobileIron MDM server but is missing the corporate application, and therefore is NOT compliant with ISE as per the configured policies.

Step 5 As part of the corporate compliance policies, the device needs to have the corporate applications. In this lab, the MDM server will push the Calculator for iPad Free application onto the iPad.

Notes: At this time, click Cancel for “Calculator for iPad Free”.

Step 6 As part of the corporate compliance policies, the device needs to have the corporate applications. In this lab, the MDM server will push the Quick Graph: Your Scientific Graphing Calculator application onto the iPad.

Notes: At this time, click Install for Quick Graph: Your Scientific Graphing Calculator.

Enter Password = ISEisC00L when prompted.

Please allow time for the app installation to complete.

Step 7 Click Safari to open the browser and access “www-int.demo.local”, then click the Continue button so ISE can send a CoA-Reauth.

Once ISE sends a successful CoA, it refreshes the iPad browser, prompting the user to access the original URL.


Step 8 Type the original URL in the address bar: “www-int.demo.local”. The iPad is non-compliant with the corporate policies, as it is missing the Calculator for iPad Free application, so ISE redirects the user to the MDM non-compliance page.

The explanation and recommendation text might differ from the screenshot, depending on the MobileIron VSP server version.

Step 9 Go to the iPad home screen by right-clicking on the iPad, hold down the click key and move the mouse towards your left to swipe the screen; this takes you to a new page on the iPad. Click the MobileIron agent to launch the application.

Note: If the page has no MobileIron, right-click once to go back to the iPad home screen and right-click again to launch search. Enter MobileIron as the search string to find and launch it.

Step 10 Re-Enroll with the MDM

a. Click Settings > Check for Updates, then Re-Enroll Device.

b. The iPad will now go through the MDM re-enrollment process; the user is prompted to install the profile so the iPad can initiate a SCEP request to the MobileIron server to get the certificates. Click Install.

c. Click “Install Now” to accept the warnings.


d. Click Install to install the MDM profile on the iPad so the MobileIron MDM server can manage the device.

e. Once the profile is installed, click Done.

f. This time, wait until prompted to install the “Calculator for iPad Free” app. Please click Install.

g. The iPad will request the App Store password for the [email protected] account; please enter “ISEisC00L”.

h. Please wait for the Calculator for iPad Free app installation to complete.

i. Once the Calculator for iPad Free application installation is complete, click Safari to open the browser and access “www-int.demo.local”, then click the Continue button so ISE can send a CoA-Reauth.


j. Once ISE sends a successful CoA, it refreshes the iPad browser, prompting the user to access the original URL.

Step 11 Using the Admin PC, go to the MobileIron server and click “USERS & DEVICES”.

Step 12 Click the user “employee1”.

Step 13 In the right section of the screen, “Device Details”, click the small arrow before “Apps” to expand it. Make sure all the apps are in compliance and NOT in RED.


Notes: After clicking “Apps”, STOP if any of the apps is reported in RED. This means that the MobileIron MDM server has NOT received updates from the MobileIron agent. To send another update from the MobileIron agent to the MobileIron server, go to the iPad home screen by right-clicking on the iPad, hold down the click key and move the mouse towards your left to swipe the screen; this takes you to a new page on the iPad. Click the MobileIron agent app to launch it.

Click Settings, then Force Device Check-in

Click Check-in

Please note that this might need to be done multiple times, depending on whether the update from the MobileIron agent reaches the MobileIron server. Repeat from Step 10 to make sure the apps are in compliance.

Step 14 Once the MobileIron server shows employee1 as compliant, click Safari to open the browser and access “www-int.demo.local”, then click the Continue button so ISE can send a CoA-Reauth.

Once ISE sends a successful CoA, it refreshes the iPad browser, prompting the user to access the original URL.

Please type the original URL in the address bar: “www-int.demo.local”

employee1 will now have access to the corporate resources.


Step 15 Look at the live logs on the ISE admin web console to verify that the correct authorization profiles were applied. Initially, the device is authorized with MDM_Quarantine. The MDM registration process then takes place: the user is first asked to register and then to comply with the corporate compliance policies, each stage ending in a CoA and another authentication, until the WLC_FullAccess profile is applied.

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 8: Test and Verify the Corporate Wipe function on My Devices Portal

Exercise Description This exercise will show you the device self-management features of Cisco ISE. You will simulate losing your iPad and performing a Corporate Wipe action on the device. Corporate Wipe removes all the corporate data; in this case the Quick Graph: Your Scientific Graphing Calculator & Calculator for iPad Free applications were pushed as corporate applications earlier, so they will be removed. Cisco ISE uses the MDM server’s API to request the wipe, and RADIUS CoA towards the network to enforce the resulting restriction on the user self-provisioned device.

Exercise Objective In this exercise, your goal is to complete the following tasks:

Review the MDM_Quarantine policy that was created earlier

From the My Devices Portal, initiate the Corporate Wipe action on the device to observe the Change of Authorization (CoA) occur and restrict access from the device

Step 1 Refer to Appendix A for the sample WLC configuration. Log in to the WLC web interface https://wlc.demo.local as admin / ISEisC00L to review the WLAN (menu WLANs) and ACLs (menu SECURITY; side menu Access Control List > Access Control List) used in this exercise.

a. WLAN: n-p##-TS-WPA2e

b. ACLs: PERMIT-ALL-TRAFFIC and MDM_Quarantine_ACL

Note: The “##” in n-p##-TS-WPA2e is to be replaced with the assigned pod number; e.g. n-p22-TS-WPA2e for POD 22

Step 2 Review the authorization profile MDM_Quarantine under Policy > Policy Elements > Results > Authorization > Authorization Profiles.

Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=mdm
cisco-av-pair = url-redirect-acl=MDM_Quarantine_ACL
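The redirect ACL named in the second av-pair decides what a quarantined device can still reach. To check that without clicking through the WLC, the following added Python script (not part of the lab guide, and not Cisco code) parses the `config acl rule` lines of MDM_Quarantine_ACL copied from Appendix A and evaluates sample client flows against them. The client address 10.1.10.50 and the flows are constructed. The modelled AireOS behaviour is an assumption stated in the code: a rule created with `config acl rule add` starts as deny with any direction, any protocol, any address and ports 0-65535; rules are checked in index order, the first match wins, and no match means deny.

```python
"""Evaluate a WLC redirect ACL against sample client flows.

Added example, not part of the lab guide. The ACL lines are copied from
MDM_Quarantine_ACL in Appendix A (lines that only restate the default
0-65535 port range, and the empty rule 65, are left out); the client
address and the flows are constructed. Assumed AireOS semantics: a rule
created with "config acl rule add" starts as deny / any direction / any
protocol / any address / ports 0-65535, rules are checked in index order,
the first match wins and no match means deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WLC_ACL_CONFIG = """\
config acl rule add MDM_Quarantine_ACL 1
config acl rule destination address MDM_Quarantine_ACL 1 10.1.100.10 255.255.255.255
config acl rule destination port range MDM_Quarantine_ACL 1 53 53
config acl rule source port range MDM_Quarantine_ACL 1 0 65535
config acl rule direction MDM_Quarantine_ACL 1 in
config acl rule protocol MDM_Quarantine_ACL 1 17
config acl rule action MDM_Quarantine_ACL 1 permit
config acl rule add MDM_Quarantine_ACL 2
config acl rule destination address MDM_Quarantine_ACL 2 10.1.100.21 255.255.255.255
config acl rule direction MDM_Quarantine_ACL 2 in
config acl rule action MDM_Quarantine_ACL 2 permit
config acl rule add MDM_Quarantine_ACL 3
config acl rule destination address MDM_Quarantine_ACL 3 10.1.100.15 255.255.255.255
config acl rule direction MDM_Quarantine_ACL 3 in
config acl rule action MDM_Quarantine_ACL 3 permit
config acl rule add MDM_Quarantine_ACL 4
config acl rule direction MDM_Quarantine_ACL 4 in
config acl rule protocol MDM_Quarantine_ACL 4 1
config acl rule action MDM_Quarantine_ACL 4 permit
config acl rule add MDM_Quarantine_ACL 5
config acl rule destination address MDM_Quarantine_ACL 5 10.0.0.0 255.0.0.0
config acl rule direction MDM_Quarantine_ACL 5 in
config acl rule add MDM_Quarantine_ACL 6
config acl rule action MDM_Quarantine_ACL 6 permit
"""

ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Rule:
    index: int
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    srcport: tuple = (0, 65535)
    dstport: tuple = (0, 65535)
    direction: str = "any"          # "in" = from the wireless client, "out" = towards it
    protocol: Optional[int] = None  # IP protocol number (6 TCP, 17 UDP, 1 ICMP); None = any
    action: str = "deny"            # assumed default until "config acl rule action ... permit"


@dataclass
class Flow:
    direction: str
    protocol: int
    src_ip: str
    dst_ip: str
    sport: int
    dport: int


def parse_wlc_acls(text: str) -> dict:
    """Parse 'config acl rule ...' lines into {acl_name: [Rule, ...]} ordered by index."""
    acls: dict = {}
    for line in text.splitlines():
        p = line.split()
        if p[:3] != ["config", "acl", "rule"]:
            continue
        kind = p[3]
        if kind == "add":
            acls.setdefault(p[4], {})[int(p[5])] = Rule(int(p[5]))
            continue
        if kind in ("source", "destination"):
            if p[4] == "address":   # ... address NAME IDX IP MASK
                name, idx = p[5], int(p[6])
                value = ipaddress.IPv4Network(f"{p[7]}/{p[8]}", strict=False)
            else:                   # ... port range NAME IDX LO HI
                name, idx = p[6], int(p[7])
                value = (int(p[8]), int(p[9]))
            attr = ("src" if kind == "source" else "dst") + ("" if p[4] == "address" else "port")
        else:                       # direction | protocol | action NAME IDX VALUE
            name, idx, attr = p[4], int(p[5]), kind
            value = int(p[6]) if kind == "protocol" else p[6]
        rule = acls.setdefault(name, {}).setdefault(idx, Rule(idx))
        setattr(rule, attr, value)
    return {name: [rules[i] for i in sorted(rules)] for name, rules in acls.items()}


def matches(rule: Rule, f: Flow) -> bool:
    return (rule.direction in ("any", f.direction)
            and rule.protocol in (None, f.protocol)
            and ipaddress.IPv4Address(f.src_ip) in rule.src
            and ipaddress.IPv4Address(f.dst_ip) in rule.dst
            and rule.srcport[0] <= f.sport <= rule.srcport[1]
            and rule.dstport[0] <= f.dport <= rule.dstport[1])


def evaluate_flow(rules: list, f: Flow) -> tuple:
    """Return (action, rule index) of the first matching rule; no match is an implicit deny."""
    for rule in rules:
        if matches(rule, f):
            return rule.action, rule.index
    return "deny", None


if __name__ == "__main__":
    rules = parse_wlc_acls(WLC_ACL_CONFIG)["MDM_Quarantine_ACL"]
    client = "10.1.10.50"  # constructed client address on the access VLAN
    samples = {
        "DNS to 10.1.100.10":           Flow("in", 17, client, "10.1.100.10", 50000, 53),
        "HTTPS to ISE 10.1.100.21":     Flow("in", 6, client, "10.1.100.21", 50001, 8443),
        "HTTPS to MDM 10.1.100.15":     Flow("in", 6, client, "10.1.100.15", 50002, 443),
        "ping to gateway 10.1.10.1":    Flow("in", 1, client, "10.1.10.1", 0, 0),
        "HTTP to internal 10.1.10.20":  Flow("in", 6, client, "10.1.10.20", 50003, 80),
        "HTTPS to Internet host":       Flow("in", 6, client, "93.184.216.34", 50004, 443),
    }
    for label, flow in samples.items():
        print(f"{label:30} -> {evaluate_flow(rules, flow)}")
```

The evaluation shows the quarantine boundary: DNS to 10.1.100.10, anything to ISE (10.1.100.21) and to the MDM server (10.1.100.15), and ICMP are permitted; everything else destined to 10.0.0.0/8 hits rule 5 and is denied, while traffic leaving the 10/8 space falls through to rule 6 and is permitted. On the WLC, the permit entries of a url-redirect-acl are the traffic that bypasses redirection, and denied HTTP traffic is redirected to the url-redirect target, which is why reloading www-int.demo.local in Step 4 below lands on the enrollment page.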

Step 3 Perform Corporate Wipe

a. From the iPad VNC session, verify iPad Wi-Fi is ON and connected to n-p##-TS-WPA2e.

b. Go to My Devices Portal and click Corporate Wipe for the iPad. The Quick Graph: Your Scientific Graphing Calculator and Calculator for iPad Free applications will now be removed from the iPad and the device will be blocked from accessing the corporate network. Note the icon change under the State.


Note: Due to a possible race condition (CSCui00582), ISE does not send a CoA to the controller after initiating the Corporate Wipe. Initiate a CoA from the ISE Live Sessions log, or toggle Wi-Fi on the iPad, to see the change in the authorization policy rule.

Step 4 From the VNC session to the iPad, switch to the mobile Safari app. Reload the page www-int.demo.local and the user will see the message: You must enroll your device …

Step 5 Under Operations > Authentications, review the Live Logs. They will show that a Dynamic Authorization is triggered after the device is Corporate-Wiped, and then a reauthorization that matches the device to the MDM_Quarantine profile.

Step 6 Clean up the iPad and turn off wireless to get ready for the next exercise

a. Close all browser tabs.

b. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.

c. Remove the two profiles installed by the ISE BYOD services on the iPad under Settings > General > Profiles.

d. Go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.

End of Exercise: You have successfully completed this exercise. Proceed to next section.


Optional Exercise A: Configure ISE for Wired MAB-to-PEAP Onboarding

Exercise Description This exercise showcases the flexibility of Cisco ISE, where an employee may provision a personal PC onto a wired network.

Exercise Objective In this exercise, your goal is to configure ISE for wired MAB-to-PEAP BYOD, which includes the completion of the following tasks in ISE:

Modify the MAB Authentication Policy to allow fail-open on user-not-found

Modify the Authorization Policy to allow CWA. Then, grant full access to the users authenticated using MSCHAPv2 and on registered devices.

Add a Client Provisioning Policy to provision the native supplicant for Windows PC

Step 1 Access the ISE web administration interface at https://ise-1.demo.local using the credentials admin / ISEisC00L

Step 2 Update Guest_Portal_Sequence

a. Go to Administration > Identity Management > Identity Source Sequences

b. Edit Guest_Portal_Sequence to use demoAD in its Authentication Search list.

c. Hit Save and continue

Step 3 Under Policy > Policy Elements > Results > Authentication > Allowed Protocols, add a new allowed protocols list named HostLookup_only. Enable only Process Host Lookup and disable all other protocols. Click Submit to save.


Step 4 Modify the Authentication Policy under Policy > Authentication as shown below (the MAB rule is the one that changes; the changes are listed after the table).

Status | Name | Condition | Protocols | Identity Source | Options (if auth failed / if user not found / if process failed)
| MAB | IF Wired_MAB OR Wireless_MAB | allow protocols HostLookup_only | and use Internal Endpoints | Reject / Continue / Drop
| Dot1X | IF Wired_802.1X OR Wireless_802.1X | allow protocols PEAP_o_TLS | and use DOT1X_Sequence | Reject / Reject / Drop
| Default Rule (if no match) | | allow protocols Default Network Access | and use DenyAccess | Reject / Reject / Drop

For the Authentication Policy rule MAB:

i. Change allowed protocols to HostLookup_only, created in Step 3

ii. Expand the Identity Source selection Internal Endpoints and modify its fail-open option to Continue if user not found.

iii. Save changes

Step 5 Create Authorization Profile Wired_CWA

Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create an Authorization Profile as below:

Attribute | Value
Name | Wired_CWA
Description | Redirect all traffic to WebAuth except ISE
Access Type | ACCESS_ACCEPT
Common Tasks | Web Redirection (CWA, DRW, MDM, NSP, CPP): drop-down menu Centralized Web Auth; ACL: ISE-URL-REDIRECT; Redirect (drop-down): Default
Attributes Details | Access Type = ACCESS_ACCEPT
| cisco-av-pair = url-redirect-acl=ISE-URL-REDIRECT
| cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

Click Submit to save.

Step 6 Create Authorization Profile Wired_FullAccess

Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create an Authorization Profile as below:

Attribute | Value
Name | Wired_FullAccess
Description | Allow All Traffic
Access Type | ACCESS_ACCEPT
Common Tasks | DACL Name: PERMIT_ALL_TRAFFIC
Attributes Details | Access Type = ACCESS_ACCEPT
| DACL = PERMIT_ALL_TRAFFIC


Click Submit to save.

Step 7 Modify the Authorization Policy under Policy > Authorization: insert two new rules after Reg with ISE not MDM, shown below as Wired Registered MSCHAPv2 and Wired MAB, and save the changes.

Status | Rule Name | Identity Groups | Other Conditions | Permissions
| Reg with ISE not MDM | RegisteredDevices | … | MDM_Quarantine
| Wired Registered MSCHAPv2 | RegisteredDevices | Wired_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2 | Wired_FullAccess
| Wired MAB | Any | Wired_MAB | Wired_CWA
| Default (if no matches) | | | DenyAccess
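The authentication table of Step 4 and the authorization table of Step 7 only work together because the MAB rule fails open: an unknown MAC has to reach authorization to be given Wired_CWA. The following added Python model (not part of the lab guide, and not ISE code) walks wired sessions through both tables as first-match rule lists so that effect can be seen end to end. The MAC address, the endpoint store and the RegisteredDevices group are constructed; the rule "Reg with ISE not MDM" is left out because its condition is elided in the table above.

```python
"""Walk wired sessions through the authentication policy of Step 4 and the
authorization policy of Step 7 of Optional Exercise A.

Added example, not from the lab guide or from ISE. Both tables are modelled
as first-match rule lists; the MAC address, the endpoint store and the
RegisteredDevices group are constructed. The rule "Reg with ISE not MDM" is
omitted because its condition is elided in the guide's table.
"""
from dataclasses import dataclass


@dataclass
class Session:
    access: str                   # "wired" or "wireless"
    method: str                   # "MAB" or "802.1X"
    mac: str
    eap: str = ""                 # EAP method of an 802.1X session, e.g. "EAP-MSCHAPv2"
    credentials_ok: bool = True   # outcome of the PEAP inner authentication (constructed)


def authenticate(s: Session, endpoints: set, mab_user_not_found: str) -> str:
    """Authentication policy (Step 4). Returns 'Continue' when authorization may run."""
    if s.method == "MAB":                      # rule MAB: Wired_MAB OR Wireless_MAB,
        if s.mac in endpoints:                 # HostLookup_only against Internal Endpoints
            return "Continue"
        return mab_user_not_found              # "Reject" (default) or "Continue" (Step 4 ii)
    if s.method == "802.1X":                   # rule Dot1X: PEAP_o_TLS, DOT1X_Sequence
        return "Continue" if s.credentials_ok else "Reject"
    return "Reject"                            # default rule: DenyAccess


def authorize(s: Session, registered: set) -> str:
    """Authorization policy (Step 7), first match wins."""
    if (s.mac in registered and s.access == "wired" and s.method == "802.1X"
            and s.eap == "EAP-MSCHAPv2"):
        return "Wired_FullAccess"              # rule Wired Registered MSCHAPv2
    if s.access == "wired" and s.method == "MAB":
        return "Wired_CWA"                     # rule Wired MAB
    return "DenyAccess"                        # default (if no matches)


def evaluate_session(s: Session, endpoints: set, registered: set,
                     mab_user_not_found: str = "Continue") -> str:
    """What the ISE live log would show for the session: a profile name or Access-Reject."""
    if authenticate(s, endpoints, mab_user_not_found) != "Continue":
        return "Access-Reject"
    return authorize(s, registered)


def onboarding_walkthrough(mac: str) -> list:
    """The MAB-to-PEAP sequence of Optional Exercise B for a PC that ISE has never seen."""
    endpoints, registered = set(), set()
    results = []
    # Before Step 4 ii (user not found -> Reject): the unknown MAC never reaches the CWA portal
    results.append(evaluate_session(Session("wired", "MAB", mac), endpoints, registered, "Reject"))
    # With fail-open: the unknown MAC is given Wired_CWA and is redirected to the guest portal
    results.append(evaluate_session(Session("wired", "MAB", mac), endpoints, registered))
    # The user clicks Register in the self-provisioning portal: the MAC joins RegisteredDevices
    endpoints.add(mac)
    registered.add(mac)
    # The provisioned native supplicant reconnects with PEAP (EAP-MSCHAPv2)
    results.append(evaluate_session(Session("wired", "802.1X", mac, "EAP-MSCHAPv2"),
                                    endpoints, registered))
    return results


if __name__ == "__main__":
    pc_mac = "00:50:56:aa:bb:cc"  # constructed MAC of the w7pc-guest
    for label, result in zip(("MAB, user-not-found=Reject", "MAB, user-not-found=Continue",
                              "PEAP-MSCHAPv2 after registration"), onboarding_walkthrough(pc_mac)):
        print(f"{label:34} -> {result}")
```

Two consequences of the tables fall out of the model: a PC that connects with PEAP before it has been registered matches neither wired rule and ends at DenyAccess, and a PEAP session whose inner credentials fail is rejected in the authentication policy and never reaches authorization at all.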

Step 8 Configure the Client Provisioning Policy.

Note: The resources for the client provisioning can be created either under Policy > Policy Elements > Results > Client Provisioning, or in-line while adding a client-provisioning rule without leaving the policy page. The latter is described here, but it has a known issue that the admin user needs to re-select the resources after creating them this way.

a. Go to Policy > Client Provisioning Policy and add a rule for Windows PC.

Status | Rule Name | Identity Groups | Operating Systems | Other Conditions | Results
| Apple iOS | Any | Mac iOS All | - | iOS_WPA2_TLS
| Windows PEAP | Any | Windows All | - | Config Wizard: WinSPWizard 1.0.0.34; Wizard Profile: Windows_Wired_PEAP

b. Under Native Supplicant Configuration, expand the cell results to create the following two resources inline

I. Config Wizard

a) Download the wizard bundle from the following location on the admin PC: http://tools.demo.local/cp/win_spw-1.0.0.34-isebundle.zip

Note: To create the Config Wizard and Wizard Profile in-line, click on the gear icon.

Note: Select the option Upload Resource for Config Wizard.


b) Upload the download from (a) to ISE. The upload is saved as WinSPWizard 1.0.0.n.

Note: This employs the offline-upload method for a wizard resource, such as win_spw-n.n.n.n-isebundle.zip. Such offline bundle files are available in the CCO download location for ISE. Alternatively, the resources can be fetched online from the Client Provisioning update feed if ISE has access to the feed URL.

II. Wizard Profile

Create it as shown:

Attribute | Value
Name | Windows_Wired_PEAP
Description | -
Operating System | Windows All
Connection Type | Wired
Allowed Protocol | PEAP
Optional Settings > Windows Settings | (Keep defaults)

c. After both the Profile and the Config Wizard are created, reselect them as the results and Save the changes.

Note: The inline creation and Save only saves the newly created Wizard Profile or Config Wizard, not the new policy. Hence, first Save changes for the new Wizard Profile or Config Wizard, and then Save changes again for the new Client Provisioning Policy.

End of Exercise: You have successfully completed this exercise.


Optional Exercise B: Test and Verify for Wired MAB-to-PEAP Onboarding

Exercise Description This exercise demonstrates how a wired PC is on-boarded from MAB/CWA to PEAP.

Step 1 From the Admin PC, using PuTTY, connect to the 3k-access switch using the credentials admin / ISEisC00L. Issue the following CLI commands to bring up interface g0/1:

3k-access#terminal monitor
3k-access#conf t
3k-access(config)#interface GigabitEthernet 0/1
3k-access(config-if)#no shutdown

Step 2 Next, connect to the w7pc-guest

a. In the vSphere Client, power on p##-w7pc-guest

b. Connect to its console

c. Log in with the credentials admin / ISEisC00L

Step 3 Enable the Wired LAN connection

In the w7pc-guest console, double-click the desktop shortcut w7pc-guest Network Connections. Then, enable the w7pc-guest-wired connection by double-clicking on its icon.

Step 4 The PuTTY session to the 3k-access switch should now indicate that interface g0/1 has MAB-authenticated with a CWA redirect and that the w7pc-guest has an IP address; verify with the CLI command “show auth sessions int g0/1”.

Step 5 In the w7pc-guest console, open Firefox and type in a website (e.g. www.google.com) to access. If you receive a security warning, accept it.

Note: If at first you are not redirected, wait for a couple of minutes and try another site.

Step 6 Log in to the guest portal as employee1 / ISEisC00L

Step 7 Once presented with the Self-Provisioning Portal, click Register.

Step 8 Click Continue at the Security Warning dialog box. Click Run when asked “Do you want to run this application? Name: CiscoSPWDownloadFacilitator”.

Step 9 Once the NSP window kicks in, click Start. Then, click Yes for the security warning on installing the root-CA certificate and for the UAC prompts.

Step 10 The Windows native supplicant prompts the user to enter the credentials (employee1 / ISEisC00L) to connect.

Note 1: The bubble pops up close to the Windows task bar, so it could be hidden from view.

Note 2: You might need to enter the credentials more than once.

Step 11 The user now has Full Access. Check the Live logs (under Operations > Authentications) on ISE to confirm this assignment.


End of Exercise: You have successfully completed this exercise.

End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.


Appendix A: WLC Configuration

config location expiry tags 5

config interface address management 10.1.100.61 255.255.255.0 10.1.100.1

config interface dhcp management primary 10.1.100.10

config interface port management 1

config interface vlan management 100

config interface address virtual 1.1.1.1

config interface address dynamic-interface access 10.1.10.2 255.255.255.0 10.1.10.1

config interface create access 10

config interface port access 1

config interface vlan access 10

config interface address dynamic-interface guest 10.1.50.2 255.255.255.0 10.1.50.1

config interface create guest 50

config interface port guest 1

config interface vlan guest 50

config 802.11b 11gsupport enable

config 802.11b cac voice sip bandwidth 64 sample-interval 20

config 802.11b cac voice sip codec g711 sample-interval 20

config 802.11b channel global off

config 802.11b txpower global 1

config 802.11b cleanair alarm device enable 802.11-nonstd

config 802.11b cleanair alarm device enable jammer

config 802.11b cleanair alarm device enable 802.11-inv

config 802.11b cleanair enable

config 802.11b disable network

config sysname wlc

config database size 2048

config country US

config snmp community delete public

config snmp community delete private

config snmp community mode enable ISEisC00L

config snmp community ipaddr 10.1.100.0 255.255.255.0 ISEisC00L

config snmp community create ISEisC00L

config advanced probe limit 2 500

config advanced probe-limit 2 500

config advanced 802.11a channel add 36

config advanced 802.11a channel add 40

config advanced 802.11a channel add 44

config advanced 802.11a channel add 48

config advanced 802.11a channel add 52

config advanced 802.11a channel add 56

config advanced 802.11a channel add 60

config advanced 802.11a channel add 64

config advanced 802.11a channel add 149

config advanced 802.11a channel add 153

config advanced 802.11a channel add 157

config advanced 802.11a channel add 161

config advanced 802.11a channel noise enable

config advanced 802.11a channel device disable

config advanced 802.11a channel load disable

config advanced 802.11a channel foreign enable

config advanced 802.11b channel add 1

config advanced 802.11b channel add 6

config advanced 802.11b channel add 11

config advanced 802.11b channel noise enable

config advanced 802.11b channel device disable

config advanced 802.11b channel load disable

config advanced 802.11b channel foreign enable

config mdns service query enable AirPrint

config mdns service create AirPrint _ipp._tcp.local. query enable

config mdns service query enable AppleTV

config mdns service create AppleTV _airplay._tcp.local. query enable

config mdns service query enable HP_Photosmart_Printer_1

config mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. query enable

config mdns service query enable HP_Photosmart_Printer_2

config mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. query enable

config mdns service query enable Printer

config mdns service create Printer _printer._tcp.local. query enable

config mdns profile service add default-mdns-profile AirPrint

config mdns profile service add default-mdns-profile AppleTV

config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1

config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2

config mdns profile service add default-mdns-profile Printer


config mdns profile create default-mdns-profile

config acl rule add PERMIT-ALL-TRAFFIC 1

config acl rule destination port range PERMIT-ALL-TRAFFIC 1 0 65535

config acl rule source port range PERMIT-ALL-TRAFFIC 1 0 65535

config acl rule action PERMIT-ALL-TRAFFIC 1 permit

config acl rule add PERMIT-ALL-TRAFFIC 65

config acl rule destination port range PERMIT-ALL-TRAFFIC 65 0 65535

config acl rule source port range PERMIT-ALL-TRAFFIC 65 0 65535

config acl rule add PERMIT-2-ISE-a-DNS 1

config acl rule destination address PERMIT-2-ISE-a-DNS 1 10.1.100.21 255.255.255.255

config acl rule destination port range PERMIT-2-ISE-a-DNS 1 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS 1 0 65535

config acl rule direction PERMIT-2-ISE-a-DNS 1 in

config acl rule action PERMIT-2-ISE-a-DNS 1 permit

config acl rule add PERMIT-2-ISE-a-DNS 2

config acl rule destination port range PERMIT-2-ISE-a-DNS 2 0 65535

config acl rule source address PERMIT-2-ISE-a-DNS 2 10.1.100.21 255.255.255.255

config acl rule source port range PERMIT-2-ISE-a-DNS 2 0 65535

config acl rule direction PERMIT-2-ISE-a-DNS 2 out

config acl rule action PERMIT-2-ISE-a-DNS 2 permit

config acl rule add PERMIT-2-ISE-a-DNS 3

config acl rule destination address PERMIT-2-ISE-a-DNS 3 10.1.100.10 255.255.255.255

config acl rule destination port range PERMIT-2-ISE-a-DNS 3 53 53

config acl rule source port range PERMIT-2-ISE-a-DNS 3 0 65535

config acl rule direction PERMIT-2-ISE-a-DNS 3 in

config acl rule protocol PERMIT-2-ISE-a-DNS 3 17

config acl rule action PERMIT-2-ISE-a-DNS 3 permit

config acl rule add PERMIT-2-ISE-a-DNS 4

config acl rule destination port range PERMIT-2-ISE-a-DNS 4 0 65535

config acl rule source address PERMIT-2-ISE-a-DNS 4 10.1.100.10 255.255.255.255

config acl rule source port range PERMIT-2-ISE-a-DNS 4 53 53

config acl rule direction PERMIT-2-ISE-a-DNS 4 out

config acl rule protocol PERMIT-2-ISE-a-DNS 4 17

config acl rule action PERMIT-2-ISE-a-DNS 4 permit

config acl rule add PERMIT-2-ISE-a-DNS 5

config acl rule destination port range PERMIT-2-ISE-a-DNS 5 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS 5 0 65535

config acl rule protocol PERMIT-2-ISE-a-DNS 5 1

config acl rule action PERMIT-2-ISE-a-DNS 5 permit

config acl rule add PERMIT-2-ISE-a-DNS 6

config acl rule destination port range PERMIT-2-ISE-a-DNS 6 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS 6 0 65535

config acl rule add PERMIT-2-ISE-a-DNS 65

config acl rule destination port range PERMIT-2-ISE-a-DNS 65 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS 65 0 65535

config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 1

config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 1 10.1.100.10 255.255.255.255

config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 1 53 53

config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 1 0 65535

config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 1 in

config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 1 17

config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 1 permit

config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 2

config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 2 10.1.100.21 255.255.255.255

config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 2 8443 8443

config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 2 0 65535

config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 2 in

config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 2 6

config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 2 permit

config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 3

config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 3 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 3 0 65535

config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 3 1

config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 3 permit

config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 4

config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 4 10.1.0.0 255.255.0.0

config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 4 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 4 0 65535

config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 4 in

config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 5

config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 5 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 5 0 65535

config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 5 permit

config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 65


config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 65 0 65535

config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 65 0 65535

config acl rule add BLACKHOLE 1

config acl rule destination address BLACKHOLE 1 10.1.100.21 255.255.255.255

config acl rule destination port range BLACKHOLE 1 8444 8444

config acl rule source port range BLACKHOLE 1 0 65535

config acl rule direction BLACKHOLE 1 in

config acl rule protocol BLACKHOLE 1 6

config acl rule action BLACKHOLE 1 permit

config acl rule add BLACKHOLE 2

config acl rule destination port range BLACKHOLE 2 0 65535

config acl rule source address BLACKHOLE 2 10.1.100.21 255.255.255.255

config acl rule source port range BLACKHOLE 2 8444 8444

config acl rule direction BLACKHOLE 2 out

config acl rule protocol BLACKHOLE 2 6

config acl rule action BLACKHOLE 2 permit

config acl rule add BLACKHOLE 3

config acl rule destination address BLACKHOLE 3 10.1.100.10 255.255.255.255

config acl rule destination port range BLACKHOLE 3 53 53

config acl rule source port range BLACKHOLE 3 0 65535

config acl rule direction BLACKHOLE 3 in

config acl rule protocol BLACKHOLE 3 17

config acl rule action BLACKHOLE 3 permit

config acl rule add BLACKHOLE 4

config acl rule destination port range BLACKHOLE 4 0 65535

config acl rule source address BLACKHOLE 4 10.1.100.10 255.255.255.255

config acl rule source port range BLACKHOLE 4 53 53

config acl rule direction BLACKHOLE 4 out

config acl rule protocol BLACKHOLE 4 17

config acl rule action BLACKHOLE 4 permit

config acl rule add BLACKHOLE 5

config acl rule destination port range BLACKHOLE 5 0 65535

config acl rule source port range BLACKHOLE 5 0 65535

config acl rule add BLACKHOLE 65

config acl rule destination port range BLACKHOLE 65 0 65535

config acl rule source port range BLACKHOLE 65 0 65535

config acl rule add MDM_Quarantine_ACL 1

config acl rule destination address MDM_Quarantine_ACL 1 10.1.100.10 255.255.255.255

config acl rule destination port range MDM_Quarantine_ACL 1 53 53

config acl rule source port range MDM_Quarantine_ACL 1 0 65535

config acl rule direction MDM_Quarantine_ACL 1 in

config acl rule protocol MDM_Quarantine_ACL 1 17

config acl rule action MDM_Quarantine_ACL 1 permit

config acl rule add MDM_Quarantine_ACL 2

config acl rule destination address MDM_Quarantine_ACL 2 10.1.100.21 255.255.255.255

config acl rule destination port range MDM_Quarantine_ACL 2 0 65535

config acl rule source port range MDM_Quarantine_ACL 2 0 65535

config acl rule direction MDM_Quarantine_ACL 2 in

config acl rule action MDM_Quarantine_ACL 2 permit

config acl rule add MDM_Quarantine_ACL 3

config acl rule destination address MDM_Quarantine_ACL 3 10.1.100.15 255.255.255.255

config acl rule destination port range MDM_Quarantine_ACL 3 0 65535

config acl rule source port range MDM_Quarantine_ACL 3 0 65535

config acl rule direction MDM_Quarantine_ACL 3 in

config acl rule action MDM_Quarantine_ACL 3 permit

config acl rule add MDM_Quarantine_ACL 4

config acl rule destination port range MDM_Quarantine_ACL 4 0 65535

config acl rule source port range MDM_Quarantine_ACL 4 0 65535

config acl rule direction MDM_Quarantine_ACL 4 in

config acl rule protocol MDM_Quarantine_ACL 4 1

config acl rule action MDM_Quarantine_ACL 4 permit

config acl rule add MDM_Quarantine_ACL 5

config acl rule destination address MDM_Quarantine_ACL 5 10.0.0.0 255.0.0.0

config acl rule destination port range MDM_Quarantine_ACL 5 0 65535

config acl rule source port range MDM_Quarantine_ACL 5 0 65535

config acl rule direction MDM_Quarantine_ACL 5 in

config acl rule add MDM_Quarantine_ACL 6

config acl rule destination port range MDM_Quarantine_ACL 6 0 65535

config acl rule source port range MDM_Quarantine_ACL 6 0 65535

config acl rule action MDM_Quarantine_ACL 6 permit

config acl rule add MDM_Quarantine_ACL 65

config acl rule destination port range MDM_Quarantine_ACL 65 0 65535

config acl rule source port range MDM_Quarantine_ACL 65 0 65535

config acl counter start


config acl create PERMIT-ALL-TRAFFIC

config acl apply PERMIT-ALL-TRAFFIC

config acl create PERMIT-2-ISE-a-DNS

config acl apply PERMIT-2-ISE-a-DNS

config acl create PERMIT-2-ISE-a-DNS-a-INTERNET

config acl apply PERMIT-2-ISE-a-DNS-a-INTERNET

config acl create BLACKHOLE

config acl apply BLACKHOLE

config acl create MDM_Quarantine_ACL

config acl apply MDM_Quarantine_ACL

config mobility group domain n-pNN-TS

config network rf-network-name n-pNN-TS

config network usertimeout 120

config network fast-ssid-change enable

config network web-auth captive-bypass enable

config network multicast l2mcast disable service-port

config network multicast l2mcast disable virtual

config dhcp proxy disable bootp-broadcast disable

config license boot base

config license agent max-sessions 9

config 802.11a cac voice sip bandwidth 64 sample-interval 20

config 802.11a cac voice sip codec g711 sample-interval 20

config 802.11a channel global off

config 802.11a txpower global 4

config 802.11a cleanair alarm device enable 802.11-nonstd

config 802.11a cleanair alarm device enable jammer

config 802.11a cleanair alarm device enable 802.11-inv

config 802.11a cleanair enable

config radius fallback-test interval 180

config radius fallback-test mode passive

config radius acct add encrypt 11 10.1.100.21 1813 password 1 3516b7676b6e057cc60e6eab4c046415

1b48c2754113392979a8a99cb7bcb4fdcbe0fb4b 16

73599122aad031626b4beca7aac40c8f00000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000

config radius acct retransmit-timeout 11 30

config radius acct enable 11

config radius auth add encrypt 11 10.1.100.21 1812 password 1 548dafd9b3821b2c2dca6d5bc20709e5

755a8cad807da4a4f7718c0a09ad9ea41c4267dd 16

1d47e852fdaca9e6f95f734047dba5ef00000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000

config radius auth rfc3576 enable 11

config radius auth retransmit-timeout 11 30

config radius auth enable 11

config nmsp notification interval rssi rfid 2

config certificate generate webadmin

config certificate generate webauth

config wlan aaa-override enable 10

config wlan mfp client enable 10

config wlan aaa-override enable 11

config wlan mfp client enable 11

config wlan mac-filtering enable 10

config wlan security wpa wpa2 ciphers aes disable 10

config wlan security wpa wpa2 disable 10

config wlan security wpa akm 802.1x disable 10

config wlan security wpa disable 10

config wlan security web-auth server-precedence 10 radius

config wlan security ft over-the-ds disable 11

config wlan security wpa enable 11

config wlan security web-auth server-precedence 11 radius

config wlan broadcast-ssid enable 10

config wlan nac radius enable 10

config wlan interface 10 access

config wlan broadcast-ssid enable 11

config wlan nac radius enable 11

config wlan interface 11 access

config wlan radius_server acct add 10 11

config wlan radius_server auth add 10 11

config wlan create 10 n-pNN-TS-OPEN n-pNN-TS-OPEN

config wlan session-timeout 10 1800

config wlan radius_server acct add 11 11

config wlan radius_server auth add 11 11

config wlan create 11 n-pNN-TS-WPA2e n-pNN-TS-WPA2e

config wlan session-timeout 11 1800

config wlan exclusionlist 10 60


config wlan exclusionlist 11 60

config wlan wmm allow 10

config wlan wmm allow 11

config wlan radio 10 802.11ag

config wlan radio 11 802.11ag

config wlan enable 10

config wlan enable 11

config serial timeout 3600

config time ntp server 1 128.107.212.175

config ap packet-dump truncate 0

config ap packet-dump buffer-size 2048

config ap packet-dump capture-time 10

config mgmtuser add encrypt admin 1 805504344137354e5003ad13325f9323

469e02f8c530760e8ffe4d77c6b5a0316d357540 16

b506763bef0194ab7d1586d9a6b31e1b00000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000 read-write

config cts sxp default password encrypt 1 f411b972950230dab42dae3ba063a435

72331cb4b85a5203d6b36b4057a4ded020183fe1 16

2064f49e024f7fcf1412453adc7fbcc200000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

config cts sxp connection peer 10.1.29.1

config cts sxp enable

config rfid timeout 1200

config rfid status enable

config rfid mobility pango disable

transfer upload path /incoming

transfer upload datatype config

transfer upload serverip 10.1.100.6

transfer upload filename p01-wlc-4hr.txt

transfer upload encrypt password 1 c8fba9f060227ab99126aed7ef3e0440

723aefd4e4faa8fa6bd1b73b5d566ad354773c28 48

142cad12d46f5ca14bc01d589e7775465bb4812a28860f90a4a89569a23f4c0895edeee963b4fb3f7aa270d9657bed64

transfer upload port 21

transfer upload mode ftp

transfer upload username ftp

transfer download path /

transfer download datatype config

transfer download serverip 10.1.100.6

transfer download filename pNN-wlc-4hr.txt

transfer download mode ftp

transfer download encrypt password 1 c8fba9f060227ab99126aed7ef3e0440

723aefd4e4faa8fa6bd1b73b5d566ad354773c28 48

142cad12d46f5ca14bc01d589e7775465bb4812a28860f90a4a89569a23f4c0895edeee963b4fb3f7aa270d9657bed64

transfer download port 21

transfer download username ftp

