Let's Install ISE

Captions
So hello everyone, I'm Hosuk Won. I help my customers deploy Identity Services Engine to secure their networks, and today I'm going to do something very interesting, which is installing the Identity Services Engine from scratch, meaning I'm going to install the ISE with a new ISO image onto a VM, configuring the VM to make sure that it's configured correctly, and then I'm going to configure the wireless controller and also the ISE policies, and test out the endpoints to make sure that the guest access, employee access and BYOD is working.

So let's look at how the lab is set up. So, looking from the left, we have two SSIDs that's going to be configured. One is called Open; mainly the use case for the Open SSID is for guest users. And I also have an SSID called ISE; it's going to be used for employee users and the single-SSID BYOD onboarding. On the switch I have matching VLANs for the SSIDs, so I have VLAN 30 that's for employees, VLAN 40 for the Open SSID, and I also have VLAN 80 that's going to be used for AP management. I also have VLAN 201 and 202. 201 is going to be used for the ISE itself and the AD server that's also going to be doing DNS and DHCP. I also have a VLAN 202 that's going to be the management network for the wireless controller.

So what are some of the use cases that we're testing today? So the main one is going to be around the admin users: if you're a member of a domain admin group, it's going to let these in without any restrictions. If it's a regular employee user, we're going to make the user go through the onboarding process, and then once the device has been onboarded, you're going to give it full access. And lastly we'll have guest users, so guest users will go through the hotspot access, and once the user enters the passcode and accepts the AUP, the user will get internet-only access.

So what are the high-level configuration steps? So the first one is the baseline network setup. This part is not something I'm going to go over in detail; my lab is already set up with the routing, you know, DNS and DHCP server is already set up and the AP discovery setting is already in place using the DHCP server. We are going to validate the configuration but we are not going to set it up from scratch. And then we'll move on to the ISE setup, so this is about priming the VM for the ISE installation, and we'll make sure that the IP connectivity is there with the ISE. While the ISE is being installed, we are going to configure the wireless controller, so we're going to configure the RADIUS servers, ACLs that's going to be used for guest users and the redirect, and we also configure the two WLANs, one's Open and the secure one called ISE. By the time that you're done with the wireless controller setup the ISE should be back up, so we'll configure the best practices on it such as setting up policy sets, adding it to the AD and also some other settings related to the profiling. After that we're going to move on to the actual policy setup. We are going to be creating two policy sets, one for the Open SSID and the other one for the secure SSID. We're also going to configure the guest portals so that you can key in the passcodes that's used for the hotspot. One other thing that you need to do is make sure that the controller is in the network device list within the ISE, so we'll be doing that as well, and once that's done we're going to test the endpoints to make sure that our policy is set up correctly.

Okay so this is my lab setup. So first I'll show you what the settings are on the AD server. So the AD name is example.com and it's hosting the DHCP server and the DNS server that's needed for the ISE to function. For the DHCP I have VLAN 30 that's going to be used for employee users, and VLAN 40 that's going to be used for guest users, and I also have VLAN 80 that's going to be used for the AP discovery. So one of the settings that you need on the AP discovery VLAN is that the APs need to find where the controller is, so if you're going to go to the scope options, I have an option 43 which is set up to the IP address of the controller in there, so it's in the hexadecimal format, but this allows the AP to find where the controllers are when it's booted up and gets an IP address. The other setting that you need is the DNS, so on the example.com DNS zone I have the ISE 2.0 with the IP address already in there. I also configured the reverse lookup zone for the PTR, so that when you query the IP address you can also get the name back. So the other thing that I recommend if you're configuring the ISE is adding the hostname for the My Devices and the sponsor portal; you can point to the same IP address as the ISE itself, so I have 192.168.201.88 for sponsor, My Devices and the ISE 2.0 itself.

Okay so some of the other things that you need is the ISE ISO file. I also have the patch file that you can install after the ISO has been installed. The reason I'm using the ISO file instead of the OVA is because it's more lightweight and I want to kind of show you what other settings are needed to configure the VM correctly when you're using the ISO file. Now I'm using VMware Fusion here, but in case you're using the VMware ESXi or other flavor of the VMware server the steps are very similar to what I'm doing here. So first I'm going to create a new VM, so I'm going to select the custom virtual machine, and on the Linux you'll be selecting Linux as an option, and for the ISE 2.0 it's going to be Red Hat Enterprise Linux 6 64-bit. You're going to create a new virtual disk, and these default settings don't work for the ISE itself, so we are going to customize it to our needs. Okay so I'm going to install it on the ISE folder here and I'm going to name it ISE 2.0 install demo. Okay so let's look at some of the settings that we need, so I'm going to go to each setting to make sure that they're all set up correctly. So processors, you need at least 4 cores for the ISE to install, and for the memory RAM you need 4 gigabytes at minimum, so for a proof of concept and demo this is enough. If you need to have a production environment, obviously you need to increase it depending on your needs, so if you need to have more endpoints that's connecting you may want to increase it to 16 cores and also the RAM to be much higher, such as 32 gigabytes. There's other documentation that shows how to scale the VM so I'm not going to go into detail about those. On network settings I'm going to be using the Thunderbolt Ethernet in this case because that's where the 201 subnet is, and the hard disk, I'm going to be giving it 200 gigabytes; 200 gigabytes is kind of the minimum here that you need to install the ISE. The good thing about ISE is that it supports thin provisioning, so it's not going to actually consume the 200 gigabytes on your hard drive unless it's really needed. I'm going to map this to the ISO image that I downloaded. Okay so here's the ISO file, and I'm going to remove anything that I don't need, so sound card, I know I don't need; USB I don't need either, so I'm going to remove that; printer is something I don't need. So that looks pretty good, so at this point I'm going to close this out and let's get on with the ISE install.

Okay so I'm going to select number one, which is when you're using the keyboard and monitor; in the case of VMs, if you're using console, that's the option that you want. Okay so it looks like it's moving pretty good. So the idea about this demo is to show you what the experience is like when you're installing the ISE from scratch, so I'm going to try my best not to skip, you know, any parts, but if it's going to be a part where we're just kind of waiting for the screen to refresh I may fast forward the video so that you don't have to, you know, just look at the screen refreshing. At the same time I'll try to, you know, squeeze in some other activities in between so that you're not waiting on the screen to refresh as well. So in this case I'm going to jump to the wireless controller settings and I'll show you what we need to configure on the controller, and then hopefully once we come back the ISE install will have progressed to where we can key in our inputs.

Okay so I have the screen here so we can look at it while we're configuring the controller. Okay perfect, so if you focus on the serial port here, I have a wireless controller, the Cisco Controller 2504, that's, you know, reset in terms of configuration, so I'm going to configure this controller to work with the ISE. So I'm going to terminate the auto-install, and let's name it, you will see that one, and admin name is going to be admin; give it a good password. I only have one interface so I'm not going to use LAG. My IP address is going to be 2 2016 1, netmask, okay. I actually have trunking enabled on the interface that the controller connects to the switch, so I'm going to be using tagging for the management interface, and I'm using interface one. The DHCP server is going to be the AD server, so it's going to be 72, and for the virtual gateway I'm just going to give it 1.1.1.1. I'm not really going to be using that feature, but so I'm going to give an IP address for multicast, and also going to name the mobility group name as main. And this SSID is going to be the first SSID configured, and as a default the controller is going to make it a secure SSID, so I'm going to name it ISE. Okay and this is really optional, you can do bridging or proxying, it really doesn't matter, both work with the ISE; in this case I'm just going to use the DHCP proxying feature on the controller. And the static IP address for the endpoints really doesn't matter; you're actually not going to be using static IP but I'll say yes for now. For the RADIUS server I'm just going to say no; I'm going to show you how to configure it on the GUI, so I'll just skip this and once we get access to the GUI of the controller we'll configure the RADIUS server from there. Okay, the country code is US. I'm not going to be using 11b, I'm just going to do 11a. Sure, auto RF yes. I'm not going to be using IPv6, so let's say no.

All right, so once the controller comes back online there is one command that requires it to reload again; the command is called config network web-auth captive-bypass enable. So what that setting does is it disables the mini browser pop-up on the Apple devices. The reason that we need to disable the mini browser on the Apple device is because that browser is very limited in terms of what it can do, and part of our BYOD process requires some functionality on the browser that the mini browser cannot do, so that is why we're disabling the mini browser by running the command. Okay, looks like the ISE itself is moving along pretty good in terms of the installation, and I also have the controller booting up, okay, which logs in as admin user. Okay so I'm going to run the command and reload the controller again; so as you can see it says you must reset the system for this setting to take effect, so save the configuration. So once the controller comes back online we will configure the rest of the settings such as WLANs and the RADIUS server settings. Now a quick note about the command that I just ran, the captive portal bypass enable: if you have a deployment that you're just purely doing guest access, you may be able to do without the command. For simple guest access we can leverage the mini browser and it generally works okay with our central web auth, so if you are purely just doing the guest access without BYOD then you can try setting the controller up without enabling the captive portal bypass. So once the ISE node comes back online I'm going to give it an IP address and set up the admin user. Okay so it looks like the controller's back online so I'm going to connect to it via GUI now. All right, perfect, so looks like an AP is already associated, and at this point I can go to the Security and let's configure the RADIUS server.

So I'm going to add the IP address of the ISE, and the support for RFC 3576, this is what enables the change of authorization, so if you're installing the ISE with a controller you definitely want to enable this. And the server timeout, 2 seconds, is really short so you want to increase it to 5 or higher, and unless you're doing it for management you can uncheck the management so it's only used for the users. And you also want to create the same accounting server with the same IP address; again increase the timeout to 5 seconds. We're also going to create the access control list. The first one is for the redirect ACL, so this is the name that's used on the default settings within the ISE, so you want to call it the same name, and I'm going to create a new rule that's going to be for ISE: any traffic from the ISE is going to be permitted, traffic to ISE is also permitted, and minimally you need to add DNS so that when the user is trying to go to a homepage such as Google that also gets allowed. So I'm going to say UDP, yes, is allowed; the source or destination, okay, this is the same so let me modify this real quick, I need DNS. All right, perfect. So in reality if you are setting this up for a production environment you don't want to give full IP access to the ISE; you can limit it to the few ports that ISE needs. If you're doing guest access it's going to be 8443; now if you're doing BYOD there are some additional ports that you may need to allow, but for the purpose of this demo I'm just going to allow IP access so that I can show you the setup much quicker. Now I'm going to create an ACL for the internet users, so I can name it Internet-Only, and it's going to be: my internal network is going to be 1 0 0 switch bi, okay, so anything that's going to 19026 series or zero is going to be denied. Okay so I need to modify these to be like that, okay, and I need to allow DNS, so all right, and let's add a new rule that allows everything else. Okay so hopefully this works for limiting internal access but allowing DNS and the internet.

So at this point I need to configure the WLANs for guest users. Right before we do that, let's go back to the ISE and see if it's waiting on anything from us. Okay so let me do this first before I go back to the controller. So setup, ISE 2.0, and for the NTP we'd use a switch which is set up as, central time zone, and yes I want SSH. Okay so it's going to test the network settings to make sure that we have the default gateway set up correctly and all that, and once it's done it's going to prime the database and fully install the ISE, and then once it comes back online we will have IP connectivity to the GUI of the server.

So let's hop back to the wireless controller and let's validate that the first SSID is configured correctly. So here's the ISE SSID, okay so it's enabled, okay, so it's using the management interface; that means that we need to configure the other interfaces on the controller, I haven't done that, so let's go back to the interfaces. Okay so I'm going to create an interface, employee, and the port number is going to be one, okay good, looks good. Okay I'm going to create one for Open, okay, looks good, so I got the employee interface and the open interface. Okay so let's go back, so for the ISE SSID we're going to use the employee interface, and it's using WPA/WPA2, and we don't want any layer 3 security, but let's make sure that it's using the RADIUS server that we had defined. Even if you don't select one, as long as it's enabled it's going to select the ones already configured on the server list, but here we're just going to define them manually. And for the ISE to work on the controller running 8.0 and above you want to make sure that the interim update is checked and the interval is set to zero. Okay the other settings are going to be in the Advanced, so you want to enable AAA override so that you can apply ACLs and redirect URLs for the user, and you also want to make sure that the RADIUS NAC is enabled, and for the purpose of profiling you can enable the RADIUS client profiling, and if you also want the local profiling with the controller you can also do that as well. Okay so these are the settings that you want to enable; I'm going to click apply. Okay now I'm going to create a new SSID called Open, and this one is going to be enabled, interface is going to be open, and we are not going to be using any layer 2 security but we are going to be using MAC filtering. Okay, same settings for the RADIUS, and Advanced: for the open SSID you may want to disable this EHD here and Aironet IE, and the other settings are the same, you want to enable the RADIUS NAC and also the profiling. Okay so this is all set up; I'm going to save the config for the controller and let's go back to the ISE.

Okay looks like it's installing, and once the ISE node is up and running we can go to the GUI of the ISE and then configure the rest of the ISE settings. Okay so just in time it's rebooting. By the way, once the ISE reloads it takes about 10 to 15 minutes for all the services to come up, so what I'm going to do is I'm going to let the demo run but I'm going to kind of fast forward so that you don't have to wait for the ISE install screen to come up, and here we go. Okay so this is really nice, but even after you get the prompt for admin user that does not necessarily mean that the service is up and running, so let me just quickly show you what's needed to confirm whether the ISE service is up and running or not. Okay so it looks like it's still initializing; the application server is the one that you need to get the GUI. Okay let's try this again. Okay so it looks like the application server is up and running, so at this point we can log on to the ISE GUI and then configure the rest of the settings. Okay so I'm going to open up, okay, looks good.

Okay so at this point I'm going to do some baseline configuration such as adding the ISE to the AD, setting up the policy set, enabling the profiling, so let me go to the settings. Okay so for profiling I'm going to enable CoA; I'm also going to enable the attribute filter. So attribute filter is what controls what attribute gets replicated between the ISE nodes; this is a single deployment so you don't really have to, but this is going to be the best practice if you have a distributed deployment. Okay and I'm going to enable the policy set; this will make me disconnect from the window and make me re-login. Okay, okay so let's add the ISE to the AD, so it's going to be the External Identity Sources, okay, and Active Directory, AD, yes, let's go and join this. Okay so the AD has been joined, and this one only has one domain within the forest so it's going to be one. If you have multiple domains within a forest you may want to select the ones that's going to be used for authentication so that it's much quicker in terms of finding the user, but in this case I only have one domain so I'm going to leave it as default. I'm going to add some groups I'll be using in the policy. Okay so the two groups that I'll be using is the Domain Users and the Domain Admins, so here's the Domain Users or Domain Admins, and the win users, and I'm going to click on save. Okay at this point I can add the network device. Okay so the network device has been added, and I'm going to configure the guest portal so that we can configure the passcode for the other guest settings. So here I'm going to be using the hotspot guest portal, okay, so here I'm going to make it require a passcode; it's going to be Cisco123. Okay that's good. So when they connect to the hotspot portal they're getting an AUP along with the passcode; once they provide a passcode they'll be redirected to a success page.

Okay now let's move on to creating the actual policies. Okay so this one is going to be the SSID Open, and to match against an SSID you want to look up the RADIUS attribute called Called-Station-ID. It just depends on the vendors; in the case of Cisco controllers it sends the SSID name in the Called-Station-ID field, and it's a kind of combination of the AP name, AP interface MAC and the SSID name, so you want to set this as ends with open. So this will match against the Open SSID, and since this is for guest users you want to map it against the internal endpoints, and since there can be unknown devices I'm setting the policy to continue when there's unknown user. Okay so I'm going to configure this to be our Cisco_WebAuth, and I'm going to configure a rule above that says GuestEndpoints, so whenever an endpoint goes through this portal it's going to be added to the GuestEndpoints group, and then I'm going to give it a, okay, I forgot to create the policies but I'm just going to say PermitAccess for now; I will come back to modify it to secure it a little bit more. Okay and I'm going to create a new one above. Okay, this one is going to be the SSID ISE; in this case, the internal users, we're going to use the All_User_ID_Stores, and in this case we reject if the user is not found, for security reasons, and here if the user falls back to the default rule we want to go through the NSP onboarding process. Once the NSP onboarding is successful that means that the endpoint has been registered and hopefully they are using EAP-TLS as the network access method, so we'll do that and then you have full network access. Okay so we need to create a new one for the admin users, right, so we're going to say admin users: if you are part of the AD group called Domain Admins you don't have to go through the NSP onboarding; it's going to allow you in without any restrictions. Okay so let me go back and make sure that I have the results here configured correctly, so Authorization, okay, so the Cisco_WebAuth, let's make sure that it's set up as the hotspot, okay, so it's set as the self-registered guest portal, but so let's change that to use the hotspot that we created, or we modify user defaults, okay, and say okay. So here is the one configured for hotspot, and let's see, right, create a new one for Internet-only access, okay, okay.

Go back to the policy and let's review what the default looks like. So here I have the Open SSID settings, so if you come in and if we find out that you're not a member of the GuestEndpoints group because you have been connected before or your MAC address is not in the GuestEndpoints list, then that means that you will get the Cisco_WebAuth; this is going to redirect the user to a hotspot portal. If the user gets into the GuestEndpoints group then the GuestEndpoints device will get into the PermitAccess. Now we can change that to the one that we created right before, which is Internet-only access as well, but I'll just leave it as PermitAccess for now just for testing. Okay now going to the Cisco ISE SSID: here, if the user comes in and it's not part of the Domain Admins group, it falls back, and if we find out the MAC address isn't something that's in the RegisteredDevices group it's going to fall into the NSP onboarding group, which means that it's going to get onboarded and get a certificate pushed down to the endpoint. Once the certificate has been pushed down to the endpoint it's going to be configured to use the certificate for the network access, and that is when the endpoint can connect using the registered network access, where the device will get full network access. So at this point let's see if we can connect the endpoint and test out all the settings that we have created.

Okay so here I have a test endpoint, so I'm just going to test out the first use case which is guest access, so let's associate to the SSID here; so let's connect to the Open SSID. Okay so I have the .40 address, so that means I'm on the correct subnet, and at this point I'm going to, okay, okay, so I'm in the hotspot portal; it's asking for access code, so I'm going to enter it in. Okay perfect, so I can go back to the Apple and in this case I have network access. Okay so that works. I'm going to disconnect this endpoint from the SSID. Okay so one of the things that you need to do when you're testing with one endpoint for different use cases is that you have to make sure that the endpoints are truly disconnected from the controller, so if you go back to Clients you see that this endpoint is still connected to the Open SSID, so you need to come here, remove, and make sure that it's no longer connected. Okay and the other thing that you need to do on the ISE is that this endpoint has been registered as a guest endpoint, right, so what you need to do is go to the Identities and make sure that this device is removed from the database before you continue on with the other testing. This is something that many engineers forget and they get some odd results when they're testing with a single endpoint, so I want to make sure that you know how to clear these settings on the controller and the ISE.

Okay so this time we're going to connect as a domain admin user and see if we can get network access without getting redirected to BYOD. Okay so I'm going to connect to the ISE. Okay so I have the .30 address so I'm good, so hopefully I don't get redirected here when I try to go to, let's see, Disney. Okay perfect, so I'm not getting redirected, so let's review the live log real quick to make sure that the redirection is good. So there must be some kind of a test thing going on so let me just filter out by anything that includes the MAC address. Okay much easier to see now, right, so you have to kind of look at this from the bottom up. So when we connected as a guest endpoint it was getting a Cisco_WebAuth policy, right, so what that means is that the user was stuck on the hotspot portal, but once the user provided the proper credentials, these green lines indicate the change of authorization: one probably for the profiling because it found out that it was an Apple iPhone, so it wanted to make sure that it's on the proper network, so that happened once, and the second one is because the user authenticated by providing the good passcode and accepting the AUP. So once that was done the endpoint, guest user, had the PermitAccess and was able to go to the apple.com site. So again, when we connected to the different SSID, which was the SSID ISE, with the admin user the user was permitted access, and again the change of authorization, this blank line, happens because it was the first time the endpoint was seen on the ISE side and the ISE sends a change of authorization because that's how we set it up in the profiling settings, and then once it was in we get PermitAccess.

Okay so this time I'm going to connect to the same ISE SSID but with an employee username instead of an admin username, and see if we can get redirected and go through the BYOD process. So again before you do that, make sure that you go to Identities and remove the MAC address. So I'm going to do the same thing on the endpoint: I'm going to forget this and go to the WLC and remove the user, okay, and lastly you want to remove the endpoint from here. Okay so by the way there is a reason that I, you know, step through with the endpoint first and then the controller and then the ISE: the thing is if you don't, you know, disconnect the endpoint from the SSID first, it's going to reattach when we associate to the ISE SSID and you end up with the MAC address populating into the ISE again as soon as you remove it, so that is why I recommend, you know, deleting the Wi-Fi settings on the endpoint itself first and then remove the session from the controller and then remove the MAC address from the ISE. So this only really happens when you have only one device that you are testing with for multiple use cases. Okay so at this point I'm going to connect as an employee user; hopefully I remember the user ID on this one but we'll give it a try. Okay, okay it looks like I got the good IP address here, so this time I want to make sure that I'm getting redirected, so let me open up the browser and I'm going to go to, let's see, back to Apple. Okay so it looks like I'm getting redirected to the BYOD portal, in this case because I'm using a regular employee user ID instead of the admin user ID on the AD, so I'm going to click on Start. Okay so what it's doing is generating the CSR on the phone itself, sending it back to the ISE, and the ISE is going to sign it and send it back to the endpoint, and the endpoint is going to be configured with the Wi-Fi settings to connect back to the ISE SSID using the certificate that was signed. Okay so it says it's successful, so what I can do is go to the apple.com website, and as you can see I can browse the internet. And just to show you what the settings look like, so these are the profiles that have been installed on the phone itself: this is for the actual certificate of the ISE, and this is the settings, so there is the Wi-Fi settings, you know, SSID name, encryption, and there is the certificate that's been issued to this endpoint, so the common name is going to be my user ID, and I haven't configured anything for the OU or other attributes in the certificate so it's showing the basic settings in there.

Okay so I hope this was useful. So this is basically how you configure the ISE with the Cisco wireless controller. I'm going to show you some screens such as the resources that you can get, so if you go to the product page you can get all the links that you need for the ISE. There is also a public community page that you can get to for any support; if you are a partner there's also a partner-related page for ISE as well. So if you have any sales-related questions that's where you want to put it in; if it's any questions about the technology I recommend bringing it to the public community forum. These two forums are maintained by our TME team within the ISE team and we try our best to respond as soon as possible. There is also other documentation such as the compatibility matrix to make sure that the network components and the operating system are compatible with the ISE; there's also many design guides and how-to guides that you can go to and get, and if you are a partner and if you want to know how to order ISE you can go to this file, and there's also a tool that you can get to to find out how many licenses for ISE nodes and endpoints are needed, and there is also what's called the ISE Portal Builder that you can log in to create really nice-looking guest portals and BYOD portals for your ISE deployments. All right, with that, thank you very much for listening and watching my video.
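The AP discovery setting the video mentions, a DHCP option 43 value typed in hex that points the APs at the controller, is easy to get wrong and hard to eyeball. The following is an added example, not code from the video: it encodes and sanity-checks that value for Cisco lightweight APs (vendor sub-option 0xf1, a length byte, then each controller IPv4 address as four bytes). The controller address 192.0.2.10 is constructed.

```python
"""Build and verify the DHCP option 43 payload Cisco lightweight APs use
to discover their wireless LAN controller.  Added example, not from the
video; the controller address 192.0.2.10 is a constructed value."""
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # vendor-specific sub-option 241 used by Cisco APs


def encode_option43(controller_ips):
    """Return the raw option 43 payload: type 0xf1, length 4*n, then each
    controller IPv4 address packed as four bytes."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(body) > 255:
        raise ValueError("too many controllers for a single sub-option")
    return bytes([CISCO_AP_SUBOPTION, len(body)]) + body


def option43_hex(controller_ips):
    """Hex string as typed into a DHCP scope option (binary input)."""
    return encode_option43(controller_ips).hex()


def decode_option43(payload):
    """Parse an option 43 payload and return the controller addresses.
    Rejects the malformed encodings that silently break AP discovery."""
    if len(payload) < 2:
        raise ValueError("payload too short")
    sub_type, length = payload[0], payload[1]
    if sub_type != CISCO_AP_SUBOPTION:
        raise ValueError(f"unexpected sub-option 0x{sub_type:02x}")
    if length != len(payload) - 2:
        raise ValueError("length byte does not match payload size")
    if length == 0 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4")
    body = payload[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4]))
            for i in range(0, length, 4)]


def check_scope_option(hex_value, expected_controllers):
    """True when a scope's option 43 hex decodes to exactly the controllers
    the APs are meant to join, in the same order."""
    try:
        decoded = decode_option43(bytes.fromhex(hex_value))
    except ValueError:
        return False
    return decoded == list(expected_controllers)


if __name__ == "__main__":
    wlc = ["192.0.2.10"]  # constructed controller management address
    print(option43_hex(wlc))  # f104c000020a
    print(decode_option43(encode_option43(wlc)))
```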
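The Internet-only ACL described above only works if the rules are in the right order: a WLC ACL is evaluated top down with first match winning and an implicit deny at the end, so a DNS permit placed after the deny-internal rule blocks DNS to an internal server. This is an added example, not the video's configuration: a small first-match evaluator over a constructed rule set and constructed addresses that makes that ordering mistake visible before the ACL is applied.

```python
"""First-match evaluator for a WLC-style 'Internet-only' guest ACL, used
to check rule ordering before applying it.  Added example, not from the
video; all addresses and both rule sets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network (CIDR)
    dst: str = "0.0.0.0/0"          # destination network (CIDR)
    proto: str = "any"              # "any", "udp", "tcp", "icmp"
    dst_port: Optional[int] = None  # None matches any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def rule_matches(rule, flow):
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    return ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)


def evaluate(acl, flow):
    """Action of the first matching rule; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Constructed lab-style values (not the video's addresses).
INTERNAL = "192.168.0.0/16"      # everything a guest must not reach
DNS_SERVER = "192.168.201.53"    # internal DNS server guests must resolve with
GUEST = "192.168.40.25"          # a guest client on the guest VLAN

# DNS permit placed after the deny: DNS to the internal server is denied.
ACL_WRONG_ORDER = [
    Rule("deny", dst=INTERNAL),
    Rule("permit", dst=DNS_SERVER, proto="udp", dst_port=53),
    Rule("permit"),
]
# DNS permit first, then deny internal, then permit everything else.
ACL_INTERNET_ONLY = [
    Rule("permit", dst=DNS_SERVER, proto="udp", dst_port=53),
    Rule("deny", dst=INTERNAL),
    Rule("permit"),
]

# Constructed sample flows a guest would generate.
SAMPLE_FLOWS = {
    "dns": Flow(GUEST, DNS_SERVER, "udp", 53),
    "internet": Flow(GUEST, "203.0.113.7", "tcp", 443),
    "internal_web": Flow(GUEST, "192.168.30.10", "tcp", 443),
    "internal_dns_port": Flow(GUEST, "192.168.30.10", "tcp", 53),
}


def decisions(acl):
    """Map each sample flow name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, flow) for name, flow in SAMPLE_FLOWS.items()}


def is_internet_only(acl):
    """True when DNS to the server and internet are permitted and every
    other internal destination (including port 53 elsewhere) is denied."""
    d = decisions(acl)
    return (d["dns"] == "permit" and d["internet"] == "permit"
            and all(v == "deny" for k, v in d.items() if k.startswith("internal")))


if __name__ == "__main__":
    print("wrong order:", decisions(ACL_WRONG_ORDER))
    print("correct:    ", decisions(ACL_INTERNET_ONLY))
```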
Info
Channel: Cisco ISE - Identity Services Engine
Views: 77,382
Keywords: ise, security
Id: h9rt4G4hLEE
Length: 61min 27sec (3687 seconds)
Published: Fri Apr 22 2016