My ISE Lab | Initial Setup

Hello community, here we are for a new article.

As you know, in my last article I wrote about the RADIUS and TACACS+ protocols and mentioned that there would be a series of three articles: the first with theory, the second and third with RADIUS and TACACS+ configuration. That promise still stands.

However, before I proceed with RADIUS and TACACS+, or any other ISE configuration, I need to take a few steps back and show the initial lab setup, so that what comes later makes sense.

These articles are not only meant for a select audience with extensive experience in the technology, but also for those at the beginning of their journey. Also, the idea is to have

So, the configuration will be demonstrated step by step, from scratch, just as I started my lab. After completing the initial configuration, you will have an environment ready to apply all the concepts related to ISE.

(Image: lab topology diagram)

VLANs

Three VLANs have been set aside for this lab.

VLAN 10

  • Subnet: 192.168.10.0/24
  • Name: transit

VLAN 20

  • Subnet: 192.168.20.0/24
  • Name: mgmt (management)

VLAN 30

  • Subnet: 192.168.30.0/24
  • Name: lan-corp

Let's move on to the device configuration.

CORE Switch

config t
!
hostname CORE
!
vlan 10
 name transit
!
vlan 20
 name mgmt
!
vlan 30
 name lan-corp
!
interface vlan 10
 description transit
 ip address 192.168.10.1 255.255.255.0
 no shut
!

You can repeat the same process for interfaces VLAN 20 and 30, changing the third octet to match the VLAN number and always using the first available IP address of each subnet for the interface.

For interface VLAN 30 there is one additional command to include: ip helper-address 192.168.20.50. It forwards the DHCP requests coming from devices connected to VLAN 30 interfaces to the DHCP server.

At this point, all physical interfaces are in host mode, that is access mode, with the VLAN assigned as indicated in the topology.
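The SVI rule above (third octet equals the VLAN id, first usable host for the interface, helper-address only where DHCP clients live) as a small generator, added here as an example; it is not part of the original article. The VLAN plan, DHCP server address and the set of client VLANs are taken from this lab, and the helper is only applied to VLAN 30 as the text describes.

```python
import ipaddress

# Constructed VLAN plan matching the lab: VLAN id -> name. The third octet of
# each /24 equals the VLAN id, and the SVI takes the first usable host address.
VLAN_PLAN = {10: "transit", 20: "mgmt", 30: "lan-corp"}
DHCP_SERVER = "192.168.20.50"   # Windows Server on the mgmt VLAN
DHCP_CLIENT_VLANS = {30}        # VLANs whose clients need a relay to it


def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """Derive the lab subnet for a VLAN: 192.168.<vlan>.0/24."""
    if not 1 <= vlan_id <= 254:
        raise ValueError(f"VLAN {vlan_id} cannot map to a third octet")
    return ipaddress.ip_network(f"192.168.{vlan_id}.0/24")


def svi_address(vlan_id: int) -> str:
    """First usable host of the VLAN subnet, used for the SVI."""
    return str(next(vlan_subnet(vlan_id).hosts()))


def svi_config(vlan_id: int, name: str) -> list:
    """Render the IOS SVI stanza, adding ip helper-address where DHCP clients live."""
    net = vlan_subnet(vlan_id)
    lines = [
        f"interface vlan {vlan_id}",
        f" description {name}",
        f" ip address {svi_address(vlan_id)} {net.netmask}",
    ]
    if vlan_id in DHCP_CLIENT_VLANS:
        # Relay DHCP broadcasts from this VLAN to the server on another subnet
        lines.append(f" ip helper-address {DHCP_SERVER}")
    lines.append(" no shut")
    lines.append("!")
    return lines


def render_core_svis(plan=VLAN_PLAN) -> str:
    """All SVI stanzas for the CORE switch, in VLAN order."""
    return "\n".join(
        line for vid, name in sorted(plan.items()) for line in svi_config(vid, name)
    )


if __name__ == "__main__":
    print(render_core_svis())
```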

!
interface ethernet0/0
 switchport host
 switchport access vlan 10
!
interface ethernet0/1
 switchport host
 switchport access vlan 20
!
interface ethernet0/2
 switchport host
 switchport access vlan 20
!
interface ethernet0/3
 switchport host
 switchport access vlan 30
!

Last but not least, a username with password and an enable password. (Note that enable password is stored in reversible form in the configuration; enable secret is the hashed alternative. The lab uses the commands as shown.)

!
enable password Cisco123
username Admin password Cisco123
!

The default route below uses the firewall inside interface IP address as the default gateway/next hop, which allows communication to the Internet.

!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!

Note: all the commands above are issued in global configuration mode.

Do not forget to save the configuration with copy running-config startup-config, or simply write.

FIREWALL

The first firewall configuration is the two interfaces, inside and outside.

The inside interface is configured in the transit subnet, and the outside interface gets its address via DHCP, because of how my lab is built, but it can also be configured with a static IP address and a default gateway.

!
conf t
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface GigabitEthernet0/6
 nameif outside
 security-level 0
 ip address dhcp
!

After configuring the interfaces, it's time to set up the network objects.

These network objects are essential for communication from the internal network to the outside world (the Internet). To establish this flow, NAT configuration must also be applied (in this case dynamic NAT, using the outside interface address).

!
object network lan-corp
 subnet 192.168.30.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network mgmt
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
!

Also apply the default route (route to the Internet) and the static routes (to the internal subnets).

!
route outside 0.0.0.0 0.0.0.0 172.29.129.254
route inside 192.168.20.0 255.255.255.0 192.168.10.1
route inside 192.168.30.0 255.255.255.0 192.168.10.1
!

Note that after applying all these configurations, ICMP inspection must be enabled on the firewall: if this protocol is not inspected in the policy-map global_policy, no ICMP packets will be allowed through the firewall.

!
policy-map global_policy
 class inspection_default
  inspect icmp
!

With that, the ASA firewall configuration is ready.

Note: all the configurations above are applied in global configuration mode.

WINDOWS SERVER - AD, DNS, DHCP and NTP

The first configuration for the Windows Server is, of course, the IP address.

After the IP address configuration is completed, let's jump to configuring the features that will be used in this lab.

NTP

To configure the NTP server, open the Windows Registry Editor (type regedit in the Windows menu) and change the value of Enabled to 1. Below is the path to the registry value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled

AD, DNS and DHCP

To configure these three services, follow the steps below.

On the Windows menu, open Server Manager and click Add roles and features.

After that, click Add Roles and Features, then click Next > Next > Next in the next three windows.

Then click Next until the Confirm installation selections window, and click Install. The installation process will start. If you want, you can check the box Restart the destination... or leave it unchecked and restart the server later.

After the message Installation succeeded on the server, click Close and restart the server.

After this is completed, two Post-deployment Configuration alerts will pop up: one to complete the DHCP setup and one to promote the server to domain controller. Let's apply both.

First, let's promote the server to a domain controller, selecting Add a new forest, with root domain name labise.com, then click Next.

Enter a new password of your choice.

Click Next until you get Prerequisites Check completed, then click Install. This takes a while, so it's time for a break and a cup of coffee. Keep in mind that the server will restart automatically during the configuration deployment.

After the installation, log in to the server again and complete the DHCP configuration.

On the top right, click Complete DHCP Configuration, as you did to promote the server to domain controller.

Click Next, then Commit, and then Close.

Now that the DHCP configuration is complete, let's create a DHCP scope for lan-corp.

Click DHCP in the corner, then right-click the DHCP server IP address and click DHCP Manager.

In the new window, right-click IPv4 and select New Scope, then click Next.

Enter the scope name, in this case lan-corp, and click Next.

Type the first and last IP addresses of the range and click Next.

Create an exclusion. This prevents the DHCP server from leasing the range of IP addresses that are statically configured in the subnet, such as the address of interface VLAN 30 on the CORE switch. Click Next until the Configure DHCP Options window and select Yes, I want to configure these options now.

The DNS configuration is filled in automatically, since the DNS server is the same as the DHCP server. A WINS server does not need to be configured in this lab.

Configure the Router (Default Gateway), which is the IP address of interface VLAN 30 on the CORE switch, then click Next and Finish. Also select Yes to activate the scope now.

After this configuration, you can see on the right side that a new scope has been created.

With that, the Windows Server is also configured and ready for the lab.

ISE

The initial ISE setup is a little different from the one for the switch and firewall.

After ISE boots, issue the command setup and press <Enter>.

Then, after the setup command, you will need to fill in all the information as shown below.

Note that the DNS domain will be the name of our DNS domain, and the primary name server and NTP server will be the IP address of the Windows server.

Keep in mind that the ISE setup is also time consuming, so this is the time for a second break and another cup of coffee.

After finishing the setup, you should be able to log in to the ISE server using the username and password configured previously.

WINDOWS-PC

For the Windows PC, the only configuration to confirm is that the NIC is set to obtain its IP address automatically (DHCP).

Tests and validation

After the configuration is completed, it is time to test our lab.

Internet connectivity from ASA and CORE

From the CORE switch I used VLAN 20 as the source, because it is one of the VLANs that has a return route configured in the firewall. If we ping without a source interface, the traffic leaves by default from interface VLAN 10, and there is no static route configured in the firewall for the VLAN 10 subnet.

Tests from AD-Server

From the AD server, the following will be tested:

  • Internet connectivity
  • ISE connectivity, over HTTPS, ICMP and SSH


Tests on ISE

With the tests above, it was possible to validate connectivity to ISE using the ICMP and SSH protocols. Now we will validate ISE via HTTPS and also check its services.

From the AD server, open a web browser and type https://192.168.20.100.

After that, log in to ISE using the credentials configured during the ISE setup and accept the trial license. It is a 90-day evaluation license containing all the features.

After accepting the license terms, take a tour of the ISE dashboard.

As a last check, validate the ISE health through an SSH session. Issue the command show application status ise and also validate the NTP synchronization.

The time difference between ISE and the NTP server cannot exceed 5 minutes.
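The ISE reachability tests (SSH and HTTPS) and the 5-minute NTP tolerance above, turned into a small check script. This is an added example, not code from the article; the ISE address 192.168.20.100 comes from the lab, while using the Windows Server at 192.168.20.50 as the NTP source is an assumption, and the NTP reply used in the self-check is constructed.

```python
import socket
import struct
import time

NTP_UNIX_OFFSET = 2208988800   # seconds from the 1900 NTP epoch to the 1970 Unix epoch
MAX_SKEW_SECONDS = 300         # ISE tolerates at most 5 minutes of drift from its NTP source
ISE_HOST = "192.168.20.100"    # ISE node from the lab
NTP_SERVER = "192.168.20.50"   # Windows Server acting as NTP server (assumed)


def ntp_request() -> bytes:
    """48-byte NTPv3 client request: LI=0, VN=3, Mode=3, everything else zero."""
    return b"\x1b" + bytes(47)


def ntp_transmit_time(reply: bytes) -> float:
    """Extract the server Transmit Timestamp (bytes 40-47) as Unix seconds."""
    if len(reply) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    mode = reply[0] & 0x07
    if mode != 4:              # 4 = server reply; anything else is not an answer
        raise ValueError(f"unexpected NTP mode {mode}")
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def skew_ok(server_time: float, local_time: float, limit: float = MAX_SKEW_SECONDS) -> bool:
    """True when the absolute difference is within the allowed ISE tolerance."""
    return abs(server_time - local_time) <= limit


def query_ntp(server: str, timeout: float = 3.0) -> float:
    """Send one request over UDP/123 and return the server's transmit time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(ntp_request(), (server, 123))
        reply, _ = sock.recvfrom(48)
    return ntp_transmit_time(reply)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes (SSH=22, HTTPS=443)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for port in (22, 443):
        print(f"ISE {ISE_HOST}:{port} reachable: {tcp_reachable(ISE_HOST, port)}")
    server_time = query_ntp(NTP_SERVER)
    print(f"NTP skew within {MAX_SKEW_SECONDS}s: {skew_ok(server_time, time.time())}")
```

Run it from the AD server (or any host on the mgmt VLAN); a skew result of False means ISE would be outside the 5-minute window even if the node itself has the same drift.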

Windows PC

For the Windows PC, just validate that it has received an IP address from the DHCP server, using the command ipconfig /all from the command prompt.

The results above show that the computer has received the correct DNS server, default gateway, IP address, mask, etc.

So, we have finished our setup and it is now ready for the next configurations.

I hope you enjoyed this read; if you have any doubts, leave your comments.

Thank you!

Scott Wagner

GRC CISSP, CISM, PMP, ITILv3

2 years

Hey there, while we did not necessarily use it the way you intended, I wanted to thank you for your drawing which I found doing a quick search while explaining Identity Management to my boss. Cheers!

Jonas Resende

Network and Security Specialist || Cisco ISE || Umbrella-SIG || Cisco SD-WAN and Meraki || Cisco Designated VIP 2024

2 years

Dana Yanch , one of the articles.

Ali Doski

Senior IP Operations Engineer @ DIL Technology | Networking & Technical Consulting Specialist

2 years

Well formed and informative article Jonas.

Edhane Medrano

IT Infrastructure Engineer en Continental

2 years

Thanks for sharing, friend.
