My ISE Lab | Initial Setup
Jonas Resende
Network and Security Specialist || Cisco ISE || Umbrella-SIG || Cisco SD-WAN and Meraki || Cisco Designated VIP 2024
Hello community, here we are for a new article.
As you know, in my last article I wrote about the RADIUS and TACACS protocols and mentioned that there would be a series of three articles: the first with theory, the second and third with RADIUS and TACACS configuration. That promise still stands.
However, before I proceed with RADIUS and TACACS, or any other ISE configuration, I must take a few steps back and show the initial lab setup, so that what comes later makes sense.
These articles are not only for a select audience with extensive experience in the technology, but also for those who are at the beginning of their journey. Also, the idea is to have
So, the configuration will be demonstrated step by step, from scratch, just as I started my lab. After completing the initial configuration, you will have an environment ready to apply all the concepts related to ISE.
VLANs
Three VLANs have been set aside for this lab.
VLAN 10
- Subnet: 192.168.10.0/24
- Name: transit
VLAN 20
- Subnet: 192.168.20.0/24
- Name: mgmt (management)
VLAN 30
- Subnet: 192.168.30.0/24
- Name: lan-corp
Let’s go to the device’s configuration.
CORE Switch
config t
!
hostname CORE
!
vlan 10
name transit
!
vlan 20
name mgmt
!
vlan 30
name lan-corp
!
interface vlan 10
description transit
ip address 192.168.10.1 255.255.255.0
no shut
!
You can repeat the same process for interfaces VLAN 20 and VLAN 30, changing the third octet to match the VLAN number and always using the first available IP address of each subnet for the interface.
For interface VLAN 30 there is one additional command to include: ip helper-address 192.168.20.50. It relays the DHCP requests coming from devices connected to VLAN 30 access ports to the DHCP server, which sits in the mgmt subnet.
At this point, all the physical interfaces are in host mode (access mode), with the VLAN assigned as indicated in the topology.
!
interface ethernet0/0
switchport host
switchport access vlan 10
!
interface ethernet0/1
switchport host
switchport access vlan 20
!
interface ethernet0/2
switchport host
switchport access vlan 20
!
interface ethernet0/3
switchport host
switchport access vlan 30
!
Last but not least, a username with password and an enable password.
!
enable password Cisco123
username Admin password Cisco123
!
The default route below uses the firewall's inside interface IP address as the default gateway/next hop, to allow communication to the Internet.
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!
Note: all the commands above are issued in global configuration mode.
Do not forget to save the configuration with copy running-config startup-config, or simply write.
FIREWALL
The first firewall configuration is the two interfaces, inside and outside.
The inside interface is configured in the transit subnet and the outside one gets its address via DHCP, because of my lab setup, but it could also be configured with a static IP address and default gateway.
!
conf t
!
interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 192.168.10.2 255.255.255.0
!
interface GigabitEthernet0/6
  nameif outside
  security-level 0
  ip address dhcp
!
After configuring the interfaces, it is time to set up the network objects.
These network objects are essential for communication from the internal network to the external world (the Internet), and to establish this flow the NAT configuration must also be applied (in this case we are using dynamic NAT).
!
object network lan-corp
  subnet 192.168.30.0 255.255.255.0
  nat (inside,outside) dynamic interface
object network mgmt
  subnet 192.168.20.0 255.255.255.0
  nat (inside,outside) dynamic interface
!
Also apply the default route (to the Internet) and the static routes (to the internal subnets).
!
route outside 0.0.0.0 0.0.0.0 172.29.129.254
route inside 192.168.20.0 255.255.255.0 192.168.10.1
route inside 192.168.30.0 255.255.255.0 192.168.10.1
!
Note that after applying all these configurations, ICMP inspection must be enabled in the firewall: if the protocol is not inspected in the policy-map global_policy, the ICMP replies coming back through the firewall are not allowed and no ping across it will work.
!
policy-map global_policy
  class inspection_default
    inspect icmp
!
With that, the firewall (ASA) configuration is ready.
Note: All the configurations above are applied in global configuration mode.
WINDOWS SERVER - AD, DNS, DHCP and NTP
The first configuration for the Windows Server is, of course, the IP address.
After the IP address configuration is completed, let's move on to configuring the features that will be used in this lab.
NTP
To configure the NTP server, open the Windows Registry Editor (type regedit in the Windows menu) and change the Enabled value to 1. Below is the path of the registry value.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled
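The same change done from an elevated PowerShell session, as an added example that is not part of the original article: it sets the value, restarts the time service (which only reads this setting at start) and confirms the NTP server is actually listening. The registry key and value name are from the article; registry paths are case-insensitive, so NtpServer and NTPServer are the same key.

```powershell
# Added example (not from the original article): enable the built-in Windows NTP
# server by registry, restart the time service and confirm it is listening.
# Run in an elevated PowerShell session on the AD server.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'

# Equivalent to setting Enabled = 1 in regedit (the article's step).
Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord

# The time service reads the provider settings only at start, so restart it.
Restart-Service -Name w32time

# Verify: the NtpServer provider block should now report "Enabled: 1 (Local)".
w32tm /query /configuration | Select-String -Pattern 'NtpServer', 'Enabled'

# Verify: the service should be bound to UDP 123, which is what ISE will query.
Get-NetUDPEndpoint -LocalPort 123 | Select-Object LocalAddress, LocalPort, OwningProcess
```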
AD, DNS and DHCP
To configure these three services, follow the steps below.
In the Windows menu, open Server Manager and click on Add roles and features.
After that, in the Add Roles and Features wizard, click Next > Next > Next in the next three windows.
Then click Next until the Confirm installation selections window and click Install. The installation process will start. If you want, you can tick the checkbox Restart the destination... or leave it unchecked and restart the device later.
After the message Installation succeeded on the server, click the Close button and restart the server.
After this is completed, two Post-deployment Configuration alerts will pop up: one to complete the DHCP setup and one to promote the server to a domain controller. So, let's apply those.
First, let's promote the server to a domain controller, selecting Add a new forest and labise.com as the root domain name, then click Next.
Enter a new password, as you prefer.
Click Next until the Prerequisites Check is completed, then click Install. It will take a little while, so it is time for a break and a cup of coffee. Keep in mind that the server will automatically restart during the configuration deployment.
After the installation, log in to the server again and complete the DHCP configuration.
On the top right side, click Complete DHCP Configuration, as you did to promote the server to domain controller.
Click Next, then Commit and then Close.
Now that the DHCP configuration is completed, let's create a DHCP scope for lan-corp.
Click DHCP in the right corner, then right-click on the DHCP server IP address and click DHCP Manager.
In the new window, right-click on IPv4 and select New Scope, then click Next.
Enter the name of the scope, in this case lan-corp, and click Next.
Type the first and last IP addresses of the range, then click Next.
Create an exclusion. This prevents the DHCP server from leasing the range of IP addresses that is statically configured in the subnet, such as the address of interface VLAN 30 on the CORE switch. Click Next until the Configure DHCP Options window and select Yes, I want to configure these options now.
The DNS configuration is filled in automatically, since the DNS server is the same as the DHCP server. The WINS server does not need to be configured in this lab.
Configure the Router (Default Gateway), which is the IP address of interface VLAN 30 on the CORE switch, then click Next and Finish. Also, select Yes to activate the scope now.
After this configuration, you can see on the right side that a new scope has been created.
With that, the Windows Server is also configured and ready for the lab.
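The same lan-corp scope built with the DhcpServer PowerShell module instead of the wizard, as an added example that is not part of the original article. The scope name, subnet, default gateway (192.168.30.1, interface VLAN 30 on CORE), DNS/DHCP server (192.168.20.50) and domain labise.com come from the article; the address range and the exclusion are constructed assumptions, since the article does not state them.

```powershell
# Added example (not from the original article): the lan-corp scope the article
# creates in the DHCP Manager wizard, built with the DhcpServer module instead.
# Run in an elevated PowerShell session on the DHCP server (192.168.20.50).
Import-Module DhcpServer

$scopeId   = '192.168.30.0'
$gateway   = '192.168.30.1'       # interface VLAN 30 on the CORE switch
$dnsServer = '192.168.20.50'      # same host runs DNS and DHCP

# Scope range: the whole usable subnet (assumed; the article leaves the range to you).
Add-DhcpServerv4Scope -Name 'lan-corp' -StartRange '192.168.30.1' `
    -EndRange '192.168.30.254' -SubnetMask '255.255.255.0' -State Active

# Exclusion: the statically assigned part of the subnet, starting with the CORE
# switch SVI at .1, so the server never leases those addresses (assumed range).
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId `
    -StartRange '192.168.30.1' -EndRange '192.168.30.99'

# Scope options the wizard asks for: router (option 3), DNS server (option 6)
# and DNS domain (option 15). WINS is left unset, as in the article.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $gateway `
    -DnsServer $dnsServer -DnsDomain 'labise.com'

# Verify what a lan-corp client will actually receive.
Get-DhcpServerv4Scope -ScopeId $scopeId
Get-DhcpServerv4ExclusionRange -ScopeId $scopeId
Get-DhcpServerv4OptionValue -ScopeId $scopeId
```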
ISE
The initial ISE setup is a little different from what we have for the switch and firewall.
After ISE boots, issue the command setup and press <Enter>.
Then, after the setup command, fill in all the information as shown below.
Note that the DNS domain will be the name of our DNS domain, and the primary name server and NTP server will be the IP address of the Windows Server.
Keep in mind that the ISE setup is also time consuming, so this is the time for a second break and a cup of coffee to regain some energy.
After finishing the setup, you should be able to log in to the ISE server using the username and password configured previously.
WINDOWS-PC
For the Windows PC, the only configuration to confirm is that the NIC is set to obtain its IP address automatically via DHCP.
Tests and validation
After the configuration is completed, it is time to test our lab.
Internet connectivity from ASA and CORE
From the CORE switch I used VLAN 20 as the source, because it is one of the VLANs that has a return route configured in the firewall. If we ping without a source interface, the traffic leaves by default through interface VLAN 10, and the firewall has no static route configured for the VLAN 10 subnet.
Tests from AD-Server
From the AD server, we will test:
- Internet connectivity
- ISE connectivity, over HTTPS, ICMP and SSH
Tests on ISE
With the tests above it was possible to validate connectivity to ISE using ICMP and SSH. Now we will validate ISE via HTTPS and also check its services.
From AD Server, open a web browser and type https://192.168.20.100.
After that, log in to ISE using the credentials configured during the ISE setup and accept the trial license. It is a 90-day evaluation license containing all the features.
After accepting the license terms, take a tour of the ISE dashboard.
Also, as a last check, validate the ISE health through an SSH session. Issue the command show application status ise and also validate the NTP synchronization.
The time sync between ISE and NTP server cannot exceed 5 minutes.
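The connectivity tests the article runs by hand from the AD server (Internet, and ISE over ICMP, SSH and HTTPS), collected into one script as an added example that is not part of the original article. The ISE address 192.168.20.100 is from the article; the CORE address 192.168.20.1 follows its first-available-IP rule; the Internet probe host is a constructed placeholder.

```powershell
# Added example (not from the original article): reachability checks from the
# AD server, mirroring the article's manual ping / SSH / HTTPS tests.
function Test-LabHost {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Address,
        [int[]] $TcpPorts = @()
    )
    # ICMP echo, as the article's ping tests; replies through the ASA depend on
    # the 'inspect icmp' line added to global_policy.
    $icmp   = Test-Connection -ComputerName $Address -Count 2 -Quiet
    $result = [ordered]@{ Host = $Name; Address = $Address; ICMP = $icmp }
    foreach ($port in $TcpPorts) {
        # A TCP handshake is enough to prove the path and the listener exist;
        # no login is attempted.
        $tcp = Test-NetConnection -ComputerName $Address -Port $port -WarningAction SilentlyContinue
        $result["TCP$port"] = $tcp.TcpTestSucceeded
    }
    [pscustomobject]$result
}

$checks = @(
    Test-LabHost -Name 'ISE'      -Address '192.168.20.100' -TcpPorts 443, 22   # HTTPS and SSH
    Test-LabHost -Name 'CORE'     -Address '192.168.20.1'                        # SVI, ICMP only
    Test-LabHost -Name 'Internet' -Address 'example.com'    -TcpPorts 443        # placeholder host
)
$checks | Format-Table -AutoSize

# The article requires ISE to stay within 5 minutes of its NTP source; confirm the
# source itself (this server) is synchronised before trusting that comparison.
w32tm /query /status | Select-String -Pattern 'Source', 'Last Successful Sync'
```

Any row showing ICMP False with TCP True usually points at the firewall ICMP inspection rather than at routing.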
Windows PC
For the Windows PC, just validate that it has received an IP address from the DHCP server, with the command ipconfig /all from the cmd prompt.
The results above show that the computer is correctly receiving the DNS server, default gateway, IP address, mask, etc.
So, we have finished our setup and it is now ready for the next configurations.
I hope you enjoyed this read; if you have any doubts, leave your comments.
Thank you!
GRC CISSP, CISM, PMP, ITILv3
2 years ago: Hey there, while we did not necessarily use it the way you intended, I wanted to thank you for your drawing which I found doing a quick search while explaining Identity Management to my boss. Cheers!
Network and Security Specialist || Cisco ISE || Umbrella-SIG || Cisco SD-WAN and Meraki || Cisco Designated VIP 2024
2 years ago: Dana Yanch, one of the articles.
Senior IP Operations Engineer @ DIL Technology | Networking & Technical Consulting Specialist
2 years ago: Well-formed and informative article, Jonas.
IT Infrastructure Engineer en Continental
2 years ago: Thanks for sharing, friend.