SISAS: Implementing Cisco Security Access Solutions, Version 1.0
Lab Guide
© 2014 Cisco Systems, Inc.

Table of Contents

Lab 1-1: Bootstrap Identity System
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Define Local User in Cisco ISE
  Task 2: Define the Switch as a NAD in Cisco ISE
  Task 3: Configure AAA Settings on Switch
  Task 4: Configure RADIUS Settings on Switch
  Task 5: Configure Switch for 802.1X Monitor Mode
  Task 6: Enable Windows 802.1X Supplicant on Employee-PC
Lab 2-1: Enroll Cisco ISE in PKI
  Visual Objective
  Task 1: Verify IE Operation Before ISE PKI Enrollment
  Task 2: Verify the Supplicant Operation Before ISE PKI Enrollment
  Task 3: Enroll Cisco ISE in PKI
  Task 4: Explore System Behavior after ISE PKI Enrollment
Lab 2-2: Implement MAB and Internal Authentication
  Visual Objective
  Command List
  Task 1: Deploy MAC Authentication Bypass
  Task 2: Deploy AnyConnect Supplicant
  Task 3: Configure CA Trust with the AnyConnect Profile Editor
Lab 2-3: Implement External Authentication
  Visual Objective
  Task 1: Join ISE to the Active Directory
  Task 2: Configure Authentication Against the Active Directory
  Task 3: Test Authentication of Domain Users
  Task 4: Join the Workstation to the Active Directory
  Task 5: Test User and Machine Authentication Using Windows Credentials
Lab 3-1: Implement EAP-TLS
  Visual Objective
  Task 1: Configure Employee-PC for EAP-TLS
  Task 2: Configure ISE for Certificate-Based Client Authentication
  Task 3: Test EAP-TLS
Lab 3-2: Implement Authorization
  Visual Objective
  Command List
  Task 1: Enable EAP Chaining
  Task 2: Configure Switch for AAA Authorization and 802.1X Low-Impact Mode
  Task 3: Retrieve User Groups from Active Directory
  Task 4: Configure Authorization for IT Users and Domain Computers
  Task 5: Configure Authorization for Remaining Employees
  Task 6: Configure Authorization for Domain Administrators
  Task 7: Configure Authorization for Local ISE Users
  Task 8: Configure Authorization for Print Servers
Lab 3-3: Implement Cisco TrustSec and MACsec
  Visual Objective
  Command List
  Task 1: Prepare ISE for TrustSec Communication with the HQ-SW
  Task 2: Configure the Switch to Act as SGA Device
  Task 3: Dynamically Apply SGT during 802.1X Authorization
  Task 4: Implement Egress Filtering on Switch
  Task 5: Provision a PAC for the ASA (Optional)
  Task 6: Implement SXP and SGFW (Optional)
  Task 7: Implement Downlink MACsec (Optional)
Lab 4-1: Implement WebAuth for Employees
  Visual Objective
  Task 1: Configure Switch for Central Web Auth
  Task 2: Configure ISE Authentication for WebAuth
  Task 3: Configure ISE Authorization to Enable Traffic Redirection
  Task 4: Configure ISE Authorization Rules for Employees Authenticated via WebAuth
Lab 4-2: Implement Guest Service
  Visual Objective
  Task 1: Configure Access to the Sponsor Portal
  Task 2: Provision Guest User in the Sponsor Portal
  Task 3: Configure Authorization for Guest Users
Lab 5-1: Implement Posture Service
  Visual Objective
  Task 1: Prepare Initial Components
  Task 2: Configure Client Provisioning Policy
  Task 3: Configure Authorization for Compliant, Noncompliant, and Unknown Status
  Task 4: Deploy Antivirus Installation Remediation
  Task 5: Deploy Automated Antispyware Definition Remediation (Optional)
  Task 6: Provision Web Agent on Guest-PC (Optional)
Lab 5-2: Implement Profiler Service
  Visual Objective
  Task 1: Observe Profiling without Probes
  Task 2: Deploy DHCP, RADIUS, and HTTP Probes
  Task 3: Configure Print Server Profiling
Lab 6-1: (Optional) Troubleshooting Prep
  Task 1: Restore Broken Backup Configurations on Switch and ISE
Lab 6-2: (Optional) Troubleshoot Network Access Controls
  Visual Objective
  Task 1: Troubleshoot 802.1X Authentication Against Local ISE Database
  Task 2: Guide for Troubleshooting 802.1X Authentication Against Local ISE Database
  Task 3: Troubleshoot 802.1X Authentication Against Active Directory
  Task 4: Guide for Troubleshooting 802.1X Authentication Against Active Directory
  Task 5: Troubleshoot EAP-TLS Authentication
  Task 6: Guide for Troubleshooting EAP-TLS
  Task 7: Troubleshoot Authorization
  Task 8: Guide for Troubleshooting Authorization
  Task 9: Troubleshoot Central WebAuth
  Task 10: Guide for Troubleshooting Central WebAuth
  Task 11: Troubleshoot Posture
  Task 12: Guide for Troubleshooting Posture
Lab Answer Keys
  Lab 1-1: Bootstrap Identity System
  Lab 2-1: Enroll Cisco ISE in PKI
  Lab 2-2: Implement MAB and Internal Authentication
  Lab 2-3: Implement External Authentication
  Lab 3-1: Implement EAP-TLS
  Lab 3-2: Implement Authorization
  Lab 3-3: Implement Cisco TrustSec and MACsec
  Lab 4-1: Implement WebAuth for Employees
  Lab 4-2: Implement Guest Service
  Lab 5-1: Implement Posture Service
  Lab 5-2: Implement Profiler Service
  Lab 6-1: (Optional) Troubleshooting Prep
  Lab 6-2: (Optional) Troubleshoot Network Access Controls

Lab 1-1: Bootstrap Identity System

Activity Objective
In this lab exercise you will jump-start the switch and the Cisco Identity Services Engine (ISE) to deploy
802.1X in monitor mode. You will define a user in the local ISE database and define the switch as a NAD on the ISE. You will configure the switch with the necessary AAA, RADIUS, and 802.1X settings to enable the switch to act as an 802.1X authenticator. You will test 802.1X operations using the Windows native 802.1X supplicant on the Employee-PC.

Upon completing this exercise, you will be able to:
- Define local users in the ISE local user database
- Define NADs in the ISE
- Configure a Cisco IOS switch to act as an 802.1X authenticator
- Enable the Windows native 802.1X supplicant
- Deploy PEAP
- Verify basic 802.1X authentications against Cisco ISE

Visual Objective
The figure illustrates what you will accomplish in this activity. [Figure: Lab 1-1: Bootstrap Identity System]

Required Resources
The following resources and equipment are required to complete this activity:
- Cisco switch
- Windows 7 workstation
- Cisco ISE

Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Command -- Description
aaa accounting dot1x default start-stop group -- Enables accounting for 802.1X and MAB. Stop messages are required for session closing and releasing license counts.
aaa authentication dot1x default group -- Creates an IEEE 802.1X port-based authentication method list.
aaa authorization network default group -- Enables VLAN and ACL assignment.
aaa new-model -- Enables AAA.
authentication open -- Enables pre-authentication open access (allows traffic in monitor mode).
authentication port-control auto -- Enables port-based authentication on the interface.
dot1x pae authenticator -- Enables 802.1X authentication on the interface.
dot1x system-auth-control -- Globally enables 802.1X port-based authentication.
ip device tracking -- Enables IP device tracking (required to use downloadable ACLs).
radius-server attribute 6 on-for-login-auth -- Sends the Service-Type attribute in Access-Requests.
radius-server attribute 6 support-multiple -- Supports multiple Service-Type values for each RADIUS profile.
radius-server attribute 8 include-in-access-req -- Sends the Framed-IP-Address attribute in Access-Requests.
radius-server attribute 25 access-request include -- Sends the Class attribute in Access-Requests.
radius-server vsa send accounting -- Enables VSAs to be sent in accounting messages.
radius-server vsa send authentication -- Configures the NAD to recognize and use authentication VSAs.

Job Aids
These job aids are available to help you complete the lab activity.

Pod Information
The table shows the devices that are used in the lab and the operating systems that are running on the devices. [Table: Device / Hardware / Operating system and platform; the entries are not legible in this copy]

The table shows the usernames and passwords that are used to access the equipment in this lab.

Device -- Username -- Password
HQ-ASA -- admin -- CiScoAdmin (Enable: cisco)
Partner-SRV -- administrator -- CiScoAdmin
HQ-SRV -- administrator -- CiScoAdmin
DMZ-SRV -- administrator -- CiScoAdmin
Admin-PC -- student -- CiScoAdmin
Guest-PC -- student -- CiScoAdmin
Employee-PC -- student -- CiScoAdmin
HQ-ISE -- admin -- CiScoAdmin
HQ-CDA -- admin -- CiScoAdmin
HQ-ESA -- admin -- CiScoAdmin
HQ-WSA -- admin -- CiScoAdmin
(remaining rows are not legible in this copy)

Topology and IP Addressing
The figure shows the topology and interface identifications that are used in this lab setup. [Figure: lab topology]

The
figure shows the IP addresses that are used in this lab setup. [Figure: IP addressing]

Task 1: Define Local User in Cisco ISE
In this task you will define a user named student with the password CiScoAdmin in the local user database of Cisco ISE.

Activity Procedure
Complete the following steps:
Step 1 Access the ISE GUI: Connect to Admin-PC (student/CiScoAdmin). Open the Internet Explorer browser and connect to https://ise.secure-x.local. Log in as user admin with the password CiScoAdmin.
Step 2 Create a local username student with the password CiScoAdmin in Cisco ISE:
A) In the Cisco ISE GUI, choose Administration > Identity Management > Identities and click the Users folder in the Identities pane on the left side of the window.
B) In the Network Access Users pane, click Add. The New Network Access User pane is displayed.
C) Define the user's attributes as follows:
   Name: student
   Password and Re-Enter Password: CiScoAdmin
   User Groups: Employee
D) Click Submit to apply the changes.
E) Verify that the user named student is now defined in the Network Access Users table and the status is Enabled.

Task 2: Define the Switch as a NAD in Cisco ISE
Before a RADIUS server and a RADIUS client can communicate, they must be defined to each other. At a minimum they need to be configured with each other's IP addresses and with a shared secret that is used to secure communications between the two systems. In ISE, the RADIUS clients are NADs. ISE allows the creation and use of Network Device Groups for the purpose of organizing NADs. In this task you will define a Network Device Group for the headquarters location and you will define the HQ-SW as a NAD in that location.

Activity Procedure
Complete the following steps:
Step 1 In the Cisco ISE GUI, configure a Network Device Group named HQ as a child of the default Network Device Group named All Locations:
A) Navigate to Administration > Network Resources > Network Device Groups.
B) In the Network Device Groups pane on the left, expand Groups and choose All Locations.
An empty Network Device Groups table will be displayed.
C) Click Add above the empty table. Define a group named HQ and click Submit.
D) Verify that the location HQ is now in the Network Device Groups table.
Step 2 Define the HQ-SW as a NAD in the ISE:
A) Navigate to Administration > Network Resources > Network Devices.
B) In the Network Devices pane on the left side of the window, choose Network Devices if necessary. The empty Network Devices table should be displayed.
C) Above the Network Devices table, click Add.
D) Define the NAD with these attributes:
   Name: HQ-SW
   IP Address: 10.10.2.292 (the last octet is not legible in this copy)
   Device Type: IOS-SW
   Location: HQ
   Authentication Settings: checked
   Shared Secret: radius-key

Task 3: Configure AAA Settings on Switch
In this task you will configure AAA settings on the HQ-SW.

Activity Procedure
Complete the following steps:
Step 1 Connect to the HQ-SW's console port.
Step 2 Before any AAA authentication, authorization, or accounting commands can be configured, AAA must be enabled globally on the switch.
Step 3 Enabling AAA globally changes the authentication behavior of the console and the VTY lines. Set the enable secret to cisco and set the default authentication method for logins to use the enable secret.
Step 4 On the switch, configure the global AAA settings required for proper 802.1X operation:
A) Define the default method for authentication of 802.1X access requests, specifying the group ISE-RADIUS as the AAA server group.
B) Define the default method of authorizing network access sessions, specifying the group ISE-RADIUS as the AAA server group.
C) Define the default method of accounting to be used for 802.1X sessions, specifying the group ISE-RADIUS as the AAA server group.
Note: Expect a message of the form %AAAA-4-SERVUNDEF: The server-group "ISE-RADIUS" is not defined. Please define it. You will define this server group in the next task.

Task 4: Configure RADIUS Settings on Switch
In this task you will configure RADIUS settings on the HQ-SW.
Activity Procedure
Complete the following steps:
Step 1 Define the ISE appliance as a RADIUS server, include it in the AAA server group ISE-RADIUS, and set the dead criteria for RADIUS servers:
A) Create a RADIUS server instance named ISE-KEY with the IP address 10.10.2.20 using UDP ports 1812 and 1813, and specify the shared key radius-key.
B) Create an AAA server group named ISE-RADIUS and assign the RADIUS server named ISE-KEY to the group.
C) Set the RADIUS timeout to 10 seconds with a 3-attempt failure limit.
Note: AAA server groups are a construct that allows different sets of servers to be specified for different AAA applications. For example, one set can be used for 802.1X AAA and another for administrative-access AAA. You are defining an AAA server group in this lab to prepare for a later lab; the purpose of the separation will become clear there.
Step 2 Configure the additional RADIUS attributes that are required by ISE:
A) Include the RADIUS Service-Type attribute in the authentication requests.
B) Include the endpoint IP address in the Framed-IP-Address attribute in the authentication requests.
C) Include the Class attribute in RADIUS authentication requests.
Step 3 Configure the switch to use RADIUS vendor-specific attributes:
A) Configure the switch to use VSAs in authentication requests.
B) Configure the switch to use VSAs in accounting updates.
Step 4 IP device tracking is required to allow the switch to learn endpoint IP addresses and populate the Framed-IP-Address field in the RADIUS authentication requests. Enable IP device tracking.
Step 5 Before going any further, use the test aaa command to verify communications between the switch and ISE (group ISE-RADIUS). Testing with the credentials you defined in ISE (student/CiScoAdmin) should be successful. If it is not, you most likely have a typographical error in the RADIUS preshared key on either the switch or in ISE.
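As an added example, not part of the lab guide or its answer key, the following Cisco IOS configuration consolidates the switch-side settings that Tasks 3 and 4 describe and, going beyond those two tasks, the interface-level 802.1X monitor-mode commands from this lab's Command List. It takes the ISE address 10.10.2.20, the shared secret radius-key, the server name ISE-KEY, the group ISE-RADIUS and the Employee-PC port GigabitEthernet0/1 from the page; applying the 10-second/3-attempt limit as per-server timeout and retransmit values (rather than as global dead criteria) is an assumption, as is the exact form of the verification commands at the end. Comments are IOS `!` lines.

```cisco
! Added example configuration for HQ-SW (not the lab guide's own answer key).
! Assumptions: ISE at 10.10.2.20, shared secret radius-key, Employee-PC on Gi0/1.
!
! Task 3, Steps 2-3: enable AAA globally and keep console/VTY logins usable
aaa new-model
enable secret cisco
aaa authentication login default enable
!
! Task 3, Step 4: 802.1X authentication, authorization and accounting via ISE-RADIUS
! (the %AAAA-4-SERVUNDEF warning is expected until the group is created below)
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
!
! Task 4, Step 1: named RADIUS server, server group, timeout and retry limit
! (assumption: timeout/retransmit applied per server rather than as dead criteria)
radius server ISE-KEY
 address ipv4 10.10.2.20 auth-port 1812 acct-port 1813
 key radius-key
 timeout 10
 retransmit 3
!
aaa group server radius ISE-RADIUS
 server name ISE-KEY
!
! Task 4, Steps 2-3: attributes ISE expects in Access-Requests and Accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
! Task 4, Step 4: learn endpoint IPs so Framed-IP-Address can be populated
ip device tracking
!
! Command List (Task 5 scope): global 802.1X and monitor mode on the access port.
! authentication open admits traffic even on failure, so no pre-auth ACL is applied.
dot1x system-auth-control
interface GigabitEthernet0/1
 authentication host-mode multi-auth
 authentication open
 authentication periodic
 authentication timer reauthenticate server
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Verification (privileged EXEC, not configuration; Task 4 Step 5 and Task 5 checks):
! test aaa group ISE-RADIUS student CiScoAdmin new-code
! show dot1x all
! show authentication sessions interface gigabitethernet 0/1
```

Because authentication open admits traffic regardless of the RADIUS result, this is an audit configuration: use the ISE Live Authentications log and show authentication sessions to find failing endpoints, and move the port to low-impact or closed mode (Lab 3-2) once they are resolved.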
Task 5: Configure Switch for 802.1X Monitor Mode
In this task you will enable 802.1X and configure 802.1X settings on the switch interface to which the Employee-PC is connected. At this point in the deployment you will configure 802.1X monitor mode. Monitor mode allows access even when authentication fails. This allows the administrator to perform authentication audits without disrupting network availability. After authentication issues are addressed, the system can migrate to low-impact mode or closed mode. Monitor mode is implemented on a port using the authentication open command without the use of a pre-auth ACL on the port.

Activity Procedure
Complete the following steps:
Step 1 Enable 802.1X globally on the switch:
A) Enable 802.1X globally on the switch.
Step 2 Configure the interface supporting the Employee-PC (GigabitEthernet0/1) for 802.1X monitor mode:
A) Configure multiple authentication (multi-auth) mode.
B) Configure the interface of the Employee-PC for 802.1X open mode. Do not use any local access lists.
C) Enable recurring re-authentication.
D) Allow the RADIUS server to specify the re-authentication interval.
E) Enable the 802.1X authenticator role on the port.
F) Set the 802.1X timeout for supplicant retries to 10 seconds.
G) Allow 802.1X authentication to control the port's status.

Activity Verification
You have completed this task when you verify the 802.1X configuration on the switch using this procedure:
Step 1 On the switch, view the overall 802.1X status using the show dot1x all command. You should see that the system authentication control is enabled and the PAE type on interface GigabitEthernet0/1 is set to authenticator.
Step 2 On the switch console, observe the failed access attempts through the interface GigabitEthernet0/1. It may take 90 seconds before the messages are displayed. You should see that the authentication fails because there is no supplicant and there is no failover authentication method.
Step 3 On the switch, view the status of authentication sessions on the interface using the show authentication sessions interface gigabitethernet 0/1 command. You should see that the status is Auth Failed. Note that the endpoint IP address is defined because IP device tracking is enabled. The IP address that you see may differ from the sample, as the address is assigned via DHCP.
HQ-SW# show authentication sessions interface gigabitethernet 0/1
[sample output not legible in this copy]

Task 6: Enable Windows 802.1X Supplicant on Employee-PC
In this task you will enable the Windows native 802.1X supplicant on the Employee-PC.
Note: Having configured the access switch for 802.1X and the RADIUS communications with ISE, you will now enable the native Windows supplicant on the Employee-PC. In this scenario you will use Protected EAP (PEAP), which is the default method.

Activity Procedure
Complete the following steps:
Step 1 Connect to the Employee-PC by using the appropriate shortcut on your springboard PC. Log in as local administrator student with password CiScoAdmin. Enable the Wired AutoConfig service, which enables the 802.1X supplicant:
A) Click Start and type services.msc. Click services.msc under Programs. The Services console opens.
B) Scroll down and find Wired AutoConfig.
C) Open the properties and change the Startup Type to Automatic. Also click Start, then click OK.
D) Close the Services console.
Step 2 Enable the native Windows 802.1X supplicant and configure it to bypass server certificate validation:
A) Right-click the Network icon in the system tray. Select Open Network and Sharing Center.
B) Click Change adapter settings. This navigates you to the Network Connections list.
C) Double-click Local Area Connection. Click Properties, then select the Authentication tab.
D) Check the Enable IEEE 802.1X authentication checkbox. Verify that the supplicant defaults to Microsoft: Protected EAP (PEAP). [Screenshot: Local Area Connection Properties, Authentication tab]
E) Click Settings. The Protected EAP Properties window opens. Clear the Validate server certificate checkbox. Since the ISE has not yet been enrolled into the PKI, the supplicant will not be able to validate the ISE certificate. [Screenshot: Protected EAP Properties]
F) Click Configure and verify that the Windows supplicant uses Windows credentials by default (When connecting: Automatically use my Windows logon name and password). [Screenshot: EAP MSCHAPv2 Properties]
G) Click OK twice to close the two most recent windows.
H) On the Local Area Connection Properties window, click Additional Settings. Verify that the Windows supplicant defaults to user or machine authentication. [Screenshot: Advanced settings, 802.1X settings tab]
I) Click OK twice to close the two most recent windows and then close all remaining open windows.

Activity Verification
It may not be obvious, but 802.1X authentication should have completed in the background. The Employee-PC has cached the login credentials (student/CiScoAdmin) and will offer the credentials in the authentication process, which will kick off as soon as all of the components are configured.
You have completed this task when you see a record of a successful 802.1X authentication attempt on the ISE and view the status on the switch. Follow this verification procedure:
Step 1 In the Cisco ISE GUI, navigate to Operations > Authentications. You should see a successful access attempt of user student.
Step 2 Click the Add or Remove Columns button. Choose the options that you want to display and click Save. [Screenshot: Live Authentications list; not legible in this copy]
Step 3 Click the Details button in the third column. Examine the information in the Overview, Authentication Details, Other Attributes, Result, and Session Events sections.
Step 4 On the switch, verify the authentication status on the port GigabitEthernet0/1, where the Employee-PC is connected. This time, you should see that the authentication and authorization status of user student is reported as success. You should see the endpoint IP address because IP tracking has been enabled on the switch. The IP address in your pod may differ from the output below, because IP addresses are obtained dynamically.
HQ-SW# show authentication sessions interface gigabitethernet 0/1
[sample output not legible in this copy]

Lab 2-1: Enroll Cisco ISE in PKI

Activity Objective
In this lab exercise you will first observe that the 802.1X supplicant rejects the self-signed Cisco Identity Services Engine certificate and that the HTTPS session to the ISE is untrusted. Then you will enroll the ISE with the Public Key Infrastructure (PKI) and examine the trust established through the PKI infrastructure.

Upon completing this exercise, you will be able to:
- Enroll Cisco ISE to PKI
- Verify the server-side certificate in PEAP

Visual Objective
The figure illustrates what you will accomplish in this activity. [Figure: Lab 2-1: Enroll Cisco ISE in PKI]

Task 1: Verify IE Operation Before ISE PKI Enrollment
Upon initial setup, ISE creates a self-signed certificate that it uses for both HTTPS and EAP. Systems that use PKI have a store of trusted certificate authority root certificates. Each of those root certificates documents the public key used by the CA to sign identity certificates. This allows systems to verify the validity of the identity certificates of remote peers: they use the public key of the CA to verify the signature on the remote peer's identity certificate. In this task you will explore how Internet Explorer behaves when it is used for an administrative session to ISE and ISE is using a self-signed certificate.

Activity Procedure
Complete the following steps:
Step 1 Access the desktop of the Admin-PC. If any Internet Explorer windows are currently open, close the IE windows.
Step 2 Open Internet Explorer and connect to the ISE (https://ise.secure-x.local). Note that the URL entry field is red and a Certificate Error is indicated.
Step 3 Click on the Certificate Error. A description of the issue is displayed. It indicates that the certificate presented by the SSL server (Cisco ISE) was not issued by a trusted certificate authority.
Step 4 Click on the View certificates link. A certificate window opens. Note that both the Issued to: and Issued by: fields are ise.secure-x.local. This is a self-signed certificate. The window states: "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." [Screenshot: certificate window showing Issued to, Issued by and the validity period]
Step 5 Close the certificate window.
Step 6 In IE, navigate to Tools > Internet Options. In the Internet Options window, select the Content tab and then click the Certificates button. The Certificates window will open, displaying the contents of the Windows certificate store.
