Implementing Cisco Security Access Solutions (SISAS) v1.0 Global Knowledge European n Remote Labs Student Lab Notes

Transcription

1 Implementing Cisc co Security Acc esss Solutions (SISAS) v1.0 Global Knowledge European Remote Labs Student Lab Notes Revisionn Release September 2014

2 1. Contents 1. Contents Introduction Lab Topology Lab Exercisess... 7 Page 2

3 2. Introduction This guide has been produced to assist the Student in completing c the lab exercises of the training course, using Global Knowledge European Remote Labs equipment. It is intended to complement the Cisco documentation and a should only be used in conjunctionn with the Cisco Student Lab Guide. 3. Lab Topology Page 3

4 Page 4

5 Each Pod consists of a C3560E HQ-Switch, 3 x C2901 Routers (HQ, Branch & Partner), a C2811 Router (Internet) and a ASA5515X, connected as shown above. The Serverr PC s are all Windowss 2008 R2 Servers, the Client PC ss are Windows 7, except for the Attacker PC, whichh is Kali Linux. Each pod connects to the Internet, via a shard Backbone Router, too support certain live security lab tests. Page 5

6 PC Accesss using VNC tool The lab Employee, Guest and Attacker PC s are accessed using a VNC tool. Largely this will behave the same as a normal RDP session, however there are some points to note: 1. Keyboard mapping the keyboard mapping for thee VNC app is fixed and set to UK keyboard. It may be that local keyboard mappings are translated throughh the remotee app but, for certain keys, it may bee necessary to consult a local to UK keyboard mapping diagram (e.g. ). 2. During certain labs, there is a requirement to specify the domain name as well as the user name for PC login. This requires issuing CTRL+ALT+DEL. The VNC tool ONLY supports this key sequence through a Menu option. To access the menu, press F88 and then select the Ctrl+Alt+Del option. Page 6

7 4. Lab Exercises Lab 1-1: Bootstrap Identity System Task 6 Activity Verification Step 3: Click the Show Live Authentications button this will bring up the screen with the third column Details button. Lab 2-1: Enrolll Cisco ISE in PKI Task 2 Step 2:C): Double-Click k the Local Area Connection link. Step 2:B): C:\CCNP-SEC\ca-cert.cer Step 3:E): folder. Change the Friendly Name to something else (e.g. ise-ssc.secure-x.local ) and click Save. Task 3 Step 1:C): Click Save As and save the file as ca-cert.cer in the c:\ccnp- sec folder. Click Save As and save the file as ise-csr.pem in the c:\ccnp-sec Step 4:C): Open WordPad and open the c:\ \ccnp-sec\ise-csr.pemm file. Step 4:G): Save the file as c:\ccnp-sec\ise-cert.cer file. Step 5: The lab steps require youu to install the new certificate using the same Friendly Name as the original self-signed certificate. This will cause a conflict and error. First, change the Friendly Name of the original certificate: From the ISE web page, click Local Certificates from the left-handd pane, click the checkbox next to the original certificate and click Edit Step 5:C): Certificate File: c:\ccnp-sec\ise-cert.cer Page 7

8 Lab 2-2: Implement MAB and Internal Authentication Task 2 Step 2: Use Windows Explorer and navigate to t the C:\CCNP- ct supplicantt employs Single Sign-On, which means thatt it will attempt use the Windows Login credentials to authenticate the network connection. The Student user used to login too the Employee PC is already a configured in the ISE SEC\AnyConnect folder. Task 2 Activity Verification Step 1: By default, the AnyConnecA identity database, hence the AnyConnect supplicant attempts authentication without the pop-up login box. In the next Task (Task 3) the AnyConnect Profile Editorr is installedd and can be used to modify this default behaviour. Task 3 Step 1:A): Use Windows Explorer and navigate to the C: :\CCNP- SEC\AnyConnect folder. Task 3 Step 2:D): Click Add and browse to the CA-root-Base64.cer file in the C:\CCNP-SEC\Cert folder. Task 3 Step 2:E): To skip to the end of the wizard, click the Credentials tab. Now enable the Pop-up login box as follows: Under User Credentials click the Prompt for Credentials radioo button and then click Done. Page 8

9 Lab 2-3: Implement External Authentication Task 5 Step 1: As the Employee PC is now a domainn member, itt will requiree the Ctrl+Alt_Del key sequence to bring up the login windoww remember, within the t VNC client this must be input from the F8 menu option. Click Switch User then Other User and login with user sales1 and password cisco. The lab steps suggestt that the AnyConnect supplicant will w now auto sign-on using the Windows credentials. However, recall that we amended this default behaviour earlier, with the Profile Editor tooll (adding the PC to a domain doess NOT automatically reset this parameter). So, we now need to reset the supplicant as follows: Click Windows Start > All Programs > Cisco > Cisco AnyConnect Profile Editor and launch the editor. Within the Editor, click Networks, select Wired and click Edit Click on the last box on the right-hand section, ensuree that the Use Single Sign-On Credentials radio button is selected. Click Done and thenselect File, Save As Save the file in the default folder, with the name configuration.xml Close the Editor and right-click the AnyConnect toolbar icon and select Network Repair pane Credentials Under the User Credentials The supplicant should now use Single Sign-On and authenticate the network connection. Lab 3-1: Implement EAP-TLS All tasks complete as written in the Cisco Lab Guide. Page 9

10 Lab 3-2: Implement Authorization Task 2 Activity Verification: Login to the Employee PC as secure-x\administrator with password Ci5coAdmin and try to access. Task 4 Activity Verification Step 3 dacl output shown in Labb Guide is incorrect. The dacl entries are interpreted to have host source specific s addressing. e.g: Original configured dacl deny icmp any host permit ip any any when applied to the switch port, becomes: deny icmp host host permit ip host any Lab 3-3: Implement Cisco TrustSec and MACSec Task 2 Step 1: Define ISE as a RADIUS server named ISE-PAC, using ports 1645 and 1646 for authentication and accounting. e.g. radius server ISE-PAC address ipv auth-port 1645 acct-port 1646 (The values of auth-port 1812 andd acct-port 1813 were used for thee original radius server setup, in Lab 1-1, Task 4). Task 4 Step 8: The DMZ server URL for ping, FTP and HTTP is: dmz-srv.secure-x.public Task 5 Step 2: Save the PAC as C:\CCNP-SEC\ASA.pac Task 6 Step 6: The DMZ server URL for FTP is: dmz-srv.secure-x.public Task 6 Step 7:C): Set the Action: to Deny Page 10

11 Lab 4-1: Implement WebAuth forr Employees Task 2 Step 3:B): Although thee lab result of Deny Access will be obtained,, the detail failure reason steps will differ from those documented in the lab guide. The reason for this is due to the default MAB Authentication sequence settings. To obtain the lab guide results, configure the ISE with the following: f Policy > Authentication Edit the MAB policy. Click the + by Internal Endpointss and amend the values of If authentication failed and If user not found to Continue Click Done and Save Re-check the Operations > Authentications window andd the resultss screen to compare output. Note: You output. may need to t shut / no shut the Switch G0/22 port to obtain a refreshed Task 4 Step 1:E): Value: secure-x.local/domaingroups/employees Lab 4-2: Implement Guest Service Task 3 Activity Verification Step 3: The DMZ server URL for HTTP is: dmz-srv. secure-x.public The SP server URL for HTTP is: sp-srv.sp.public Page 11

12 Lab 5-1: Implement Posture Service Task 3 Activity Verification Step 5: If you initially receive the HQ-SRV web page, press F5 to refresh the page and clear the cached page. The portal page will now appear. Task 4 Step 10:D): Populate the Existing Program table by entering the Program Executablee value C:\CCNP-SEC\ \ClamAV\clamwin setup.exe and clicking Add. Task 6 Activity Verification Step 1: It may necessary to shut / no shut the Switch G0/ 2 port to reset the portt authentication before the portal will open in the Guest PC web browser. Task 6 Activity Verification Step 6:A): Use Windows Explorer to browse the C:\CCNP-SEC\ClamAV directoryy and launch the clamwin setup.exe installer. Task 6 Activity Verification Step 7: During testing it was found that the webauth dacl is no longer applied to the Switch port, once the PC P has an Identity registered with the ISE. To perform the next t lab steps as written, do d the following: Identify the MAC address of the Guest PC (from the PCC or via the Switch CLI) ) On the Switch, shutdown the GigabitEthernet0/2 interface. Go to the ISE web page Administration > Identity Management > Identities and remove the entry that corresponds to the Guest PC macc address. On the Switch, no shutdown the GigabitEthernet0/2 interface. Thee dacl will now be correctly applied and can be confirmed via the switch CLI. Page 12

13 Lab 5-2: Implement Profiler Service Task 1 Step 1:B): The third device will be classified as a TP-Link-Device (used instead of the Linksys Device (TP-Link OUI is c0:4a:00) ). Task 2 Step 3:A): Login to the Guest PC with the user student and password Ci5coAdmin. Step 4:B): Verify that the print server is profiled using the TP-Link-Device profile. Step 4:C): Examine the policy that profiled the print server as a TP-Link-Device profile. Use Quick Filter to search for TP-Link. Step 4:D): Examine the TP-LinkOUICheck definition. Search S for TP-Link in the t Quick Filter search. Step 4:E): Additional Rule Checkk conditions have not been b configured for these devices, please ignore this step. Task 3 Step 4:B): Select the TP-Link-Device policy and a Duplicate it. Step 4:C): Modify the cloned policy: Step 6:B): Profiled > Name: TP-Link-PrintServer Parent Policy: TP-Link-Device Addd a second condition of PrintServer-above-min-IP and,, if met, increase the certainty factor by 10 ( Insert new rule below and Select Existing Condition from Library ). Change the identity group selection to Endpoint Identity Groups > TP-Link-PrintServer Page 13

14 Lab 6-1: (Optional) Troubleshooting Prep Task 1 Step 1: Not required. The ISE file is already in the correct folder on the HQ-SRV. The HQ-SW file will be loaded using the Config Management tool from the Lab Access page. Step 2: Use the Config Management tool on the pod lab access s page to load the HQ-Switch trouble configuration. Launch the tool and select the config from the drop-down menu. Leave the page open and observe the process. Wait for the Ready message, then close the Config Managementt window, access the HQ-SW console and confirm it is back up and running before starting Step 3 (reboot will take a little while bee patient at the console screen). Lab 6-2: (Optional) Troubleshoot Network Accesss Controlss Page 14