Cisco Identity

Service Engine 3.2

LAB 02
Configuracion Nodos
Distribuidos ISE
Tabla de contenido

1. Configuracion DNS WS2012 --------------------------------------------------------------------------------------3

2. Configuracion CA WS2012 -------------------------------------------------------------------------------------- 11
3. Generación CSR y firma (CA) ----------------------------------------------------------------------------------- 25
4. Configuracion HA ISE --------------------------------------------------------------------------------------------- 36
 Cisco Identity Service Engine 3.2

1. Configuracion DNS WS2012

Task 01: Crear los registros A en los Servidores DNS (DC)

1. Registrar el acceso remoto del DC al RemoteNG

a. Ingresar las siguientes credenciales

i. IP Add : 172.21.XX.35
ii. Username: LAB\Administrator
iii. Password: Pass123$

2. Creacion Zona Reversa ( Para registro PTR)

i. Click al Icono de Server Manager > Tools > DNS.

3
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

ii. Click DNS Manager > DC > Reverse Lookup Zones > Click Derecho (
New Zone)

4
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

5
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

6
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

7
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

3. Crear registro A
i. Click DNS Manager > DC > Forward Lookup Zones > lab.com

8
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

ii. Ingresar los siguientes registros

• Isepri (172.21.XX.33)
• Isecsec (172.21.XX.34)

9
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

OBS: No olvidar Seleccionar la creacion de registro PTR.

10
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

2. Configuracion CA WS2012
Task 01: Configurar CA ( Certificate Authority)

i. Click al Icono de Server Manager > Add Roles and Features

ii. Comenzar con el proceso de la configuración.

11
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

Username: stise-XX (01,02…)

12
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

13
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

14
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

15
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

16
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

17
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

18
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

Task 02: Configurar Active Directory Certificate

1. Click al Icono de Notificaciones > Post Deployment Configurations

2. Specificar las credenciales para configurar los roles

19
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

20
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

21
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

22
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

23
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

24
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

3. Generacion CSR y firma (CA)

Task 01: Generacion del CSR - ISE PRI

3. Ingresar al ISE primario ( https://172.21.XX.33) para generar el CSR.

Administration > System > Certificate > Certificate Signing Requests > Generate
Certificate Signing Requests (CSR).

4. Ingresar la siguiente informacion:

a. Usage: Multiuse
b. Node: Check (isepri)
c. Subject
i. Common Name: isepri.lab.com
ii. Organizational Unit (OU): IT
iii. Organization (O): LAB
iv. City (L): Lima
v. State (ST):Lima
vi. Country(C):PE
vii. Key Type: RSA
viii. Key Length: 4096
ix. Digest to Sign With: SHA-256

25
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

d. Click Aceptar > Export

26
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

Task 02: Firma de CSR ISE PRI

1. Ingresar a la siguiente URL http://172.21.XX.35/certsrv (Ingresar las credenciales

de Administrador Administrator/Pass123$)

2. Seleccionar la opción “Request a certificate”

27
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

3. Seleccionar la opción “Submit a certificate Request”.

4. Ingresar el CSR con el formato Base-64/PKCS#10/PKCS#7 en la sección Saved

Request, comenzando desde toda la cadena.
“-----BEGIN CERTIFICATE REQUEST-----”, hasta finalizar la cadena ----- “END
CERTIFICATE REQUEST-----“

• Seleccionar la opción Certificate Template “Web Server” y Click en Submit

28
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

5. Descargar el csr firmado “Download certificate” y renombrar el archivo como

ISEPRI

29
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

6. Ingresar nuevamente a la siguiente URL http://172.21.XX.35/certsrv (Ingresar las

credenciales de Administrador Administrator/Pass123$) y descargar el cerficado
del CA “Download a CA Certificate”

7. Seleccionar la opción “Download CA Certificate” y renombrar al archivo como CA.

30
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

Task 03: Importar el CA de Windows

1. Ingresar al nodo ISE PRI ( https://172.21.XX.33) y diriguirse hacia la sección

Administration > System > Certificates > Certificate Management > Trusted
Certificates

2. Seleccionar la opción Importar y cargar el certificado del CA de Windows

“certnew”
a. Friendly Name: CA-DC
b. Check : Trust for Authentication within ISE
i. Trust for client authentication and Syslog
ii. Trust for certificate-based admin authentication
c. Click Submit

31
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

Task 04: Importar el CSR ISE PRI Firmado por el CA

1. Diriguirse hacia Administration > System > Certificate Management > Certificate
Signing Requests > Seleccionar el CSR generado anteriormente.

32
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

2. Seleccionar la opcion Bind Certificate y cargar el certificado firmado por el CA.

a. Seleccionar las siguientes opciones

i. Admin
ii. EAP Authentication
iii. RADIUS TLS
iv. ISE Messaging Service
v. Portal
• Seleccionar Portal group Tag (Default Portal Certificate
Group).

OBS: Saldra una advertencia cuando se seleccione las opciones (Marcar OK).

b. Click Submit

33
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

34
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

OBS: Se reinician los procesos del ISE

Task 05: Importar el CSR ISE SEC firmado por el CA.

1. Realizar el mismo procedimiento para el nodo ISE SEC.

35
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

4. Configuracion HA ISE
Task 01: Validar resolucion de Dominios

• En el nodo ISE PRI validar la resolución del fqdn del ISE SEC (Ingresar mediante
CLI)

isepri/admin# ping isepri.lab.com

PING isepri (172.21.50.33) 56(84) bytes of data.
64 bytes from 172.21.XX.33: icmp_seq=1 ttl=64 time=0.102 ms
64 bytes from 172.21.XX.33: icmp_seq=2 ttl=64 time=0.119 ms
64 bytes from 172.21.XX.33: icmp_seq=3 ttl=64 time=0.070 ms
64 bytes from 172.21.XX.33: icmp_seq=4 ttl=64 time=0.156 ms

--- isepri ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 67ms
rtt min/avg/max/mdev = 0.070/0.111/0.156/0.033 ms

isepri/admin#

• En el nodo ISE SEC validar la resolución del fqdn del ISE PRI (Ingresar mediante
CLI)

isesec/admin# ping isesec.lab.com

PING isesec (172.21.50.34) 56(84) bytes of data.
64 bytes from 172.21.XX.34: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 172.21.XX.34: icmp_seq=2 ttl=64 time=0.066 ms
64 bytes from 172.21.XX.34: icmp_seq=3 ttl=64 time=0.072 ms
64 bytes from 172.21.XX.34: icmp_seq=4 ttl=64 time=0.170 ms

--- isesec ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 58ms
rtt min/avg/max/mdev = 0.066/0.107/0.170/0.042 ms

isesec/admin#

Task 02: Convertir Nodo Primario de Standalone a Primario

• Administration > System> Deployment > Edit (ISEPRI), Click Primary

• Click Save

36
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

Task 03: Registro de nodo Secundario en el nodo Primario.

• Administration > System> Deployment > Deployment Nodes >Click Register

• Click Next

37
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

• Habilitar los roles

o Administration
o Monitoring: Primary
o Policy Service
o Enable Profiling
• Click Submit

OBS: Este proceso puede llevar 15 min o mas (reinicio del nodo Secundario y sincronización).

38
Identity Service Engine 3.2
 Cisco Identity Service Engine 3.2

39
Identity Service Engine 3.2