ccie.security lab - other vms, part I - Cisco ISE, ACS and vWLC
The official CCIE Security blueprint contains a lot of features that are not related to standard routing/switching or firewall services. It's about secure access: identity management, AAA (authentication, authorization, accounting) and many other features such as 802.1X or using AD to authenticate network users and administrators. All these systems can be easily deployed as standalone virtual machines within the ESXi hypervisor and interconnected with all the devices in UNL (routers, switches, ASA firewalls, IPS ...).
Cisco ISE 1.2
Although Cisco has already released the new major version (2.0), let's use 1.2, as it's noted to be enough for the current CCIE Security exam. I have downloaded the ISO image from the Cisco download section (ise-126.96.36.199.x86_64.iso) and uploaded this file to my ESXi for faster deployment. It will be much easier to boot and install the ISE from CD media. So let's start ...
1. Create the VM
Just create a new VM in vSphere by clicking on the new VM menu and follow these steps - select the "Custom" configuration method because there are a few extended options we can adjust.
Use any name for your ISE VM; it will be the name of the virtual machine within the ESXi environment.
Let's use the default setting for the VM version - v8.
Select the Linux version and specify Red Hat 5 64-bit.
The following four steps depend on your possibilities, as they're about CPU, RAM, storage and network options. I'm using 2 CPU cores, at least 4GB of RAM (don't assign less) and one NIC, which is enough; there is no need for separate networks or any kind of backend network. It is strictly stated that we must use at least 60G for the evaluation version, but the installation failed several times until the storage was set to 80G or 100G, therefore I'm using 100G for ISE with thin provisioning, so the real size of the ISE VM disk isn't that high.
Let's check the summary to make sure we haven't missed anything important and create the VM.
2. Run the VM
After we create the VM, start it and click on the console icon (or access the terminal console by another method); then you'll be able to assign the ISO image from the local datastore to the CD media.
3. Install the ISE engine
Then press CTRL+ALT+INSERT to reboot the guest OS (ISE VM) and wait for the ISE boot menu where you can choose the action - select number 1 - ISE installation (KB/Monitor) and wait till the blue installer starts and installs all necessary files to the VM's disk.
The copy process is not that long, it may take approx. 10 minutes; then a reboot is initiated. Don't be afraid if you see the following screen with no other activity for several minutes. I thought it had failed but it resumed suddenly. If you get the login prompt as depicted below, just type "setup" to log into the ISE and run the interactive configuration setup utility.
Then follow the guide and configure all the requested details - the most important are the IP address, mask and default gateway. All other information can be set later through the web interface.
After setting the password, the installation procedure begins, and although it states it will take 15 minutes, it took me approx. 70 minutes to complete the whole installation! After it's completed, you should see the Cisco ISE login prompt.
4. Use ISE
There is no need to log in to the ISE CLI, but it's possible with the admin account that was created during the installation; the same credentials work if you log in to the ISE VM via SSH. The most user-friendly access method is the web GUI: just go to https://IP and you should see the web login screen.
The last thing is to check the licenses to be sure it's the full evaluation version, which is valid for 90 days from deployment. It's up to you whether to spend the time creating this VM again this way, or to take a snapshot now and redeploy the ISE VM from it after your eval license expires.
Cisco ACS 5.3
The second security system is Cisco Access Control Server, which can also be obtained as an ISO image from the official Cisco download section. Let's use the same approach - copy the ISO file to the local datastore on ESXi for better performance during the installation ...
1. Create the VM
The process is the same as with the ISE; let's just summarize the VM overview.
2. Run the VM and install the ACS
Again, a very similar menu with the first option to install ACS. And again, the eval license needs at least 60G of disk space; I'm using 80G because when I tried to deploy the ACS on a 60G disk, the main service didn't start and ACS wasn't working at all. The same goes for memory - if you use less than 4G, the install process won't fail but the main app won't start.
After the installation process, wait for the login prompt and log into the ACS with the username "setup"; that will run the interactive setup and make the configuration much easier. Follow the instructions and see what is required.
3. Use ACS
And we are done. As with the ISE console, we can use the web GUI directly, so if you see the login prompt, all is done and the system is ready to use.
Just use https://IP in your browser and try to log in. The default web username/password is ACSadmin/default ... so don't try to log into the web GUI with the user you created during the setup.
And finally, apply and check the license. The evaluation (90 days) license can be obtained from the Cisco License Portal and applied by selecting the lic file. Then you'll see the ACS logo with the eval license information.
Cisco vWLC 7.4
The wireless portion of the CCIE Security track is not that significant; mostly the connection between the wireless controller and ISE/ACS is what matters. I have one Cisco AIR 1131, so it's mandatory to use an earlier controller version, esp. 7.x ... that's the reason I'm deploying vWLC 7.4 here. I downloaded AIR-CTVM-7-4-140-0.ova from the Cisco download section, and it makes my life much easier as it's an OVA package that will be deployed automatically on the ESXi server.
Let's click on File, deploy the OVA/OVF image, select the AIR .ova file and click NEXT in almost all steps.
Then just start the VM, wait for the first boot screen with the menu (one option only) and wait till the installation is completed. Then terminate the autoinstall process and follow the configuration guide.
The most important thing to know is that there is a service interface and a management interface, and these interfaces have to be in different subnets, so I assigned 10.0.0.63 (my management LAN) to the management interface and a dummy IP address (192.168.1.1/24) to the service interface. All this information can be changed through the web GUI. When the config is done, the web GUI is normally reachable via the management IP.
Again, as with the ISE, this eval license is enabled automatically and no additional action is needed (whereas with ACS we must download and activate the eval version). Let's log into the web GUI with the credentials you set during the config wizard and check the licensing.
Last note about Firefox
I'm using Mozilla Firefox for most of my tasks - work and personal stuff alike - so I was disappointed that ISE and ACS were not compatible with FF. But I have found I can just disable the SSL.rsa.aes ... just go to about:config and set
That's it! How easy ... enjoy and good luck!