As I've mentioned before, ISE is a pretty involved piece of equipment in your network; there is a lot to configure, a lot of tweaking and tuning that you have to do. What we're going to take a look at in this lesson, the final lesson of this module, is basically an identity system quick start.

I'll give you an understanding of some of the basic configurations that are necessary to get something like 802.1X running in monitor mode using the native Windows supplicant: what do we do on the Cisco switch to act as the authenticator, and what do we do on ISE to set up the basic authentication server functions. We'll talk in this lesson about how to configure the switch for AAA, we'll take a look at the RADIUS and 802.1X components as well, and then the configuration of local users and network access devices in ISE, and then we'll look at ISE and 802.1X configured in monitor mode. We'll build on this discussion in future lessons by looking at some of the more advanced configurations as well.

So we're going to talk about how we log into the ISE platform, describe the organization of the ISE GUI (the graphical user interface), and how to use the internal user database on ISE. Later on we'll learn how to integrate ISE with LDAP and Active Directory. We'll describe our NADs, the network access devices that allow us to act as authenticators, and the default authentication policy that exists in Cisco ISE. We'll take a look at the 802.1X authenticator configuration procedures, describe the basic global AAA settings, describe how to configure RADIUS peering if we want to incorporate additional RADIUS components, take a look at the 802.1X global and port settings for monitor mode and the Windows native supplicant, and then describe how to verify authentication both on the ISE platform and on the switch itself.

All right, the GUI, the graphical user interface, is essentially the primary way that we configure and administer the ISE platform. You access the GUI using HTTP.
Prior to logging into the GUI you have to have the basic configuration settings in place. When you boot up an ISE appliance for the first time there's a basic wizard in the CLI that you walk through; it's like a setup script that allows you to identify the DNS, NTP, gateway and IP address information and so on for the ISE platform. It's a very, very basic command-line interface just to get the basic configuration established for ISE before you can access it through the GUI.

There are separate administrator accounts for the CLI and for the GUI. The setup script allows us to define those two accounts, and we can establish identical credentials for both of them. But any changes to an account after that initial assignment do not automatically get reflected to the other account. So if I change the CLI account login information at some point after the accounts were established through the initial wizard, that only affects that account; it doesn't affect the GUI account as well. If you want to keep those identities synchronized you have to change them both manually.

So you simply go to the URL of the platform. You don't actually have to type in /admin/login.jsp; if you just go to http:// followed by the IP address of the ISE server or appliance, you'll be redirected to that URL, which is basically the default URL to log into ISE. We're going to be doing some labs a little later on, maybe not today, but first thing tomorrow we'll probably jump into a couple of different labs where you get to configure this stuff.
Once you get in, the GUI itself has essentially four major functions. You've got your home screen, which is like your little dashboard; it gives you the status of the platform at that particular time: how many guests you have, how many total endpoints have been authenticated, how many profiled endpoints, posture compliance, etc. Just like any security appliance, the GUI provides us that functionality. Then we've got an Operations menu, basically monitoring, reporting, troubleshooting tools, etc. You've got a Policy menu, which provides really everything that you essentially do on the system: all the ISE policies, authentication, authorization, profiling, posture assessment policies and so on. And then you have your Administration menu, basically providing the configuration components for the ISE deployment itself: licensing, certificates, backup and restore. This is also where we add all of our network resources, our RADIUS server sequences, external RADIUS servers and so on. So basically the components that the platform itself is going to use to perform all of its policy functions are defined under the Administration screen as well.

In ISE we have the ability to integrate with LDAP as a back-end authentication credential data store, but we can also maintain a local data store, what we call the internal user database. That provides us a basic repository of users. Initially you may want to deploy ISE this way; that's typically how we deploy ISE: implement some of the most basic functions first, test the validity and functionality of those particular functions, and then start to layer on or incorporate additional functions after we've verified successful operation of those critical functions in the beginning.
So a local user database is a way to do that without relying on integration with LDAP or Active Directory and having another point of troubleshooting and testing. Obviously, for easier management of user accounts it's probably better to use some sort of external database, but we can do this internally as well. EAP-TLS and PEAP-TLS don't use password-based authentication, so the internal database itself does not support those particular protocols; in that case we need certificate-based authentication, and we'll take a look at that later on as well.

All right, NADs, network access devices: these are our RADIUS clients. ISE obviously provides the RADIUS server functionality, and a NAD is basically any device that performs the role of authenticator. Remember you have three major components in 802.1X: the supplicants, the authenticators and the back-end authentication server. The authenticators act as a proxy between the supplicants themselves and the Cisco ISE platform, the authentication server. They're responsible for enforcing authorization policies like VLAN assignments, downloadable ACLs, etc.; we apply those to the network access devices as well. ISE decides whether the client traffic should be permitted into the enterprise network and what enforcement mechanisms are applied, but ISE doesn't actually facilitate that restriction. It simply defines the policy; it might even store some of the policy parameters like downloadable ACLs, but then it pushes those policies out to the network access device, and the network access device is directly responsible for implementing and enforcing them. Those options could include dynamic VLAN assignment, downloadable ACLs or the application of Security Group Tags.
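The authenticator side of what was just described, as an added example that is not part of the lecture or its lab materials: a Cisco IOS switch configuration that points AAA at ISE and puts one access port in 802.1X monitor mode, followed by the show commands used to verify it on the switch. The ISE address 10.1.1.10, the shared secret, the VLAN and interface numbers and the server names are assumptions; the `radius server` block is the IOS 15.x / IOS-XE syntax (older images use `radius-server host`), and `ip device tracking` is the legacy form of what IOS-XE 16.x calls `device-tracking`.

```cisco
! Global AAA: hand 802.1X authentication, network authorization (VLAN, dACL, SGT)
! and accounting to the RADIUS server group "ISE".
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! RADIUS server definition. Address and secret are assumptions; the secret must
! match the one entered on the NAD object in ISE for this switch.
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key Str0ngSharedSecret
!
aaa group server radius ISE
 server name ISE-PSN1
!
! Send the Cisco VSAs (dACL names etc.) and accept Change of Authorization from
! ISE so a policy change can be pushed to a session that is already up.
radius-server vsa send authentication
radius-server vsa send accounting
aaa server radius dynamic-author
 client 10.1.1.10 server-key Str0ngSharedSecret
!
! dACLs are applied per endpoint IP, so the switch has to learn endpoint IPs.
ip device tracking
!
! Turn on 802.1X globally; without this no port will authenticate at all.
dot1x system-auth-control
!
! Access port in monitor mode. "authentication open" keeps the port forwarding
! whatever ISE answers, so you can watch the results on ISE and fix the policy
! before anything is enforced. Removing that one line moves the port to closed mode.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification on the switch (exec mode):
!   show authentication sessions interface GigabitEthernet1/0/1 details
!   show dot1x all
!   show aaa servers
!   test aaa group ISE testuser testpass new-code
!   debug radius authentication
```

On the ISE side the switch's source IP goes into the NAD object with the same shared secret; a mismatch shows up on the switch as the server never marking the request answered and on ISE as a RADIUS shared-secret failure in the live authentication log under the Operations menu. A Windows client will not even start 802.1X on a wired port unless its Wired AutoConfig (dot3svc) service is running, so that is the first thing to check when `show authentication sessions` reports the session fell through to MAB. And remember that in monitor mode a failed authentication still leaves the port forwarding, which is exactly why it is the first step and not the last.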
Some different types of network access devices could include the switches in your network, ASAs, wireless LAN controllers and so on. As you can see here, a lot of the settings are optional; there are very few settings within the NAD configuration that are required. You can tell what's required by the little asterisk next to the setting; the other components are not necessarily required. You're going to be doing a lab exercise where you set up these various components: you're going to be adding a switch, for example, as a network access device. The device name, the IP address and the network device group settings are all required, based on the asterisks that you see there, but things like SNMP and the security group access parameters, which are used for TrustSec, are all optional, and it just depends on what you're doing in your enterprise whether or not you decide to configure those components.

The network device groups can be helpful because you can identify different types of device groups in the organization and then, based on that association, apply different properties to those device groups. ISE actually utilizes two different device group hierarchies, device type and device location, and based on those we can apply different parameters to the devices themselves. We'll take a look at that a little later on and see how that plays into the role of configuration by assigning the device type.