ISE work if you can get it…to work
I’ve decided to have a stab at CCNP Security and, to this end, thought a lab with an ISE server would be useful. This post covers how I set up the lab (nothing on doing anything with it!), as I found fewer resources detailing this than I expected. There may be better solutions available; this is just the one I found.
You’ll need a powerful machine. I’m using a fairly beefy laptop (Lenovo W530):
This is running VMware Workstation 16 and GNS3. The ISE server itself is available as an ‘ova’ file that you can download from Cisco (you get a 90-day evaluation licence).
When you import this into Workstation it creates a VM which needs 16GB of memory! With all my labbing going cloudy recently I never thought I’d stretch this laptop’s resources again, but this lab certainly has.
This is the GNS3 topology:
There are two virtual machines running Linux Mint, Mint10 and Mint20, spun up in VMware and attached to the Cisco L2 switch (switch-l2). Mint20 serves as the client to be used with the ISE server for authentication testing, and Mint10 provides admin access to the ISE server and to switch-l2 (which is actually routing between VLANs, so we’ll pretend the ‘l’ didn’t stand for ‘layer’). These two Mint machines have been imported into GNS3 following the procedure outlined here:
https://docs.gns3.com/docs/emulators/adding-vmware-vms-to-gns3-topologies/
(Having done this, it was subsequently necessary to run GNS3 as administrator when starting it up; otherwise there were errors creating the links between the virtual machines and the switch.)
Within VMware these two machines show as connected to the VMnet2 and VMnet3 adaptors respectively (though GNS3 adds about a dozen more on top of the ones already defined!).
I judged that the ISE VM, being so resource-hungry, was best de-coupled from GNS3 as far as possible, so I didn’t import it. Instead I created a LAN segment within VMware and put an interface of both the ISE VM and the GNS3 VM onto that segment. (Confusingly, this segment is called Mint; you can detect a little re-use and repurposing going on here.)
…and then within GNS3 I added a cloud connection to the GNS3 VM itself (not the local host) on the relevant interface.
A couple of other notes: I had to boost the Cisco L2 switch’s memory to get it to start without errors.
…and then I had to start GNS3 (run as administrator, don’t forget) and wait for the laptop and GNS3 VM to go green…
So we are effectively running four virtual machines: GNS3 runs on one, ISE on another, and the two Linux boxes on the remaining two. The Linux boxes and ISE connect to each other through the GNS3 L2 switch rather than through VMware or the host itself. Below shows the VMs and a browser on Mint10 connecting to the ISE server.
Taking a capture to confirm that…
…the HTTPS management traffic is going over the above link in GNS3
…and doing the same on the other link…
OK, I’m now ready to start playing with this lab.