LAB 3.2
REAL LABS
www.cciesecuritylabs.com
CCIESECURITYLABS.COM
Final Release
03-JUNE-2014
Initial Guidelines
1. Read all of the questions in a section before you start the configuration. It is even recommended that
you read the entire lab exam before you proceed with any configuration.
2. Exam questions have dependencies on each other. Read through the entire workbook to help identify
these dependencies and the best order of configuration. Sections do not have to be completed in the
order presented in the workbook.
3. Most questions include verification output that can be used to check your solutions.
Highlighted sections in the verification output MUST be matched to ensure correctness.
4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware
issues in your equipment, contact the onsite lab proctor as soon as possible.
5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before
starting the exam, confirm that all devices in your rack are in working order. During the exam, if any
device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure
that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot
be marked and may cause you to lose substantial points.
6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.
7. Points are awarded only for working configurations. Towards the end of the exam, you should test the
functionality of all sections of the exam.
8. You will be presented with preconfigured routers and switches in your topology. The routers and
switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP,
VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the
preconfigurations at any time, unless the change is specified in a question.
9. Throughout the exam, assume these values for variables if required:
- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11.
- SS is your Site ID for the lab exam location; read the next page for your location.
- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the
following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are
instructed to do so.
- X is your router number. For example, the value of X for Router 1 is 1; for Switch 1 & 2 it is 7 & 8
respectively.
- Z is any number.
10. You are allowed to add static and default routes (if required) on any device.
11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure
that the additional addressing does not conflict with a network that is already used in your topology.
Routing protocols preconfigured are shown in the Lab Routing Diagram.
12. Full access to the VMWare ESXi Server from your workstation is provided. Use the username admin
and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS,
Test-PC and Cisco ISEs as required in the question.
13. All device names, access information and username/password combinations are summarized on the
following pages. Do NOT change these settings.
Software Versions
Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release
12.2SE/15.0(x)SE
Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x,
8.6x
Cisco IPS Software Release 7.x
Cisco VPN Client Software for Windows, Release 5.x
Cisco Secure ACS System software version 5.3x
Cisco WLC 2500 Series software 7.2x
Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
Cisco WSA S-series software version 7.1x
Cisco ISE 3300 series software version 1.1x
Cisco NAC Posture Agent v4.X
Cisco AnyConnect Client v3.0X
Username | Password
cisco    | Cisco
cisco    | Cisco
cisco    | 123cisco123
admin    | ironport
cisco    | Cisco123
ciscoAP  | CCie123
admin    | Cisco
admin    | Cisco123
admin    | Cisco123
Test-PC  | Cisc0123
Topology 4 : layer 2
Topology 5 : LOGICAL
points 2
Complete each task to provide basic connectivity and routing capabilities on ASA3.
1) ASA3 should be in single-context routed mode and configured using the information
in the table below:
Interface | Nameif  | Switch Vlans | Sec Level | IP Address
Gi 0/0    | outside | 3            | 0         | 7.7.3.8/24
Gi 0/2    | inside  | 4            | 100       | 7.7.4.10/24
Gi 0/3    | dmz     | 8            | 50        | 7.7.8.12/24

Network       | Next Hop
Default Route | 7.7.4.1
7.7.11.16/28  | 7.7.8.3
7.7.11.32/28  | 7.7.8.3
7.7.0.0/16    | 7.7.3.2
Allow NTP access for 7.7.0.0/16 network from outside and dmz
ASA3 should sync its NTP from SW1.
Verification:
ASA3#ping 7.7.3.2
ASA3#ping 7.7.4.1
ASA3#ping 7.7.5.3
1.2
points 2
Config URL
c1.cfg
c2.cfg
admin.cfg
You can modify the Catalyst switch configuration to complete this task.
When the task is completed, ensure that you are able to ping from ASA1
ASA1/C1#ping 7.7.8.3
ASA1/C1#ping 7.7.4.1
ASA1/C1#ping 150.1.7.20
Use exact names and numbers as shown in the table
Context c1 initialization details:
Interface | Type     | Nameif  | Switch Vlans    | Sec Level | IP Address
Gi 0/2    | Physical | inside  | 3               | 100       | 7.7.3.10/24
Gi 0/0    | Physical | outside | 55 (diagram=33) | 0         | 7.7.55.10/24

Network    | Next Hop
0.0.0.0/0  | 7.7.3.2
7.7.0.0/16 | 7.7.55.3
7.7.4.0/24 | 7.7.3.2

Second context initialization details (interface column not given in the table):
Interface | Type     | Nameif  | Switch Vlans | Sec Level | IP Address
          | Physical | inside  | 8            | 100       | 7.7.8.10/24
          | Physical | outside | 5            | 0         | 7.7.5.10/24

Network     | Next Hop
7.7.0.0/16  | 7.7.5.3
0.0.0.0     | 7.7.5.3
7.7.11.0/24 | 7.7.8.3
1.3
points 2
1.4
points 2
Configure ASA4 as a single-mode firewall to be deployed between SW3 and SW6.
You are required to complete the three tasks outlined below.
1) Initialize ASA4 using the following parameters:
Interface | Nameif  | Switch Vlans | Sec Level | IP Address
Gi 0/2    | Inside  | 99           | 100       | 7.7.99.10/24
Gi 0/0    | Outside | 14           | 0         | 7.7.14.10/24
Gi 0/1    | Backup  | 15           | 0         | 7.7.15.10/24
Enable OSPF on the inside interface and outside interface.
Ensure that networks 10.10.110.0 and 10.10.120.0 are added to the routing table on ASA4 but
are not propagated into area 0. Verify by checking the routing table on R3.
Verify your solution by pinging from ASA4 as follows:
ASA4# ping 7.7.99.1
ASA4# ping 7.7.14.1
ASA4# ping 7.7.15.1
On R6, shut down interface gig0/1.2 and verify that the route to the server now points out
the backup interface on ASA4.
Bring Gig0/1.2 up and verify that the route is restored via the outside interface.
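The following ASA configuration is an added example for this task, not the workbook's answer key. It takes the interface table as given; the OSPF process id and area, the next hop 7.7.99.1 for the two WLC subnets, and the use of a floating default route for the backup path are assumptions made here.

```cisco
! ASA4 base configuration (added example, not the workbook's answer key)
hostname ASA4
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 7.7.99.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 7.7.14.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 7.7.15.10 255.255.255.0
 no shutdown
!
! OSPF only on inside and outside: the two network statements cover exactly
! those connected subnets, so the backup interface never forms an adjacency.
! Process id 1 and area 0 are assumptions (not stated in the task).
router ospf 1
 network 7.7.99.0 255.255.255.0 area 0
 network 7.7.14.0 255.255.255.0 area 0
!
! WLC dynamic-interface subnets: static routes give ASA4 a path, but with no
! "redistribute static" under router ospf nothing is advertised into area 0,
! so R3 must not see them. Next hop 7.7.99.1 is an assumption.
route inside 10.10.110.0 255.255.255.0 7.7.99.1
route inside 10.10.120.0 255.255.255.0 7.7.99.1
!
! Backup path: a floating default route out the backup interface. While R6's
! gig0/1.2 is up, the OSPF-learned route to the server wins by longest match
! (and AD 254 keeps this entry from beating an OSPF-learned default, AD 110).
! When R6 shuts gig0/1.2 and the OSPF routes are withdrawn, traffic to the
! server falls through to this route and exits the backup interface.
route backup 0.0.0.0 0.0.0.0 7.7.15.1 254
```

Check the switch-over with show route before and after shutting gig0/1.2 on R6: the server prefix should appear as an OSPF route via outside first, then disappear and be covered by the static default via backup.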
points 2
Configure network address translation (NAT) on the Cisco ASA4 using the information given below.
NAT control is required.
Configure address translation for traffic from host 7.7.7.2 such that traffic leaving either the
backup or the outside interface is mapped to the interface address.
Ensure that traffic sourced from the 7.7.0.0/16 network and destined to 7.7.0.0/16 or
150.1.0.0/16 is not translated, but is still able to transit ASA4.
Verify your solution using the packet-tracer command:
ASA4(config)# packet-tracer input inside icmp 7.7.7.2 0 8 7.7.15.1
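An added example of the NAT configuration this task describes, in pre-8.3 syntax (nat-control only exists in 8.2 and earlier). It is not the workbook's answer key; the ACL name and the explicit deny for 7.7.7.2 in the exemption list are choices made here.

```cisco
! ASA4 NAT, 8.2 syntax. Added example, not the workbook's answer key.
nat-control
!
! Host 7.7.7.2 is PAT'd to the address of whichever interface it leaves on.
! Both globals share NAT id 1, so one nat statement covers both egress paths.
nat (inside) 1 7.7.7.2 255.255.255.255
global (outside) 1 interface
global (backup) 1 interface
!
! NAT exemption: 7.7.0.0/16 -> 7.7.0.0/16 or 150.1.0.0/16 crosses untranslated.
! With nat-control on, a nat 0 rule is what lets this traffic transit at all.
! nat 0 access-list is evaluated before any other NAT rule, so 7.7.7.2 (which
! is inside 7.7.0.0/16) is explicitly excluded here; otherwise the verification
! packet to 7.7.15.1 would be exempted instead of mapped to the interface.
access-list NONAT extended deny ip host 7.7.7.2 any
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 7.7.0.0 255.255.0.0
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 150.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

The order matters: a deny inside a nat 0 ACL means "not exempt", and because exemption is checked first, the host rule must precede the /16 entries. The task's packet-tracer for 7.7.7.2 toward 7.7.15.1 should then show the dynamic PAT phase rather than an exemption.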
Configure network address translation (NAT) on the Cisco ASA3 using the information given below.
Configure NAT so that the HTTP and Telnet services running on SW1 via 20.20.20.1/24 are
statically port mapped to 7.7.3.20 on the outside and 7.7.8.20 on the dmz.
Verify your solution using the packet-tracer command:
ASA3(config)# packet-tracer input dmz tcp 7.7.8.3 1234 7.7.8.20 23
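An added example of the static port mapping for this task, not the workbook's answer key. Both syntaxes are shown because the workbook lists ASA 8.2 and 8.4 images; the ACL and object names are assumptions, and the example assumes ASA3 already has a route to 20.20.20.0/24 via the inside interface.

```cisco
! ASA3 static PAT for SW1 (20.20.20.1). Added example, not the workbook's answer key.
!
! --- 8.2 syntax ---
static (inside,outside) tcp 7.7.3.20 www 20.20.20.1 www netmask 255.255.255.255
static (inside,outside) tcp 7.7.3.20 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,dmz) tcp 7.7.8.20 www 20.20.20.1 www netmask 255.255.255.255
static (inside,dmz) tcp 7.7.8.20 telnet 20.20.20.1 telnet netmask 255.255.255.255
! Pre-8.3: inbound ACLs reference the MAPPED address.
access-list OUTSIDE_IN extended permit tcp any host 7.7.3.20 eq www
access-list OUTSIDE_IN extended permit tcp any host 7.7.3.20 eq telnet
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN extended permit tcp any host 7.7.8.20 eq www
access-list DMZ_IN extended permit tcp any host 7.7.8.20 eq telnet
access-group DMZ_IN in interface dmz
!
! --- 8.3+ syntax: one network object per mapping (an object holds one nat line) ---
object network SW1_WWW_OUTSIDE
 host 20.20.20.1
 nat (inside,outside) static 7.7.3.20 service tcp www www
object network SW1_TELNET_OUTSIDE
 host 20.20.20.1
 nat (inside,outside) static 7.7.3.20 service tcp telnet telnet
object network SW1_WWW_DMZ
 host 20.20.20.1
 nat (inside,dmz) static 7.7.8.20 service tcp www www
object network SW1_TELNET_DMZ
 host 20.20.20.1
 nat (inside,dmz) static 7.7.8.20 service tcp telnet telnet
! 8.3+: inbound ACLs reference the REAL address instead.
access-list OUTSIDE_IN extended permit tcp any host 20.20.20.1 eq www
access-list OUTSIDE_IN extended permit tcp any host 20.20.20.1 eq telnet
access-group OUTSIDE_IN in interface outside
```

The difference in what the ACL matches (mapped address before 8.3, real address from 8.3 on) is the usual cause of a packet-tracer result that shows the NAT phase passing but the ACCESS-LIST phase dropping.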
points 5
R4 and R5 should be configured for zone-based firewall with their outside interface being on
the 7.7.2.0/24 subnet. Allow the following protocols:
Protocol | Action
Ospfv4   | Allow
Ospfv6   | Allow
AH       | Allow
ESP      | Allow
Telnet   | Allow
ICMP     | Allow
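An added example of a zone-based firewall that allows exactly the protocols in the table, written for R4 (R5 is configured the same way with its own interfaces). It is not the workbook's answer key: the interface names, zone names and the split between transit traffic (inspected) and router-terminated traffic (self zone) are assumptions made here.

```cisco
! Zone-based firewall on R4. Added example, not the workbook's answer key.
! Interface names are assumptions.
!
! Transit traffic inside -> outside: stateful inspection of Telnet and ICMP,
! so return traffic is admitted without an explicit outside -> inside policy.
class-map type inspect match-any ZBF-TRANSIT
 match protocol telnet
 match protocol icmp
policy-map type inspect ZBF-IN-OUT
 class type inspect ZBF-TRANSIT
  inspect
 class class-default
  drop log
!
! Traffic to/from the router itself (self zone). OSPF, AH and ESP carry no
! session state the firewall can track, so they are "pass"ed in both
! directions; Telnet/ICMP aimed at the router are inspected.
ip access-list extended ZBF-SELF-V4
 permit ospf any any
 permit ahp any any
 permit esp any any
ipv6 access-list ZBF-SELF-V6
 permit 89 any any
 permit ahp any any
 permit esp any any
class-map type inspect match-any ZBF-SELF-PASS-V4
 match access-group name ZBF-SELF-V4
class-map type inspect match-any ZBF-SELF-PASS-V6
 match access-group name ZBF-SELF-V6
policy-map type inspect ZBF-SELF
 class type inspect ZBF-SELF-PASS-V4
  pass
 class type inspect ZBF-SELF-PASS-V6
  pass
 class type inspect ZBF-TRANSIT
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect ZBF-IN-OUT
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect ZBF-SELF
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect ZBF-SELF
!
interface GigabitEthernet0/0
 description outside (7.7.2.0/24)
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description inside
 zone-member security INSIDE
```

Because class-default in the self-zone policy drops everything else, any other protocol the router must originate or accept on its outside interface (NTP, RADIUS, SSH, and so on) has to be added to the pass or inspect classes; a drop of OSPFv3 hellos by that default class is the first thing to rule out when the neighborship in the next task does not come up.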
2) OSPFv3 is configured between R4 and R5; however, the OSPF neighborship is not being
established between them. Troubleshoot the issue so that the neighborship is established.
Verify your solution using:
points 5
R1 is configured for NTP with SW1; however, R1 is not able to synchronize its time with SW1.
Note: There are 2 breaks in this question, caused by misconfiguration, missing configuration or both.
Verify your solution using:
points 3
Settings:
- Sensor host name: RACKYYIPS, where YY is your two-digit rack number (for example, Rack01IPS
for Rack 01 or Rack40IPS for Rack 40)
- Command and control interface Management 0/0 in VLAN 4
- IP address: 7.7.4.100/24
- Default gateway: 7.7.4.1
- Access list: 7.7.0.0/16, 150.100.1.0/24, 151.ss.1.0/24, 150.1.7.0/24
- Enable telnet management
- The username/password for the IPS console is cisco and 123cisco123. DO NOT CHANGE THEM.
Use the console to initialize the Cisco IPS sensor appliance using the details in this table.
Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology
diagram). You can modify Cisco Catalyst switches configuration if required.
Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC:
IPS# ping 7.7.4.1
IPS# ping 150.1.7.100
Ensure that the following ping and telnet connections are successful from SW1:
SW1# ping 7.7.4.100
SW1# telnet 7.7.4.100
2.2
points 8
Configure the Cisco IPS sensor appliance for the inline interface pair as shown in the Lab Topology.
Use the information in the table below to complete the task:
Parameter      | Settings
Interface pair | G0/2, G0/3
Name           | C1
Vlans          | 55, 33
You are allowed to modify the switch parameters as appropriate to achieve this task.
Refer to the lab diagram for the required information.
You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate
PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall
and/or routing configuration to ensure that this works.
After configuring interface pairing, SW1 is not able to reach R6. Troubleshoot the faults so that SW1
is able to reach R6.
Note: There are 2 breaks in this question, caused by misconfiguration, missing configuration or both.
For testing, ensure that these pings are successful from R6.
2.3
points 2
Interface | Virtual Sensor | Signature Definition
Gi0/0     | vs0            | sig0
2.4
points 3
Alert-severity      | High
Signature-Definition | 2
2.5
points 6
The Cisco WSA has been initialized with IP address 7.7.4.150 and is connected via SW1 in VLAN 4.
Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.
Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport
Initialize the Cisco WSA appliance as follows using the system setup wizard:
Parameters            | Settings
Hostname              | Wsa.cisco.com
Interface             | M1 to be used for data and management
Ip Address            | 7.7.4.150/24
Default Gateway       | 7.7.4.1
System Information    | Admin:ironport, foobar@cisco.com, time:US/America/LA
NTP Server            | 7.7.4.1
DNS                   | 150.1.7.10
L4 Traffic Monitoring | Duplex: T1 (in/out)
You may have to reboot the WSA after configuring WCCP if show ip wccp shows
"Router identifier undetermined".
Use the following to verify your solution from the Test-PC:
points 6
An IPsec VPN has been partially configured between ASA3 and R6 using IKEv2.
Complete the configuration and troubleshoot the connection to ensure that IPv4 traffic
between SW1 interface lo0 (20.20.20.1) and R6 interface lo0 (192.168.6.1)
Use the following output to verify your solution:
R6#show crypto session
3.2
points 6
In this question R2 has been partially configured as the key server (KS), and R1, R4 and R5 are the group
members (GMs) that participate in a VRF-aware GETVPN deployment.
Complete the configuration of the spokes and troubleshoot the solution using the following
outputs to verify your solution (the highlighted sections are particularly important).
IPSec SA Number           : 1
IPSec SA Rekey Lifetime   : 600 secs
Profile Name              : Profile1
Replay method             : Count Based
Replay Window Size        : 64
SA Rekey
   Remaining Lifetime     : xxx secs
ACL Configured            : access-list VPNA
Group Server list         : Local

Group Name                : GET-GROUP2 (Unicast)
Group Identity            : 246
Group Members             : 3
IPSec SA Direction        : Both
Group Rekey Lifetime      : 500 secs
Group Rekey
   Remaining Lifetime     : XX secs
Rekey Retransmit Period   : 10 secs
Rekey Retransmit Attempts : 3
Group Retransmit
   Remaining Lifetime     : 0 secs

IPSec SA Number           : 1
IPSec SA Rekey Lifetime   : 600 secs
Profile Name              : Profile2
Replay method             : Count Based
Replay Window Size        : 64
SA Rekey
   Remaining Lifetime     : xxx secs
ACL Configured            : access-list VPNB
Group Server list         : Local
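The group-member side that has to register with the key server shown in the output above, as an added example rather than the workbook's answer key. Only the group name (GET-GROUP2) and identity (246) come from the page; the KS address, VRF name, pre-shared key, ISAKMP policy and interface are placeholders or assumptions, and the same skeleton applies to R1, R4 and R5.

```cisco
! GETVPN group member (spoke). Added example, not the workbook's answer key.
! <KS-ADDRESS>, <GM-VRF>, <PSK> and <GM-VRF-INTERFACE> are placeholders.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! VRF-aware GM: IKE toward the KS leaves on a VRF interface, so the keyring
! holding the KS pre-shared key must be bound to that VRF or IKE finds no key.
crypto keyring GET-KR vrf <GM-VRF>
 pre-shared-key address <KS-ADDRESS> key <PSK>
!
! Group name and identity must match the KS exactly (GET-GROUP2 / 246 in the
! output above); a mismatch is the classic reason registration never completes.
crypto gdoi group GET-GROUP2
 identity number 246
 server address ipv4 <KS-ADDRESS>
!
! A GDOI crypto map carries no ACL and no transform set of its own: the KS
! pushes the policy (access-list VPNA/VPNB, Profile1/Profile2, rekey timers)
! to the GM at registration.
crypto map GET-MAP 10 gdoi
 set group GET-GROUP2
!
interface <GM-VRF-INTERFACE>
 ip vrf forwarding <GM-VRF>
 crypto map GET-MAP
```

On the GM, show crypto gdoi should report the registration as complete and show crypto gdoi gm acl should list the KS-pushed entries from access-list VPNA or VPNB; on the KS, the Group Members counter in the output above should reach 3 once all three spokes have registered.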
3.3
points 4
The Cisco WLC 2504 has been bootstrapped with the following settings.
Complete the basic wireless configuration for two groups of users (admin & guest).
Parameters                | Guest       | Admin
Vlan Name                 | guest       | admin
SSID                      | guest       | admin
Dynamic-Interface Name    | dyint2      | dyint1
Dynamic-Interface Address | 10.10.120.2 | 10.10.110.2
Subnet                    | /24         | /24
Gateway                   | 10.10.120.1 | 10.10.110.1
Local Username/Password   | Guest/ cisco |
NOTE: To complete this question you may use the CLI or GUI, whichever is accessible.
Match the following OUTPUT:
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ dynint1
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
points 4
Enable MD5 authentication for OSPF in area 1. Use the key cisco123.
Match the Following OUTPUT:
4.2
points 5
The Cisco IPS sensor appliance should be configured in promiscuous mode on interface gi0/0.
A 10 Gig interface 1/1/1 is configured as a trunk between SW5 and SW6.
Monitor transmit traffic sourced from SW6 gig 1/0/1-2 & gig 1/0/5 that enters SW5 via Gi1/1/1.
You are allowed to modify the switch parameters as appropriate to achieve this task.
Refer to the Lab Topology diagram for the requested information.
Ensure that the sensor is seeing traffic successfully.
Match the Following OUTPUT:
For testing, the following command shows the traffic being monitored by this sensor.
IPS# packet display gigabitethernet0/0
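An added example of delivering the selected SW6 traffic to the sensor with RSPAN and enabling gi0/0 as a promiscuous interface on vs0; it is not the workbook's answer key. The RSPAN VLAN number and the SW5 port cabled to gi0/0 are assumptions.

```cisco
! RSPAN from SW6 to the IPS promiscuous port on SW5.
! Added example, not the workbook's answer key. VLAN 900 and the SW5 port
! toward gi0/0 are assumptions.
!
! On BOTH switches: the RSPAN VLAN must exist and be carried by the Gi1/1/1 trunk.
vlan 900
 name RSPAN-TO-IPS
 remote-span
!
! SW6: mirror only the transmit direction of the three ports into VLAN 900.
! A plain SPAN of Gi1/1/1 rx on SW5 would capture everything crossing the
! trunk; RSPAN on SW6 is what limits the copy to these source ports.
monitor session 1 source interface Gi1/0/1 - 2 , Gi1/0/5 tx
monitor session 1 destination remote vlan 900
!
! SW5: take the mirrored frames off the trunk and hand them to the sensor.
monitor session 1 source remote vlan 900
monitor session 1 destination interface <SW5-port-to-IPS-gi0/0>
!
! IPS: enable gi0/0 and attach it to vs0 as a promiscuous (physical) interface.
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

show monitor session 1 on each switch confirms the source/destination pairing, and the packet display command from the task should then show frames only from the three SW6 ports.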
4.3
points 5
Allow only web traffic from the SW3 loopback (63.63.63.0/24) to R3 (36.36.36.1), which is a
web server. Make sure other traffic is dropped. Use the access-list Transit_ACL already
preconfigured on R3. Ensure that packets matching the Transit_ACL are logged.
Match the Following OUTPUT:
points 4
Implement a solution on SW3 that restricts IP traffic on untrusted ports Fa0/2 and Fa0/3 to the addresses
of R4 and R5 respectively. Do not use DHCP snooping.
Verification:
SW3# show ip source binding aaaa.bbbb.cccc (active is highlighted)
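An added example of IP Source Guard driven by static bindings instead of the DHCP snooping database, not the workbook's answer key. The MAC addresses, IP addresses and access VLAN are placeholders to be read from R4 and R5.

```cisco
! SW3: IP Source Guard with static bindings, no DHCP snooping.
! Added example, not the workbook's answer key; <R4-MAC>, <R4-IP>, <R5-MAC>,
! <R5-IP> and <VLAN> are placeholders.
!
! Static entries populate the binding table that "show ip source binding" lists;
! each ties one MAC + IP to one port and VLAN.
ip source binding <R4-MAC> vlan <VLAN> <R4-IP> interface FastEthernet0/2
ip source binding <R5-MAC> vlan <VLAN> <R5-IP> interface FastEthernet0/3
!
interface range FastEthernet0/2 - 3
 switchport mode access
 switchport access vlan <VLAN>
 ! Untrusted port: only packets whose source IP is in the binding table for
 ! this port are forwarded; everything else is dropped in hardware.
 ip verify source
```

Because no DHCP snooping runs, the bindings never age out or refresh on their own; if R4 or R5 changes address the static entry must be updated by hand, and show ip source binding with the router's MAC (as in the verification) should show the entry as active on the expected port.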
5.2
points 6
The Cisco WLC should be configured to learn the IP addresses of attackers that have been shunned
by the Cisco IPS appliance. The WLC can then prevent these clients from joining any wireless network.
The following information should be used to complete this task:
Attribute             | Value
IPS Sensor IP address | 7.7.4.100
Port                  | 443
WLC/IPS username      | Wlc
WLC/IPS password      | 123cisco123
WLC wps index value   | 1
Verification:
5.3
points 4
Ensure strict uRPF is configured for web traffic sourced from the SW3 loopback (63.63.63.1) to the R3
loopback (36.36.36.1), and ensure you log the dropped packets using the preconfigured ACL on R3.
Make sure this does not affect question 4.3.
Match the Following OUTPUT:
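An added example covering question 4.3 (Transit_ACL on R3) and question 5.3 (strict uRPF on the same interface) together, not the workbook's answer key. The R3 interface toward SW3 is a placeholder; the contents of Transit_ACL are reconstructed from the task text, and the separate deny-only logging ACL for uRPF is an assumption explained in the comments.

```cisco
! R3: Transit_ACL (4.3) and strict uRPF with logging (5.3).
! Added example, not the workbook's answer key; <R3-interface-toward-SW3> is a
! placeholder and the ACL bodies are assumptions built from the task text.
!
! 4.3: only HTTP from the SW3 loopback range to the web server; every matching
! packet, permitted or denied, is logged.
ip access-list extended Transit_ACL
 permit tcp 63.63.63.0 0.0.0.255 host 36.36.36.1 eq www log
 deny   ip any any log
!
! uRPF semantics: a packet that FAILS the reverse-path check is then matched
! against the ACL named on the verify command. A permit entry there lets the
! spoofed packet through anyway (and logs it); a deny entry drops and logs it.
! A deny-only ACL therefore logs the drops without creating an exemption.
ip access-list extended URPF-DROP-LOG
 deny ip any any log
!
interface <R3-interface-toward-SW3>
 ! 4.3: filter transit traffic
 ip access-group Transit_ACL in
 ! 5.3: strict mode (reachable-via rx): the source must be routed back out
 ! THIS interface. Legitimate 63.63.63.1 -> 36.36.36.1 web traffic passes the
 ! check and is still evaluated by Transit_ACL, so 4.3 is unaffected.
 ip verify unicast source reachable-via rx URPF-DROP-LOG
```

Strict mode only works here if R3's route to 63.63.63.0/24 points back out the same interface the packets arrive on; on a multi-path design that is not the case, and reachable-via any would be the loose alternative. show ip interface on that interface reports the uRPF mode and drop counter, and show ip access-lists shows the log hit counts on both ACLs.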
The requirement is to add security to this connection through authentication and authorization
on SW6 using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to
move the phone into the voice VLAN.
Use the following information to complete this task:
- Create an Endpoint Identity for the IP Phone in your Rack on ISE1 (150.1.7.20)
- Verify that you have an authentication rule for MAB on the Cisco ISE.
- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a
permit on all traffic on ISE1.
- Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)
- Voice VLAN will support MAB for authentication
- Data VLAN will provide support for the Test-PC that must connect through Phone using
802.1X.
- SW6 must attempt a MAB authentication first after learning the MAC address of an Endpoint.
- If MAB is not successful, 802.1X endpoints should be allowed to connect.
Part B:
(5 points)
2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1
using the following information:
Attribute         | Value
Group Name        | Test-PC_Group
Username/Password | test-PC/Cisc0123
Access Type       | Access_Accept
Common Tasks      |
  DACL Name       | DATA_VLAN_DACL
  DACL Policy     | Permit ip any any
  Vlan            | 99
6.2
points 6
You are required to configure support for the Test-PC behind the Cisco IP phone via Local Web
Auth on SW6 (RADIUS source interface 7.7.99.1/vlan99) and ISE1 (150.1.7.20).
This builds on the solution to Q6.1.
The following tasks outline the requirement for this question:
Create an identity for a guest user on ISE1 that will be used for authentication. The
Web Auth should be added to the existing MAB and 802.1X policies from Q6.1 and used
as the fallback method.
Configure an Authorization profile and Authorization Policy rule for Web Auth as follows:
Attribute                         | Value
Name                              | WEB_AUTH
Description                       | Policy For Local Web Auth
Access Type                       | Access_Accept
Common Tasks                      |
  DACL Name                       | WEB_AUTH_DACL
  DACL Policy                     | permit icmp any any
                                  | permit udp any any eq domain
                                  | permit tcp any any eq www
                                  | permit tcp any any eq 443
  Vlan                            | 99
  Web Authentication (Local Web Auth)
Username                          | guest
Password                          | Cisco123
Pre-Web-Auth ACL (already on sw6) | PRE-WEB-AUTH
Note: Do not lock yourself out of SW6; take care with the default method.
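The switch-side configuration for question 6.1 (MAB first, then 802.1X, multi-domain port with voice VLAN 9 and data VLAN 99) and question 6.2 (Local Web Auth as the fallback, RADIUS sourced from VLAN 99), as one added example that is not the workbook's answer key. The RADIUS shared secret, the fallback profile name and the ip admission rule name are placeholders or assumptions; PRE-WEB-AUTH is the ACL the task says already exists on SW6, and the ISE-side profiles are configured in the GUI as described in the tables.

```cisco
! SW6 port g1/0/1: MAB -> 802.1X -> Local Web Auth (questions 6.1 and 6.2).
! Added example, not the workbook's answer key; <RADIUS-KEY> is a placeholder.
aaa new-model
! Keep console/vty logins local so the "default method" cannot lock you out.
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
! 6.2: RADIUS requests must come from 7.7.99.1 (SVI in VLAN 99)
ip radius source-interface Vlan99
dot1x system-auth-control
! Web auth needs the client's IP (from device tracking) and the switch's
! HTTP server to intercept the first browser request with the login page.
ip device tracking
ip http server
!
! Fallback profile: pre-auth ACL limits what an unauthenticated host may do
! (PRE-WEB-AUTH already exists on SW6); the admission rule triggers the portal.
ip admission name WEBAUTH-RULE proxy http
fallback profile WEBAUTH-PROFILE
 ip access-group PRE-WEB-AUTH in
 ip admission WEBAUTH-RULE
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 ! multi-domain: one phone in the voice domain plus one host in the data domain
 authentication host-mode multi-domain
 ! MAB runs first as soon as a MAC is learned; 802.1X follows if MAB fails
 authentication order mab dot1x webauth
 ! if both methods answer, the 802.1X result takes precedence over MAB
 authentication priority dot1x mab
 authentication port-control auto
 ! 6.2: Local Web Auth is the last resort when MAB and 802.1X both fail
 authentication fallback WEBAUTH-PROFILE
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

show authentication sessions interface GigabitEthernet1/0/1 is the place to confirm the result: the phone should appear in the VOICE domain authorized via mab, and the Test-PC in the DATA domain with VLAN 99 and the downloaded dACL, first via dot1x and, once the supplicant is disabled as the task requires, via webauth.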
To verify your solution you must disable 802.1X supplicant functionality on the Test-PC as
shown below:
: Authz Success
Domain
: DATA
: 99
: xACSACLx-IP-WEB_AUTH_ACL-5043b6tf
: N/A
Failed over