Security PoC Firepower 6.3.0 PxGrid Lab with ISE Created by UD
Posted: Sun Dec 23, 2018 6:36 pm
PoC Security lab for free time. PxGrid studies. Firepower FMC integration with AD and ISE.
Used nodes in Lab:
IOL L2 i86bi_LinuxL2-AdvEnterpriseK9-M_152_May_2018.bin
IOL L3 i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin
Firepower FTD 6.3.0
Firepower FMC 6.3.0
ISE 2.4
Linux Docker hosts as www servers and Mgmt station
Windows Server 2019 Standard as AD, CA, DNS
Tasks:
1. Integrate PxGrid Secure connection between ISE and FMC using Server 2019 CA. Realm is AD for FMC.
2. Establish CTS SXP connection between SW1 and ISE, CTS PAC
3. Configure SW1 interface e1/2 for MAB_PC authentication
4. Configure SW1 interface 1/3 for Corporate user using dot1x
5. MAB_PC acts like a guest and should be tagged with SGT MAB_GROUP
6. DOT1X represents a corporate user and must receive SGT DOT1X_GROUP
7. Both user groups are assigned to VLAN 11. VLAN 11 is received after successful authentication with ISE.
8. Configure FTD policy:
8.1. The MAB users' group is allowed access to dmz1.eve.lab ONLY, using the http protocol
8.2. DOT1X group users must have access to all destinations except dmz1.eve.lab
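An added example, not part of the original post, of how the SW1 side of tasks 2, 3, 4 and 7 could look in IOS. It assumes ISE at 10.10.10.10, an SW1 SXP source address of 10.10.10.2, a shared secret `ISE-secret`, that "interface 1/3" means e1/3, and that ISE's authorization profiles return VLAN 11 plus the SGT (all constructed placeholders, not values from the lab).

```cisco
! Added example: SW1 (IOS) configuration for tasks 2-4 and 7.
! Constructed placeholders: ISE at 10.10.10.10, SXP source 10.10.10.2,
! RADIUS shared secret / PAC key "ISE-secret".
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network cts-list group radius
aaa accounting dot1x default start-stop group radius
!
! ISE as RADIUS server; the PAC key lets SW1 provision its CTS PAC from ISE
radius server ISE
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 pac key ISE-secret
!
! CTS device credentials must match the network device entry defined in ISE
! (exec command, not config mode): cts credentials id SW1 password ISE-secret
cts authorization list cts-list
!
! Track host IP addresses so IP-to-SGT bindings can be built after auth
ip device tracking
!
! Task 2: SXP to ISE; SW1 speaks IP-SGT bindings to ISE, which then
! exposes them to FMC over pxGrid
cts sxp enable
cts sxp default source-ip 10.10.10.2
cts sxp default password ISE-secret
cts sxp connection peer 10.10.10.10 password default mode local speaker
!
dot1x system-auth-control
!
! Task 7: VLAN 11 must exist locally; ISE assigns it dynamically on success
vlan 11
 name USERS
!
! Task 3: MAB only for the guest-like MAB_PC (ISE returns SGT MAB_GROUP)
interface Ethernet1/2
 description MAB_PC
 switchport mode access
 authentication port-control auto
 authentication order mab
 mab
!
! Task 4: 802.1X for the corporate user (ISE returns SGT DOT1X_GROUP)
interface Ethernet1/3
 description DOT1X corporate user
 switchport mode access
 authentication port-control auto
 authentication order dot1x
 dot1x pae authenticator
```

Verify with `show cts sxp connections` (state should be On) and `show authentication sessions interface e1/2 details`, which lists the VLAN and SGT ISE returned for the session.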