CCIE Security v5.0 - Configuration - Question - Final Release - 10-03-2018 - Lab 1


www.passsecuritylabs.com Final Release LAB 1:10-Mar-2018

Configuration Lab
Lab 1
Real Labs
v5.0

www.passsecuritylabs.com

www.passseclabs.com 1 www.ccieseclabs.com

Pass Security Labs Policies:

1. We strongly discourage sharing of the workbook; workbooks are therefore mapped to the MAC address of one laptop or desktop. If the workbook is opened on a desktop or laptop other than the one with the registered MAC address, the account will be locked and we will not unlock it for any reason.

2. The workbook does not have print access; kindly do not request that printing be enabled.

3. Free updates are provided for 90 days from the date of purchase; after that, the account must be renewed to access the latest update. After 90 days the workbooks will cease to open.

4. To renew a subscription/account, renew within 90 days, before the account expires. Renewal after 90 days is possible, but it is treated as a new purchase; we therefore encourage renewing within 90 days of the purchase.

5. The renewal cost is 1999 USD if paid within 90 days; if renewal is missed, the cost is that of a new purchase. (The renewal price can be changed at any time without informing the client.)

6. Every workbook is uniquely identified for each user with hidden words. If a user shares his/her workbook with others and the system detects the share, the account will be banned and no explanation of any sort will be entertained.

7. For any queries regarding questions/solutions, contact us by email at support@passsecuritylabs.com or on Skype at cciesecuritylabs. Response time for any query is 24 hours.

8. We require the CSCO ID, CCIE number and official email ID for security purposes. The buyer should have passed the CCIE written exam and have a CCIE lab booked within 90 days. We do not sell without these details, and we verify the details provided, so please give us the correct CSCO ID and official email ID.

9. The workbooks are in secured PDF format and delivered via email.

10. The license is provided for only one device, and we do not issue the license again if the device crashes or company security policies prevent its use. Please install the license on the device carefully, as it will not be provided again.

11. We support devices running Windows, Mac OS, Android and iOS only.

12. We do not provide refunds under any circumstances once the product is sold.

13. This policy is in effect from 23 November 2016 with immediate effect for new clients and new renewals. Existing clients continue under the old policies until their accounts expire.

14. Updates are sent automatically to the registered email ID.

15. For any future update, check the update page on www.passsecuritylabs.com.

Task 1.1a: Configure ASA1_V and ASA11_V For Active-Standby Failover


Your configuration should meet the following requirements:

ASA1_V

Interface Gi0/0:
Address Primary Standby: 20.1.1.1/24 - 20.1.1.2/24
Name: outside

Interface Gi0/1:
Address Primary Standby: 10.1.11.1/24 - 10.1.11.2/24
Name: inside

Interface Management 0/0:
Address Primary Standby: 150.1.7.53/24 - 150.1.7.54/24
Name: mgmt
Security Level: 100

Failover:
Unit: Primary
Lan-Link interfaces: Gi0/2
Primary Standby: 10.10.11.1/24 - 10.10.11.2/24
Name: FO

EIGRP Routing:
Autonomous System: 12
Network: 10.1.11.0/24

EIGRP Authentication:
Mode: MD5
Key-ID: 1
Password: cisco


ASA11_V

Failover:
Unit: Secondary
Lan-Link Interfaces: Gi0/2
Primary Standby: 10.10.11.1/24 - 10.10.11.2/24
Name: FO

Note:
Make sure that all the interfaces are being monitored for this failover implementation.


Task 1.1b: Configure ASA2_V and ASA22_V For Active-Standby Failover.


Your Configuration should meet the following requirements:

ASA2_V

Interface Gi0/0:
Address Primary-Standby: 20.1.2.1/24-20.1.2.2/24
Name: Outside

Interface Gi0/1:
Address Primary-Standby: 10.1.22.1/24-10.1.22.2/24
Name: Inside

Interface Management 0/0:
Address Primary-Standby: 150.1.7.55/24-150.1.7.56/24
Name: mgmt
Security Level: 100

Failover:
Unit: Primary
Lan-Link Interface: Gi0/2
Primary-Standby: 10.10.22.1/24-10.10.22.2/24
Name: FO

EIGRP Routing:
Autonomous System: 12
Network: 10.1.22.0/24

EIGRP Authentication:
Mode: MD5
Key-ID: 1
Password: cisco

ASA22_V

Failover:
Unit: Secondary
Lan-Link interface: Gi0/2
Primary-Standby: 10.10.22.1/24-10.10.22.2/24
Name: FO


Note:

Make sure that all the interfaces are being monitored for this failover implementation.
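As an added worked example (not the workbook's solution), the ASA CLI below implements the Task 1.1a requirements on the primary unit and shows the minimal failover block the secondary unit needs. Task 1.1b follows the same pattern with the 20.1.2.x, 10.1.22.x and 10.10.22.x addresses. Security levels 0 for outside and 100 for inside are assumptions, since the task does not state them.

```cisco
! ASA1_V (primary) -- added example, not the workbook's solution
hostname ASA1_V
!
! EIGRP process first, so the interface-level authentication can reference AS 12
router eigrp 12
 network 10.1.11.0 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
 ! EIGRP MD5 authentication on the inside link: AS 12, key-id 1, key "cisco"
 authentication mode eigrp 12 md5
 authentication key eigrp 12 cisco key-id 1
 no shutdown
!
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 150.1.7.53 255.255.255.0 standby 150.1.7.54
 no shutdown
!
! Gi0/2 carries both the failover LAN link and the stateful link ("FO")
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
! Task note: every interface must be monitored. Physical data interfaces are
! monitored by default, subinterfaces are not; listing each nameif explicitly
! satisfies the requirement either way.
monitor-interface outside
monitor-interface inside
monitor-interface mgmt
failover
!
! ---- ASA11_V (secondary): only the failover block is typed here; the rest of
! ---- the configuration is replicated from the active unit once failover is up.
hostname ASA11_V
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover
```

Verify with `show failover` on both units (the three monitored interfaces should show as Normal and the pair as Active/Standby Ready) and `show eigrp neighbors` on the active unit. The standby unit receives the EIGRP and interface configuration through config replication, which is why nothing beyond the failover block is entered there.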


Task 1.2: Configure ASA1 and ASA2 for the Active-Active Failover
Your Configuration should meet the following requirements:

ASA1-System

Interface Gi0/0.1:
vlan: 2
Interface Gi0/0.2:
vlan: 3

Interface Gi0/1.1:
vlan: 4
Interface Gi0/1.2:
vlan: 5

Interface Gi0/2.1:
vlan: 6
Interface Gi0/2.2:
vlan: 7

Failover:
Unit: Primary
Lan Interface: Gi0/3
Primary-Standby: 10.100.201.1/24-10.100.201.2
Name: LAN

Link Interface: Gi0/4
Primary-Standby: 10.100.202.1/24-10.100.202.2
Name: STATE

Failover Group 1: Primary
Failover Group 2: Secondary

Contexts:
Name: admin
Allocate Interface: Management 0/0
URL: admin.cfg


Name: c1
Allocate Interfaces: GigabitEthernet0/0.1, GigabitEthernet0/1.1, GigabitEthernet0/2.1
Labels Respectively: inside_c1, dmz_c1, outside_c1
Join Failover Group: 1
URL: c1.cfg

Name: c2
Allocate Interfaces: GigabitEthernet0/0.2, GigabitEthernet0/1.2, GigabitEthernet0/2.2
Labels Respectively: inside_c2, dmz_c2, outside_c2
Join Failover Group: 2
URL: c2.cfg

ASA1-Admin

Interface Management0/0:
Address Primary-Standby: 150.1.7.57/24-150.1.7.58
Name: Management
Security Level: 100

ASA1-c1

Interface inside_c1:
Address Primary-Standby: 10.100.2.1/24-10.100.2.2
Name: inside

Interface dmz_c1:
Address Primary-Standby: 10.100.4.1/24-10.100.4.2
Name: dmz
Security Level: 50

Interface outside_c1:
Address Primary-Standby: 10.100.6.1/24-10.100.6.2
Name: outside

Address Translation:
Server5 should be accessible from outside using outside interface.
Network object used for the translation should be named “server5_c1”

Traffic Filtering:
Server5 should be accessible only from 192.168.10.0/24 network for the HTTP traffic at port 80 and
ICMP Echo message.
ACL for the traffic filtering should be named “server5_c1”


ACL should be network and host specific.

Static Routes:
Server5 network accessible via next hop R7
192.168.10.0/24 network accessible via next hop R9

ASA1-c2

Interface inside_c2:
Address Primary-Standby: 10.100.3.1/24-10.100.3.2
Name: inside

Interface dmz_c2:
Address Primary-Standby: 10.100.5.1/24-10.100.5.2
Name: dmz
Security Level: 50

Interface outside_c2:
Address Primary-Standby: 10.100.7.1/24-10.100.7.2
Name: outside

Address Translation:
Server6 should be accessible from outside using outside interface. Network object used for the
translation should be named “server6_c2”.

Traffic Filtering:
Server6 should be accessible only from 192.168.11.0/24 network for the HTTP at port 80 and ICMP
Echo messages.
ACL for the traffic filtering should be named “server6_c2”
ACL should be network and host specific.

Static Routes:
Server6 network accessible via next hop R8.
192.168.11.0/24 network accessible via next hop R9.


ASA2-System

Failover:
Unit: Secondary
Lan Interface: Gi0/3
Primary-Standby: 10.100.201.1/24-10.100.201.2
Name: LAN

Link Interface: Gi0/4
Primary-Standby: 10.100.202.1/24-10.100.202.2
Name: STATE

Note:
Make sure that all the interfaces are being monitored for this failover implementation.


Task 1.3: Configure ASA3 And ASA4 For Clustering.


Your Configuration should meet the following requirements:

ASA3-System

Interface Mode:
Spanned

Interface: Port-channel1
Subinterface: 1.8
Under: vlan 8

Subinterface: 1.9
Under: vlan 9

Subinterface: 1.10
Under: vlan 10

Interface: Gi0/0
Member of Channel-group: 1

Interface: Gi0/1
Member of Channel-group: 1

Cluster Group: ccie
Interface: Gi0/2
Address: 10.100.203.1/24
Unit Name: ASA3
Role: Master

ASA3-Admin

Cluster Management Pool:
Name: mgmt-pool
Range: 150.1.7.60-150.1.7.61

Management Interface:
Name: mgmt
Address: 150.1.7.59/24


Interface Port-channel 1.8:
Address: 10.100.8.1/24
Name: inside

Interface Port-channel 1.9:
Address: 10.100.9.1/24
Name: outside

Interface Port-channel 1.10:
Address: 10.100.10.1/24
Name: dmz
Security Level: 50

Address Translation:
Server3 should be accessible from inside via 19.16.103.14.
Network objects used for the translation should be named “server3” and “server3_t” for the real and translated addresses respectively.

Server4 should be accessible from inside via 19.16.104.14.
Network objects used for the translation should be named “server4” and “server4_t” for the real and translated addresses respectively.

Traffic Filtering:
Server3 (192.168.103.14) should be accessible only from security-group name “PC1” for HTTP traffic at port 80.
Server4 (192.168.104.14) should be accessible only from security-group name “PC2” for HTTP traffic at port 80.
ACL for the traffic filtering should be named “server3-4”.
ACL should be host specific.

Static Routes:
Server3 network accessible via next hop R14
Server4 network accessible via next hop R14

ASA4-System

Cluster Group: ccie
Interface: Gi0/2
Address: 10.100.203.2/24
Unit Name: ASA4
Role: Slave
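Added example for Task 1.3 (not the workbook's solution), showing the spanned-EtherChannel cluster bootstrap on both units and the data-plane configuration in one place. It assumes single-context mode (in multiple-context mode the data-plane lines go into the admin context), that Server3 and Server4 sit behind the dmz interface, and it uses R14_IP as a placeholder for the next hop the task names only as R14. The mapped addresses 19.16.103.14 and 19.16.104.14 are taken literally from the task text, while the ACL references the real addresses 192.168.103.14 and 192.168.104.14 as the filtering requirement states.

```cisco
! ASA3 system space -- added example, not the workbook's solution
cluster interface-mode spanned force
!
! Spanned EtherChannel: both units contribute Gi0/0 and Gi0/1 to Port-channel1
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 no shutdown
interface Port-channel1.8
 vlan 8
interface Port-channel1.9
 vlan 9
interface Port-channel1.10
 vlan 10
!
! Cluster control link on Gi0/2; the lowest priority value is preferred as master
interface GigabitEthernet0/2
 no shutdown
cluster group ccie
 local-unit ASA3
 cluster-interface GigabitEthernet0/2 ip 10.100.203.1 255.255.255.0
 priority 1
 enable
!
! ---- ASA4: same group, its own unit name and CCL address, lower preference
cluster group ccie
 local-unit ASA4
 cluster-interface GigabitEthernet0/2 ip 10.100.203.2 255.255.255.0
 priority 100
 enable
!
! ---- Data plane (replicated to every cluster member). 150.1.7.59 is the
! ---- cluster's main address; each unit takes its own address from the pool.
ip local pool mgmt-pool 150.1.7.60-150.1.7.61 mask 255.255.255.0
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 150.1.7.59 255.255.255.0 cluster-pool mgmt-pool
 no shutdown
!
interface Port-channel1.8
 nameif inside
 security-level 100
 ip address 10.100.8.1 255.255.255.0
interface Port-channel1.9
 nameif outside
 security-level 0
 ip address 10.100.9.1 255.255.255.0
interface Port-channel1.10
 nameif dmz
 security-level 50
 ip address 10.100.10.1 255.255.255.0
!
! Static twice-NAT with separate real and translated objects, as the task names them
object network server3
 host 192.168.103.14
object network server3_t
 host 19.16.103.14
object network server4
 host 192.168.104.14
object network server4_t
 host 19.16.104.14
nat (dmz,inside) source static server3 server3_t
nat (dmz,inside) source static server4 server4_t
!
! SGT-based filtering: the source is a security group whose IP-to-SGT mappings
! arrive over the SXP session of Task 3.5. Destinations are the real addresses.
access-list server3-4 extended permit tcp security-group name PC1 any host 192.168.103.14 eq 80
access-list server3-4 extended permit tcp security-group name PC2 any host 192.168.104.14 eq 80
access-group server3-4 in interface inside
!
! R14_IP is a placeholder; the task gives only the next-hop router name
route dmz 192.168.103.0 255.255.255.0 R14_IP
route dmz 192.168.104.0 255.255.255.0 R14_IP
```

`show cluster info` should list ASA3 as master and ASA4 as slave (the task's terms; newer releases call them control and data units). `show access-list server3-4` shows the security-group entries, which only match traffic once the SXP session of Task 3.5 has delivered the IP-to-SGT mappings for PC1 and PC2.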


Task 1.4: Configure Access Policy On NGIPS

Your configuration should meet the following requirements:

Rule 1: Permit the EIGRP routing process between R1 and R2.
R1 should be in the External Zone.
R2 should be in the Internal Zone.
Enable logging for the rule at the beginning of the connection.

Rule 2: Allow HTTP traffic at port 8080 from the 172.16.1.0/24 network to “Server1” and “Server2”.
172.16.0.1/24 should be in the External Zone.
“Server1” and “Server2” should be in the Internal Zone.
Enable logging for the rule at the beginning of the connection.

Rule 3: Allow HTTP traffic at port 8080 from the 10.1.22.0/24 network to “Server1” and “Server2”.
10.1.22.1/24 should be in the External Zone.
“Server1” and “Server2” should be in the Internal Zone.
Enable logging for the rule at the beginning of the connection.

Note:
Any information not provided to implement this task can be assumed by the candidate.


Task 2.1: Configure WCCP Redirection On R2 For Server1 and Server2 HTTP
Traffic Originated From “client_pc1”.

Your Configuration should meet the following requirements

1) Traffic should be redirected to the WSA at 150.1.7.213.
2) WCCP communication between R2 and the WSA should be authenticated using the password “cisco”.
3) Any traffic filtering applied should be network and host specific for HTTP port 8080.
4) Use GRE as the forwarding and return method.

Note:
This task can only be verified after the successful implementation of Task 1.1a, Task 1.4 and Task 4.1 (to be able to perform an end-to-end connectivity test).


Task 2.2: Configure HTTP Traffic Access Policy On WSA

Your Configuration should meet the following requirements:

HTTP traffic at port 8080 originated from the 172.16.1.0/24 network and directed to Server1 and Server2
should be allowed if Firefox is used as the browser but dropped if it originates from Internet Explorer;
all other traffic should be allowed.

Identification Profile 1:
Name: Monitor Profile
Check for source 172.16.1.0/24
Check for browser Type – Version: FireFox-Any

Identification Profile 2:
Name: Block Profile
Check for source 172.16.1.0/24
Check for browser Type – Version: IE-Any

The URL category should be named “CCIE Lab Rule”, monitoring for “server1.cisco.com” and
“server2.cisco.com”.
The corresponding access policies should be named “Monitor Policy” and “Block Policy” respectively and
reference “CCIE Lab Rule”.

Note:
This task can only be verified after the successful implementation of Task 1.1a, Task 1.4, Task 2.1 and
Task 4.1 (to be able to perform an end-to-end connectivity test).


Task 2.3: Install the FireAMP Connector on “Candidate PC” and Configure FireAMP Cloud

Your Configuration should meet the following requirements:

The PC should be part of a group called “ccielab” in the FireAMP cloud.
The group should have the description “For Lab Window”.
The group should be part of the system “Protect Policy”.
Make sure the FireAMP Connector on “Candidate PC” shows up as connected with the FireAMP Cloud.


Task 3.1: Configure Clientless SSL VPN Between ASA2_V and “client_pc2”
Your Configuration should meet the following requirements on ASA2_V:

VPN access credentials should be Username: ccie, Password: ccie
Connection banner should be “Enjoy The Lab!”
Group alias should be named “cciesecurity”

The CA trustpoint should be configured as follows:
Name: ccietrust
Enrollment: self
RSA Key: cciekey
Session idle time: 48 hours

The web ACL implementation should only allow the following URLs:
http://server1.cisco.com:8080
http://server2.cisco.com:8080
The bookmarks for the above servers should appear in the WebVPN portal as “Server1” and “Server2”
respectively.

Notes:
On “client_pc2” a connection entry “ssl_vpn” has been created in Firefox to test the implementation.
The verification of this task depends on the successful implementation of Task 1.1b and Task 1.4.
The VPN session should be in the established state and you should be able to open the sessions to Server1 and
Server2 when you have ended your lab.
The VPN session should terminate on ASA2_V, being the active ASA in the pair.
Make sure that closing the RDP connection to “client_pc2” does not tear down the established VPN session.
The DNS server is at 150.1.7.200.
Any information not provided for this task can be assumed by the candidate.


Task 3.2: Configure Site-To-Site Certificate Based VPN Between R15, R16 and R17
Your Configuration should meet the following requirements:

The VPN session should secure traffic between 192.168.15.0/24 and 192.168.16.0/24 networks.

Configure a trustpoint by the name of “ccier15” on R15 as follows:
Common Name as “r15”
Organization as “cisco.com”
Certificate should include the R15 Loopback 0 interface.
Enroll using Loopback 0 as the source interface.
Enroll with the CA running at R17 using its Loopback 0 interface.
RSA key pair should be “ccier15”

Configure a trustpoint by the name of “ccie16” on R16 as follows:
Common Name as “r16”
Organization as “cisco.com”
Certificate should include the R16 Loopback 0 interface.
Enroll using Loopback 0 as the source interface.
Enroll with the CA running at R17 using its Loopback 0 interface.
RSA key pair should be “ccier16”

Note:
Any information not provided for this task can be assumed by the candidate.
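Added example of the Task 3.2 PKI and certificate-authenticated VPN on IOS (not the workbook's solution). Shown are the CA on R17 and the complete R15 side; R16 mirrors R15 with trustpoint ccie16, key pair ccier16 and CN=r16. R17_LO0, R16_WAN and the outbound interface GigabitEthernet0/0 are placeholders, and the IKE/IPsec algorithm choices (AES-256, SHA-256, DH group 14) are assumptions, since the task leaves them to the candidate.

```cisco
! ---- R17: IOS CA reachable on Loopback0 -- added example, not the workbook's solution
ip http server
crypto pki server ccieca
 grant auto
 no shutdown
!
! ---- R15: trustpoint ccier15 enrolled from Loopback0 against the CA on R17
ip domain-name cisco.com
crypto key generate rsa label ccier15 modulus 2048
crypto pki trustpoint ccier15
 ! R17_LO0 is a placeholder for R17's Loopback0 address
 enrollment url http://R17_LO0:80
 source interface Loopback0
 subject-name CN=r15,O=cisco.com
 ! puts the Loopback0 address into the certificate's subject alternative name
 ip-address Loopback0
 rsakeypair ccier15
 revocation-check none
! Both commands are interactive: fetch the CA certificate, then request our own
crypto pki authenticate ccier15
crypto pki enroll ccier15
!
! IKEv1 with certificate (rsa-sig) authentication protecting the LAN-to-LAN flow
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 ! R16_WAN is a placeholder for R16's tunnel endpoint address
 set peer R16_WAN
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 crypto map CMAP
!
! ---- R16 mirrors the above with trustpoint ccie16 / keypair ccier16, CN=r16,
! ---- peer R15_WAN and the ACL reversed (192.168.16.0 -> 192.168.15.0).
```

The CA must be reachable from Loopback0 before `crypto pki authenticate` and `crypto pki enroll` are run. `show crypto pki certificates` should then list both the CA certificate and the router certificate with the Loopback0 address in its subject alternative name, and once traffic flows between the two LANs `show crypto isakmp sa` shows the SA in QM_IDLE.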


Task 3.3: Configure VRF-Aware GETVPN Between R3, R4 and R5

Your Configuration should meet the following requirements:

VRF for site_a should be “site_a”
VRF for site_b should be “site_b”
Registration link should be in VRF “mgmt”

Preshared key between the sites should be “cisco”
ISAKMP policy should have encryption “3des” and DH Group “2”

Identity number for site_a should be “100”
Identity number for site_b should be “200”

Rekeying authentication should use RSA key “cciekey” for both sites.
The implementation should secure traffic for site_a between the 192.168.4.0/24 and 192.168.5.0/24 networks.
The implementation should secure traffic for site_b between the 192.168.4.0/24 and 192.168.5.0/24 networks.

The EIGRP routing process for site_a and site_b should be authenticated using mode MD5 and password “ccie”.

Notes:
Refer to the topology for addressing, VLAN and EIGRP routing information.
Sw1_V is preconfigured for this task.
Any information not provided for this task can be assumed by the candidate.


Task 3.4: Configure FlexVPN Between R9, R10 and R11

Your configuration should meet the following requirements:

Configure a hub-and-spoke FlexVPN between R9 (hub) and R10 and R11 (spokes).

Preshared key between R9 and R10 should be ccier10
Preshared key between R9 and R11 should be ccier11

IPsec-protected tunnel Tu34 should be established between R9 and R10.
IPsec-protected tunnel Tu35 should be established between R9 and R11.

Loopback1 interfaces on R9, R10 and R11 should be included in the EIGRP routing domain.

Tu34 should secure the traffic between 192.168.10.0/24 and host 10.100.6.1
Tu35 should secure the traffic between 192.168.11.0/24 and host 10.100.7.1

Notes:
The verification of this task depends on the successful implementation of Task 1.2.
Refer to the topology for addressing and EIGRP routing information. Any information not provided for
this task can be assumed by the candidate.


Task 3.5: Configure SXP between SW2_P and ASA3

Your Configuration should meet the following requirements:

The SXP session between SW2_P and ASA3 should be authenticated using password “ccie”.
ASA3 should download the CTS environment data from ISE.

Note:
TFTP Server is available on Candidate_PC.
Use Vlan 8 network for SXP
SW2 will receive supplicant authentication/authorization request.
Any information not provided in this task can be assumed by the candidate.


Task 4.1: Configure AnyConnect IKEv2 Between ASA1_V and “client_pc1”

Your configuration should meet the following requirements on ASA1_V:

The tunnel should negotiate an IKEv2 policy and IPsec proposal for AES-256 encryption.
The tunnel should only secure traffic for Server1 and Server2.
The client address pool should be 172.16.1.0-172.16.10.0/24.
The session tunnel should remain connected for 48 hours even without any activity.
The group alias for the session should be “ccieprofile”.

The trustpoint for the implementation should be named “ccietrust” using RSA key pair “cciekey”.

The ASA should authenticate the session using AAA with ISE at 150.1.7.212.
Credentials should be Username: cisco, Password: Midhumo2
User “cisco” should be part of the ISE internal database.
ISE should check the NAS IP address to authorize the session.

Note:
The verification of this task depends on the successful implementation of Task 1.1a, Task 1.4, Task 2.1 and
Task 2.2.
Tunnel destination “asa1.cisco.com” resolves to the ASA1 outside address.
The VPN session should be terminated on ASA1_V, being the active ASA in the pair.
The VPN session should be in the established state when you have ended the Configuration module.
Use the Firefox browser to test your connectivity with Server1 and Server2.
Any information not provided for this task can be assumed by the candidate.


Task 4.2: Configure SW2_P Gig1/0/9 To Authenticate the Dot1x Session From “dot1x_pc”
Your configuration should meet the following requirements:

The Dot1x session should obtain an IP address via DHCP from the SW2_P local pool in VLAN 8.

ISE should authenticate Dot1x user “ccie”; the password should be set to “Ccie123”. User “ccie” should be
part of the ISE internal database.
ISE should authorize the session based on the NAS IP address.
On successful authorization ISE should assign the session VLAN 8 and the SGT “PC2”, and push a DACL to
permit IP traffic from any source to any destination.

From “dot1x_pc” you should be able to browse only Server4 to verify the implementation.

Notes:
The verification of this task depends on the successful implementation of Task 1.3 and Task 3.5.
Make sure your AAA implementation does not impact SW2_P console access.
The Dot1x session should be in the established state when you have ended your lab.
Any information not provided to implement this task can be assumed by the candidate.


Task 4.3: Configure R1 for the SSH Authentication

Your configuration should meet the following requirements:

The authentication request should be forwarded to the RADIUS server ISE.
ISE should check the SSH user in the Active Directory database. Active Directory is preconfigured with the SSH
user credentials “admin1/Cisco123” (“O”, not zero).
Make sure that user “admin1” belongs to user group “Lab_Admin” in ISE.
To authorize the session ISE should check that the SSH user belongs to “Lab_Admin” and check the NAS IP address.
The user “admin1” should be assigned privilege level 15 on successful authorization.
The session should not time out for 48 hours even without any activity.

Notes:
You need to test SSH from the candidate PC, where an “r1.cisco.com”
connection profile has been created in the PuTTY client.
The SSH session should be in the established state when you have ended your configuration module.
If required, use account ccie/Cisco123 to join ISE with AD.
Any information not provided to implement this task can be assumed by the candidate.
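Added example of the Task 4.3 router side (not the workbook's solution). ISE_IP, RADIUS_KEY and the fallback local account are placeholders and assumptions; the AD join, the Lab_Admin group check and the privilege-15 authorization result are ISE-side settings not shown here.

```cisco
! R1 -- added example, not the workbook's solution. ISE_IP and RADIUS_KEY are
! placeholders; fallback-admin/FALLBACK_SECRET is an assumed local account.
hostname R1
ip domain-name cisco.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
aaa new-model
radius server ISE
 address ipv4 ISE_IP auth-port 1812 acct-port 1813
 key RADIUS_KEY
aaa group server radius ISE-GROUP
 server name ISE
!
! Login and EXEC authorization go to ISE. "local" / "if-authenticated" are only
! reached when the RADIUS server is unreachable, not when it rejects the user.
aaa authentication login SSH-AUTH group ISE-GROUP local
aaa authorization exec SSH-AUTHZ group ISE-GROUP if-authenticated
username fallback-admin privilege 15 secret FALLBACK_SECRET
!
! Console keeps a method list of its own so a RADIUS outage cannot lock it out
aaa authentication login CONSOLE none
line console 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication SSH-AUTH
 authorization exec SSH-AUTHZ
 transport input ssh
 ! 48 hours = 2880 minutes of idle time before the EXEC session is dropped
 exec-timeout 2880 0
```

The privilege level comes from ISE rather than from a local `privilege` statement: the authorization profile for Lab_Admin returns the cisco-av-pair `shell:priv-lvl=15`, which the router applies because `authorization exec` is enabled on the VTY lines. From the SSH session, `show privilege` should report level 15 and `show users` the admin1 session; `exec-timeout 2880 0` gives the 48-hour idle allowance.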


Task 4.4: Configure SW2_P Gig1/0/9 To Authenticate And Authorize PC “mab_pc” And IP Phone

Your configuration should meet the following requirements:

The “mab_pc” should obtain an address via DHCP from the SW2_P local pool in VLAN 8.
The IP Phone should obtain an address via DHCP from the SW2_P local pool in VLAN 215 and be assigned the TFTP address
150.1.7.215.

ISE should authenticate and authorize “mab_pc” and the IP Phone.
ISE authorization for both supplicants should be based on the NAS IP address.

On successful authorization ISE should assign “mab_pc” VLAN 8 and the SGT “PC1”, and push a DACL to permit
IP traffic from any source to any destination.
On successful authorization ISE should push a DACL to permit IP traffic from any source to any
destination for the IP Phone.

From “mab_pc” you should be able to browse only Server3 to verify the implementation.
From SW2 you should be able to ping the IP Phone IP address and the CUCM IP address to verify the
implementation.

Notes:
The verification of this task depends on the successful implementation of Task 1.3 and Task 3.5.
Make sure your AAA implementation does not impact SW2_P console access.
MAB sessions should be in the established state when you have ended the Lab.
Any information not provided to implement this task can be assumed by the candidate.
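Added example covering Tasks 4.2 and 4.4 together, since both land on SW2_P Gig1/0/9 (not the workbook's solution). It shows the switch side only: RADIUS to ISE, the two DHCP pools, and a multi-domain port that authenticates one data host (dot1x_pc via 802.1X, or mab_pc via MAB) together with the IP Phone. ISE_IP, RADIUS_KEY and the VLAN 8 and VLAN 215 subnets and gateways are placeholders; the ISE authorization profiles (VLAN 8, SGT PC1/PC2, permit-ip-any-any dACL) and the NAS-IP-Address condition are GUI configuration and are not shown.

```cisco
! SW2_P -- added example for Tasks 4.2 and 4.4, not the workbook's solution.
! ISE_IP, RADIUS_KEY, VLAN8_NET/VLAN8_GW and VLAN215_NET/VLAN215_GW are placeholders.
aaa new-model
!
! Console gets its own method list so AAA cannot lock out console access (task note)
aaa authentication login CONSOLE none
line console 0
 login authentication CONSOLE
!
radius server ISE
 address ipv4 ISE_IP auth-port 1812 acct-port 1813
 key RADIUS_KEY
aaa group server radius ISE-GROUP
 server name ISE
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Attributes ISE relies on for dACL download and CoA; device tracking is what
! lets the switch bind the downloaded ACL to the host's IP address
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
aaa server radius dynamic-author
 client ISE_IP server-key RADIUS_KEY
ip device tracking
dot1x system-auth-control
!
! Local DHCP pools: data VLAN 8, voice VLAN 215 with option 150 pointing the phone at TFTP
ip dhcp pool VLAN8
 network VLAN8_NET 255.255.255.0
 default-router VLAN8_GW
ip dhcp pool VLAN215
 network VLAN215_NET 255.255.255.0
 default-router VLAN215_GW
 option 150 ip 150.1.7.215
!
interface GigabitEthernet1/0/9
 switchport mode access
 switchport access vlan 8
 switchport voice vlan 215
 ! one data device (dot1x_pc or mab_pc) plus one phone on the same port
 authentication host-mode multi-domain
 ! try 802.1X first; a host with no supplicant (mab_pc, the phone) falls to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! shorter EAP retry interval so the MAB fallback happens in seconds, not minutes
 dot1x timeout tx-period 5
 spanning-tree portfast
```

`show authentication sessions interface GigabitEthernet1/0/9 details` lists each domain (DATA and VOICE) with its method, the dACL and the SGT applied; `show ip dhcp binding` confirms the leases from both pools. With the ISE authorization profiles in place, the data host lands in VLAN 8 with the SGT that Task 1.3's `server3-4` ACL keys on.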


Task 5.1: Configure Syslog on R1 and R17

Your configuration should meet the following requirements:

R1 should send informational-level messages to the Syslog server set up at the Candidate PC.
Messages seen from R1 on the Syslog server should be marked with the R1 hostname.

R17 should send debug-level messages to the Syslog server set up at the Candidate PC.
Messages seen from R17 on the Syslog server should be marked with the string “CA”.

Notes:
The Candidate PC is preconfigured with the Kiwi Syslog server for this task.


Task 5.2: Configure Secure Wireless Deployment Between WLC, ISE, SW2_P, AP and “Wireless_Client”
Your Implementation should meet the following requirements:

WLC:
The management interface should have the address 10.100.102.1.
Configure WLAN 1 with SSID “podYY”. “YY” is your pod number, which can be seen in your
commserver hostname.
Layer 2 Security should be WPA with an ASCII-format PSK of “Cisco123” (“O”, not zero).
Encryption type should be AES.

SW2_P:
The AP should be authenticated on port Gi1/0/7 using MAB with ISE as the RADIUS server.

ISE:
On successful authorization of the AP, ISE should push a DACL to permit IP traffic from any source to any
destination.
ISE should authorize the session based on the NAS IP address.

AP:
The candidate may need to configure the following on the AP if not preconfigured:
AP IP address: 10.100.102.33/24
AP Default-Gateway: 10.100.102.1
Primary Controller Name: cciewlc
Primary Controller IP: 10.100.102.1

Wireless_Client:
The candidate needs to configure the following for the “Wireless_Client”:
Wireless NIC:
IP Address: 10.100.102.1YY/24. “YY” is your pod number, which can be seen in your commserver
hostname.
Default Gateway: 10.100.102.33

Notes:
AP Username/Password/Enable is Cisco/Cisco/Cisco and this should NOT be changed.
AP hostname “ccieap” should not be changed.
The “Wireless_Client” should be able to associate with SSID “podYY”. “YY” is your pod number, which can be
seen in your commserver hostname. DO NOT associate with any other SSID!
As a task verification, you should be able to ping 10.100.102.11 and
10.100.102.22 from “Wireless_Client” after you are able to connect to the “podYY” SSID.


Any information not provided for this task can be assumed by the candidate.


Task 5.3: Configure NTP Between R1, R2, R15, R16 and R17

Your Configuration should meet the following requirements:

R1 should be the reference NTP server.
The R1, R2, R15, R16 and R17 clocks should be set up to show “ccie” as the time zone.
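Added example for Tasks 5.1 and 5.3, which belong together because useful syslog depends on synchronized, consistently time-stamped clocks (not the workbook's solution). CANDIDATE_PC and R1_IP are placeholders, and the UTC offset of 0 for the “ccie” zone is an assumption, since the task only names the zone.

```cisco
! ---- R1 -- added example for Tasks 5.1 and 5.3, not the workbook's solution.
! ---- CANDIDATE_PC is a placeholder for the Kiwi Syslog server address.
hostname R1
! Severity 6 (informational) and below to the collector, each message tagged
! with the configured hostname
logging host CANDIDATE_PC
logging trap informational
logging origin-id hostname
! Stamp every message with the synchronized clock in the "ccie" zone
service timestamps log datetime msec localtime show-timezone
clock timezone ccie 0
! R1 is the reference clock the other routers synchronize to
ntp master 1
!
! ---- R17: severity 7 (debugging) messages tagged with the literal string "CA"
hostname R17
logging host CANDIDATE_PC
logging trap debugging
logging origin-id string CA
service timestamps log datetime msec localtime show-timezone
clock timezone ccie 0
! R1_IP is a placeholder for R1's address
ntp server R1_IP
!
! ---- R2, R15 and R16: only the clock and NTP lines are needed
clock timezone ccie 0
ntp server R1_IP
```

`logging origin-id hostname` prepends "R1" to each message R1 sends, while `logging origin-id string CA` prepends the fixed tag on R17; Kiwi shows the tag at the start of the message text. `show ntp status` on the clients should report "synchronized" at stratum 2, and `show logging` on each router lists the trap level and the collector address.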


THANKS FOR USING www.passsecuritylabs.com WORKBOOKS
