SISE – Implementing and Configuring Cisco Identity Services Engine v1.1

Duration:

5 Days

Audience:

Employees of federal, state and local governments; and businesses working with the government.

Course Description:

This course is geared toward individuals who have no prior knowledge of ISE and 802.1X. The ISE product is Cisco’s flagship security product, intended to replace several major current products, including NAC Servers and Managers, NAC Profiler, Guest Server, Profiler, and the Cisco Secure Access Control Server (ACS).

In this course with enhanced hands-on labs, you will cover the Cisco Identity Services Engine (ISE) version 1.2 (labs), a next-generation identity and access control policy platform that provides a single policy plane across the entire organization, combining multiple services, including authentication, authorization, and accounting (AAA), posture, profiling, device on-boarding, and guest management. You will gain the knowledge and skills needed to enforce security posture compliance for wired and wireless endpoints and enhance infrastructure security using Cisco ISE.

You will learn how to perform a fundamental installation of ISE and how to configure identity-based networks using 802.1X for both wired and wireless clients, using a Windows 8 client. You will also learn to use many of the new features, including AnyConnect 3.1, EAP-FAST, PEAP, BYOD, and EAP Chaining. You’ll also see how the new Virtual Wireless Controller (vWLC) works to integrate with ISE along with advanced features within ISE.

Why this course?

The Lab Guide was written by an author who actively performs and supports ISE architectures and deployments. It is your field guide to deploying and supporting ISE. Highlights include:

  • Labs are written for ISE version 1.2
  • You perform a patch upgrade and standard upgrade (1.2.1) in a distributed deployment
  • EAP-FAST configured with Machine Authentication (EAP-TLS) and User Authentication (MSCHAPv2, aka Active Directory)
  • Custom web pages configured for Quarantined users to indicate they are cut off from the network
  • NAM and Windows supplicant both configured in our labs
  • You configure profiling feeds and profiling Logical Groups
  • All our pods have been upgraded to Windows 2012 servers, Windows 8 VMs, ASA 5515-X, 3560X switch and much more
  • This course includes both wired and wireless configurations and is therefore by far the most detailed fundamental-to-advanced course offered on ISE
  • We have production notes spread throughout the guide to assist with deployments based on personal experiences with large channel partners

What You’ll Learn

  • ISE deployment options including node types, personas, and licensing
  • Install certificates into ISE using a Windows 2012 certificate authority (CA)
  • Configure a distributed deployment
  • Configure AAA clients and network device groups
  • Configure local and remote identity stores and use sequence lists
  • 802.1X for wired and wireless networks using the latest dot1x commands on a switch and version 7.6 of the vWLC:
    • PEAP Authentication (GPO configuration)
    • EAP-FAST Authentication (using EAP-TLS and MSCHAPv2 as inner methods)
    • Extensible authentication protocol (EAP) chaining
    • Service set identifier (SSID) matching in authorization policies using WLAN numbers and regular expressions
  • Configure authorization and authentication policies to allow MAC Authentication Bypass endpoints
  • Use central web authentication (CWA) for redirection of legitimate domain users who need to register devices on the network using MAC addresses (device registration)
  • Configure sponsored guest access
  • Configure profiler services in ISE and use newer probes available in IOS switch code 15.x
  • Profiling Feeds, Logical Profiles and building profiling conditions to match network endpoints
  • Configure posture assessments using the Cisco next available agent (NAA) and live updates in ISE
  • Configure web agent assessment for non-corporate assets
  • Bring your own device (BYOD) for wired
  • Maintenance, upgrading, and logging

Who Needs to Attend

  • End users (Cisco customers) desiring the knowledge to install, configure, and deploy Cisco ISE
  • Cisco channel partners and field engineers who need to meet the educational requirements to attain Authorized Technology Partner (ATP) authorization to sell and support the ISE product

Prerequisites

  • CCNA certification or equivalent level of experience configuring Cisco routers and switches
  • Basic knowledge of IOS commands
  • LAN security-related concepts

Course Outline

1. Cisco ISE Product

  • Cisco ISE
    • Cisco TrustSec
    • Cisco ISE Architecture
    • Cisco ISE Deployment Options
  • Getting Started with Cisco ISE
    • Installing Cisco ISE
    • Network Time Protocol
    • Cisco ISE Certificates
    • Monitoring Basics
    • Configuring and Verifying Cisco ISE for Distributed Deployment

2. Cisco ISE Authentication and Authorization

  • Configuring Basic Access
    • Network Access Device (NAD)
    • IEEE 802.1X Primer
    • Cisco Switch Configuration
    • Cisco WLC Configuration
    • Cisco ASA Appliance Configuration
    • Cisco ISE Authentication Process
    • Internal Databases
    • Simple Authentication
    • Rule-Based Authentication
    • Sessions in Cisco ISE
  • External Authentication
    • External Authentication Process
    • Active Directory
    • Lightweight Directory Access Protocol (LDAP)
    • RADIUS
    • Certificates
    • Identity Source Sequencing
    • Authentication Support and Performance
  • Using Cisco ISE Dictionaries
    • Cisco ISE Dictionaries
    • Read-Only Dictionaries
    • Administrable Dictionaries
    • RADIUS Vendor Dictionaries
  • Configuring Authorization
    • Authorization Policies and Components
    • Authorization Policy Configuration
    • Exception Policies

3. Web Authentication and User Access Management

  • Implementing Web Authentication
    • Web Authentication
    • Configure Cisco ISE Web Authentication
    • Verifying Web Authentication
  • Implementing Guest Services
    • Guest Services
    • Preparing the Deployment
    • Configuring Sponsor Portal
    • Configuring Guest Portal
    • Creating Guest Accounts
    • Verifying Guest Accounts

4. Cisco ISE Profiler, Posture, and Endpoint Protection Services

  • Implementing Cisco ISE Profiler Service
    • Profiler Service
    • Configuring Profiling on Cisco ISE
    • Verifying Profiling
  • Implementing Cisco ISE Posture Service
    • Posture Service
    • Configuring Cisco ISE for Client Provisioning
    • Adapting the Authorization Policy for Posture Compliance
    • Configuring the Posture System Settings
    • Configuring the Posture Policy
    • Verifying the Posture Service
  • Implementing Cisco ISE Endpoint Protection Services (EPS)
    • EPS
    • Configuring EPS
    • Monitoring EPS
  • Implementing BYOD
    • BYOD
    • Designing BYOD
    • Dual SSID BYOD Design
    • Device Onboarding User Experience

5. Reports, Monitoring, Troubleshooting, and Security

  • Implementing Inline Posture and TrustSec Security
    • Inline Posture
    • Security Group Access
    • MAC Security
  • Cisco ISE Architecture
    • Cisco ISE Deployment Types
    • Deploying Monitoring Personas
    • Preparing the Network Infrastructure
  • Performing Cisco ISE Administration and Maintenance
    • Role-Based Access Control
    • Cisco ISE Licensing
    • Backing Up and Restoring the System Configuration
  • Using Cisco ISE Reporting, Monitoring, and Troubleshooting
    • Cisco ISE Dashboard Monitoring
    • Implementing Logging
    • Managing Alarms
    • Cisco ISE Reports
    • Troubleshooting the Network
    • Backing Up and Restoring the Monitoring Database

Labs

Lab 1: ISE Installation and Web Console Familiarization

Lab 2: Install a Certificate in ISE

Lab 3: Configure an ISE Distributed Deployment

Lab 4: Local and Remote Identity Stores using Active Directory and Sequence Lists

Lab 5: 802.1X: Examining and Configuring Supplicants

Lab 6: 802.1X: Wired Networks

Lab 7: 802.1X: MAR and EAP Chaining

Lab 8: 802.1X: Wireless Networks

Lab 9: 802.1X: MAC Authentication Bypass (MAB)

Lab 10: CWA for Wired and Wireless Networks and My Device Portal

Lab 11: Provide Guest Access Using Self-Registration

Lab 12: Configure Profiler Services

Lab 13: Configure Posture Services

Lab 14: Endpoint Protection Services

Lab 15: BYOD

Lab 16: Maintenance and Monitoring of ISE