This course discusses the Cisco Identity Services Engine (ISE), an identity and access control policy platform that provides a single policy plane across the entire organization,combining multiple services, including authentication, authorization, and accounting (AAA), posture, profiling, device on-boarding, and guest management, into a single context-aware identity-based platform. The training provides learners with the knowledge and skills to enforce security posture compliance for wired and wireless endpoints and enhance infrastructure security using the Cisco ISE.
To participate in the hands-on labs in this class, you need to bring a laptop
computer with the following:
Windows 7 or 8.1 or 10 is recommended. Mac OSX 10.6 or greater is supported as well.
Intel Celeron or better processors are preferred.
1 GB or more of RAM
Browser Requirements: Internet Explorer 10 or greater or Mozilla Firefox. (Safari and Mozilla Firefox for Mac OSX)
All students are required to have administrator rights to their PCs and cannot be logged in to a domain using any Group Policies that will limit their machine's capabilities.
If you do not have administrator rights to your PC, you at least need permissions to download, install, and run Cisco Any Connect Client.
If you are participating in a WebEx event, it is highly recommended to take this class at a location that has bandwidth speeds at a minimum of 1 Mbps bandwidth speeds.
Note: Students registering for this course will be receiving their course kit in a digital format. To be able to view your digital kit you will need to bring a laptopPC and/or a compatible iPad or Android tablet. The recommended system requirements and instructions to access the course kit content can be found at the following link: Digital Course Kit Requirements and Instructions
Please be aware that this digital version is designed for online use, not for printing. You can print up to 10 pages only in each guide within a course. Please note that every time you click the Print button in the book, this counts as one page printed, whether or not you click OK in the Print dialog.
Objective:
Upon completing this course, the learner will be able to meet these overall objectives:
- Describe Cisco ISE architecture, installation, and distributed deployment options.
- Configure Network Access Devices (NADs), policy components, and basic
- authentication and authorization policies in Cisco ISE - Implement Cisco ISE web authentication and guest services.
- Deploy Cisco ISE profiling, posture and client provisioning services.
- Describe administration, monitoring, troubleshooting, and TrustSec SGA security.
- Configure device administration using TACACS+ in Cisco ISE
Prerequisites:The learner is expected to have the following skills and knowledge before attending this
course:
- Familiarity with Cisco IOS CLI
- Familiarity with Cisco ASA
- Familiarity with Cisco VPN clients
- Familiarity with MicroSoft Windows Operating Systems
- Familiarity with 802.1X
Who Should Attend:The audience for this course is as follows:
- ISE Administrators/Engineers
- Wireless Administrators/Engineers
- Consulting Systems Engineers
- Technical/Wireless/BYOD/Security Solutions Architects
- ATP partner systems and field engineers
- Systems integrators who install and implement the Cisco Identity Service Engine version 2.1
Course OutlineModule 1: Introducing Cisco ISE Architecture and DeploymentLesson 1: Using Cisco ISE as a Network Access Policy Engine
- Cisco Identity Services Overview
- Cisco Identity Solution Benefits
- The Attack Continuum
- Controlling Access to the Network
- Security Challenges for IT Organizations
- Centralized Policy Management
- Cisco Identity Solution Guest Use Case
- Cisco Identity Solution BYOD Use Case
- Cisco Identity Solution Profiling Use Case
- Cisco Identity Solution Compliance Use Case
- Cisco Identity Solution Security Group Access Use Case
- Introducing the Components of a Cisco ISE Deployment
- Secure Access Control
- Describing Cisco ISE Functions
- Summary
Lesson 2: Introducing Cisco ISE Deployment Models
- Introducing the Components of an ISE Deployment
- Cisco ISE Nodes and Personas
- Implementing Nodes, Personas, and Roles
- Admin Node
- Policy Service Node
- Monitoring Node
- pxGrid Services
- Collector Agent
- Policy Synchronization
- Deployment Options
- Cisco ISE Communication Model
- Introducing Context Visibility
- Context Visibility Benefits
- Context Visibility Wizard
- Streamline Visibility Wizard
- Summary
- Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage
- Task 1: Verify Cisco ISE setup using CLI
- Task 2: Initial GUI login and Familiarization
- Task 3: Disable Profiling
- Task 4: Certificate enrollment
Module 2: Cisco ISE Policy EnforcementLesson 1: Introducing 802.1X and MAB
- Access: Wired and Wireless
- IEEE 802.1X Primer
- MAC Authentication Bypass
- Overview: Configure 802.1X and MAB
- Summary
- Lab 2: Integrate Cisco ISE with Active Directory
- Task 1: Configure Active Directory Integration
- Task 2: Configure LDAP Integration
Lesson 2: Introducing Identity Management
- Identity Sources Overview
- Internal Identity Sources
- External Identity Sources
- Multi-AD Overview and Configuration
- Lightweight Directory Access Protocol
- RADIUS
- SAMLv2
- Identity Source Sequence
- Summary
Lesson 3: Configuring Certificate Services
- Certificate Overview and Implementation
- Certification Authority Services
- Summary
Lesson 4: Introducing Cisco ISE Policy
- Authentication and Authorization Process
- Dictionaries, Identity Sources, and ISSs
- Authentication and Its Components
- Authorization and Its Components
- Exception Policies and Policy Sets
- Sessions in Cisco ISE
- Summary
Lab 3: Configure Basic Policy on Cisco ISE
- Task 1: Policy Configuration for AD Employees and AD Contractors
- Task 2: Client Access – Wired
- Task 3: Client Access – Wireless
- Task 4: Network visibility with Context Visibility
Lesson 5: Configuring Cisco ISE Policy Sets
- Cisco ISE Policy Sets Overview
- Global versus Local Exception Processing
- Lab 4: Configure Conversion to Policy Sets
- Task 1: Convert to Policy Set
- Task 2: Create Wired and Wireless Policy Sets
- Task 3: Creating a Global Exception
- Task 4: Testing Client Access Using Policy Sets
Lesson 6: Implementing Third-Party Network Access Device Support
- Third-Party NAD Support: Features and Workflows
- Summary
Lesson 7: Introducing Cisco TrustSec
- Introducing Cisco TrustSec
- Lesson 8: Introducing EasyConnect
- Easy Connect Overview
- EasyConnect Modes and Flows
- EasyConnect Configuration
- Summary
- Lab 5: Configure Access Policy for Easy Connect
- Task 1: Configure Cisco ISE to Support Easy Connect
- Task 2: Create Easy Connect Policy Sets
- Task 3: Test the Easy Connect Connection
Module 3: Web Auth and Guest ServicesLesson 1: Introducing Web Access with
Cisco ISE Web Authentication Overview
ISE Web Authentication Configuration Overview
Web Authentication Verification Overview
Summary
- Lab 6: Configure Guest Access
- Task 1: Configure Guest Settings.
- Task 2: Configure Guest Locations.
- Lesson 2: Introducing ISE Guest Access Components
- Guest Access Services Overview
- Summary
Lesson 3: Configuring Guest Access Settings
Review Guest Access Settings
Guest Types Overview
Summary
- Lab 7: Configure Guest Access Operations
- Task 1: Configure Cisco ISE guest access with a hotspot portal.
- Task 2: Configure Cisco ISE guest access for guest self-registration.
- (Optional)
- Task 3: Enable self-registration with sponsor approval.
- Task 4: Create the accounts as a sponsor (Optional).
- Task 5: Perform guest account management via the sponsor portal.
Lesson 4: Configuring Portals: Sponsors and Guests
- Cisco ISE Sponsor Components and Configuration
- Lab 8: Create Guest Reports
- Task 1: Running Reports from Cisco ISE Dashboard
Module 4: Cisco ISE ProfilerLesson 1: Introducing Cisco ISE Profiler
- Introduction to the Profiler Service
- Cisco ISE Probes
- Profiling Policies
- Summary
Lesson 2: Configuring Cisco ISE Profiling
- Configure Profiling on Cisco ISE Overview
- Prepare for Profiling
- Enable the Profiling Service
- Profiling Probe Configuration
- Configuring the Profiler Feed Service
- Profiling Settings
- Define Profiling Parameters
- Configure Profile Policies and Logical Profiles
- NMAP Scan Actions
- Go Live and Monitor
- Summary
- Lab 9: Configure Profiling
- Task 1: Configuring Profiling in Cisco ISE
- Task 2: Configure the Feed Service
- Task 3: Configuring Profiling in Cisco ISE
- Task 4: NAD Configuration for Profiling
- Lab 10: Customize the Cisco ISE Profiling Configuration
- Task 1: Examine Endpoint Data
- Task 2: Create a Logical Profile
- Task 3: Creating a New Authorization Policy Using a Logical Profile
- Task 4: Create a Custom Profile Policy
- Task 5: Testing Authorization Policies with Profiling Data
Lab 11: Create Cisco ISE Profiling Reports
- Task 1: Run Cisco ISE Profiler Feed Reports
- Task 2: Endpoint Profile Changes Report
- Task 3: Context Visibility Dashlet Reports
Module 5: Cisco ISE BYODLesson 1: Introducing the Cisco ISE BYOD Process
- BYOD Problem and Solutions
- BYOD Design
Lesson 2: Describing BYOD Flow
Lesson 3: Configuring My Devices Portal Settings
- My Devices Portal Configuration
- My Devices Portal End-User Experience
Lesson 4: Configuring Certificates in BYOD Scenarios
- Local ISE CA Server and Local Certificates
- Cisco ISE Certificates Set Up Walk-through
- Lab 12: Configure BYOD
- Task 1: Portal Provisioning
- Task 2: Provisioning Configuration
- Task 3: Configuring Policy
- Task 4: Employee iPad Registration
- Lab 13: Blacklisting a Device
- Task 1: Blacklisting a Device
- Task 2: Lost Access Verification.
- Task 3: Endpoint Record Observations
- Task 4: UnBlacklist the Device
- Task 5: Verify Access Capability
- Task 6: Blacklisting a Stolen Device
Module 6: Cisco ISE Endpoint Compliance ServicesLesson 1: Introducing Endpoint Compliance
- Endpoint Compliance
- Posture Service
- Posture Conditions
- Compliance Module
- Posture Flow
- Cisco ISE Posture Agents
- Posture Operational Modes
- Posture Service Deployment and Licensing
- Summary
- Lab 14: Configure Compliance Services on Cisco ISE
- Task 1: Posture Preparation
- Task 2: Authorization Profiles
- Task 3: Adjusting Authorization Policy for Compliance
- Lesson 2: Configuring Client Posture Services and Provisioning in Cisco ISE
- Client Provisioning
- Posture Configuration Procedure
- Prepare
- Client Provisioning Resources
- Posture General Settings
- Posture Policy
- Client Provisioning Portal
- Client Provisioning Policy
- Additional Configuration Tasks
- Summary
- Lab 15: Configure Client Provisioning
- Task 1: Client Updates
- Task 2: Client Resources
- Task 3: Client Provisioning Policies
- Lab 16: Configure Posture Policies
- Task 1: Configure Posture Conditions
- Task 2: Configuring Posture Remediation
- Task 3: Configuring Posture Requirements
- Task 4: Configuring Posture Policies
- Lab 17: Test and Monitor Compliance Based Access
- Task 1: AnyConnect Unified Agent Access
- Task 2: Web Agent Access (Optional)
- Lab 18: Test Compliance Policy
- Task 1: Configure a Faulty Policy
- Task 2: Use Posture Reports for Troubleshooting
- Task 3: Using the Posture Troubleshooter
- Task 4: Policy Correction and Testing
Module 7: Cisco ISE with AMP and VPN-Based ServicesLesson 1: Introducing VPN Access Using Cisco ISE
- AAA – External Authentication
- Using Cisco ASA for VPN Authentication
- VPN Access Configuration Overview
- Summary
- Lab 19: Configure Cisco ISE for VPN Access
- Task 1: Preparing the Lab
- Task 2: Testing VPN Client Access
Lesson 2: Configuring Cisco AMP for ISE
- Threat Centric NAC Overview
- Threat Centric NAC Configuration
- Summary
- Lab 20: Configure Threat-Centric NAC using Cisco AMP
- Task 1: Configuring the Cisco AMP Cloud
- Task 2: Configuring Posture Policies and Conditions
- Task 3: Configuring Posture, AMP and AnyConnect Profiles
- Task 4: Enabling and Provisioning TC-NAC Services
- Task 5: Verify Provisioning of AMP for Endpoints (Optional)
Module 8: Cisco ISE Integrated Solutions with APIs- Lesson 1: Introducing Location-Based Authorization
- Introducing Location-Based Authorization
Lesson 2: Introducing Cisco ISE 2.x pxGrid
- pxGrid Framework
- pxGrid on Cisco ISE
- Setting Up the Topic
- Use Case: pxGrid for Rapid Threat Detection
- Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration
- Task 1: Configuring Cisco ISE System Certificates for REST and pxGrid
- Task 2: Preparing the Cisco WSA
- Task 3: Configuring Security Groups, Authorization Policy, and Enabling
- pxGrid on ISE
- Task 4: Enabling pxGrid on WSA
- Task 5: WSA Identity and Access Policies (Optional)
- Task 6: Testing Corporate PC (Optional)
Module 9: Working with Network Access DevicesLesson 1: Configuring TACACS+ for Cisco ISE Device Administration- Review TACACS+
- Cisco ISE TACACS+ Device Administration
- Configure TACACS Device Administration
- TACACS Device Administration Guidelines and Best Practices
- Migrating from Cisco ACS to Cisco ISE
- Summary
- Lab 22: Configure Cisco ISE for Basic Device Administration
- Task 1: Policy Configuration for AD Employees and AD Contractors
- Lab 23: Configure TACACS+ Command Authorization
- Task 1: Configure Command Sets
- Task 2: TACACS+ Features
Module 10: Cisco ISE Design (Self-Study)Lesson 1: Designing and Deployment Best Practices
- Cisco ISE Planning and Pre-deployment
- Cisco ISE Sizing and Scaling Practices
Lesson 2: Performing Cisco ISE Installation and Configuration Best Practices- Cisco ISE Deployment Best Practices
- ISE Certificates Best Practices
- ISE Profiling Best Practices
- Web Portals Best Practices
- Logging and Troubleshooting Best Practices
Lesson 3: Deploying Failover and High-Availability
- PSN HA or Load Sharing
- Deploying Monitoring Personas
- Preparing the Network Infrastructure
Module 11: Configuring Third Party NAD Support (Optional/Self-Study/Reference)Lesson 1: Configuring Third-Party NAD Support (Optional, Self-Study, or Reference)
- Configuring Third-Party NAD Support
- Summary