SISE - Implementing and Configuring Cisco Identity Services Engine v2.1
Course Description
This course is geared toward individuals who have no prior knowledge of ISE and 802.1X. The ISE product is Cisco's flagship security product, intended to replace several major current products, including NAC Servers and Managers, NAC Profiler, Guest Server, Profiler, and the Cisco Secure Access Control Server (ACS).
In this course with enhanced hands-on labs, you will cover the Cisco Identity Services Engine (ISE) version 1.2 (labs), a next-generation identity and access control policy platform that provides a single policy plane across the entire organization combining multiple services, including authentication, authorization, and accounting (AAA), posture, profiling, device on-boarding, and guest management. You will gain the knowledge and skills needed to enforce security posture compliance for wired and wireless endpoints and enhance infrastructure security using the Cisco ISE.
You will learn how to perform a fundamental installation of ISE and how to configure identity-based networks using 802.1X for both wired and wireless clients, using a Windows 8 client. You will also learn to use many of the new features, including AnyConnect 3.1, EAP-FAST, PEAP, BYOD, and EAP Chaining. You'll also see how the new Virtual Wireless Controller (vWLC) works to integrate with ISE along with advanced features within ISE.
Why this course?
The Lab Guide was written by an author who actively performs and supports ISE architectures and deployments. It is your field guide to deploying and supporting ISE. Highlights include:
- Labs are written for ISE version 1.2
- You perform a patch upgrade and standard upgrade (1.2.1) in a distributed deployment
- EAP-FAST using Machine Authentication (EAP-TLS) and User Authentication (MSCHAPv2 aka Active Directory) configured
- Custom web pages configured for Quarantined users to indicate they are cut from the network
- NAM and Windows supplicant both configured in our labs
- You configure profiling feeds and profiling Logical Groups
- All our pods have been upgraded to Windows 2012 servers, Windows 8 VMs, ASA 5515-X, 3560X switch and much more
- This course includes both wired and wireless configurations and is therefore by far the most detailed fundamental-to-advanced course offered on ISE
- We have production notes spread throughout the guide to assist with deployments based on personal experiences with large channel partners
A Global Knowledge Exclusive: You Get...
- An enhanced lab topology based on our Flexible Security Architecture that represents a real-world network
- 10 extra e-Lab credits, good for 30 days, so you can practice and refine your skills
- Enhanced content that exceeds standard authorized Cisco content
- World-class Certified Cisco Systems instructors
What You'll Learn
- ISE deployment options including node types, personas, and licensing
- Install certificates into ISE using a Windows 2012 certificate authority (CA)
- Configure a distributed deployment
- Configure AAA clients and network device groups
- Configure local and remote identity store and use of sequence lists
- 802.1X for wired and wireless networks using the latest dot1x commands on a switch and version 7.6 of the vWLC:
  - PEAP Authentication (GPO configuration)
  - EAP-FAST Authentication (using EAP-TLS and MSCHAPv2 as inner methods)
  - Extensible authentication protocol (EAP) chaining
  - Service set identifier (SSID) matching in authorization policies using WLAN numbers and regular expressions
- Configure authorization and authentication policies to allow MAC Authentication Bypass endpoints
- Use central web authentication (CWA) for redirection of legitimate domain users who need to register devices on the network using MAC addresses (device registration)
- Configure sponsored guest access
- Configure profiler services in ISE and use newer probes available in IOS switch code 15.x
- Profiling Feeds, Logical Profiles and building profiling conditions to match network endpoints
- Configure posture assessments using the Cisco next available agent (NAA) and live updates in ISE
- Configure web agent assessment for non-corporate assets
- Bring your own device (BYOD) for wired
- Maintenance, upgrading, and logging
Who Should Attend
- End users (Cisco customers) desiring the knowledge to install, configure, and deploy Cisco ISE
- Cisco channel partners and field engineers who need to meet the educational requirements to attain Authorized Technology Partner (ATP) authorization to sell and support the ISE product
Prerequisites
- CCNA certification or equivalent level of experience configuring Cisco routers and switches
- Basic knowledge of IOS commands
- LAN security related concepts
Course Outline
Lessons
Lesson 1: Cisco ISE Product
- Cisco ISE
- Cisco TrustSec
- Cisco ISE Architecture
- Cisco ISE Deployment Options
- Getting Started with Cisco ISE
- Installing Cisco ISE
- Network Time Protocol
- Cisco ISE Certificates
- Monitoring Basics
- Configuring and Verifying Cisco ISE for Distributed Deployment
Lesson 2: Cisco ISE Authentication and Authorization
- Configuring Basic Access
- Network Access Device (NAD)
- IEEE 802.1X Primer
- Cisco Switch Configuration
- Cisco WLC Configuration
- Cisco ASA Appliance Configuration
- Cisco ISE Authentication Process
- Internal Databases
- Simple Authentication
- Rule-Based Authentication
- Sessions in Cisco ISE
- External Authentication
- External Authentication Process
- Active Directory
- Lightweight Directory Access Protocol (LDAP)
- RADIUS
- Certificates
- Identity Source Sequencing
- Authentication Support and Performance
- Using Cisco ISE Dictionaries
- Cisco ISE Dictionaries
- Read-Only Dictionaries
- Administrable Dictionaries
- RADIUS Vendor Dictionaries
- Configuring Authorization
- Authorization Policies and Components
- Authorization Policy Configuration
- Exception Policies
Lesson 3: Web Authentication and User Access Management
- Implementing Web Authentication
- Web Authentication
- Configure Cisco ISE Web Authentication
- Verifying Web Authentication
- Implementing Guest Services
- Guest Services
- Preparing the Deployment
- Configuring Sponsor Portal
- Configuring Guest Portal
- Creating Guest Accounts
- Verifying Guest Accounts
Lesson 4: Cisco ISE Profiler, Posture, and Endpoint Protection Services
- Implementing Cisco ISE Profiler Service
- Profiler Service
- Configuring Profiling on Cisco ISE
- Verifying Profiling
- Implementing Cisco ISE Posture Service
- Posture Service
- Configuring Cisco ISE for Client Provisioning
- Adapting the Authorization Policy for Posture Compliance
- Configuring the Posture System Settings
- Configuring the Posture Policy
- Verifying the Posture Service
- Implementing Cisco ISE Endpoint Protection Services (EPS)
- EPS
- Configuring EPS
- Monitoring EPS
- Implementing BYOD
- BYOD
- Designing BYOD
- Dual SSID BYOD Design
- Device Onboarding User Experience
Lesson 5: Reports, Monitoring, Troubleshooting, and Security
- Implementing Inline Posture and TrustSec Security
- Inline Posture
- Security Group Access
- MAC Security
- Cisco ISE Architecture
- Cisco ISE Deployment Types
- Deploying Monitoring Personas
- Preparing the Network Infrastructure
- Performing Cisco ISE Administration and Maintenance
- Role-Based Access Control
- Cisco ISE Licensing
- Backing Up and Restoring the System Configuration
- Using Cisco ISE Reporting, Monitoring, and Troubleshooting
- Cisco ISE Dashboard Monitoring
- Implementing Logging
- Managing Alarms
- Cisco ISE Reports
- Troubleshooting the Network
- Backing Up and Restoring the Monitoring Database
Labs
Lab 1: ISE Installation and Web Console Familiarization
Lab 2: Install a Certificate in ISE
Lab 3: Configure an ISE Distributed Deployment
Lab 4: Local and Remote Identity Stores using Active Directory and Sequence Lists
Lab 5: 802.1X: Examining and Configuring Supplicants
Lab 6: 802.1X: Wired Networks
Lab 7: 802.1X: MAR and EAP Chaining
Lab 8: 802.1X: Wireless Networks
Lab 9: 802.1X: MAC Authentication Bypass (MAB)
Lab 10: CWA for Wired and Wireless Networks and My Device Portal
Lab 11: Provide Guest Access Using Self-Registration
Lab 12: Configure Profiler Services
Lab 13: Configure Posture Services
Lab 14: Endpoint Protection Services
Lab 15: BYOD
Lab 16: Maintenance and Monitoring of ISE
RELATED TRAINING
- CCNAX v3.0 - CCNA Routing and Switching Boot Camp (5 days)
- ICND1 v3.0 - Interconnecting Cisco Networking Devices, Part 1 (5 days)
- ICND2 v3.0 - Interconnecting Cisco Networking Devices, Part 2 (5 days)
- ROUTE - Implementing Cisco IP Routing v2.0 (5 days)
- SWITCH - Implementing Cisco IP Switched Networks v2.0 (5 days)
- CCNA-DC - CCNA Data Center Boot Camp (5 days)
- DCNX5K - Implementing the Cisco Nexus 5000 and 2000 v3/1 (5 days)
- DCNX7K - Configuring Cisco Nexus 7000 Switches v3.1 (5 days)
- DCUCI - Data Center Unified Computing Implementation v5.0 (5 days)
- DCUFI - Implementing Cisco Data Center Unified Fabric v6.0 (5 days)
- IINS - Implementing Cisco IOS Network Security 3.0 (5 days)
- SASAC - Implementing Core Cisco ASA Security v1.0 (5 days)
- SISE - Implementing and Configuring Cisco Identity Services Engine v2.1 (5 days)
- ACUCW1 - Administering Cisco Unified Communications Workspace Part 1: Basic v10.5 (5 days)
- CICD - Implementing Cisco Collaboration Devices (5 days)
- CIPTV1 - Implementing Cisco IP Telephony & Video Part 1 v1.0 (5 days)
- CVOICE - Implementing Cisco Unified Communications Voice over IP and QoS v8.0 (5 days)