SISE v2.1 - Implementing and Configuring Cisco Identity Services Engine

Networking/Server/Operating Systems
Schedules
Optional
  LearnITAnytime Online Subscription (1 Year Subscription - $195.00)
  IT Online Library (1 Year Subscription - $1595.00)
  Private Mentoring 3 Hours ($225)
Quantity
If quantity is more than 1, Please add all Attendees' Names /Voucher #/ Learning Credit below separated with a comma. If not specified, we will contact you prior to the class start date. Special Instructions

Description

This course discusses the Cisco Identity Services Engine (ISE), a an identity and access control policy platform that provides a single policy plane across the entire organization, combining multiple services, including authentication, authorization, and accounting (AAA), posture, profiling, device on-boarding, and guest management, into a single context-aware identity-based platform. The training provides learners with the knowledge and skills to enforce security posture compliance for wired and wireless endpoints and enhance infrastructure security using the Cisco ISE.

To participate in the hands-on labs in this class, you need to bring a laptop computer with the following:

  • Windows 7 or 8.1 or 10 is recommended. Mac OSX 10.6 or greater is supported as well.
  • Intel Celeron or better processors are preferred.
  • 1 GB or more of RAM
  • Browser Requirements: Internet Explorer 10 or greater or Mozilla Firefox. (Safari and Mozilla Firefox for Mac OSX)
  • All students are required to have administrator rights to their PCs and cannot be logged in to a domain using any Group Policies that will limit their machine's capabilities.
  • If you do not have administrator rights to your PC, you at least need permissions to download, install, and run Cisco Any Connect Client.
  • If you are participating in a WebEx event, it is highly recommended to take this class at a location that has bandwidth speeds at a minimum of 1 Mbps bandwidth speeds.

Objectives

Upon completing this course, the learner will be able to meet these overall objectives:

  • Describe Cisco ISE architecture, installation, and distributed deployment options.
  • Configure Network Access Devices (NADs), policy components, and basic authentication and authorization policies in Cisco ISE - Implement Cisco ISE web authentication and guest services.
  • Deploy Cisco ISE profiling, posture and client provisioning services.
  • Describe administration, monitoring, troubleshooting, and TrustSec SGA security.
  • Configure device administration using TACACS+ in Cisco ISE

Prerequisites

The learner is expected to have the following skills and knowledge before attending this course:

  • Familiarity with Cisco IOS CLI
  • Familiarity with Cisco ASA
  • Familiarity with Cisco VPN clients
  • Familiarity with MicroSoft Windows Operating Systems
  • Familiarity with 802.1X

Who Should Attend

The audience for this course is as follows:

  • ISE Administrators/Engineers
  • Wireless Administrators/Engineers
  • Consulting Systems Engineers
  • Technical/Wireless/BYOD/Security Solutions Architects
  • ATP partner systems and field engineers
  • Systems integrators who install and implement the Cisco Identity Service Engine version 2.1

Outline

Module 1: Introducing Cisco ISE Architecture and Deployment

Lesson 1: Using Cisco ISE as a Network Access Policy Engine

  • Cisco Identity Services Overview
  • Cisco Identity Solution Benefits
  • The Attack Continuum
  • Controlling Access to the Network
  • Security Challenges for IT Organizations
  • Centralized Policy Management
  • Cisco Identity Solution Guest Use Case
  • Cisco Identity Solution BYOD Use Case
  • Cisco Identity Solution Profiling Use Case
  • Cisco Identity Solution Compliance Use Case
  • Cisco Identity Solution Security Group Access Use Case
  • Introducing the Components of a Cisco ISE Deployment
  • Secure Access Control
  • Describing Cisco ISE Functions
  • Summary

Lesson 2: Introducing Cisco ISE Deployment Models

  • Introducing the Components of an ISE Deployment
  • Cisco ISE Nodes and Personas
  • Implementing Nodes, Personas, and Roles
  • Admin Node
  • Policy Service Node
  • Monitoring Node
  • pxGrid Services
  • Collector Agent
  • Policy Synchronization
  • Deployment Options
  • Cisco ISE Communication Model
  • Introducing Context Visibility
  • Context Visibility Benefits
  • Context Visibility Wizard
  • Streamline Visibility Wizard
  • Summary
  • Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage
    • Task 1: Verify Cisco ISE setup using CLI
    • Task 2: Initial GUI login and Familiarization
    • Task 3: Disable Profiling
    • Task 4: Certificate enrollment

Module 2: Cisco ISE Policy Enforcement

Lesson 1: Introducing 802.1X and MAB Access: Wired and Wireless

  • IEEE 802.1X Primer
  • MAC Authentication Bypass
  • Overview: Configure 802.1X and MAB
  • Summary
  • Lab 2: Integrate Cisco ISE with Active Directory
    • Task 1: Configure Active Directory Integration
    • Task 2: Configure LDAP Integration

Lesson 2: Introducing Identity Management

  • Identity Sources Overview
  • Internal Identity Sources
  • External Identity Sources
  • Multi-AD Overview and Configuration
  • Lightweight Directory Access Protocol
  • RADIUS
  • SAMLv2
  • Identity Source Sequence
  • Summary

Lesson 3: Configuring Certificate Services

  • Certificate Overview and Implementation
  • Certification Authority Services
  • Summary

Lesson 4: Introducing Cisco ISE Policy

  • Authentication and Authorization Process
  • Dictionaries, Identity Sources, and ISSs
  • Authentication and Its Components
  • Authorization and Its Components
  • Exception Policies and Policy Sets
  • Sessions in Cisco ISE
  • Summary
  • Lab 3: Configure Basic Policy on Cisco ISE
    • Task 1: Policy Configuration for AD Employees and AD Contractors
    • Task 2: Client Access ? Wired
    • Task 3: Client Access ? Wireless
    • Task 4: Network visibility with Context Visibility

Lesson 5: Configuring Cisco ISE Policy Sets

  • Cisco ISE Policy Sets Overview
  • Global versus Local Exception Processing
  • Lab 4: Configure Conversion to Policy Sets
    • Task 1: Convert to Policy Set
    • Task 2: Create Wired and Wireless Policy Sets
    • Task 3: Creating a Global Exception
    • Task 4: Testing Client Access Using Policy Sets

Lesson 6: Implementing Third-Party Network Access Device Support

  • Third-Party NAD Support: Features and Workflows
  • Summary

Lesson 7: Introducing Cisco TrustSec

  • Introducing Cisco TrustSec

Lesson 8: Introducing EasyConnect

  • Easy Connect Overview
  • EasyConnect Modes and Flows
  • EasyConnect Configuration
  • Summary
  • Lab 5: Configure Access Policy for Easy Connect
    • Task 1: Configure Cisco ISE to Support Easy Connect
    • Task 2: Create Easy Connect Policy Sets
    • Task 3: Test the Easy Connect Connection

Module 3: Web Auth and Guest Services

Lesson 1: Introducing Web Access with Cisco ISE

  • Web Authentication Overview
  • ISE Web Authentication Configuration Overview
  • Web Authentication Verification Overview
  • Summary
  • Lab 6: Configure Guest Access
    • Task 1: Configure Guest Settings.
    • Task 2: Configure Guest Locations.

Lesson 2: Introducing ISE Guest Access Components

  • Guest Access Services Overview
  • Summary

Lesson 3: Configuring Guest Access Settings

  • Review Guest Access Settings
  • Guest Types Overview
  • Summary
  • Lab 7: Configure Guest Access Operations
    • Task 1: Configure Cisco ISE guest access with a hotspot portal.
    • Task 2: Configure Cisco ISE guest access for guest self-registration. (Optional)
    • Task 3: Enable self-registration with sponsor approval.
    • Task 4: Create the accounts as a sponsor (Optional).
    • Task 5: Perform guest account management via the sponsor portal.

Lesson 4: Configuring Portals: Sponsors and Guests

  • Cisco ISE Sponsor Components and Configuration
  • Lab 8: Create Guest Reports
    • Task 1: Running Reports from Cisco ISE Dashboard

Module 4: Cisco ISE Profiler

Lesson 1: Introducing Cisco ISE Profiler

  • Introduction to the Profiler Service
  • Cisco ISE Probes
  • Profiling Policies
  • Summary

Lesson 2: Configuring Cisco ISE Profiling

  • Configure Profiling on Cisco ISE Overview
  • Prepare for Profiling
  • Enable the Profiling Service
  • Profiling Probe Configuration
  • Configuring the Profiler Feed Service
  • Profiling Settings
  • Define Profiling Parameters
  • Configure Profile Policies and Logical Profiles
  • NMAP Scan Actions
  • Go Live and Monitor
  • Summary
  • Lab 9: Configure Profiling
    • Task 1: Configuring Profiling in Cisco ISE
    • Task 2: Configure the Feed Service
    • Task 3: Configuring Profiling in Cisco ISE
    • Task 4: NAD Configuration for Profiling
  • Lab 10: Customize the Cisco ISE Profiling Configuration
    • Task 1: Examine Endpoint Data
    • Task 2: Create a Logical Profile
    • Task 3: Creating a New Authorization Policy Using a Logical Profile
    • Task 4: Create a Custom Profile Policy
    • Task 5: Testing Authorization Policies with Profiling Data
  • Lab 11: Create Cisco ISE Profiling Reports
    • Task 1: Run Cisco ISE Profiler Feed Reports
    • Task 2: Endpoint Profile Changes Report
    • Task 3: Context Visibility Dashlet Reports

Module 5: Cisco ISE BYOD

Lesson 1: Introducing the Cisco ISE BYOD Process

  • BYOD Problem and Solutions
  • BYOD Design

Lesson 2: Describing BYOD Flow

  • Summary

Lesson 3: Configuring My Devices Portal Settings

  • My Devices Portal Configuration
  • My Devices Portal End-User Experience

Lesson 4: Configuring Certificates in BYOD Scenarios

  • Local ISE CA Server and Local Certificates
  • Cisco ISE Certificates Set Up Walk-through
  • Lab 12: Configure BYOD
    • Task 1: Portal Provisioning
    • Task 2: Provisioning Configuration
    • Task 3: Configuring Policy
    • Task 4: Employee iPad Registration
  • Lab 13: Blacklisting a Device
    • Task 1: Blacklisting a Device
    • Task 2: Lost Access Verification.
    • Task 3: Endpoint Record Observations
    • Task 4: UnBlacklist the Device
    • Task 5: Verify Access Capability
    • Task 6: Blacklisting a Stolen Device

Module 6: Cisco ISE Endpoint Compliance Services

Lesson 1: Introducing Endpoint Compliance

  • Endpoint Compliance
  • Posture Service
  • Posture Conditions
  • Compliance Module
  • Posture Flow
  • Cisco ISE Posture Agents
  • Posture Operational Modes
  • Posture Service Deployment and Licensing
  • Summary
  • Lab 14: Configure Compliance Services on Cisco ISE
    • Task 1: Posture Preparation
    • Task 2: Authorization Profiles
    • Task 3: Adjusting Authorization Policy for Compliance

Lesson 2: Configuring Client Posture Services and Provisioning in Cisco ISE

  • Client Provisioning
  • Posture Configuration Procedure
  • Prepare
  • Client Provisioning Resources
  • Posture General Settings
  • Posture Policy
  • Client Provisioning Portal
  • Client Provisioning Policy
  • Additional Configuration Tasks
  • Summary
  • Lab 15: Configure Client Provisioning
    • Task 1: Client Updates
    • Task 2: Client Resources
    • Task 3: Client Provisioning Policies
  • Lab 16: Configure Posture Policies
    • Task 1: Configure Posture Conditions
    • Task 2: Configuring Posture Remediation
    • Task 3: Configuring Posture Requirements
    • Task 4: Configuring Posture Policies
  • Lab 17: Test and Monitor Compliance Based Access
    • Task 1: AnyConnect Unified Agent Access
    • Task 2: Web Agent Access (Optional)
  • Lab 18: Test Compliance Policy
    • Task 1: Configure a Faulty Policy
    • Task 2: Use Posture Reports for Troubleshooting
    • Task 3: Using the Posture Troubleshooter
    • Task 4: Policy Correction and Testing

Module 7: Cisco ISE with AMP and VPN-Based Services

Lesson 1: Introducing VPN Access Using Cisco ISE

  • AAA ? External Authentication
  • Using Cisco ASA for VPN Authentication
  • VPN Access Configuration Overview
  • Summary
  • Lab 19: Configure Cisco ISE for VPN Access
    • Task 1: Preparing the Lab
    • Task 2: Testing VPN Client Access

Lesson 2: Configuring Cisco AMP for ISE

  • Threat Centric NAC Overview
  • Threat Centric NAC Configuration
  • Summary
  • Lab 20: Configure Threat-Centric NAC using Cisco AMP
    • Task 1: Configuring the Cisco AMP Cloud
    • Task 2: Configuring Posture Policies and Conditions
    • Task 3: Configuring Posture, AMP and AnyConnect Profiles
    • Task 4: Enabling and Provisioning TC-NAC Services
    • Task 5: Verify Provisioning of AMP for Endpoints (Optional)

Module 8: Cisco ISE Integrated Solutions with APIs

Lesson 1: Introducing Location-Based Authorization

  • Introducing Location-Based Authorization

Lesson 2: Introducing Cisco ISE 2.x pxGrid

  • pxGrid Framework
  • pxGrid on Cisco ISE
  • Setting Up the Topic
  • Use Case: pxGrid for Rapid Threat Detection
  • Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration
    • Task 1: Configuring Cisco ISE System Certificates for REST and pxGrid
    • Task 2: Preparing the Cisco WSA
    • Task 3: Configuring Security Groups, Authorization Policy, and Enabling pxGrid on ISE
    • Task 4: Enabling pxGrid on WSA
    • Task 5: WSA Identity and Access Policies (Optional)
    • Task 6: Testing Corporate PC (Optional)

Module 9: Working with Network Access Devices

Lesson 1: Configuring TACACS+ for Cisco ISE Device Administration

  • Review TACACS+
  • Cisco ISE TACACS+ Device Administration
  • Configure TACACS Device Administration
  • TACACS Device Administration Guidelines and Best Practices
  • Migrating from Cisco ACS to Cisco ISE
  • Summary
  • Lab 22: Configure Cisco ISE for Basic Device Administration
    • Task 1: Policy Configuration for AD Employees and AD Contractors
  • Lab 23: Configure TACACS+ Command Authorization
    • Task 1: Configure Command Sets
    • Task 2: TACACS+ Features

Module 10: Cisco ISE Design (Self-Study)

Lesson 1: Designing and Deployment Best Practices

  • Cisco ISE Planning and Pre-deployment
  • Cisco ISE Sizing and Scaling Practices

Lesson 2: Performing Cisco ISE Installation and Configuration Best Practices

  • Cisco ISE Deployment Best Practices
    • ISE Certificates Best Practices
  • ISE Profiling Best Practices
  • Web Portals Best Practices
    • Logging and Troubleshooting Best Practices

Lesson 3: Deploying Failover and High-Availability

  • PSN HA or Load Sharing
  • Deploying Monitoring Personas
  • Preparing the Network Infrastructure

Module 11: Configuring Third Party NAD Support

(Optional/Self-Study/Reference)

Lesson 1: Configuring Third-Party NAD Support (Optional, Self-Study, or Reference)

  • Configuring Third-Party NAD Support
  • Summary