SISE v4.0 - Implementing and Configuring Cisco® Identity Services Engine **Includes Extra BYOD Content** Course Outline
Overview
This course discusses the Cisco Identity Services Engine (ISE), an identity and access control policy platform that provides a single policy plane across the entire organization, combining multiple services, including authentication, authorization, and accounting (AAA), posture, profiling, device on-boarding, and guest management, into a single context-aware identity-based platform. The training provides learners with the knowledge and skills to enforce security posture compliance for wired and wireless endpoints and enhance infrastructure security using the Cisco ISE.
To participate in the hands-on labs in this class, you need to bring a laptop computer with the following:
• Windows 7 or 8.1 or 10 is recommended. Mac OSX 10.6 or greater is supported as well.
• Intel Celeron or better processors are preferred.
• 1 GB or more of RAM
• Browser Requirements: Internet Explorer 10 or greater or Mozilla Firefox. (Safari and Mozilla Firefox for Mac OSX)
• All students are required to have administrator rights to their PCs and cannot be logged in to a domain using any Group Policies that will limit their machine's capabilities. If you do not have administrator rights to your PC, you at least need permissions to download, install, and run Cisco AnyConnect Client.
• If you are participating in a WebEx event, it is highly recommended to take this class at a location that has a minimum bandwidth of 1 Mbps.
Note: Students registering for this course will be receiving their course kit in a digital format. To be able to view your digital kit you will need to bring a laptop PC and/or a compatible iPad or Android tablet. Please be aware that this digital version is designed for online use, not for printing. You can print up to 10 pages only in each guide within a course. Please note that every time you click the Print button in the book, this counts as one page printed, whether or not you click OK in the Print dialog.
Objective:
Upon completing this course, the learner will be able to meet these overall objectives:
• Describe Cisco ISE architecture, installation, and distributed deployment options.
• Configure Network Access Devices (NADs), policy components, and basic authentication and authorization policies in Cisco ISE.
• Implement Cisco ISE web authentication and guest services.
• Deploy Cisco ISE profiling, posture and client provisioning services.
• Describe administration, monitoring, troubleshooting, and TrustSec SGA security.
• Configure device administration using TACACS+ in Cisco ISE.
Prerequisites:
The learner is expected to have the following skills and knowledge before attending this course:
• Familiarity with Cisco IOS CLI
• Familiarity with Cisco ASA
• Familiarity with Cisco VPN clients
• Familiarity with Microsoft Windows Operating Systems
• Familiarity with 802.1X
Who Should Attend:
The audience for this course is as follows:
ISE Administrators/Engineers
Wireless Administrators/Engineers
Consulting Systems Engineers
Technical/Wireless/BYOD/Security Solutions Architects
ATP partner systems and field engineers
Systems Integrators who install and implement the Cisco Identity Services Engine version 2.1
COURSE OUTLINE
Module 1: Introducing Cisco ISE Architecture and Deployment
Lesson 1: Using Cisco ISE as a Network Access Policy Engine
Cisco Identity Services Overview
Cisco Identity Solution Benefits
The Attack Continuum
Controlling Access to the Network
Security Challenges for IT Organizations
Centralized Policy Management
Cisco Identity Solution Guest Use Case
Cisco Identity Solution BYOD Use Case
Cisco Identity Solution Profiling Use Case
Cisco Identity Solution Compliance Use Case
Cisco Identity Solution Security Group Access Use Case
Introducing the Components of a Cisco ISE Deployment
Secure Access Control
Describing Cisco ISE Functions
Summary
Lesson 2: Introducing Cisco ISE Deployment Models
Introducing the Components of an ISE Deployment
Cisco ISE Nodes and Personas
Implementing Nodes, Personas, and Roles
Admin Node
Policy Service Node
Monitoring Node
pxGrid Services
Collector Agent
Policy Synchronization
Deployment Options
Cisco ISE Communication Model
Introducing Context Visibility
Context Visibility Benefits
Context Visibility Wizard
Streamline Visibility Wizard
Summary
Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage
Task 1: Verify Cisco ISE setup using CLI
Task 2: Initial GUI login and Familiarization
Task 3: Disable Profiling
Task 4: Certificate enrollment
Module 2: Cisco ISE Policy Enforcement
Lesson 1: Introducing 802.1X and MAB
Access: Wired and Wireless
IEEE 802.1X Primer
MAC Authentication Bypass
Overview: Configure 802.1X and MAB
Summary
Lab 2: Integrate Cisco ISE with Active Directory
Task 1: Configure Active Directory Integration
Task 2: Configure LDAP Integration
Lesson 2: Introducing Identity Management
Identity Sources Overview
Internal Identity Sources
External Identity Sources
Multi-AD Overview and Configuration
Lightweight Directory Access Protocol
RADIUS
SAMLv2
Identity Source Sequence
Summary
Lesson 3: Configuring Certificate Services
Certificate Overview and Implementation
Certification Authority Services
Summary
Lesson 4: Introducing Cisco ISE Policy
Authentication and Authorization Process
Dictionaries, Identity Sources, and ISSs
Authentication and Its Components
Authorization and Its Components
Exception Policies and Policy Sets
Sessions in Cisco ISE
Summary
Lab 3: Configure Basic Policy on Cisco ISE
Task 1: Policy Configuration for AD Employees and AD Contractors
Task 2: Client Access – Wired
Task 3: Client Access – Wireless
Task 4: Network visibility with Context Visibility
Lesson 5: Configuring Cisco ISE Policy Sets
Cisco ISE Policy Sets Overview
Global versus Local Exception Processing
Lab 4: Configure Conversion to Policy Sets
Task 1: Convert to Policy Set
Task 2: Create Wired and Wireless Policy Sets
Task 3: Creating a Global Exception
Task 4: Testing Client Access Using Policy Sets
Lesson 6: Implementing Third-Party Network Access Device Support
Third-Party NAD Support: Features and Workflows
Summary
Lesson 7: Introducing Cisco TrustSec
Introducing Cisco TrustSec
Lesson 8: Introducing EasyConnect
Easy Connect Overview
EasyConnect Modes and Flows
EasyConnect Configuration
Summary
Lab 5: Configure Access Policy for Easy Connect
Task 1: Configure Cisco ISE to Support Easy Connect
Task 2: Create Easy Connect Policy Sets
Task 3: Test the Easy Connect Connection
Module 3: Web Auth and Guest Services
Lesson 1: Introducing Web Access with
Cisco ISE Web Authentication Overview
ISE Web Authentication Configuration Overview
Web Authentication Verification Overview
Summary
Lab 6: Configure Guest Access
Task 1: Configure Guest Settings.
Task 2: Configure Guest Locations.
Lesson 2: Introducing ISE Guest Access Components
Guest Access Services Overview
Summary
Lesson 3: Configuring Guest Access Settings
Review Guest Access Settings
Guest Types Overview
Summary
Lab 7: Configure Guest Access Operations
Task 1: Configure Cisco ISE guest access with a hotspot portal.
Task 2: Configure Cisco ISE guest access for guest self-registration (Optional).
Task 3: Enable self-registration with sponsor approval.
Task 4: Create the accounts as a sponsor (Optional).
Task 5: Perform guest account management via the sponsor portal.
Lesson 4: Configuring Portals: Sponsors and Guests
Cisco ISE Sponsor Components and Configuration
Lab 8: Create Guest Reports
Task 1: Running Reports from Cisco ISE Dashboard
Module 4: Cisco ISE Profiler
Lesson 1: Introducing Cisco ISE Profiler
Introduction to the Profiler Service
Cisco ISE Probes
Profiling Policies
Summary
Lesson 2: Configuring Cisco ISE Profiling
Configure Profiling on Cisco ISE Overview
Prepare for Profiling
Enable the Profiling Service
Profiling Probe Configuration
Configuring the Profiler Feed Service
Profiling Settings
Define Profiling Parameters
Configure Profile Policies and Logical Profiles
NMAP Scan Actions
Go Live and Monitor
Summary
Lab 9: Configure Profiling
Task 1: Configuring Profiling in Cisco ISE
Task 2: Configure the Feed Service
Task 3: Configuring Profiling in Cisco ISE
Task 4: NAD Configuration for Profiling
Lab 10: Customize the Cisco ISE Profiling Configuration
Task 1: Examine Endpoint Data
Task 2: Create a Logical Profile
Task 3: Creating a New Authorization Policy Using a Logical Profile
Task 4: Create a Custom Profile Policy
Task 5: Testing Authorization Policies with Profiling Data
Lab 11: Create Cisco ISE Profiling Reports
Task 1: Run Cisco ISE Profiler Feed Reports
Task 2: Endpoint Profile Changes Report
Task 3: Context Visibility Dashlet Reports
Module 5: Cisco ISE BYOD
Lesson 1: Introducing the Cisco ISE BYOD Process
BYOD Problem and Solutions
BYOD Design
Lesson 2: Describing BYOD Flow
Summary
Lesson 3: Configuring My Devices Portal Settings
My Devices Portal Configuration
My Devices Portal End-User Experience
Lesson 4: Configuring Certificates in BYOD Scenarios
Local ISE CA Server and Local Certificates
Cisco ISE Certificates Set Up Walk-through
Lab 12: Configure BYOD
Task 1: Portal Provisioning
Task 2: Provisioning Configuration
Task 3: Configuring Policy
Task 4: Employee iPad Registration
Lab 13: Blacklisting a Device
Task 1: Blacklisting a Device
Task 2: Lost Access Verification.
Task 3: Endpoint Record Observations
Task 4: UnBlacklist the Device
Task 5: Verify Access Capability
Task 6: Blacklisting a Stolen Device
Module 6: Cisco ISE Endpoint Compliance Services
Lesson 1: Introducing Endpoint Compliance
Endpoint Compliance
Posture Service
Posture Conditions
Compliance Module
Posture Flow
Cisco ISE Posture Agents
Posture Operational Modes
Posture Service Deployment and Licensing
Summary
Lab 14: Configure Compliance Services on Cisco ISE
Task 1: Posture Preparation
Task 2: Authorization Profiles
Task 3: Adjusting Authorization Policy for Compliance
Lesson 2: Configuring Client Posture Services and Provisioning in Cisco ISE
Client Provisioning
Posture Configuration Procedure
Prepare
Client Provisioning Resources
Posture General Settings
Posture Policy
Client Provisioning Portal
Client Provisioning Policy
Additional Configuration Tasks
Summary
Lab 15: Configure Client Provisioning
Task 1: Client Updates
Task 2: Client Resources
Task 3: Client Provisioning Policies
Lab 16: Configure Posture Policies
Task 1: Configure Posture Conditions
Task 2: Configuring Posture Remediation
Task 3: Configuring Posture Requirements
Task 4: Configuring Posture Policies
Lab 17: Test and Monitor Compliance Based Access
Task 1: AnyConnect Unified Agent Access
Task 2: Web Agent Access (Optional)
Lab 18: Test Compliance Policy
Task 1: Configure a Faulty Policy
Task 2: Use Posture Reports for Troubleshooting
Task 3: Using the Posture Troubleshooter
Task 4: Policy Correction and Testing
Module 7: Cisco ISE with AMP and VPN-Based Services
Lesson 1: Introducing VPN Access Using Cisco ISE
AAA – External Authentication
Using Cisco ASA for VPN Authentication
VPN Access Configuration Overview
Summary
Lab 19: Configure Cisco ISE for VPN Access
Task 1: Preparing the Lab
Task 2: Testing VPN Client Access
Lesson 2: Configuring Cisco AMP for ISE
Threat Centric NAC Overview
Threat Centric NAC Configuration
Summary
Lab 20: Configure Threat-Centric NAC using Cisco AMP
Task 1: Configuring the Cisco AMP Cloud
Task 2: Configuring Posture Policies and Conditions
Task 3: Configuring Posture, AMP and AnyConnect Profiles
Task 4: Enabling and Provisioning TC-NAC Services
Task 5: Verify Provisioning of AMP for Endpoints (Optional)
Module 8: Cisco ISE Integrated Solutions with APIs
Lesson 1: Introducing Location-Based Authorization
Introducing Location-Based Authorization
Lesson 2: Introducing Cisco ISE 2.x pxGrid
pxGrid Framework
pxGrid on Cisco ISE
Setting Up the Topic
Use Case: pxGrid for Rapid Threat Detection
Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration
Task 1: Configuring Cisco ISE System Certificates for REST and pxGrid
Task 2: Preparing the Cisco WSA
Task 3: Configuring Security Groups, Authorization Policy, and Enabling pxGrid on ISE
Task 4: Enabling pxGrid on WSA
Task 5: WSA Identity and Access Policies (Optional)
Task 6: Testing Corporate PC (Optional)
Module 9: Working with Network Access Devices
Lesson 1: Configuring TACACS+ for Cisco ISE Device Administration
Review TACACS+
Cisco ISE TACACS+ Device Administration
Configure TACACS Device Administration
TACACS Device Administration Guidelines and Best Practices
Migrating from Cisco ACS to Cisco ISE
Summary
Lab 22: Configure Cisco ISE for Basic Device Administration
Task 1: Policy Configuration for AD Employees and AD Contractors
Lab 23: Configure TACACS+ Command Authorization
Task 1: Configure Command Sets
Task 2: TACACS+ Features
Module 10: Cisco ISE Design (Self-Study)
Lesson 1: Designing and Deployment Best Practices
Cisco ISE Planning and Pre-deployment
Cisco ISE Sizing and Scaling Practices
Lesson 2: Performing Cisco ISE Installation and Configuration Best Practices
Cisco ISE Deployment Best Practices
ISE Certificates Best Practices
ISE Profiling Best Practices
Web Portals Best Practices
Logging and Troubleshooting Best Practices
Lesson 3: Deploying Failover and High-Availability
PSN HA or Load Sharing
Deploying Monitoring Personas
Preparing the Network Infrastructure
Module 11: Configuring Third Party NAD Support (Optional/Self-Study/Reference)
Lesson 1: Configuring Third-Party NAD Support (Optional, Self-Study, or Reference)
Configuring Third-Party NAD Support
Summary
CSSISE