Maxtrain.com - [email protected] - 513-322-8888 - 866-595-6863


Implementing Cisco Secure Access Solutions

Alert Me


Implementing Cisco Secure Access Solutions (SISAS) v1.0 is a newly created 5 day instructor-led training (vILT) course that is part of the curriculum path leading to the Cisco Certified Network Professional Security (CCNP© Security) certification. Additionally, it is designed to prepare security engineers with the knowledge and hands-on experience so that they can deploy Cisco`s Identity Services Engine and 802.1X secure network access.

The goal of the course is to provide students with foundational knowledge and the capabilities to implement and managed network access security by utilizing Cisco ISE appliance product solution.
The student will gain hands-on experience with configuring various advance Cisco security solutions for mitigating outside threats and securing devices connecting to the network. At the end of the course, students will be able to reduce the risk to their IT infrastructures and applications using Cisco`s ISE appliance feature and provide operational support identity and network access control

Upon completing this course, the learner will be able to meet these overall objectives:

  • Understand Cisco Identity Services Engine architecture and access control capabilities
  • Understand 802.1X architecture, implementation and operation
  • Understand commonly implemented Extensible Authentication Protocols (EAP)
  • Implement Public-Key Infrastructure with ISE
  • Understand the implement Internal and External authentication databases
  • Implement MAC Authentication Bypass
  • Implement identity based authorization policies
  • Understand Cisco TrustSec features
  • Implement Web Authentication and Guest Access
  • Implement ISE Posture service
  • Implement ISE Profiling
  • Understand Bring Your Own Device (BYOD) with ISE
  • Troubleshoot ISE


Module 1: Threat Mitigation through Identity Services Lesson 1: Identity Services
  • Secure Access Solution Portfolio
  • Access Control in Cisco SAFE
  • Authentication
  • Authorization
  • Accounting
  • Change of Authorization
  • Identity Sources
Lesson 2: 802.1X and EAP
  • IEEE 802.1X Overview
  • 802.1X Message Flow
  • 802.1X Authorization
  • 802.1X VLAN Assignment
  • 802.1X Downloadable ACLs
  • 802.1X Host Modes
  • VC Poll Question: 802.1X Host Mode Granularity
  • 802.1X Phased Deployment
  • 802.1X Monitor Mode
  • 802.1X Low Impact Mode
  • 802.1X Closed Mode
  • 802.1X Deployment Mode Comparison
  • 802.1X Phased Deployment Guidelines
  • VC Poll Question: Security of 802.1X Deployment Modes
  • Change of Authorization
  • MAC Authentication Bypass
  • Extensible Authentication Protocol
  • Tunnel and Non-Tunnel EAP
  • Non-Tunnel EAP Types
  • Tunnel EAP Types
  • Traditional User and Machine Authentication
  • EAP Chaining
  • EAP Chaining Operation
  • EAP Chaining: Corporate Asset and User
  • EAP Chaining: Corporate Asset, User Logged Off
  • EAP Chaining: Personal Asset with NAM
  • EAP Chaining: Personal 3rd Party Asset
  • Cisco AnyConnect 3.x Supplicant

Lesson 3: Identity System Quick Start

  • Logging In to Cisco ISE
  • Organization of Cisco ISE GUI
  • Local User Database
  • Network Access Devices in Cisco ISE
  • Cisco ISE Default Authentication Policy
  • Switch Configuration Procedure
  • Configure Global AAA Parameters
  • Configure RADIUS Peering
  • Configure Switch for 802.1X Monitor Mode
  • Windows Native Supplicant
  • Verify Authentication on ISE
  • Verify Authentication on Switch
Module 2: Cisco Identity Services Engine (ISE) Fundamentals Lesson 1: Cisco ISE Overview
  • Cisco ISE Operational Components
  • Cisco ISE as Policy Platform
  • Cisco ISE High-Level Flow
  • Cisco ISE Personas
  • Cisco ISE Deployment Examples
Lesson 2: Cisco ISE with PKI
  • Server Authentication in EAP
  • TLS-Protected Communication
  • X.509v3 Certificates
  • Use of Server Certificate
  • First Validation: Verify Server Certificate
  • Second Validation: Verify Server Signature
  • PKI Enrollment Procedure
  • Verify PKI Enrollment
Lesson 3: Cisco ISE Authentication
  • Cisco ISE Authentication
  • Policy Elements in Cisco ISE
  • Cisco ISE Authentication Policy Example
  • Cisco ISE Rule-Based Authentication
  • Authentication Conditions
  • Tune Rule-Based Authentication (Situational)
  • Define Simple Conditions (Optional)
  • Create or Tune Compound Conditions (Optional)
  • Define Allowed Protocols (Optional)
  • Tune or Create Authentication Rules (Optional)
  • Tune Default Authentication Rule (Optional)
  • Cisco Network Access Manager
  • Networks and Network Groups in Cisco NAM
  • Network Settings in Cisco NAM
Lesson 4: Configuring Cisco ISE for External Authentication
  • External Authentication
  • Active Directory
  • Authentication Methods with Active Directory
  • VC Poll Question: AD Support for Tunnel EAP methods
  • AD-Derived Group Membership
  • Active Directory Integration Methods
  • Active Directory Integration Procedure
  • Configure AD Domain and Store
  • Test AD Connection
  • Join Active Directory
  • Select Groups from Directory
  • VC Poll Question: AD Connection Failures
  • Cisco ISE Identity Source Sequence
  • Configure Identity Source Sequence
  • Apply Identity Source Sequence
  • Verify External Authentication
Module 3: Advanced Access Control Lesson 1: Certificate-based User Authentication
  • EAP-TLS Bidirectional Authentication
  • Verification of Client Certificates
  • Implementation Procedure for EAP-TLS in Cisco ISE Deployment
  • Select CA Certificate for EAP Verification
  • Deploy Certificates on Clients
  • Configure 802.1X Supplicant to Use EAP-TLS
  • Configure Supplicant to Use Certificates
  • Configure Certificate Authentication Profile
  • Apply Certificate Authentication Profile to Identity Source Sequence
  • Verify EAP-TLS Operation

Lesson 2: Authorization

  • Cisco Cloud Web Security Traffic Redirection Overview
  • Authorization in Cisco ISE
  • Authorization Policy Element Overview
  • Downloadable ACLs
  • Authorization Profiles
  • Authorization Policy
  • Building Compound Conditions
  • Authorization Policy Configuration
  • Verify Authentication and Authorization
Lesson 3: Security Group Access (SGA) and MACsec Implementation
  • Cisco Switch Configuration
  • Cisco ISE Authentication
  • Cisco ISE Internal Databases
  • Cisco ISE Rule-Based Authentication
  • Configure Cisco ISE Rule-Based Authentication
  • External Authentication
  • Active Directory Integration Procedure
  • Cisco ISE Identity Source Sequence
  • Configure Cisco ISE Identity Source Sequence
  • Cisco ISE Authorization Policy Overview
  • Cisco ISE Authorization Policy Elements
  • Authorization Policy Configuration
  • Verify Authentication and Authorization
  • Summary
Module 4: Web Authentication and Guest Access Lesson 1: Describe the Cisco Email Security Solutions
  • WebAuth process
  • WebAuth operation
  • Configure WebAuth
  • Verify WebAuth
Lesson 2: Guest Access Services
  • WebAuth and guest access
  • Guest access applications
  • Portal placement
  • Configuration scopes
  • Configuration procedures
  • Summary
Module 5: Endpoint Access Control Enhancements Lesson 1: Posture
  • NAC Agents
  • Client provisioning
  • Posture conditions, requirements, remediation actions, and policy
  • Configure posture
  • Verify posture
  • Summary
Lesson 2: Profiler
  • Profiler service
  • Probes
  • Profiling without Probes
  • Profiling policies
  • Configure profiling
  • Verify profiling
  • Summary
Lesson 3: BYOD
  • BYOD feature
  • Single and dual SSID design
  • Dual SSID flow
  • Authorization in dual SSID design
  • BYOD process
  • Summary
Module 6: Troubleshooting Network Access Control Lesson 1: Troubleshooting Network Access Control
  • Troubleshooting procedure
  • Troubleshooting tools
  • Failure Reason Editor
  • Connectivity tests
  • General Diagnostic Tools
  • Evaluate Configuration Validator
  • Posture Troubleshooting
  • Troubleshooting 802.1X Authentication
  • Troubleshoot 802.1x on a Switch
  • Troubleshoot RADIUS Peering
  • Troubleshoot Peering with the User Database
  • Troubleshoot Server-Side Certificate Issues
  • Troubleshoot Client-Side Certificate Issues
  • Troubleshoot Disallowed Authentication Protocol
  • Troubleshoot Machine Authentication
  • Troubleshooting MAB
  • Troubleshoot Missing Endpoint MAC Address
  • Troubleshooting Central Web Authentication
  • Troubleshoot Mismatch of ACL Name
  • Troubleshooting Posture
  • Troubleshoot Profiling
  • Summary
Lab 1-1: Bootstrap Identity System
  • Task 1: Jump start the switch and the ISE to deploy 802.1X in monitor mode
  • Task 2: Create a user in the local ISE database and define the switch as a NAD on the ISE
  • Task 3: Configure the switch with the necessary AAA, RADIUS, and 802.1X settings to enable the switch to act as a 802.1X authenticator
  • Task 4: Test 802.1X operations using the Windows native 802.1X supplicant on the Employee-PC
Lab 2-1: Enroll Cisco ISE in PKI
  • Task 1: Observe that the 802.1X rejects the self-signed ISE certificate and that the HTTPS session to the ISE is untrusted
  • Task 2: Enroll the ISE with the Public Key Infrastructure (PKI) and examine the trust established through the PKI infrastructure
Lab 2-2: Implement MAC Authentication Bypass (MAB) and Internal ISE Authentication
  • Task 1: Deploy PEAP with native supplicant (in monitor mode)
  • Task 2: Switch to 802.1X Low-Impact Mode
  • Task 3: Deploy EAP-FAST(EAP-MSCHAPv2) with AnyConnect supplicant
  • Task 4: Deploy MAB (static IP on print server)
Lab 2-3: Implement External Authentication
  • Task 1: Join ISE to Active Directory
  • Task 2: Configure Authentication Against the Active Directory
  • Task 3: Join Employee-PC to Active Directory
Lab 3-1: Implementing EAP-TLS with Identity Services Engine (ISE)
  • Task 1: Enroll User and Machine with PKI
  • Task 2: Configure AnyConnect Supplicant for EAP-TLS
Lab 3-2: Implementing Authorization
  • Task 1: Configure authorization for local accounts
  • Task 2: Configure authorization for EAP-chaining
  • Task 3: Verify domain employee access using AnyConnect supplicant
  • Task 4: Verify domain employee access using native supplicant (non-enterprise owned)
Lab 4-1: Configuring Cisco ASA Access Policy
  • Task 1: Configure Switch for Central WebAuth
  • Task 2: Configure WebAuth
Lab 4-2: Implement Guest Access
  • Task 1: Deploy the Sponsor Portal
  • Task 2: Configure Authorization for Guest Users
Lab 5-1: Implement Posture
  • Task 1: Configure Client Provisioning
  • Task 2: Deploy Automatic Antivirus Installation Remediation
  • Task 3: Deploy Automatic Antispyware Definition Remediation (optional)
Lab 5-2: Profiler
  • Task 1: Deploy recommended profiler probes
  • Task 2: Configure Print Server Profiling
  • Task 3: Deploy the Profiler Without Probes (Optional)
Lab 6-1: Troubleshooting Network Access Control (Optional)
  • Task 1: Troubleshoot 802.1X Authentication Against Local ISE Database
  • Task 2: Troubleshoot 802.1X Authentication Against Active Directory
  • Task 3: Troubleshoot EAP-TLS Authentication
  • Task 4: Troubleshoot Authorization
  • Task 5: Troubleshoot MAB
  • Task 6: Troubleshoot Central WebAuth
  • Task 7: Troubleshoot Profiling


To fully benefit from this course, students should have the following prerequisite skills and knowledge:
  • Cisco Certified Network Associate (CCNA©_) certification
  • Cisco Certified Network Associate (CCNA©_) Security certification
  • Knowledge of Microsoft Windows operating system


The primary audience for this course is as follows:
  • Network Security Engineers
$3895.00 List Price

5 Days Course

Class Dates

Request a Date or a Private Class below.

MAX Educ. Savings
Categories: , Tags: ,
Loading ...