Implementing Cisco Secure Access Solutions

Implementing Cisco Secure Access Solutions (SISAS) v1.0 is a newly created 5 day instructor-led training (vILT) course that is part of the curriculum path leading to the Cisco Certified Network Professional Security (CCNP© Security) certification. Additionally, it is designed to prepare security engineers with the knowledge and hands-on experience so that they can deploy Cisco`s Identity Services Engine and 802.1X secure network access.

Upon completing this course, the learner will be able to meet these overall objectives:

• Understand Cisco Identity Services Engine architecture and access control capabilities
• Understand 802.1X architecture, implementation and operation
• Understand commonly implemented Extensible Authentication Protocols (EAP)
• Implement Public-Key Infrastructure with ISE
• Understand the implement Internal and External authentication databases
• Implement MAC Authentication Bypass
• Implement identity based authorization policies
• Understand Cisco TrustSec features
• Implement Web Authentication and Guest Access
• Implement ISE Posture service
• Implement ISE Profiling
• Understand Bring Your Own Device (BYOD) with ISE
• Troubleshoot ISE

• Secure Access Solution Portfolio
• Access Control in Cisco SAFE
• Authentication
• Authorization
• Accounting
• Change of Authorization
• Identity Sources
• RADIUS
• TACACS+

• IEEE 802.1X Overview
• 802.1X Message Flow
• 802.1X Authorization
• 802.1X VLAN Assignment
• 802.1X Downloadable ACLs
• 802.1X Host Modes
• VC Poll Question: 802.1X Host Mode Granularity
• 802.1X Phased Deployment
• 802.1X Monitor Mode
• 802.1X Low Impact Mode
• 802.1X Closed Mode
• 802.1X Deployment Mode Comparison
• 802.1X Phased Deployment Guidelines
• VC Poll Question: Security of 802.1X Deployment Modes
• Change of Authorization
• MAC Authentication Bypass
• Extensible Authentication Protocol
• Tunnel and Non-Tunnel EAP
• Non-Tunnel EAP Types
• Tunnel EAP Types
• Traditional User and Machine Authentication
• EAP Chaining
• EAP Chaining Operation
• EAP Chaining: Corporate Asset and User
• EAP Chaining: Corporate Asset, User Logged Off
• EAP Chaining: Personal Asset with NAM
• EAP Chaining: Personal 3rd Party Asset
• Cisco AnyConnect 3.x Supplicant

Lesson 3: Identity System Quick Start

• Logging In to Cisco ISE
• Organization of Cisco ISE GUI
• Local User Database
• Network Access Devices in Cisco ISE
• Cisco ISE Default Authentication Policy
• Switch Configuration Procedure
• Configure Global AAA Parameters
• Configure RADIUS Peering
• Configure Switch for 802.1X Monitor Mode
• Windows Native Supplicant
• Verify Authentication on ISE
• Verify Authentication on Switch

• Cisco ISE Operational Components
• Cisco ISE as Policy Platform
• Cisco ISE High-Level Flow
• Cisco ISE Personas
• Cisco ISE Deployment Examples

• Server Authentication in EAP
• TLS-Protected Communication
• X.509v3 Certificates
• Use of Server Certificate
• First Validation: Verify Server Certificate
• Second Validation: Verify Server Signature
• PKI Enrollment Procedure
• Verify PKI Enrollment

• Cisco ISE Authentication
• Policy Elements in Cisco ISE
• Cisco ISE Authentication Policy Example
• Cisco ISE Rule-Based Authentication
• Authentication Conditions
• Tune Rule-Based Authentication (Situational)
• Define Simple Conditions (Optional)
• Create or Tune Compound Conditions (Optional)
• Define Allowed Protocols (Optional)
• Tune or Create Authentication Rules (Optional)
• Tune Default Authentication Rule (Optional)
• Cisco Network Access Manager
• Networks and Network Groups in Cisco NAM
• Network Settings in Cisco NAM

• External Authentication
• Active Directory
• Authentication Methods with Active Directory
• VC Poll Question: AD Support for Tunnel EAP methods
• AD-Derived Group Membership
• Active Directory Integration Methods
• Active Directory Integration Procedure
• Configure AD Domain and Store
• Test AD Connection
• Join Active Directory
• Select Groups from Directory
• VC Poll Question: AD Connection Failures
• Cisco ISE Identity Source Sequence
• Configure Identity Source Sequence
• Apply Identity Source Sequence
• Verify External Authentication

• EAP-TLS Bidirectional Authentication
• Verification of Client Certificates
• Implementation Procedure for EAP-TLS in Cisco ISE Deployment
• Select CA Certificate for EAP Verification
• Deploy Certificates on Clients
• Configure 802.1X Supplicant to Use EAP-TLS
• Configure Supplicant to Use Certificates
• Configure Certificate Authentication Profile
• Apply Certificate Authentication Profile to Identity Source Sequence
• Verify EAP-TLS Operation

Lesson 2: Authorization

• Cisco Cloud Web Security Traffic Redirection Overview
• Authorization in Cisco ISE
• Authorization Policy Element Overview
• Downloadable ACLs
• Authorization Profiles
• Authorization Policy
• Building Compound Conditions
• Authorization Policy Configuration
• Verify Authentication and Authorization

• Cisco Switch Configuration
• Cisco ISE Authentication
• Cisco ISE Internal Databases
• Cisco ISE Rule-Based Authentication
• Configure Cisco ISE Rule-Based Authentication
• External Authentication
• Active Directory Integration Procedure
• Cisco ISE Identity Source Sequence
• Configure Cisco ISE Identity Source Sequence
• Cisco ISE Authorization Policy Overview
• Cisco ISE Authorization Policy Elements
• Authorization Policy Configuration
• Verify Authentication and Authorization
• Summary

• WebAuth process
• WebAuth operation
• Configure WebAuth
• Verify WebAuth

• WebAuth and guest access
• Guest access applications
• Portal placement
• Configuration scopes
• Configuration procedures
• Summary

• NAC Agents
• Client provisioning
• Posture conditions, requirements, remediation actions, and policy
• Configure posture
• Verify posture
• Summary

• Profiler service
• Probes
• Profiling without Probes
• Profiling policies
• Configure profiling
• Verify profiling
• Summary

• BYOD feature
• Single and dual SSID design
• Dual SSID flow
• Authorization in dual SSID design
• BYOD process
• Summary

• Troubleshooting procedure
• Troubleshooting tools
• Failure Reason Editor
• Connectivity tests
• General Diagnostic Tools
• Evaluate Configuration Validator
• Posture Troubleshooting
• Troubleshooting 802.1X Authentication
• Troubleshoot 802.1x on a Switch
• Troubleshoot RADIUS Peering
• Troubleshoot Peering with the User Database
• Troubleshoot Server-Side Certificate Issues
• Troubleshoot Client-Side Certificate Issues
• Troubleshoot Disallowed Authentication Protocol
• Troubleshoot Machine Authentication
• Troubleshooting MAB
• Troubleshoot Missing Endpoint MAC Address
• Troubleshooting Central Web Authentication
• Troubleshoot Mismatch of ACL Name
• Troubleshooting Posture
• Troubleshoot Profiling
• Summary

• Task 1: Jump start the switch and the ISE to deploy 802.1X in monitor mode
• Task 2: Create a user in the local ISE database and define the switch as a NAD on the ISE
• Task 3: Configure the switch with the necessary AAA, RADIUS, and 802.1X settings to enable the switch to act as a 802.1X authenticator
• Task 4: Test 802.1X operations using the Windows native 802.1X supplicant on the Employee-PC

• Task 1: Observe that the 802.1X rejects the self-signed ISE certificate and that the HTTPS session to the ISE is untrusted
• Task 2: Enroll the ISE with the Public Key Infrastructure (PKI) and examine the trust established through the PKI infrastructure

• Task 1: Deploy PEAP with native supplicant (in monitor mode)
• Task 2: Switch to 802.1X Low-Impact Mode
• Task 3: Deploy EAP-FAST(EAP-MSCHAPv2) with AnyConnect supplicant
• Task 4: Deploy MAB (static IP on print server)

• Task 1: Join ISE to Active Directory
• Task 2: Configure Authentication Against the Active Directory
• Task 3: Join Employee-PC to Active Directory

• Task 1: Enroll User and Machine with PKI
• Task 2: Configure AnyConnect Supplicant for EAP-TLS

• Task 1: Configure authorization for local accounts
• Task 2: Configure authorization for EAP-chaining
• Task 3: Verify domain employee access using AnyConnect supplicant
• Task 4: Verify domain employee access using native supplicant (non-enterprise owned)

• Task 1: Configure Switch for Central WebAuth
• Task 2: Configure WebAuth

• Task 1: Deploy the Sponsor Portal
• Task 2: Configure Authorization for Guest Users

• Task 1: Configure Client Provisioning
• Task 2: Deploy Automatic Antivirus Installation Remediation
• Task 3: Deploy Automatic Antispyware Definition Remediation (optional)

• Task 1: Deploy recommended profiler probes
• Task 2: Configure Print Server Profiling
• Task 3: Deploy the Profiler Without Probes (Optional)

• Task 1: Troubleshoot 802.1X Authentication Against Local ISE Database
• Task 2: Troubleshoot 802.1X Authentication Against Active Directory
• Task 3: Troubleshoot EAP-TLS Authentication
• Task 4: Troubleshoot Authorization
• Task 5: Troubleshoot MAB
• Task 6: Troubleshoot Central WebAuth
• Task 7: Troubleshoot Profiling

• Cisco Certified Network Associate (CCNA©_) certification
• Cisco Certified Network Associate (CCNA©_) Security certification
• Knowledge of Microsoft Windows operating system

• Network Security Engineers