SUNSET LEARNING INSTITUTE CLOUD TECHNOLOGY TRAINING PROVIDER - EDUCATE. INNOVATE. OPTIMIZE.
888.888.5251 | www.sunsetlearning.com
IMPLEMENTING CISCO SECURE ACCESS SOLUTIONS V1.0
(SISAS)
COURSE OVERVIEW: Implementing Cisco Secure Access Solutions (SISAS) v1.0 is a newly created five-day instructor-led training (vILT) course that is part of the curriculum path leading to the Cisco Certified Network Professional Security (CCNP® Security) certification. Additionally, it is designed to give security engineers the knowledge and hands-on experience they need to deploy Cisco Identity Services Engine (ISE) and 802.1X secure network access. The goal of the course is to provide students with foundational knowledge and the capabilities to implement and manage network access security using the Cisco ISE appliance product solution. Students will gain hands-on experience configuring various advanced Cisco security solutions for mitigating outside threats and securing devices that connect to the network. At the end of the course, students will be able to reduce the risk to their IT infrastructure and applications using Cisco ISE appliance features and provide operational support for identity and network access control.
WHO WILL BENEFIT FROM THIS COURSE? Network Security Engineers
PREREQUISITES: To fully benefit from this course, students should have the following prerequisite skills and knowledge:
Cisco Certified Network Associate (CCNA®) certification
Cisco Certified Network Associate (CCNA®) Security certification
Knowledge of Microsoft Windows operating system
RELATED COURSES: SIMOS
SITCS
SENSS
COURSE OBJECTIVES: After completion of this course, students will be able to...
Understand Cisco Identity Services Engine architecture and access control capabilities
Understand 802.1X architecture, implementation and operation
Understand commonly implemented Extensible Authentication Protocols (EAP)
Implement Public-Key Infrastructure with ISE
Understand and implement internal and external authentication databases
Implement MAC Authentication Bypass
Implement identity based authorization policies
Understand Cisco TrustSec features
Implement Web Authentication and Guest Access
Implement ISE Posture service
Implement ISE Profiling
Understand Bring Your Own Device (BYOD) with ISE
Troubleshoot ISE
COURSE OUTLINE:
Module 1: Threat Mitigation through Identity Services
Lesson 1: Identity Services
Secure Access Solution Portfolio
Access Control in Cisco SAFE
Authentication
Authorization
Accounting
Change of Authorization
Identity Sources
RADIUS
TACACS+
Lesson 2: 802.1X and EAP
IEEE 802.1X Overview
802.1X Message Flow
802.1X Authorization
802.1X VLAN Assignment
802.1X Downloadable ACLs
802.1X Host Modes
VC Poll Question: 802.1X Host Mode Granularity
802.1X Phased Deployment
802.1X Monitor Mode
802.1X Low Impact Mode
802.1X Closed Mode
802.1X Deployment Mode Comparison
802.1X Phased Deployment Guidelines
VC Poll Question: Security of 802.1X Deployment Modes
Change of Authorization
MAC Authentication Bypass
Extensible Authentication Protocol
Tunnel and Non-Tunnel EAP
Non-Tunnel EAP Types
Tunnel EAP Types
Traditional User and Machine Authentication
EAP Chaining
EAP Chaining Operation
EAP Chaining: Corporate Asset and User
EAP Chaining: Corporate Asset, User Logged Off
EAP Chaining: Personal Asset with NAM
EAP Chaining: Personal 3rd Party Asset
Cisco AnyConnect 3.x Supplicant
Lesson 3: Identity System Quick Start
Logging In to Cisco ISE
Organization of Cisco ISE GUI
Local User Database
Network Access Devices in Cisco ISE
Cisco ISE Default Authentication Policy
Switch Configuration Procedure
Configure Global AAA Parameters
Configure RADIUS Peering
Configure Switch for 802.1X Monitor Mode
Windows Native Supplicant
Verify Authentication on ISE
Verify Authentication on Switch
Module 2: Cisco Identity Services Engine (ISE) Fundamentals
Lesson 1: Cisco ISE Overview
Cisco ISE Operational Components
Cisco ISE as Policy Platform
Cisco ISE High-Level Flow
Cisco ISE Personas
Cisco ISE Deployment Examples
Lesson 2: Cisco ISE with PKI
Server Authentication in EAP
TLS-Protected Communication
X.509v3 Certificates
Use of Server Certificate
First Validation: Verify Server Certificate
Second Validation: Verify Server Signature
PKI Enrollment Procedure
Verify PKI Enrollment
Lesson 3: Cisco ISE Authentication
Cisco ISE Authentication
Policy Elements in Cisco ISE
Cisco ISE Authentication Policy Example
Cisco ISE Rule-Based Authentication
Authentication Conditions
Tune Rule-Based Authentication (Situational)
Define Simple Conditions (Optional)
Create or Tune Compound Conditions (Optional)
Define Allowed Protocols (Optional)
Tune or Create Authentication Rules (Optional)
Tune Default Authentication Rule (Optional)
Cisco Network Access Manager
Networks and Network Groups in Cisco NAM
Network Settings in Cisco NAM
Lesson 4: Configuring Cisco ISE for External Authentication
External Authentication
Active Directory
Authentication Methods with Active Directory
VC Poll Question: AD Support for Tunnel EAP methods
AD-Derived Group Membership
Active Directory Integration Methods
Active Directory Integration Procedure
Configure AD Domain and Store
Test AD Connection
Join Active Directory
Select Groups from Directory
VC Poll Question: AD Connection Failures
Cisco ISE Identity Source Sequence
Configure Identity Source Sequence
Apply Identity Source Sequence
Verify External Authentication
Module 3: Advanced Access Control
Lesson 1: Certificate-based User Authentication
EAP-TLS Bidirectional Authentication
Verification of Client Certificates
Implementation Procedure for EAP-TLS in Cisco ISE Deployment
Select CA Certificate for EAP Verification
Deploy Certificates on Clients
Configure 802.1X Supplicant to Use EAP-TLS
Configure Supplicant to Use Certificates
Configure Certificate Authentication Profile
Apply Certificate Authentication Profile to Identity Source Sequence
Verify EAP-TLS Operation
Lesson 2: Authorization
Cisco Cloud Web Security Traffic Redirection Overview
Authorization in Cisco ISE
Authorization Policy Element Overview
Downloadable ACLs
Authorization Profiles
Authorization Policy
Building Compound Conditions
Authorization Policy Configuration
Verify Authentication and Authorization
Lesson 3: Security Group Access (SGA) and MACsec Implementation
Cisco Switch Configuration
Cisco ISE Authentication
Cisco ISE Internal Databases
Cisco ISE Rule-Based Authentication
Configure Cisco ISE Rule-Based Authentication
External Authentication
Active Directory Integration Procedure
Cisco ISE Identity Source Sequence
Configure Cisco ISE Identity Source Sequence
Cisco ISE Authorization Policy Overview
Cisco ISE Authorization Policy Elements
Authorization Policy Configuration
Verify Authentication and Authorization
Summary
Module 4: Web Authentication and Guest Access
Lesson 1: Describe the Cisco Email Security Solutions
WebAuth process
WebAuth operation
Configure WebAuth
Verify WebAuth
Lesson 2: Guest Access Services
WebAuth and guest access
Guest access applications
Portal placement
Configuration scopes
Configuration procedures
Summary
Module 5: Endpoint Access Control Enhancements
Lesson 1: Posture
NAC Agents
Client provisioning
Posture conditions, requirements, remediation actions, and policy
Configure posture
Verify posture
Summary
Lesson 2: Profiler
Profiler service
Probes
Profiling without Probes
Profiling policies
Configure profiling
Verify profiling
Summary
Lesson 3: BYOD
BYOD feature
Single and dual SSID design
Dual SSID flow
Authorization in dual SSID design
BYOD process
Summary
Module 6: Troubleshooting Network Access Control
Lesson 1: Troubleshooting Network Access Control
Troubleshooting procedure
Troubleshooting tools
Failure Reason Editor
Connectivity tests
General Diagnostic Tools
Evaluate Configuration Validator
Posture Troubleshooting
Troubleshooting 802.1X Authentication
Troubleshoot 802.1X on a Switch
Troubleshoot RADIUS Peering
Troubleshoot Peering with the User Database
Troubleshoot Server-Side Certificate Issues
Troubleshoot Client-Side Certificate Issues
Troubleshoot Disallowed Authentication Protocol
Troubleshoot Machine Authentication
Troubleshooting MAB
Troubleshoot Missing Endpoint MAC Address
Troubleshooting Central Web Authentication
Troubleshoot Mismatch of ACL Name
Troubleshooting Posture
Troubleshoot Profiling
Summary
LABS:
Lab 1-1: Bootstrap Identity System
Task 1: Jump start the switch and the ISE to deploy 802.1X in monitor mode
Task 2: Create a user in the local ISE database and define the switch as a NAD on the ISE
Task 3: Configure the switch with the necessary AAA, RADIUS, and 802.1X settings to enable the switch to act as an 802.1X authenticator
Task 4: Test 802.1X operations using the Windows native 802.1X supplicant on the Employee-PC
Lab 2-1: Enroll Cisco ISE in PKI
Task 1: Observe that 802.1X rejects the self-signed ISE certificate and that the HTTPS session to the ISE is untrusted
Task 2: Enroll the ISE with the Public Key Infrastructure (PKI) and examine the trust established through the PKI infrastructure
Lab 2-2: Implement MAC Authentication Bypass (MAB) and Internal ISE Authentication
Task 1: Deploy PEAP with native supplicant (in monitor mode)
Task 2: Switch to 802.1X Low-Impact Mode
Task 3: Deploy EAP-FAST(EAP-MSCHAPv2) with AnyConnect supplicant
Task 4: Deploy MAB (static IP on print server)
Lab 2-3: Implement External Authentication
Task 1: Join ISE to Active Directory
Task 2: Configure Authentication Against the Active Directory
Task 3: Join Employee-PC to Active Directory
Lab 3-1: Implementing EAP-TLS with Identity Services Engine (ISE)
Task 1: Enroll User and Machine with PKI
Task 2: Configure AnyConnect Supplicant for EAP-TLS
Lab 3-2: Implementing Authorization
Task 1: Configure authorization for local accounts
Task 2: Configure authorization for EAP-chaining
Task 3: Verify domain employee access using AnyConnect supplicant
Task 4: Verify domain employee access using native supplicant (non-enterprise owned)
Lab 4-1: Configuring Cisco ASA Access Policy
Task 1: Configure Switch for Central WebAuth
Task 2: Configure WebAuth
Lab 4-2: Implement Guest Access
Task 1: Deploy the Sponsor Portal
Task 2: Configure Authorization for Guest Users
Lab 5-1: Implement Posture
Task 1: Configure Client Provisioning
Task 2: Deploy Automatic Antivirus Installation Remediation
Task 3: Deploy Automatic Antispyware Definition Remediation (optional)
Lab 5-2: Profiler
Task 1: Deploy recommended profiler probes
Task 2: Configure Print Server Profiling
Task 3: Deploy the Profiler Without Probes (Optional)
Lab 6-1: Troubleshooting Network Access Control (Optional)
Task 1: Troubleshoot 802.1X Authentication Against Local ISE Database
Task 2: Troubleshoot 802.1X Authentication Against Active Directory
Task 3: Troubleshoot EAP-TLS Authentication
Task 4: Troubleshoot Authorization
Task 5: Troubleshoot MAB
Task 6: Troubleshoot Central WebAuth
Task 7: Troubleshoot Profiling
SUNSET LEARNING INSTITUTE (SLI) DIFFERENTIATORS: Sunset Learning Institute (SLI) has been an innovative leader in developing and delivering authorized technical training since 1996. Our goal is to help our customers optimize their cloud technology investments by providing convenient, high-quality technical training that our customers can rely on. We empower students to master their desired technologies for their unique environments. What sets SLI apart is not only our immense selection of training options, but also our convenient and consistent delivery system. No matter how complex your environment is or where you are located, SLI is sure to have a training solution that you can count on!
Premier World Class Instruction Team
All SLI instructors have a four-year technical degree, instructor-level certifications and field consulting work experience.
Sunset Learning has won numerous Instructor Excellence and Instructor Quality Distinction awards since 2012.
Enhanced Learning Experience
The goal of our instructors during class is to ensure students understand the material, guide them through our labs and encourage questions and interactive discussions.
Convenient and Reliable Training Experience
You have the option to attend at any of our established training facilities or from the convenience of your home or office with the use of our HD-ILT network (High Definition Instructor Led Team).
All Sunset Learning Institute classes are guaranteed to run – you can count on us to deliver the training you need when you need it!
Outstanding Customer Service
Dedicated account manager to suggest the optimal learning path for you and your team
Enthusiastic Student Services team available to answer any questions and ensure a quality training experience during your week at Sunset Learning Institute