
Upload: ngongoc

Post on 08-Aug-2018



SUNSET LEARNING INSTITUTE CLOUD TECHNOLOGY TRAINING PROVIDER - EDUCATE. INNOVATE. OPTIMIZE.

888.888.5251 | www.sunsetlearning.com

IMPLEMENTING CISCO SECURE ACCESS SOLUTIONS V1.0

(SISAS)

COURSE OVERVIEW: Implementing Cisco Secure Access Solutions (SISAS) v1.0 is a newly created five-day instructor-led training (vILT) course that is part of the curriculum path leading to the Cisco Certified Network Professional Security (CCNP® Security) certification. Additionally, it is designed to prepare security engineers with the knowledge and hands-on experience they need to deploy Cisco's Identity Services Engine and 802.1X secure network access. The goal of the course is to provide students with foundational knowledge and the capabilities to implement and manage network access security by utilizing the Cisco ISE appliance product solution. The student will gain hands-on experience with configuring various advanced Cisco security solutions for mitigating outside threats and securing devices connecting to the network. At the end of the course, students will be able to reduce the risk to their IT infrastructures and applications using Cisco's ISE appliance features and provide operational support for identity and network access control.

WHO WILL BENEFIT FROM THIS COURSE? Network Security Engineers

PREREQUISITES: To fully benefit from this course, students should have the following prerequisite skills and knowledge:

Cisco Certified Network Associate (CCNA®) certification

Cisco Certified Network Associate (CCNA®) Security certification

Knowledge of Microsoft Windows operating system

RELATED COURSES: SIMOS

SITCS

SENSS

COURSE OBJECTIVES: After completion of this course, students will be able to...

Understand Cisco Identity Services Engine architecture and access control capabilities

Understand 802.1X architecture, implementation and operation

Understand commonly implemented Extensible Authentication Protocols (EAP)

Implement Public-Key Infrastructure with ISE

Understand and implement Internal and External authentication databases

Implement MAC Authentication Bypass

Implement identity-based authorization policies

Understand Cisco TrustSec features

Implement Web Authentication and Guest Access

Implement ISE Posture service

Implement ISE Profiling

Understand Bring Your Own Device (BYOD) with ISE

Troubleshoot ISE


COURSE OUTLINE:

Module 1: Threat Mitigation through Identity Services

Lesson 1: Identity Services

Secure Access Solution Portfolio

Access Control in Cisco SAFE

Authentication

Authorization

Accounting

Change of Authorization

Identity Sources

RADIUS

TACACS+

Lesson 2: 802.1X and EAP

IEEE 802.1X Overview

802.1X Message Flow

802.1X Authorization

802.1X VLAN Assignment

802.1X Downloadable ACLs

802.1X Host Modes

VC Poll Question: 802.1X Host Mode Granularity

802.1X Phased Deployment

802.1X Monitor Mode

802.1X Low Impact Mode

802.1X Closed Mode

802.1X Deployment Mode Comparison

802.1X Phased Deployment Guidelines

VC Poll Question: Security of 802.1X Deployment Modes

Change of Authorization

MAC Authentication Bypass

Extensible Authentication Protocol

Tunnel and Non-Tunnel EAP

Non-Tunnel EAP Types

Tunnel EAP Types

Traditional User and Machine Authentication

EAP Chaining

EAP Chaining Operation

EAP Chaining: Corporate Asset and User

EAP Chaining: Corporate Asset, User Logged Off

EAP Chaining: Personal Asset with NAM

EAP Chaining: Personal 3rd Party Asset

Cisco AnyConnect 3.x Supplicant

Lesson 3: Identity System Quick Start

Logging In to Cisco ISE

Organization of Cisco ISE GUI

Local User Database

Network Access Devices in Cisco ISE

Cisco ISE Default Authentication Policy

Switch Configuration Procedure

Configure Global AAA Parameters

Configure RADIUS Peering

Configure Switch for 802.1X Monitor Mode

Windows Native Supplicant

Verify Authentication on ISE

Verify Authentication on Switch

Module 2: Cisco Identity Services Engine (ISE) Fundamentals

Lesson 1: Cisco ISE Overview

Cisco ISE Operational Components

Cisco ISE as Policy Platform

Cisco ISE High-Level Flow

Cisco ISE Personas

Cisco ISE Deployment Examples

Lesson 2: Cisco ISE with PKI

Server Authentication in EAP

TLS-Protected Communication

X.509v3 Certificates

Use of Server Certificate

First Validation: Verify Server Certificate

Second Validation: Verify Server Signature

PKI Enrollment Procedure

Verify PKI Enrollment


Lesson 3: Cisco ISE Authentication

Cisco ISE Authentication

Policy Elements in Cisco ISE

Cisco ISE Authentication Policy Example

Cisco ISE Rule-Based Authentication

Authentication Conditions

Tune Rule-Based Authentication (Situational)

Define Simple Conditions (Optional)

Create or Tune Compound Conditions (Optional)

Define Allowed Protocols (Optional)

Tune or Create Authentication Rules (Optional)

Tune Default Authentication Rule (Optional)

Cisco Network Access Manager

Networks and Network Groups in Cisco NAM

Network Settings in Cisco NAM

Lesson 4: Configuring Cisco ISE for External Authentication

External Authentication

Active Directory

Authentication Methods with Active Directory

VC Poll Question: AD Support for Tunnel EAP methods

AD-Derived Group Membership

Active Directory Integration Methods

Active Directory Integration Procedure

Configure AD Domain and Store

Test AD Connection

Join Active Directory

Select Groups from Directory

VC Poll Question: AD Connection Failures

Cisco ISE Identity Source Sequence

Configure Identity Source Sequence

Apply Identity Source Sequence

Verify External Authentication

Module 3: Advanced Access Control

Lesson 1: Certificate-based User Authentication

EAP-TLS Bidirectional Authentication

Verification of Client Certificates

Implementation Procedure for EAP-TLS in Cisco ISE Deployment

Select CA Certificate for EAP Verification

Deploy Certificates on Clients

Configure 802.1X Supplicant to Use EAP-TLS

Configure Supplicant to Use Certificates

Configure Certificate Authentication Profile

Apply Certificate Authentication Profile to Identity Source Sequence

Verify EAP-TLS Operation

Lesson 2: Authorization

Cisco Cloud Web Security Traffic Redirection Overview

Authorization in Cisco ISE

Authorization Policy Element Overview

Downloadable ACLs

Authorization Profiles

Authorization Policy

Building Compound Conditions

Authorization Policy Configuration

Verify Authentication and Authorization

Lesson 3: Security Group Access (SGA) and MACsec Implementation

Cisco Switch Configuration

Cisco ISE Authentication

Cisco ISE Internal Databases

Cisco ISE Rule-Based Authentication

Configure Cisco ISE Rule-Based Authentication

External Authentication

Active Directory Integration Procedure

Cisco ISE Identity Source Sequence

Configure Cisco ISE Identity Source Sequence

Cisco ISE Authorization Policy Overview

Cisco ISE Authorization Policy Elements

Authorization Policy Configuration

Verify Authentication and Authorization

Summary


Module 4: Web Authentication and Guest Access

Lesson 1: Describe the Cisco Email Security Solutions

WebAuth process

WebAuth operation

Configure WebAuth

Verify WebAuth

Lesson 2: Guest Access Services

WebAuth and guest access

Guest access applications

Portal placement

Configuration scopes

Configuration procedures

Summary

Module 5: Endpoint Access Control Enhancements

Lesson 1: Posture

NAC Agents

Client provisioning

Posture conditions, requirements, remediation actions, and policy

Configure posture

Verify posture

Summary

Lesson 2: Profiler

Profiler service

Probes

Profiling without Probes

Profiling policies

Configure profiling

Verify profiling

Summary

Lesson 3: BYOD

BYOD feature

Single and dual SSID design

Dual SSID flow

Authorization in dual SSID design

BYOD process

Summary

Module 6: Troubleshooting Network Access Control

Lesson 1: Troubleshooting Network Access Control

Troubleshooting procedure

Troubleshooting tools

Failure Reason Editor

Connectivity tests

General Diagnostic Tools

Evaluate Configuration Validator

Posture Troubleshooting

Troubleshooting 802.1X Authentication

Troubleshoot 802.1x on a Switch

Troubleshoot RADIUS Peering

Troubleshoot Peering with the User Database

Troubleshoot Server-Side Certificate Issues

Troubleshoot Client-Side Certificate Issues

Troubleshoot Disallowed Authentication Protocol

Troubleshoot Machine Authentication

Troubleshooting MAB

Troubleshoot Missing Endpoint MAC Address

Troubleshooting Central Web Authentication

Troubleshoot Mismatch of ACL Name

Troubleshooting Posture

Troubleshoot Profiling

Summary

LABS:

Lab 1-1: Bootstrap Identity System

Task 1: Jump start the switch and the ISE to deploy 802.1X in monitor mode

Task 2: Create a user in the local ISE database and define the switch as a NAD on the ISE

Task 3: Configure the switch with the necessary AAA, RADIUS, and 802.1X settings to enable the switch to act as an 802.1X authenticator

Task 4: Test 802.1X operations using the Windows native 802.1X supplicant on the Employee-PC


Lab 2-1: Enroll Cisco ISE in PKI

Task 1: Observe that 802.1X rejects the self-signed ISE certificate and that the HTTPS session to the ISE is untrusted

Task 2: Enroll the ISE with the Public Key Infrastructure (PKI) and examine the trust established through the PKI infrastructure

Lab 2-2: Implement MAC Authentication Bypass (MAB) and Internal ISE Authentication

Task 1: Deploy PEAP with native supplicant (in monitor mode)

Task 2: Switch to 802.1X Low-Impact Mode

Task 3: Deploy EAP-FAST(EAP-MSCHAPv2) with AnyConnect supplicant

Task 4: Deploy MAB (static IP on print server)

Lab 2-3: Implement External Authentication

Task 1: Join ISE to Active Directory

Task 2: Configure Authentication Against the Active Directory

Task 3: Join Employee-PC to Active Directory

Lab 3-1: Implementing EAP-TLS with Identity Services Engine (ISE)

Task 1: Enroll User and Machine with PKI

Task 2: Configure AnyConnect Supplicant for EAP-TLS

Lab 3-2: Implementing Authorization

Task 1: Configure authorization for local accounts

Task 2: Configure authorization for EAP-chaining

Task 3: Verify domain employee access using AnyConnect supplicant

Task 4: Verify domain employee access using native supplicant (non-enterprise owned)

Lab 4-1: Configuring Cisco ASA Access Policy

Task 1: Configure Switch for Central WebAuth

Task 2: Configure WebAuth

Lab 4-2: Implement Guest Access

Task 1: Deploy the Sponsor Portal

Task 2: Configure Authorization for Guest Users

Lab 5-1: Implement Posture

Task 1: Configure Client Provisioning

Task 2: Deploy Automatic Antivirus Installation Remediation

Task 3: Deploy Automatic Antispyware Definition Remediation (optional)

Lab 5-2: Profiler

Task 1: Deploy recommended profiler probes

Task 2: Configure Print Server Profiling

Task 3: Deploy the Profiler Without Probes (Optional)

Lab 6-1: Troubleshooting Network Access Control (Optional)

Task 1: Troubleshoot 802.1X Authentication Against Local ISE Database

Task 2: Troubleshoot 802.1X Authentication Against Active Directory

Task 3: Troubleshoot EAP-TLS Authentication

Task 4: Troubleshoot Authorization

Task 5: Troubleshoot MAB

Task 6: Troubleshoot Central WebAuth

Task 7: Troubleshoot Profiling


SUNSET LEARNING INSTITUTE (SLI) DIFFERENTIATORS: Sunset Learning Institute (SLI) has been an innovative leader in developing and delivering authorized technical training since 1996. Our goal is to help our customers optimize their cloud technology investments by providing convenient, high-quality technical training that our customers can rely on. We empower students to master their desired technologies for their unique environments. What sets SLI apart is not only our immense selection of training options, but our convenient and consistent delivery system. No matter how complex your environment is or where you are located, SLI is sure to have a training solution that you can count on!

Premier World Class Instruction Team

All SLI instructors have a four-year technical degree, instructor-level certifications and field consulting work experience.

Sunset Learning has won numerous Instructor Excellence and Instructor Quality Distinction awards since 2012.

Enhanced Learning Experience

The goal of our instructors during class is to ensure students understand the material, guide them through our labs and encourage questions and interactive discussions.

Convenient and Reliable Training Experience

You have the option to attend at any of our established training facilities or from the convenience of your home or office with the use of our HD-ILT network (High Definition Instructor Led Team).

All Sunset Learning Institute classes are guaranteed to run – you can count on us to deliver the training you need when you need it!

Outstanding Customer Service

Dedicated account manager to suggest the optimal learning path for you and your team.

Enthusiastic Student Services team available to answer any questions and ensure a quality training experience during your week at Sunset Learning Institute.