ISE Exam Preparation
BRKCRT-2208
Rafael Leiva-Ochoa (Education Specialist)
CCIE# 19322
© 2014 Cisco and/or its affiliates. All rights reserved. BRKCRT-2208 Cisco Public
Agenda
• Overview of SISE Security v1.1 and SISAS v1.0 Exam
• Preparing for Exam
• Building an ISE Lab
• Demo Lab
• Lab Ideas
• Quiz
• Q&A
Overview of SISE Security v1.1 and SISAS v1.0 Exam

Disclaimer / Warning
• This session will strictly adhere to Cisco's rules of confidentiality
• We may not be able to address specific questions due to the possibility of exposing the test questions.
• If you have taken the exam, please refrain from asking questions from the exam. (This is a protection from disqualification from this exam and others.)
• We will be available after the session to direct you to resources to assist with specific questions or to provide clarification.
SISE 1.1 Security Requirements
• No prior certifications are needed to qualify for this exam.
• One exam only: SISE - 500-254
• Based on ISE v1.1 code
• Recommended trainings before taking the SISE exam:
  – 802.1X: S802DT1X - 650-472
  – SISE - Implementing Cisco Identity Services Engine Secure Solutions v1.1
SISAS 1.0 Security Requirements
• The SISAS exam is one of the 4 exams required for CCNP Security
• Based on ISE v1.2 code
• CCNP Security exams:
  – SISAS 1.0 - 300-208
  – SENSS 1.0 - 300-206
  – SIMOS 1.0 - 300-209
  – SITCS 1.0 - 300-207
500-254 SISE v1.1 Exam
• Approximately 60 minute exam
• 60 – 65 questions possible
• Register with Pearson VUE
  – http://www.vue.com/cisco
• Exam cost is $200.00 US
500-254 (SISE) Implementing and Configuring Cisco Identity Services Engine
1.0 Building a Network Design for the ISE Platform
  – Introducing the TrustSec Solution and ISE Platform Architecture
2.0 Deploying the Cisco Identity Services Engine
  – Installing the ISE Software
  – Integrating the ISE into Microsoft Active Directory
  – Configuring the ISE for Redundancy and Scaling
3.0 Implementing Classification and Policy Enforcement
  – Configuring the ISE for MAC Address Bypass (MAB)
  – Configuring the ISE for wired and wireless 802.1X authentication
  – Deploying VPN-based services using the Cisco ASA and Inline Posturing
  – Configuring Web Authentication using the ISE
  – Using the ISE for policy enforcement
4.0 Configuring and verifying Profiling, Posturing, and Guest Services
  – Configuring ISE profiling services
  – Configuring ISE posture services
  – Configuring ISE guest services
5.0 TrustSec Fundamentals
  – Introducing TrustSec fundamentals
6.0 Creating a Low-Level Design for the ISE
  – Creating a high-level and low-level design for the ISE
300-208 SISAS v1.0 Exam
• Approximately 90 minute exam
• 60 – 75 questions possible
• Register with Pearson VUE
  – http://www.vue.com/cisco
• Exam cost is $200.00 US
300-208 (SISAS) Implementing Cisco Secure Access Solutions Exam Topics
1.0 Identity Management/Secure Access
  – Implement Device Administration – AAA, TACACS+, RADIUS
  – Describe Identity Management
  – Implement Wired/Wireless 802.1X
  – Implement MAB
  – Implement Network Authorization Enforcement
  – Implement Central Web Authorization
  – Implement Profiling
  – Implement Guest Services
  – Implement BYOD access
2.0 Threat Defense
  – Describe SGA Access Control Lists
3.0 Troubleshooting, Monitoring, and Reporting Tools
  – Troubleshoot identity management solutions
4.0 Threat Defense Architectures
  – Design secure wireless management solutions
5.0 Identity Management Architectures
  – Design AAA security solutions
  – Design Profiling security solution
  – Design Posturing security solution
  – Design BYOD security solution
  – Design Device administration security solutions
  – Design Guest services security solution
Comparing the SISE 1.1 and SISAS 1.0
SISE                                  | SISAS
Product Training Focus                | Technology Focus
Very detailed from start to finish    | Provides detail on some key topics, and an overview on others
ISE Version 1.1                       | ISE Version 1.2
Overview on TrustSec                  | More details on TrustSec
Which Exam is Best for Me? SISE v1.1 or SISAS v1.0 Exam?
• Questions you should ask yourself:
  – Do I want to learn the product for implementation, or how it fits in the security structure?
  – Is the CCNP Security what I am after?
  – Do I want a full product understanding from start to finish?

Preparing for Exam
Preparing for the SISE v1.1 and SISAS v1.0 Exam
• Recommended Training via Cisco Learning Partners
  – SISE - Implementing Cisco Identity Services Engine Secure Solutions v1.1
  – SISAS – Implementing Cisco Secure Access Solutions v1.0
• Cisco Learning Network
  – www.cisco.com/go/learnnetspace
  – CCNP Group – learningnetwork.cisco.com/groups/ccnp-security-study-group
• Practical Experience
  – Real Equipment
  – ISE 90-day Evaluation
  – Client and Server Machines on VMware

Basic Videos on ISE Solutions
Cisco dot com resources
• No CCO login is required to download the command references and configuration guides.
• No need to read these documents cover to cover, but they are essential as reference material during exam preparation.
• The 'Overview' or 'Information About' section is very helpful for each of the many topics and features covered on the exams.
• Topics from the 300-208 exam that you can locate in the config guides or technotes: Policies, Central Web Authentication, Guest, Posture, MACsec, etc.
ISE Design Guides
http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
Part 2 of the list

Cisco Identity Services Engine 1.2 User Guide
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html
Search, search, and search again!
• Many YouTube VODs out on the Internet contain good insight into Cisco ISE technologies. Search beyond CCNP material, for example: "ISE introduction", "802.1X introduction"
• Not every document out on the Internet is 100% correct, so verify your findings, then share!!!
• Cisco Validated Design documents are a good reference resource.
  – These documents provide valuable information into the theory behind different Data Center design fundamental concepts.

Cisco Learning Network – Study Portal
Additional Reading Material
• Cisco ISE for BYOD and Secure Unified Access- (ISBN-10: 1-58714-325-9)
Forming a Good Study Plan
• Break things down
  – Form a list of things that are needed to pass the exam, and start the process of learning them
• Read about the technology required in the exam. Try to understand the reasoning behind it.
  – White Papers ("TrustSec")
  – Cisco.com Documentation
  – Learning@cisco forums
• Labs
  – Learning Partner Labs
  – Example configurations from Cisco.com Documentation
  – Create your own to better understand key technologies that are required to pass the exam

ISE Architecture
Time Requirements - Estimate
• Everyone studies at a different level – set a pace you can commit to. Start with small, manageable sections of a particular course.
• Expect approx. 40 - 50 hours of reading per exam to achieve a firm understanding of the concepts
  – Reading study material and books
  – Watching technical VoDs & Webinars
• Plan for a minimum of 20 - 30 hours of hands-on lab practice
  – Initial setup, configuration, and troubleshooting of specific devices
Before taking the Exam
• Question Styles
  – Multiple-choice single answer
  – Multiple-choice multiple answer
  – Drag-and-drop
  – Fill-in-the-blank
  – Simulations
  – Verification
• Rule out the answer choices that are clearly wrong
• Look for the BEST answer when more than one seems to apply
• Narrow down your choices
• Understand the relationship to the device or technology
• MANAGE YOUR TIME!!!!

Building an ISE Lab
What do I need to build a good ISE lab?
• A server or desktop computer with the following specs:
  – Intel Quad-Core, 2.13 GHz or faster
  – 32 GB RAM
  – 60 to 600 GB of disk storage (600 GB recommended)
  – 2 GB NIC interface required (3 NICs are recommended)
  – Hypervisor: supported VMware versions include:
    – VMware ESXi 4.x
    – VMware ESXi 5.x
• A Cisco switch that supports MAB, 802.1X, CWA, and LWA
• ISE ISO image
• Client ISO images (Windows clients recommended)
• Wireless dongle (any manufacturer will do)
• Wireless controller, and some APs
• iPad or iPhone (not required, but a good bonus)
Supported NADs
Feature columns: MAB | 802.1X | Web Auth (CWA) | Web Auth (LWA) | Session CoA | VLAN | dACL | Secure Group Access | Cisco IOS Sensor | MACsec

Access Switches
Device                                | Minimum OS Version | Supported features
Catalyst 3560-E, ISR EtherSwitch ES3  | IOS v12.2(52)SE    | X in all 10 feature columns
Catalyst 3560-X                       | IOS v12.2(52)SE    | X in all 10 feature columns
Catalyst 3750                         | IOS v12.2(52)SE    | X in all 10 feature columns
• Complete list: http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/compatibility/ise_sdt.html
Supported NADs (Cont.)
Feature columns: MAB | 802.1X | Web Auth (CWA) | Web Auth (LWA) | Session CoA | VLAN | dACL | Secure Group Access | Cisco IOS Sensor | MACsec

Wireless
Device                              | Minimum OS Version | Supported features
WLAN Controller (WLC) 2100, 4400    | 7.0.116.0          | X in 5 of the 10 feature columns (column positions not preserved in the extracted slide)
WLAN Controller (WLC) 2500, 5500    | 7.2.103.0          | X in 8 of the 10 feature columns (column positions not preserved in the extracted slide)
• Complete list: http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/compatibility/ise_sdt.html
Which Wireless Controller would I recommend?
• Cisco 2106, 2504, or a vWLC
• The vWLC supports both CWA and LWA.
  – The EVAL supports up to 200 APs, but you only need 1 for a lab setup.
  – The EVAL is good for 8 weeks and 3 days.
  – How-to guide for setting up the vWLC: http://www.cisco.com/c/en/us/support/docs/wireless/virtual-wireless-controller/113677-virtual-wlan-dg-00.html
• Recommended AP model: AIR-AP1142N-A-K9, but others will work fine.

Ideal Lab Setup
More Ideal Lab Setup
Topology: ise-2 (10.1.10.21), ise-1 (10.1.10.20), ise-psn (10.1.11.25), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), W7-PC2 (DHCP), Printer (DHCP), 3k-access (10.1.1.2), 3k-data (10.1.1.1), wlc-1 (10.1.7.10)
Sample Switch Configuration

AAA
aaa new-model
!
! Creates an 802.1X port-based authentication method list
aaa authentication dot1x default group radius
!
! Required for VLAN/ACL assignment
aaa authorization network default group radius
!
! Authentication & authorization for webauth transactions
aaa authorization auth-proxy default group radius
!
! Enables accounting for 802.1X and MAB authentications
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
!
! Update AAA accounting periodically every 5 minutes
aaa accounting update periodic 5
!
aaa accounting system default start-stop group radius
!
! Configure switch for ISE CoA (Change of Authorization)
aaa server radius dynamic-author
 client 10.1.10.20 server-key cisco

Radius
! Include VSAs in access requests
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
! Wait 3 x 30 seconds before marking server as dead
radius-server dead-criteria time 30 tries 3
!
! Use RFC-standard ports (1812/1813)
radius-server host 10.1.10.20 auth-port 1812 acct-port 1813 test username test-radius key 0 cisco
!
radius-server vsa send accounting
radius-server vsa send authentication
!
! Send RADIUS requests from a specific VLAN interface
! (the slide shows only "100"; the interface name Vlan100 is assumed here)
ip radius source-interface Vlan100

Dot1x
interface GigabitEthernet1/0/x
 switchport mode access
 switchport access vlan <data>
 switchport voice vlan <voice>
 spanning-tree portfast
 ! Pre-authentication ACL: required for low-impact mode ("authentication open")
 ip access-group ACL_LOWI in
 authentication open
 ! (the host-mode keyword, e.g. multi-auth, is not shown on the slide)
 authentication host-mode
 authentication periodic
 authentication event fail action next-method
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication violation restrict
 mab
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
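The switch configuration above is the shape ISE expects on a network access device, and a common lab (and exam) mistake is to enable low-impact mode with "authentication open" but forget the ingress pre-authentication ACL, which leaves the port fully open before any authentication happens. The following Python script is an added example, not part of the Cisco session and not a Cisco tool: it parses an IOS-style configuration, checks for the global AAA/RADIUS/CoA commands and the per-port 802.1X/MAB commands taken from the slide, flags open-mode ports that have no ingress ACL, and classifies each access port as low-impact or closed. The embedded sample configuration is constructed for the example, and the command checklist is derived from the slide, not from a Cisco compatibility requirement.

```python
import re

# Constructed sample IOS configuration, not the configuration from the slide:
# Gi1/0/1 is a complete low-impact-mode port, Gi1/0/2 has "authentication open"
# but no pre-authentication ACL (unauthenticated hosts would get unrestricted
# access), and Gi1/0/3 is a closed-mode port that needs no pre-auth ACL.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.1.10.20 server-key cisco
radius-server dead-criteria time 30 tries 3
radius-server host 10.1.10.20 auth-port 1812 acct-port 1813 key 0 cisco
radius-server vsa send accounting
radius-server vsa send authentication
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group ACL_LOWI in
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/3
 switchport mode access
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

# Global commands an ISE-facing NAD needs, taken from the slide's AAA/RADIUS
# sections; each entry is (regex matched against the stripped line, description).
REQUIRED_GLOBAL = [
    (r"aaa new-model$", "aaa new-model"),
    (r"aaa authentication dot1x default group radius$", "802.1X authentication method list"),
    (r"aaa authorization network default group radius$", "network authorization (VLAN/dACL assignment)"),
    (r"aaa authorization auth-proxy default group radius$", "auth-proxy authorization (web authentication)"),
    (r"aaa accounting dot1x default start-stop group radius$", "802.1X/MAB accounting"),
    (r"aaa server radius dynamic-author$", "CoA listener (aaa server radius dynamic-author)"),
    (r"radius-server dead-criteria ", "RADIUS dead-server criteria"),
    (r"radius-server host ", "RADIUS server definition"),
    (r"radius-server vsa send accounting$", "VSAs in accounting"),
    (r"radius-server vsa send authentication$", "VSAs in authentication"),
]

# Per-port commands for a MAB + 802.1X access port, also from the slide.
REQUIRED_PORT = [
    (r"authentication port-control auto$", "authentication port-control auto"),
    (r"mab$", "mab"),
    (r"dot1x pae authenticator$", "dot1x pae authenticator"),
    (r"authentication order mab dot1x$", "authentication order mab dot1x"),
]


def parse_config(text):
    """Split an IOS config into global lines and {interface name: [sub-lines]}.

    Comment lines ("!") are dropped; indented lines under a non-interface block
    (such as the CoA "client" line) are kept as global lines.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def port_modes(text):
    """Classify each access port as low-impact ("authentication open") or closed."""
    _, interfaces = parse_config(text)
    return {name: ("low-impact" if "authentication open" in lines else "closed")
            for name, lines in interfaces.items() if "switchport mode access" in lines}


def audit(text):
    """Return a list of findings; an empty list means the config passes the checklist."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for pattern, desc in REQUIRED_GLOBAL:
        if not any(re.match(pattern, line) for line in global_lines):
            findings.append(f"global: missing {desc}")
    has_coa = any(re.match(r"aaa server radius dynamic-author$", line) for line in global_lines)
    if has_coa and not any(line.startswith("client ") for line in global_lines):
        findings.append("global: dynamic-author has no client, so ISE CoA requests will be rejected")
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue  # uplinks and trunks are out of scope for this checklist
        for pattern, desc in REQUIRED_PORT:
            if not any(re.match(pattern, line) for line in lines):
                findings.append(f"{name}: missing {desc}")
        # Low-impact mode is only safe together with an ingress pre-auth ACL.
        has_acl = any(line.startswith("ip access-group ") and line.endswith(" in") for line in lines)
        if "authentication open" in lines and not has_acl:
            findings.append(f"{name}: authentication open without an ingress pre-auth ACL")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the open port without an ACL; a closed-mode port needs no pre-auth ACL because nothing passes until authorization succeeds, which is exactly the difference between the two modes that the quiz at the end of the session asks about.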
Sample Wireless Controller Setup

Demo Lab
My Lab Setup for Demo
Topology: ise-1 (10.1.10.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.7.100), Jump PC

Lab Ideas
Laboratory Equipment
• Cisco Catalyst 3750 Switch
• Cisco 1140N Access Point, and PoE injector or power supply
• Cisco UCS Server running 1 or 2 CPUs, 32 GB of RAM, 600 GB HDD, and 3 NICs
• Wireless USB dongle

Software List
• Windows 2008 Enterprise Server 64-bit
• Windows 7 Pro 32-bit for 1 or 2 clients
• Cisco ISE 1.1.1 ISO (Cisco.com download)
• Cisco vWLC 7.x OVA (Cisco.com download)
• Cisco AnyConnect NAM software (Cisco.com download)
• Wireless USB dongle driver software
Labs
• Lab 1-1: Lab IP Setup
• Lab 1-2: Setup ISE for Operation
• Lab 1-3: Certificate Operations
• Lab 1-4: Cisco ISE Deployment
• Lab 1-5: GUI Operation
• Lab 1-6: Add NAS Devices to Cisco ISE
• Lab 1-7: Join ISE to AD
• Lab 1-8: Basic Policy Setup 1
• Lab 1-9: Basic Policy Setup 2
• Lab 1-10: Multiple Policy Setup
• Lab 1-11: Guest Services
• Lab 1-12: BYOD
• Lab 1-13: Cisco ISE Profiling
• Lab 1-14: Cisco ISE Posture Setup
Lab 1-1: Lab IP Setup
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Lab 1-2: Setup ISE for Operation
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• ise-1 and ise-2: interface setup, NTP, and DB passwords
• Designate a primary NTP server and a secondary NTP server
Exam topic: Deploying the Cisco Identity Services Engine – Installing the ISE Software
Lab 1-3: Certificate Operations
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• ise-1 and ise-2: configure for certificate operation (MnT and EAP)
• ad1: AD certificate server
Exam topic: Implementing Classification and Policy Enforcement – Configuring the ISE for wired and wireless 802.1X authentication
Lab 1-4: Cisco ISE Deployment
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Assign personas: one ISE node runs PAN, PSN, and MnT; the other runs PAN and MnT
Exam topic: Deploying the Cisco Identity Services Engine – Configuring the ISE for Redundancy and Scaling
Lab 1-5: GUI Operation
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Understand all the options, and where they are
Exam topic: All areas
Lab 1-6: Add NAS Devices to Cisco ISE
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Add the NAS devices that will do AuthC/AuthZ, and logging
Exam topic: Implementing Classification and Policy Enforcement – Configuring the ISE for wired and wireless 802.1X authentication
Lab 1-7: Join ISE to AD
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Join ISE to AD
• AD server: time sync with ISE is critical
Exam topic: Deploying the Cisco Identity Services Engine – Integrating the ISE into Microsoft Active Directory
Lab 1-8: Basic Policy Setup 1
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• W7-PC1: configure AnyConnect NAM for EAP-FAST
• ad1: AD server
• ISE: configure one basic EAP-FAST policy using AD and the internal database
Exam topics: Implementing Classification and Policy Enforcement – Configuring the ISE for MAC Address Bypass (MAB); Configuring the ISE for wired and wireless 802.1X authentication; Using the ISE for policy enforcement
Lab 1-9: Basic Policy Setup 2
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• W7-PC1: configure the OS native supplicant for EAP-TLS
• W7-PC1: disable the AnyConnect client in Windows Services
Exam topics: Implementing Classification and Policy Enforcement – Configuring the ISE for MAC Address Bypass (MAB); Configuring the ISE for wired and wireless 802.1X authentication; Using the ISE for policy enforcement
Lab 1-10: Multiple Policy Setup
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Configure more than one policy on Cisco ISE using EAP-FAST and EAP-TLS, with different conditions you can test on W7-PC1
• Make changes to the PC as needed to match the conditions configured for EAP-TLS and EAP-FAST
Exam topics: Implementing Classification and Policy Enforcement – Configuring the ISE for MAC Address Bypass (MAB); Configuring the ISE for wired and wireless 802.1X authentication; Using the ISE for policy enforcement
Lab 1-11: Guest Services
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Configure Guest Services
• Set up CoA and the other Guest Services requirements on the access devices
• Test Guest Services using EAP-FAST and PEAP
Exam topic: Configuring and verifying Profiling, Posturing, and Guest Services – Configuring ISE guest services
Lab 1-12: BYOD
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Configure Client Provisioning and the SCEP setup
• Configure the provisioning SSID
• Test provisioning using the configured SSID on the vWLC, and make sure you get a certificate
Exam topics: Implementing Classification and Policy Enforcement – Configuring the ISE for wired and wireless 802.1X authentication; Configuring Web Authentication using the ISE; Using the ISE for policy enforcement
Lab 1-13: Cisco ISE Profiling
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Configure the profiling requirements
• Configure HTTP, NMAP, SNMP, and RADIUS profiling probes
• Authenticate to ISE, and see if profiling is working
Exam topic: Configuring and verifying Profiling, Posturing, and Guest Services – Configuring ISE profiling services
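Lab 1-13 turns on several profiler probes and then checks whether profiling works. To make the mechanism concrete, here is an added Python example (an illustration written for this page, not Cisco code and not how ISE is implemented internally) of the certainty-factor idea the ISE profiler uses: each probe contributes attributes, each profiling policy's rules add certainty when they match, a policy applies once its minimum certainty is reached, and a child policy (Apple-iPad under Apple-Device) is only considered after its parent has matched. The probe observations, MAC addresses, policy names, attribute names and certainty values are all constructed for the example.

```python
# Constructed probe observations, not data from the slide or from an ISE
# deployment: what the RADIUS, DHCP, HTTP and SNMP probes might report for
# four endpoints, keyed by a made-up MAC address.
PROBE_DATA = {
    "00:1b:63:aa:bb:cc": {
        "radius": {"oui-vendor": "Apple, Inc."},
        "dhcp": {"host-name": "johns-ipad"},
        "http": {"user-agent": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X)"},
    },
    "00:1e:0b:11:22:33": {
        "radius": {"oui-vendor": "Hewlett Packard"},
        "snmp": {"sysDescr": "HP ETHERNET MULTI-ENVIRONMENT, ROM ..."},
    },
    "00:50:56:44:55:66": {
        "radius": {"oui-vendor": "VMware, Inc."},
        "dhcp": {"dhcp-class-identifier": "MSFT 5.0"},
    },
    "00:00:5e:00:53:01": {
        "radius": {"oui-vendor": ""},  # OUI not resolvable, no other probe data
    },
}

# Hypothetical profiling policies in the style of a certainty-factor model:
# (name, parent, minimum certainty, rules); rule = (probe, attribute, match, value, certainty).
# Parents are listed before their children, and a child is evaluated only when
# its parent already matched.
PROFILES = [
    ("Apple-Device", None, 10, [("radius", "oui-vendor", "contains", "Apple", 10)]),
    ("Apple-iPad", "Apple-Device", 20, [
        ("http", "user-agent", "contains", "iPad", 20),
        ("dhcp", "host-name", "contains", "ipad", 10),
    ]),
    ("HP-Device", None, 10, [("radius", "oui-vendor", "contains", "Hewlett", 10)]),
    ("HP-Printer", "HP-Device", 20, [("snmp", "sysDescr", "contains", "HP ETHERNET", 20)]),
    ("VMware-Device", None, 10, [("radius", "oui-vendor", "contains", "VMware", 10)]),
    ("Windows-Workstation", None, 20, [("dhcp", "dhcp-class-identifier", "startswith", "MSFT", 20)]),
]


def certainty(rules, probes):
    """Sum the certainty of every rule whose attribute was observed and matches."""
    total = 0
    for probe, attr, match, value, cf in rules:
        observed = probes.get(probe, {}).get(attr)
        if observed is None:
            continue  # probe disabled or attribute never seen: no evidence either way
        o, v = observed.lower(), value.lower()
        if (match == "contains" and v in o) or (match == "startswith" and o.startswith(v)) \
                or (match == "equals" and o == v):
            total += cf
    return total


def profile_endpoint(probes, profiles=PROFILES):
    """Return (profile name, certainty) for one endpoint's collected probe data."""
    parent_of = {name: parent for name, parent, _, _ in profiles}
    matched = {}
    for name, parent, min_cf, rules in profiles:
        if parent is not None and parent not in matched:
            continue
        score = certainty(rules, probes)
        if score >= min_cf:
            matched[name] = score
    if not matched:
        return ("Unknown", 0)

    def depth(name):
        d = 0
        while parent_of[name] is not None:
            name, d = parent_of[name], d + 1
        return d

    # Prefer the most specific (deepest) matching profile; certainty breaks ties.
    best = max(matched, key=lambda n: (depth(n), matched[n]))
    return (best, matched[best])


def profile_all(data):
    """Profile every endpoint in a {mac: probe data} map."""
    return {mac: profile_endpoint(probes)[0] for mac, probes in data.items()}


if __name__ == "__main__":
    for mac, probes in PROBE_DATA.items():
        print(mac, profile_endpoint(probes))
```

Feeding profile_endpoint only the RADIUS observation for the iPad yields just Apple-Device: the more specific profile needs attributes that only the HTTP and DHCP probes deliver, which is the practical reason the lab has you enable several probes and then verify that endpoints move past the generic vendor profile.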
Lab 1-14: Cisco ISE Posture Setup
Topology: ise-2 (10.1.3.120), ise-1 (10.1.3.110), ad1 (10.1.3.10), ap (DHCP), W7-PC1 (DHCP), 3750 SW, vwlc-1 (10.1.3.100)
Tasks:
• Configure the posture requirements
• Configure the posture setup, and download the NAC client for the supported OS
• Test the posture setup using the native OS supplicant
Exam topic: Configuring and verifying Profiling, Posturing, and Guest Services – Configuring ISE posture services

Quiz
Quiz
1. How many personas does the ISE box have?
   3
2. What are the names of the ISE personas?
   PAN, PSN, MnT
3. 802.1x phase deployment: What is the difference between closed and low-impact mode?
   Low Impact Mode:
   • Ingress ACL applied to a port configured in open mode
     – ACL allows basic connectivity for unauthenticated hosts
     – Example: permit DHCP/DNS, and block access to internal resources
   • After authentication, dACL is applied to permit appropriate traffic
   Closed Mode:
   • Default behavior, traditional 802.1X method
   • Dynamic VLAN or dACL assignment ensures differentiated access
Quiz
4. What are the names of the Profiling probes that the ISE box supports?
   Radius, HTTP, DNS, NetFlow, NMAP, DNS, DHCP, SNMP Query, and SNMP Trap
5. What features in ISE support CoA?
   WebAuth (Guest Services), Profiling, Posture
6. 802.1x Authentication Mode: What are the 4 authentication modes supported on a Cisco Switch?
   Single Host mode
   Multiple Host mode
   Multiple Domain Authentication (MDA) mode
   Multiple Authentication mode
End… :(
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Other ISE sessions, TrustSec Sessions
• BRKCRS-2891 - Deploying Secure Converged Wired, Wireless Campus
• BRKSEC-3699 - Designing ISE for Scale & High Availability
• BRKEWN-2014 - Deploying Wireless Guest Access
• BRKSEC-3045 - Getting the most out of your BYOD Investment - A Deep Dive of ISE BYOD Policy

Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings