CCNP Security SISAS 300-208 Official Cert Guide

By: Woland, Aaron
Contributor(s): Redmon, Kevin
Material type: Text
Publication details: Noida : Pearson, 2016
Edition: 1st edition
Description: xxxiii, 892 pages : illustrations ; CD-ROM (4 3/4 in.)
ISBN: 9781587144264 (hardcover with cd/rom : alk. paper)
Subject(s): Computers -- Access control | Computer networks - Electronic data processing personnel | Electronic data processing personnel
DDC classification: 005.8
Contents:
Introduction xxxi

Part I The CCNP Certification
Chapter 1 CCNP Security Certification 3
  CCNP Security Certification Overview 3 Contents of the CCNP-Security SISAS Exam 4 How to Take the SISAS Exam 5 Who Should Take This Exam and Read This Book? 6 Format of the CCNP-Security SISAS Exam 9 CCNP-Security SISAS 300-208 Official Certification Guide 10 Book Features and Exam Preparation Methods 13

Part II "The Triple A" (Authentication, Authorization, and Accounting)
Chapter 2 Fundamentals of AAA 17
  "Do I Know This Already?" Quiz 18 Foundation Topics 21 Triple-A 21 Compare and Select AAA Options 21 Device Administration 21 Network Access 22 TACACS+ 23 TACACS+ Authentication Messages 25 TACACS+ Authorization and Accounting Messages 26 RADIUS 28 AV-Pairs 31 Change of Authorization 31 Comparing RADIUS and TACACS+ 32 Exam Preparation Tasks 33 Review All Key Topics 33 Define Key Terms 33
Chapter 3 Identity Management 35
  "Do I Know This Already?" Quiz 35 Foundation Topics 38 What Is an Identity? 38 Identity Stores 38 Internal Identity Stores 39 External Identity Stores 41 Active Directory 42 LDAP 42 Two-Factor Authentication 43 One-Time Password Services 44 Smart Cards 45 Certificate Authorities 46 Has the Certificate Expired? 47 Has the Certificate Been Revoked? 48 Exam Preparation Tasks 51 Review All Key Topics 51 Define Key Terms 51
Chapter 4 EAP Over LAN (Also Known As 802.1X) 53
  "Do I Know This Already?" Quiz 53 Foundation Topics 56 Extensible Authentication Protocol 56 EAP over LAN (802.1X) 56 EAP Types 58 Native EAP Types (Nontunneled EAP) 58 Tunneled EAP Types 59 Summary of EAP Authentication Types 62 EAP Authentication Type Identity Store Comparison Chart 62 Network Access Devices 63 Supplicant Options 63 Windows Native Supplicant 64 Cisco AnyConnect NAM Supplicant 75 EAP Chaining 89 Exam Preparation Tasks 90 Review All Key Topics 90 Define Key Terms 90
Chapter 5 Non-802.1X Authentications 93
  "Do I Know This Already?" Quiz 93 Foundation Topics 97 Devices Without a Supplicant 97 MAC Authentication Bypass 98 Web Authentication 100 Local Web Authentication 101 Local Web Authentication with a Centralized Portal 102 Centralized Web Authentication 104 Remote Access Connections 106 Exam Preparation Tasks 107 Review All Key Topics 107 Define Key Terms 107
Chapter 6 Introduction to Advanced Concepts 109
  "Do I Know This Already?" Quiz 109 Foundation Topics 113 Change of Authorization 113 Automating MAC Authentication Bypass 113 Posture Assessments 117 Mobile Device Managers 118 Exam Preparation Tasks 120 Review All Key Topics 120 Define Key Terms 120

Part III Cisco Identity Services Engine
Chapter 7 Cisco Identity Services Engine Architecture 123
  "Do I Know This Already?" Quiz 123 Foundation Topics 127 What Is Cisco ISE? 127 Personas 129 Administration Node 129 Policy Service Node 129 Monitoring and Troubleshooting Node 130 Inline Posture Node 130 Physical or Virtual Appliance 131 ISE Deployment Scenarios 133 Single-Node Deployment 133 Two-Node Deployment 135 Four-Node Deployment 136 Fully Distributed Deployment 137 Communication Between Nodes 138 Exam Preparation Tasks 148 Review All Key Topics 148 Define Key Terms 148
Chapter 8 A Guided Tour of the Cisco ISE Graphical User Interface 151
  "Do I Know This Already?" Quiz 151 Foundation Topics 155 Logging In to ISE 155 Initial Login 155 Administration Dashboard 161 Administration Home Page 162 Server Information 162 Setup Assistant 163 Help 163 Organization of the ISE GUI 164 Operations 165 Authentications 165 Reports 169 Endpoint Protection Service 170 Troubleshoot 171 Policy 173 Authentication 173 Authorization 173 Profiling 174 Posture 175 Client Provisioning 175 Security Group Access 176 Policy Elements 177 Administration 178 System 178 Identity Management 183 Network Resources 186 Web Portal Management 189 Feed Service 191 Type of Policies in ISE 192 Authentication 192 Authorization 193 Profiling 193 Posture 193 Client Provisioning 193 Security Group Access 193 Exam Preparation Tasks 195 Review All Key Topics 195 Define Key Terms 195
Chapter 9 Initial Configuration of Cisco ISE 197
  "Do I Know This Already?" Quiz 197 Foundation Topics 201 Cisco Identity Services Engine Form Factors 201 Bootstrapping Cisco ISE 201 Where Are Certificates Used with the Cisco Identity Services Engine? 204 Self-Signed Certificates 206 CA-Signed Certificates 206 Network Devices 216 Network Device Groups 216 Network Access Devices 217 Local User Identity Groups 218 Local Endpoint Groups 219 Local Users 220 External Identity Stores 220 Active Directory 221 Prerequisites for Joining an Active Directory Domain 221 Joining an Active Directory Domain 222 Certificate Authentication Profile 226 Identity Source Sequences 227 Exam Preparation Tasks 230 Review All Key Topics 230
Chapter 10 Authentication Policies 233
  "Do I Know This Already?" Quiz 233 Foundation Topics 237 The Relationship Between Authentication and Authorization 237 Authentication Policy 237 Goals of an Authentication Policy 238 Goal 1-Accept Only Allowed Protocols 238 Goal 2-Select the Correct Identity Store 238 Goal 3-Validate the Identity 239 Goal 4-Pass the Request to the Authorization Policy 239 Understanding Authentication Policies 239 Conditions 241 Allowed Protocols 243 Extensible Authentication Protocol Types 245 Tunneled EAP Types 245 Identity Store 247 Options 247 Common Authentication Policy Examples 248 Using the Wireless SSID 248 Remote Access VPN 251 Alternative ID Stores Based on EAP Type 253 More on MAB 255 Restore the Authentication Policy 257 Exam Preparation Tasks 258 Review All Key Topics 258
Chapter 11 Authorization Policies 261
  "Do I Know This Already?" Quiz 261 Foundation Topics 265 Authentication Versus Authorization 265 Authorization Policies 265 Goals of Authorization Policies 265 Understanding Authorization Policies 266 Role-specific Authorization Rules 271 Authorization Policy Example 272 Employee Full Access Rule 272 Internet Only for Smart Devices 274 Employee Limited Access Rule 277 Saving Conditions for Reuse 279 Combining AND with OR Operators 281 Exam Preparation Tasks 287 Review All Key Topics 287 Define Key Terms 287

Part IV Implementing Secure Network Access
Chapter 12 Implement Wired and Wireless Authentication 289
  "Do I Know This Already?" Quiz 290 Foundation Topics 293 Authentication Configuration on Wired Switches 293 Global Configuration AAA Commands 293 Global Configuration RADIUS Commands 294 IOS 12.2.X 294 IOS 15.X 295 Both IOS 12.2.X and 15.X 296 Global 802.1X Commands 297 Creating Local Access Control Lists 297 Interface Configuration Settings for All Cisco Switches 298 Configuring Interfaces as Switchports 299 Configuring Flexible Authentication and High Availability 299 Host Mode of the Switchport 302 Configuring Authentication Settings 303 Configuring Authentication Timers 305 Applying the Initial ACL to the Port and Enabling Authentication 305 Authentication Configuration on WLCs 306 Configuring the AAA Servers 306 Adding the RADIUS Authentication Servers 306 Adding the RADIUS Accounting Servers 308 Configuring RADIUS Fallback (High-Availability) 309 Configuring the Airespace ACLs 310 Creating the Web Authentication Redirection ACL 310 Creating the Posture Agent Redirection ACL 313 Creating the Dynamic Interfaces for the Client VLANs 315 Creating the Guest Dynamic Interface 317 Creating the Wireless LANs 318 Creating the Guest WLAN 319 Creating the Corporate SSID 324 Verifying Dot1X and MAB 329 Endpoint Supplicant Verification 329 Network Access Device Verification 329 Verifying Authentications with Cisco Switches 329 Sending Syslog to ISE 332 Verifying Authentications with Cisco WLCs 334 Cisco ISE Verification 336 Live Authentications Log 336 Live Sessions Log 337 Looking Forward 338 Exam Preparation Tasks 339 Review All Key Topics 339 Define Key Terms 339
Chapter 13 Web Authentication 341
  "Do I Know This Already?" Quiz 341 Foundation Topics 345 Web Authentication Scenarios 345 Local Web Authentication 346 Centralized Web Authentication 346 Device Registration WebAuth 349 Configuring Centralized Web Authentication 350 Cisco Switch Configuration 350 Configuring Certificates on the Switch 350 Enabling the Switch HTTP/HTTPS Server 350 Verifying the URL-Redirection ACL 351 Cisco WLC Configuration 352 Validating That MAC Filtering Is Enabled on the WLAN 352 Validating That Radius NAC Is Enabled on the WLAN 352 Validate That the URL-Redirection ACL Is Configured 353 Captive Portal Bypass 354 Configuring ISE for Centralized Web Authentication 355 Configuring MAB for the Authentication 355 Configuring the Web Authentication Identity Source Sequence 356 Configuring a dACL for Pre-WebAuth Authorization 357 Configuring an Authorization Profile 359 Building CWA Authorization Policies 360 Creating the Rule to Redirect to CWA 360 Creating the Rules to Authorize Users Who Authenticate via CWA 361 Creating the Guest Rule 361 Creating the Employee Rule 362 Configuring Device Registration Web Authentication 363 Creating the Endpoint Identity Group 363 Creating the DRW Portal 364 Creating the Authorization Profile 365 Creating the Rule to Redirect to DRW 367 Creating the Rule to Authorize DRW-Registered Endpoints 368 Verifying Centralized Web Authentication 369 Checking the Experience from the Client 369 Checking on ISE 372 Checking the Live Log 372 Checking the Endpoint Identity Group 373 Checking the NAD 374 show Commands on the Wired Switch 374 Viewing the Client Details on the WLC 375 Exam Preparation Tasks 377 Review All Key Topics 377
Chapter 14 Deploying Guest Services 379
  "Do I Know This Already?" Quiz 379 Foundation Topics 383 Guest Services Overview 383 Guest Services and WebAuth 383 Portal Types 384 Configuring the Web Portal Settings 389 Port Numbers 390 Interfaces 391 Friendly Names 391 Configuring the Sponsor Portal Policies 392 Sponsor Types 393 Mapping Groups 396 Guest User Types 398 Managing Guest Portals 398 Portal Types 399 Building Guest Authorization Policies 400 Provisioning Guest Accounts from a Sponsor Portal 416 Individual 416 Random 417 Import 418 Verifying Guest Access on the WLC/Switch 419 WLC 419 Exam Preparation Tasks 439 Review All Key Topics 439 Define Key Terms 439
Chapter 15 Profiling 441
  "Do I Know This Already?" Quiz 441 Foundation Topics 445 ISE Profiler 445 Cisco ISE Probes 447 Probe Configuration 447 DHCP and DHCPSPAN 449 RADIUS 452 Network Scan 453 DNS 454 SNMPQUERY and SNMPTRAP 455 NETFLOW 457 HTTP Probe 457 HTTP Profiling Without Probes 459 Infrastructure Configuration 459 DHCP Helper 459 SPAN Configuration 460 VLAN Access Control Lists 461 Device Sensor 462 VMware Configurations to Allow Promiscuous Mode 463 Profiling Policies 464 Profiler Feed Service 464 Configuring the Profiler Feed Service 465 Verifying the Profiler Feed Service 465 Endpoint Profile Policies 467 Logical Profiles 478 ISE Profiler and CoA 478 Global CoA 479 Per-profile CoA 480 Global Profiler Settings 481 Endpoint Attribute Filtering 482 Profiles in Authorization Policies 482 Endpoint Identity Groups 483 EndPoint Policy 486 Verify Profiling 486 The Dashboard 486 Endpoints Drill-down 487 Global Search 488 Endpoint Identities 489 Device Sensor Show Commands 491 Exam Preparation Tasks 492 Review All Key Topics 492

Part V Advanced Secure Network Access
Chapter 16 Certificate-Based User Authentications 495
  "Do I Know This Already?" Quiz 495 Foundation Topics 499 Certificate Authentication Primer 499 Determine Whether a Trusted Authority Has Signed the Digital Certificate 499 Examine Both the Start and End Dates to Determine Whether the Certificate Has Expired 501 Verify Whether the Certificate Has Been Revoked 502 Validate That the Client Has Provided Proof of Possession 504 A Common Misconception About Active Directory 505 EAP-TLS 506 Configuring ISE for Certificate-Based Authentications 506 Validate Allowed Protocols 507 Certificate Authentication Profile 508 Verify That the Authentication Policy Is Using CAP 509 Authorization Policies 511 Ensuring the Client Certificates Are Trusted 512 Importing the Certificate Authority's Public Certificate 513 Configuring Certificate Status Verification (optional) 515 Verifying Certificate Authentications 516 Exam Preparation Tasks 520 Review All Key Topics 520 Define Key Terms 520
Chapter 17 Bring Your Own Device 523
  "Do I Know This Already?" Quiz 524 Foundation Topics 528 BYOD Challenges 528 Onboarding Process 529 BYOD Onboarding 529 Dual SSID 530 Single SSID 531 Configuring NADs for Onboarding 532 Configuring the WLC for Dual-SSID Onboarding 532 Reviewing the WLAN Configuration 532 Verifying the Required ACLs 535 ISE Configuration for Onboarding 538 The End User Experience 539 Single-SSID with Apple iOS Example 539 Dual SSID with Android Example 549 Unsupported Mobile Device-Blackberry Example 555 Configuring ISE for Onboarding 557 Creating the Native Supplicant Profile 557 Configuring the Client Provisioning Policy 559 Configuring the WebAuth 561 Verifying Default Unavailable Client Provisioning Policy Action 562 Creating the Authorization Profiles 563 Creating the Authorization Rules for Onboarding 565 Creating the Authorization Rules for the EAP-TLS Authentications 566 Configuring SCEP 567 BYOD Onboarding Process Detailed 570 iOS Onboarding Flow 570 Phase 1: Device Registration 570 Phase 2: Device Enrollment 571 Phase 3: Device Provisioning 572 Android Flow 573 Phase 1: Device Registration 573 Phase 2: Download SPW 575 Phase 3: Device Provisioning 576 Windows and Mac OSX Flow 577 Phase 1: Device Registration 578 Phase 2: Device Provisioning 579 Verifying BYOD Flows 581 Live Log 581 Reports 581 Identities 582 MDM Onboarding 583 Integration Points 583 Configuring MDM Integration 584 Configuring MDM Onboarding Rules 586 Creating the Authorization Profile 586 Creating the Authorization Rules 588 Managing Endpoints 590 Self Management 590 Administrative Management 593 The Opposite of BYOD: Identify Corporate Systems 593 Exam Preparation Tasks 595 Review All Key Topics 595 Define Key Terms 595
Chapter 18 TrustSec and MACSec 597
  "Do I Know This Already?" Quiz 597 Foundation Topics 601 Ingress Access Control Challenges 601 VLAN Assignment 601 Ingress Access Control Lists 603 What Is TrustSec? 605 What Is a Security Group Tag? 606 Defining the SGTs 607 Classification 609 Dynamically Assigning SGT via 802.1X 610 Manually Assigning SGT at the Port 611 Manually Binding IP Addresses to SGTs 611 Access Layer Devices That Do Not Support SGTs 612 Mapping a Subnet to an SGT 613 Mapping a VLAN to an SGT 613 Transport: Security Group Exchange Protocol 613 SXP Design 614 Configuring SXP on IOS Devices 615 Configuring SXP on Wireless LAN Controllers 617 Configuring SXP on Cisco ASA 619 Verifying SXP Connections in ASDM 620 Transport: Native Tagging 621 Configuring Native SGT Propagation (Tagging) 622 Configuring SGT Propagation on Cisco IOS Switches 623 Configuring SGT Propagation on a Catalyst 6500 625 Configuring SGT Propagation on a Nexus Series Switch 627 Enforcement 628 SGACL 629 Security Group Firewalls 631 Security Group Firewall on the ASA 632 Security Group Firewall on the ISR and ASR 632 MACSec 632 Downlink MACSec 634 Switch Configuration Modes 636 ISE Configuration 637 Uplink MACSec 638 Manually Configuring Uplink MACSec 638 Verifying the Manual Configuration 640 Exam Preparation Tasks 642 Review All Key Topics 642 Define Key Terms 642
Chapter 19 Posture Assessment 645
  "Do I Know This Already?" Quiz 645 Foundation Topics 648 Posture Service Overview 648 Posture Flow 649 Agent Types 650 Posture Conditions 652 CoA with Posture 654 Configuring Posture 655 Downloading CPP Resources 656 Client Provisioning Policy 657 Posture Policy Building Blocks 658 Condition 659 Remediation 661 Requirement 662 Modifying the Authorization Policy for CPP 663 Modifying the Authorization Policy for Compliance 666 Verifying Posture and Redirect 667 Exam Preparation Tasks 675 Review All Key Topics 675 Define Key Terms 675

Part VI Safely Deploying in the Enterprise
Chapter 20 Deploying Safely 677
  "Do I Know This Already?" Quiz 677 Foundation Topics 680 Why Use a Phased Approach? 680 A Phased Approach 681 Comparing Authentication Open to Standard 802.1X 682 Preparing ISE for a Staged Deployment 683 Monitor Mode 685 Low-Impact Mode 689 Closed Mode 692 Transitioning from Monitor Mode to Your End State 695 Wireless Networks 695 Exam Preparation Tasks 696 Review All Key Topics 696
Chapter 21 ISE Scale and High Availability 699
  "Do I Know This Already?" Quiz 699 Foundation Topics 702 Configuring ISE Nodes in a Distributed Environment 702 Making the First Node a Primary Device 702 Registering an ISE Node to the Deployment 703 Ensuring the Personas of All Nodes Are Accurate 706 Licensing in a Multinode ISE Cube 706 Understanding the HA Options Available 707 Primary and Secondary Nodes 707 Monitoring and Troubleshooting Nodes 707 Policy Administration Nodes 709 Node Groups 710 Using Load Balancers 713 General Guidelines 713 Failure Scenarios 714 IOS Load Balancing 715 Maintaining ISE Deployments 716 Patching ISE 716 Backup and Restore 718 Exam Preparation Tasks 720 Review All Key Topics 720 Define Key Terms 720
Chapter 22 Troubleshooting Tools 723
  "Do I Know This Already?" Quiz 723 Foundation Topics 726 Logging 726 Live Log 726 Live Sessions Log 728 Logging and Remote Logging 729 Logging Targets 729 Logging Categories 730 Debug Logs 731 Downloading Debug Logs from the GUI 732 Viewing Log Files from the CLI 733 Support Bundles 734 Diagnostics Tools 735 Evaluate Configuration Validator 735 RADIUS Authentication Troubleshooting Tool 739 TCP Dump 741 Ensuring Live Log Displays All Events (Bypassing Suppression) 746 Disabling Suppression 747 Troubleshooting Outside of ISE 748 Endpoint Diagnostics 748 AnyConnect Diagnostics and Reporting Tool 748 AnyConnect NAM Extended Logging 751 Microsoft Native Supplicant 752 Supplicant Provisioning Logs 753 Network Device Troubleshooting 753 The Go-To: show authentication session interface 753 Viewing Client Details on the WLC 754 Debug Commands 755 Exam Preparation Tasks 756 Review All Key Topics 756

Part VII Final Preparation
Chapter 23 Final Preparation 759
  Advice About the Exam Event 759 Learning the Question Types Using the Cisco Certification Exam Tutorial 759 Thinking About Your Time Budget Versus Number of Questions 760 A Suggested Time-Check Method 761 Miscellaneous Pre-Exam Suggestions 762 Exam-Day Advice 762 Exam Review 763 Taking Practice Exams 763 Practicing Taking the SISAS Exam 764 Advice on How to Answer Exam Questions 765 Taking Other Practice Exams 766 Finding Knowledge Gaps Through Question Review 767 Other Study Tasks 769 Final Thoughts 770

Part VIII Appendixes
Appendix A Answers to the "Do I Know This Already?" Quizzes 773
Appendix B Configuring the Microsoft CA for BYOD 795
  CA Requirements 795 Other Useful Information 795 Microsoft Hotfixes 796 AD Account Roles 796 Configuration Steps 796 Installing the CA 796 Adding the Remaining Roles 804 Configuring the Certificate Template 809 Publishing the Certificate Template 814 Editing the Registry 816 Useful Links 819
Appendix C Using the Dogtag CA for BYOD 821
  What Is Dogtag, and Why Use It? 821 Prerequisites 821 Installing 32-bit Fedora 15 821 Configuring Networking 823 Installing Packages with yum 825 Configuring Proxy (if Needed) 825 Updating System Packages with yum 826 Installing and Configuring the NTP Service 826 Installing the LDAP Server 827 Installing the PHP Services 828 Installing and Configuring Dogtag 829 Modifying the Firewall Rules (iptables) 830 Creating a New CA Instance 830 Enabling and Configuring SCEP 840 Preparing Apache 841 Configuring ISE to Use the New Dogtag CA 842 Adding Dogtag to the SCEP RA Profiles 843
Appendix D Sample Switch Configurations 845
  Catalyst 2960/3560/3750 Series, 12.2(55)SE 845 Catalyst 3560/3750 Series, 15.0(2)SE 848 Catalyst 4500 Series, IOS-XE 3.3.0/15.1(1)SG 852 Catalyst 6500 Series, 12.2(33)SXJ 856

Glossary 861
Index 868

Originally Published in Indianapolis, IN by Cisco Press, [2015] ©2015
Define Key Terms 642 Chapter 19 Posture Assessment 645 "Do I Know This Already?" Quiz 645 Foundation Topics 648 Posture Service Overview 648 Posture Flow 649 Agent Types 650 Posture Conditions 652 CoA with Posture 654 Configuring Posture 655 Downloading CPP Resources 656 Client Provisioning Policy 657 Posture Policy Building Blocks 658 Condition 659 Remediation 661 Requirement 662 Modifying the Authorization Policy for CPP 663 Modifying the Authorization Policy for Compliance 666 Verifying Posture and Redirect 667 Exam Preparation Tasks 675 Review All Key Topics 675 Define Key Terms 675 Part VI Safely Deploying in the Enterprise Chapter 20 Deploying Safely 677 "Do I Know This Already?" Quiz 677 Foundation Topics 680 Why Use a Phased Approach? 680 A Phased Approach 681 Comparing Authentication Open to Standard 802.1X 682 Preparing ISE for a Staged Deployment 683 Monitor Mode 685 Low-Impact Mode 689 Closed Mode 692 Transitioning from Monitor Mode to Your End State 695 Wireless Networks 695 Exam Preparation Tasks 696 Review All Key Topics 696 Chapter 21 ISE Scale and High Availability 699 "Do I Know This Already?" Quiz 699 Foundation Topics 702 Configuring ISE Nodes in a Distributed Environment 702 Making the First Node a Primary Device 702 Registering an ISE Node to the Deployment 703 Ensuring the Personas of All Nodes Are Accurate 706 Licensing in a Multinode ISE Cube 706 Understanding the HA Options Available 707 Primary and Secondary Nodes 707 Monitoring and Troubleshooting Nodes 707 Policy Administration Nodes 709 Node Groups 710 Using Load Balancers 713 General Guidelines 713 Failure Scenarios 714 IOS Load Balancing 715 Maintaining ISE Deployments 716 Patching ISE 716 Backup and Restore 718 Exam Preparation Tasks 720 Review All Key Topics 720 Define Key Terms 720 Chapter 22 Troubleshooting Tools 723 "Do I Know This Already?" 
Quiz 723 Foundation Topics 726 Logging 726 Live Log 726 Live Sessions Log 728 Logging and Remote Logging 729 Logging Targets 729 Logging Categories 730 Debug Logs 731 Downloading Debug Logs from the GUI 732 Viewing Log Files from the CLI 733 Support Bundles 734 Diagnostics Tools 735 Evaluate Configuration Validator 735 RADIUS Authentication Troubleshooting Tool 739 TCP Dump 741 Ensuring Live Log Displays All Events (Bypassing Suppression) 746 Disabling Suppression 747 Troubleshooting Outside of ISE 748 Endpoint Diagnostics 748 AnyConnect Diagnostics and Reporting Tool 748 AnyConnect NAM Extended Logging 751 Microsoft Native Supplicant 752 Supplicant Provisioning Logs 753 Network Device Troubleshooting 753 The Go-To: show authentication session interface 753 Viewing Client Details on the WLC 754 Debug Commands 755 Exam Preparation Tasks 756 Review All Key Topics 756 Part VII Final Preparation Chapter 23 Final Preparation 759 Advice About the Exam Event 759 Learning the Question Types Using the Cisco Certification Exam Tutorial 759 Thinking About Your Time Budget Versus Number of Questions 760 A Suggested Time-Check Method 761 Miscellaneous Pre-Exam Suggestions 762 Exam-Day Advice 762 Exam Review 763 Taking Practice Exams 763 Practicing Taking the SISAS Exam 764 Advice on How to Answer Exam Questions 765 Taking Other Practice Exams 766 Finding Knowledge Gaps Through Question Review 767 Other Study Tasks 769 Final Thoughts 770 Part VIII Appendixes Appendix A Answers to the "Do I Know This Already?" Quizzes 773 Appendix B Configuring the Microsoft CA for BYOD 795 CA Requirements 795 Other Useful Information 795 Microsoft Hotfixes 796 AD Account Roles 796 Configuration Steps 796 Installing the CA 796 Adding the Remaining Roles 804 Configuring the Certificate Template 809 Publishing the Certificate Template 814 Editing the Registry 816 Useful Links 819 Appendix C Using the Dogtag CA for BYOD 821 What Is Dogtag, and Why Use It? 
821 Prerequisites 821 Installing 32-bit Fedora 15 821 Configuring Networking 823 Installing Packages with yum 825 Configuring Proxy (if Needed) 825 Updating System Packages with yum 826 Installing and Configuring the NTP Service 826 Installing the LDAP Server 827 Installing the PHP Services 828 Installing and Configuring Dogtag 829 Modifying the Firewall Rules (iptables) 830 Creating a New CA Instance 830 Enabling and Configuring SCEP 840 Preparing Apache 841 Configuring ISE to Use the New Dogtag CA 842 Adding Dogtag to the SCEP RA Profiles 843 Appendix D Sample Switch Configurations 845 Catalyst 2960/3560/3750 Series, 12.2(55)SE 845 Catalyst 3560/3750 Series, 15.0(2)SE 848 Catalyst 4500 Series, IOS-XE 3.3.0/15.1(1)SG 852 Catalyst 6500 Series, 12.2(33)SXJ 856 Glossary 861 Index 868



© University of Vavuniya

---