ISE Exam Preparation - d2zmdbbm9feqrf.cloudfront.netd2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKCRT-2208.pdf · ISE Exam Preparation ... •The SISAS exam is one of the 4 exams

ISE Exam Preparation

BRKCRT-2208

Rafael Leiva-Ochoa (Education Specialist)

CCIE# 19322

© 2014 Cisco and/or its affiliates. All rights reserved. BRKCRT-2208 Cisco Public

Agenda

• Overview of SISE Security v1.1 and SISAS v1.0 Exam

• Preparing for Exam

• Building an ISE Lab

• Demo Lab

• Lab Ideas

• Quiz

• Q&A

3

Overview of SISE Security v1.1 and SISAS v1.0 Exam


Disclaimer / Warning

5

• This session will strictly adhere to Cisco’s rules of confidentiality

• We may not be able to address specific questions due to the possibly of exposing the test questions.

• If you have taken the exam please refrain from asking questions from the exam. (This is a protection from disqualification from this exam and others)

• We will be available after the session to direct you to resources to assist with specific questions or to provide clarification.


SISE 1.1 Security Requirements

6

• No prior certifications are needed to quality for this exam.

• One exam only SISE - 500-254

• Based on ISE v1.1 code

• Recommended Trainings before taking the SISE exam:

– 802.1x • S802DT1X - 650-472

– SISE - Implementing Cisco Identity Services Engine Secure Solutions v1.1


SISAS 1.0 Security Requirements

7

• The SISAS exam is one of the 4 exams that is required to be CCNP Security

• Based on ISE v1.2 code

• CCNP Security • SISAS 1.0 - 300-208

• SENSS 1.0 - 300-206

• SIMOS 1.0 - 300-209

• SITCS 1.0 - 300-207


500-254 SISE v1.1 Exam

8

• Approximately 60 minute exam

• 60 – 65 questions possible

• Register with Person Vue

– http://www.vue.com/cisco

• Exam cost is $200.00 US

http://www.vue.com/cisco


500-254 (SISE) Implementing and Configuring Cisco Identify Service Engine

1.0 Building a network Design for ISE Platform

Introducing the TrustSec Solution and ISE Platform

Architecture

2.0 Deploying the Cisco Identity Service Engine

Installing the ISE Software

Intergrading the ISE into Microsoft Active Directory

Configuring the ISE for Redundancy and Scaling

3.0 Implementing Classification and Policy Enforcement

Configuring the ISE for MAC Address Bypass (MAB)

Configuring the ISE for wired and wireless 802.1X

authentication

Deploying VPN-based services using the Cisco ASA and Inline

Posturing

Configuring Web Authentication using the ISE

Using the ISE for policy enforcement

4.0 Configuring and verifying Profiling, Posturing, and

Guest Services

Configuring ISE profiling services

Configuring ISE posture services

Configuring ISE guest services

5.0 TrustSec Fundamentals

Introducing TrustSec fundamentals

6.0 Creating a Low-Level Design for the ISE

Creating a high level and low-level design for the ISE


300-208 SISAS v1.0 Exam

10

• Approximately 90 minute exam

• 60 – 75 questions possible

• Register with Person Vue

– http://www.vue.com/cisco

• Exam cost is $200.00 US

http://www.vue.com/cisco


300-208 (SISAS) Implementing Cisco Secure Access Solutions Exam Topics

1.0 Identity Management/Secure Access

Implement Device Administration – AAA, TACACS+, RADIUS,

Describe Identity Management

Implement Wired/Wireless 802.1X

Implement MAB

Implement Network Authorization Enforcement

Implement Central Web Authorization

Implement Profiling

Implement Guest Services

Implement BYOD access

2.0 Threat Defense

Describe SGA Access Control Lists

3.0 Troubleshooting, Monitoring, and Reporting Tools

Troubleshoot identity management solutions

4.0 Threat Defense Architectures

Design secure wireless management solutions

5.0 Identity Management Architectures

Design AAA security solutions

Design Profiling security solution

Design Posturing security solution

Design BYOD security solution

Design Device administration security solutions

Design Guest services security solution


Comparing the SISE 1.1 and SISAS 1.0

12

SISE SISAS

Product Training Focus Technology Focus

Very detailed from start to finish Provides detail on some key topics,

and overview on others

ISE Version 1.1 ISE Version 1.2

Overview on TrustSec More details on TrustSec


Which Exam is Best for Me? SISE v1.1 or SISAS v1.0 Exam?

13

• Questions you should ask your self:

– Do I want to learn the product for Implementation, or how it fits in the security structure?

– Is the CCNP Security what I am after?

– Do I want a full product understanding from start to finish?

Preparing for Exam


Preparing for the SISE v1.1 and SISAS v1.0 Exam

15

• Recommended Training via Cisco Learning Partners

– SISE - Implementing Cisco Identity Services Engine Secure Solutions v1.1

– SISAS – Implementing Cisco Secure Access Solutions v1.0

• Cisco Learning Network

– www.cisco.com/go/learnnetspace

– CCNP Group – learningnetwork.cisco.com/groups/ccnp-security-study-group

• Practical Experience

– Real Equipment

– ISE 90 day Evaluation

– Client and Server Machines on VMware

http://www.cisco.com/go/learnnetspace


Basic Video’s on ISE Solutions


Cisco dot com resources

• No CCO login required to download the command references and configuration guides.

• No need to read these documents cover to cover, but they are essential as reference material during exam preparation.

• ‘Overview’ or ‘Information About’ section very helpful for each of the many topics and features covered on the exams.

• Topics from 300-208 exam that you can locate in the config guides or technotes

Policies Central Web Authentication Guest Posture MACsec Posture etc


ISE Design Guides

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-

implementation-design-guides-list.html

Part 2 of the list


Cisco Identity Services Engine 1.2 User Guide

http://www.cisco.com/c/en/us/td/docs/security/ise/1-

2/user_guide/ise_user_guide.html


Search, search, and search again!

• Many YouTube VODs out on the Internet contain good insight into Cisco ISE technologies. Search beyond CCNP material, for example:

• Not every document out on the Internet is 100% correct, so verify your findings, then share!!!

• Cisco Validated Design documents are a good reference resource.

– These documents provide valuable information into the theory behind different Data Center design fundamental concepts.

“ISE introduction” “802.1X introduction”


Cisco Learning Network – Study Portal


Additional Reading Material

• Cisco ISE for BYOD and Secure Unified Access- (ISBN-10: 1-58714-325-9)

http://www.ciscopress.com/bookstore/product.asp?isbn=1587050234










Forming a Good Study Plan

23

• Break things down

– Form a list of things that are needed to pass the exam, and start the process of learning them • Read about the technology required in the exam.

Try to understand the reasoning behind it. – White Papers “TrustSec”

– Cisco.com Documentation

– Learning@cisco forums

• Labs – Learning Partner Labs

– Example configurations form Cisco.com Documentation

– Create your own to better understand key technologies that are required to pass the exam


ISE Architecture


Time Requirements - Estimate

• Everyone studies at a different levels – set a pace you can commit to. Start with small manageable sections of a particular course.

• Expect approx. 40 - 50 hours of reading per exam to achieve a firm understanding on concepts

• Reading study material and books

• Watching technical VoDs & Webinars

• Plan for min. 20 - 30 hours of hands on lab practice

• Initial Setup, Configuration, Troubleshooting specific devices


Before taking the Exam

26

• Question Styles

– Multiple-choice single answer

– Multiple-choice multiple answer

– Drag-and-drop

– Fill-in-the-blank

– Simulations

– Verification

• Rule out the questions that are rubbish

• Look for the BEST answer when multiple is used

• Narrow down your choices

• Understand the relationship to the device or technology

• MANAGE YOUR TIME!!!!

Building an ISE Lab


What do I need to build a good ISE lab?

28

• A Server or Desktop computer that is running the following Spec’s

– Intel Quad-Core; 2.13 GHz or faster

– 32 GB RAM

– 60 to 600 GB of disk storage (Recommend 600 GB)

– 2 GB NIC interface required (3 NICs are recommended)

– Hypervisor • Supported VMware versions include:

– VMware ESXi 4.x

– VMware ESXi 5.x

• A Cisco Switch that supports MAB, 802.1x, and CWA, and LWA

• ISE ISO image

• Client ISO images (Windows Clients recommended)

• Wireless Dongle (Any Manufacture will do)

• Wireless Controller, and some AP’s

• iPad or iPhone (Not required, but a good bonus)


Supported NADs

Devices Minimum

OS Version MAB 802.1X

Web Auth

Session

CoA VLAN dACL

Secure

Group

Access

Cisco IOS

Sensor MACsec

CWA LWA

Access Switches

Catalyst 3560-E,

ISR EtherSwitch

ES3

IOS v12.2(52)SE X X X X X X X X X X

Catalyst 3560-X IOS v12.2(52)SE X X X X X X X X X X

Catalyst 3750 IOS v12.2(52)SE X X X X X X X X X X

• Complete list: http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/compatibility/ise_sdt.html

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/compatibility/ise_sdt.html







Supported NADs (Cont.)

Devices Minimum

OS Version MAB 802.1X

Web Auth

Session

CoA VLAN dACL

Secure

Group

Access

Cisco IOS

Sensor MACsec

CWA LWA

Wireless

WLAN Controller

(WLC) 2100, 4400

7.0.116.0 X X X X X

WLAN Controller

(WLC) 2500, 5500

7.2.103.0 X X X X X X X X

• Complete list: http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/compatibility/ise_sdt.html








Which Wireless Controller would I recommend?

31

• Cisco 2106, 2504, or a vWLC

• The vWLC supports both CWA, and LWA.

– EVAL supports up to 200 AP’s, but you only need 1 for a lab setup.

– The EVAL is good for 8 weeks, and 3 days.

– How to guild for setting up vWLC • http://www.cisco.com/c/en/us/support/docs/wireless/virtual-wireless-controller/113677-virtual-wlan-dg-00.html

• Recommend AP model: AIR-AP1142N-A-K9, but others will work fine.

http://www.cisco.com/c/en/us/support/docs/wireless/virtual-wireless-controller/113677-virtual-wlan-dg-00.html
















Ideal Lab Setup


More Ideal Lab Setup

ise-2

(10.1.10.21)

ise-1

(10.1.10.20)

ise-psn

(10.1.11.25)

ad1

(10.1.3.10)

ap (DHCP)

W7-PC1

(DHCP)

W7-PC2 (DHCP)

Printer (DHCP)

3k-access

(10.1.1.2)

3k-data

(10.1.1.1)

wlc-1

(10.1.7.10)


Sample Switch Configuration

34

AAA aaa new-model ! ! Creates an 802.1X port-based authentication method list aaa authentication dot1x default group radius ! ! Required for VLAN/ACL assignment aaa authorization network default group radius ! ! Authentication & authorization for webauth transactions aaa authorization auth-proxy default group radius ! ! Enables accounting for 802.1X and MAB authentications aaa accounting dot1x default start-stop group radius ! aaa session-id common ! ! Update AAA accounting periodically every 5 minutes aaa accounting update periodic 5 ! aaa accounting system default start-stop group radius ! ! Configure switch for ISE CoA (Change of Authorization) aaa server radius dynamic-author client 10.1.10.20 server-key cisco

Radius

! Include VSAs in access requests radius-server attribute 6 on-for-login-auth radius-server attribute 8 include-in-access-req radius-server attribute 25 access-request include ! ! Wait 3 x 30 seconds before marking server as dead

radius-server dead-criteria time 30 tries 3 ! ! Use RFC-standard ports (1812/1813)

radius-server host 10.1.10.20. auth-port 1812 acct-port 1813 test username test-radius key 0 cisco !

radius-server vsa send accounting radius-server vsa send authentication ! ! send RADIUS requests from a specific VLAN

ip radius source-interface 100

Dot1x

Interface GigabitEthernet 1/0/x switchport mode access switchport access vlan <data> switchport voice vlan <voice> spanning-tree portfast ip access-group ACL_LOWI in authentication open authentication host-mode authentication periodic authentication event fail action next-method authentication order mab dot1x authentication priority dot1x mab authentication violation restrict mab authentication port-control auto dot1x pae authenticator dot1x timeout tx-period 10


Sample Wireless Controller Setup

35

Demo Lab


My Lab Setup for Demo

ise-1

(10.1.10.110)

ad1

(10.1.3.10)

ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.7.100)

Jump PC

Lab Ideas


Laboratory Equipment Description

Cisco Catalyst 3750 Switch

Cisco 1140N Access Point, and PoE injector, or Power Supply

Cisco UCS Server Running 1, or 2 CPU, and 32 Gigs of RAM, 600GB HDD, and 3 NIC’s

Wireless USB Dongle


Software List Description

Windows 2008 Enterprise Server 64bit

Windows 7 Pro 32bit for 1, or 2 Clients

Cisco ISE 1.1.1 ISO (Cisco.com Download)

Cisco vWLC 7.x OVA (Cisco.com Download)

Cisco AnyConnect NAM Software (Cisco.com Download)

Wireless USB Dongle Driver Software


Labs • Lab 1-1: Lab IP Setup

• Lab 1-2: Setup ISE for Operation

• Lab 1-3: Certificate Operations

• Lab 1-4: Cisco ISE Deployment

• Lab 1-5: GUI Operation

• Lab 1-6: Add NAS Devices to Cisco ISE

• Lab 1-7: Join ISE to AD

• Lab 1-8: Basic Policy Setup 1

• Lab 1-9: Basic Policy Setup 2

• Lab 1-10: Multiple Policy Setup

• Lab 1-11: Guest Services

• Lab 1-12: BYOD

• Lab 1-13: Cisco ISE Profiling

• Lab 1-14: Cisco ISE Posture Setup


Lab 1-1: Lab IP Setup

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)


Lab 1-2: Setup ISE for Operation

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

Interface setup,

NTP, and DB

passwords

Interface setup,

NTP, and DB

passwords

Primary

NTP

Server

Secondary

NTP Server vwlc-1

(10.1.3.100) Deploying the Cisco Identity Service Engine

Installing the ISE Software


Lab 1-3: Certificate Operations

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

Configure for

Certificate

Operation MNT,

and EAP

Configure for

Certificate

Operation MNT,

and EAP

AD

Certificate

Server

vwlc-1

(10.1.3.100) Implementing Classification and Policy Enforcement

Configuring the ISE for wired and wireless 802.1X authentication


Lab 1-4: Cisco ISE Deployment

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

PAN, MnT

PAN, PSN, MnT

vwlc-1

(10.1.3.100) Deploying the Cisco Identity Service Engine

Configuring the ISE for Redundancy and Scaling


Lab 1-5: GUI Operation

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

Understand all

the Options,

and where they

are.

vwlc-1

(10.1.3.100) All Areas


Lab 1-6: Add NAS Devices to Cisco ISE

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Add NAS

Devices that

will do

AuthC/AuthZ,

and Logging

Implementing Classification and Policy Enforcement



Lab 1-7: Join ISE to AD

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Join to AD

AD Server;

Time Sync

Critical with

ISE

Deploying the Cisco Identity Service Engine

Intergrading the ISE into Microsoft Active Directory


Lab 1-8: Basic Policy Setup 1

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Configure

AnyConnect

NAM setup

for EAP-

FAST

AD

Server

Configure One

Basic EAP-

FAST Policy

using AD, and

Internal

Database






Lab 1-9: Basic Policy Setup 2

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Configure

using OS

Native

Supplicate for

EAP-TLS

Disable

AnyConnect

Client on

Windows

Services






Lab 1-10: Multiple Policy Setup

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Configure more

then one policy on

Cisco ISE using

EAP-FAST, and

EAP TLS using

different conditions

you can test on the

W7-PC1

Make Changes to

PC as needed to

match conditions

configured for EAP-

TLS, and EAP-

FAST






Lab 1-11: Guest Services

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Setup CoA, and

other Guest

Services

Requirements

Test Guest Services

using EAP-FAST,

and PEAP

Configure Guest

Services

Setup CoA, and

other Guest

Services

Requirements

Configuring and verifying Profiling, Posturing, and Guest

Services

Configuring ISE guest services


Lab 1-12: BYOD

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Test Provisioning

using configured

SSID on vWLC, and

make sure you get a

certificate.

Configure Client

Provisioning,

and SCEP

setup

Configure

Provisioning SSID.



Configuring Web Authentication using the ISE



Lab 1-13: Cisco ISE Profiling

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Authenticate to ISE,

and see if profiling is

working

Configure HTTP,

NMAP, SNMP,

and Radius

profiling

Configure Profiling

requirements


Services

Configuring ISE profiling services


Lab 1-14: Cisco ISE Posture Setup

ise-2

(10.1.3.120)

ise-1

(10.1.3.110)

ad1

(10.1.3.10) ap (DHCP)

W7-PC1

(DHCP)

3750 SW

vwlc-1

(10.1.3.100)

Test Posturing setup

using Native OS

Supplicate

Configure

Posture setup,

and Download

NAC client for

supported OS

Configure Posture

requirements


Services

Configuring ISE posture services

Quiz


Quiz

57

1. How many personas does the ISE box have?

3

2. What are the names of the ISE personas?

PAN, PSN, MnT

3. 802.1x phase deployment: What is the difference between closed, and low-impact mode?

Low Impact Mode: • Ingress ACL applied to a port configured in open mode

– ACL allows basic connectivity for unauthenticated hosts

– Example: permit DHCP/DNS, and block access to internal resources

• After authentication, dACL is applied to permit appropriate traffic

Closed Mode: • Default behavior, traditional 802.1X method

• Dynamic VLAN or dACL assignment ensures differentiated access


Quiz

58

4. What are the names of the Profiling probes that the ISE box supports? Radius, HTTP, DNS, NetFlow, NMAP, DNS, DHCP, SNMP Query, and SNMP Trap

5. What features in ISE support CoA?

WebAuth(Guest Services), Profiling, Posture

6. 802.1x Authentication Mode: What are the 4 authentication modes

supported on a Cisco Switch?

Single Host mode

Multiple Host mode

Multiple Domain Authentication (MDA) mode

Multiple Authentication mode

End…: (


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

60

https://www.ciscolive.com/online


Other ISE sessions, TrustSec Sessions

• BRKCRS-2891 - Deploying Secure Converged Wired, Wireless Campus

• BRKSEC-3699 - Designing ISE for Scale & High Availability

• BRKEWN-2014 - Deploying Wireless Guest Access

• BRKSEC-3045 - Getting the most out of your BYOD Investment - A Deep Dive of ISEBYOD Policy

61

https://www.ciscolive2014.com/connect/sessionDetail.ww?SESSION_ID=2159
































Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

62

Documents

ISE Exam Preparation - d2zmdbbm9feqrf.cloudfront.netd2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKCRT-2208.pdf · ISE Exam Preparation ... •The SISAS exam is one of the 4 exams