Cisco ISE Training

Course Overview

In this course, you will learn about the Cisco Identity Services Engine (ISE) a next-generation identity and access control policy platform that provides a single policy plane across the entire organization combining multiple services, including authentication, authorization, and accounting (AAA) using 802.1x and MAB. The training provides learners with the knowledge and skills to implement 802.1X and MAB for wired and wireless endpoints. The class focuses on configuring Network Access Devices (IOS switches, and Wireless Lan Controllers) with commands necessary for ISE integration. The class also covers configuration of endpoints to use the native Microsoft supplicant with PEAP and EAP-TLS, as well as the Cisco NAM supplicant with EAP-FAST. Time is taken to explore Microsoft Active Directory group policy for endpoint configuration, and to cover integration of an enterprise CA for certificate based authentication.

This course is an intensive hands-on experience. With enhanced hands-on labs, you will setup and patch an ISE node, and use and enterprise CA to configure certificate services for use in a distributed deployment. You will integrate ISE with Active Directory and configure Group Policy to automatically enroll endpoints with an enterprise CA for TLS based authentication. You will configure and test AAA and 802.1X on an IOS switch using classical commands to integrate with ISE. You will migrate and test an IOS switch configuration to use the new-mode IBNS 2.0 Cisco Common Classification Policy Language (C3PL). You will configure and test a Cisco Wireless LAN Controller (WLC) with advanced ISE features. The class also covers the new ISE 2.3 conditions studio and its use in Policy Sets for Authentication/Authorization rules, Profiling of endpoints on the network, and Device Administration using TACACS+.

What will I Learn?

  • Implement Best Practices for Designing and Deploying a Distributed Cisco ISE Solution
  • Install certificates into ISE using a Windows 2012 Certificate Authority (CA)
  • Configure the Local and Active Directory Based Identity Store and use of Identity Source Sequences
  • Implement Best Practices for configuring a Cisco IOS Switch for use with ISE
  • Migrate an existing Cisco IOS Switch configuration to New-Mode Cisco Common Classification Policy Language (C3PL)
  • Implement Best Practices for configuring a Cisco Wireless LAN Controller (WLC) for use with ISE
  • Configure Policy Sets and Network Access Devices in ISE
  • Implement & Test 802.1X in ISE for wired PEAP, EAP-FAST & EAP-TLS Supplicants
  • Implement & Test 802.1X in ISE for wireless EAP-FAST & EAP-TLS Supplicants
  • Implement & Test MAC Authentication Bypass (MAB) in ISE for wired and wireless endpoints
  • Turn on Endpoint Profiling and use it to identify popular endpoints such as Windows and Apple iOS devices.
  • Implement TACACS+ for Switch and WLC Device Administration

Course Outline

  • Cisco ISE Features Overview
  • PKI in an ISE deployment
  • Cisco ISE Deployment Models
  • Configuring Cisco ISE Internal Identity Sources
  • Configuring Cisco ISE External Identity Sources
  • Configuring Endpoints for Certificate Based Authentication
  • Registering Network Access Devices in Cisco ISE
  • Working with ISE Dictionaries
  • Configuring Cisco ISE Policy Sets
  • Using the Cisco ISE Conditions Studio to Configure Policy Elements
  • Creating Downloadable ACLs and Authorization Profiles
  • Configuring Authentication Policy Rules including Identity Source and Allowed Protocols
  • Configuring Authorization Policy Rules including conditions and authorization profiles
  • Overview of 802.1X Including Commonly implemented Extensible Authentication Protocols (EAPs)
  • Configuring a Cisco IOS Switch using Identity-Based Network Services (IBNS) commands for integration with ISE including
  • Configure & Test 802.1x supplicant parameters on a wired endpoint using PEAP and EAP-TLS
  • Migrating to IBNS 2.0 Cisco Common Classification Policy Language (C3PL) commands on a Cisco Switch
  • Configure & Test 802.1x supplicant parameters on a wired endpoint using EAP-FAST
  • Configuring a Cisco WLC for integration with ISE from the WLC CLI and GUI
  • Configure & Test 802.1x supplicant parameters on a wireless endpoint using EAP-FAST & EAP-TLS
  • Implement & Test MAC Authentication Bypass in ISE for non-supplicant Endpoints
  • Configuring Profiler Probes
  • Working with the Profiler Feed Service
  • Implementing Profiler Policy and Identity Groups
  • Using Profiler Logical Profiles
  • Configuring TACACS Policy Sets
  • Working with Identity Sources for Authentication
  • Configuring Shell Profiles & Command Sets for Authorization
  • Performing Wired and Wireless Device Administration

Lab Outline

  • Lab01 – Setup an ISE Node and Configure Certificates
  • Lab02 – Register an ISE Node in a Distributed Deployment
  • Lab03 – Integrate ISE with Active Directory
  • Lab04 – Configure Endpoints for Certificate Based Authentication
  • Lab05 – Register NADs and Configure ISE Policy
  • Lab06 – Configure an IOS Switch and Test Wired PEAP and EAP-TLS
  • Lab07 – Migrate a Switch to IBNS 2.0 (C3PL) and Test Wired EAP-FAST
  • Lab08 – Configure a WLC and Test Wireless EAP-FAST
  • Lab09 – Implement MAC Authentication Bypass (MAB)
  • Lab10 – Configure and Test Endpoint Profiling
  • Lab11 – Implement TACACS+ for Switches and WLCs

Who should attend

  • Consulting systems engineers
  • Technical solutions architects
  • Integrators who install and implement the Cisco ISE version 2.3
  • End users (Cisco customers) desiring the knowledge to install, configure, and deploy Cisco ISE 2.3
  • Cisco channel partners and field engineers who need to meet the educational requirements to attain Authorized Technology Partner (ATP) authorization to sell and support the ISE product

Prerequisites

The learner is expected to have the following skills and knowledge before attending this course:

  • CCNA Security or equivalent level of experience with Cisco devices
  • Foundation-level wireless knowledge and skills
  • Familiarity with Microsoft Windows and Microsoft Active Directory
  • Familiarity with 802.1X
  • Familiarity with Cisco ASA
  • Familiarity with Cisco AnyConnect Secure Mobility Client
Enquire Now