SISE: Implementing and Configuring Cisco Identity Services Engine v2.1

Code: 3972

5 days

List Tuition: $3,995.00 USD

Course Overview

In this course, you will learn about the Cisco Identity Services Engine (ISE)—a next-generation identity and access control policy platform that provides a single policy plane across the entire organization combining multiple services, including authentication, authorization, and accounting (AAA) using 802.1x, MAB, web authentication, posture, profiling, device on-boarding, guest services, and VPN access into a single context-aware identity-based platform. The training provides learners with the knowledge and skills to enforce security compliance for wired and wireless endpoints and enhance infrastructure security using the Cisco ISE.

This course is an intensive hands-on experience. With enhanced hands-on labs, you will cover all facets of Cisco ISE version 2.1. You will learn how to configure fundamental elements of ISE and how to secure identity-based networks using 802.1X for both wired and wireless clients, using Windows 8 and Apple iPad endpoints. You will integrate the Cisco Virtual Wireless LAN Controller (vWLC) with advanced ISE features. You will also learn to use the following advanced features of Cisco ISE: Active Directory Integration, Policy Sets, EasyConnect, EAP-FAST with EAP Chaining, BYOD, AnyConnect 4.x Posture Module for LAN and VPN compliance, Threat Centric NAC using AMP, PxGrid, TACACS+ Device Management, and TrustSec Security Group Access.

Who Should Attend

  • Consulting systems engineers
  • Technical solutions architects
  • Integrators who install and implement the Cisco ISE version 2.1
  • End users (Cisco customers) desiring the knowledge to install, configure, and deploy Cisco ISE 2.1
  • Cisco channel partners and field engineers who need to meet the educational requirements to attain Authorized Technology Partner (ATP) authorization to sell and support the ISE product

What You'll Learn

  • ISE deployment options including node types, personas, and licensing
  • Install certificates into ISE using a Windows 2012 Certificate Authority (CA)
  • Configure the Local and Active Directory Based Identity Store and use of Identity Source Sequences
  • Configure AAA clients and network device groups
  • Implement Policy Sets to streamline Authentication and Authorization in the organization
  • Deploy EasyConnect as an alternative to 802.1X port based authentication
  • Implement 802.1X for wired and wireless networks using the AnyConnect 4.x NAM module, the latest dot1x commands on a Catalyst switch, and version 7.4 of the vWLC
  • Configure policies to allow MAC Authentication Bypass (MAB) of endpoints
  • Use central web authentication (CWA) for redirection of legitimate domain users who need to register devices on the network using MAC addresses (device registration)
  • Configure hotspot guest access, self-registration guest access, and sponsored guest access
  • Configure profiler services in ISE and use newer probes available in IOS switch code 15.x as well as vWLC 7.4 code
  • Work with Profiling feeds, logical profiles, and building profiling conditions to match network endpoints
  • Configure posture assessments using the new Cisco AnyConnect Secure Mobility 4.x posture module
  • Implement Threat Centric NAC using Cisco AMP for Endpoint and Adaptive Network Control (ANC)
  • Integrate the Cisco WSA with Cisco ISE using PxGrid technology to share contextual information about authenticated users
  • Configure Cisco ISE as a TACACS+ Server for Device Administration with Command Authorization
  • Configure Cisco ISE to integrate with a 5500-X ASA and a Catalyst Switch for TrustSec and implement end-to-end Security Group Tagging (SGT) and Security Group Access Control (SGACL)
  • Integrate Cisco ISE with MobileIron for Mobile Device Management (MDM)
  • Configure a high availability distributed deployment
  • Third Party Network Access Device Support
  • Maintenance, best practices, and logging

Module 1: Introducing Cisco ISE Architecture and Deployment

Lesson 1: Using Cisco ISE as a Network Access Policy Engine

  • Cisco Identity Services Overview
  • Cisco Identity Solution Benefits
  • The Attack Continuum
  • Controlling Access to the Network
  • Security Challenges for IT Organizations
  • Centralized Policy Management
  • Cisco Identity Solution Guest Use Case
  • Cisco Identity Solution BYOD Use Case
  • Cisco Identity Solution Profiling Use Case
  • Cisco Identity Solution Compliance Use Case
  • Cisco Identity Solution Security Group Access Use Case
  • Introducing the Components of a Cisco ISE Deployment
  • Secure Access Control
  • Describing Cisco ISE Functions
  • Summary

Lesson 2: Introducing Cisco ISE Deployment Models

  • Introducing the Components of an ISE Deployment
  • Cisco ISE Nodes and Personas
  • Implementing Nodes, Personas, and Roles
  • Admin Node
  • Policy Service Node
  • Monitoring Node
  • pxGrid Services
  • Collector Agent
  • Policy Synchronization
  • Deployment Options
  • Cisco ISE Communication Model
  • Introducing Context Visibility
  • Context Visibility Benefits
  • Context Visibility Wizard
  • Streamline Visibility Wizard
  • Summary
  • Lab 1: Configure Initial Cisco ISE setup, GUI Familiarization, system certificate usage
    • Task 1: Verify Cisco ISE setup using CLI
    • Task 2: Initial GUI login and Familiarization
    • Task 3: Disable Profiling
    • Task 4: Certificate enrollment

Module 2: Cisco ISE Policy Enforcement

Lesson 1: Introducing 802.1X and MAB Access: Wired and Wireless

  • IEEE 802.1X Primer
  • MAC Authentication Bypass
  • Overview: Configure 802.1X and MAB
  • Summary
  • Lab 2: Integrate Cisco ISE with Active Directory
    • Task 1: Configure Active Directory Integration
    • Task 2: Configure LDAP Integration

Lesson 2: Introducing Identity Management

  • Identity Sources Overview
  • Internal Identity Sources
  • External Identity Sources
  • Multi-AD Overview and Configuration
  • Lightweight Directory Access Protocol
  • SAMLv2
  • Identity Source Sequence
  • Summary

Lesson 3: Configuring Certificate Services

  • Certificate Overview and Implementation
  • Certification Authority Services
  • Summary

Lesson 4: Introducing Cisco ISE Policy

  • Authentication and Authorization Process
  • Dictionaries, Identity Sources, and ISSs
  • Authentication and Its Components
  • Authorization and Its Components
  • Exception Policies and Policy Sets
  • Sessions in Cisco ISE
  • Summary
  • Lab 3: Configure Basic Policy on Cisco ISE
    • Task 1: Policy Configuration for AD Employees and AD Contractors
    • Task 2: Client Access – Wired
    • Task 3: Client Access – Wireless
    • Task 4: Network visibility with Context Visibility

Lesson 5: Configuring Cisco ISE Policy Sets

  • Cisco ISE Policy Sets Overview
  • Global versus Local Exception Processing
  • Lab 4: Configure Conversion to Policy Sets
    • Task 1: Convert to Policy Set
    • Task 2: Create Wired and Wireless Policy Sets
    • Task 3: Creating a Global Exception
    • Task 4: Testing Client Access Using Policy Sets

Lesson 6: Implementing Third-Party Network Access Device Support

  • Third-Party NAD Support: Features and Workflows
  • Summary

Lesson 7: Introducing Cisco TrustSec

  • Introducing Cisco TrustSec

Lesson 8: Introducing EasyConnect

  • Easy Connect Overview
  • EasyConnect Modes and Flows
  • EasyConnect Configuration
  • Summary
  • Lab 5: Configure Access Policy for Easy Connect
    • Task 1: Configure Cisco ISE to Support Easy Connect
    • Task 2: Create Easy Connect Policy Sets
    • Task 3: Test the Easy Connect Connection

Module 3: Web Auth and Guest Services

Lesson 1: Introducing Web Access with Cisco ISE

  • Web Authentication Overview
  • ISE Web Authentication Configuration Overview
  • Web Authentication Verification Overview
  • Summary
  • Lab 6: Configure Guest Access
    • Task 1: Configure Guest Settings.
    • Task 2: Configure Guest Locations.

Lesson 2: Introducing ISE Guest Access Components

  • Guest Access Services Overview
  • Summary

Lesson 3: Configuring Guest Access Settings

  • Review Guest Access Settings
  • Guest Types Overview
  • Summary
  • Lab 7: Configure Guest Access Operations
    • Task 1: Configure Cisco ISE guest access with a hotspot portal.
    • Task 2: Configure Cisco ISE guest access for guest self-registration. (Optional)
    • Task 3: Enable self-registration with sponsor approval.
    • Task 4: Create the accounts as a sponsor (Optional).
    • Task 5: Perform guest account management via the sponsor portal.

Lesson 4: Configuring Portals: Sponsors and Guests

  • Cisco ISE Sponsor Components and Configuration
  • Lab 8: Create Guest Reports
    • Task 1: Running Reports from Cisco ISE Dashboard

Module 4: Cisco ISE Profiler

Lesson 1: Introducing Cisco ISE Profiler

  • Introduction to the Profiler Service
  • Cisco ISE Probes
  • Profiling Policies
  • Summary

Lesson 2: Configuring Cisco ISE Profiling

  • Configure Profiling on Cisco ISE Overview
  • Prepare for Profiling
  • Enable the Profiling Service
  • Profiling Probe Configuration
  • Configuring the Profiler Feed Service
  • Profiling Settings
  • Define Profiling Parameters
  • Configure Profile Policies and Logical Profiles
  • NMAP Scan Actions
  • Go Live and Monitor
  • Summary
  • Lab 9: Configure Profiling
    • Task 1: Configuring Profiling in Cisco ISE
    • Task 2: Configure the Feed Service
    • Task 3: Configuring Profiling in Cisco ISE
    • Task 4: NAD Configuration for Profiling
  • Lab 10: Customize the Cisco ISE Profiling Configuration
    • Task 1: Examine Endpoint Data
    • Task 2: Create a Logical Profile
    • Task 3: Creating a New Authorization Policy Using a Logical Profile
    • Task 4: Create a Custom Profile Policy
    • Task 5: Testing Authorization Policies with Profiling Data
  • Lab 11: Create Cisco ISE Profiling Reports
    • Task 1: Run Cisco ISE Profiler Feed Reports
    • Task 2: Endpoint Profile Changes Report
    • Task 3: Context Visibility Dashlet Reports

Module 5: Cisco ISE BYOD

Lesson 1: Introducing the Cisco ISE BYOD Process

  • BYOD Problem and Solutions
  • BYOD Design

Lesson 2: Describing BYOD Flow

  • Summary

Lesson 3: Configuring My Devices Portal Settings

  • My Devices Portal Configuration
  • My Devices Portal End-User Experience

Lesson 4: Configuring Certificates in BYOD Scenarios

  • Local ISE CA Server and Local Certificates
  • Cisco ISE Certificates Set Up Walk-through
  • Lab 12: Configure BYOD
    • Task 1: Portal Provisioning
    • Task 2: Provisioning Configuration
    • Task 3: Configuring Policy
    • Task 4: Employee iPad Registration
  • Lab 13: Blacklisting a Device
    • Task 1: Blacklisting a Device
    • Task 2: Lost Access Verification.
    • Task 3: Endpoint Record Observations
    • Task 4: UnBlacklist the Device
    • Task 5: Verify Access Capability
    • Task 6: Blacklisting a Stolen Device

Module 6: Cisco ISE Endpoint Compliance Services

Lesson 1: Introducing Endpoint Compliance

  • Endpoint Compliance
  • Posture Service
  • Posture Conditions
  • Compliance Module
  • Posture Flow
  • Cisco ISE Posture Agents
  • Posture Operational Modes
  • Posture Service Deployment and Licensing
  • Summary
  • Lab 14: Configure Compliance Services on Cisco ISE
    • Task 1: Posture Preparation
    • Task 2: Authorization Profiles
    • Task 3: Adjusting Authorization Policy for Compliance

Lesson 2: Configuring Client Posture Services and Provisioning in Cisco ISE

  • Client Provisioning
  • Posture Configuration Procedure
  • Prepare
  • Client Provisioning Resources
  • Posture General Settings
  • Posture Policy
  • Client Provisioning Portal
  • Client Provisioning Policy
  • Additional Configuration Tasks
  • Summary
  • Lab 15: Configure Client Provisioning
    • Task 1: Client Updates
    • Task 2: Client Resources
    • Task 3: Client Provisioning Policies
  • Lab 16: Configure Posture Policies
    • Task 1: Configure Posture Conditions
    • Task 2: Configuring Posture Remediation
    • Task 3: Configuring Posture Requirements
    • Task 4: Configuring Posture Policies
  • Lab 17: Test and Monitor Compliance Based Access
    • Task 1: AnyConnect Unified Agent Access
    • Task 2: Web Agent Access (Optional)
  • Lab 18: Test Compliance Policy
    • Task 1: Configure a Faulty Policy
    • Task 2: Use Posture Reports for Troubleshooting
    • Task 3: Using the Posture Troubleshooter
    • Task 4: Policy Correction and Testing

Module 7: Cisco ISE with AMP and VPN-Based Services

Lesson 1: Introducing VPN Access Using Cisco ISE

  • AAA – External Authentication
  • Using Cisco ASA for VPN Authentication
  • VPN Access Configuration Overview
  • Summary
  • Lab 19: Configure Cisco ISE for VPN Access
    • Task 1: Preparing the Lab
    • Task 2: Testing VPN Client Access

Lesson 2: Configuring Cisco AMP for ISE

  • Threat Centric NAC Overview
  • Threat Centric NAC Configuration
  • Summary
  • Lab 20: Configure Threat-Centric NAC using Cisco AMP
    • Task 1: Configuring the Cisco AMP Cloud
    • Task 2: Configuring Posture Policies and Conditions
    • Task 3: Configuring Posture, AMP and AnyConnect Profiles
    • Task 4: Enabling and Provisioning TC-NAC Services
    • Task 5: Verify Provisioning of AMP for Endpoints (Optional)

Module 8: Cisco ISE Integrated Solutions with APIs

Lesson 1: Introducing Location-Based Authorization

  • Introducing Location-Based Authorization

Lesson 2: Introducing Cisco ISE 2.x pxGrid

  • pxGrid Framework
  • pxGrid on Cisco ISE
  • Setting Up the Topic
  • Use Case: pxGrid for Rapid Threat Detection
  • Lab 21: Configure Cisco ISE pxGrid and Cisco WSA Integration
    • Task 1: Configuring Cisco ISE System Certificates for REST and pxGrid
    • Task 2: Preparing the Cisco WSA
    • Task 3: Configuring Security Groups, Authorization Policy, and Enabling pxGrid on ISE
    • Task 4: Enabling pxGrid on WSA
    • Task 5: WSA Identity and Access Policies (Optional)
    • Task 6: Testing Corporate PC (Optional)

Module 9: Working with Network Access Devices

Lesson 1: Configuring TACACS+ for Cisco ISE Device Administration

  • Review TACACS+
  • Cisco ISE TACACS+ Device Administration
  • Configure TACACS Device Administration
  • TACACS Device Administration Guidelines and Best Practices
  • Migrating from Cisco ACS to Cisco ISE
  • Summary
  • Lab 22: Configure Cisco ISE for Basic Device Administration
    • Task 1: Policy Configuration for AD Employees and AD Contractors
  • Lab 23: Configure TACACS+ Command Authorization
    • Task 1: Configure Command Sets
    • Task 2: TACACS+ Features

Module 10: Cisco ISE Design (Self-Study)

Lesson 1: Designing and Deployment Best Practices

  • Cisco ISE Planning and Pre-deployment
  • Cisco ISE Sizing and Scaling Practices

Lesson 2: Performing Cisco ISE Installation and Configuration Best Practices

  • Cisco ISE Deployment Best Practices
  • ISE Certificates Best Practices
  • ISE Profiling Best Practices
  • Web Portals Best Practices
  • Logging and Troubleshooting Best Practices

Lesson 3: Deploying Failover and High-Availability

  • PSN HA or Load Sharing
  • Deploying Monitoring Personas
  • Preparing the Network Infrastructure

Module 11: Configuring Third Party NAD Support


Lesson 1: Configuring Third-Party NAD Support (Optional, Self-Study, or Reference)

  • Configuring Third-Party NAD Support
  • Summary