
Join Cisco Identity Services Engine ISE 2.0 training part two after completing part one to continue the course sequence.
Configure and verify Cisco Nexus switch device administration using ISE 2.7, including enabling device admin services, creating device groups and policy sets, defining access profiles, and testing authentication.
Enable Cisco ISE device admin services for the wireless LAN controller, license and configure Active Directory groups, then apply policy sets to grant admins full access and support monitoring.
Configure Cisco IOS switch device administration with ISE 2.7. Enable device admin services, create IOS switch groups, import admin and support AD groups, and define command sets and policies.
Map Active Directory groups to Cisco ISE device administration profiles. Apply command sets and shell profiles to device types with authentication, authorization, and accounting.
Configure FortiGate firewall device administration with Cisco ISE 2.7. Add FortiGate devices, import Fortinet dictionary, create device profiles, and implement authentication and authorization.
Configure and verify a FortiGate firewall for Cisco ISE 2.7 integration, covering basic access, interface settings, TACACS, user groups, admin and support profiles, and AD-backed administration.
Configure and verify Palo Alto firewall device administration in ISE 2.7 by enabling device admin services, creating device groups and profiles, and mapping AD groups to admin and read-only access.
Configure and verify Palo Alto firewall device admin with RADIUS for ISE; update management IP, secure passwords, create RADIUS server and ISE RADIUS profile, and test admin and support access.
Explore guest access in Cisco ISE 2.7, defining temporary external users and isolation from the core network, with three portal options: guest portal, sponsor portal, and self-registration portal.
Explore hotspot guest access in Cisco ISE, where guests connect through a portal with no credentials, accept a policy, optionally enter an access code, and are stored in Cisco's database.
Understand sponsored-guest access in ISE: a sponsor creates a guest account and credentials via the sponsor portal, then the guest logs in through the guest portal to access internet resources.
Self-registered guest access lets visitors create their own guest account via the guest portal by entering details (name, email, phone) and logging in to access the internet without sponsor approval.
Explore the three Cisco ISE guest portals—sponsored, self-registered, and hotspot—and how each portal enables guest access, credential management, and portal customization.
Explain how Cisco ISE uses sponsor portals and sponsor groups to create and manage guest accounts for temporary access, including contractor, daily, and weekly types with expirations.
Configure and verify a wireless LAN controller from scratch, detailing the virtual gateway IP address, management and service interfaces, mobility group, and AP server settings to centrally manage access points.
Register the access point to the wireless local area network controller by activating an evaluation license, then accept the end user license agreement and set the access point count.
Configure RADIUS authentication and accounting on a wireless LAN controller by adding RADIUS servers, setting shared secrets, enabling change of authorization, and applying the configuration.
Configure and verify a WLAN SSID on the wireless LAN controller, enable the management interface, configure WPA/WPA2 security, and use a RADIUS server for authentication and accounting with Active Directory.
Add a wireless LAN controller to Cisco ISE network devices by entering its name, IP address, and type, using the same password and shared secret; optionally enable SNMP and submit.
Configure a policy set in Cisco ISE 2.7 for 802.1X, using wireless conditions such as RADIUS NAS and RADIUS service frame, authenticate via Active Directory, and authorize employees by group.
Connect a physical access point to the EVE-NG lab topology and wireless LAN controller, using a power injector and console setup in the 192.168.x network ranges, for lab integration.
Configure and verify a wireless AP in EVE-NG by using the console to join it to the WLC, check IP configuration, and use static or automatic join.
Configure the Windows native wireless 802.1X client for WPA2-Enterprise by enabling wireless services, creating a profile, and setting user authentication with an Active Directory account.
Enable USB debugging on an Android phone, connect via USB, and use a screen-sharing app to verify wireless connectivity with Cisco Identity Services Engine (ISE) 2.7 and the wireless controller.
Configure and verify hotspot guest access using Cisco ISE 2.7, including RADIUS authentication, guest ACLs, FlexConnect, policy sets, and guest portal redirection.
Demonstrates configuring and testing hotspot guest access with captive portal redirects, certificate handling, policy enforcement, and verification via ISE, ACLs, and logs.
Explore the theory and practical flow of web authentication in Cisco ISE 2.7, including central web authentication, redirects to portals, and change of authorization for guest, BYOD, and employee access.
Configure central web authentication in Cisco ISE 2.7 with a wireless LAN controller, set up authentication, accounting, ACLs, a guest CWA portal, and test self-registration.
Identify and classify network endpoints using profiling in Cisco ISE by collecting attributes with probes, comparing to predefined signatures, and applying policies for authentication, authorization, visibility, and reporting.
Explore profiling probes in Cisco ISE 2.7 that collect endpoint attributes to identify devices and operating systems, and learn how to enable probes including NetFlow, DHCP, DNS, and RADIUS.
Update and verify profiling feed services to keep profiling policies current as new devices appear. Use online or offline updates—manual or scheduled—test connectivity, and notify administrators when updates finish.
Verify profiling services are enabled on every PSN before labs, and ensure a valid license. Learn to check deployments and enable profiling services on each device for proper configuration.
Configure and verify a RADIUS probe in Cisco ISE 2.7 across switches and wireless LAN controller. Validate RADIUS configuration on network devices and enable the probe to profile Windows endpoints.
Enable and verify the DHCP probe in Cisco ISE, configure IP helper addresses on interfaces, and observe DSP and DCP attribute collection from captured packets.
Configure and verify the SNMP probes in Cisco ISE by enabling SNMP probes and traps on PSN, RADIUS, and wireless controllers, then test with keys and restart.
Learn how to create and use logical profiles in Cisco ISE to group devices, including mobile phones, printers, and cameras, and apply policy actions through profiling policies.
Examine key probe attributes for RADIUS authentication, including username, calling station ID, MAC address, NAS IP address, and framed IP address, revealing device identity and network connections.
Explore posture theory in Cisco ISE, assessing endpoint health before network access by checking antivirus, firewall, anti-malware, encryption, and essential services.
Explore posture conditions in Cisco ISE, defining compliant versus non-compliant endpoints and using file, registry, application, service, dictionary, firewall, and compound conditions to enforce security posture.
Learn how posture remediation activates automatic or manual actions by Cisco AnyConnect to restore endpoint health, applying firewall, updates, antivirus, and other remediation tasks.
Define posture requirement by linking posture conditions and remediation actions to a policy, enabling compliance enforcement for operating systems, compliance modules, and agent types.
Define posture policy as a rule-based configuration that groups posture requirements and identity groups to determine compliant versus non-compliant systems in Cisco ISE 2.7, including conditions and remediation plans.
Explore posture provisioning theory, including how client provisioning resources, agent profiles, and OS-specific supplicant configurations enable automatic onboarding of endpoints with Cisco AnyConnect and health checks.
Learn the theory and configuration of access policy in Cisco ISE 2.7, covering authentication and authorization conditions, posture remediation, posture policy, and client provisioning with predefined or custom policy sets.
Define endpoints and posture-based compliance: compliant devices meet all rules and access network resources, noncompliant devices receive minimal privileges or denial, and unknown devices lack posture data.
Explore the theory of Cisco AnyConnect, a security and access agent installed on endpoints to provide VPN access, posture checks, network visibility, and diagnostic and reporting tools through modular components.
Configure and verify a Cisco AnyConnect profile for wireless and wired access using the profile editor, focusing on WPA2-Enterprise, machine and user authentication, and the EAP method.
This course is designed to teach you everything you need to know to get up and running with ISE quickly. It is structured to teach the "how to" of Cisco Identity Services Engine and to give students an understanding of ISE deployment and configuration. In this course you will learn about ISE deployment scenarios, ISE installation and bootstrapping, configuration of authentication and authorization policies, profiling, posture check, admin access and many more.
The Cisco Identity Services Engine (ISE) is your one-stop solution to streamline security policy management and reduce operating costs. With ISE, you can see users and devices controlling access across wired, wireless, and VPN connections to the corporate network.
A critical component of any zero-trust strategy is securing the workplace that everyone and everything connects to. Cisco Identity Services Engine (ISE) enables a dynamic and automated approach to policy enforcement that simplifies the delivery of highly secure network access control. ISE empowers software-defined access and automates network segmentation within IT and OT environments.
Gain visibility with context and control
Know who, what, where, and how endpoints and devices are connecting. Look deep into devices to ensure compliance and limit risk--with or without an agent.
How to deploy and use Cisco Identity Services Engine (ISE) v2.7, an identity and access control policy platform that simplifies the delivery of consistent, highly secure access control across wired, wireless, and VPN connections. This hands-on course provides you with the knowledge and skills to implement and use Cisco ISE, including policy enforcement, profiling services, web authentication and guest access services, BYOD, endpoint compliance services, and TACACS+ device administration. Through expert instruction and hands-on practice, you will learn how to use Cisco ISE to gain visibility into what is happening in your network, streamline security policy management, and contribute to operational efficiency.