CCNP Security

Identity Management
SISE 300-715
Official Cert Guide
Enhance Your Exam Preparation

Save 80% on Premium Edition eBook

and Practice Test
The CCNP Security Identity Management SISE 300-715
Official Cert Guide Premium Edition and Practice Test
provides three eBook files (PDF, EPUB, and MOBI/Kindle)
to read on your preferred device and an enhanced edition
of the Pearson Test Prep practice test software. You also
receive two additional practice exams with links for every
question mapped to the PDF eBook.

See the card insert in the back of the book for your Pearson
 CCNP Security Identity Management SISE
300-715 Official Cert Guide

Table of Contents

Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Introduction
Part I: Authentication, Authorization, and Accounting
Chapter 1 Fundamentals of AAA
Do I Know This Already? Quiz
Foundation Topics
Comparing and Selecting AAA Options
Device Administration AAA
Network Access AAA

TACACS+
TACACS+ Authentication Messages
TACACS+ Authorization and Accounting Messages

RADIUS
AV Pairs
Change of Authorization (CoA)

Comparing RADIUS and TACACS+

Exam Preparation Tasks
Review All Key Topics
Define Key Terms
 Table of Contents
Q&A
Chapter 2 Identity Management
Do I Know This Already? Quiz
Foundation Topics
What Is an Identity?
Identity Stores
Internal Identity Stores
Internal User Identities
User Identity Groups
Endpoint Groups
External Identity Stores
Active Directory
LDAP
Multifactor Authentication
One-Time Password (OTP) Services
Smart Cards
Certificate Authorities
Has the Digital Certificate Been Signed by a Trusted CA?
Has the Certificate Expired?
Has the Certificate Been Revoked?

Identity Source Sequences

Special Identity Sources
SAML IdPs
Social Login

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A
Chapter 3 Extensible Authentication Protocol (EAP) over LAN: 802.1X
Do I Know This Already? Quiz
Foundation Topics
 Table of Contents
Extensible Authentication Protocol
EAP over LAN (802.1X)
EAP Types
Native EAP Types (Non-Tunneled EAP)
Tunneled EAP Types
All Tunneled EAP Types
EAP Authentication Type Identity Store Comparison
Network Access Devices

Supplicant Options
Windows Native Supplicant
User Authentication
Machine Authentication (Computer Authentication)
Cisco AnyConnect NAM Supplicant
Client Policy
Authentication Policy
Networks
Network Groups
Implementing AnyConnect NAM Profiles
EAP Chaining

Exam Preparation Topics

Review All Key Topics
Define Key Terms
Q&A
Chapter 4 Non-802.1X Authentication
Do I Know This Already? Quiz
Foundation Topics
Devices Without a Supplicant
MAC Authentication Bypass
Web Authentication
Local Web Authentication
Local Web Authentication with a Centralized Portal
Centralized Web Authentication
 Table of Contents
Centralized Web Authentication with Third-Party Network Device Support

Remote-Access Connections
EasyConnect
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Q&A
Chapter 5 Introduction to Advanced Concepts
Do I Know This Already? Quiz
Foundation Topics
Change of Authorization
Automating MAC Authentication Bypass (MAB)
Posture Assessment
Mobile Device Management (MDM)
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Q&A

Part II: Cisco Identity Services Engine

Chapter 6 Cisco Identity Services Engine Architecture
Do I Know This Already? Quiz
Foundation Topics
What Is Cisco ISE?
Personas
Administration Persona
Monitoring Persona
Policy Services Persona
pxGrid Persona

Physical or Virtual Appliances

ISE Deployment Scenarios
 Table of Contents
Single-Node Deployment
Two-Node Deployment
Distributed Deployments

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A
Chapter 7 A Guided Tour of the Cisco ISE Graphical User Interface (GUI)
Do I Know This Already? Quiz
Foundation Topics
Logging in to ISE
Initial Login
ISE Home Dashboards
Administration Portal
Global Search for Endpoints
Help Menu
ISE Setup Wizards
Settings Menu

Organization of the ISE GUI

Context Visibility
Operations
RADIUS
Threat-Centric NAC Live Logs
TACACS Live Log
Troubleshoot
Adaptive Network Control
Reports
Policy
Policy Sets
Profiling
Posture
Client Provisioning
 Table of Contents
Policy Elements
Administration
System
Identity Management
Network Resources
Device Portal Management
pxGrid Services
Feed Service
Threat Centric NAC
Work Centers

Types of Policies in ISE

Authentication
Authorization
Profiling
Posture
Client Provisioning
TrustSec

Exam Preparation Tasks

Review All Key Topics
Define Key Term
Q&A
Chapter 8 Initial Configuration of Cisco ISE
Do I Know This Already? Quiz
Foundation Topics
Cisco Identity Services Engine Form Factors
Bootstrapping Cisco ISE
Where Are Certificates Used with Cisco Identity Services Engine?
Self-Signed Certificates
CA-Signed Certificates

Network Devices
Network Device Groups
Network Access Devices
 Table of Contents

ISE Identity Stores

Local User Identity Groups
Local Endpoint Groups
Local Users
External Identity Stores
Active Directory
Prerequisites for Joining an Active Directory Domain
Joining an Active Directory Domain
Certificate Authentication Profile (CAP)
Identity Source Sequences

Exam Preparation Topics

Review All Key Topics
Define Key Terms
Q&A
Chapter 9 Authentication Policies
Do I Know This Already? Quiz
Foundation Topics
The Relationship Between Authentication and Authorization
Authentication Policy
Goal 1: Accept Only Allowed Protocols
Goal 2: Select the Correct Identity Store
Goal 3: Validate the Identity
Goal 4: Pass the Request to the Authorization Policy

Understanding Policy Sets

Allowed Protocols

Understanding Authentication Policies

Conditions
Identity Store
Options

Common Authentication Policy Examples

Using the Wireless SSID
Remote Access VPN
 Table of Contents
Alternative ID Stores Based on EAP Type

More on MAB
Restore the Authentication Policy
Exam Preparation Tasks
Review All Key Topics
Q&A
Chapter 10 Authorization Policies
Do I Know This Already? Quiz
Foundation Topics
Authentication Versus Authorization
Authorization Policies
Goals of Authorization Policies
Understanding Authorization Policies
Role-Specific Authorization Rules
Authorization Policy Example
Employee Full Access Rule
Internet Only for Smart Devices Rule
Employee Limited Access Rule

Saving Conditions for Reuse

Combining AND with OR Operators

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A

Part III: Implementing Secure Network Access

Chapter 11 Implement Wired and Wireless Authentication
Do I Know This Already? Quiz
Foundation Topics
Authentication Configuration on Wired Switches
Global Configuration AAA Commands
 Table of Contents
Global Configuration RADIUS Commands
IOS 12.2.x
IOS 15.x and IOS XE
IOS 12.2.x, 15.x, and IOS XE
Global 802.1X Commands
Device Tracking in IOS XE 16.x and Later
Creating Local Access Control Lists
Interface Configuration Settings for All Cisco Switches
Configure Interfaces as Switch Ports
Configure Flexible Authentication and High Availability
Host Mode of the Switch Port
Configure Authentication Settings
Configure Authentication Timers
Apply the Initial ACL to the Port and Enable Authentication

Authentication Configuration on WLCs

Configure the AAA Servers
Add the RADIUS Authentication Servers
Add the RADIUS Accounting Servers
Configure RADIUS Fallback (High Availability)
Configure the Airespace ACLs
Create the Web Authentication Redirection ACL
Add Google URLs for ACL Bypass
Create the Posture Agent Redirection ACL
Create the Dynamic Interfaces for the Client VLANs
Create the Employee Dynamic Interface
Create the Guest Dynamic Interface
Create the Wireless LANs
Create the Guest WLAN
Create the Corporate WLAN

Verifying Dot1x and MAB

Endpoint Supplicant Verification
Network Access Device Verification
Verifying Authentications with Cisco Switches
 Table of Contents
Sending Syslog to ISE
Verifying Authentications with Cisco WLCs
Cisco ISE Verification
RADIUS Live Log

Live Sessions
Looking Forward
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Q&A
Chapter 12 Web Authentication
Do I Know This Already? Quiz
Foundation Topics
Web Authentication Scenarios
Local Web Authentication (LWA)
Centralized Web Authentication (CWA)

Configuring Centralized Web Authentication

Cisco Switch Configuration
Configure Certificates on the Switch
Enable the Switch HTTP/HTTPS Server
Verify the URL-Redirect ACL
Cisco WLC Configuration
Validate That MAC Filtering Is Enabled on the WLAN
Validate That ISE NAC Is Enabled on the WLAN
Validate That the URL-Redirection ACL Is Configured
Configure ISE for Centralized Web Authentication
Configure MAB Continue for the Authentication
Verify the Web Authentication Identity Source Sequence
Configure a dACL for Pre-WebAuth Authorization
Configure an Authorization Profile

Building CWA Authorization Policies

Create the Rule to Redirect Users to the CWA Portal
 Table of Contents
Create the Rules to Authorize Users Who Authenticate via CWA

Verifying Centralized Web Authentication

Check the Experience from the Client
Verify CWA Through the ISE UI
Check Live Log
Check the NAD
show Commands on the Wired Switch
Viewing the Client Details on the WLC

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A
Chapter 13 Guest Services
Do I Know This Already? Quiz
Foundation Topics
Guest Services Overview
Portals, Portals, and More Portals!
Guest Portal Types
Hotspot Guest Portal
Self-Registered Guest Portal
Sponsored Guest Portal
Guest Types
Contractor
Daily
Weekly
Social
Guest Portals and Authorization Policy Rules

Configuring Guest Portals and Authorization Rules

Configuring a Hotspot Guest Portal
Portal Behavior and Flow Settings
Portal Page Customization
Authorization Rule Configuration
 Table of Contents
Configuring a Self-Registered Guest Portal
Portal Settings
Login Page Settings
Registration Form Settings
Self-Registration Success
Guest Change Password Settings and Guest Device Registration Settings
BYOD Settings
Guest Device Compliance Settings
Authorization Rule Configuration
Configuring a Sponsored Guest Portal

Sponsors
Sponsor Groups
Sponsor Portals
Portal Settings
Login Settings and AUP Page Settings
The Remaining Settings
Notification Services
SMTP Servers
SMS Gateway Providers
Provisioning Guest Accounts from a Sponsor Portal

SAML Authentication
Call to Action

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A
Chapter 14 Profiling
Do I Know This Already? Quiz
Foundation Topics
ISE Profiler
Anomalous Behaviour
Cisco ISE Probes
 Table of Contents
Probe Configuration
DHCP and DHCPSPAN
RADIUS
Network Scan (Nmap)
DNS
SNMPQUERY and SNMPTRAP
NETFLOW
HTTP Probe
Active Directory Probe
pxGrid Probe

Infrastructure Configuration
DHCP Helper
SPAN Configuration
VLAN Access Control Lists (VACLs)
Device Sensor
VMware Configurations to Allow Promiscuous Mode

Profiling Policies
Profiling Feed Service
Configuring the Profiler Feed Service
Verifying the Profiler Feed Service
Endpoint Profile Policies
Logical Profiles

ISE Profiler and CoA

Global CoA
Per-Profile CoA
Global Profiler Settings
Configure SNMP Settings for Probes
Endpoint Attribute Filtering
Custom Attributes for Profiling
Publishing Endpoint Probe Data on pxGrid

Profiles in Authorization Policies

Endpoint Identity Groups
EndPointPolicy
 Table of Contents

Verify Profiling
The Dashboard
Global Search
Endpoint Identities
Device Sensor show Commands

Exam Preparation Topics

Review All Key Topics
Define Key Terms
Q&A

Part IV: Advanced Secure Network Access

Chapter15 Certificate-Based Authentication
Do I Know This Already? Quiz
Foundation Topics
Certificate Authentication Primer
Determine If a Trusted Authority Has Signed the Digital Certificate
Examine Both the Start and End Dates to Determine If the Certificate Has Expired
Verify If the Certificate Has Been Revoked
Validate That the Client Has Provided Proof of Possession

A Common Misconception About Active Directory

EAP-TLS
Configuring ISE for Certificate-Based Authentications
Validate Allowed Protocols
Certificate Authentication Profile
Verify the Authentication Policy Is Using the CAP
Authorization Policies
Ensure the Client Certificates Are Trusted
Import the Certificate Authoritys Public Certificate
Configure Certificate Status Verification (Optional)

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
 Table of Contents
Q&A
Chapter 16 Bring Your Own Device
Do I Know This Already? Quiz
Foundation Topics
BYOD Challenges
Onboarding Process
BYOD Onboarding
Dual SSID
Single SSID

Configuring NADs for Onboarding

Configuring a WLC for Dual SSID Onboarding
Review of the WLAN Configuration
Verify the Required ACLs

ISE Configuration for Onboarding

The End-User Experience
Single SSID with Apple iOS Example
Dual SSID with Android Example
Unsupported Mobile Device: BlackBerry Example
Configuring ISE for Onboarding
Creating the Native Supplicant Profile
Configure the Client Provisioning Policy
Configure the WebAuth
Verify Default Unavailable Client Provisioning Policy Action
Create the Authorization Profiles
Create the Authorization Rules for Onboarding
Create the Authorization Rules for the EAP-TLS Authentications
ISE as a Certificate Authority
Configuring SCEP
Configuring ISE as an Intermediate CA

BYOD Onboarding Process Detailed

iOS Onboarding Flow
Phase 1: Device Registration
 Table of Contents
Phase 2: Device Enrollment
Phase 3: Device Provisioning
Android Flow
Phase 1: Device Registration
Phase 2: NSP App Download App
Phase 3: Device Provisioning
Windows and macOS Flow
Phase 1: Device Registration
Phase 2: Device Provisioning

Verifying BYOD Flows

RADIUS Live Logs
Reports
Identity Group

MDM Onboarding
Integration Points
Configuring MDM Integration
Configuring MDM Onboarding Rules
Create the Authorization Profile
Create the Authorization Rules

Managing Endpoints
Self-Management
Administrative Management

The Opposite of BYOD: Identify Corporate Systems

Exam Preparation Topics
Review All Key Topics
Define Key Terms
Q&A
Chapter 17 TrustSec and MACsec
Do I Know This Already? Quiz
Foundation Topics
Ingress Access Control Challenges
VLAN Assignment
 Table of Contents
Ingress Access Control Lists
EastWest Segmentation

What Is TrustSec?
What Is a Security Group Tag?
What Is the TrustSec Architecture?
TrustSec-Enabled Network Access Devices
Defining the TrustSec Settings for a Network Access Device
Configuring an IOS XE Switch for TrustSec
Configuring an ASA for TrustSec

Network Device Admission Control (NDAC)

Configuring the Seed Device
Configuring the Non-Seed Device

Defining the SGTs

Classification
Dynamically Assigning SGT via 802.1X
Manually Assigning SGTs to a Port
Manually Binding IP Addresses to SGTs in ISE
Access-Layer Devices That Do Not Support SGTs
Mapping a Subnet to an SGT
Mapping a VLAN to an SGT

Transport: SGT Exchange Protocol (SXP)

SXP Design
Configuring SXP on ISE
Configuring SXP on IOS Devices
Configuring SXP on Wireless LAN Controllers
Configuring SXP on Cisco ASA
Verifying SXP Connections in ASDM

Transport: Native Tagging

Configuring Native SGT Propagation (Tagging)
Configuring Manual SGT Propagation on Cisco IOS XE Switches

Enforcement
SGACL
 Table of Contents
Configuring Security Group ACLs
TrustSec Policy Matrix
Configuring the TrustSec Policy Matrix
Security Group Firewalls
Security Group Firewall on the ASA
Security Group Firewall on the Firepower
Security Group Firewall on the ISR and ASR

Software-Defined Access (SD-Access)

MACsec
Downlink MACsec
Switch Configuration Modes
ISE Configuration
Uplink MACsec
Manually Configuring Uplink MACsec
Verifying the Manual Configuration

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A
Chapter 18 Posture Assessment
Do I Know This Already? Quiz
Foundation Topics
Posture Assessment with ISE
A Bit of a History Lesson
ISE Posture Flows

Configuring Posture
Update the Compliance Modules
Configure Client Provisioning
Protect Your Sanity
Download AnyConnect
Upload AnyConnect Headend Deployment Packages to ISE
Configure the Client Provisioning Portal
 Table of Contents
Configure the Client Provisioning Policy
Configuring Posture Policy Elements
Conditions
Remediations
Requirements
Configure Posture Policies
Other Important Posture Settings
Posture Lease
Cache Last Known Posture Compliant Status
Reassessment Configurations
Authorization Rules
Create an Authorization Profile for Redirection
Create the Authorization Rules

The Endpoint Experience

Scenario 1: AnyConnect Not Installed on Endpoint Yet
Scenario 2: AnyConnect Already Installed, Endpoint Not Compliant
Scenario 3: Stealth Mode
Scenario 4: Temporal Agent and Posture Compliant

Mobile Posture
Create Mobile Posture Authorization Conditions
Create Mobile Posture Authorization Rules

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A

Part V: Safely Deploying in the Enterprise

Chapter 19 Deploying Safely
Do I Know This Already? Quiz
Foundation Topics
Why Use a Phased Approach?
Comparing authentication open to Standard 802.1X
 Table of Contents
Prepare ISE for a Staged Deployment
Monitor Mode
Low-Impact Mode
Closed Mode
Transitioning from Monitor Mode to Your End State
Wireless Networks
Exam Preparation Tasks
Review All Key Topics
Q&A
Chapter 20 ISE Scale and High Availability
Do I Know This Already? Quiz
Foundation Topics
Configuring ISE Nodes in a Distributed Environment
Make the First Node a Primary Device
Registering an ISE Node to the Deployment
Ensure That the Persona of Each Node Is Accurate

Understanding the High Availability Options Available

Primary and Secondary Nodes
Monitoring and Troubleshooting Nodes
Policy Administration Nodes
Promoting the Secondary PAN to Primary
Auto PAN Switchover
Configuring Automatic Failover for the Primary PAN
Licensing in a Multi-Node ISE Cube
Node Groups
Add the Policy Services Nodes to the Node Group

Using Load Balancers

General Guidelines
Failure Scenarios
Anycast High Availability for ISE PSNs
IOS Load Balancing

Maintaining ISE Deployments

 Table of Contents
Patching ISE
Backup and Restore

Exam Preparation Tasks

Review All Key Topics
Define Key Term
Q&A
Chapter 21 Troubleshooting Tools
Do I Know This Already? Quiz
Foundation Topics
Logging
Live Log
Advanced Filtering
Authentication Details Report
The Blank Lines
Live Sessions
Logging and Remote Logging
Logging Targets
Logging Categories
Debug Logs
Downloading Debug Logs from the GUI
Viewing Log Files from the CLI
Support Bundles

Diagnostic Tools
RADIUS Authentication Troubleshooting Tool
Execute Network Device Command
Evaluate Configuration Validator
Posture Troubleshooting
Endpoint Debug
TCP Dump
Session Trace Tests

Troubleshooting Methodology
Log De-duplication
 Table of Contents
The USERNAME User

Troubleshooting Outside of ISE

Endpoint Diagnostics
Cisco AnyConnect Diagnostics and Reporting Tool (DART)
Supplicant Provisioning Logs
Network Device Troubleshooting
Show Authentication Session Interface
Viewing Client Details on the WLC
Debug Commands

Exam Preparation Tasks

Review All Key Topics
Q&A

Part VI: Extending Secure Access Control

Chapter 22 ISE Context Sharing and Remediation
Do I Know This Already? Quiz
Foundation Topics
Integration Types in the ISE Ecosystem
MDM Integration
Rapid Threat Containment
Platform Exchange Grid

pxGrid
pxGrid in Action
Context-In
Configuring ISE for pxGrid
Configuring pxGrid Participants
Configuring Firepower Management Center for Identity with pxGrid
Configuring the Web Security Appliance
Integrating Stealthwatch and ISE

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
 Table of Contents
Q&A
Chapter 23 Threat Centric NAC
Do I Know This Already? Quiz
Foundation Topics
Vulnerabilities and Threats, Oh My!
Integrating Vulnerability Assessment Sources
TC-NAC Flows
Enable TC-NAC
Configure the Integration with a Vulnerability Assessment Vendor
Authorization Profile and Authorization Rules
Seeing TC-NAC with Vulnerability Scanners in Action
Verifying What Happened

Integrating with Threat Sources

Cognitive Threat Analytics (CTA)
Create a CTA STIX/TAXII API Account
Create a CTA Integration for TC-NAC
Using CTA with Authorization
AMP for Endpoints
Normalized Events
Configuring the AMP Adapter

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A

Part VII: Device Administration AAA

Chapter 24 Device Administration AAA with ISE
Do I Know This Already? Quiz
Foundation Topics
Device Administration AAA Refresher
Device Administration in ISE
Device Administration Design
 Table of Contents
Large Deployments
Medium Deployments
Small Deployments
Enabling TACACS+ in ISE
Network Devices

Device Administration Global Settings

Connection Settings
Password Change Control
Session Key Assignment

Device Administration Work Center

Identities
Network Resources
Policy Elements
TACACS Command Sets
TACACS Profiles
Policy Sets
Reports

Exam Preparation Tasks

Review All Key Topics
Q&A
Chapter 25 Configuring Device Administration AAA with Cisco IOS
Do I Know This Already? Quiz
Foundation Topics
Overview of IOS Device Administration AAA
TACACS Profile
TACACS+ Command Sets

Configure ISE and an IOS Device for Device Administration AAA

Prepare ISE for IOS Device Administration AAA
Ensure That the Device Administration Service Is Enabled
Prepare the Network Device
Prepare the Policy
Configure the TACACS Profiles
 Table of Contents
Configure the TACACS Command Sets
Configure the Policy Set
IOS Configuration for TACACS+
Configure TACACS+ Authentication and Fallback
Configure TACACS+ Command Authorization
Configure TACACS+ Command Accountings

Testing and Troubleshooting

Testing and Troubleshooting in ISE
Troubleshooting at the IOS Command Line

Exam Preparation Tasks

Review All Key Topics
Define Key Terms
Q&A
Chapter 26 Configuring Device Admin AAA with the Cisco WLC
Do I Know This Already? Quiz
Foundation Topics
Overview of WLC Device Administration AAA
Configure ISE and the WLC for Device Administration AAA
Prepare ISE for WLC Device Administration AAA
Prepare the Network Device
Prepare the Policy Results
Configure the Policy Set
Adding ISE to the WLC TACACS+ Servers

Testing and Troubleshooting

Exam Preparation Tasks
Review All Key Topics
Q&A

Part VIII: Final Preparation

Chapter 27 Final Preparation
Hands-on Activities
Suggested Plan for Final Review and Study
 Table of Contents
Summary

Part IX: Appendixes

Glossary of Key Terms
Appendix A: Answers to the Do I Know This Already? Quizzes and
Q&A Sections
Appendix B: CCNP Security Implementing and Configuring Cisco
Identity Services Engine (SISE 300-715) Exam Updates
Appendix C: Sample Switch Configurations
Index
Appendix D: Study Planner