Identity Management and Access Control for Security CCIE Candidates
Mark Bernard
BRKCCIE-3222
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#BRKCCIE-3222

Polling
Our Questions for You: we will use polling a few times to get some information from attendees.
How:
1. Send a text to 22333 with cisco16 as the body
2. Respond to all the polls as we get to them
3. No need to send cisco16 again
pollev.com/cisco16
Agenda
• Introduction
• CCIE Security Program Overview
• Cisco Identity Services Engine (ISE) Overview
• Configure, Verify & Troubleshoot Profiling Using Device Sensor
• Configure, Verify & Troubleshoot pxGrid with ISE & WSA
• Conclusion
About Me
• Security Consulting Systems Engineer supporting Enterprise South Operation
• Joined Cisco in 2005
• Based out of Tennessee, USA
• CCIE Mentor for Cisco Employees
• Cisco Live Speaker since 2006
• CCIE #23864, CISSP, [email protected]
@bernarmn
CCIE Security Program Overview
CCIE Security Topics

Domain                                                              Written Exam   Lab Exam
1.0 Perimeter Security and Intrusion Prevention                     21%            23%
2.0 Advanced Threat Protection and Content Security                 17%            19%
3.0 Secure Connectivity and Segmentation                            17%            19%
4.0 Identity Management, Information Exchange, and Access Control   22%            24%
5.0 Infrastructure Security, Virtualization, and Automation         13%            15%
6.0 Evolving Technologies                                           10%            N/A
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Identity Management Topics in CCIE Exam
4.1 Describe, implement, and troubleshoot various personas of ISE in a multinode deployment
4.2 Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS configuration for AAA
4.3 Describe, implement, and troubleshoot AAA for administrative access to Cisco network devices using ISE and ACS
4.4 Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE
4.5 Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy using ISE as the AAA server
4.6 Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure
4.7 Describe, implement, verify, and troubleshoot BYOD on-boarding and network access flows with an internal or external CA
4.8 Describe, implement, verify, and troubleshoot ISE and ACS integration with external identity sources such as LDAP, AD, and external RADIUS
4.9 Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML
4.10 Describe, implement, verify, and troubleshoot provisioning of AnyConnect with ISE and ASA
4.11 Describe, implement, verify, and troubleshoot posture assessment with ISE
4.12 Describe, implement, verify, and troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor
4.13 Describe, implement, verify, and troubleshoot integration of MDM with ISE
4.14 Describe, implement, verify, and troubleshoot certificate based authentication using ISE
4.15 Describe, implement, verify, and troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)
4.16 Describe, implement, and troubleshoot identity mapping on ASA, ISE, WSA and FirePOWER
4.17 Describe the functions and security implications of AAA protocols such as RADIUS, TACACS+, LDAP/LDAPS, EAP (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-TEAP, EAP-MD5, EAP-GTC), PAP, CHAP, and MS-CHAPv2
4.18 Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC
Cisco Gear Used on CCIE Security

Security Appliances
• Cisco Identity Services Engine (ISE): 2.1.0
• Cisco Secure Access Control System (ACS): 5.8.0.32
• Cisco ASA 5512-X: 9.6.1
• Cisco Web Security Appliance (WSA): 9.2.0
• Cisco Email Security Appliance (ESA): 9.7.1
• Cisco Adaptive Security Virtual Appliance (ASAv): 9.6.1
• FireAMP Private Cloud
• Cisco Firepower Management Center Virtual Appliance: 6.0.1 and/or 6.1
• Cisco Firepower NGIPSv: 6.0.1
• Cisco Firepower Threat Defense: 6.0.1

Core Devices
• IOSv L2: 15.2
• Cisco Catalyst Switch C3850-12S: 16.2.1
• IOSv L3: 15.5(2)T
• Cisco CSR 1000V Series Cloud Services Router: 3.16.02.S
• Cisco 2504 WLC: 8.0.133.0
• Cisco Aironet 1602E: 15.3.3-JC
• Cisco Wireless Controller (WLC): 8.0.133

Others
• Cisco Application Policy Infrastructure Controller Enterprise Module: 1.2
• Cisco Unified Communications Manager: 8.6.(1)
• Cisco Unified IP Phone 7965: 9.2(3) *
• AnyConnect: 4.2

Physical Machines
• Test PC: Microsoft Windows 7
• Active Directory: Microsoft Windows Server 2008

* Device authentication only; provisioning of IP phones is NOT required.
CCIE Security Exam Changes
CCIE Security v5.0 Lab Exam Format
The 5.0 Lab is now comprised of three modules:
1. Troubleshooting Module
2. Diagnostic Module
3. Configuration Module
ISE Overview
Introducing Cisco Identity Services Engine
A centralized security solution that automates context-aware access to network resources and shares contextual data.
[Diagram: the network "door". Identity, profiling and posture provide context (who, what, when, where, how, compliant). Role-based access: traditional versus Cisco TrustSec® role-based policy access; guest access, BYOD access, secure access.]
Deploying ISE

Node personas:
• Policy Administration Node (PAN): single pane of glass for ISE admin; replication hub for all database config changes
• Policy Services Node (PSN): makes policy decisions; RADIUS / TACACS+ servers
• Monitoring and Troubleshooting Node (MnT): reporting and logging node; syslog collector from ISE nodes
• pxGrid Controller: facilitates sharing of context

Deployment sizes:
• Standalone ISE: single node (virtual / appliance), up to 20,000 concurrent endpoints
• Multi-node ISE: multiple nodes (virtual / appliance), up to 500,000 concurrent endpoints
Endpoint Profiling & Device Sensor
How Does ISE Get All That Information?
• Active probes (run on ISE): NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP
• Device Sensor (DS, on the Cisco network devices): CDP, LLDP, DHCP, HTTP, H323, SIP, mDNS
• AnyConnect Identity Extensions (ACIDex) and Active Directory (AD) also feed context to ISE
• Cisco ISE Profiling Feed Service (online/offline): 550+ high-level canned profiles, plus periodic feeds; 250+ medical device profiles
• 1.5 million devices with ‘50’ attributes each can be stored
Profiling with ‘Device Sensor’: Just One Type of Probe
• Distributed collection on network devices: a cache of CDP, LLDP, DHCP, HTTP (wireless only), etc.
• Centralized collection over the RADIUS protocol (RADIUS accounting)
• Doesn’t require packet redirection (DHCP helper) or SPAN sessions for profiling
• Highly scalable and efficient: ISE runs only the “RADIUS” probe
• Profiling based on:
  • CDP/LLDP
  • DHCP
  • HTTP (WLC only)
  • mDNS
  • H323
  • MSI-Proxy (4k only)

Data from Device Sensor, carried to ISE in RADIUS accounting:
• Switches: CDP, LLDP, DHCP, MAC
• WLC: HTTP, DHCP, MAC

Data from Device Sensor + Profile Conditions = PROFILED
Example: MAC OUI = Lexmark, and if the DHCP Class ID contains E260dn, it’s a Lexmark E260dn printer.
ISE Construction of Profiles
• Create conditions based on data sent by Cat3K switches
• Link one or more conditions together to identify a new device
Certainty Factors
• We must meet this threshold (the profile’s minimum certainty factor) before assigning the profile
• Multiple conditions may be required
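The profile logic of the last few slides (conditions built from Device Sensor data, certainty factors summed per profile, a threshold that must be met before a profile is assigned) worked through as an added Python example; this is not ISE’s code or the presenter’s, and the attribute names, profile names, OUI, thresholds and certainty values are constructed assumptions.

```python
"""Toy ISE-style profiler: evaluate profile conditions against the attributes that
Device Sensor delivers in RADIUS accounting, add up the certainty factors of the
conditions that match, and assign a profile only when the total meets that
profile's minimum certainty threshold (the most specific qualifying profile wins).
Added illustration, not ISE code: attribute names, thresholds and certainty
values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]

@dataclass
class Condition:
    name: str
    test: Callable[[Attrs], bool]
    certainty: int  # points contributed when this condition matches

@dataclass
class Profile:
    name: str
    min_certainty: int  # total certainty required before the profile is assigned
    conditions: List[Condition]

def mac_oui(mac: str) -> str:
    """Return the 24-bit OUI of a MAC written in colon, dash or dotted notation."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits[:6]

def contains(attr: str, needle: str) -> Callable[[Attrs], bool]:
    """Condition builder: attribute value contains needle (case-insensitive)."""
    return lambda a: needle.lower() in a.get(attr, "").lower()

def oui_in(ouis: set) -> Callable[[Attrs], bool]:
    """Condition builder: the endpoint MAC's OUI is one of the given OUIs."""
    return lambda a: "MACAddress" in a and mac_oui(a["MACAddress"]) in ouis

LEXMARK_OUIS = {"000400"}  # constructed for the example; verify against the IEEE registry

PROFILES = [
    Profile("Lexmark-Device", 10, [Condition("Lexmark OUI", oui_in(LEXMARK_OUIS), 10)]),
    Profile("Lexmark-E260dn-Printer", 20, [
        Condition("Lexmark OUI", oui_in(LEXMARK_OUIS), 10),
        Condition("DHCP class-id contains E260dn", contains("dhcp-class-identifier", "E260dn"), 10),
    ]),
    Profile("Cisco-IP-Phone", 20, [
        Condition("CDP platform contains IP Phone", contains("cdpCachePlatform", "IP Phone"), 10),
        Condition("LLDP sysdesc contains Cisco IP Phone", contains("lldpSystemDescription", "Cisco IP Phone"), 10),
    ]),
]

def score(profile: Profile, attrs: Attrs) -> int:
    """Sum the certainty factors of the profile's conditions that match."""
    return sum(c.certainty for c in profile.conditions if c.test(attrs))

def classify(attrs: Attrs, profiles: List[Profile] = PROFILES) -> Tuple[str, int]:
    """Highest-scoring profile whose threshold is met; ties go to the profile with
    more conditions (more specific). ("Unknown", 0) when nothing qualifies."""
    best = ("Unknown", 0, -1)  # name, score, number of conditions
    for p in profiles:
        s = score(p, attrs)
        if s >= p.min_certainty and (s, len(p.conditions)) > best[1:]:
            best = (p.name, s, len(p.conditions))
    return best[0], best[1]

# Constructed attribute sets, as a PSN would hold them once RADIUS accounting has
# delivered each session's Device Sensor cache.
SAMPLES = {
    "printer": {"MACAddress": "00:04:00:AA:BB:CC", "dhcp-class-identifier": "Lexmark E260dn"},
    "other-lexmark": {"MACAddress": "00-04-00-11-22-33", "dhcp-class-identifier": "Lexmark MS810"},
    "phone": {"MACAddress": "0011.2233.4455", "cdpCachePlatform": "Cisco IP Phone 7965",
              "lldpSystemDescription": "Cisco IP Phone 7965G"},
    "phone-cdp-only": {"MACAddress": "0011.2233.4456", "cdpCachePlatform": "Cisco IP Phone 7965"},
    "laptop": {"MACAddress": "3c:52:82:01:02:03", "dhcp-class-identifier": "MSFT 5.0"},
}

if __name__ == "__main__":
    for label, attrs in SAMPLES.items():
        print(f"{label:15s} -> {classify(attrs)}")  # e.g. printer -> ('Lexmark-E260dn-Printer', 20)
```

The "phone-cdp-only" sample shows the threshold at work: one matching condition scores 10 against a minimum of 20, so the endpoint stays Unknown until the LLDP data arrives in a later accounting update.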
Device Sensor for Wireless
• Per WLAN enable/disable device profiling
• DHCP (WLC 7.2.110.0): Hostname, Class ID
• HTTP / Both (WLC 7.3): User Agent
• FlexConnect with central switching supported
• The WLC sends the collected DHCP and HTTP attributes to ISE in RADIUS accounting

Let’s Configure Device Sensor & Profiling
Configure ISE: Add the Network Device
• Add the device name
• Add the IP address
• Add the shared secret key

Configure ISE: Turn on RADIUS Profiling
• Edit the PSN
• Enable RADIUS profiling
* After this step, you may want to go to the switch and ping and “test aaa” the ISE server to ensure connectivity.
Verify the Endpoint Is Profiled & View Attributes
• Click on the endpoint
• Select Endpoint Classification
• Check the Endpoint Profile and Endpoint Source
Let’s Configure the Switch

Configure the AAA framework:
Branch3-3650(config)#aaa new-model
Branch3-3650(config)#aaa authentication dot1x default group radius
Branch3-3650(config)#aaa accounting dot1x default start-stop group radius

Configure the RADIUS settings and enable the dot1x framework globally:
Branch3-3650(config)#radius server ISE
Branch3-3650(config-radius-server)#address ?
  ipv4  IPv4 Address
  ipv6  IPv6 Address
Branch3-3650(config-radius-server)#address ipv4 172.16.110.140
Branch3-3650(config-radius-server)#key Cisco123
Branch3-3650(config-radius-server)#exit
Branch3-3650(config)#dot1x system-auth-control

Configure the interface:
Branch3-3650(config)#int g1/1/24
Branch3-3650(config-if)#switchport mode access
Branch3-3650(config-if)#switchport voice vlan 25
Branch3-3650(config-if)#authentication order mab
Branch3-3650(config-if)#authentication port-control auto
Branch3-3650(config-if)#mab
Branch3-3650(config-if)#dot1x pae authenticator
Branch3-3650(config-if)#authentication host-mode multi-auth   ! if 2 devices (e.g. phone + PC) share the port
Configure Device Sensor on the Switch

Configure the device sensor feature:
Branch3-3650(config)#device-sensor accounting
Branch3-3650(config)#device-sensor notify ?
  all-changes  Trigger identity update when TLVs are added/modified/removed
  new-tlvs     Trigger identity update only when TLVs are added
Branch3-3650(config)#device-sensor notify all-changes
Branch3-3650(config)#radius-server vsa send accounting   ! send vendor-specific attributes (VSAs) in accounting

Verify that you are getting device sensor information:
Branch3-3650#sh device-sensor cache ?
  all        Shows All dsensor cache
  interface  Client interface
  mac        Shows dsensor cache details by MAC
Branch3-3650#sh device-sensor cache all

Verify what is being sent to ISE (bounce the port to trigger a fresh accounting update):
Branch3-3650#debug radius accounting packets
Branch3-3650#conf t
Branch3-3650(config)#int g2/1/1
Branch3-3650(config-if)#shut
Branch3-3650(config-if)#no shut
Device Sensor Information Elements: Examples

Example records and options for the protocol sensors:
Branch3-3650(config)#device-sensor filter-list ?
  cdp   CDP Filter List
  dhcp  DHCP Filter List
  h323  H323 Filter List
  lldp  LLDP Filter List
  mdns  MDNS Filter List
  sip   SIP Filter List

Branch3-3650(config)#device-sensor filter-list mdns list APPLE
Branch3-3650(config-sensor-mdnslist)#tlv name ?
  device-version   MDNS Device Version
  pointer-records  MDNS PTR Records
  srv-records      MDNS SRV Records
  text-records     MDNS TXT Records

Branch3-3650(config)#device-sensor filter-list h323 list PHONE
Branch3-3650(config-sensor-h323list)#tlv name ?
  device-name     H323 device name
  device-vendor   H323 device vendor
  device-version  H323 device version

Branch3-3650(config)#device-sensor filter-list dhcp list <LIST-NAME>   ! list name missing on the slide; placeholder
Branch3-3650(config-sensor-dhcplist)#option name ?
  all-subnets-local   All Subnets Local
  arp-cache-timeout   ARP Cache Timeout
  authentication      Authentication
  auto-configure      Autoconfiguration
  bcmcs-servers-a     BCMCS Controller IPv4 address list
  bcmcs-servers-d     BCMCS Controller Domain Name list
  boot-file           Boot File Name
  boot-size           Boot Size
  [clip]

There are 100+ option fields for DHCP, including vendor-specific attributes.
Test and Debug AAA on the Switch

Verify the AAA framework:
Branch3-3650#sh run | inc aaa
aaa new-model
aaa authentication dot1x default group radius
aaa accounting dot1x default group radius
aaa session-id common

Verify the RADIUS settings:
Branch3-3650#sh run | sect radius
aaa authentication dot1x default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 172.16.110.140 auth-port 1645 acct-port 1646
 key Cisco123

Verify the interface settings:
Branch3-3650#sh run int g1/1/24
interface GigabitEthernet1/1/24
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 25
 shutdown
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
* Don’t forget to bring up the access port interface (note the “shutdown” above).

Test ISE connectivity (do this after configuring the device in ISE); sample test and debug commands:
Branch3-3650#ping 172.16.110.140
Branch3-3650#show ip interface brief
Branch3-3650#test aaa group radius blahuser blahpassword legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.
Branch3-3650#debug radius accounting packets
Branch3-3650#debug device-sensor {errors | events}
Verify Device Attributes (cont.)
• Verify the Endpoint Source
• Navigate to Attributes
Configure the Authorization Policy in ISE
A rule is added in the Authorization Policy:
• Choose a rule name
• Choose a condition based on profiles and connectivity attributes
• Assign the appropriate policy

You Have Completed Profiling with Device Sensor
pxGrid Deployment

Cisco Platform Exchange Grid (pxGrid): Enable Unified Threat Response by Sharing Contextual Data
1. Cisco® ISE collects contextual data from the network (who, what, when, where, how)
2. Context is shared via pxGrid technology
3. Context improves visibility to detect threats
4. Devices can direct ISE to rapidly contain threats or apply policy
5. ISE uses partner data to update context and refine access policy
[Diagram: ISE and its pxGrid Controller exchange context with the Cisco and partner ecosystem and the Cisco network.]
pxGrid Use Cases

• Cloud Access Monitoring: user/device-aware cloud-hosted resource monitoring
  Description: ISE user, group, access, device context to enhance monitoring and reporting of access to cloud services by end-users.
  Partners: SkyHigh, Elastica
• Network/App Performance Monitoring: user/device-aware network topology and performance management
  Description: ISE IP:user:device binding and related context to network data system to attribute user, device, role, etc. to visualization and performance management data.
  Partner: Savvius
• Threat Defense: user-behavior anomaly (UBA) detection
  Description: Assess typical behavior of individual and groups of users and then look for anomalous behavior. Utilizes ISE user/device context in analytics and event reporting.
  Partners: FortScale, Rapid 7, E8
• WSA+ISE: user-aware web security policies
  Description: Web access decisions based on ISE user/device context. Enables customers to differentiate web content access policies based on real-time user and device situational awareness.
  Partner: Cisco WSA
• DNS, DHCP and IP Address Management: user, group and device based DDI monitoring and reporting
  Description: Associate users and user network privileges with DHCP leases, IP address assignments and domain name access by using ISE user/network context.
  Partner: Infoblox
• SIEM/TD: user/device-aware SIEM/Threat Defense integration
  Description: Same use-cases as the existing SIEM/TD ecosystem, but utilizing pxGrid for context and Rapid Threat Containment.
  Partners: NetIQ, Lancope, Splunk, FireSIGHT Management Center 5.4, LogRhythm
Web Filtering with pxGrid & Passive ID through ISE

Let’s Configure pxGrid with ISE & WSA

Sample Lab Topology
Configure the WSA: Certificates
• Network > Certificate Management
• Manage trusted root certificates
• Add your certificate

Configure the WSA: Add ISE to the WSA
• Network > Identity Service Engine
• Add the pxGrid node and its certificates
• Add the Monitor (MnT) ISE nodes and their certificates
• Add the WSA certificates
• Run the test to ensure DNS and certificates are valid and SGTs are imported

Now Configure ISE
Ensure That You Are Connected to the AD Controller
• Select the node
• Click “Join”
• AD should show “Operational” status
Configure ISE Certificates for pxGrid Clients
For complete certificate steps see:
https://communities.cisco.com/community/technology/security/pa/ise/blog/2016/07/27/ise-21-and-wsa-via-pxgrid-and-ca-signed-certificates
Enable pxGrid Services in ISE
• Edit the node
• Enable pxGrid services

Enable Auto Registration in ISE
• Enable “auto approve new accounts”
• Ensure admin & mnt are showing

Verify the WSA Is Registered as a pxGrid Client
• Ensure the WSA client is online
• Ensure pxGrid is connected
Configure Security Group Tags in ISE
• Add an SGT
• The SGT gets propagated to the WSA

Configure the Authorization Policy
A rule is added in the Authorization Policy:
• Choose a rule name
• Choose a condition based on profiles and connectivity attributes
• Assign the appropriate SGT

Now Configure the WSA (Again)
Add an Identity Profile
• Create a new identification profile
• Type in the name of the profile
• Select “Identify Users with ISE”
• Select Block Transactions

Add an Access Policy
• Create a new access policy
• Type in the access policy name
• Select the SGT to use: search for your SGT, check the box next to it, and click the “Add” button
• Now that your SGT is assigned, click Done
Configure URL Filtering
• Configure the URL filter in the access policy
• Select the categories to block

Configure Web Redirection
• Select WCCP for our example
• Configure WCCP on the WSA
• Match the service ID on the network device
• Configure web redirection on the switch

Verify Your Configuration
Turn Up Logging for Troubleshooting
• Use %m for troubleshooting ISE
• Telnet into the WSA and verify via the CLI
• Browse to the WSA and verify with Policy Trace
• Verify on the switch via the CLI

You Have Completed pxGrid ISE and WSA Integration
Summary
• CCIE Security Program Overview
• Cisco Identity Services Engine (ISE) Overview
• Configure, Verify & Troubleshoot Profiling Using Device Sensor
• Configure, Verify & Troubleshoot pxGrid with ISE & WSA
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Security Beta Programs
To participate in Beta: http://cs.co/security-beta-nomination or email [email protected]

“I've been involved in many beta programs … I must say that this one has been the best organized. This beta has taken a very active, hands-on approach.” - Liberal Arts College Customer

Customer Benefits
• Free test hardware
• Early experience with and training on new features and functionality
• Demos and feedback sessions on product usability, design, and roadmaps
• Risk-free testing in the customer environment prior to FCS
• Beta customer S1-3 issues fixed in GA release

Security Beta Products: ASA, Firepower NGFW/NGIPS, Firepower Platforms, AMP for Endpoints, ISR, ESA, ISE, OpenDNS, Stealthwatch, Learning Networks
Cybersecurity Cisco Education Offerings

• Course: Understanding Cisco Cybersecurity Fundamentals (SFUND)
  Description: The SECFND course provides understanding of cybersecurity’s basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills.
  Cisco Certification: CCNA® Cyber Ops
• Course: Implementing Cisco Cybersecurity Operations (SECOPS)
  Description: This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level.
  Cisco Certification: CCNA® Cyber Ops
• Course: Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
  Description: Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, event monitoring, security event/alarm/traffic analysis (detection), and incident response.
  Cisco Certification: Cisco Cybersecurity Specialist
• Course: Cisco Security Product Training Courses
  Description: Official deep-dive, hands-on product training on Cisco’s latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more.

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco Education Offerings (cont.)

• Course: New! CCIE Security 5.0
  Cisco Certification: CCIE® Security
• Course: Implementing Cisco Edge Network Security Solutions (SENSS)
  Description: Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
  Cisco Certification: CCNP® Security
• Course: Implementing Cisco Threat Control Solutions (SITCS) v1.5
  Description: Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security
  Cisco Certification: CCNP® Security
• Course: Implementing Cisco Secure Access Solutions (SISAS)
  Description: Deploy Cisco’s Identity Services Engine and 802.1X secure network access
  Cisco Certification: CCNP® Security
• Course: Implementing Cisco Secure Mobility Solutions (SIMOS)
  Description: Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
  Cisco Certification: CCNP® Security
• Course: Implementing Cisco Network Security (IINS 3.0)
  Description: Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features
  Cisco Certification: CCNA® Security

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Thank you
Glossary of Acronyms
• AAA – Authentication, Authorization, Accounting
• ASAv – Adaptive Security Virtual Appliance
• APIC-EM – Application Policy Infrastructure Controller Enterprise Module
• CSR – Cloud Services Router
• MAB – MAC Authentication Bypass
• MAR – Machine Access Restriction
• ISE – Identity Services Engine
• ACL – Access Control List
• SGT – Security Group Tag
• SGACL – Security Group Access Control List
• ACI – Application Centric Infrastructure
• EPG – EndPoint Group
• BYOD – Bring Your Own Device