Security

The video demonstrate steps to integrate Cisco ISE with Windows Active Directory to access user information for authentication and authorization. This is very similar to joining a computer to a domain, where ISE will become a domain computer. Once joined, ISE will have access to user attributes particularly information on group membership that is usually heavily used to determine user access privilege. Identity Source Sequence, on the other hand, is a list of Identity Sources in order of preference, which we also look at in this video.

The video serves as an introduction to Cisco ISE web and CLI interface. Some general configurations will be performed without getting into detail of policy configuration. By the end of the video, you should be fairly familiar and are able navigate around ISE web interface.

• ISE Command Line Interface
• ISE GUI Walkthrough
• ISE Basic Configuration
• Client Provisioning Auto-Update

The video demonstrates how to register a Policy Service node to a primary Admin node using CA-signed certificate. The same process applies to registering a secondary Admin node. This step is required when implementing an ISE distributed design for high scalability. This method is preferable over self-signed certificate.

The video demonstrates how to register a Policy Service node to a primary Admin node using self-signed certificate. The same process applies to registering a secondary Admin node. This step is required when implementing an ISE distributed design for high scalability. The other option is to use trusted CA-signed certificate, which will be looked at in a separate video.

The video walks you through steps to deploy user and computer digital certificates from Windows 2008 Certificate Authority (CA) server through auto-enrollment and Group Policy. This method allows you to automatically distribute certificates to your Windows users, which is very effective for a large scale security deployment that requires either or both user and machine authentication using client-based certificate such as EAP-TLS. This lab assumes you have existing Windows certificate server and Active Directory (AD) infrastructure.

The video walks you through an installation of Cisco Identity Services Engine (ISE) (we use 1.1.1 for our demonstration) on VMware. We will guide you step-by-step through the installation process. At the end of this lab, you should have a working ISE server that you can use for future labs. No configuration, other than the setup process, is performed in this video. The video assumes that you have basic working knowledge of VMware ESXi.

The video demonstrates configuration of remote access IPSec VPN with Windows software client on Cisco ASA firewall. We will look at both simple pre-shared key authentication as well as using client certificate. The client is placed behind a NAT router to demonstrate the significance of NAT Transparency, and compare it to raw IPSec, IPSec over UDP and IPSec over TCP. The order of precedence on encapsulation types will be investigated when they are all enabled simultaneously. 

The video takes the site-to-site L2L IPSec VPN to the next level by combining what we have learnt from the previous videos with the concept of Virtual Routing Forwarding (VRF). We will look at how you can segregate different type of L2L VPN into their own logical routing domain, while they all share the same physical hardware. Basic understanding of VRF is recommended before viewing this video

The video walks you through configuring site-to-site (L2L) IPSec VPN tunnel between Cisco router and ASA firewall using certificate authentication. You will see that choosing the type of identity to send and match becomes very important as the certificate does not get exchanged until later in Phase 1 negotiation. Using aggressive mode allows the device identity contained in the certificate to be revealed sooner but at a risk of identity exposure. Aggressive mode will also be reviewed in this video.