802.1x

The video walks you through L2 security options of a WLAN on Cisco Wireless LAN Controller. We will emphasize on WPA/WPA2 with 802.1X and PSK options. Fast Transition (802.11r) will be tested, examined with packet capture, and discussed on why you may or may not want to have this enabled. Other less commonly used options such as WEP with and without 802.1X will also be reviewed.

The video walks you through L2 security options of a WLAN on Cisco Wireless LAN Controller. We will emphasize on WPA/WPA2 with 802.1X and PSK options. Fast Transition (802.11r) will be tested, examined with packet capture, and discussed on why you may or may not want to have this enabled. Other less commonly used options such as WEP with and without 802.1X will also be reviewed.

The video shows you how you can increase security with access point authentication. We will go through various approaches available on Cisco Wireless LAN Controller that allow an AP to be authenticated prior to joining including MIC and LSC certificate authentication, static local and RADIUS MAC address auth list, and 802.1x authentication. We will be able to see and realize which method would work best in your environment.

The video provide a method to enhance reliability of Cisco ASA CX Passive Authentication by integrating Cisco ISE with CDA. You will see how the caveats inherent to CDA can be solved by using realtime user and IP information provided by 802.1x identity-based authentication network. We will analyze RADIUS packets being communicated between Cisco ISE and CDA to try to understand the underlying mechanism. Testing will be performed on both domain and non-domain devices, that have been onboarded through ISE, and this includes both wired and wireless.

The video provide a method to enhance reliability of Cisco ASA CX Passive Authentication by integrating Cisco ISE with CDA. You will see how the caveats inherent to CDA can be solved by using realtime user and IP information provided by 802.1x identity-based authentication network. We will analyze RADIUS packets being communicated between Cisco ISE and CDA to try to understand the underlying mechanism. Testing will be performed on both domain and non-domain devices, that have been onboarded through ISE, and this includes both wired and wireless.

The video looks into Cisco ISE 1.2 wireless 802.1X authentication with FlexConnect AP. We will configure wireless AP and SSID to operate in central switching and local switching and compare authorization capability on ISE between the two modes. Since local switching mode does not support DACL, we will be configuring FlexConnect ACL and FlexConnect group and use dynamic VLAN assignment to place a wireless user on a VLAN with appropriate ACL.

The video looks into Cisco ISE 1.2 wireless 802.1X authentication with FlexConnect AP. We will configure wireless AP and SSID to operate in central switching and local switching and compare authorization capability on ISE between the two modes. Since local switching mode does not support DACL, we will be configuring FlexConnect ACL and FlexConnect group and use dynamic VLAN assignment to place a wireless user on a VLAN with appropriate ACL.

The video demonstrates the use of Endpoint Protection Service (EPS) on Cisco ISE 1.2 to quarantine undesired endpoints. Unlike manually removing an endpoint from the network by shutting down port and the endpoint can potentially be moved to a different port to regain access, although ISE also allow you to exactly this by issuing a port-shutdown CoA, placing host MAC address or IP into EPS quarantine ensures the endpoint remains denied from the network regardless of its point to attachment. A policy can be created to block endpoint traffic by ACL or/and placing them into a unusable VLAN.

The video demonstrates the use of Endpoint Protection Service (EPS) on Cisco ISE 1.2 to quarantine undesired endpoints. Unlike manually removing an endpoint from the network by shutting down port and the endpoint can potentially be moved to a different port to regain access, although ISE also allow you to exactly this by issuing a port-shutdown CoA, placing host MAC address or IP into EPS quarantine ensures the endpoint remains denied from the network regardless of its point to attachment. A policy can be created to block endpoint traffic by ACL or/and placing them into a unusable VLAN.