certificate

The video presents one of possible methods to tag an iDevice (eg. iPhone, iPad) as a corporate asset using a certificate. We will walk through a profile creation using an iPhone Configuration Utility and installation on an iDevice. We will be observing a device requesting a certificate through SCEP, and, once obtained, perform wireless authentication using EAP-TLS against Cisco ISE. Authorization conditions will be constructed to look for a specific Common Name (CN) on the certificate, and appropriate access will be granted upon a match. iPhone will be used for testing in this video.

The video walks you through configuration of wireless 802.1X using EAP-TLS on Cisco ISE. We will look how to configure authentication and authorization policies to support both user and machine authentication, how to restrict network access with DACL, and how to use Machine Access Restriction (MAR) to correlate user and machine sessions to ensure a user can access the network only from a domain (corporate) computer. We will perform testing from both domain, non-domain computers, and iPhone, and observe the authentication results.

The video walks you through configuration of wired 802.1X using EAP-TLS on Cisco ISE. We will look how to configure authentication and authorization policies to support both user and machine authentication, how to restrict network access with DACL, and how to use Machine Access Restriction (MAR) to correlate user and machine sessions to ensure a user can access the network only from a domain (corporate) computer. We will perform testing from both domain and non-domain computers and observe the authentication results.

The video demonstrates how to register a Policy Service node to a primary Admin node using CA-signed certificate. The same process applies to registering a secondary Admin node. This step is required when implementing an ISE distributed design for high scalability. This method is preferable over self-signed certificate.

The video demonstrates how to register a Policy Service node to a primary Admin node using self-signed certificate. The same process applies to registering a secondary Admin node. This step is required when implementing an ISE distributed design for high scalability. The other option is to use trusted CA-signed certificate, which will be looked at in a separate video.

The video walks you through steps to deploy user and computer digital certificates from Windows 2008 Certificate Authority (CA) server through auto-enrollment and Group Policy. This method allows you to automatically distribute certificates to your Windows users, which is very effective for a large scale security deployment that requires either or both user and machine authentication using client-based certificate such as EAP-TLS. This lab assumes you have existing Windows certificate server and Active Directory (AD) infrastructure.

The video demonstrates configuration of remote access IPSec VPN with Windows software client on Cisco ASA firewall. We will look at both simple pre-shared key authentication as well as using client certificate. The client is placed behind a NAT router to demonstrate the significance of NAT Transparency, and compare it to raw IPSec, IPSec over UDP and IPSec over TCP. The order of precedence on encapsulation types will be investigated when they are all enabled simultaneously. 

The video walks you through configuring site-to-site (L2L) IPSec VPN tunnel between Cisco router and ASA firewall using certificate authentication. You will see that choosing the type of identity to send and match becomes very important as the certificate does not get exchanged until later in Phase 1 negotiation. Using aggressive mode allows the device identity contained in the certificate to be revealed sooner but at a risk of identity exposure. Aggressive mode will also be reviewed in this video.

The video demonstrates configuration of remote access IPSec VPN with Windows software client on Cisco router. We will look at both simple pre-shared key authentication as well as using client certificate. The client is placed behind a NAT router to demonstrate the significance of NAT Transparency, and compare it to raw IPSec and cTCP (IPSec over TCP). The video finishes off by showing how client can be allowed access to local subnet when a non-split tunnel is used.

The video walks you through configuration of Easy VPN (EZVPN) with Pre-shared key and certificate authentication on a Cisco headend ASA firewall. The hardware client router is running Client Mode and configured to automatically connect using a locally stored credential. This video is a counterpart of SEC0015 and SEC0016 with the headend router. Here we introduce the concept of 'group-policy' and 'tunnel-group' that are unique to the ASA, while most crypto command syntax is very similar to those on a router.