Version 4.1 - 5.6 Cisco Identity Services Engine (ISE) Part 2
IOS Device Sensor requires a multipart configuration.
1. Create a list for DHCP
2. Create a list for CDP
3. Create a list for LLDP
4. Include the lists in the device-sensor
5. Enable the device sensor
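The five steps above as an IOS configuration sketch. This is an added example, not part of the original notes; the list names (DHCP-LIST, CDP-LIST, LLDP-LIST) and the particular options and TLVs selected are assumptions, and available keywords vary by platform and release.

```cisco
! Prerequisites (assumed): RADIUS accounting to ISE is already configured,
! and CDP/LLDP are running so there is data to collect.
lldp run
radius-server vsa send accounting
!
! Step 1: list of DHCP options to collect
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name class-identifier
 option name client-identifier
!
! Step 2: list of CDP TLVs to collect
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name platform-type
!
! Step 3: list of LLDP TLVs to collect
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
!
! Step 4: include each list in the device sensor
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
!
! Step 5: enable the sensor: send the collected attributes in RADIUS
! accounting messages and notify on every TLV change
device-sensor accounting
device-sensor notify all-changes
```

`show device-sensor cache all` displays what the switch has collected per port, which is a quick check before looking for the attributes on the ISE side.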
Flex-Auth allows you to set an authentication order and priority on the switch port (see 802.1x section).
ISE Policy Elements:
* Dictionaries
* Conditions
* Results
Authentication Policies can:
- Accept only allowed protocols
- Route to the correct Identity Store
- Validate the Identity
- Pass the request to the Authorization Policy
Authorization Policies examine conditions in order to send an authorization result to the NAD.
IF conditions THEN AssignThesePermissions
Portals on the PSNs:
* Guest Web Portal
* Sponsor Web Portal
* Device Registration Portal
Know what each one does and its purpose.
Guest Time Profiles
Built-in: DefaultEightHours | DefaultFirstLoginEight | DefaultStartEnd
Custom: StartEnd | FromCreation | FromFirstLogin
Guest Sponsor Groups:
* SponsorAllAccounts
* SponsorGroupGrpAccounts
* SponsorGroupOwnAccounts
Know how to create a dACL on the ISE. There is some limited syntax checking, but it's not very reliable. Know that dACLs are not supported on WLCs. Instead, configure an Airespace ACL name and pre-position the ACL on the WLC.
High-Level Steps for ISE posture assessment (requires advanced license)
1. Configure global posture settings
2. Configure the posture agent and client provisioning settings
3. Configure posture conditions
4. Configure posture remediation
5. Configure posture requirements
6. Configure posture policies
7. Enable posture assessment in the network
Three major types of ISE Agents for posture assessment:
* NAC agent for Windows
* NAC agent for Macs
* NAC web agent
Know which remediation is supported for each agent.
Native supplicant provisioning only works with: Android | Mac OS X | Apple iOS | Microsoft Windows.
Know what EAP-chaining is and how it works.
Know BYOD onboarding and integration of ISE with MDM solutions.
Know management of devices in the MyDevices portal:
Registered Device Options:
* Lost
* Reinstate
* Delete
* Full Wipe
* Corporate Wipe
* PIN Lock