CCNP Security SISAS 300-208 Official Cert Guide

Book Description

CCNP Security SISAS 300-208 Official Cert Guide from Cisco Press enables you to succeed on the exam the first time and is the only self-study resource approved by Cisco. Cisco security experts Aaron Woland and Kevin Redmon share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills.

This complete study package includes

  • A test-preparation routine proven to help you pass the exam

  • “Do I Know This Already?” quizzes, which enable you to decide how much time you need to spend on each section

  • The powerful Pearson IT Certification Practice Test software, complete with hundreds of well-reviewed, exam-realistic questions, customization options, and detailed performance reports

  • A final preparation chapter, which guides you through tools and resources to help you craft your review and test-taking strategies

  • Study plan suggestions and templates to help you organize and optimize your study time

    Well regarded for its level of detail, study plans, assessment features, challenging review questions and exercises, video instruction, and hands-on labs, this official study guide helps you master the concepts and techniques that ensure your exam success.

    Aaron T. Woland, CCIE No. 20113, is a Principal Engineer and works with the largest Cisco customers all over the world. His primary job responsibilities include Secure Access and Identity deployments with ISE, solution enhancements, standards development, and futures. Aaron is the author of Cisco ISE for BYOD and Secure Unified Access (Cisco Press) and many published white papers and design guides. He is one of the first six members of the Hall of Fame for Distinguished Speakers at Cisco Live, and is a security columnist for Network World, where he blogs on all things related to Identity.

    Kevin Redmon is a Systems Test Engineer with the Cisco IoT Vertical Solutions Group, specializing in all things security. Previously with the Cisco Systems Development Unit, Kevin supported several iterations of the Cisco Validated Design Guide for BYOD and is the author of Cisco Bring Your Own Device (BYOD) Networking Live Lessons (Cisco Press). Since joining Cisco in October 2000, he has worked closely with several Cisco design organizations, and as a Firewall/VPN Customer Support Engineer with the Cisco Technical Assistance Center (TAC). He holds several Cisco certifications and has an issued patent with the U.S. Patent and Trademark Office.

    The official study guide helps you master topics on the CCNP Security SISAS 300-208 exam, including the following:

  • Identity management/secure access

  • Threat defense

  • Troubleshooting, monitoring and reporting tools

  • Threat defense architectures

  • Identity management architectures

    The CD contains 150 practice questions for the exam and a study planner tool.

    Includes Exclusive Offer for 70% Off Premium Edition eBook and Practice Test

    Pearson IT Certification Practice Test minimum system requirements:

    Windows Vista (SP2), Windows 7, or Windows 8.1; Microsoft .NET Framework 4.5 Client; Pentium-class 1GHz processor (or equivalent); 512MB RAM; 650MB disk space plus 50MB for each downloaded practice exam; access to the Internet to register and download exam databases

    Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. About the Authors
    5. About the Technical Reviewers
    6. Dedications
    7. Acknowledgments
    8. Contents at a Glance
    9. Contents
    10. Icons
    11. Command Syntax Conventions
    12. Introduction
      1. Goals and Methods
      2. How This Book Is Organized
    13. Part I: The CCNP Certification
      1. Chapter 1. CCNP Security Certification
        1. CCNP Security Certification Overview
        2. Contents of the CCNP-Security SISAS Exam
        3. How to Take the SISAS Exam
        4. Who Should Take This Exam and Read This Book?
        5. Format of the CCNP-Security SISAS Exam
        6. CCNP-Security SISAS 300-208 Official Certification Guide
        7. Book Features and Exam Preparation Methods
    14. Part II: “The Triple A” (Authentication, Authorization, and Accounting)
      1. Chapter 2. Fundamentals of AAA
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Triple-A
          2. Compare and Select AAA Options
            1. Device Administration
            2. Network Access
          3. TACACS+
            1. TACACS+ Authentication Messages
          4. RADIUS
            1. AV-Pairs
            2. Change of Authorization
          5. Comparing RADIUS and TACACS+
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      2. Chapter 3. Identity Management
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. What Is an Identity?
          2. Identity Stores
            1. Internal Identity Stores
          3. External Identity Stores
            1. Active Directory
            2. LDAP
            3. Two-Factor Authentication
            4. One-Time Password Services
            5. Smart Cards
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      3. Chapter 4. EAP Over LAN (Also Known As 802.1X)
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Extensible Authentication Protocol
            1. EAP over LAN (802.1X)
            2. EAP Types
            3. Network Access Devices
            4. Supplicant Options
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      4. Chapter 5. Non-802.1X Authentications
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Devices Without a Supplicant
          2. MAC Authentication Bypass
          3. Web Authentication
            1. Local Web Authentication
            2. Local Web Authentication with a Centralized Portal
            3. Centralized Web Authentication
          4. Remote Access Connections
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      5. Chapter 6. Introduction to Advanced Concepts
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Change of Authorization
          2. Automating MAC Authentication Bypass
          3. Posture Assessments
          4. Mobile Device Managers
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
    15. Part III: Cisco Identity Services Engine
      1. Chapter 7. Cisco Identity Services Engine Architecture
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. What Is Cisco ISE?
          2. Personas
            1. Administration Node
            2. Policy Service Node
            3. Monitoring and Troubleshooting Node
            4. Inline Posture Node
          3. Physical or Virtual Appliance
          4. ISE Deployment Scenarios
            1. Single-Node Deployment
            2. Two-Node Deployment
            3. Four-Node Deployment
            4. Fully Distributed Deployment
            5. Communication Between Nodes
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      2. Chapter 8. A Guided Tour of the Cisco ISE Graphical User Interface
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Logging In to ISE
            1. Initial Login
            2. Administration Dashboard
            3. Administration Home Page
          2. Organization of the ISE GUI
            1. Operations
            2. Policy
            3. Administration
          3. Type of Policies in ISE
            1. Authentication
            2. Authorization
            3. Profiling
            4. Posture
            5. Client Provisioning
            6. Security Group Access
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      3. Chapter 9. Initial Configuration of Cisco ISE
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Cisco Identity Services Engine Form Factors
          2. Bootstrapping Cisco ISE
            1. Where Are Certificates Used with the Cisco Identity Services Engine?
          3. Network Devices
            1. Network Device Groups
            2. Network Access Devices
          4. Local User Identity Groups
          5. Local Endpoint Groups
          6. Local Users
          7. External Identity Stores
            1. Active Directory
            2. Certificate Authentication Profile
            3. Identity Source Sequences
        3. Exam Preparation Tasks
          1. Review All Key Topics
      4. Chapter 10. Authentication Policies
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. The Relationship Between Authentication and Authorization
          2. Authentication Policy
            1. Goals of an Authentication Policy
            2. Goal 1—Accept Only Allowed Protocols
            3. Goal 2—Select the Correct Identity Store
            4. Goal 3—Validate the Identity
            5. Goal 4—Pass the Request to the Authorization Policy
          3. Understanding Authentication Policies
            1. Conditions
            2. Allowed Protocols
            3. Identity Store
            4. Options
          4. Common Authentication Policy Examples
            1. Using the Wireless SSID
            2. Remote Access VPN
            3. Alternative ID Stores Based on EAP Type
          5. More on MAB
          6. Restore the Authentication Policy
        3. Exam Preparation Tasks
          1. Review All Key Topics
      5. Chapter 11. Authorization Policies
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Authentication Versus Authorization
          2. Authorization Policies
            1. Goals of Authorization Policies
            2. Authorization Policy Example
          3. Saving Conditions for Reuse
            1. Combining AND with OR Operators
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
    16. Part IV: Implementing Secure Network Access
      1. Chapter 12. Implement Wired and Wireless Authentication
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Authentication Configuration on Wired Switches
            1. Global Configuration AAA Commands
            2. Global Configuration RADIUS Commands
            3. Interface Configuration Settings for All Cisco Switches
          2. Authentication Configuration on WLCs
            1. Configuring the AAA Servers
            2. Creating the Dynamic Interfaces for the Client VLANs
            3. Creating the Wireless LANs
          3. Verifying Dot1X and MAB
            1. Endpoint Supplicant Verification
            2. Network Access Device Verification
            3. Cisco ISE Verification
          4. Live Sessions Log
          5. Looking Forward
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      2. Chapter 13. Web Authentication
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Web Authentication Scenarios
            1. Local Web Authentication
            2. Centralized Web Authentication
            3. Device Registration WebAuth
          2. Configuring Centralized Web Authentication
            1. Cisco Switch Configuration
            2. Cisco WLC Configuration
            3. Captive Portal Bypass
            4. Configuring ISE for Centralized Web Authentication
          3. Building CWA Authorization Policies
            1. Creating the Rule to Redirect to CWA
            2. Creating the Rules to Authorize Users Who Authenticate via CWA
          4. Configuring Device Registration Web Authentication
            1. Creating the Endpoint Identity Group
            2. Creating the DRW Portal
            3. Creating the Authorization Profile
            4. Creating the Rule to Redirect to DRW
            5. Creating the Rule to Authorize DRW-Registered Endpoints
          5. Verifying Centralized Web Authentication
            1. Checking the Experience from the Client
            2. Checking on ISE
            3. Checking the NAD
        3. Exam Preparation Tasks
          1. Review All Key Topics
      3. Chapter 14. Deploying Guest Services
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Guest Services Overview
            1. Guest Services and WebAuth
            2. Configuring the Web Portal Settings
            3. Configuring the Sponsor Portal Policies
            4. Managing Guest Portals
            5. Building Guest Authorization Policies
            6. Provisioning Guest Accounts from a Sponsor Portal
            7. Verifying Guest Access on the WLC/Switch
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      4. Chapter 15. Profiling
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. ISE Profiler
          2. Cisco ISE Probes
            1. Probe Configuration
          3. Infrastructure Configuration
            1. DHCP Helper
            2. SPAN Configuration
            3. VLAN Access Control Lists
            4. Device Sensor
            5. VMware Configurations to Allow Promiscuous Mode
          4. Profiling Policies
            1. Profiler Feed Service
            2. Endpoint Profile Policies
            3. Logical Profiles
          5. ISE Profiler and CoA
            1. Global CoA
            2. Per-profile CoA
            3. Global Profiler Settings
          6. Profiles in Authorization Policies
            1. Endpoint Identity Groups
            2. EndPointPolicy
          7. Verify Profiling
            1. The Dashboard
            2. Endpoint Identities
            3. Device Sensor Show Commands
        3. Exam Preparation Tasks
          1. Review All Key Topics
    17. Part V: Advanced Secure Network Access
      1. Chapter 16. Certificate-Based User Authentications
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Certificate Authentication Primer
            1. Determine Whether a Trusted Authority Has Signed the Digital Certificate
            2. Examine Both the Start and End Dates to Determine Whether the Certificate Has Expired
            3. Verify Whether the Certificate Has Been Revoked
            4. Validate That the Client Has Provided Proof of Possession
          2. A Common Misconception About Active Directory
          3. EAP-TLS
          4. Configuring ISE for Certificate-Based Authentications
            1. Validate Allowed Protocols
            2. Certificate Authentication Profile
            3. Verify That the Authentication Policy Is Using CAP
            4. Authorization Policies
            5. Ensuring the Client Certificates Are Trusted
          5. Verifying Certificate Authentications
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      2. Chapter 17. Bring Your Own Device
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. BYOD Challenges
          2. Onboarding Process
            1. BYOD Onboarding
          3. Configuring NADs for Onboarding
            1. Configuring the WLC for Dual-SSID Onboarding
          4. ISE Configuration for Onboarding
            1. The End User Experience
            2. Configuring ISE for Onboarding
          5. BYOD Onboarding Process Detailed
            1. iOS Onboarding Flow
            2. Android Flow
            3. Windows and Mac OSX Flow
          6. Verifying BYOD Flows
            1. Live Log
            2. Reports
            3. Identities
          7. MDM Onboarding
            1. Integration Points
            2. Configuring MDM Integration
            3. Configuring MDM Onboarding Rules
          8. Managing Endpoints
            1. Self Management
            2. Administrative Management
          9. The Opposite of BYOD: Identify Corporate Systems
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      3. Chapter 18. TrustSec and MACSec
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Ingress Access Control Challenges
            1. VLAN Assignment
            2. Ingress Access Control Lists
          2. What Is TrustSec?
          3. What Is a Security Group Tag?
          4. Defining the SGTs
          5. Classification
            1. Dynamically Assigning SGT via 802.1X
            2. Manually Assigning SGT at the Port
            3. Manually Binding IP Addresses to SGTs
            4. Access Layer Devices That Do Not Support SGTs
          6. Transport: Security Group Exchange Protocol
            1. SXP Design
            2. Configuring SXP on IOS Devices
            3. Configuring SXP on Wireless LAN Controllers
            4. Configuring SXP on Cisco ASA
            5. Verifying SXP Connections in ASDM
          7. Transport: Native Tagging
            1. Configuring Native SGT Propagation (Tagging)
            2. Configuring SGT Propagation on Cisco IOS Switches
            3. Configuring SGT Propagation on a Catalyst 6500
            4. Configuring SGT Propagation on a Nexus Series Switch
          8. Enforcement
            1. SGACL
            2. Security Group Firewalls
          9. MACSec
            1. Downlink MACSec
            2. Uplink MACSec
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      4. Chapter 19. Posture Assessment
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Posture Service Overview
          2. Posture Flow
          3. Agent Types
          4. Posture Conditions
          5. CoA with Posture
          6. Configuring Posture
            1. Downloading CPP Resources
            2. Client Provisioning Policy
            3. Posture Policy Building Blocks
            4. Modifying the Authorization Policy for CPP
            5. Modifying the Authorization Policy for Compliance
            6. Verifying Posture and Redirect
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
    18. Part VI: Safely Deploying in the Enterprise
      1. Chapter 20. Deploying Safely
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Why Use a Phased Approach?
          2. A Phased Approach
            1. Comparing Authentication Open to Standard 802.1X
            2. Preparing ISE for a Staged Deployment
            3. Monitor Mode
            4. Low-Impact Mode
            5. Closed Mode
          3. Transitioning from Monitor Mode to Your End State
          4. Wireless Networks
        3. Exam Preparation Tasks
          1. Review All Key Topics
      2. Chapter 21. ISE Scale and High Availability
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Configuring ISE Nodes in a Distributed Environment
          2. Making the First Node a Primary Device
          3. Registering an ISE Node to the Deployment
            1. Ensuring the Personas of All Nodes Are Accurate
          4. Licensing in a Multinode ISE Cube
          5. Understanding the HA Options Available
            1. Primary and Secondary Nodes
            2. Node Groups
          6. Using Load Balancers
            1. General Guidelines
            2. Failure Scenarios
          7. IOS Load Balancing
          8. Maintaining ISE Deployments
            1. Patching ISE
            2. Backup and Restore
        3. Exam Preparation Tasks
          1. Review All Key Topics
          2. Define Key Terms
      3. Chapter 22. Troubleshooting Tools
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Logging
            1. Live Log
            2. Live Sessions Log
            3. Logging and Remote Logging
            4. Debug Logs
          2. Diagnostics Tools
            1. Evaluate Configuration Validator
            2. RADIUS Authentication Troubleshooting Tool
            3. TCP Dump
            4. Ensuring Live Log Displays All Events (Bypassing Suppression)
          3. Troubleshooting Outside of ISE
            1. Endpoint Diagnostics
            2. Network Device Troubleshooting
        3. Exam Preparation Tasks
          1. Review All Key Topics
    19. Part VII: Final Preparation
      1. Chapter 23. Final Preparation
        1. Advice About the Exam Event
          1. Learning the Question Types Using the Cisco Certification Exam Tutorial
          2. Thinking About Your Time Budget Versus Number of Questions
          3. A Suggested Time-Check Method
          4. Miscellaneous Pre-Exam Suggestions
          5. Exam-Day Advice
        2. Exam Review
          1. Taking Practice Exams
            1. Practicing Taking the SISAS Exam
            2. Advice on How to Answer Exam Questions
            3. Taking Other Practice Exams
          2. Finding Knowledge Gaps Through Question Review
          3. Other Study Tasks
          4. Final Thoughts
    20. Part VIII: Appendixes
      1. Appendix A. Answers to the “Do I Know This Already?” Quizzes
        1. Chapter 2
        2. Chapter 3
        3. Chapter 4
        4. Chapter 5
        5. Chapter 6
        6. Chapter 7
        7. Chapter 8
        8. Chapter 9
        9. Chapter 10
        10. Chapter 11
        11. Chapter 12
        12. Chapter 13
        13. Chapter 14
        14. Chapter 15
        15. Chapter 16
        16. Chapter 17
        17. Chapter 18
        18. Chapter 19
        19. Chapter 20
        20. Chapter 21
        21. Chapter 22
      2. Appendix B. Configuring the Microsoft CA for BYOD
        1. CA Requirements
          1. Other Useful Information
          2. Microsoft Hotfixes
          3. AD Account Roles
        2. Configuration Steps
          1. Installing the CA
          2. Adding the Remaining Roles
          3. Configuring the Certificate Template
          4. Publishing the Certificate Template
          5. Editing the Registry
        3. Useful Links
      3. Appendix C. Using the Dogtag CA for BYOD
        1. What Is Dogtag, and Why Use It?
          1. Prerequisites
            1. Installing 32-bit Fedora 15
            2. Configuring Networking
            3. Note
          2. Installing Packages with yum
          3. Configuring Proxy (if Needed)
        2. Updating System Packages with yum
        3. Installing and Configuring the NTP Service
        4. Installing the LDAP Server
        5. Installing the PHP Services
        6. Installing and Configuring Dogtag
          1. Modifying the Firewall Rules (iptables)
          2. Creating a New CA Instance
            1. Note
          3. Enabling and Configuring SCEP
          4. Preparing Apache
        7. Configuring ISE to Use the New Dogtag CA
          1. Adding Dogtag to the SCEP RA Profiles
      4. Appendix D. Sample Switch Configurations
        1. Catalyst 2960/3560/3750 Series, 12.2(55)SE
        2. Catalyst 3560/3750 Series, 15.0(2)SE
        3. Catalyst 4500 Series, IOS-XE 3.3.0/15.1(1)SG
        4. Catalyst 6500 Series, 12.2(33)SXJ
    21. Glossary
    22. Index
    23. Code Snippets