Cisco ISE BootCamp Powered by Colocvium

Uploaded by

stiteuf

Cisco Identity Services Engine BootCamp

About this BootCamp
We are thrilled to have you joining us for this exciting and
informative program.

We will cover a variety of topics related to Cisco ISE, including RADIUS, 802.1x,
Profiling, Posture, BYOD, TrustSec and TACACS+. Our expert instructor has
designed this course with your needs in mind, and we are confident that you will find
the material engaging, thought-provoking, and applicable to your personal and
professional development.

As a participant in this course, you will have the opportunity to connect with other
like-minded individuals, engage in lively discussions and gain valuable insight from
our experienced and knowledgeable instructor.

The content and structure are designed to deliver value to every participant,
regardless of your current level of knowledge of the presented topics.

The course is delivered as a mixture of presentations, live drawings, thoughtful
explanations and live hands-on configuration on the command-line interface of
network devices.

We are committed to providing a supportive and collaborative learning environment
that encourages growth, exploration, and innovation. We encourage you to come to
each session with an open mind and a willingness to participate.

About your Instructor
Cristian Matei is a veteran in the field of Network and Server System Infrastructure,
holding several expert and specialist level certifications from various vendors, most
notably CCIE Infrastructure and CCIE Security, #23684.

Aside from serving as a Subject Matter Expert throughout global large-scale network
deployments in enterprise, service provider and security domains, he has been
authoring and contributing to the development of expert-level books and workbooks.

His passion is knowledge sharing, which is why he is a constant, active contributor
on public learning forums and was designated by Cisco as a VIP and Trusted Technical
Advisor.

He’s been a Certified Cisco Systems Instructor, #31390 and has been delivering official
Cisco courses for the last 15 years, receiving a 4.7 customer satisfaction rating.

Constantly pursuing excellence, he has been mentoring, teaching and helping thousands
of students, including Cisco’s High Touch Engineering division, to grow their skills
and knowledge, advance their careers and achieve their CCIE certification.

COURSE CURRICULUM
MODULE 1
ISE Fundamentals:
- ISE VM Installation & Patching in KVM Environment
- Optional (VM Installation in AWS Environment)
- Optional (VM Installation in Azure Environment)
- Optional (VM Installation in GCP Environment)
- Optional (VM ZTP Installation in Cloud Environment)
- ISE Basic Configuration (NTP, Repositories, Backups)
- ISE Upgrade & Recovery

MODULE 2
PKI Fundamentals:
- PKI Standards
- PKI Architecture
- Digital Certificates Framework
- Certificates Lifetime & Expiration & Renewal
- Certificates Verification & Enforcement (CRL & OCSP)

MODULE 3
Directory Fundamentals:
- LDAP Standards (RFC2251, RFC2252, RFC2253, RFC2589, RFC2829, RFC2830)
- LDAP vs. Active Directory
- LDAP Architecture
- Active Directory Architecture

MODULE 4
ISE Integrations:
- ISE External CA Configuration
- ISE Active Directory Configuration (Single & Multi Domain, Single & Multi Forest)
- ISE Azure AD / Entra ID Configuration

MODULE 5
AAA Fundamentals:
- AAA Architecture
- Network Access vs. Device Administration
- RADIUS vs. TACACS+

MODULE 6
Network Access Deep Dive:
- RADIUS Framework (RFC2058, RFC2138, RFC2865)
- RADIUS Accounting Framework (RFC2059, RFC2139, RFC2866)
- RADIUS AAA Packet Structure & Messages
- RADIUS AVP (Attribute Value Pairs)
- RADIUS VSA (Vendor Specific Attributes) (RFC2548, RFC5904, RFC6218)
- RADIUS Security Extensions (RFC6613, RFC6614, RFC7360, RFC7930)
- RADIUS on ISE (Devices, Device Groups, Shared Secret Scheduled Change)
- RADIUS AAA Policies on ISE
- Monitor Mode - Open Mode
- Low Impact Mode
- Restricted Mode - Closed Mode
- RADIUS AAA Authorizations
- MAB
- Dynamic VLAN
- dACL and RADIUS Filter-ID Attribute (RFC4849)
- RADIUS Attributes for IEEE 802.1x (RFC7268, RFC3580)
- EAP Framework (RFC2284, RFC3748, RFC5247, RFC7057, RFC8940, RFC4017)
- RADIUS Support for EAP (RFC2869, RFC3579)
- EAP Methods
- EAP-PEAPv0 / EAP-PEAPv1 / EAP-PEAPv2
- PAP-CHAP (RFC1334, RFC1994)
- MSCHAPv1 (RFC2433) & MSCHAPv2 (RFC 2759)
- EAP-TLS (RFC2716, RFC5216)
- EAP-TTLS (RFC5281)
- EAP-FAST (RFC4851, RFC5421, RFC5422)
- EAP-TEAP (RFC7170)
- EAP-PSK (RFC4764)
- EAP-IKEv2 (RFC5106)
- Optional (EAP-PAX RFC4746)
- Optional (EAP-SIM RFC4186)
- Optional (EAP-AKA RFC4187)
- Optional (EAP-POTP RFC4793)
- PEAP (EAP-MSCHAPv2) with Native Supplicant & Cisco Secure Client
- PEAP (EAP-TLS) with Native Supplicant & Cisco Secure Client
- EAP-FAST & EAP Chaining with Cisco Secure Client
- TEAP & EAP Chaining with Native Supplicant
- Cisco Secure Client VPN Termination on FTD
- Optional (Cisco Secure Client VPN Termination on ASA)

MODULE 7
Guest Access Deep Dive:
- Guest Access Architecture
- Understanding Guest Flow
- RADIUS Change of Authorization (RFC3576, RFC5176, RFC8559)
- WLC Configuration For Guest Access
- Switch Configuration For Guest Access
- ISE Configuration For Guest Access
- Guest Access with Hotspot
- Guest Access with Sponsored Guest
- Guest Access with Self-Registration
- Guest Access with Social Login
- ISE Guest Access Advanced Features

MODULE 8
BYOD Deep Dive:
- BYOD Architecture
- Optional (MDM / EMM Overview)
- BYOD For Wired
- BYOD For Wireless via Single SSID
- BYOD For Wireless via Dual SSID
- Optional (Integration with MDM / EMM)
- Optional (BYOD for VPN Cisco Secure Client)

MODULE 9
Profiling Deep Dive:
- Profiling Architecture
- Profiling Probes Implementation and Policies:
- HTTP Probes
- DHCP Probes
- RADIUS Probes
- DNS Probes
- SNMP & Netflow Probes
- Device Sensor

MODULE 10
Posture Deep Dive:
- Posture Architecture
- Posture Implementation
- Updates
- Conditions
- Requirements
- Reassessments
- Remediations
- Posture Assessment For Wired
- Posture Assessment For Wireless
- Posture Assessment for VPN

MODULE 11
TrustSec Deep Dive (Optional):
- TrustSec/Group Policy Architecture
- SGT & SGACL
- SXP
- SAP (802.11i-2007)
- MACsec (IEEE 802.1AE-2018)
- WLC Configuration
- Switch Configuration
- ISE Configuration
- NGFW Configuration
- Dynamically Classify Endpoints with SGT via MAB
- Dynamically Classify Endpoints with SGT via 802.1x
- Dynamically Classify Endpoints with SGT via WebAuth
- Dynamically Classify Endpoints with SGT via VPN
- Statically Classify Traffic by VLAN or Subnet
- Statically Classify Traffic by L2 or L3 Interface
- Enforcement via SGACL & SGFW

MODULE 12
Device Administration Deep Dive:
- Evolution of TACACS to TACACS+ (RFC927, RFC1492, RFC8907)
- TACACS+ AAA Packet Structure & Messages
- TACACS+ AVP (Attribute Value Pairs)
- TACACS+ Cisco VSA (Vendor Specific Attributes)
- TACACS+ Single Connection & Security
- TACACS+ on ISE (Devices, Device Groups, Shared Secret Scheduled Change)
- TACACS+ AAA Implementation on ISE (Policy Sets, Command Sets)
- TACACS+ with ISE & Cisco IOS-XE
- Optional (TACACS+ with ISE & Cisco WLC)
- Optional (TACACS+ with ISE & Cisco IOS-XR)
- Optional (TACACS+ with ISE & Cisco NX-OS)
- Optional (TACACS+ with ISE & Cisco ASA)
- Optional (TACACS+ with ISE & Juniper JunOS)
- Optional (TACACS+ AAA with ISE & Palo Alto PAN-OS)
- Optional (TACACS+ AAA with ISE & Fortinet FortiOS)
- Optional (TACACS+ AAA with ISE & CheckPoint Gaia)

Thank you for choosing to participate in our course
Can’t wait to see you there!