book

Cisco ISE for BYOD and Secure Unified Access

Name: Cisco ISE for BYOD and Secure Unified Access
ISBN: 9780133103632

by Jamey Heary, Aaron Woland

June 2013

Intermediate to advanced

752 pages

17h 59m

English

Cisco Press

Read now

Unlock full access

About This eBook
Title Page
Copyright Page
About the Authors
About the Technical Reviewers
Dedications
Acknowledgments
Contents at a Glance
Contents
Command Syntax Conventions

Introduction
Objectives of This BookWho Should Read This Book?How This Book Is Organized
Section I: The Evolution of Identity Enabled Networks
Chapter 1. Regain Control of Your IT Security
Security: A Weakest-Link Problem with Ever More LinksCisco Identity Services EngineSummary
Chapter 2. Introducing Cisco Identity Services Engine
Systems Approach to Centralized Network Security PolicyWhat Is the Cisco Identity Services Engine?ISE Authorization RulesSummary
Section II: The Blueprint, Designing an ISE Enabled Network
Chapter 3. The Building Blocks in an Identity Services Engine Design
ISE Solution Components ExplainedISE PersonasISE Licensing, Requirements, and PerformanceISE Policy-Based Structure ExplainedSummary
Chapter 4. Making Sense of All the ISE Deployment Design Options
Centralized Versus Distributed DeploymentSummary
Chapter 5. Following a Phased Deployment
Why Use a Phased Deployment Approach?Monitor ModeChoosing Your End-State ModeTransitioning from Monitor Mode into an End-State ModeSummary
Section III: The Foundation, Building a Context-Aware Security Policy
Chapter 6. Building a Cisco ISE Network Access Security Policy
What Makes Up a Cisco ISE Network Access Security Policy?Involving the Right People in the Creation of the Network Access Security PolicyDetermining the High-Level Goals for Network Access SecurityCommon High-Level Network Access Security GoalsDefining the Security DomainsUnderstanding and Defining ISE Authorization RulesEstablishing Acceptable Use PoliciesDefining Network Access PrivilegesSummary
Chapter 7. Building a Device Security Policy
Host Security Posture Assessment Rules to ConsiderISE Device ProfilingSummary
Chapter 8. Building an ISE Accounting and Auditing Policy
Why You Need Accounting and Auditing for ISEUsing PCI DSS as Your ISE Auditing FrameworkCisco ISE User AccountingSummary
Section IV: Configuration
Chapter 9. The Basics: Principal Configuration Tasks for Cisco ISE
Bootstrapping Cisco ISEUsing the Cisco ISE Setup Assistant WizardConfiguring Network Devices for ISECompleting the Basic ISE SetupInstalling ISE Behind a FirewallRole-Based Access Control for AdministratorsSummary
Chapter 10. Profiling Basics
Understanding Profiling ConceptsExamining Profiling PoliciesUsing Profiles in Authorization PoliciesFeed ServiceSummary
Chapter 11. Bootstrapping Network Access Devices
Bootstrap WizardCisco Catalyst SwitchesCisco Wireless LAN ControllersSummary
Chapter 12. Authorization Policy Elements
Authorization ResultsSummary
Chapter 13. Authentication and Authorization Policies
Relationship Between Authentication and AuthorizationAuthentication PoliciesUnderstanding Authentication PoliciesAuthorization PoliciesSaving Attributes for Re-UseSummary
Chapter 14. Guest Lifecycle Management
Guest Portal ConfigurationGuest Sponsor ConfigurationAuthentication and Authorization Guest PoliciesGuest Sponsor Portal ConfigurationGuest Sponsor Portal UsageConfiguration of Network Devices for Guest CWASummary
Chapter 15. Device Posture Assessment
ISE Posture Assessment FlowConfigure Global Posture and Client Provisioning SettingsConfigure the NAC Agent and NAC Client Provisioning SettingsConfigure Posture ConditionsConfigure Posture RemediationConfigure Posture RequirementsConfigure Posture PolicyEnabling Posture Assessment in the NetworkSummary
Chapter 16. Supplicant Configuration
Comparison of Popular SupplicantsConfiguring Common SupplicantsSummary
Chapter 17. BYOD: Self-Service Onboarding and Registration
BYOD ChallengesOnboarding ProcessManaging EndpointsThe Opposite of BYOD: Identify Corporate SystemsSummary
Chapter 18. Setting Up a Distributed Deployment
Configuring ISE Nodes in a Distributed EnvironmentUnderstanding the HA Options AvailableNode GroupsUsing Load BalancersSummary
Chapter 19. Inline Posture Node
Use Cases for the Inline Posture NodeSummary
Section V: Deployment Best Practices
Chapter 20. Deployment Phases
Why Use a Phased Approach?Monitor ModeLow-Impact ModeClosed ModeTransitioning from Monitor Mode to Your End StateWireless NetworksSummary
Chapter 21. Monitor Mode
Endpoint DiscoveryUsing Monitoring to Identify Misconfigured DevicesSummary
Chapter 22. Low-Impact Mode
Transitioning from Monitor Mode to Low-Impact ModeConfiguring ISE for Low-Impact ModeMonitoring in Low-Impact ModeTightening SecuritySummary
Chapter 23. Closed Mode
Transitioning from Monitor Mode to Closed ModeConfiguring ISE for Closed ModeMonitoring in Closed ModeTightening SecuritySummary
Section VI: Advanced Secure Unified Access Features
Chapter 24. Advanced Profiling Configuration
Creating Custom Profiles for Unknown EndpointsAdvanced NetFlow Probe ConfigurationProfiler COA and ExceptionsProfiler Monitoring and ReportingSummary
Chapter 25. Security Group Access
Ingress Access Control ChallengesWhat Is Security Group Access?Transport: Security Group eXchange Protocol (SXP)Transport: Native TaggingEnforcementSummary
Chapter 26. MACSec and NDAC
MACSecNetwork Device Admission ControlSummary
Chapter 27. Network Edge Authentication Topology
NEAT ExplainedConfiguring NEATSummary
Section VII: Monitoring, Maintenance, and Troubleshooting
Chapter 28. Understanding Monitoring and Alerting
ISE MonitoringISE ReportingISE AlarmsSummary
Chapter 29. Troubleshooting
Diagnostics ToolsTroubleshooting MethodologyCommon Error Messages and AlarmsISE Node CommunicationSummary
Chapter 30. Backup, Patching, and Upgrading
RepositoriesBackupRestoreSummary
Appendix A. Sample User Community Deployment Messaging Material
Sample Identity Services Engine Requirement Change Notification EmailSample Identity Services Engine Notice for a Bulletin Board or PosterSample Identity Services Engine Letter to Students
Appendix B. Sample ISE Deployment Questionnaire
Appendix C. Configuring the Microsoft CA for BYOD
CA RequirementsOther Useful InformationMicrosoft HotfixesAD Account RolesConfiguration StepsConfigure the Certificate TemplateUseful Links
Appendix D. Using a Cisco IOS Certificate Authority for BYOD Onboarding
Set Hostname, Domain Name, and HTTP ServerGenerate and Export the RSA Key Pair for the Certificate ServerConfigure the CA Server on the RouterImportant Notes
Appendix E. Sample Switch Configurations
Catalyst 3000 Series, 12.2(55)SECatalyst 3000 Series, 15.0(2)SECatalyst 4500 Series, IOS-XE 3.3.0 / 15.1(1)SGCatalyst 6500 Series, 12.2(33)SXJ
Index

Content preview from Cisco ISE for BYOD and Secure Unified Access

Chapter 6. Building a Cisco ISE Network Access Security Policy

In order for any network-centric security solution to be successful, a solid network access security policy (NASP) must first be employed. Once a policy is in place, ISE will enforce the policy network wide. A network access security policy defines, in as much detail as is practical, the type of network access that will be given to users and device types. Because network and device security threats are constantly changing, a network access security policy must also be a living, changeable document. This book does not attempt to assemble an all-encompassing network access security policy; instead, it focuses on showing you how to build policies that are relevant to the Cisco ISE solution. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cisco ISE for BYOD and Secure Unified Access, 2nd Edition

Publisher Resources

ISBN: 9780133103632Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cisco ISE for BYOD and Secure Unified Access

by Jamey Heary, Aaron Woland

Chapter 6. Building a Cisco ISE Network Access Security Policy

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.