Pass Cisco SISE 300-715 Exam in First Attempt Easily
- Premium File: 319 Questions & Answers (Last Update: Oct 5, 2024)
- Training Course: 73 Lectures
- Study Guide: 1897 Pages
Introducing Cisco ISE Architecture and Deployment
1. Using Cisco ISE as a Network Access Policy Engine
As corporate networks have evolved in recent years, IT departments have had to adapt to security challenges that never existed before. Back in the 1980s, to access data, the terminal on your desk had to be hardwired into the mainframe. The only other way to access secure information was to use a phone modem, and even then you still had to have a username and password, which were centrally controlled. The only problem back then was to ensure that the usernames and passwords were not compromised. Compare that to today's security challenges created by the new era of digitization. More organisations are accepting the bring your own device (BYOD) practice as a normal way of doing business in order to make employees more productive. The Internet of Things, or IoT, promises to gather and store huge amounts of data from thousands of endpoints and provide real-time analysis. This, coupled with wireless access, virtualization of services, and more organisations moving resources to the cloud, creates a security nightmare. It seems almost impossible to keep track of the enormous number of devices used to connect to the network and still provide secure access. This is where the Cisco Identity Services Engine, or Cisco ISE, provides a centralised network access control and policy enforcement solution. Cisco ISE provides secure network access control for users and devices. It gives visibility into everything that occurs on the network: who is connecting, what devices are being used, where they are connecting from, what time of day it is, and how they are connecting, such as via wired, wireless, or VPN. Cisco ISE supports Cisco TrustSec policy to implement software-defined segmentation in the network, which helps to quickly detect and mitigate threats. Cisco ISE also uses the Cisco Platform Exchange Grid, or pxGrid, technology to share data with over 50 integrated technology partner solutions.
This way, multiple security products can work together to contain threats quickly and efficiently. The Network Access Device, or NAD, is the point of access where users and devices connect to the network. This can be a wireless connection to an access point, a direct wired connection to a LAN switch, or access through a VPN tunnel via a firewall. This makes the NAD the key policy enforcement point for the Cisco ISE security solution. When using RADIUS for authentication, Cisco ISE acts as the RADIUS server and the NAD is the RADIUS client. The NAD forwards the access request from the connecting device to Cisco ISE, which can use a local database for authentication or a back-end service such as Microsoft Active Directory or LDAP. When users and devices connect, there are different mechanisms that can be used. Corporate users typically authenticate using the IEEE 802.1X protocol. Guest users can use the WebAuth mechanism to authenticate, and network devices like printers can use MAC Authentication Bypass, or MAB, to gain access. Regardless of the mechanism used, in addition to authenticating the request for access, Cisco ISE can also provide access control for the device. This includes mapping traffic to a specific VLAN, using a dynamic or named access list to restrict access, or deploying a security group access (SGA) solution to establish a cloud of trusted network devices. Using Cisco ISE as the network access policy engine simplifies the delivery of consistent and highly secure control across wired, wireless, and VPN connections.
2. Describing Cisco ISE Functions
Let's take a look at some functions available with the Cisco Identity Services Engine, or Cisco ISE. We'll start off by examining the two supported protocols for authentication, authorization, and accounting, or AAA. AAA is basically used to authenticate users, authorise what they can do when connected, and keep an accounting of what they're doing. The first AAA protocol is RADIUS, which is a distributed client-server solution designed to block unauthorised access to the network. The RADIUS client process runs on Cisco devices, which are designated as network access devices, or NADs. When a user or device attempts to access the network, the NAD challenges the device and sends the authentication request to the RADIUS server running on Cisco ISE, which in turn references an internal or external database. When the client successfully authenticates, network access is granted to the client. There are three mechanisms that can be used when clients connect to the network: 802.1X, MAC Authentication Bypass (MAB), and Web authentication (WebAuth). 802.1X is the strongest method and should be used where possible. However, administrators can configure MAB and WebAuth as fallback mechanisms if the type of client to be connected is unknown. For example, a device can be configured so that if 802.1X authentication times out, MAB can be used to authenticate. If MAB authentication fails, then WebAuth can be used. Let's take a closer look at each mechanism. First, 802.1X is a client-server-based access control and authentication protocol designed to restrict unauthorised clients from connecting to publicly accessible LAN ports. This can be a wired, wireless, or VPN connection. A client, or supplicant, connects to an agent, or authenticator, that challenges and forwards the access request to an authentication server, which must validate the client's request before any services are offered on the LAN.
Next, MAB is used to authenticate the MAC addresses of endpoints that do not have the ability to perform 802.1X, such as printers. In order to use MAB, a centralised database of MAC addresses for all trusted endpoints in the network must be created and maintained. When an endpoint is connected, the NAD examines a single packet to learn the source MAC address and validate it as a defined trusted device. Once the MAB authentication process has succeeded, the endpoint identity is known, and all subsequent traffic from that MAC address is allowed. Lastly, WebAuth is a layer-three authentication mechanism that works with any client running a browser. This makes it easier for contractors, vendors, and others with unmanaged devices to gain access to the network without having to install any special software. For example, a guest portal could be configured for people who wish to use the company's network to gain access to the Internet or even access certain resources and services provided on the network. Moving on, the second AAA protocol supported by Cisco ISE is TACACS+, which is typically used for device administrators who must access network devices. When connecting to a network device, the administrator can use SSH, Telnet, HTTP, HTTPS, or a direct serial port connection. When a network device is configured for TACACS+, a username and password are requested, and the device queries the Cisco ISE server with the credentials provided, which in turn references an internal or external database to authenticate the device administrator. After a session has been established, only the authorized commands can be issued, and the activity can be logged by the accounting feature. A quick comparison of the two AAA protocols reveals that RADIUS uses UDP while TACACS+ uses TCP. RADIUS encrypts the password only, while TACACS+ encrypts the entire body of the packet, leaving only the TACACS+ header in the clear.
And RADIUS combines authentication with authorization, while TACACS+ follows the AAA architecture by separating all three AAA functions.
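The comparison above (RADIUS hides only the password; every other attribute in an Access-Request is readable by anyone on the path) is easiest to see by building the packet by hand. The following Python is an added example, not part of the course and not Cisco's code; it implements the RFC 2865 User-Password hiding and a MAB-style Access-Request, where a Cisco switch sends the endpoint MAC as both username and password. The shared secret, NAS address, MAC address and Request Authenticator are constructed values.

```python
"""RFC 2865 User-Password hiding and a minimal RADIUS Access-Request encoder.

Added example (not from the course or from Cisco). The shared secret, NAS
address, MAC address and Request Authenticator used below are constructed.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate User-Password as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte chunk is
    XORed with MD5(secret + previous ciphertext chunk), the first "previous
    chunk" being the 16-byte Request Authenticator from the packet header.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: only a holder of the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")  # drop the NUL padding the sender added


def _attr(code: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: 1-byte type, 1-byte length (header included), value.
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, nas_ip: str,
                         secret: bytes, identifier: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Encode a PAP-style Access-Request such as a NAD sends for MAB, where
    Cisco switches use the endpoint MAC address as both username and password."""
    authenticator = authenticator or os.urandom(16)  # random per RFC 2865
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def visible_attributes(packet: bytes) -> Dict[int, bytes]:
    """What anyone on the path reads without the shared secret: every attribute
    value is in the clear except the hidden User-Password."""
    seen, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        seen[code] = packet[pos + 2:pos + length]
        pos += length
    return seen


if __name__ == "__main__":
    secret, auth = b"lab-shared-secret", bytes(range(16))
    mac = b"00112233aabb"  # constructed MAB identity
    vis = visible_attributes(build_access_request(mac, mac, "10.1.100.1", secret, 7, auth))
    print("User-Name in clear:", vis[ATTR_USER_NAME])
    print("User-Password hidden:", vis[ATTR_USER_PASSWORD].hex())
    print("Recovered with secret:", reveal_password(vis[ATTR_USER_PASSWORD], secret, auth))
```

Note that the hiding depends only on the shared secret and a per-request authenticator, which is why the lecture's point holds: the username, NAS address and every other attribute travel in the clear, and the password is only as protected as the shared secret.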
3. Describing Cisco ISE Functions 2
Let's look at some more Cisco ISE functions. First of all, Cisco ISE provides the ability to implement posture compliance. This means that it is possible to validate and maintain a level of security for any client that attempts to access the network. This is done by employing posture policies to make sure that the connecting client has the security updates or any required applications installed. If a device meets the requirements of the organization, further access can be granted with a Change of Authorization, or CoA, message. If devices are noncompliant, they can be forced to remediate the issues before access is granted. Posture compliance can also be integrated with mobile device management, or MDM, servers to manage mobile devices. When integrated, Cisco ISE can retrieve the policies from the MDM server and then enforce those policies when users register their devices. If the Cisco ISE device policy requires MDM and the mobile device is not compliant, then the user is redirected to the MDM onboarding portal. Next, the profiling service in Cisco ISE is used to identify devices that connect to the network, along with their location, based on key characteristics. The devices are profiled using endpoint type profiling policies defined in Cisco ISE; granular permissions can be granted according to the results of this evaluation, determining what a user can do based on the device being used to access the network. Self-service device onboarding makes it easier for an organization supporting BYOD to let employees manage their own devices according to the business policies defined by the IT administrators. By using a self-registration portal, employees can get their devices onto the network without requiring IT assistance. They also have the ability to blacklist and wipe lost or stolen devices and then reinstate them if found. Guest management can be controlled using portals as well.
For example, a sponsor portal allows sponsors to create temporary accounts for guests, visitors, contractors, or customers to gain HTTP or HTTPS access to the network. It's also possible for guests visiting the company to gain limited access to the network on their own using a guest portal, if one is provided. Finally, the Cisco ISE home page, also known as the Dashboard, is the landing page that provides a centralized interface to perform administration tasks as well as display real-time monitoring and troubleshooting data. The navigation tabs and menus at the top of the window provide point-and-click access to all of the other administration features. This interface is designed to make it easier to access the information needed to make critical decisions in a timely fashion.
4. Lab Demo Overview of the SISE Lab Environment
In this recording, I'll be providing an overview of the lab environment. I'll be utilising it throughout the series that goes over the labs accomplished within Cisco's SISE class, Implementing and Configuring the Cisco Identity Services Engine. The SISE class and its associated hands-on labs cover the principal capabilities of ISE, including its functions as a RADIUS server and its ability to integrate with network access devices to provide port-level authentication over 802.1X and MAB. It also provides a demonstration of centralised web authentication capabilities and demonstrates its ability to integrate with identity sources such as Active Directory and LDAP, among other things. The class also covers principal features of ISE, including guest access services, the ISE profiler, BYOD (Bring Your Own Device), compliance, also known as posture, and device administration over TACACS+, with ISE acting as a TACACS+ server. As we're looking at the lab diagram here, we can see in the centre a switch labelled "3K-Access". The switch itself is providing multiple functions within the lab, including routing and segmentation, as we can easily see here, and ultimately we'll utilise it as a wired network access device, a RADIUS client in conjunction with ISE, and it will provide the platform to demonstrate all wired endpoint access within the lab, primarily the PCs that we see listed there. Over to the right here, we see ISE-1 as a single node. It's initially set up in a standalone deployment, but we'll break that up into pieces so we can check out the modular capabilities of ISE. It's running the latest version, ISE 2.6, and is currently licensed in demo mode, which allows a demonstration of all the principal features of ISE.
Then, mainly to the right there, we see AD1, which will provide our Active Directory integration. AD1 will be an Active Directory join point for ISE, and we'll be able to authenticate using the user objects and groups within Active Directory and demonstrate those capabilities. As part of the overall integration, the AD server also provides basic functions for the lab itself, such as DNS and DHCP, so it is multipurpose. Then down here, lower left, we see the wireless environment: a virtualized WLAN controller and a physical access point providing a wireless network access device. Again, from the perspective of ISE, the WLC will be a RADIUS peer and will provide all the wireless access for testing wireless endpoints, principally the iPad that we see over on the far right there. And then, mainly to the right of the WLAN controller, there's a guest PC. The guest PC is just as it says, indicating and providing demonstrations for guest-type access. The principal thing that makes it different from the other PCs is that it is not a domain member. Then, as we get more into the interior of the environment, we see that the Corp PC is a domain member, and we'll be demonstrating all the port-level authentication capabilities using the Windows native 802.1X supplicant and demonstrating how Active Directory, in conjunction with ISE, provides endpoint-level services and authorization. Our principal device that we'll be working with is labelled the Admin PC. It is not a domain member, but it is used as a jump box to provide browser-based and SSH-based administration for the devices in the lab, as well as a physical USB connection to a physical iPad in the environment. The iPad will be our wireless endpoint and will demonstrate the capabilities of doing many of the labs on a wireless tablet-based device.
5. Lab Demo Access the SISE Lab and Install ISE
Hello. In this recording, I'll be providing a demonstration of the initial setup dialogue that's performed with a new install of any ISE node. That would be true of a node that's appliance- or VM-based, and of course true of a brand new deployment or a node that's going to be integrated into an existing ISE deployment. Ultimately, the setup dialogue requires setting up network access information on the GigabitEthernet 0 interface. The G0 interface and its IP are used as the node management interface, ultimately required for inter-node communication in a larger deployment, regardless of which other interfaces may ultimately be active on this node later on. And of course, on the node that's representing the PAN, or Policy Administration Node, this will be the IP address that we'll use for GUI-based management. As we're looking here, we see the setup dialogue. Of course, this is only viewable by virtue of being able to access the node's console interface, whether that's the serial console or the VM-based console. The node is aware that no installation has been performed at this point, so it's prompting us to type "setup" to configure the appliance. It's not immediately clear whether they want us to use setup as the login name. So we'll start that process. The first step is to enter the host name or the node name. This will ultimately be applied as an FQDN with the completed script. Then the IP address will be used for management within our lab environment. Notice that we can enter Ctrl-C to start the script over again in the event of a typo. Also notice the support for IPv6, which will not be demonstrated in this lab environment. The DNS server that we're utilising here is also our Active Directory domain controller. And then a quick note about time sync: it's pretty important in anticipation of a larger deployment, and certainly in anticipation of integration with Active Directory.
So in this case, our lab NTP server is also our domain controller. And then a quick note about time zones. The default time zone, of course, is UTC, or GMT. It is generally recommended that this be the time zone utilised, in anticipation of a larger deployment, so that there is a basic, consistent reference across the board; reports and so on can always be run using your local time zone. And then, of course, for this node we will want to activate SSH. That might be a discussion you would not want to have, based on where the node is ultimately going to be deployed and what management is required. A node that will ultimately be acting as a PSN, or Policy Service Node, only may not need SSH-type access. Of course, this node will serve as our PAN and multi-persona node, so we want SSH here. And then the username that we're creating, admin, is the default name. Ultimately, through this setup dialogue, two representations of admin will be created, one for the command line and one for the GUI. This operates very similarly to some of Cisco's other products; in Cisco Call Manager, for example, there's a CLI user and a GUI-based user that have the same name. So we're creating that here. We're seeing the first steps of the setup dialogue performed, doing a quick test of the network interface and some other verifications to verify that it can reach the gateway. Ultimately, this setup dialogue will run through initialising the install process, including database setup and installation. The overall setup process, which we won't record the entirety of here, takes approximately 40 to 45 minutes to accomplish before we can begin GUI-based management.
6. Verify ISE Setup Using CLI
Hello. In this recording, we'll be using the command line interface on ISE to verify the results of running through the initial setup dialogue as part of a new ISE installation. These commands allow us to check the status of an ISE node after installation, or as part of troubleshooting. To access the command line, rather than the console, this time we'll use SSH, which will allow us to verify network communication as well. We'll open a session on our Admin PC, which has been set up with PuTTY as an SSH client and pre-arranged with bookmarks. We'll double-check the IP address in place for ISE to verify it matches what we used in the setup dialogue, then open a session, which prompts for credentials. Verifying network communication and providing the credentials used as part of the script, with the credentials correctly provided, we get some status information from ISE about failed login attempts, as well as when and where those failed login attempts may have occurred. You'll notice the prompt looks very similar to an IOS command line. In fact, the general behaviour is very similar to Cisco's IOS command line, including abbreviations and what have you. Here we want to check the status of ISE itself, so we can issue a show command, which can be abbreviated, and a tab can be applied there to fill out the full keyword if needed. We're doing a "show application status", and you'll notice that the application name is tied to a particular operating system keyword. This varies based on the application involved. In this case, we have to know the application name, which is ise. It takes just a few moments to run through the list of services, and then we see the list of services come back with a little warning there at the bottom relating to our lab-based setup. The service that we're focused on is the application server; ISE is the application, of course.
The application server running means that we've got good communication, and if we're looking at a PAN, or Policy Administration Node, this means we can also access the GUI. Until the application server is running, we won't be able to access the GUI, but we would be able to access the node via the command-line interface. In addition, based on the information we provided in the script, let's check the status of NTP, and we see a good current time source, synchronised at a stratum level, so that's good, and we've got good reachability to the NTP server. We could also run some ping commands, but instead let's verify that we've got good DNS information with the nslookup command. We'll look up the node name itself and get good resolution and results back, and then, as required for a good ISE deployment, let's do a check against the reverse lookup records, or PTR records. And yes, we see a couple of PTR records for that IP, one that we'll use in subsequent labs, but the one for ISE is the one that we're focused on right now. So that's a quick look at the command line, with a very similar look and feel to the IOS command line interface, which is helpful. The show run output and the configuration of interfaces operate in a very similar fashion, with static routes and the like, and we've got a good running installation to be able to move forward with.
7. Initial GUI Login and Familiarization
In this session, we'll be doing our first login to the administrative GUI on our new ISE node and then spending a few moments getting familiar with the capabilities of that administrative GUI. Okay, let's go ahead and open this here on the Admin PC. The Admin PC in the lab has been preset with bookmarks to make life a little easier. Click on ISE-1 and we get a warning immediately regarding a security issue. If we click on "Advanced", we see this is due to the self-signed certificate that is created at install for ISE. This is something that we'll work through in terms of trust issues in a subsequent session. For now, we'll accept the risk and continue, and we'll get prompted for credentials again. Let's get the case correct there. Although this is an identically named account to the one that was created for the command line operations, this is a separate account for GUI administration. With this being the first access to the GUI, we get some reminders from Cisco. This one is regarding Smart Call Home telemetry, letting us know that Cisco is collecting information about our usage. This is something that we can choose to opt out of later on if we want. Then, clicking Next here, we get a licence warning. The ISE node that we've got in this lab environment is set up with a 90-day evaluation license, and we can see that all of these are potentially expiring within the next 89 or 90 days. We'll accept that warning and close out. That should be the last time we see those warnings, and then, by default, as we arrive here in ISE, the first screen that we're looking at is the Home tab. Within the Home tab, we can see some general helpful summary information on the top and then, down below, dashlets, or widgets if you wish, applied to the Home tab, and we can modify and add to these dashboards if we wish.
The Home tab is currently pretty empty because we have just set up our ISE node and haven't had any communications with an endpoint; endpoints interacting with our ISE will appear here. Up until the point where we get network devices established and authenticating on behalf of endpoints, the screen will remain pretty empty. I'm going to hide this little box here for the wireless setup and visibility so we can see the gear icon behind it. With the gear icon, we can add a new dashboard and also modify this existing dashboard by adding dashlets to it. By adding a new dashboard, we've got multiple options. In addition to the gear icon, we can also use this plus symbol to create a quick temporary dashboard, and then as we create that new dashboard, we can add dashlets to it and they will show up for us. And you can see our own purpose-built dashboard for our purposes. Again, we can add to this dashboard, rename it, export it, and modify how the layout works within the dashboard itself and how widgets and dashlets align within the dashboard. We can remove this temporary dashboard by clicking on the little "X" there. While we're in here, let's take a look through these top-level menu options. There's Context Visibility, with Endpoints. We've got different context visibility options for users, network devices, and applications. Endpoints gives us a quick view of the operating endpoints within our environment, the type of operating systems they have, the ones that are active and inactive, and the network devices that they've been interacting with. We can customise these dashboards too. Then there's the Operations tab. We'll spend a lot of time looking at things like live logs and live sessions, and there are separate live logs for TACACS+ operations. This is also where we would do troubleshooting with troubleshooting tools and run reports.
And then there's the Policy tab, which contains the configuration area for policy sets, which contain our authentication and authorization policy for RADIUS; there's a separate policy area for TACACS+ device administration. You can also configure a posture, or health compliance, policy. Policy elements are the components that make up different parts of the policy, so dictionaries, conditions, authorization profiles, et cetera. There is a distinct policy for the profiler, so it can determine which devices are which by virtue of the profiling policy that's in there, and then, as an optional component that we'll see applied later on, client provisioning policy, which applies installation packages to particular endpoints. Client provisioning allows us to define which groups and which devices run which applications. And then there's the Administration tab, where we can control system elements, identity management (internal and external identity sources), network resources (network access devices), portal management, pxGrid and Feed Services (such as the feed needed for profiling), and then configuration areas for third-party vendors and Threat-Centric NAC. We've just finished doing our initial login to the administrative side. Lots of work has been done in this user interface to try and provide quick and easy-to-use details. Notice that one aspect of the new and recent additions in version 2 is that we've got these quick search boxes, which are very helpful. You can type in just a few characters, and case doesn't matter, to find elements within these boxes. These views show up on virtually all the screens that we're looking at. So lots of work has been done to make this easier to use: to drill down, find additional details, and search for that thing you might be looking for in terms of identifying problems or potential issues.