Network Access Control with Cisco ISE

IEEE 802.1X, Guest Access and Trust Sec

Due to the increasingly dynamic nature of end devices and users, LAN and WLAN networks can no longer be considered sufficiently secure on their own. Additional measures are required to control access to them (Network Access Control, NAC) and to segment the networks based on context. The Cisco ISE enables administrators to decide centrally who (authentication) is assigned which rights (authorization) under which conditions (context).

Authentication in LAN/WLAN environments can be carried out via MAB (MAC Authentication Bypass) or IEEE 802.1X, but also via WebAuth. The latter plays a particularly important role in connection with guest access and BYOD.

A wide range of rights can be assigned to users via RADIUS. Communication can be controlled via static or dynamic access lists, for example. Segmentation can be carried out via VLANs or SGTs. In the latter case, the ISE works closely with the Cisco DNA Center.

In addition to the Cisco ISE, this course also covers the surrounding components it depends on, such as an Active Directory and a Microsoft PKI. The possibilities of profiling and posture assessment for further control are presented.

Course Contents

  • Insight into IEEE 802.1X, components and protocols
  • Insight into different EAP methods (PEAP, EAP-TLS etc.)
  • Password and certificate-based authentication
  • Overview of the Identity Service Engine
  • Licensing and smart licensing
  • Installation and basic configuration of an ISE
  • Node types in ISE deployments
  • NAC configuration of LAN and WLAN components (IEEE 802.1X, MAB and WebAuth)
  • Possibilities of guest access in the network
  • Policy-based control on the ISE
  • Authentication and authorization rules
  • Background to the use of SGTs
  • Profiling and posture assessment
  • Bring Your Own Device (BYOD)

The detailed digital documentation package, consisting of an e-book and PDF, is included in the price of the course.

Premium Course Documents

In addition to the digital documentation package, the exclusive Premium Print Package is also available to you.

  • High-quality color prints of the ExperTeach documentation
  • Exclusive folder in an elegant design
  • Document pouch in backpack shape
  • Elegant LAMY ballpoint pen
  • Practical notepad
The Premium Print Package can be added during the ordering process for € 200,- plus VAT (only for classroom participation).

Target Group

The course is intended for those who want to use the Cisco ISE and need know-how for the implementation and operation of NAC solutions.

Knowledge Prerequisites

In addition to basic network and IP knowledge, you should have a basic understanding of operating a Cisco network. Background knowledge of RADIUS and 802.1X is advantageous; it can be acquired in the course Security with 802.1X - Security for LAN and WLAN.

1 Network Access, IEEE 802.1X and AAA
1.1 Network Access Control at a Glance
1.2 Background on IEEE 802.1X
1.2.1 EAP Methods
1.2.2 RADIUS – EAP and Other Attributes
1.3 Setting up the Authenticator
1.3.1 Switches as Network Access Devices
1.3.2 Configuration in the WLAN
1.4 The Supplicant as Client
1.4.1 AnyConnect NAM
1.4.2 Native Windows Supplicant
1.5 TACACS+

2 ISE Basic Configuration
2.1 ISE Concept
2.1.1 The ISE 2.x Licensing Model
2.1.2 The ISE 3.x Licensing Model
2.2 Installing the ISE
2.2.1 ADE-OS Configuration
2.2.2 Managing the ISE via the CLI
2.3 ISE Access
2.3.1 ISE GUI
2.3.2 Launch Menu
2.3.3 Certificates and ISE
2.3.4 Admin Access
2.4 Maintenance
2.4.1 Backup
2.4.2 Policy Export
2.5 ISE – Basic Settings
2.6 Deployments
2.6.1 Node Registration
2.6.2 Certificate Management in the Deployment
2.6.3 Redundancy in ISE Deployments
2.7 Network Access Devices
2.7.1 Network Device Groups
2.7.2 Import and Export of Network Devices

3 RADIUS Authentication and Authorization Policies
3.1 The ISE AAA Concept
3.2 Policy Sets
3.2.1 Rule Sets
3.2.2 Allowed Protocols
3.3 The Authentication Policy
3.3.1 Authentication Condition Elements
3.3.2 New Authentication Policies
3.3.3 Fallback Scenarios
3.4 User Stores
3.4.1 Internal Users
3.4.2 Internal Endpoints
3.4.3 External Databases
3.4.4 RADIUS Proxy Configuration
3.4.5 Identity Source Sequence
3.4.6 Certificate Authentication Profiles
3.4.7 Identity Stores in the Authentication Policy
3.4.8 Authorization Policy
3.4.9 Authorization Conditions
3.4.10 Authorization Profiles
3.5 Machine and User Authentication
3.5.1 Chaining with EAP-FASTv2
3.5.2 Chaining Results
3.6 pxGrid
3.6.1 pxGrid – Centralized Information Exchange
3.6.2 Enabling pxGrid
3.6.3 ISE as pxGrid Controller

4 Logging, Monitoring and Diagnostic Tools
4.1 Operations at a Glance
4.2 RADIUS Live Authentications
4.2.1 Authentication Details
4.2.2 Cross-checking with the NAD
4.3 RADIUS Reports
4.3.1 Diagnostic Reports
4.3.2 Audit Reports
4.4 Troubleshooting – Authentication
4.4.1 TCP Dumps
4.4.2 Endpoint Debugs
4.4.3 Configuration of the NADs
4.4.4 Optimizing Logging
4.4.5 NAD – Log Timer
4.4.6 Log Aggregation
4.4.7 Collection Filters
4.4.8 Log Targets
4.5 Alarms

5 Security Group Access
5.1 SGT – An Overview
5.1.1 Security Groups – Classification
5.1.2 How SGTs Work
5.1.3 SGTs – Propagation
5.1.4 SGT Exchange Protocol (SXP)
5.1.5 Assignment of SGTs
5.2 SGT Configuration on the ISE
5.2.1 Creating Security Groups on the ISE
5.2.2 Setting up PACs
5.3 Assigning SGTs
5.3.1 Static SGT Mapping
5.3.2 Setting up SXP
5.4 Access Control with SGTs
5.4.1 SGACLs on the ISE
5.4.2 The TrustSec Policy
5.4.3 SGACLs on the Switch
5.4.4 SGTs for Network Segmentation in SD-Access
5.5 MACsec

6 Guest Access
6.1 Web Access as an Alternative to Dot1X
6.2 Guest Access – Options
6.2.1 Local Web Auth (LWA)
6.2.2 Central Web Auth (CWA)
6.3 Guest Access – ISE Configuration
6.3.1 Contacting the Guest
6.3.2 Further Guest Settings
6.3.3 Certificates for the Portals
6.3.4 Guest Types
6.4 Guest Portals
6.4.1 Portal Configuration
6.4.2 Portal Customization
6.4.3 Setting up a New Portal
6.5 Guest Access Policies
6.5.1 Authorization – Redirect to the Portal
6.5.2 Authorization Redirect Profile
6.5.3 Redirect ACL
6.6 The Switch Configuration
6.7 Guest Access in Operation
6.7.1 From the ISE's Perspective
6.7.2 Verification on the Switch
6.7.3 On the WLC
6.8 Guest Accounts – The Options
6.8.1 Self Registration
6.8.2 The Sponsor Portal
6.9 Guest Reports

7 BYOD
7.1 Bring Your Own Device – The Principle
7.1.1 Single SSID
7.1.2 Dual SSID
7.2 BYOD Configuration of the ISE
7.2.1 The Portals for BYOD
7.2.2 The BYOD Device Portal
7.2.3 The My Device Portal
7.3 Device Registration
7.3.1 Client Provisioning
7.3.2 Native Supplicant Provisioning
7.4 ISE and Certificates
7.4.1 SCEP Proxy
7.4.2 ISE as CA
7.5 BYOD from the User's Perspective
7.5.1 Certificate Provisioning Portal
7.6 MDM Integration

8 Profiling
8.1 Profiling Services
8.2 Configuring the Sensors
8.2.1 Device Sensors
8.2.2 Collecting the Most Important Attributes
8.3 Analyzer – Configuring the Endpoint Policies
8.3.1 Defining Rules
8.3.2 Defining Profiling Conditions
8.3.3 Scan Actions as Result
8.3.4 Exception Actions
8.3.5 Configuring CoA
8.4 Profiling Results
8.4.1 Logical Profiles
8.4.2 Endpoint Profiler Summary
8.5 Profiling and Authorization
8.6 Feed Service

9 Posture Assessment
9.1 Posture Assessment
9.2 Client Provisioning
9.2.1 Provisioning Policies
9.2.2 Provisioning Profiles
9.2.3 Provisioning Portal
9.2.4 Provisioning in the Authorization Policy
9.2.5 Provisioning in the Authorization Profile
9.3 Posture Assessment Process
9.3.1 Posture Conditions
9.3.2 Posture Requirements
9.3.3 Remediation
9.3.4 Posture Policies
9.3.5 Monitoring on the ISE
9.4 AnyConnect 4.0 as NAC Client

Classroom training

Do you prefer the classic training method: a course in one of our Training Centers, with a competent trainer and direct exchange between all course participants? Then you should book one of our classroom training dates!

Hybrid training

Hybrid training means that online participants can additionally attend a classroom course. The dynamics of a real seminar are maintained, and the online participants benefit from them. Online participants of a hybrid course use a collaboration platform such as WebEx Training Center or Saba Meeting. For this, a PC with browser and Internet access is required, as well as a headset and ideally a webcam. In the seminar room, we use specially developed and customized audio and video technology, which ensures that communication between everyone involved works conveniently and without interruption.

Online training

Would you like to attend this course online? We offer online dates for this course topic. To attend these seminars, you need a PC with Internet access (minimum data rate 1 Mbps), a headset when working via VoIP and optionally a camera. For further information and technical recommendations, please refer to.

Tailor-made courses

Do you need a special course for your team? In addition to our standard offer, we also support you in creating customized courses that precisely meet your individual requirements. We will be glad to advise you and prepare an individual offer.

You can find the complete description of this course with dates and prices ready for download at as PDF.
