Q&A Session for

ISE Bootstrapping Lab Walk-Thru 10/17/11 1PM-4PM EASTERN

Session number: 209741182 Date: Monday, October 17, 2011 Starting time: 12:01 PM ________________________________________________________________ Q: Will the e-laerning that is coming soon be based on the ILT? A: Some of the material will be incorporated. 50 hours of ILT content is diffiicult to fully incorporate into an e-learning session. ________________________________________________________________ Q: Are we going to get into any sizing details during these sessions? A: This session is be focused on post-sales configuration of the product. For design and architecture questions, refer to the 'Creating an HLD' session that we did earlier this month. you go into PEC (www.cisco.com/go/pec) and search for HLD you'll find ________________________________________________________________ Q: Does the Help function require Internet access, or is it all local? A: Feedback survey is a hosted web page so it would require Internet access from the console. ________________________________________________________________ Q: Does "Standalone" mean than all personas are installed in this server? A: The Administration, Policy Service, and Monitoring personas will be enabled by default in a standalone ISE node. So since we don't have a primary or secondary we are just using standalone and we have all personas on it ________________________________________________________________ Q: How does one "re-initialize the database" after changing the timezone after initial install? A: 'application reset-config ise' from CLI. http://www.cisco.com/en/US/docs/security/ise/1.0/ cli_ref_guide/ise10_cli_app_a.html ________________________________________________________________ Q: Are there VM OVF templates to avoid these hardware issues on intitial builds? A: Not currently but let me check with the team to see if posting one is planned. ________________________________________________________________ Q: How provides the CA? Does the customer provide the CA A: CA can either be public or locally hosted. It depends on what functions will require certificates that will dictate which to use. Guest portal should probably be public so the cert is trusted. ________________________________________________________________ Q: Do you delete the local cert after loading the CA cert? A: You can after you choose to use the imported cert for auth protocols and administration. http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html#wpxref88008 ________________________________________________________________ Q: so web-auth for guest access uses the same cert as the web server admin page? A: It can, it depends on the architecture. If you have a standalone install then one appliance provides all of the functions. If you split the functions to seperate appliances then the Policy Services Node will handle guest authentication. ________________________________________________________________ Q: is replacing the certificate (example in case if it expire) cause any interruption? A: If you don't delete the existing certificate it won't. If you do, you'll have to close and reopen your browser to renegotiate the SSL session with the new cert. ________________________________________________________________

If

Q: And it is important to generate and get your certificates working correctly before trying to do a distributed deployment, because they are used for communications between devices... A: Absolutely. Nail down your certs on all your devices as you roll them out to get them working properly. ________________________________________________________________ Q: What would be a more practical way to add devices? Can we import information from LAN mgmt products? A: No direct import, but you can import from CSV, so if you export from managment platform you can import into ISE. http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ ise10_man_network_devices.html ________________________________________________________________ Q: Is there XML import also, or just CSV? Or more generally, are there any XML interfaces to ISE? A: Just CSV that i am aware of today according to this guide: http://www.cisco.com/en/US/docs/ security/ise/1.0/user_guide/ise10_man_network_devices.html A: No device XML import. You may be able to do something through the APIs. http://www.cisco.com/ en/US/docs/security/ise/1.0/api_ref_guide/ise10_api_ref_guide_ch1.html ________________________________________________________________ Q: How many AD can an ISE join? A: One using the AD bind. As long as there are trusts with the other domains it works fine. can also use LDAP if you have multiple forests. ________________________________________________________________

You

Q: How do you configure secure ldap? 636 A: Under External Identity Stores and the connection tab for LDAP you can specify LDAP over TLS (636) that will allow you to do LDAPS ________________________________________________________________ Q: What are the configuration properties of The user used to join domain. A: See the user guide for the required permissions... http://www.cisco.com/en/US/docs/security/ise/ 1.0/user_guide/ise10_man_id_stores.html ________________________________________________________________ Q: What if your AD structure has one domain with each entity as an OU with thousands of groups? Would you lean toward using ldap to point directly at the OU you need? A: It may be easier to manage that way. The benefit of AD bind is that you can also use additional attributes to define policy in addition to group membership. ________________________________________________________________ Q: Given the examples in the lab - the use of KTpass is a thing of the past? A: Yes, thank goodness. :) Much easier with the way ACS 5.X and ISE can be added into AD. ________________________________________________________________ Q: Are there any examples for CA authentication? A: For users? Such as EAP-TLS? If so, the user guide has configuration examples for some of these scenarios. http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ ise10_auth_pol.html#wp1146222 ________________________________________________________________ Q: How does multi-auth work with dACLs? Does it merge ACLs for multiple hosts, or replace the "any" source with the source IP of the authenticating device? A: Yes, 'any' will be replaced with the source of the authenticating device. http://www.cisco.com/ en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html ________________________________________________________________ Q: Can the ACLs be sent to the switch from ISE? A: Yep, dACLs (downloadable ACLs) can provide central policy. future labs.

You'll see these used heavily in

________________________________________________________________ Q: do you know when will it be available ? A: Tests are availabe now if you go to www.cisco.com/go/isepartner and click on Partner Resources you'll see links to the tests. A: FE ISE Test (ISE-650-473) is here: http://www.cisco.com/web/learning/le3/current_exams/ 650-473.html FE 802.1x Test ( S802DOT1X 650-472) is here: http://www.cisco.com/web/learning/le3/current_exams/ 650-472.html SE Into ISE exam ( PAISESE 650-474) http ________________________________________________________________ Q: Can ISE authenicate to multiple LDAP instances forests? A: You bet. ________________________________________________________________ Q: So If I don't have a AD trust between DCs but I am in the same forest I can authenicate those users by independant GCs A: I guess you would have to use LDAp then to each AD ________________________________________________________________ Q: is there a posibility to make the pods available for cisco parteners ? A: Partners currently have access to these pods through PEC. www.cisco.com/go/pec and all of the labs will come up. _______________________________________________________________

search for ISE