CCNP SISE 300-715
What is a Security Group Tag (SGT)?
A 16-bit value that ISE assigns to a user's or an endpoint's session upon login. Sometimes referred to as a Scalable Group Tag.
What is TrustSec?
A Cisco solution that simplifies the provisioning and management of secure access to network services and applications. By classifying traffic based on the contextual identity of the endpoint versus its IP address, Cisco TrustSec enables more flexible access controls for dynamic networking environments and data centers. MACsec is also grouped into TrustSec as an option to encrypt at Layer 2, hop by hop.
What is Endpoint Protection Services (EPS)?
A Cisco tool that provided an API that allowed other applications to initiate a quarantine action against an endpoint based on IP address or MAC address.
What is CDP Second Port Disconnect?
A Cisco-proprietary method by which an IP Phone uses Cisco Discovery Protocol (CDP) to communicate when the endpoint connected behind the phone disconnects from the network. This method works for MAB, dot1x, and WebAuth.
What is FlexAuth (Flexible Authentication)?
A capability of a Cisco switch interface that allows a network administrator to set an authentication order and priority on a switch port, thereby allowing the port to attempt 802.1X, MAB, and WebAuth, in that order. All these functions are provided while maintaining the same configuration on all access ports, so this is a simpler operational model for customers than traditional 802.1X deployments.
What is a TrustSec domain?
A chain of trust in which the Security Group Tags and security group ACLs are all downloaded from the same trusted source, well-known authentication methods are used, and SGTs are propagated throughout.
What is a non-seed device?
A device that acts as a supplicant in a TrustSec domain. Such a device does not initially require direct IP connectivity to ISE and enrolls and authenticates to the seed device.
What is an authenticator in SISE?
A device that is communicating with a supplicant using the EAP over LAN protocol. It is the device responsible for sending the EAP authentication request to the authentication server via RADIUS. Network access devices are authenticators.
What is Context-In?
A feature that enables ISE to receive contextual information through pxGrid to help ISE with its own profiling policies.
What is Context-Out?
A feature that enables the sharing of contextual information about an endpoint or user to external pxGrid participants.
What is global CoA?
A form of CoA that is sent automatically when a device transitions from unknown to any known profile.
What is Structured Threat Information Expression (STIX)?
A language format used to share cyber threat intelligence (CTI) (that is, threat data). STIX is a format, not a transport protocol. It requires a protocol, such as TAXII or pxGrid, to carry it between consumers and producers of the STIX data.
What is an Identity Source Sequence (ISS)?
A list of multiple identity sources combined in a top-to-bottom sequence list for ISE authentication or authorization processes.
What is MAC Authentication Bypass (MAB)?
A method by which a NAD sends a RADIUS authentication on behalf of an endpoint, using the endpoint's MAC address as the identity credential.
What is the Security Group Exchange Protocol (SXP)?
A peering protocol that allows network devices to communicate their databases of IP address-to-SGT mappings to one another. This provides support for retagging a frame after it reenters a TrustSec domain.
What is a compound condition?
A policy object that contains multiple attributes along with an operator such as AND or OR.
What is Simple Certificate Enrollment Protocol (SCEP)?
A protocol used to broker the provisioning of a certificate to an endpoint.
What is the Trusted Automated Exchange of Intelligence Information (TAXII)?
A protocol used to exchange CTI over secure communication (HTTPS). TAXII is designed specifically to carry STIX CTI. TAXII follows a pub/sub model, much like pxGrid.
What is pxGrid?
A scalable pub/sub communication bus that is used for the sharing of large amounts of security data at scale.
What is a certificate revocation list (CRL)?
A signed list of revoked certificates' serial numbers. The CA publishes the CRL via a website that can be retrieved by a device or an application that needs to validate whether a digital certificate has been revoked by the certificate authority administrator.
What is EAPoL-Proxy-Logoff?
A standards-based method an IP Phone uses to send an EAP logoff message on behalf of the 802.1X authenticated endpoint that is connected to the phone. This method does not work for non-802.1X-authenticated endpoints.
What is Common Vulnerabilities and Exposures (CVE)?
A system to track, monitor, and describe publicly known security vulnerabilities.
What is a temporal agent?
A temporary executable file that is run on a client to check compliance status. The Cisco temporal agent is run at the time of connection to the network and is removed after the login session is terminated.
What is a Protected Access Credential (PAC)?
A unique shared credential between a server (ISE) and a client (network access device). The PAC allows the server and the client to authenticate via a secure tunnel and enables the client to download control data such as the SGACL policy and environment data.
What is ANC?
Adaptive Network Control (ANC): the successor to EPS, which added different custom labels that can be used in authorization policies.
What is tunneled EAP?
An EAP method that involves building a secure tunnel between the supplicant and the authentication server. Native EAP communication occurs within the secure tunnel.
What is an internal endpoint database?
An ISE database that is used to store information about all the endpoint devices that have connected to the ISE infrastructure. This database stores the endpoints' attributes, including MAC address, IP address, and various other attributes learned using the ISE profiling probes.
What is ISE profiling?
An advanced subscription license feature of ISE that is used to identify endpoints based on network data obtained from a number of enabled probes. With profiling, you can build an authorization policy that combines a user's identity with the classification result and invoke specific authorization results.
What is Multiple-Domain Authentication (MDA)?
An enhancement to the default mode of 802.1X that allows for two MAC addresses, one in the voice domain and the other in the data domain.
What is an external identity store?
An identity store that is configured to use an external database server for authentication and/or authorization policies. Examples include Active Directory, LDAP, RADIUS token servers, RSA SecurID, and certificate authentication profiles.
What is Common Vulnerability Scoring System (CVSS)?
An open standard for assessing the severity of security vulnerabilities. CVSS assigns severity scores of 0 to 10 to vulnerabilities to enable incident responders to prioritize their responses.
What is ABD (Anomalous Behavior Detection)?
An optional feature in ISE for mitigating some of the attempts at MAC address spoofing.
What is an ISE cube? (hahaha this one threw me off)
Another name used to refer to an ISE deployment.
What is AnyConnect NAM?
AnyConnect NAM (Network Access Manager): Cisco's enterprise-class supplicant, which is an evolution of a Meetinghouse acquisition that became the Cisco Security Services Client (CSSC) and is now a module in AnyConnect.
Define vendor-specific attributes (VSAs)
Attributes that developers and various network access device vendors use to extend RADIUS to perform other functions and carry information within RADIUS.
What is dual SSID onboarding?
BYOD onboarding in which a user joins an open SSID first, and the credentials from the CWA are used to authenticate and authorize the end user for onboarding. After the device is onboarded, the closed SSID is used with the provisioned supplicant.
What does CTI stand for?
Cyber threat intelligence (CTI): information about threats related to the computer and networking world. Basically, CTI is data about existing threats.
What is MACsec?
IEEE 802.1AE, a standard for authenticating and encrypting packets between two MACsec-capable devices.
What is EAP over LAN (EAPoL)?
IEEE 802.1X, a standard for port-based network access control for local-area and metropolitan-area networks.
What is context brokering?
ISE brokering in which pxGrid participants share data exchanged between other members of the security system.
What is Native-EAP?
Specific methods of Extensible Authentication Protocol, including EAP-MD5, EAP-MSCHAPv2, and EAP-TLS.
What is a seed device?
The authenticator to network devices for the TrustSec domain. This device is configured manually and has connectivity to ISE initially.
What is a supplicant?
The software on an endpoint that understands how to communicate with EAP over LAN (802.1X).
What is a SAML assertion?
When a user attempts to access a service, the service provider sends a request to the identity provider asking whether the user should have access. The identity provider returns an ASSERTION saying that the user is authorized. (From Cisco) A packet of security info that contains the identity and attributes of a user and the user's authorization for a service that is passed from the IdP to the SP.
What needs to be configured when using the EAP-TLS protocol for authentication with certificates?
You need to configure a certificate authentication profile (CAP) to define which certificate field to use as the username attribute for the ISE authentication process.
1. Which of the following best describes the difference between authentication and authorization?
a. There is no difference between authentication and authorization.
b. Authorization determines what a user may do, while authentication determines what devices the user may interact with.
c. Authentication is used with both network access and device administration, while authorization only applies to device administration.
d. Authentication involves validating a user's identity, while authorization involves determining what a user is permitted to do.
d. Explanation: Authentication involves validating someone's identity credentials. Authorization involves determining what is allowed or not allowed, based on those credentials.