08-Describing and Implementing Cisco Wireless Network Architecture
Uploaded by Miguel Angel Martínez
Introduction

The architecture that you deploy can make or break your installation. Cisco has multiple options for the wireless engineer. It is important to be able to distinguish between the architectures and the platforms that they support. You will get an overview of Cisco Prime Infrastructure and Cisco Identity Services Engine (ISE). Your actual servers may be of a different version; therefore, screenshots and actual operation may differ from the content provided here.

Cisco Wireless Network Deployment Options

Cisco Unified Wireless Access Architecture

Cisco Unified Wireless Access is an intelligent network platform that enables new connected experiences and new operational efficiency. It is the business foundation for BYOD initiatives and the Internet of Everything (IoE), and intelligently connects people, processes, data, and things.
+ One Network: One infrastructure for wired and wireless
+ One Policy: One place to define policy
+ One Management: One pane of glass

The Cisco Unified Access solution delivers an integrated and simplified intelligent network platform that allows IT to spend less time running the network and more time focusing on innovations that can differentiate and transform the business. Cisco Unified Access gives IT the unified policy, management, and network platform it needs to adapt to rapidly changing business needs, technologies, and user expectations. Cisco Unified Access accomplishes these goals by employing a single network infrastructure with central policy and management across wired and wireless networks and VPNs. The three pillars of Cisco Unified Access are as follows:
+ One Network: Wired and wireless networks are combined into a single unified infrastructure.
+ One Policy: The platform provides a world-class unified policy platform and distributed enforcement.
+ One Management: A single solution offers comprehensive life-cycle management and visibility.
Cisco Wireless Policy Overview

Building on the Cisco One Network is Cisco One Policy, which Cisco Identity Services Engine (ISE) delivers. Cisco ISE combines many network policy and security servers into a single platform.

[Figure: Cisco ISE combines many functions into one platform. "The path to next-generation secure network access: ISE transforms your network with the capabilities needed to handle today's digital demands." Capabilities shown: asset visibility; guest and secure wireless access; secured wired access; BYOD; segmentation; compliance and posture; security ecosystem integrations; threat containment.]

Cisco ISE can provide the following:
+ Visibility into all users and connected devices (endpoints, mobile devices, security cameras, printers) on a network allows for more accurate identification of users and devices and easier user and device onboarding.
+ Unified secure access control centralizes and streamlines network access policy creation and management within Cisco ISE to permit consistent secure network access for end users, regardless of how they connect (wired, wireless, or VPN).
+ The robust context sharing platform collects large amounts of contextual information from wide and varied sources (for example, MDM, SIEM, identity stores, and device agents), which allows Cisco ISE to prevent inappropriate access and to detect and minimize the spread of threats across the network.

Cisco ISE combines the following platforms:
+ Access Control Server: This platform is used for identity and access control.
+ NAC Manager and NAC Server: This platform is used for identity control, access control, and posture.
+ NAC Profiler: This platform is used for device profiling, device provisioning, and identity monitoring.
+ NAC Guest Server: This platform is used for guest life-cycle management.

Cisco Wireless Management Overview

Building on the Cisco One Network and One Policy is Cisco One Management, which Cisco Prime Infrastructure delivers.
Cisco Prime Infrastructure is a network management tool that supports life-cycle management of the entire network infrastructure from one graphical interface. Cisco Prime Infrastructure provides network administrators with a single solution for provisioning, monitoring, optimizing, and troubleshooting both wired and wireless devices.

[Figure: Cisco Prime Infrastructure, one pane of glass for wired and wireless. Prime Infrastructure combines location and spectrum intelligence (MSE), device and client intelligence, user intelligence (ISE), network intelligence, and application intelligence across the WLAN controller, router/firewall, VPN, and switches of the wired network, wireless network, and remote access.]

Cisco Prime Infrastructure includes these features:
+ You can configure and monitor one or more controllers, switches, and associated APs.
+ The same configuration, performance monitoring, security, fault management, and accounting options that are used at the controller level are available, plus a graphical view of multiple controllers and managed APs.
+ Enhanced automated workflows and integrated best practices for easy deployment and management of Cisco advanced technologies and services, including Cisco Wireless Intrusion Prevention System (wIPS), Cisco CleanAir technology, VPN, zone-based firewall, Cisco ScanSafe, and Cisco Application Visibility and Control (AVC).

Cisco Wireless One Network Overview

Cisco Unified Access gives IT the unified policy, management, and network platform that it needs to adapt to rapidly changing business needs, technologies, and user expectations, by employing a single network infrastructure with central policy and management across wired and wireless networks. The three pillars of Cisco Unified Access are as follows:
+ Cisco One Network
  - Converged wired and wireless network infrastructure, using new Cisco Catalyst access switches
  - Consistent networkwide intelligence and operations: One common set of network capabilities and context-aware intelligence for policy, visibility, analytics, and granular QoS across the entire wired-wireless infrastructure
  - Integration into Cisco ONE, which allows customers to connect, secure, and manage their network infrastructure
+ Cisco One Policy
  - Central policy platform for wired and wireless
  - Uses Cisco ISE
+ Cisco One Management
  - Single platform for wired and wireless management
  - Two forms of implementation:
    - Premises-managed: Cisco Prime Infrastructure
    - Cloud-managed: Cisco Meraki Dashboard

Wireless Management Architectures

Cisco has several architectures that can be deployed today. The main difference between these architectures is how they run the three architecture planes.
+ Management plane: Administration, configuration, monitoring
+ Control plane: Coordination, channel and power selection (RRM), roaming
+ Data plane: Client data packet flow

Management Plane
The management plane deals with all aspects of administration and configuration. Adding a WLAN, or configuring WPA2 on a WLAN, would be done here.

Control Plane
The control plane deals with a running network, and it may change channels or power settings as needed. It acts as a coordinator to keep things running smoothly and also deals with RRM and roaming.

Data Plane
The data plane deals with the traffic flow to and from the clients between the air and the wired side.

Cisco Wireless Management Architectures

Cisco has several variations of architectures that you can deploy. The main difference between these architectures is the location of each of the three plane components. Cisco One Network allows for several deployment options:
+ Autonomous, standalone
+ Centralized wireless LAN controller
+ Centralized wireless LAN controller with Cisco FlexConnect
+ Cisco Mobility Express
+ Embedded
+ Cloud

Autonomous or Standalone
In the autonomous model, all three planes exist on the AP. So, if you have 100 APs and you want to add a WLAN, you must manage (configure) all 100 APs. Because the autonomous AP has its own control plane, it is very difficult to synchronize this AP with other APs. Roaming between autonomous APs is not normally done.
The data plane is local, which usually means that the AP puts data onto or takes data from the wired network. Therefore, it needs to have access to multiple VLANs and is usually connected to a trunk link.

Centralized Wireless LAN Controller
The centralized wireless LAN controller is the classic model. All three planes run on the wireless LAN controller. Because the management plane runs on the wireless LAN controller, the entire network (of maybe 100 APs) can be configured directly from the controller, and the configuration can be sent out to all the APs on the site. This model is truly a single-pane-of-glass configuration. Because the control plane runs on the wireless LAN controller, roaming is simple to configure and operate. The data plane also exists on the wireless LAN controller. The wireless LAN controller is usually connected to a trunk link, and the APs connect to a standard access port. In this model, you should be aware that the data plane exists only on the wireless LAN controller. This centralized data-forwarding model requires that all data traffic pass through the wireless LAN controller, even if it is between two stations on the same AP. The data must flow through the wireless LAN controller.

Centralized Wireless LAN Controller with Cisco FlexConnect
Forcing the data to flow to the wireless LAN controller may not seem significant in a fast LAN, but once a remote office or branch gets involved, it becomes a burden. To solve this problem, Cisco invented the FlexConnect model. In its simplest form, Cisco FlexConnect allows the data plane to run on the AP. The AP is usually connected to a trunk, and puts data traffic on the relevant VLAN. This model is known as distributed data forwarding. One benefit of having a Cisco FlexConnect model is that you can design and build for WAN resiliency; if the WAN link goes down, the APs can continue to function.

Cisco Mobility Express
This model has a special version of code that runs on one of the APs, so that AP becomes a mini wireless LAN controller in its own right.
For a small network or a standalone branch, this approach can be good enough until more features are required; Cisco FlexConnect can then be used, or a local wireless LAN controller can be added.

Embedded
This model has wireless LAN controller software running inside a switch. The full wireless LAN controller software is virtualized in the switch.

Cloud
In this model, the management and control planes run in the cloud, and the data plane runs on the AP. There are three variations of this model:
+ A local cloud platform (virtualization) that runs wireless LAN controller software
+ A cloud-based platform that runs wireless LAN controller software
+ A Cisco Meraki cloud platform (unique APs, switches, and security appliances)

Cisco WLAN Deployment Advantages

Each of the models has its own advantages.

Cloud-based:
+ Turnkey installation and management
+ Scales from small branches to large networks
+ Can reduce operating costs
+ Can reduce IT staff size

Autonomous:
+ Used for hotspots or smaller enterprises
+ Individual APs
+ Simple to deploy and cost-effective

Centralized:
+ Campus environments where traffic is centralized
+ APs connect to switches, which connect to centralized wireless LAN controllers

Cisco FlexConnect:
+ Enterprises that have branch or remote offices
+ Locations with a relatively small number of APs, where deployment of a wireless LAN controller is not justified or desired
+ During Cisco FlexConnect operation, WLAN data traffic is either tunneled back to a central wireless LAN controller (central switching), or the data traffic is broken out locally at the wired interface of the AP (local switching)

Cisco Mobility Express:
+ Subset of features found on the centralized model, without the need for a full wireless LAN controller
+ One AP runs wireless LAN controller code; other APs connect to it in the same mode as the centralized model

Embedded:
+ Wireless LAN controller can run on the switch architecture
+ Alternative to Cisco Mobility Express and FlexConnect, but offers the features of a local wireless LAN controller

Cisco Unified Access Premises and Cloud Management

You have to decide which approach is best in your particular circumstances. If you view your network as a platform for innovation, prefer to own and customize it, and execute new initiatives as they arise, then you may want a premises-managed solution. However, if you view your network as a service where you subscribe to the software, own the hardware, and operationally demand simplified deployment and management as a primary requirement, then you may want a cloud-managed solution.

Unified Access: Two Approaches

Enterprise Unified Access:
+ Hardware and software both owned by the customer
+ One Policy, One Management, One Network
+ Granular control and highly customizable
+ Portfolio that can say "yes" to any use case
+ Optimized for scale and high performance
+ Extensibility through APIs and SDKs
+ Advanced troubleshooting tools
+ Every certification imaginable

Cloud-Based Unified Access:
+ Hardware owned by customer, software is not
+ One Policy, One Management, One Network
+ Simplified deployment and management
+ Targeted portfolio for midmarket use cases
+ Subscription-based feature delivery
+ Cloud-based out-of-band management
+ Integrated mobile device management
+ High-velocity feature development

The premises-based solution uses Cisco Prime Infrastructure.
The cloud-based solution uses the Cisco Meraki dashboard, and can also use Cisco Prime Infrastructure.

Premises management offers these features:
+ Hardware and software are both owned by the customer
+ One Policy, One Management, One Network
+ Granular control and highly customizable
+ Optimized for control and high performance
+ Extensibility through APIs and SDKs
+ Advanced troubleshooting tools

Cloud management offers these features:
+ The customer owns the hardware; the software is provided by subscription
+ One Policy, One Management, One Network
+ Simplified deployment and management
+ Portfolio that is focused on mainstream use cases
+ Subscription-based feature delivery
+ Cloud-based OOB management
+ Integrated mobile device management
+ High-velocity feature development

Cloud-based management offers which three features? (Choose three.)
+ hardware owned by customer, software by subscription
+ subscription-based feature delivery
+ optimized for control and high performance
+ high-velocity feature development
+ granular control and highly customizable
+ always cheaper
+ always more expensive

Cisco Wireless Management

Cisco Prime Infrastructure empowers IT departments to more effectively manage their networks and the services that they deliver. This scalable, integrated solution tightly combines end-user awareness and application performance visibility with comprehensive life-cycle management of wired and wireless access, campus, and branch networks. The ability to view basic information on cloud-based APs has been added to Cisco Prime Infrastructure.
Administrators can also directly manage their cloud-based WLANs with the Cisco Meraki dashboard.

Cisco Prime Infrastructure

Cisco Prime Infrastructure is network management that connects the network, the device, the user, and the application end-to-end, all in one system.

[Figure: Cisco Prime Infrastructure wireless management and plug and play]

Cisco Prime Infrastructure permits the following:
+ Single-pane-of-glass management: Cisco Prime Infrastructure delivers a single, unified platform for day-zero and day-1 provisioning and day-n assurance.
+ Simplified deployment of Cisco value-added features: Support for technologies such as Cisco Intelligent WAN (IWAN), Cisco Application Visibility and Control (AVC), Cisco Zone-Based Firewall (ZBFW), and Cisco TrustSec Identity-Based Networking Services (IBNS).
+ Application visibility: Technology includes NetFlow, NBAR2, Medianet, SNMP, and more.
+ Management of mobile collaboration: Mobile collaboration management includes IEEE 802.11ac support, correlated wired and wireless client visibility, unified access infrastructure visibility, spatial maps, converged security, and policy monitoring and troubleshooting with Cisco ISE integration.
This feature also includes location-based tracking of interferers, rogues, and Wi-Fi clients with Cisco Mobility Services Engine (MSE) and Cisco CleanAir integration, life-cycle management, and RF prediction tools.
+ Management across network and compute: Important capabilities are provided, such as discovery, inventory, configuration, monitoring, troubleshooting, reporting, and administration, with a single view and point of control.
+ Centralized visibility of distributed networks: The Cisco Prime Infrastructure Operations Center allows you to visualize up to 10 Prime Infrastructure instances when scaling your network management infrastructure.
+ IPv6 support: IPv6 support helps with device discovery, configuration services (TFTP, HTTP, and so on), and configuration deployment functions.

End-to-End Life-Cycle Management

Cisco Prime Infrastructure gives you end-to-end life-cycle management:
+ Extensive discovery protocol support
+ Network topology maps
+ Monitoring policies
+ Customizable configuration templates
+ Plug-and-play for automated deployment
+ Integration with Cisco ISE and Cisco MSE
+ Integrated workflows and tools
+ Third-party device support

[Figure: Configuration / Network / Network Devices page in Cisco Prime Infrastructure, listing devices with reachability, CPU and memory utilization, and port details]

Life-cycle support for wired and wireless infrastructure includes the following:
+ Extensive discovery protocol support helps improve accuracy and completeness, including ping, Cisco Discovery Protocol, LLDP, ARP, BGP, OSPF, and route table lookups.
+ Network topology maps display icons that represent the network devices in inventory and their interconnections. Maps also show alarm badging and links to indicate the current alarm state.
+ Monitoring policies help you monitor network devices and interfaces.
They can be activated or deactivated through an intuitive workflow and push changes to devices without disrupting service.
+ Customizable predefined Cisco best practices and validated design configuration templates help enable quick and easy device and service deployment. Flexible plug-and-play functionality simplifies the rollout of new devices and sites, accelerating service availability.
+ Integration with Cisco ISE and the Cisco Secure Access Control Server (ACS) view provides a simple way to collect and analyze data that is relevant to endpoints. Integration with Cisco MSE provides location-based tracking services for discovered endpoints.
+ Integrated workflows and tools allow IT administrators to quickly assess service disruptions, receive notices about performance degradation, research resolutions, and take remedial action.

Assurance: Application Visibility and End-User Experience

Assurance lets you know how your network is performing, using actual feedback from the network itself.
+ Simplified instrumentation configuration
+ Network monitoring
  - Network availability and device performance
  - NetFlow monitoring
  - Cisco AVC monitoring
  - QoS monitoring
  - Integration with Cisco Prime Network Analysis Module (NAM)
+ Automatic baselining
+ Rapid service-level restoration

[Figure: Dashboard / Overview in Cisco Prime Infrastructure, with the notice: "The General dashboard has been migrated to the Network Summary dashboard. Please traverse to Dashboard / Network Summary for an enhanced experience."]
[Figure, continued: dashboard panels for Top N memory utilization and client count by association/authentication]

Assurance for application visibility and end-user experience includes the following:
+ Simplified instrumentation configuration with streamlined templates eases the configuration of embedded performance instrumentation, to reduce data collection complexity and accelerate time to value.
+ Networkwide monitoring:
  - Network availability and device performance monitoring allow operators to improve network operations.
  - NetFlow monitoring provides valuable insights into who is using the network, which applications are being used, and how much bandwidth the applications are using. NetFlow monitoring is the collection and monitoring of network traffic flow data that NetFlow-enabled routers and switches generate.
  - Cisco AVC monitoring helps identify potential issues that can affect committed service levels and the user experience.
  - QoS monitoring provides important information about defined QoS policies that are applied to interfaces and class-based traffic patterns.
  - Integration with the Cisco Prime NAM permits the collection and correlation of granular flow- and packet-based data, which helps in rapidly solving challenging application and network problems.
+ Automated baselining with trend information for important network and application performance indicators automatically builds a baseline to facilitate planning and operations tasks.
+ Rapid service-level restoration that integrates with control capabilities, such as QoS and Cisco Performance Routing (PfR), delivers intelligent path control for application-aware routing across the WAN, which permits network changes to be made quickly.

Cisco Prime Infrastructure Site Profiles and Maps

The IT support person can view the "heat map" to determine RF coverage.

[Figure: Maps, Tree View / Floor View heat map showing RF coverage and currently detected rogue APs, with the note that data may be delayed up to 1 minute or more depending on background tasks]

The newer maps give better visibility of the RF space. They also allow pan-and-zoom features. Maps can be created in a hierarchy of campus, buildings, and floors.

Planning: RF Prediction Tool Assistance in Designing WLANs

Cisco Prime Infrastructure can help you plan your network. It can help you optimize and operate your network. Easily visualize the ideal RF environment:
+ Integrated planning tool
  - Import floor plans from third-party tools
  - Configure AP placement, coverage, and other variables
  - Generate an equipment proposal
+ Hierarchical maps
  - Design multiple buildings, floors, and regions
+ Location and voice readiness tools
  - View performance and coverage estimates

Cisco Prime Infrastructure planning tool features:
+ Helps eliminate improper RF designs and coverage problems.
+ Performs site surveys, RF reassessment, and RF readiness evaluation.

Enhanced Alarms and Events

Alarm information for the network can be viewed from a single console. The support person can use the predefined filters or create their own, and then take appropriate actions on alarms.

[Figure: Monitor / Monitoring Tools / Alarms and Events / Alarms, showing active alarms with severity, status, and annotations, and the Show Alarm History option]

Events are detections or occurrences of conditions in the network and include the following:
+ Port status changes
+ Device resets
+ Devices that are unreachable by the management station

The following options can be taken with alarms:
+ Change Status: You can acknowledge, unacknowledge, or clear the alarm.
+ Assign: You can assign the alarm.
+ Annotate: You can add a note to the alarm.
+ Delete: You can delete the alarm.

Cisco Prime Infrastructure: Cisco Meraki Support

Cisco Meraki support is now part of the latest version of Cisco Prime Infrastructure. With this update, Cisco Prime Infrastructure can monitor Meraki APs, security appliances, and switches. SNMP gathers information about Cisco Meraki devices from the cloud controller for monitoring and inventory purposes. Cisco Prime Infrastructure also offers one-click links to manage and run further diagnostics for all Cisco Meraki devices.

Device Visibility
Several information elements are displayed on the Network Devices page in the Cisco Prime Infrastructure console:
+ Device Name
+ Reachability Status
+ IP Address/DNS Name
+ Device Type
+ MAC Address
+ Client Count
+ Serial Number
+ Mesh Status
+ Network Name

Device Configuration
The Cisco Meraki dashboard remains the single point of configuration for Meraki devices.
Cisco Prime Infrastructure includes a device link next to the IP address of the device (Device Details page). These links launch a browser window that brings the administrator right to the device in the Cisco Meraki dashboard.

Cisco Meraki Cloud Management

Cisco Meraki cloud-based management provides centralized visibility and control over Meraki wired and wireless networking hardware.

[Figure: Only management data (about 1 kbps) flows between the Meraki devices and the cloud; user data does not.]
+ Scalable
  - High throughput
  - Add devices or sites easily
+ Reliable
  - Highly available cloud with multiple data centers
  - Network functions even if the connection to the cloud is interrupted
  - 99.99% uptime SLA
+ Secure
  - No user traffic passes through the cloud
  - HIPAA and PCI compliant
  - Third-party security audits, daily penetration testing

Management data (configuration, statistics, monitoring, and so on) flows from Cisco Meraki devices (wireless APs, switches, and security appliances) to the Meraki cloud over a secure Internet connection. User data (web browsing, internal applications, and so on) does not flow through the cloud, and instead flows directly to its destination on the LAN or across the WAN.
+ Scale
  - High throughput due to no centralized controllers and low-bandwidth management
  - Devices (APs, switches, and security appliances) are quickly added through the browser-based Cisco Meraki dashboard
+ Reliable
  - Multiple data centers in the cloud and 99.99 percent uptime SLA
  - Network functions even if the management connection is interrupted
+ Secure
  - User traffic is not sent through the cloud
  - HIPAA and PCI compliant
[Figure: Cisco ISE distributed deployment, showing the replication, proxy, AAA, and logging connections between nodes]

A Cisco ISE node can provide various services, which are based on the persona that it assumes. Each node in a deployment, except the Inline Posture node, can assume the Administration, Policy Service, and Monitoring personas. The three personas are as follows:
+ PAN: A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It manages all system-related and functionality configurations such as authentication, authorization, auditing, and so on. In a distributed environment, you can have a maximum of two nodes that run the Administration persona.
+ PSN: A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assume this persona. Typically there would be more than one Policy Service node in a distributed deployment.
+ MnT: A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources. A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports.

How do all these personas work together? First, the administrators log in to the PAN, where they configure Cisco ISE with the deployment infrastructure and deployment policies. Once the policies are completed, they are synced to the PSNs and passed on to the MnT.

The user connects to the NAD, which is the switch or wireless LAN controller. The NAD, which is the RADIUS client, generates a RADIUS authentication request to the PSN, the RADIUS server. The PSN checks the authentication rules and queries the appropriate user database (internal, Active Directory, or LDAP) to verify the authentication credentials. Based on the response from the user database, the PSN locates the correct authorization profile that is to be applied to the user. These policies may include dACLs, VLANs, voice domains, and even SGTs, returned via the RADIUS response to the NADs. The NADs put the policies into action by applying the dACL, VLAN, or SGT to the user traffic via session numbers. The NAD also sends RADIUS accounting messages to the PSN. The PSN correlates the messages and forwards all the session audit and syslogs to the MnT.

Important note for NAD configuration: For specific services (RADIUS), point the NAD to the IP address of the Cisco ISE if it is an "all-in-one", or to the specific persona (point the wireless LAN controller to the IP of the Cisco ISE with PAN).

Cisco ISE Features

Here is an overview of the features of Cisco ISE:
+ Business policy enforcement
+ Access control
+ Guest life-cycle management
+ AAA protocols
+ Internal certificate authority
+ Device profiling
+ Monitoring and troubleshooting

The following Cisco ISE features pertain to wireless and policy control:
+ Business policy enforcement: This feature provides a rules-based, attribute-driven policy model for creating flexible and business-relevant access control policies. It offers the ability to integrate with multiple external identity repositories, such as Active Directory, LDAP, RADIUS, RSA, and certificate authorities, for both authentication and authorization.
+ Access control: This feature provides a range of access control options, including dACLs, VLAN assignments, URL redirections, named ACLs, and SGTs using the advanced capabilities of Cisco TrustSec technology-enabled network devices.
+ Guest life-cycle management: This feature provides an agile, streamlined experience for enabling and customizing guest network access, with built-in support for hotspot, sponsored, self-service, and numerous other access workflows.
+ Streamlined device onboarding: This feature delivers fully customizable and branded user experiences with themes. It offers predefined workflows that walk users through the onboarding process and provides end users with their own self-service portals to add and manage their devices.
+ AAA protocols: This feature uses the standard RADIUS protocol for AAA and supports a wide range of authentication protocols.
+ Internal Certificate Authority: This feature offers an easy-to-deploy internal certificate authority within Cisco ISE to simplify certificate management for personal devices without adding the significant complexity of an external certificate authority application.
+ Device profiling: Cisco ISE has predefined device templates for many types of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administratively defined identities when endpoints connect to the network.
+ Endpoint posture: This feature allows you to create powerful policies that include, but are not limited to, checks for the latest operating system patches, antivirus and antispyware software packages with current definition file variables (version, date, and so on), registries (key, value, and so on), and applications.
+ Cisco pxGrid and the Cisco ISE ecosystem: Cisco pxGrid is a robust context-sharing platform within Cisco ISE that delivers a deeper level of contextual data. This data is collected on Cisco ISE and is available to external and internal ecosystem partner solutions to accelerate the capabilities of those solutions across the network.
+ Cisco ISE ecosystem (SIEM and TD): Integration with Cisco ISE enables SIEM and threat defense partners to supplement their network-wide security event visibility with Cisco ISE contextual information about user and device identities, network authorization levels, and security posture.
+ Monitoring and troubleshooting: This feature includes a built-in web console for monitoring, reporting, and troubleshooting to assist help desk and network operators in quickly identifying and resolving issues.

Cisco ISE Basic Supported Guest Flows

With wireless comes the need to include visitors, contractors, and employees. A guest flow describes the way that end users experience onboarding for guest access. There are four basic guest flows:

+ Hotspot: Guests receive network access without requiring a username and password. This guest flow is also called noncredentialed access because the guest user does not have credentials.
+ Self-Service: This flow is a form of credentialed access. Guests provide information in a web-based registration step. They are then sent a username and password over email, SMS, or on the screen. Guests use that username and password to log in to the network.
+ Self-Service Sponsor-Approved: Similar to self-service, the guest user registers on a web page. After registration, a message is sent to a sponsor asking whether it is acceptable to give credentials to this guest. The guest only receives credentials if the sponsor approves.
+ Sponsored: A guest asks a sponsor to create an account for them. The sponsor logs in to the sponsor portal and creates an account for the guest. Guest credentials are provided via email, SMS, or printout.

Cisco ISE Internal Certificate Authority

Cisco ISE Internal Certificate Authority (CA) simplifies certificate provisioning and deployment for BYOD and MDM endpoints. The Cisco ISE CA capability eliminates the previous complexity that was required to integrate with an external PKI certificate authority infrastructure.

+ Cisco ISE CA works with your existing PKI to simplify BYOD deployments.
+ A single management console manages endpoints and their certificates.
+ Simplified deployment supports standalone and subordinate deployments.

[Figure: Enterprise Certificate Authority (optional) with the Cisco ISE Certificate Authority as a subordinate CA]

The management console allows the administrator to delete an endpoint, and the certificate will be deleted as well. Endpoint certificates can also be viewed and revoked. Cisco ISE CA can be deployed as self-contained or can be integrated into an existing enterprise certificate authority environment if still required. Cisco ISE provides an OCSP responder to check the validity of the certificates.

Which three options are Cisco ISE personas? (Choose three.)
+ Management Node
+ Administration Node
+ Policy Service Node
+ Monitor Mode
+ Content Node
+ Cisco ISE Node
+ Monitoring Node

Summary Challenge

Which three server functions are combined into the Cisco ISE platform? (Choose three.)
+ Access Control Server
+ NAC Manager
+ Firewall
+ Content security
+ NAC Guest Server
+ Policy Control Node Manager
+ WiSM

Match the type of WLAN deployment with its characteristic.
Deployment types: Premise-based controller; Cloud-based; Embedded; Autonomous
Characteristics: Ideal for small campus or distributed branch; Centralized; Common operating system, lean IT; Intended for static installations

Match the operational plane with its description.
Planes: Management Plane; Control Plane; Data Plane
Descriptions: Coordination, channel and power selection (RRM), and roaming; Administration, configuration, and monitoring; Client data packet flow

Which three options are actions that can be taken on an alarm within Cisco Prime Infrastructure? (Choose three.)
+ Assign
+ Classify
+ Annotate
+ Change status
+ Ignore
+ Update
+ Allocate

Which three principles are Cisco DNA guiding principles? (Choose three.)
+ Open
+ Remote
+ Assurance
+ Intent-ready
+ Extent-ready
+ Security for wireless only

Match the Cisco ISE node to its function.
Nodes: Monitoring Node; Administration Node; Policy Service Node
Functions: Handles all system-related configurations that are related to functionality, such as AAA; Functions as the log collector and stores log messages; Provides network access, posture, guest access, client provisioning, and profiling services

Which of the following statements describes the Cisco ISE Self-Service guest flow?
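The NAD-to-PSN RADIUS exchange described at the start of this section, as an added example that is not part of the original course material or of Cisco's software. It builds an Access-Request on the NAD side, verifies its Message-Authenticator on the PSN side, returns the authorization profile (VLAN through the Tunnel-* attributes, dACL and SGT through cisco-av-pair) in an Access-Accept, and shows the check a NAD has to make before it applies any of it: the Response Authenticator, keyed with the shared secret, is the only thing that ties the reply to this NAD's request, so an unverified Access-Accept would let anyone who can reach the NAD hand out VLANs and ACLs. The shared secret, user, NAS address, MAC, dACL name and SGT value are constructed; the attribute names follow the conventions ISE commonly uses, but the exact strings are illustrative.

```python
"""RADIUS exchange between a NAD (RADIUS client: switch or WLC) and an ISE Policy
Service Node (RADIUS server), reduced to the parts that carry the authorization
profile. Added example, not Cisco's or ISE's own code; all values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, CISCO_VENDOR_ID, CISCO_AVPAIR = 1, 2, 9, 1  # VSA vendor 9 / sub-type 1
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 4, 26, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81

def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def cisco_avpair(text):
    """cisco-av-pair VSA, the container ISE uses for dACL and SGT assignments."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def tagged_int(attr_type, tag, n):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    return attr(attr_type, bytes([tag]) + struct.pack("!I", n)[1:])

def build_access_request(secret, ident, username, nas_ip, mac):
    """NAD side: random Request Authenticator plus an HMAC-MD5 Message-Authenticator
    (RFC 2869) over the packet with its own value zeroed. EAP/password attributes omitted."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode()) + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLING_STATION_ID, mac.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    zeroed = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    tag = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + tag   # Message-Authenticator is the last attribute

def verify_message_authenticator(secret, request):
    """PSN side: a request whose Message-Authenticator is missing or wrong is dropped."""
    i = 20
    while i + 2 <= len(request):
        t, length = request[i], request[i + 1]
        if length < 2 or i + length > len(request):
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = request[:i + 2] + bytes(16) + request[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, request[i + 2:i + 18])
        i += length
    return False

def build_access_accept(secret, request, profile_attrs):
    """PSN side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(profile_attrs))
    resp_auth = hashlib.md5(header + request[4:20] + profile_attrs + secret).digest()
    return header + resp_auth + profile_attrs

def parse_attrs(data):
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def apply_response(secret, request, response):
    """NAD side: verify the Response Authenticator against the request this NAD sent, then
    extract VLAN, dACL and SGT. None means not a genuine reply to this request: apply nothing."""
    if (len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response)
            or response[1] != request[1]):
        return None
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    if response[0] != ACCESS_ACCEPT:
        return {"accept": False}
    policy = {"accept": True, "vlan": None, "dacl": None, "sgt": None}
    for t, v in parse_attrs(attrs):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            if v and v[0] <= 0x1F:   # leading byte is a tunnel tag, not data
                v = v[1:]
            policy["vlan"] = v.decode()
        elif t == VENDOR_SPECIFIC and len(v) > 6 and v[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AVPAIR):
            key, _, val = v[6:4 + v[5]].decode().partition("=")
            if key == "ACS:CiscoSecure-Defined-ACL":   # dACL name, ISE convention (illustrative)
                policy["dacl"] = val
            elif key == "cts:security-group-tag":      # SGT as hex tag-generation (illustrative)
                policy["sgt"] = val
    return policy

def demo():
    """Constructed exchange: a genuine Access-Accept, then one byte altered in transit."""
    secret = b"example-shared-secret"   # constructed; use a unique, strong secret per NAD
    req = build_access_request(secret, 7, "alice", "10.1.1.5", "00-11-22-33-44-55")
    profile = (tagged_int(TUNNEL_TYPE, 1, 13)          # 13 = VLAN
               + tagged_int(TUNNEL_MEDIUM_TYPE, 1, 6)  # 6 = IEEE-802
               + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"30")
               + cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_CORP-example")
               + cisco_avpair("cts:security-group-tag=0005-00"))
    resp = build_access_accept(secret, req, profile)
    tampered = resp[:-1] + bytes([resp[-1] ^ 0x01])   # flips the last byte of the SGT value
    return {"request_ok": verify_message_authenticator(secret, req),
            "genuine": apply_response(secret, req, resp),
            "tampered": apply_response(secret, req, tampered)}
```

Because the protocol's integrity rests on MD5 and a shared secret, treat that secret as a per-NAD credential, require Message-Authenticator on every Access-Request, and carry RADIUS between the WLC and the PSN over IPsec or RADIUS/TLS where the platform supports it; this is current practitioner guidance rather than something the course text states.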