Home > Store

CCNP Security SISAS 300-208 Official Cert Guide

Register your product to gain access to bonus material or receive a coupon.

CCNP Security SISAS 300-208 Official Cert Guide


  • Sorry, this book is no longer in print.
Not for Sale

Premium Edition eBook

  • Your Price: $55.99
  • List Price: $69.99
  • About Premium Edition eBooks
  • The Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson Test Prep practice tests.

    Your purchase will deliver:

    • Link to download the Pearson Test Prep exam engine
    • Access code for question database
    • eBook in the following formats, accessible from your Account page after purchase:

    EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    PDF The popular standard, which reproduces the look and layout of the printed page.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    eBook FAQ

    eBook Download Instructions



  • Assessment, review, and practice for the CCNP Security SISAS exam (Implementing Cisco Secure Access Solutions), fully updated to align to the new exam objectives
  • Book and CD are packed with features to help candidates master more difficult testing methods on the actual exams
  • Practice tests contain exam-realistic questions that closely mimic the difficulty of the actual exam
  • In-depth expert explanations of all protocols, commands, and technologies on the new cert exam


  • Copyright 2015
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 928
  • Edition: 1st
  • Book
  • ISBN-10: 1-58714-426-3
  • ISBN-13: 978-1-58714-426-4

CCNP Security SISAS 300-208 Official Cert Guide

CCNP Security SISAS 300-208 Official Cert Guide from Cisco Press enables you to succeed on the exam the first time and is the only self-study resource approved by Cisco. Cisco security experts Aaron Woland and Kevin Redmon share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills.

This complete study package includes

  • A test-preparation routine proven to help you pass the exam
  • “Do I Know This Already?” quizzes, which enable you to decide how much time you need to spend on each section
  • The powerful Pearson IT Certification Practice Testsoftware, complete with hundreds of well-reviewed, exam-realistic questions, customization options, and detailed performance reports
  • A final preparation chapter, which guides you through tools and resources to help you craft your review and test-taking strategies
  • Study plan suggestions and templates to help you organize and optimize your study time

Well regarded for its level of detail, study plans, assessment features, challenging review questions and exercises, video instruction, and hands-on labs, this official study guide helps you master the concepts and techniques that ensure your exam success.

Aaron T. Woland, CCIE No. 20113, is a Principal Engineer and works with the largest Cisco customers all over the world. His primary job responsibilities include Secure Access and Identity deployments with ISE, solution enhancements, standards development, and futures. Aaron is the author of Cisco ISE for BYOD and Secure Unified Access (Cisco Press) and many published white papers and design guides. He is one of the first six members of the Hall of Fame for Distinguished Speakers at Cisco Live, and is a security columnist for Network World, where he blogs on all things related to Identity.

Kevin Redmon is a Systems Test Engineer with the Cisco IoT Vertical Solutions Group, specializing in all things security.  Previously with the Cisco Systems Development Unit, Kevin supported several iterations of the Cisco Validated Design Guide for BYOD and is the author of Cisco Bring Your Own Device (BYOD) Networking Live Lessons (Cisco Press).  Since joining Cisco in October 2000, he has worked closely with several Cisco design organizations, and as Firewall/VPN Customer Support Engineer with the Cisco Technical Assistance Center (TAC).  He holds several Cisco certifications and has an issued patent with the U.S. Patent and Trademark Office.

The official study guide helps you master topics on the CCNP Security SISAS 300-208 exam, including the following:

  • Identity management/secure access
  • Threat defense
  • Troubleshooting, monitoring and reporting tools
  • Threat defense architectures
  • Identity management architectures

The CD contains 150 practice questions for the

Premium Edition

The exciting new CCNP Security SISAS 300-208 Official Cert Guide Premium Edition and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:

  • The CCNP Security SISAS 300-208 Official Cert Guide Premium Edition and Practice Test, including four complete practice exams and enhanced practice test features
  • PDF and EPUB formats of the CCNP Security SISAS 300-208 Official Cert Guidefrom Cisco Press, which are accessible via your PC, tablet, and Smartphone

About the Premium Edition Practice Test

This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with four complete practice exams. This integrated learning package:

  • Allows you to focus on individual topic areas or take complete, timed exams
  • Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
  • Provides unique sets of exam-realistic practice questions
  • Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Pearson IT Certification Practice Test minimum system requirements:

Windows XP (SP3), Windows Vista (SP2), or Windows 7;

Microsoft .NET Framework 4.0 Client;

Microsoft SQL Server Compact 4.0;

Pentium class 1GHz processor (or equivalent);

512 MB RAM;

650 MB disc space plus 50 MB for each downloaded practice exam

Sample Content

Online Sample Chapter

CCNP Security SISAS 300-208 Official Cert Guide: Authentication Policies

Sample Pages

Download the sample pages (includes Chapter 10 and Index)

Table of Contents



Introduction xxxi

Part I The CCNP Certification

Chapter 1 CCNP Security Certification 3

CCNP Security Certification Overview 3

Contents of the CCNP-Security SISAS Exam 4

How to Take the SISAS Exam 5

Who Should Take This Exam and Read This Book? 6

Format of the CCNP-Security SISAS Exam 9

CCNP-Security SISAS 300-208 Official Certification Guide 10

Book Features and Exam Preparation Methods 13

Part II “The Triple A” (Authentication, Authorization, and Accounting)

Chapter 2 Fundamentals of AAA 17

“Do I Know This Already?” Quiz 18

Foundation Topics 21

Triple-A 21

Compare and Select AAA Options 21

    Device Administration 21

    Network Access 22


    TACACS+ Authentication Messages 25

        TACACS+ Authorization and Accounting Messages 26


    AV-Pairs 31

    Change of Authorization 31

Comparing RADIUS and TACACS+ 32

Exam Preparation Tasks 33

Review All Key Topics 33

Define Key Terms 33

Chapter 3 Identity Management 35

“Do I Know This Already?” Quiz 35

Foundation Topics 38

What Is an Identity? 38

Identity Stores 38

    Internal Identity Stores 39

External Identity Stores 41

    Active Directory 42

    LDAP 42

    Two-Factor Authentication 43

    One-Time Password Services 44

    Smart Cards 45

        Certificate Authorities 46

        Has the Certificate Expired? 47

        Has the Certificate Been Revoked? 48

Exam Preparation Tasks 51

Review All Key Topics 51

Define Key Terms 51

Chapter 4 EAP Over LAN (Also Known As 802.1X) 53

“Do I Know This Already?” Quiz 53

Foundation Topics 56

Extensible Authentication Protocol 56

    EAP over LAN (802.1X) 56

    EAP Types 58

        Native EAP Types (Nontunneled EAP) 58

        Tunneled EAP Types 59

        Summary of EAP Authentication Types 62

        EAP Authentication Type Identity Store Comparison Chart 62

    Network Access Devices 63

    Supplicant Options 63

        Windows Native Supplicant 64

        Cisco AnyConnect NAM Supplicant 75

        EAP Chaining 89

Exam Preparation Tasks 90

Review All Key Topics 90

Define Key Terms 90

Chapter 5 Non-802.1X Authentications 93

“Do I Know This Already?” Quiz 93

Foundation Topics 97

Devices Without a Supplicant 97

MAC Authentication Bypass 98

Web Authentication 100

    Local Web Authentication 101

    Local Web Authentication with a Centralized Portal 102

    Centralized Web Authentication 104

Remote Access Connections 106

Exam Preparation Tasks 107

Review All Key Topics 107

Define Key Terms 107

Chapter 6 Introduction to Advanced Concepts 109

“Do I Know This Already?” Quiz 109

Foundation Topics 113

Change of Authorization 113

Automating MAC Authentication Bypass 113

Posture Assessments 117

Mobile Device Managers 118

Exam Preparation Tasks 120

Review All Key Topics 120

Define Key Terms 120

Part III Cisco Identity Services Engine

Chapter 7 Cisco Identity Services Engine Architecture 123

“Do I Know This Already?” Quiz 123

Foundation Topics 127

What Is Cisco ISE? 127

Personas 129

    Administration Node 129

    Policy Service Node 129

    Monitoring and Troubleshooting Node 130

    Inline Posture Node 130

Physical or Virtual Appliance 131

ISE Deployment Scenarios 133

    Single-Node Deployment 133

    Two-Node Deployment 135

    Four-Node Deployment 136

    Fully Distributed Deployment 137

    Communication Between Nodes 138

Exam Preparation Tasks 148

Review All Key Topics 148

Define Key Terms 148

Chapter 8 A Guided Tour of the Cisco ISE Graphical User Interface 151

“Do I Know This Already?” Quiz 151

Foundation Topics 155

Logging In to ISE 155

    Initial Login 155

    Administration Dashboard 161

    Administration Home Page 162

        Server Information 162

        Setup Assistant 163

        Help 163

Organization of the ISE GUI 164

    Operations 165

        Authentications 165

        Reports 169

        Endpoint Protection Service 170

        Troubleshoot 171

    Policy 173

        Authentication 173

        Authorization 173

        Profiling 174

        Posture 175

        Client Provisioning 175

        Security Group Access 176

        Policy Elements 177

    Administration 178

        System 178

        Identity Management 183

        Network Resources 186

        Web Portal Management 189

        Feed Service 191

Type of Policies in ISE 192

    Authentication 192

    Authorization 193

    Profiling 193

    Posture 193

    Client Provisioning 193

    Security Group Access 193

Exam Preparation Tasks 195

Review All Key Topics 195

Define Key Terms 195

Chapter 9 Initial Configuration of Cisco ISE 197

“Do I Know This Already?” Quiz 197

Foundation Topics 201

Cisco Identity Services Engine Form Factors 201

Bootstrapping Cisco ISE 201

    Where Are Certificates Used with the Cisco Identity Services Engine? 204

        Self-Signed Certificates 206

        CA-Signed Certificates 206

Network Devices 216

    Network Device Groups 216

    Network Access Devices 217

Local User Identity Groups 218

Local Endpoint Groups 219

Local Users 220

External Identity Stores 220

    Active Directory 221

        Prerequisites for Joining an Active Directory Domain 221

        Joining an Active Directory Domain 222

    Certificate Authentication Profile 226

    Identity Source Sequences 227

Exam Preparation Tasks 230

Review All Key Topics 230

Chapter 10 Authentication Policies 233

“Do I Know This Already?” Quiz 233

Foundation Topics 237

The Relationship Between Authentication and Authorization 237

Authentication Policy 237

    Goals of an Authentication Policy 238

    Goal 1–Accept Only Allowed Protocols 238

    Goal 2–Select the Correct Identity Store 238

    Goal 3–Validate the Identity 239

    Goal 4–Pass the Request to the Authorization Policy 239

Understanding Authentication Policies 239

    Conditions 241

    Allowed Protocols 243

        Extensible Authentication Protocol Types 245

        Tunneled EAP Types 245

    Identity Store 247

    Options 247

Common Authentication Policy Examples 248

    Using the Wireless SSID 248

    Remote Access VPN 251

    Alternative ID Stores Based on EAP Type 253

More on MAB 255

Restore the Authentication Policy 257

Exam Preparation Tasks 258

Review All Key Topics 258

Chapter 11 Authorization Policies 261

“Do I Know This Already?” Quiz 261

Foundation Topics 265

Authentication Versus Authorization 265

Authorization Policies 265

    Goals of Authorization Policies 265

        Understanding Authorization Policies 266

        Role-specific Authorization Rules 271

    Authorization Policy Example 272

        Employee Full Access Rule 272

        Internet Only for Smart Devices 274

        Employee Limited Access Rule 277

Saving Conditions for Reuse 279

    Combining AND with OR Operators 281

Exam Preparation Tasks 287

Review All Key Topics 287

Define Key Terms 287

Part IV Implementing Secure Network Access

Chapter 12 Implement Wired and Wireless Authentication 289

“Do I Know This Already?” Quiz 290

Foundation Topics 293

Authentication Configuration on Wired Switches 293

    Global Configuration AAA Commands 293

    Global Configuration RADIUS Commands 294

        IOS 12.2.X 294

        IOS 15.X 295

        Both IOS 12.2.X and 15.X 296

        Global 802.1X Commands 297

        Creating Local Access Control Lists 297

    Interface Configuration Settings for All Cisco Switches 298

        Configuring Interfaces as Switchports 299

        Configuring Flexible Authentication and High Availability 299

        Host Mode of the Switchport 302

        Configuring Authentication Settings 303

        Configuring Authentication Timers 305

        Applying the Initial ACL to the Port and Enabling Authentication 305

Authentication Configuration on WLCs 306

    Configuring the AAA Servers 306

        Adding the RADIUS Authentication Servers 306

        Adding the RADIUS Accounting Servers 308

        Configuring RADIUS Fallback (High-Availability) 309

        Configuring the Airespace ACLs 310

        Creating the Web Authentication Redirection ACL 310

        Creating the Posture Agent Redirection ACL 313

    Creating the Dynamic Interfaces for the Client VLANs 315

        Creating the Guest Dynamic Interface 317

    Creating the Wireless LANs 318

        Creating the Guest WLAN 319

        Creating the Corporate SSID 324

Verifying Dot1X and MAB 329

    Endpoint Supplicant Verification 329

    Network Access Device Verification 329

        Verifying Authentications with Cisco Switches 329

        Sending Syslog to ISE 332

        Verifying Authentications with Cisco WLCs 334

    Cisco ISE Verification 336

        Live Authentications Log 336

Live Sessions Log 337

Looking Forward 338

Exam Preparation Tasks 339

Review All Key Topics 339

Define Key Terms 339

Chapter 13 Web Authentication 341

“Do I Know This Already?” Quiz 341

Foundation Topics 345

Web Authentication Scenarios 345

    Local Web Authentication 346

    Centralized Web Authentication 346

    Device Registration WebAuth 349

Configuring Centralized Web Authentication 350

    Cisco Switch Configuration 350

        Configuring Certificates on the Switch 350

        Enabling the Switch HTTP/HTTPS Server 350

        Verifying the URL-Redirection ACL 351

    Cisco WLC Configuration 352

        Validating That MAC Filtering Is Enabled on the WLAN 352

        Validating That Radius NAC Is Enabled on the WLAN 352

        Validate That the URL-Redirection ACL Is Configured 353

    Captive Portal Bypass 354

    Configuring ISE for Centralized Web Authentication 355

        Configuring MAB for the Authentication 355

        Configuring the Web Authentication Identity Source Sequence 356

        Configuring a dACL for Pre-WebAuth Authorization 357

        Configuring an Authorization Profile 359

Building CWA Authorization Policies 360

    Creating the Rule to Redirect to CWA 360

    Creating the Rules to Authorize Users Who Authenticate via CWA 361

        Creating the Guest Rule 361

        Creating the Employee Rule 362

Configuring Device Registration Web Authentication 363

    Creating the Endpoint Identity Group 363

    Creating the DRW Portal 364

    Creating the Authorization Profile 365

    Creating the Rule to Redirect to DRW 367

    Creating the Rule to Authorize DRW-Registered Endpoints 368

Verifying Centralized Web Authentication 369

    Checking the Experience from the Client 369

    Checking on ISE 372

        Checking the Live Log 372

        Checking the Endpoint Identity Group 373

Checking the NAD 374

        show Commands on the Wired Switch 374

        Viewing the Client Details on the WLC 375

Exam Preparation Tasks 377

Review All Key Topics 377

Chapter 14 Deploying Guest Services 379

“Do I Know This Already?” Quiz 379

Foundation Topics 383

Guest Services Overview 383

    Guest Services and WebAuth 383

        Portal Types 384

    Configuring the Web Portal Settings 389

        Port Numbers 390

        Interfaces 391

        Friendly Names 391

    Configuring the Sponsor Portal Policies 392

        Sponsor Types 393

        Mapping Groups 396

        Guest User Types 398

    Managing Guest Portals 398

        Portal Types 399

    Building Guest Authorization Policies 400

    Provisioning Guest Accounts from a Sponsor Portal 416

        Individual 416

        Random 417

        Import 418

    Verifying Guest Access on the WLC/Switch 419

        WLC 419

Exam Preparation Tasks 439

Review All Key Topics 439

Define Key Terms 439

Chapter 15 Profiling 441

“Do I Know This Already?” Quiz 441

Foundation Topics 445

ISE Profiler 445

Cisco ISE Probes 447

    Probe Configuration 447

        DHCP and DHCPSPAN 449

        RADIUS 452

        Network Scan 453

        DNS 454

        SNMPQUERY and SNMPTRAP 455

        NETFLOW 457

        HTTP Probe 457

        HTTP Profiling Without Probes 459

Infrastructure Configuration 459

    DHCP Helper 459

    SPAN Configuration 460

    VLAN Access Control Lists 461

    Device Sensor 462

    VMware Configurations to Allow Promiscuous Mode 463

Profiling Policies 464

    Profiler Feed Service 464

        Configuring the Profiler Feed Service 465

        Verifying the Profiler Feed Service 465

    Endpoint Profile Policies 467

    Logical Profiles 478

ISE Profiler and CoA 478

    Global CoA 479

    Per-profile CoA 480

    Global Profiler Settings 481

        Endpoint Attribute Filtering 482

Profiles in Authorization Policies 482

    Endpoint Identity Groups 483

    EndPoint Policy 486

Verify Profiling 486

    The Dashboard 486

        Endpoints Drill-down 487

        Global Search 488

    Endpoint Identities 489

    Device Sensor Show Commands 491

Exam Preparation Tasks 492

Review All Key Topics 492

Part V Advanced Secure Network Access

Chapter 16 Certificate-Based User Authentications 495

“Do I Know This Already?” Quiz 495

Foundation Topics 499

Certificate Authentication Primer 499

    Determine Whether a Trusted Authority Has Signed the Digital Certificate 499

    Examine Both the Start and End Dates to Determine Whether the Certificate Has Expired 501

    Verify Whether the Certificate Has Been Revoked 502

    Validate That the Client Has Provided Proof of Possession 504

A Common Misconception About Active Directory 505


Configuring ISE for Certificate-Based Authentications 506

    Validate Allowed Protocols 507

    Certificate Authentication Profile 508

    Verify That the Authentication Policy Is Using CAP 509

    Authorization Policies 511

    Ensuring the Client Certificates Are Trusted 512

        Importing the Certificate Authority’s Public Certificate 513

        Configuring Certificate Status Verification (optional) 515

Verifying Certificate Authentications 516

Exam Preparation Tasks 520

Review All Key Topics 520

Define Key Terms 520


Chapter 17 Bring Your Own Device 523

“Do I Know This Already?” Quiz 524

Foundation Topics 528

BYOD Challenges 528

Onboarding Process 529

    BYOD Onboarding 529

        Dual SSID 530

        Single SSID 531

Configuring NADs for Onboarding 532

    Configuring the WLC for Dual-SSID Onboarding 532

        Reviewing the WLAN Configuration 532

        Verifying the Required ACLs 535

ISE Configuration for Onboarding 538

    The End User Experience 539

        Single-SSID with Apple iOS Example 539

        Dual SSID with Android Example 549

        Unsupported Mobile Device–Blackberry Example 555

    Configuring ISE for Onboarding 557

        Creating the Native Supplicant Profile 557

        Configuring the Client Provisioning Policy 559

        Configuring the WebAuth 561

        Verifying Default Unavailable Client Provisioning Policy Action 562

        Creating the Authorization Profiles 563

        Creating the Authorization Rules for Onboarding 565

        Creating the Authorization Rules for the EAP-TLS Authentications 566

        Configuring SCEP 567

BYOD Onboarding Process Detailed 570

    iOS Onboarding Flow 570

        Phase 1: Device Registration 570

        Phase 2: Device Enrollment 571

        Phase 3: Device Provisioning 572

    Android Flow 573

        Phase 1: Device Registration 573

        Phase 2: Download SPW 575

        Phase 3: Device Provisioning 576

    Windows and Mac OSX Flow 577

        Phase 1: Device Registration 578

        Phase 2: Device Provisioning 579

Verifying BYOD Flows 581

    Live Log 581

    Reports 581

    Identities 582

MDM Onboarding 583

    Integration Points 583

    Configuring MDM Integration 584

    Configuring MDM Onboarding Rules 586

        Creating the Authorization Profile 586

        Creating the Authorization Rules 588

Managing Endpoints 590

    Self Management 590

    Administrative Management 593

The Opposite of BYOD: Identify Corporate Systems 593

Exam Preparation Tasks 595

Review All Key Topics 595

Define Key Terms 595

Chapter 18 TrustSec and MACSec 597

“Do I Know This Already?” Quiz 597

Foundation Topics 601

Ingress Access Control Challenges 601

    VLAN Assignment 601

    Ingress Access Control Lists 603

What Is TrustSec? 605

What Is a Security Group Tag? 606

Defining the SGTs 607

Classification 609

    Dynamically Assigning SGT via 802.1X 610

    Manually Assigning SGT at the Port 611

    Manually Binding IP Addresses to SGTs 611

    Access Layer Devices That Do Not Support SGTs 612

        Mapping a Subnet to an SGT 613

        Mapping a VLAN to an SGT 613

Transport: Security Group Exchange Protocol 613

    SXP Design 614

    Configuring SXP on IOS Devices 615

    Configuring SXP on Wireless LAN Controllers 617

    Configuring SXP on Cisco ASA 619

    Verifying SXP Connections in ASDM 620

Transport: Native Tagging 621

    Configuring Native SGT Propagation (Tagging) 622

    Configuring SGT Propagation on Cisco IOS Switches 623

    Configuring SGT Propagation on a Catalyst 6500 625

    Configuring SGT Propagation on a Nexus Series Switch 627

Enforcement 628

    SGACL 629

    Security Group Firewalls 631

        Security Group Firewall on the ASA 632

        Security Group Firewall on the ISR and ASR 632

MACSec 632

    Downlink MACSec 634

        Switch Configuration Modes 636

        ISE Configuration 637

    Uplink MACSec 638

        Manually Configuring Uplink MACSec 638

        Verifying the Manual Configuration 640

Exam Preparation Tasks 642

Review All Key Topics 642

Define Key Terms 642

Chapter 19 Posture Assessment 645

“Do I Know This Already?” Quiz 645

Foundation Topics 648

Posture Service Overview 648

Posture Flow 649

Agent Types 650

Posture Conditions 652

CoA with Posture 654

Configuring Posture 655

    Downloading CPP Resources 656

    Client Provisioning Policy 657

    Posture Policy Building Blocks 658

        Condition 659

        Remediation 661

        Requirement 662

    Modifying the Authorization Policy for CPP 663

    Modifying the Authorization Policy for Compliance 666

    Verifying Posture and Redirect 667

Exam Preparation Tasks 675

Review All Key Topics 675

Define Key Terms 675

Part VI Safely Deploying in the Enterprise

Chapter 20 Deploying Safely 677

“Do I Know This Already?” Quiz 677

Foundation Topics 680

Why Use a Phased Approach? 680

A Phased Approach 681

    Comparing Authentication Open to Standard 802.1X 682

    Preparing ISE for a Staged Deployment 683

    Monitor Mode 685

    Low-Impact Mode 689

    Closed Mode 692

Transitioning from Monitor Mode to Your End State 695

Wireless Networks 695

Exam Preparation Tasks 696

Review All Key Topics 696

Chapter 21 ISE Scale and High Availability 699

“Do I Know This Already?” Quiz 699

Foundation Topics 702

Configuring ISE Nodes in a Distributed Environment 702

Making the First Node a Primary Device 702

Registering an ISE Node to the Deployment 703

    Ensuring the Personas of All Nodes Are Accurate 706

Licensing in a Multinode ISE Cube 706

Understanding the HA Options Available 707

    Primary and Secondary Nodes 707

        Monitoring and Troubleshooting Nodes 707

        Policy Administration Nodes 709

    Node Groups 710

Using Load Balancers 713

    General Guidelines 713

    Failure Scenarios 714

IOS Load Balancing 715

Maintaining ISE Deployments 716

    Patching ISE 716

    Backup and Restore 718

Exam Preparation Tasks 720

Review All Key Topics 720

Define Key Terms 720

Chapter 22 Troubleshooting Tools 723

“Do I Know This Already?” Quiz 723

Foundation Topics 726

Logging 726

    Live Log 726

    Live Sessions Log 728

    Logging and Remote Logging 729

        Logging Targets 729

        Logging Categories 730

    Debug Logs 731

        Downloading Debug Logs from the GUI 732

        Viewing Log Files from the CLI 733

        Support Bundles 734

Diagnostics Tools 735

    Evaluate Configuration Validator 735

    RADIUS Authentication Troubleshooting Tool 739

    TCP Dump 741

    Ensuring Live Log Displays All Events (Bypassing Suppression) 746

        Disabling Suppression 747

Troubleshooting Outside of ISE 748

    Endpoint Diagnostics 748

        AnyConnect Diagnostics and Reporting Tool 748

        AnyConnect NAM Extended Logging 751

        Microsoft Native Supplicant 752

        Supplicant Provisioning Logs 753

    Network Device Troubleshooting 753

        The Go-To: show authentication session interface 753

        Viewing Client Details on the WLC 754

        Debug Commands 755

Exam Preparation Tasks 756

Review All Key Topics 756

Part VII Final Preparation

Chapter 23 Final Preparation 759

Advice About the Exam Event 759

    Learning the Question Types Using the Cisco Certification Exam Tutorial 759

    Thinking About Your Time Budget Versus Number of Questions 760

    A Suggested Time-Check Method 761

    Miscellaneous Pre-Exam Suggestions 762

    Exam-Day Advice 762

Exam Review 763

    Taking Practice Exams 763

        Practicing Taking the SISAS Exam 764

        Advice on How to Answer Exam Questions 765

        Taking Other Practice Exams 766

    Finding Knowledge Gaps Through Question Review 767

    Other Study Tasks 769

    Final Thoughts 770

Part VIII Appendixes

Appendix A Answers to the “Do I Know This Already?” Quizzes 773

Appendix B Configuring the Microsoft CA for BYOD 795

CA Requirements 795

    Other Useful Information 795

    Microsoft Hotfixes 796

    AD Account Roles 796

Configuration Steps 796

    Installing the CA 796

    Adding the Remaining Roles 804

    Configuring the Certificate Template 809

    Publishing the Certificate Template 814

    Editing the Registry 816

Useful Links 819

Appendix C Using the Dogtag CA for BYOD 821

What Is Dogtag, and Why Use It? 821

    Prerequisites 821

        Installing 32-bit Fedora 15 821

        Configuring Networking 823

    Installing Packages with yum 825

    Configuring Proxy (if Needed) 825

Updating System Packages with yum 826

Installing and Configuring the NTP Service 826

Installing the LDAP Server 827

Installing the PHP Services 828

Installing and Configuring Dogtag 829

    Modifying the Firewall Rules (iptables) 830

    Creating a New CA Instance 830

    Enabling and Configuring SCEP 840

    Preparing Apache 841

Configuring ISE to Use the New Dogtag CA 842

    Adding Dogtag to the SCEP RA Profiles 843

Appendix D Sample Switch Configurations 845

Catalyst 2960/3560/3750 Series, 12.2(55)SE 845

Catalyst 3560/3750 Series, 15.0(2)SE 848

Catalyst 4500 Series, IOS-XE 3.3.0/15.1(1)SG 852

Catalyst 6500 Series, 12.2(33)SXJ 856

Glossary 861

Index 868



We've made every effort to ensure the accuracy of this book and its companion content. Any errors that have been confirmed since this book was published can be downloaded below.

Download the errata (52 KB .doc)

Submit Errata

More Information

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020