Cisco DoD Comply-to-Connect v1.0 (C2C-GOV)
The Cisco DoD Comply-to-Connect (C2C) training teaches you how to implement and deploy a Department of Defense (DoD) Comply-to-Connect network architecture using Cisco Identity Services Engine (ISE). This training covers implementation of 802.1X for both wired and wireless devices and how Cisco ISE uses that information to apply policy control and enforcement. It also covers supplicants, non-supplicants, the ISE profiler, authentication, authorization, and accounting (AAA), public key infrastructure (PKI) support, reporting, and troubleshooting. Finally, it covers C2C-specific use case scenarios.
How You'll Benefit
This training will help you:
- Learn how to operate, manage, configure, and troubleshoot the Cisco C2C solution
- Gain an understanding of how the Cisco ISE security components relate to the C2C architecture
- Earn 32 CE credits towards recertification
Key Components of C2C:
- Device Discovery and Identification: Automatically identifying and categorizing all devices trying to connect to the network.
- Security Posture Assessment: Evaluating the security status of these devices to ensure they meet predetermined security policies.
- Access Control: Allowing or denying device access based on compliance with security standards.
- Continuous Monitoring: Regularly checking the security posture of connected devices to respond to new vulnerabilities or non-compliance issues.
Cisco's Role in C2C with 802.1X, ISE, and Splunk:
802.1X:
- Role: Acts as a network access control protocol.
- Function: Provides authentication to devices trying to connect to a LAN or WLAN. It ensures that only authenticated users and devices can access network resources, aligning with C2C’s goal to verify and secure each connection.
Cisco Identity Services Engine (ISE):
- Role: Centralized policy management platform.
- Function: Works with 802.1X for device authentication and integrates policies for access control. Cisco ISE helps enforce compliance by applying dynamic access control policies based on the user, device, and location, supporting C2C’s need for strict access control and continuous monitoring.
Splunk:
- Role: Software platform for searching, monitoring, and analyzing machine-generated data.
- Function: Integrates with Cisco ISE to collect and analyze data from network devices. Splunk helps in identifying trends, generating security alerts, and providing actionable insights into network health and security. It’s a vital tool for the continuous monitoring aspect of C2C, enabling the DoD to quickly respond to security incidents and maintain compliance across its networks.
How They Work Together:
- Authentication: When a device tries to connect to the network, 802.1X helps authenticate it, ensuring it’s a recognized and authorized device.
- Policy Enforcement: After authentication, Cisco ISE checks whether the device complies with security policies. If the device is compliant, ISE permits access; otherwise, it restricts network entry or limits capabilities.
- Monitoring and Compliance: Splunk continuously analyzes data from Cisco ISE and other network elements to monitor compliance and alert on any deviations or potential security threats.
In summary, Cisco’s 802.1X, ISE, and Splunk are integral to the C2C framework, ensuring that all devices on the DoDIN are authenticated, comply with security policies, and are continuously monitored for threats and vulnerabilities. This integrated approach helps the DoD maintain a robust security posture as part of its move towards a Zero Trust Architecture.
Course Objectives
- Define DoD C2C, including its steps and alignment with ISE features/functions and Zero Trust
- Describe Cisco Identity-Based Networking Services
- Explain 802.1X extensible authentication protocol (EAP)
- Configure devices for 802.1X operation
- Configure access for non-supplicant devices
- Describe the Cisco Identity Services Engine
- Explain Cisco ISE deployment
- Describe Cisco ISE policy enforcement concepts
- Describe Cisco ISE policy configuration
- Explain PKI fundamentals, technology, components, roles, and software supplicants
- Troubleshoot Cisco ISE policy and third-party network access device (NAD) support
- Describe Cisco ISE TrustSec configurations
- Describe the Cisco ISE profiler service
- Describe profiling best practices and reporting
- Configure endpoint compliance
- Configure client posture services
- Configure Cisco ISE device administration
- Describe the four main use cases within C2C
This training is a Department of Defense mandate, ensuring compliance with cybersecurity protocols and procedures. The target audience includes individuals seeking the knowledge and skills involved in deploying, operating, and verifying Cisco DoD C2C network architecture, such as:
- Network Security Engineers
- Network Administrators
- Security Administrators
There are no prerequisites for this training. However, the knowledge and skills you are recommended to have before attending this training are:
- Familiarity with 802.1X
- Familiarity with Microsoft Windows Operating Systems
- Familiarity with Cisco IOS CLI for wired and wireless network devices
- Familiarity with Cisco Identity Services Engine
The following recommended Cisco offering may help you meet these prerequisites:
- Implementing and Operating Cisco Security Core Technologies (SCOR)
Module 1: C2C Fundamentals
Module 2: Cisco Identity-Based Networking Services
Module 3: 802.1X EAP Authentication
Module 4: Configure Devices for 802.1X Operation
Module 5: Configure Access for Non-Supplicant Devices
Module 6: Introducing Cisco ISE Architecture
Module 7: Introducing Cisco ISE Deployment
Module 8: Introducing Cisco ISE Policy Enforcement Components
Module 9: Introducing Cisco ISE Policy Configuration
Module 10: PKI and Advanced Supplicants
Module 11: Troubleshooting Cisco ISE Policy and Third-Party NAD Support
Module 12: Exploring Cisco TrustSec
Module 13: Introducing the Cisco ISE Profiler
Module 14: Introducing Profiling Best Practices and Reporting
Module 15: Introducing Cisco ISE Endpoint Compliance Services
Module 16: Configuring Client Posture Services and Compliance
Module 17: Working with Network Access Devices
Module 18: C2C Use Cases
LAB OUTLINE
- Configure and Test 802.1X Operations
- Configure Initial Cisco ISE Configuration and System Certificate Usage
- Integrate Cisco ISE with Active Directory
- Configure Cisco ISE Policy for MAB
- Configure Cisco ISE Policy for 802.1X
- TEAP on Windows
- Configure Cisco TrustSec
- Configure Profiling
- Customize the Cisco ISE Profiling Configuration
- Create Cisco ISE Profiling Reports
- Configure Cisco ISE Compliance Services
- Configure Client Provisioning
- Configure Posture Policies
- Test and Monitor Compliance-Based Access
- Configure Cisco ISE for Basic Device Administration
- Configure Cisco ISE Command Authorization
- DISA Reports
- Certificate-Based Authentication for Cisco ISE Administration
Number of CLCs: 50
Duration: 5 Days
Certification Exam: N/A
CE Credit: 32