MrR0b0t

CCIE Security v5 Lab Exam Strategy

BUCKLE UP GUYS! THIS IS GOING TO BE A DOOZY RIDE!

Many parts of this will not exactly be compulsory requirements or instructions but rather a suggested method for attempting the exam. There are several things that one can change, or use a method however they see fit or are comfortable with.

This is based on TS1/Diag1, and Config is still the same everywhere.

I believe every location has very minor changes in Config, but that's solely dependent upon the rack setup the specific location has: minor changes like interface mapping or devices preconfigured with something. Some locations might have a particular thing preconfigured while others might not, but nothing alarming. You should be able to figure that part out easily if you know what you are doing.

 

Troubleshooting:

This section is pretty straightforward and does not seem to have had any major updates in questions or topology. If you have practiced the workbooks, you should be able to finish TS within an hour.

In fact, your strategy should be to finish TS within an hour and start the next Diag section immediately, because you will need that saved hour in Config later.

 

 

Regarding the questions and configurations:

The questions will definitely be the same unless you get a new version of TS, BUT the number of breaks or configurations provided can be different from what you get in the workbooks, so there are very small changes. For example, in the lab devices might have interfaces "administratively down", but that might not have been mentioned in the workbook.

1. I would suggest that whichever device the question is asking you to troubleshoot, ALWAYS start your attempt by running "show ip int brief" (or "sh int ip brief" for ASAs) and verify that all the configured interfaces are UP.

2. I noticed that many of the questions in TS actually involve troubleshooting dynamic routing, so the second step should be a quick look at the neighbor relationships on the particular device based on the topology.

3. Many of the routers will have diagnostic messages popping up complaining about authentication failure, so even if in your lab the diagnostics are off, verify that the dynamic routing config matches on both ends. There will be 2 or 3 questions with either a password mismatch or a password not defined at all at one end. Refer to the workbook for the exact number.

OR better yet, to save even more time, as soon as you have realized that you got TS1, start fixing the breaks as per the workbook you are following (e.g. Rahul Kashyap or PSL etc.). If you have practiced the workbooks enough, you should be able to do it from memory.

 

 

Diagnostics:

Important Note:

The only important thing that you should do in this section, since this section is a fixed 1 hour, is this: as soon as you have realized which Diag version you have received, mark your answers accordingly. The Diag questionnaire will be opened on one screen in fullscreen view, but you will have the other one available, and as soon as you are done with marking answers, open Notepad and start writing the commands needed in the Config section from memory. For example ASAv tasks 1.1a and 1.1b: those should be easy to memorize, and if you do it for one question the second one is the same command set with different IP addresses; likewise the required command set of any other questions that you can do from memory.

Utilize your remaining Diag time doing that. Later, in the Config section, you can just start copy-pasting, but of course it goes without saying: PLEASE double check that your commands match the question's requirements, e.g. IP addresses or interface names.

BUT do not just mark answers blindly; refer to the material provided. If you have practiced and worked enough with all the topics, and especially practiced a lot with the Config section, you should easily be able to figure out the problem from the data provided.

Although I must say there are several questions for which the provided data does not make any sense and you have to go with the memorized answer from the Diag dump.

 

Let me break down the Diag1 questions:

1. The answer is "Radius Shared key is Incorrect."

Reason: The question mentioned that Auth is failing with a "Radius Request Dropped" error, and in the Email Exchange provided there will be an Error Statement along with the code "Radius attribute not accepted" or something along those lines. If you test this in the lab with a mismatched RADIUS key between ISE and the SW, you should see these diagnostics on the SW CLI.

2. Another easily identifiable question from the data provided. The Redirect ACL will have the line "deny udp any any eq ....", so basically the redirect ACL is not allowing DNS UDP traffic at all, so no redirection is occurring to the ISE guest portal site.

3. This can also be tested in the lab: if you enable the option under Dot1x Windows Machine Interface Adapter --> Authentication --> Settings --> "Verify the server's identity by validating the certificate", then in the ISE live logs, open the log report and you should see the 5400 Authentication Error. This problem will occur if you have this option enabled and the client machine does not have the ISE self-signed CA certificate imported under its Trusted Root CA repository. It's the same as the Config section Dot1x task where you are instructed to turn that option off.

4. This can also be verified from the Authorization Policy screenshot provided in the exam; for reference, refer to this Configuration Example Article:

 


 

Take a look at the authorization policy and the rules. The first rule "2nd Auth" is the one required to assign the actual VLAN to the user after they have authenticated on the Guest portal, which was done via Redirection in the third rule "MAC not known".

BUT in the exam, the authorization rule which would match the "Network Access:Use EQUALS Guest Flow" condition has its permission set to the "Workstation" group and the CWA Profile again, which is causing the Redirection over and over again.

5. A screenshot will be provided of the ISE --> Profiling Configuration tab which will have only RADIUS-type probes enabled, which are obviously not enough to profile a Windows machine.

6. There will be a screenshot of a Command set which will have the argument "all" defined for the command "show", which is wrong because, well, there is no such command as "show all".

7. Now this question I find most troubling because, from the provided data, the different output of commands and process details do not really indicate what the problem is, so this one I memorized: "L4 Traffic Monitoring Feature is on....".

I think the reason why this answer is correct is because there is only one other likely answer, which is "One of the DNS servers might be issue", but the logs/output provided in the question show that the device is able to resolve the site name. It shows nslookup output.

8. I believe the hint for this answer, "Configure Default decryption policy pass-through", is actually provided in the error output, where there is a Certificate Bitmap Error which I believe is caused if there is a MITM scenario, or in other words some intermediate device doing TLS inspection/decryption/encryption. This is also mentioned in one of the Cisco documents: web servers, e.g. some of the Microsoft sites, do not like some firewall decrypting and encrypting traffic, and one needs to define Decryption Pass-through or exceptions.

9. Also visible in the logs output, where it says that the first certificate is not verified. You will see there is only one certificate coming in and no other intermediate one.

10. The config outputs provided will show that the SBRS score is included in the Blacklist and should be in the suspectlist. And the reason why is here:

 


 

"Note: Cisco does not recommend that you reject or drop connections from SBRS "none" senders. If there were an issue that prevents a connection to the highly redundant farm of SBRS servers, your Cisco Email Security Appliance (ESA) would drop all of your inbound mail. In most cases, you should either use an ACCEPT or THROTTLE mail flow policy instead"

 

Basically a NONE score does not mean that the sender is bad; it's just that it has not been classified, so blacklisting/dropping is not the right approach.


 

I have not seen data from other Diag versions (Diag2 and variants), so I cannot really define the logic of the answers in those, but I am sure the logic should be the same. If you look at the data provided in the questions carefully and then match every answer provided to it, you should be able to identify the right answer; unless, of course, you are sure about the received Diag version, then go crazy and mark answers based on your memory.

 

 

Configuration:

Alright, so this is the fun part. I am going to share the method and order that I would highly recommend.

First, as soon as you see that you got the same config and everything, which is highly likely since there is only one version of Config yet, start with ISE first. All the questions that involve ISE are as follows:

3.5, 4.1, 4.2, 4.3, 4.4, 5.2

Doing everything on ISE in one go and first will save you a lot of time, because otherwise doing the ISE config separately for every question you encounter will require unnecessary back-and-forth navigation.

 

Step 1:

As mentioned in Rahul's config WB, disable password policy settings if needed, disable profiling probes, disable the VMware-Device profiling policy, and disable suppression of authentication attempts under Protocol Radius. Refer to Rahul's WB; you will see what options I am referring to above.

Now start reading and verifying all those 6 questions to check whether the details are the same.

 

Step 2:

Define the AD join point based on the details in question 4.3 and also add your AD point under the Identity Source Sequence "All_user_ID_Stores". Internal Users should be first in order and second should be your defined AD point.

Note: Most likely there will be one AD point already defined on ISE; check if it already points to the cisco.com AD domain, otherwise just do not touch it and add your own AD point.

 

Step 3:

Define Security Groups --> PC1 and PC2 based on questions 4.2 and 4.4.

 

Step 4:

Define Authorization profiles. Essentially you will need 5 profiles in total --> MAB_PC, Dot1x_PC, R1_SSH, AP_Prof, and the fifth one (questions 4.2, 4.3, 4.4, 5.2) needed is for the IP Phone, but for that you can use the system default Cisco_IP_Phones, as it already has the required settings asked for in the question, which are a DACL permitting ALL traffic plus the Voice domain attribute selected. Of course, if the question asks you to add something else then create your own accordingly. Also, it would still be a good idea to verify that the system-defined profile has all the settings needed as mentioned above.

 

Step 5:

Define Network Devices. Refer to questions 3.5, 4.1, 4.2, 4.3, 4.4, 5.2 for details and verify the IP addresses from the topology (MGMT VLAN 150). You will need 4 devices in total: ASA1V, SW2_P, R1 and ASA3 (do not forget to generate the PAC file before saving).

 

Step 6:

Define Identity Groups.

3 User ID groups --> Anyconnect_Group, Dot1x_group, Lab_Admin (questions 4.1, 4.2 and 4.3 respectively)

You will need 3 Endpoint ID Groups in total --> MAB_PC Group, Cisco-IP-Phone, Cisco-Air AP. For two of these you can use the default system elements. E.g. Cisco-IP-Phone will already be there, but for the AP group you can either create your own OR, if you navigate to Policy --> Profiling --> enable the corresponding Group for Cisco AIR AP, it will become available in the list. The instructions for doing this are in Rahul's WB.

Now, the MAB PC MAC address you can get right away by logging into the MAB PC machine and checking under the interface adapter.

NOTE: some people might face the issue where the MAB_PC MAC address is already profiled and listed in the Endpoints list, and if you try to add a new endpoint there it will throw the error "endpoint already defined", or if you try to edit the current endpoint it will throw the error "You are not authorized to edit this endpoint". Also deleting the endpoint might not work, so the workaround is to open the defined MAB_PC Endpoint Identity Group and add the MAC from there.

Even if this does not work, then simply use the Vmware-Device group element in the authorization rule later, because the MAC address will be profiled as Vmware-Device.

For the AP and IP phone MAC addresses, you will get those after you enable authentication on the SW interface and turn it on. The first auth attempt will fail, but that will get you the MAC addresses. You can also run the show CDP neighbor command and see the phone ID "SEP<mac address>"; that will help you identify the MAC address of the device. Also you can see the failed addresses under "show auth session".

Shutdown the interface --> disable the MAB PC adapter --> add the MAC addresses under the MAB PC and Cisco-IP-Phone groups. Do not turn the interface back up until you have configured the Authentication and Authorization rules. Basically, you can do this step of adding the MAC addresses once you have done the SW configuration when you get to that question.

I would suggest keeping the MAB PC adapter disabled and letting the IP Phone get authenticated and also receive an IP address first.

Similarly for the Dot1x PC, do the adapter authentication settings first before enabling the SW interface, and keep it disabled. Enable the adapter once you have done the SW config.

 

Step 7:

Define users. 3 users in total --> admin1 (question 4.3; assign it to the Lab_Admin ID group and DO NOT forget to choose the AD point for the password), ccie (4.2; assign it to the Dot1x group), cisco (4.1; Anyconnect ID group).

Step 8:

Define Authentication Rules. Essentially 4 rules in total will be needed. Check the screenshots attached for reference.

Step 9:

Define Authorization rules. You will need 6 rules in total. Check the screenshots attached for reference.

 

 

NOW ORDER OF ATTEMPTING QUESTIONS and TIPS:

1. 1.4 (you can verify right away that EIGRP between R1 and R2 comes up)

2. 2.1 (do all the config needed on the WSA first, which includes question 2.2 as well, and then do the router-side config)

3. 2.2

4. 1.1a

NOTE: perform all basic network config as per the requirements on ASA1v but do not ENABLE FAILOVER YET. Assign only a single IP address on the ASA11V management interface (150.1.7.54); this will be needed to copy files onto the ASA11V node.

5. 4.1

NOTE: Once you are done with the AnyConnect config, retrieve the client profile XML file via TFTP and copy it to the AnyConnect client_PC and also to the ASA11v node. In some locations, you might also need to copy the AnyConnect image file onto the ASA11v node. ASA1v might already have it. Otherwise it will be on the Candidate PC, so copy it onto both nodes.

Once you are done with the AnyConnect config, and the XML file plus AnyConnect image are uploaded to ASA11V, enable failover now.

The reason behind enabling failover after the AnyConnect config and copying the XML file onto the ASA11v node is that without those files, the ASA11v node will not apply the "anyconnect image and profile" commands under webvpn, because it cannot reference files which are not there. EVEN if you copy the files afterwards, the wr mem replication will still not add those two lines; you will need to run "write standby" on the active node to do a full replication.

Now for connecting AnyConnect, make ASA11v active first and connect AnyConnect, in order to verify that it connects to the ASA11v node as well. Once tested and the Server1/Server2 redirection is verified (questions 2.1 and 2.2), disconnect AnyConnect, make ASA1v active and then connect AnyConnect. This will basically save you one round of connecting AnyConnect to ASA1v, then testing on ASA11v and then going back to ASA1v, as it should be left connected to the ACTIVE ASA1V node.

!!!!!!!!!!!!!!!!!! Around the time you are performing the above tasks, if there is something loading or you are waiting idle, then enable Multiple Mode on ASA1, ASA2, ASA3, ASA4, as that will require a reboot, so the nodes will be ready by the time you get to their question !!!!!!!!!!!!!!!!!!!!!!!!!!!

 

6. 1.1b

NOTE: Same logic here: do the network config but do not enable failover. Also no need to assign an IP on ASA22V, as this does not require copying anything onto the nodes.

7. 3.1

Once you are done with this task, enable failover from question 1.1b. And use the same logic/order for connecting to the SSL VPN site as above: make ASA22v active first to test and then go back to ASA2v. MORE IMPORTANT: make sure that both nodes have created the gateway certificate ("show crypto ca certificates"). Sometimes if you enable failover before doing the SSL config, the nodes might not replicate the gateway certificate. So when you connect to the SSL portal with ASA22V, it would still work with the default system self-signed certificate, but one would not notice it unless checked. So verifying the certificate's presence on both nodes is important.

 

 

8. 1.2

9. 3.4 (because you can verify tasks 1.2 and 3.4 right away)

10. 5.3 (do this task now because it's better to synchronize clocks before generating certificates for task 3.2)

11. 3.2

12. 3.3

13. 1.3

14. 3.5

NOTE: Before starting this task, run the following commands.

On ASA3:

"clear cts pac"
"clear cts environment-data"

On SW2_P:

"clear cts pac"
"clear cts environment-data"
"clear cts credentials"

15. 4.4

Note: As mentioned above, disable the MAB_PC adapter after getting the MAC address and add it to the MAB_PC group on ISE. Enable the adapter after you have done the SW2_P config and authenticated the phone.

16. 4.2

17. 5.2

18. 4.3

19. 5.1

20. 2.3

Note: The last 3 tasks are independent and small tasks, so you can do them whenever you see fit.

 

 

In order to make sense of most of the details above, you will need the resources Rahul provided in this post.

 

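An added illustration of the ASA failover ordering the post describes for tasks 1.1a, 4.1 and 3.1; these are not the author's commands or any workbook's, and the interface names, FOLINK addresses, TFTP server address and file names are assumptions:

```text
! Assumed: ASA1v = primary/active, ASA11v = secondary/standby, both on MGMT VLAN 150.
! The TFTP server 150.1.7.100 is a placeholder; the file names are assumed.

! 1) On BOTH units, before failover, while ASA11v still has its own temporary
!    management IP (150.1.7.54 in the post), pull the AnyConnect image and profile.
copy tftp://150.1.7.100/anyconnect-win-4.x.pkg disk0:/anyconnect-win-4.x.pkg
copy tftp://150.1.7.100/client_profile.xml disk0:/client_profile.xml
! Confirm both files exist on each unit before referencing them anywhere.
dir disk0:

! 2) On ASA1v only: reference the files under webvpn. These are the two lines
!    the standby skips if the files are missing from its own flash.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.x.pkg 1
 anyconnect profiles client_profile disk0:/client_profile.xml
 anyconnect enable

! 3) Only now enable LAN-based failover. On ASA1v:
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
! On ASA11v (same FOLINK lines, but as secondary); the running config,
! webvpn included, is then replicated from the active unit:
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover

! 4) Verify on the STANDBY unit that the webvpn lines actually arrived.
show failover
show running-config webvpn
! If the files reached the standby only after failover was already enabled,
! "write memory" alone does not back-fill the two anyconnect lines; force a
! full replication from the ACTIVE unit instead:
write standby

! 5) Same trap for the SSL VPN gateway certificate (task 3.1): check both units.
show crypto ca certificates
```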

Stupendous effort in writing down the details. This is as good as it will ever get guys. This will definitely help you to get your number. Thank you.


Solid post; the idea of configuring ISE all in one go is great. Saves a lot of time.

In regards to Authentication Policies & Authorization Policies:

The instructions are really vague.

I believe that the RADIUS-NAS-IP attribute is required only in the Authorization policy.

Also, Task 1.3 for ASA Clustering is missing from your list :)



Hey, I think in sequence 13 he means 1.3 instead of 1.4.



Yeah, that's correct, I mistyped number 13. It should be 1.3. I will update.

And regarding authorization rules, that's correct that most of the questions only ask for authorization based on NAS IP address, except question 4.3 where it asks to check the group as well. For the others, it's really up to you if you want to use additional condition elements or not.


Amazing post and effort in laying out the details. Thanks a ton, and thanks for helping all the Security folks here in the community.


Thank you so much for this great post!

Just one thing for this part: "Step 7: Define users. Total 3 users --> admin1 (question 4.3 and assign it to Anyconnect ID group DO NOT forget to chose ADpoint for the password), ccie (4.2 and assign it to dot1x Group), cisco (4.1 anyconnect ID group)."

I assume that you wanted to write Lab_Admin instead of Anyconnect group for the user called admin1.



Yes, that's correct. I will update that.


Still confused regarding the WSA "system setup wizard" configuration in the real lab. Do I need to configure it, or will it be pre-configured?


You do need to run the wizard. It's pre-configured. Network and route config are already done, but it wouldn't hurt to verify that the routes are in place. Essentially it needs one default route pointing towards R2.

And also under "Web Proxy" you need to add 8080 along with the default 80 that is already there. The rest of the config is asked for in the tasks.
