Passed Exam Today 350-701

accomplish the task is to install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence within Cisco ISE. This will allow the engineer to integrate Cisco ISE with Cisco DUO for TACACS+ device administration using Active Directory as the primary authentication source and Cisco DUO as the secondary authentication source for multi-factor authentication (MFA). The steps to configure this solution are as follows12:

• Install and configure the Cisco DUO Authentication Proxy on a Windows or Linux machine. The proxy will act as a RADIUS server that communicates with Cisco ISE and a RADIUS client that communicates with Cisco DUO cloud. The proxy will also connect to Active Directory for the primary authentication of the users.
• Configure the proxy by editing the authproxy.cfg file. The file should include the following sections:
• Restart the proxy service after saving the authproxy.cfg file.
• Configure Cisco ISE as a TACACS+ server and add the proxy as an external RADIUS server. The steps are as follows:
• Configure the network devices to use TACACS+ for device administration and specify Cisco ISE as the TACACS+ server and the proxy as the RADIUS server. The configuration commands may vary depending on the device type and model, but the general syntax is as follows:
• aaa new-model
• aaa authentication login default group tacacs+ local
• aaa authorization exec default group tacacs+ local
• aaa accounting exec default start-stop group tacacs+
• tacacs server ISE
• address ipv4
• key
• radius server DUO
• address ipv4 auth-port
• key
• Test the solution by logging into the network devices using Active Directory credentials. The user should receive a Cisco DUO prompt for the second factor authentication, such as a push notification, a phone call, or a passcode. After approving the second factor authentication, the user should be granted access to the device with the appropriate privileges based on the TACACS profile and the Active Directory attributes.

References := 1: Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users - Cisco Community 2: Protecting Access to Network devices with ISE TACACS+ and DUO MFA - Cisco Community

The Cisco Identity Services Engine (ISE) posture module provides several actions that ensure endpoint security. Two of these actions are:

• Assignments to endpoint groups are made dynamically, based on endpoint attributes. This means that ISE can assign endpoints to different identity groups or roles, depending on the results of the posture assessment. For example, ISE can assign an endpoint to a compliant group if it meets all the posture requirements, or to a quarantine group if it fails the posture assessment. This allows ISE to enforce granular access policies based on the endpoint’s posture status and attributes, such as operating system, device type, location, etc.
• The latest antivirus updates are applied before access is allowed. This means that ISE can check if the endpoint has the most recent antivirus definitions installed, and if not, it can remediate the endpoint by applying the latest updates. This ensures that the endpoint is protected from the latest malware threats and vulnerabilities, and reduces the risk of infection and compromise.

References:

• Cisco Identity Services Engine Administrator Guide, Release 2.2, Configure Client Posture Policies
• Configuring Posture Policies, Antivirus Compound Condition
• Which two actions does the Cisco Identity Services Engine posture module provide that ensures endpoint security?

Mobile device management (MDM) is a solution that allows organizations to manage and secure mobile devices such as smartphones and tablets. MDM can provide two security benefits:

• Robust security policy enforcement: MDM can enforce strong security practices and hygiene by defining unified settings that can be applied across your fleet. This centralized software ensures all devices are continuously staying in compliance. For example, MDM can configure settings like full-disk encryption, screen locks, password policies, device restrictions, VPN, firewall, antivirus, and more. MDM can also prevent unwanted or risky software from being installed, and remotely lock or wipe devices if they are lost, stolen, or compromised1.
• Privacy control checks: MDM can help organizations stay compliant with privacy regulations and protect sensitive data from unauthorized access. MDM can segment personal and corporate data on devices, and selectively wipe only corporate data when needed. MDM can also monitor device usage and location, and alert administrators of any suspicious or anomalous behavior. MDM can also provide secure containers for sensitive documents and content, and encrypt data in transit and at rest23.

References:

• 1: 5 benefits of implementing a Mobile Device Management (MDM) platform - CyberOne
• 2: Top Six Benefits of Mobile Device Management - N-able
• 3: Mobile device management 101: Why it matters and how to deploy - Vanta
• 4: MDM and security: here is everything you should know - Blog Appaloosa

Microsegmentation is a network security technique that enables security architects to logically divide the data center or cloud environment into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment. Microsegmentation software with network virtualization technology is used to create zones in cloud deployments. These granular secure zones isolate workloads, securing them individually with custom, workload-specific policies. Microsegmentation uses a zero-trust model, which means that no traffic is allowed by default, and only explicitly authorized traffic is permitted based on the principle of least privilege. Microsegmentation helps to reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance. The other options are incorrect because they do not describe microsegmentation accurately. Option B is incorrect because container orchestration platforms, such as Kubernetes, are used to automate the deployment, scaling, and management of containerized applications, but they do not provide microsegmentation by themselves. Option C is incorrect because private VLAN segmentation is a network security technique that isolates hosts within the same VLAN, but it does not provide granular security controls at the workload level. Option D is incorrect because host-based firewall rules are one of the components of microsegmentation, but they are not sufficient to implement microsegmentation without network virtualization and policy automation. References : What Is Microsegmentation? - Palo Alto Networks, What Is Micro-Segmentation? - Cisco, What is Micro-Segmentation? | VMware Glossary