CISCO ISE Interview Questions
Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. The unique architecture of Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. The administrator can then use that information to make proactive governance decisions by tying identity to various network elements including access switches, Wireless LAN controllers (WLCs), Virtual private network (VPN) gateways, and data center switches.
 
Cisco ISE is a key component of the Cisco Security Group Access Solution.
 
Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions :
 
• Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance

• Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both

• Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments

• Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network

• Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed

• Employs advanced enforcement capabilities including security group access (SGA) through the use of security group tags (SGTs) and security group access control lists (SGACLs)

• Scales to support a range of deployment scenarios, from small office to large enterprise environments

The following key functions of Cisco ISE enable you to manage your entire access network.
With an increased number of users and devices accessing networks remotely, protecting an organization's data from network security breaches becomes more complex. Administrators can use Cisco Identity Services Engine to control who has access to their network and ensure authorized policy-compliant devices are being used. IT administrators can use ISE for policy enforcement, visibility, granting guest access to the network, threat containment, tool integrations, device administration and bring-your-own-device (BYOD) management.
 
Cisco ISE can authenticate wired, wireless and virtual private network (VPN) users. Authorized and unauthorized users are logged so administrators can view who and which devices are connected to their network at any time. Administrators can also configure network devices with IPv6.
Cisco Identity Services Engine is available as a physical appliance or as software that runs on VMware; each instance is called a node. Cisco ISE is made up of the following deployment nodes :
 
Policy Administration Node. This node enables admins to log into and configure policies and system-related configurations. Once configured, changes are pushed out to policy services nodes.

Monitoring Node. This node collects logs and generates reports. Events that happen within the ISE topology are logged to this node.

Policy Service Node. This node provides network access, provisioning, profiling, posture and guest access services.

pxGrid Node. This node exchanges context-based sensitive data from the Cisco ISE session directory with other ISE network systems and Cisco products. The pxGrid node enables ISE to transfer data to other software.
Cisco ISE helps to protect networks from cyber attacks using the following features :
 
Access control : Provides access control options that include downloadable ACLs, VLAN assignment, URL redirection and security group ACLs.

Centralized management : This enables administrators to configure, manage and authenticate users and devices in one location.

Cisco DNA Center integration : This network controller and management dashboard can integrate with ISE to act as an analytics platform for networks. DNA Center can also aid in the design, provisioning and application of policies. These policies can then be applied to users and applications instead of network devices.

Contextual identity and business policies : These policies include authentication, device identity, posture validation, as well as user and endpoint identity attributes.

Cisco TrustSec and Group-Based Policy : This includes a segmentation controller that manages switch, router, wireless and firewall rules.

Device profiling : Cisco Identity Services Engine can create custom device templates that automatically detect, classify and associate administration identities.

Monitoring and troubleshooting : ISE users can access a web console for monitoring, reporting and troubleshooting.
Cisco Identity Services Engine offers the following benefits :
 
Centralized network access control (NAC) : All of an organization's network access points can be controlled from one centralized location.

Simplified network visibility : ISE stores detailed attribute histories of all endpoints and users connected to a network.

Threat containment : ISE matches endpoints with attributes like users, location, threat and vulnerability, which enable administrators to choose who and what devices to allow on a network.
* Compliance is enforced by client provisioning and assessing the device posture at all endpoints.

* Enforcement capabilities such as Cisco TrustSec are provided using security group tags and security group access control lists (ACLs).

* The Terminal Access Controller Access-Control System security protocol provides device administration and handles remote authentication.
Cisco Systems' network access control (NAC) solution is Cisco ISE. Cisco ISE (Identity Services Engine) is a RADIUS-based policy server, which enables Cisco to support authentication in heterogeneous network infrastructure environments.
 
Cisco ISE supports 802.1X and guest provisioning, and the Advanced package supports endpoint baselining, granular identity policies and other more sophisticated features. A Wireless package supports advanced functionality for wireless devices only. Cisco wired and wireless customers should consider ISE, especially when the Cisco AnyConnect endpoint client will be in use.
Network access control (NAC), also called network admission control, is a method of strengthening the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.
 
Under NAC, end devices are authenticated before they are allowed onto the network. While a computer is being checked by an installed software agent, it can only access resources that can remediate any issues.
 
Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined in the NAC system. NAC is mainly used for endpoint health checks, but it is often tied to role-based access.
Cisco ISE conforms to the following RFC Standards :
 
* RFC 2138 : Remote Authentication Dial In User Service (RADIUS)
* RFC 2139 : RADIUS Accounting
* RFC 2865 : Remote Authentication Dial In User Service (RADIUS)
* RFC 2866 : RADIUS Accounting
* RFC 2867 : RADIUS Accounting Modifications for Tunnel Protocol Support
* RFC 5176 : Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
Aruba Networks' NAC solution is named ClearPass; it is a RADIUS-based solution available as a hardware or virtual appliance.

Among the strengths of Aruba's 802.1X innovations is a certificate authority built into ClearPass, which eases BYOD implementations by not requiring an external certificate authority. The ClearPass Onboard module provides the ability to revoke and delete certificates.

ClearPass offers a strong guest network application. Guest portals can be customized with a wide range of options, including localized language support. Granular policies allow guests to share printers and projectors that use Apple's Bonjour protocol.
Cisco's industry-leading firewall solutions provide deep visibility and context across networks from the endpoint to the cloud.
 
For example, let’s take a look at what happens when a user inserts a USB drive into a corporate laptop that is protected by Cisco security solutions. For starters, Cisco Advanced Malware Protection (AMP) automatically detects, blocks and removes any malware, and the results can be shared with the firewall’s Firepower Management Center (FMC). At the same time, Cisco Identity Services Engine (ISE) sends user identity information and metadata (including device type and security group tags) to the firewall FMC, which provides granular visibility and control. This includes the ability to create firewall policies for specific device types (e.g., Apple or Samsung devices) and enables FMC to differentiate between corporate and personal devices. 
 
The firewall can then direct ISE to take action, including the shutdown of a specific switch port, tagging traffic from a device that has a quarantined system tag, and more. This is just one example since the firewall FMC can use a wide range of criteria to determine if a device is a threat and then direct ISE to take appropriate action.
 
Today the firewall is more relevant than ever, and we need to think about it from a fresh perspective. We must go beyond form factors and physical or virtual appliances to embrace firewalling as a functionality. Firewalling needs to be about delivering world-class security controls, the key elements for preventing, detecting, and blocking attacks faster and more accurately, all with common policy and threat visibility delivered everywhere you need it, including the data center, private cloud, and public cloud environments.
Advanced malware protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware.

Advanced malware's goal, in general, is to penetrate a system and avoid detection. It usually has a specific target, most often an organization or enterprise, with the objective of financial gain. It might also target similar organizations within the same industry, such as several companies in the field of insurance or finance. Advanced malware can take the form of common malware that has been modified to increase its capability to infect.
Once loaded onto a computer system, advanced malware can self-replicate and insert itself into other programs or files, infecting them in the process. It can even lay dormant for a time. Advanced malware can also test for conditions of a sandbox meant to block malicious files and attempt to fool security software into signaling that it is not malware.
Advanced malware protection is primarily designed to help organizations prevent breaches caused by advanced malware. The damage from such breaches can range from losing a single endpoint to incapacitating an entire IT infrastructure, causing loss of productivity to employees and potentially interrupting customer services and product sales and support.
Prevention : Traditional antivirus (AV) software relies heavily upon detecting the signature, or binary pattern, of a virus to identify and prevent damage from malware. But most malware authors stay a step ahead of such software by writing oligomorphic, polymorphic, and more recently metamorphic viruses, which use obfuscation techniques such as encrypting parts of themselves or otherwise modify themselves so as to not match virus signatures in the antivirus database.
 
Endpoint security that employs advanced malware protection blocks known malware exploits accurately and efficiently without being solely dependent on signatures. Conversely, legacy AV solutions can be blind to malware in zip and other formats, as well as fileless malware, and fail to catch advanced threats.
 
Detection : Around 2013, the security industry's focus began to shift toward signature-less approaches to antivirus protection. Traditional antivirus solutions may struggle to accurately detect low-prevalence threats. But endpoint security that employs continuous monitoring of all file activity results in faster detection of new threats.
 
New antivirus capabilities were developed to detect and mitigate zero-day attacks and other, more sophisticated malware. Some of these next-generation capabilities include:
 
* Behavior-based malware detection, which builds a full context around every process execution path in real time
* Machine learning models, which identify patterns that match known malware characteristics, and other forms of artificial intelligence

Response : More effective response methods are now found in advanced malware protection solutions, such as endpoint detection and response (EDR) and—more recently—extended detection and response (XDR) tools. Unlike traditional endpoint security, advanced malware protection solutions also provide retrospective security that rapidly contains the threat at the first sign of malicious behavior.
 
Efficiency : Legacy antivirus deployments often require complex configuration and management. Advanced malware protection solutions provide prevention, detection, and response all in one solution and are generally highly automated. Their built-in, open platforms enable much simpler and more efficient workflows.
Cisco ISE (Identity Services Engine) is a RADIUS server plus policy engine that acts as a gatekeeper for the network: it collects a series of data points about each endpoint and then acts on those points through integration with Cisco networking gear. ISE identifies, classifies, and tracks all endpoints connected to the network to allow the automation of policy provisioning.
Open integrations extend interoperability into the cloud. The team can integrate with cloud software-as-a-service (SaaS) security solutions. The biggest benefit of Cisco ISE is complete network visibility. IT administrators have full detail of all devices on the network and are provided with an easy GUI so administrators can navigate easily.
 
The benefits of FreeRADIUS can be summarized in 4 points :
 
* It’s the most popular RADIUS server in the world for a reason: it works like a charm.
* It is a no-cost solution and it’s Open Source.
* It’s multithreaded, so it can process more than one transaction at a time.
* There are no license expenses, meaning that it costs the same to authenticate one device as it does hundreds.
 
That being said, it can be difficult for admins with little RADIUS experience to set up FreeRADIUS. It can also be difficult for organizations that have unique use cases to configure and customize FreeRADIUS.
Cisco Identity Services Engine (ISE) is an identity and access control policy platform. Administrators can make governance decisions by using policies that determine if a device is granted access to the network and the level of access it is given.
 
ISE combines AAA (Authentication, Authorization and Accounting) and profiler into a single appliance. It provides a centralized management system for device administration in the AAA framework through the Terminal Access Controller Access Control System Plus (TACACS+).
ISE can be either deployed on a physical appliance or Virtual Machine that enables the creation and enforcement of access policies for endpoint devices connected to a company’s network.
 
Physical appliance : SNS 3400 (EOL), SNS 3500, SNS 3600

Virtual : ISE can be installed on VMware, Hyper-V
ACS is used to authenticate users to network devices and for VPN sessions, but it is not a NAC solution: it cannot control the network by checking the compliance state of the devices on it.
 
ISE is the next generation of network authentication and is so much more powerful than ACS. If you want to implement full network access control you need ISE.
Standalone Deployment : A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the Administration, Policy Service, and Monitoring personas. This deployment is suitable for small production setups or labs. If we deploy ISE in standalone mode we will not have redundancy.
 
Hybrid Deployment : A deployment that has multiple ISE nodes, in which the PAN and MnT personas are enabled on a single node. That node runs PAN and MnT, and dedicated PSNs are added to the deployment.
 
Distributed Deployment : A deployment that has multiple ISE nodes, with a separate node for each persona. The distributed deployment consists of one Primary Administration node, a Secondary Administration node, a Primary Monitoring node, a Secondary Monitoring node and one or more Policy Service Nodes (PSNs).
 
Each node can perform one or multiple services. ISE implementation is typically deployed in a distributed manner with individual services run on dedicated ISE nodes.
Base License : The base license is a perpetual license. The base license is required for AAA and IEEE 802.1x and also covers guest services and Trustsec. Base licenses are required to use the services enabled by Plus and/or Apex licenses. A base license is consumed for every active device on the network.
 
Base and Plus : A plus license is required for Profiling and Feed services, Bring Your Own Device (BYOD), Adaptive Network Control (ANC) and PxGrid. A base license is required to install the plus license and the plus license is a subscription for 1,3 or 5 years. When onboarding an endpoint with the BYOD flow, the Plus services are consumed on the active session even when related BYOD attributes are not in use.
 
Base and Apex : The Apex license is like the Plus license in that it is a 1, 3 or 5 year subscription and requires the Base license, but it is used for third-party Mobile Device Management (MDM) and posture compliance. It does not include Base services; a Base license is required to install the Apex license.
 
Device Administration : A Device Administration license is required for TACACS+. It is a perpetual license and only one is required per deployment. A Base or Mobility license is required to install the Device Administration license.
 
Evaluation : An evaluation license covers 100 nodes and provides full Cisco ISE functionality for 90 days. All Cisco ISE appliances are supplied with an evaluation license. Evaluation licenses will collectively have a base, plus, apex, device administration and so on for 90 days.
As mentioned earlier, the TACACS+ protocol is used between the Cisco ISE server and the network device (AAA or TACACS+ client). Keep in mind that Cisco ISE can separate Authentication, Authorization, and Accounting requests.
* When a network device administrator (terminal user) attempts to log into a device (AAA/TACACS+ client) via Telnet or SSH, the device immediately queries Cisco ISE (the AAA/TACACS+ server) via the TACACS+ protocol to validate the authentication.
 
* The Cisco ISE server, in turn, uses its authentication policy sets to respond to the network device with either an “accept” or a “reject”.
 
* If the user is granted access, the network device queries Cisco ISE via TACACS+ for authorization. The ISE server checks its authorization policy rules for TACACS+ results, such as command sets and shell profiles.
 
* The user is then provided with a set of commands or shell profiles to perform certain actions on the networking device.
 
* Finally, the Cisco ISE Server provides accounting by logging the activity and providing reports so that an ISE administrator can produce detailed audits.
ISE supports several protocols for authenticating and authorizing end clients. The most commonly used are:
EAP-TLS, PEAP, MS-CHAP v1 and v2, EAP-TTLS, EAP-MS-CHAPv2, LEAP and EAP-FAST.
Authentication : In authentication, we check whether the user is present in the identity store and whether the credentials presented by the user are valid. For example, a standard authentication policy can include the type of traffic, i.e. whether the user traffic is wired or wireless, and which identity store should be checked for that traffic.
 
Authorization : In authorization (authz), we fetch different attributes for the user and determine which resources the user has access to. An authorization policy can consist of a single condition or a set of user-defined conditions. These rules combine to create a specific policy. For example, a standard policy can include a rule name using an If-Then convention that links a value entered for identity groups with specific conditions or attributes to produce a specific set of permissions that create a unique authorization profile.
Cisco ISE will use Simple Network Management Protocol (SNMP) to query the switch for certain attributes to help identify the devices connected to the switch. We will configure SNMP communities for Cisco ISE to query, as well as SNMP traps to be sent to Cisco ISE.

Step 1 :
* Configure a read-only SNMP community.
* Cisco ISE needs only "read-only" SNMP commands. Ensure that this community string matches the one configured in the network device object in Cisco ISE.
* C3750X(config)#snmp-server community community_string RO

Step 2 : Configure the switch to send traps.
* We will now enable an SNMP trap to be sent with changes to the MAC address table. A trap that includes the device MAC address and interface identifier is sent to Cisco ISE whenever a new address is inserted, removed, or moved in the address table.
 
* C3750X(config)#snmp-server enable traps mac-notification change move threshold

Step 3 : Add Cisco ISE as an SNMP trap receiver.
* Here, a server is added as a trap receiver for the configured MAC notification.
* C3750X(config)#snmp-server host ise_ip_address version 2c community_string mac-notification

Step 4 : Configure Dynamic Host Configuration Protocol (DHCP) snooping for trusted ports.
 
DHCP snooping is not required for Cisco TrustSec 2.1, but it is considered a best practice. Not only does it improve availability by denying rogue DHCP servers, but it also prepares the switch for other security tools such as Dynamic ARP Inspection (DAI). DHCP snooping also helps to prepare the switch for functions coming in later releases of Cisco TrustSec technology.
 
Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP snooping, the switch will deny DHCP server replies from any port not configured as "trusted." Enter interface configuration mode for the uplink interface and configure it as a trusted port.
 
* C3750X(config)#interface interface_name
* C3750X(config-if)#ip dhcp snooping trust

Step 5 : Enable DHCP snooping.
 
DHCP snooping is enabled at global configuration mode. After enabling DHCP snooping, you must configure the VLANs it should work with, as follows:
 
* C3750X(config)#ip dhcp snooping
* C3750X(config)#ip dhcp snooping vlan vlan_id_or_vlan_range
The ISE distributed model can be deployed in 3 different ways depending on scale.
 
* Small Network Deployments
* Medium Network Deployments
* Large Network Deployments
 
Small Network Deployments : A typical small ISE deployment consists of two Cisco ISE nodes, with each node running all 3 personas (Administration, Policy Service and Monitoring). The primary node provides all the configuration, authentication and policy functions, and the secondary node functions as a backup.
 
The secondary supports the primary in the event of a loss of connectivity between the network devices and the primary. If the primary ISE node goes down, we need to manually promote the secondary to primary.
 
Medium Network Deployment : The medium-sized deployment consists of a primary and secondary administration node and a primary and secondary monitoring node, alongside separate policy service nodes. Here the PAN and SAN take care of the administration and log collection part, while the PSNs handle authentication for both RADIUS and TACACS+ traffic.
 
Large Network Deployment : In a large network deployment, ISE distributes the individual personas among several nodes, with each node dedicated to a separate persona: a separate node (Secure Network Server) for administration, for monitoring and for policy service. You should also consider using load balancers in front of the PSNs.
 
Having a single load balancer introduces a potential single point of failure, so it is highly recommended to deploy two load balancers. Since it is a large network deployment we can have multiple logging servers so that logs can be sent to each of them.
TACACS+ : Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary protocol used for communication between a Cisco AAA client and a Cisco ACS or ISE server. It uses TCP port 49, so its transport is reliable.
 
RADIUS : Remote Authentication Dial-In User Service (RADIUS) is an open standard protocol used for communication between any vendor's AAA client and an ACS/ISE server. The standard ports used for RADIUS communication are UDP 1812 for authentication and 1813 for accounting. The legacy RADIUS ports are 1645 for authentication and 1646 for accounting.

RADIUS | TACACS+
RADIUS uses UDP 1812 for authentication and 1813 for accounting (legacy ports: 1645, 1646) | TACACS+ uses TCP port 49
RADIUS combines authentication and authorization | TACACS+ treats authentication, authorization and accounting separately
RADIUS is an open protocol supported by multiple vendors | TACACS+ is Cisco proprietary
The primary use of RADIUS is network access | The primary use of TACACS+ is device administration
Encrypts only the password field | Encrypts the entire payload
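The last row of the comparison above, worked through as an added example (not code from this page, from Cisco ISE or from any vendor): RADIUS hides only the User-Password attribute with an MD5-based XOR chain keyed by the shared secret and the Request Authenticator (RFC 2865, listed among the standards above), whereas TACACS+ XORs the whole packet body with an MD5 pseudo-pad (RFC 8907). The user name, password, shared secret and session id are constructed sample values.

```python
"""RADIUS hides only User-Password (RFC 2865 s5.2); TACACS+ obfuscates the whole
body (RFC 8907 s4.5). Added illustration, not Cisco ISE code; all values constructed."""
import hashlib
import os
import struct


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c1 = p1 ^ MD5(S+RA), ci = pi ^ MD5(S+c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], md5(secret + prev)))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: rerun the chain keyed by the received ciphertext blocks, strip padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request (Code 1): 4-byte header, 16-byte Request Authenticator, TLV attributes.
    User-Name (type 1) is sent in cleartext; only User-Password (type 2) is hidden."""
    ra = authenticator or os.urandom(16)
    hidden = radius_hide_password(password, secret, ra)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_k = MD5(session_id|key|version|seq_no|MD5_(k-1)); concatenate and truncate to n."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = md5(prefix + prev)
        pad += prev
    return pad[:n]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire body with the pseudo-pad; applying it again restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body (RFC 8907 6.1): action=LOGIN, priv_lvl=1, authen_type=ASCII,
    authen_service=LOGIN, four length octets, then the variable-length strings."""
    fixed = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def on_wire_exposure(secret: bytes) -> dict:
    """What a passive observer without the shared secret can read from each protocol."""
    user, pw = b"alice", b"Winter2024!"  # constructed sample credentials
    rad = radius_access_request(user, pw, secret)
    tac = tacacs_obfuscate(tacacs_authen_start(user, b"vty0", b"10.0.0.5", b""),
                           session_id=0x1234ABCD, key=secret)
    return {"radius_user_in_clear": user in rad, "radius_pw_in_clear": pw in rad,
            "tacacs_user_in_clear": user in tac}


if __name__ == "__main__":
    print(on_wire_exposure(b"constructed-secret"))  # only RADIUS leaks the user name
```

Because every RADIUS attribute other than User-Password is readable on the wire, RADIUS between ISE and network devices is normally confined to a trusted management network or wrapped in RadSec (RADIUS over TLS) or IPsec.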
You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.

Procedure :
 
Step 1 & 2 : On the Authentication Method tab, click Password Based and choose one of the external identity sources you have already configured. For example, the Active Directory instance that you have created.
 
Step 3 : Configure any other specific password policy settings that you want for administrators who authenticate using an external identity store.
 
Step 4 : Click Save.
Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) for endpoints that are already authenticated to enter your network. The global configuration of CoA in Cisco ISE enables the profiler service with more control over endpoints.
 
You can use the global configuration option to disable CoA by using the default No CoA option or enable CoA by using port bounce and reauthentication options. If you have configured Port Bounce CoA in Cisco ISE, the profiler service may still result in issuing other CoAs as described in the CoA Exemptions section.

Sources : Cisco, TechTarget and more.