This is part two of the ISE interview questions and answers series. This article covers intermediate-level questions and answers; if you are new to ISE, please read the Cisco ISE basic interview questions and answers first.
Q. What is Profiling in Cisco ISE?
The Profiling service in Cisco Identity Services Engine identifies the devices that connect to your network and their location. The endpoints are then profiled based on the endpoint profiling policies configured in Cisco ISE. The profiling service allows ISE to profile devices connected to the network and assign each one an identity based on numerous attributes. These devices can then be granted or denied network access based on the security policies defined on ISE.
Q. What is the use of profiling in Cisco ISE?
Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network. Using the MAC address as the unique identifier, ISE collects various attributes for each network endpoint to build an internal endpoint database. Instead of adding endpoints manually to identity groups, the profiling service detects devices dynamically, and access is granted according to the policy sets that have been configured.
Q. How do you enable Profiling on Cisco ISE?
The ISE Profiling feature set requires a Plus license installed on the Policy Administration Node (PAN). One Plus feature license is required for each endpoint that is actively authenticated to the network and whose profiling data is used to make an Authorization Policy decision.
Profiling is enabled from Administration > Deployment > Enable Profiling Service on whichever PSNs you wish to handle the profiling traffic.
Q. How do you deploy profiling in the production deployment?
A typical network deployment starts by putting ISE into monitor mode. In monitor mode no enforcement takes place, but the ISE administrator can start to see which devices are connecting to the network and which identity each has been given. During this phase, many devices are usually discovered that the network administrator did not even know were connected to the network.
Based on the devices connecting to the network and the profiles being assigned, the network administrator can tune the profiling groups or create new profiling policies where more precise classification is needed. With this approach to the profiling deployment, the network administrator gains a complete picture of all devices connected to the network and full control over their access.
Q. What is Device Sensor?
The Device Sensor feature gathers raw endpoint data from network devices using protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), and DHCP. The endpoint data is made available to registered clients in the context of an access session.
Q. What are Probes and which are the various types of probes used in Cisco ISE?
A probe is a method used to collect an attribute or a set of attributes from an endpoint on your network. The probe allows you to create or update endpoints with their matched profile in the Cisco ISE database. ISE Profiling Services uses various collectors, or probes, to collect attributes about connected endpoints.
Probes help you gain more network visibility. The commonly used probes in Cisco ISE include:
- HTTP SPAN Probe
- Active Directory Probe
Probes are enabled from Administration > Deployment > Profiling Configuration; enable the probes your network requires.
Q. What is Profiling Feed Service and what is the use of it?
The Profiling Feed Service provides a database of profiling policies and updated OUIs that can be downloaded from a designated Cisco feed server into Cisco ISE through a subscription.
Updating the Profiling Feed downloads the latest database, which contains the updated profiling policies and OUIs. You can also configure ISE to send e-mail notifications for applied, success, and failure messages to the administrator e-mail address you have configured.
A feed update modifies only the Cisco-provided profiling policies and the endpoint profiling policies that were changed by the previous feed update. The Profiling Feed can also be updated offline by downloading the package from the Cisco site with CCO credentials and uploading it manually to Cisco ISE.
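The profiling answers above describe the mechanism in words: the MAC address is the endpoint key, the OUI comes from the feed database, probes and Device Sensor add attributes, and a profiling policy is a set of conditions that each contribute a certainty factor, with the policy that meets its minimum certainty and scores highest winning. The following Python is an added illustration of that scoring model, not Cisco's code and not from this article; the OUI table, attribute names (`oui`, `dhcp-class-identifier`, `cdp-platform`), policies and certainty values are constructed sample data.

```python
"""Toy endpoint profiler modelled on the ISE idea of profiling policies built
from conditions with certainty factors.  Added example, not Cisco's code; all
tables, attribute names and policies below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed OUI table (first three bytes of the MAC -> vendor).  In ISE the
# equivalent data arrives through the Profiling Feed Service.
OUI_TABLE = {
    "00:1B:63": "Apple, Inc.",
    "00:50:56": "VMware, Inc.",
    "B8:27:EB": "Raspberry Pi Foundation",
}


@dataclass
class Condition:
    attribute: str   # endpoint attribute name, e.g. "oui" or "cdp-platform" (assumed names)
    contains: str    # substring that must appear in the attribute value
    certainty: int   # certainty factor contributed when the condition matches


@dataclass
class ProfilePolicy:
    name: str
    min_certainty: int                 # policy only matches at or above this total
    conditions: list = field(default_factory=list)

    def score(self, attrs):
        """Sum the certainty of every condition that matches the attributes."""
        return sum(c.certainty for c in self.conditions
                   if c.contains.lower() in attrs.get(c.attribute, "").lower())


# Constructed policies; a more specific policy needs more evidence (higher
# minimum certainty) but outranks the generic one when it is met.
POLICIES = [
    ProfilePolicy("Apple-Device", 10, [Condition("oui", "Apple", 10)]),
    ProfilePolicy("Apple-iPad", 30, [
        Condition("oui", "Apple", 10),
        Condition("dhcp-class-identifier", "iPad", 20),   # from a DHCP probe / Device Sensor
    ]),
    ProfilePolicy("VMware-Device", 10, [Condition("oui", "VMware", 10)]),
    ProfilePolicy("Cisco-IP-Phone", 20, [Condition("cdp-platform", "Cisco IP Phone", 20)]),
]


def normalize_attributes(mac, raw_attrs):
    """Derive the OUI vendor from the MAC (the profiler's unique key) and merge
    it with whatever attributes the probes delivered for this endpoint."""
    attrs = dict(raw_attrs)
    attrs["oui"] = OUI_TABLE.get(mac.upper()[:8], "")
    return attrs


def profile_endpoint(mac, raw_attrs, policies=POLICIES):
    """Return (profile name, certainty) of the best matching policy, or
    ("Unknown", 0) when no policy reaches its minimum certainty."""
    attrs = normalize_attributes(mac, raw_attrs)
    best = ("Unknown", 0)
    for policy in policies:
        total = policy.score(attrs)
        if total >= policy.min_certainty and total > best[1]:
            best = (policy.name, total)
    return best


if __name__ == "__main__":
    # Same MAC, re-profiled once a DHCP attribute arrives from a later probe.
    print(profile_endpoint("00:1b:63:aa:bb:cc", {}))
    print(profile_endpoint("00:1b:63:aa:bb:cc", {"dhcp-class-identifier": "iPad"}))
```

Running the two calls at the bottom shows why the monitor-mode phase matters: the first sighting of the Apple MAC is only "Apple-Device", and it is re-profiled to "Apple-iPad" once the DHCP probe contributes enough certainty. A generic vendor match (VMware OUI) is likewise overridden by a stronger CDP match when Device Sensor data identifies the endpoint as an IP phone.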
Q. What is Posture service in Cisco ISE?
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as the posture, of all endpoints connecting to a network for compliance with corporate security policies. This allows you to control which clients can access protected areas of a network.
Q. Which type of License is required for the Posture service in Cisco ISE?
Cisco ISE Posture requires the installation of an Apex license. If the Apex license is not installed on the Primary PAN, posture requests will not be served by Cisco ISE.
Q. What are the various endpoint Compliance posture states?
The compliance (posture) status of an endpoint can be:
- Unknown: No data was collected in order to determine the posture state.
- Non-Compliant: A posture assessment was performed, and one or more requirements failed.
- Compliant: The endpoint is compliant with all mandatory requirements.
Q. What are the various probes which are initiated during policy server detection?
A series of probes is sent during policy server detection, in this order:
- Default gateway IP
- enroll.cisco.com
- Discovery host
- Previously connected PSN over SSL on port 8905
Default gateway: Discovery of the policy server is first attempted through the default gateway.
enroll.cisco.com: If no response is received from the default gateway, discovery is attempted against enroll.cisco.com. This FQDN must be resolvable by the client's DNS server.
Discovery host: An HTTP GET request is sent to the discovery host in order to find the policy server. The discovery host value is returned from ISE during installation in the AnyConnect (AC) posture profile. The expected result of this probe is a redirect URL.
Previously connected PSN: An HTTP GET request is sent to the previously connected PSN on port 8905. This request contains the client's IP and MAC address list for session lookup on the ISE side. This probe is not present during the first posture attempt. The connection is protected by the ISE admin certificate. As a result of this probe, ISE can return the session ID to the client if the node where the probe landed is the same node where the user was authenticated.
Q. Name a few compliance condition checks that can be performed by Cisco ISE using Posture.
The posture policy defines the set of requirements an endpoint must meet to be categorised as compliant, based upon file presence, registry key, process, application, Windows, and anti-virus (AV)/anti-spyware (AS) checks and rules. The posture policy is applied to endpoints based upon a defined set of conditions such as user identity and client OS type.
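The two posture answers above give the three states and the kinds of checks (file, registry key, process, AV) but not how they combine. The Python below is an added example, not Cisco's code and not from this article, that evaluates a small constructed requirement set and returns the matching state: Unknown when nothing was collected, Non-Compliant when any mandatory requirement fails, Compliant otherwise. Requirement names, paths, the `MAX_DEFINITION_AGE_DAYS` threshold and the endpoint data are all constructed assumptions.

```python
"""Toy posture assessment producing the ISE posture states Unknown,
Non-Compliant and Compliant.  Added example, not Cisco's code; requirement
names, paths, thresholds and endpoint data are constructed sample values."""
from dataclasses import dataclass


@dataclass
class Requirement:
    name: str
    kind: str                # "file", "registry", "process" or "av"
    target: str              # file path, registry key, process name or AV product
    mandatory: bool = True   # only mandatory requirements decide the state


# Constructed posture policy; in ISE this is built in the GUI, not in code.
REQUIREMENTS = [
    Requirement("Corporate AV", "av", "CorpAV"),
    Requirement("Disk encryption enabled", "registry", r"HKLM\SOFTWARE\Corp\DiskEncryption"),
    Requirement("Endpoint agent installed", "file", r"C:\Program Files\Corp\agent.exe"),
    Requirement("Inventory agent running", "process", "inventory-agent.exe", mandatory=False),
]

MAX_DEFINITION_AGE_DAYS = 7   # assumed freshness threshold for AV definitions


def requirement_met(req, data):
    """Return True when the collected endpoint data satisfies one requirement."""
    if req.kind == "file":
        return req.target in data.get("files", set())
    if req.kind == "registry":
        return req.target in data.get("registry_keys", set())
    if req.kind == "process":
        return req.target in data.get("processes", set())
    if req.kind == "av":
        av = data.get("av", {})
        return bool(av.get("product") == req.target
                    and av.get("running")
                    and av.get("definitions_age_days", 10 ** 6) <= MAX_DEFINITION_AGE_DAYS)
    raise ValueError(f"unknown requirement kind: {req.kind}")


def assess_posture(data, requirements=REQUIREMENTS):
    """Return (state, names of failed mandatory requirements).

    data is None when the posture agent reported nothing, which maps to the
    Unknown state rather than to a failure."""
    if data is None:
        return "Unknown", []
    failed = [r.name for r in requirements
              if r.mandatory and not requirement_met(r, data)]
    return ("Compliant" if not failed else "Non-Compliant"), failed


# Constructed endpoint reports.
COMPLIANT_ENDPOINT = {
    "files": {r"C:\Program Files\Corp\agent.exe"},
    "registry_keys": {r"HKLM\SOFTWARE\Corp\DiskEncryption"},
    "processes": set(),      # optional inventory agent is not running
    "av": {"product": "CorpAV", "running": True, "definitions_age_days": 2},
}
STALE_AV_ENDPOINT = {
    **COMPLIANT_ENDPOINT,
    "av": {"product": "CorpAV", "running": True, "definitions_age_days": 30},
}

if __name__ == "__main__":
    for label, report in [("ok", COMPLIANT_ENDPOINT), ("stale", STALE_AV_ENDPOINT), ("none", None)]:
        print(label, assess_posture(report))
```

The optional process requirement is deliberately left unmet in the compliant report to show that only mandatory requirements drive the state, matching the definition of Compliant as "compliant with all mandatory requirements".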
Q. What is Cisco TrustSec?
Cisco TrustSec is an embedded technology in your existing Cisco infrastructure. TrustSec can simplify provisioning and management of network access, make security operations more efficient, and help to enforce segmentation policy consistently, anywhere in the network.
Cisco TrustSec technology uses software-defined segmentation to simplify the provisioning of network access, accelerate security operations, and consistently enforce policy anywhere in the network. Cisco TrustSec is embedded technology in Cisco switches, routers, and wireless and security devices.
Q. What is Security Group Tagging in Cisco TrustSec?
The Security Group Tag (SGT) Exchange Protocol (SXP) is one of several protocols that support Cisco TrustSec. SXP is a control protocol for propagating IP-to-SGT binding information across network devices that do not have the capability to tag packets.
Q. What is pxGrid?
With Cisco pxGrid (Platform Exchange Grid), multiple security products can share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.
Cisco pxGrid is an open and scalable Security Product Integration Framework (SPIF) that allows bi-directional, any-to-any partner platform integrations. Cisco pxGrid uses a pub/sub model and publishes Cisco Identity Services Engine (ISE) contextual information: it publishes the session directory topic and other ISE topics for ecosystem partners to consume.
Q. What are the devices that can be integrated through pxGrid?
Using Cisco pxGrid we can integrate multiple security products so that they exchange information and work together. Below are sample Firepower Management Center (FMC) and Stealthwatch Management Center integrations with ISE and their benefits.
ISE and FMC can be integrated through pxGrid to exchange the following information:
- User-to-IP information is provided by ISE to FMC through pxGrid.
- SGT mapping information is shared from ISE to FMC via pxGrid.
With the help of pxGrid we can fetch information such as application info, NetFlow data, threat data, firewall logs, and MDM logs from multiple security products.
We can integrate the Stealthwatch Management Console with ISE through pxGrid, which provides the Stealthwatch system with extra contextual information about the endpoint and the user on that endpoint, as well as the ability to quarantine that endpoint if it is misbehaving.
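The pxGrid answers above say that ISE publishes a session directory topic and that a partner such as FMC consumes user-to-IP and SGT mappings from it. The Python below is an added sketch of the consumer side, not Cisco's code, not FMC's, and not from this article. It assumes the pxGrid 2.0 REST conventions (control port 8910, `ServiceLookup` on `/pxgrid/control`, HTTP Basic authentication with node name and secret, service name `com.cisco.ise.session`) and session attribute names `ipAddresses`, `userName`, `ctsSecurityGroup` and `state` from the pxGrid 2.0 session directory; the ISE hostname and the session payload are constructed.

```python
"""Sketch of a pxGrid consumer reducing the ISE session directory to the
IP-to-user and IP-to-SGT bindings a partner platform acts on.  Added example,
not Cisco's code.  URL, hostname and field names are assumptions based on the
pxGrid 2.0 REST and session directory model; the payload is constructed."""
import base64
import json

PXGRID_CONTROL_URL = "https://ise-pan.example.local:8910/pxgrid/control"   # assumed hostname
SESSION_SERVICE = "com.cisco.ise.session"


def basic_auth_headers(node_name, secret):
    """pxGrid REST calls made with a node name and secret use HTTP Basic auth."""
    token = base64.b64encode(f"{node_name}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json"}


def service_lookup_request(node_name, secret):
    """Build (url, headers, body) for the ServiceLookup call that returns the
    session directory service details (including its restBaseUrl).  The caller
    sends it with any HTTPS client; nothing is sent here."""
    return (f"{PXGRID_CONTROL_URL}/ServiceLookup",
            basic_auth_headers(node_name, secret),
            json.dumps({"name": SESSION_SERVICE}))


def bindings_from_sessions(payload):
    """Reduce a getSessions-style response to ip -> user and ip -> SGT maps.

    Sessions that are not STARTED are skipped so that bindings from a user who
    has already disconnected do not linger in the partner's policy.  A session
    without an SGT yields a user binding only."""
    ip_to_user, ip_to_sgt = {}, {}
    for session in payload.get("sessions", []):
        if session.get("state") != "STARTED":
            continue
        for ip in session.get("ipAddresses", []):
            if session.get("userName"):
                ip_to_user[ip] = session["userName"]
            if session.get("ctsSecurityGroup"):
                ip_to_sgt[ip] = session["ctsSecurityGroup"]
    return ip_to_user, ip_to_sgt


# Constructed sample payload in the shape the consumer expects.
SAMPLE_GET_SESSIONS = {
    "sessions": [
        {"auditSessionId": "0A0A0A0100000001", "state": "STARTED",
         "userName": "alice", "macAddress": "00:1B:63:AA:BB:CC",
         "ipAddresses": ["10.1.20.15"], "ctsSecurityGroup": "Employees"},
        {"auditSessionId": "0A0A0A0100000002", "state": "STARTED",
         "userName": "contractor-bob", "macAddress": "B8:27:EB:00:11:22",
         "ipAddresses": ["10.1.30.7", "fe80::1"]},            # no SGT assigned
        {"auditSessionId": "0A0A0A0100000003", "state": "DISCONNECTED",
         "userName": "carol", "macAddress": "00:50:56:11:22:33",
         "ipAddresses": ["10.1.20.99"], "ctsSecurityGroup": "Employees"},
    ]
}

if __name__ == "__main__":
    users, sgts = bindings_from_sessions(SAMPLE_GET_SESSIONS)
    print("ip -> user:", users)
    print("ip -> SGT :", sgts)
```

The dropped DISCONNECTED session is the point of the example: a partner that keeps acting on stale session data would keep attributing traffic from a reused IP to the wrong user or group, so the consumer filters on session state before publishing bindings into its own policy.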
Q. What is Bring Your Own Device (BYOD) and why is it used?
With BYOD, employees are allowed to connect their personal devices securely to the network.
Employees increasingly use both personal and work devices at the office, and they do not want to switch between or carry both. They want to use their personal devices to access work applications.
BYOD is the process of onboarding employees' personal devices onto the corporate network and providing access to work applications from those devices. BYOD simplifies IT operations, gives employees a "work-your-way" experience, and helps secure data by applying policies and controls.
Q. What are the different design approaches for a BYOD solution in a wireless environment?
There are two design approaches for implementing a BYOD solution in a wireless environment:
- Single SSID solution
- Dual SSID solution
Q. What is a Single SSID and Dual SSID solution in BYOD?
Single SSID:
In a single SSID setup, the same WLAN is used for certificate enrolment, provisioning (the entire onboarding process) and secure network access.
Dual SSID:
In a dual SSID setup, two SSIDs are used: one SSID provides certificate enrolment and provisioning (the entire onboarding process) and the other SSID provides secure network access.
Q. Explain the sample Single SSID and Dual SSID BYOD flows.
Single SSID Flow:
- User connects to secure SSID.
- PEAP: User enters username and password.
- User is redirected to the provisioning portal.
- User registers the personal device.
- Downloads certificate and supplicant configuration.
- User reconnects using EAP-TLS.
Dual SSID Flow:
- User connects to open SSID.
- User is redirected to the WebAuth portal.
- User enters guest or employee credentials.
- Guest signs AUP and guest access will be provided.
- Employee registers the device.
- Downloads certificate and supplicant configuration.
- Employee reconnects using EAP-TLS.
Q. What are the various types of Guest portals in Cisco ISE?
There are 3 types of Guest portals:
- Sponsored Guest Portal
- Self-Registered Guest Portal
- Hotspot Guest Portal
Q. What type of License is required to host Guest portals in Cisco ISE?
The ISE Guest feature set requires the installation of a Base license.
Q. Describe the various types of Guest portal.
Sponsored Guest Portal:
Using the Sponsor portal, sponsors can create and manage temporary accounts for authorized visitors to securely access the corporate network or the Internet. After creating a guest account, sponsors can also use the Sponsor portal to provide the account details to the guest by printing, emailing, or texting. Before self-registering guests are given access to the company network, sponsors may be asked via email to approve their guests' accounts.
Self-Registered Guest Portal:
In the Self-Registered portal, guests create their own accounts by registering themselves on the Self-Registered Guest portal. Based on the portal configuration, these self-registering guests may need sponsor approval before they receive their login credentials, or they can log in immediately after registering on the portal.
Hotspot Guest Portal:
The Hotspot Guest portal is an alternative Guest portal that allows you to provide network access without requiring guests to have usernames and passwords and alleviates the need to manage guest accounts. Instead, Cisco ISE works together with the network access device (NAD) and Device Registration Web Authentication (Device Registration WebAuth) to grant network access directly to the guest devices.
To create a Guest portal, navigate to Work Centers > Portals & Components and create the required Guest portal.
Note: Advanced interview questions on ISE are coming soon.