Cisco ISE Interview Questions- If you are looking for a job that is related to the ISE administrator then you need to prepare for the latest Cisco ISE Interview Questions. It is true that every interview is different as per the different job profiles. Here, we have prepared the most important Interview Questions and Answers that will help you get success in your upcoming interview and help you get your dream job in your dream company.
Introduction to ISE
Cisco Identity Services Engine (ISE) is a next-generation identity, access control, and policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. The unique architecture of the Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices.
The administrator can then use that information to make proactive governance decisions by tying identity to various network elements including access switches, wireless LAN controllers (WLCs), virtual private network (VPN) gateways, and data center switches. Cisco ISE is a key component of the Cisco Security Group Access Solution.
Q. What is the Cisco ISE (Identity Services Engine)?
In simple terms, you can control who can access your network and when they do what they can get access to. It can authenticate wired, wireless, and VPN users and can scale to millions of endpoints.
Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company’s Network Administrator devices such as routers and switches. The purpose is to simplify identity management across diverse devices and applications.
Q. What are the different types of personas on Cisco ISE?
- Policy Administration Node (PAN)
- Monitoring Node (MnT)
- Policy Services Node (PSN)
Depending on the size of your deployment all three personas can be run on the same device or spread across multiple devices for redundancy.
Q. Explain the different types of personas on ISE?
Policy Administration Node (PAN) is where the administrator will login to configure policies and make changes to the entire ISE system. Once configured on the PAN the changes are pushed out to the policy services nodes. It handles all system-related configurations and can be configured as standalone, primary, or secondary.
Monitoring Node (MnT) is where all the logs are collected and where report generation occurs. Every event that occurs within the ISE topology is logged to the monitoring node you can then generate reports showing the current status of connected devices and unknown devices on your network.
Policy Services Node (PSN) is the contact point in the network. Each switch is configured to query a radius server to get the policy decision to apply to the network port the radius server is the PSN. In larger deployments, you use multiple PSN’s to spread the load of all the network requests. The PSN provides network access, posture, guest access, client provisioning, and profiling services. There must be at least one PSN in a distributed setup.
Q. How can we deploy ISE?
ISE can be either deployed on a physical appliance or a Virtual Machine that enables the creation and enforcement of access policies for endpoint devices connected to a company’s network.
Physical appliance: SNS 3400(EOL), SNS 3500, SNS 3600
Virtual: ISE can be installed on VMware, Hyper-V
Q. What is the main objective of Cisco ISE?
Every time a wired or wireless user wants to access the network or tries to access a device [for device administration], the user is validated against the server to check if he/she is permitted to do so. Depending on the end result, the user will be allowed certain access to network/device.
Q. What is the difference between Cisco ISE vs ACS?
ACS is used to authenticate users to network devices and for VPN sessions but it is not a NAC solution wherein it will not be able to control the network by checking the compliance state of the devices in the network.
ISE is the next generation of network authentication and is so much more powerful than ACS. If you want to implement full network access control you need ISE.
Q. What are the different types of deployments in ISE?
ISE has three different deployment options.
- Hybrid deployment
- Distributed deployment
Q. Briefly explain different types of ISE deployment.
Standalone Deployment: A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the Administration, Policy Service, and Monitoring personas. This deployment is suitable for Small production setups or labs. If we are deploying ISE in standalone mode then we will not have redundancy.
Hybrid Deployment: A deployment that has multiple ISE nodes wherein PAN and MNT will be on enabled on a single node. This node will run PAN and MNT along with this we ca dedicated PSN’s in the deployment.
Distributed Deployment: A deployment that has multiple ISE nodes wherein we have a separate node for each persona. The distributed deployment consists of one Primary Administration ISE node, Secondary admin nodes, Primary Monitoring node, and Secondary Monitoring node followed by PSN(Policy Service Node).
Each node can perform one or multiple services. ISE implementation is typically deployed in a distributed manner with individual services run on dedicated ISE nodes.
Q. Explain the various types of ISE Distributed deployment.
ISE distributed model can be deployed in 3 different ways depending on the scale.
- Small Network Deployments
- Medium Network Deployments
- Large Network Deployments
Small Network Deployments: A typical small ISE deployment consists of two Cisco ISE nodes with each node running all 3 services on it. The primary node provides all the configuration, authentication and policy functions and the secondary node functions as a backup.
The secondary supports the primary in the event of a loss of connectivity between the network devices and the primary. In case if the primary ISE node goes down we need to manually promote Secondary to Primary.
Medium Network Deployment: The medium-sized deployment consists of a primary and secondary administration node and a primary and secondary monitoring node, alongside separate policy service nodes. Here in this deployment PAN and SAN will take care of the administration and log collection part wherein PSN’s will handle authentication for both radius and Tacacs traffic.
Large Network Deployment: ISE can distribute large individual ISE personas among several ISE nodes with a large network deployment you dedicate each node to a separate persona. So a separate node (secure network server) for administration, monitoring, and policy service. You should also consider using load balancers in front of the PSN nodes.
Having a single load balancer does introduce a potential single point of failure so it is highly recommended to deploy two load balancers. Since it’s a large network deployment we can have multiple logging servers so that logs can be transferred across each server.
Q. What are all the different types of Licenses that we can have on ISE?
- ISE Base only
- ISE Base and Plus
- ISE Base and Apex
- Device Administration
- ISE Base, Plus, and Apex
Q. What are the different types of Licenses?
Base License: The base license is a perpetual license. The base license is required for AAA and IEEE 802.1x and also covers guest services and Trustsec. Base licenses are required to use the services enabled by Plus and/or Apex licenses. A base license is consumed for every active device on the network.
Base and Plus: A plus license is required for Profiling and Feed services, Bring Your Own Device (BYOD), Adaptive Network Control (ANC) and PxGrid. A base license is required to install the plus license and the plus license is a subscription for 1,3 or 5 years. When onboarding an endpoint with the BYOD flow, the Plus services are consumed on the active session even when related BYOD attributes are not in use.
Base and Apex: The Apex license is the same as the plus license in that it is a 1,3,5 year subscription, requires the base license but is used for Third-Party Mobile Device Management & Posture Compliance. Does not include Base services; a Base license is required to install the Apex license
Device Administration: There is a device administration license required for TACACS which is a perpetual license, a base license is required to install the device administration license and you only require one license per deployment. A Base or Mobility license is required to install the Device Administration license.
Evaluation: An evaluation license covers 100 nodes and provides full Cisco ISE functionality for 90 days. All Cisco ISE appliances are supplied with an evaluation license. Evaluation licenses will collectively have a base, plus, apex, device administration and so on for 90 days.
Q. Does Cisco ISE support Tacacs?
Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices. The network devices are configured to query ISE for authentication and authorization of device administrator actions and send accounting messages for ISE to log the actions.
Cisco ISE now supports TACACS+. Prior to ISE 2.0 ISE was only supporting Radius but post 2.0 ISE versions TACACS is supported.
Device admin is not enabled by default, to enable it go to:
Administration / Deployment / Node Name / Enable Device Admin Service
This service should be enabled on the PSNs.
Q. What are the different types of protocols that are supported on ISE?
There are different protocols available on ISE which is used for authenticating and authorizing end clients. Below mentioned are the few known and popularly used protocols.
EAP-TLS, PEAP, MS-CHAPv2 v1 and v2, EAP-TTLS, EAP-MS-CHAPv2, LEAP, EAP FAST.
Q. What are policy sets on ISE?
Cisco ISE is a policy-based, network-access-control solution, which offers network access policy sets, allowing you to manage several different network access use cases such as wireless, wired, guest, and client provisioning.
When you install ISE, there is always one policy set defined, which is the default policy set, and the default policy set contains within it, predefined and default authentication, authorization and exception policy rules.
Q. What is the major difference between Authentication and Authorization conditions on ISE?
Authentication: In Authentication, we will check if the user is present in the identity store or not and the credentials which are presented by the user are valid or not. For example, a standard Authentication policy can include the type of traffic i.e. if the user traffic wired or wireless and which is the identity store which needs to be checked upon for this traffic.
Authorization: In Authz we fetch different attributes for the user and determine for which resources the user has access to. An authorization policy can consist of a single condition or a set of conditions that are user-defined. These rules act to create a specific policy. For example, a standard policy can include the rule name using an If-Then convention that links a value entered for identity groups with specific conditions or attributes to produce a specific set of permissions that create a unique authorization profile.
Q. What is Identity Store on Cisco ISE?
Identity Store is where we check for the credentials against a particular database. Identity store database can be internal or external. Internal identity store will refer to Identity/Endpoint information which is created locally on ISE. External identity store can be AD, LDAP, Radius token server, RSA and Certificate Authority.
Q. What is the difference between Tacacs and Radius?
TACACS: Terminal Access Controller Access Control System (TACACS+) is a Cisco proprietary protocol which is used for the communication of the Cisco client and Cisco ACS server. It uses TCP port number 49 which makes it reliable.
RADIUS: Remote Access Dial-In User Service (RADIUS) is an open standard protocol used for the communication between any vendor AAA client and ACS/ISE server. The standard ports used for radius communication are 1812 for authentication and 1813 for accounting. Legacy radius port number are 1645 for authentication and 1646 for accounting.
|RADIUS uses UDP 1812 for Auth and 1813 for Accounting(Legacy ports:1645,1646)||TACACS uses TCP port no 49|
|RADIUS combines Authentication and Authorization||TACACS treats Authentication, Authorization and Accounting separately|
|RADIUS is an open protocol supported by multiple vendors||TACACS is Cisco proprietary|
|Primary us of Radius is Network Access||The primary use of TACACS is Device Administration|
|Encrypts only the Password field||Encrypts the entire Payload|
Q. What is dot1x?
802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. Until and unless the post is not authorized, the access will not be given to the end client who’s connecting on that port.
Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Q. What is Mac Authentication Bypass(MAB)?
MAC Authentication Bypass (MAB) is a way to give a white-list to certain network devices. If you know the MAC address of a certain device you know should get access to your network you can grant it access purely by its MAC address. This is used for devices that cannot have certificates loaded on them or are hard to profile. In MAB username and password both will be the MAC address.
Before MAB authentication, the identity of the endpoint is unknown and all traffic is blocked. The switch examines a single packet to learn and authenticate the source MAC address. After MAB succeeds, the identity of the endpoint is known and all traffic from that endpoint is allowed.
Q. What are the key components involved in dot1x and MAB authentication?
Supplicant, Network Access Device, and Authentication Server are the 3 key components that are involved in dot1x authentication.
Supplicant: User/Endpoint who’s trying to authenticate in order to gain network access.
NAD: Access switch/Access point to which the supplicant is connected which will carry the user credentials and present it to the server in order to authenticate the user.
Authentication Server: Credentials which were presented by NAD will be verified on the server and depending on the end result either access will be given or denied.