Cisco ISE Interview Questions and Answers


Cisco ISE Interview Questions: if you are applying for a role as an ISE administrator, prepare with the latest Cisco ISE interview questions. Every interview differs with the job profile. The questions and answers below cover the topics most often asked and should help you succeed in your upcoming interview.

Introduction to ISE

Cisco Identity Services Engine (ISE) is an identity, access control and policy platform that lets enterprises enforce compliance, strengthen infrastructure security and simplify service operations. Its architecture lets ISE gather real-time contextual information from networks, users and devices.

Administrators use that context to make policy decisions by tying identity to network elements such as access switches, wireless LAN controllers (WLCs), VPN gateways and data center switches. Cisco ISE is a key component of the Cisco TrustSec (Security Group Access) solution.

Q. What is the Cisco ISE (Identity Services Engine)?

In simple terms, ISE controls who can access your network, when, and what they can reach once connected. It authenticates wired, wireless and VPN users and scales to millions of endpoints.

Cisco ISE is a network administration product that creates and enforces security and access policies for endpoint devices connected to the company's network devices, such as routers, switches and wireless controllers. The purpose is to simplify identity management across diverse devices and applications.

Q. What are the different types of personas on Cisco ISE?

  1. Policy Administration Node (PAN)
  2. Monitoring Node (MnT)
  3. Policy Services Node (PSN)

Depending on the size of the deployment, all three personas can run on a single node or be spread across multiple nodes for scale and redundancy.

Q. Explain the different types of personas on ISE?

The Policy Administration Node (PAN) is where administrators log in to configure policies and change the whole ISE deployment. Changes made on the PAN are replicated to the Policy Service Nodes. It holds all system-related configuration and can be configured as standalone, primary or secondary.

The Monitoring Node (MnT) collects logs and generates reports. Every event in the ISE deployment is logged to the monitoring node, from which you can report on the current status of connected devices and on unknown devices in your network.

The Policy Services Node (PSN) is the contact point for the network. Each switch is configured to query a RADIUS (or TACACS+) server for the policy decision to apply to a port, and that server is the PSN. In larger deployments, multiple PSNs spread the load of the network requests. The PSN provides network access, posture, guest access, client provisioning and profiling services. A distributed deployment needs at least one PSN.

Q. How can we deploy ISE?
ISE is deployed either on a physical appliance or as a virtual machine; either way it creates and enforces access policies for endpoint devices connected to the company's network.

Physical appliance: SNS 3400 (end of life), SNS 3500, SNS 3600
Virtual: ISE can be installed on VMware and Hyper-V

Q. What is the main objective of Cisco ISE?
Every time a wired or wireless user wants to access the network, or an administrator tries to log in to a device (device administration), the request is validated against ISE to check whether that user is permitted. Depending on the result, the user is granted a specific level of access to the network or device.

Q. What is the difference between Cisco ISE vs ACS?

ACS authenticates users to network devices and for VPN sessions, but it is not a NAC solution: it cannot control network access by checking the compliance state of the devices on the network.

ISE is the next generation of network authentication and is far more capable than ACS (which has reached end of life). Full network access control requires ISE.

Q. What are the different types of deployments in ISE?

ISE has three deployment options:

  1. Standalone
  2. Hybrid deployment
  3. Distributed deployment

Q. Briefly explain different types of ISE deployment?

Standalone deployment: a single Cisco ISE node runs the Administration, Policy Service and Monitoring personas. It suits small production setups or labs. A standalone deployment has no redundancy.

Hybrid deployment: multiple ISE nodes where the PAN and MnT personas run together on one node (or a primary/secondary pair), with dedicated PSNs handling the access requests.

Distributed deployment: multiple ISE nodes with a separate node for each persona: a Primary Administration node, a Secondary Administration node, a Primary Monitoring node, a Secondary Monitoring node, and one or more Policy Service Nodes (PSNs).

Each node can run one or more personas. Production ISE deployments are typically distributed, with each persona running on dedicated nodes.

Q. Explain the various types of ISE Distributed deployment?

The ISE distributed model is sized in three ways depending on scale:

  • Small Network Deployments
  • Medium Network Deployments
  • Large Network Deployments

Small network deployment: two Cisco ISE nodes, each running all three personas. The primary node provides all configuration, authentication and policy functions; the secondary node is a backup.

The secondary takes over when the network devices lose connectivity to the primary (each network device lists both nodes as its AAA servers). If the primary node itself fails, the secondary must be promoted to primary manually.

Medium network deployment: a primary and secondary Administration node (PAN and SAN) and a primary and secondary Monitoring node, with separate Policy Service Nodes. The admin and monitoring nodes handle administration and log collection, while the PSNs handle authentication for both RADIUS and TACACS+ traffic.

Large network deployment: each persona is dedicated to its own nodes, so separate Secure Network Server appliances run administration, monitoring and policy service. Put load balancers in front of the PSNs.

A single load balancer is itself a single point of failure, so it is strongly recommended to deploy two. A large deployment can also forward logs to multiple logging servers so the logging load is spread across them.

Q. Which license combinations can ISE have?

  • ISE Base only
  • ISE Base and Plus
  • ISE Base and Apex
  • Device Administration
  • ISE Base, Plus, and Apex

Q. What are the different types of Licenses?

Base license: a perpetual license. It is required for AAA and IEEE 802.1X and also covers guest services and TrustSec. A Base license is a prerequisite for the Plus and Apex licenses. One Base license is consumed per active endpoint session on the network. (This Base/Plus/Apex model is ISE 2.x licensing; ISE 3.0 replaced it with Essentials, Advantage and Premier tiers.)

Base and Plus: Plus is required for profiling and the Feed Service, Bring Your Own Device (BYOD), Adaptive Network Control (ANC) and pxGrid. It requires a Base license and is a 1, 3 or 5 year subscription. When an endpoint is onboarded through the BYOD flow, a Plus license is consumed for the active session even if the BYOD attributes are not used.

Base and Apex: Apex is likewise a 1, 3 or 5 year subscription that requires Base; it covers third-party Mobile Device Management (MDM) integration and posture compliance. It does not include the Base services, so a Base license must be present to install it.

Device Administration: a perpetual license required for TACACS+. Only one is needed per deployment, and a Base or Mobility license must be present to install it.

Evaluation: covers 100 endpoints with full Cisco ISE functionality for 90 days. Every ISE appliance ships with an evaluation license, which collectively includes Base, Plus, Apex, Device Administration and the other features for 90 days.

Q. Does Cisco ISE support Tacacs?

Cisco ISE supports device administration with the TACACS+ protocol to control and audit the configuration of network devices. The network devices are configured to query ISE for authentication and authorization of device administrator actions, and they send accounting messages so that ISE logs those actions.

TACACS+ support arrived in ISE 2.0; earlier releases supported only RADIUS.

Device administration is not enabled by default. To enable it, go to Administration > System > Deployment, edit the node, and check Enable Device Admin Service. Enable it on the PSNs that will serve TACACS+ requests, and make sure the Device Administration license is installed.

Q. Which protocols are supported on ISE?
ISE supports a range of protocols for authenticating and authorizing end clients. The commonly used ones are:
EAP-TLS, PEAP (with inner EAP-MSCHAPv2 or EAP-GTC), EAP-TTLS, EAP-FAST, EAP-MSCHAPv2, MS-CHAP v1 and v2, PAP/ASCII and LEAP (deprecated; avoid it). EAP-TLS, which authenticates both sides with certificates, is the strongest of these.

Q. What are policy sets on ISE?
Cisco ISE is a policy-based network access control solution. Policy sets let you manage several network access use cases, such as wireless, wired, guest and client provisioning, each with its own authentication and authorization rules.

A freshly installed ISE always has one policy set, the default policy set, which contains predefined default authentication, authorization and exception policy rules.

Q. What is the major difference between Authentication and Authorization conditions on ISE?
Authentication:
Authentication checks whether the user or endpoint exists in the identity store and whether the credentials it presents are valid. A typical authentication policy keys on the type of access (wired or wireless, 802.1X or MAB) and selects the identity store to check for that traffic.

Authorization: after authentication, ISE fetches attributes for the user or endpoint and decides which resources it may reach. An authorization policy consists of one or more user-defined conditions. Each rule follows an If-Then convention that links identity groups and conditions or attributes to a set of permissions, the authorization profile (for example VLAN, downloadable ACL or security group tag).

Q. What is Identity Store on Cisco ISE?
The identity store is the database against which credentials are checked. It can be internal or external. The internal stores hold the users and endpoints created locally on ISE. External stores include Active Directory, LDAP, RADIUS token servers, RSA SecurID and certificate authentication profiles (for certificate-based authentication).

Q. What is the difference between Tacacs and Radius?

TACACS+: Terminal Access Controller Access Control System Plus is a Cisco-developed protocol (now documented in RFC 8907) used between a network device and an ACS or ISE server, mainly for device administration. It runs over TCP port 49, so it inherits TCP's reliable delivery.

RADIUS: Remote Authentication Dial-In User Service is an open-standard protocol (RFC 2865 and RFC 2866) used between any vendor's AAA client and an ACS or ISE server. The standard ports are UDP 1812 for authentication and 1813 for accounting; the legacy ports are 1645 and 1646.

                  RADIUS                                                  TACACS+
Transport         UDP 1812 (auth) and 1813 (accounting); legacy 1645/1646  TCP port 49
AAA model         Combines authentication and authorization                Treats authentication, authorization and accounting separately
Standard          Open protocol supported by multiple vendors              Cisco-developed (RFC 8907)
Primary use       Network access                                           Device administration
Confidentiality   Hides only the User-Password field                       Obfuscates the entire packet body (header stays in clear)
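The last row of the table is the one most often misremembered, so here is an added example (not code from the page or from Cisco) that implements both schemes: RFC 2865 User-Password hiding for RADIUS and RFC 8907 body obfuscation for TACACS+. It then builds one packet of each kind and checks which fields are still readable on the wire. The shared secrets, Request Authenticator, session id and credentials are constructed values.

```python
"""Added example (not from the page or Cisco): the two credential-hiding
schemes behind the table's last row.  RFC 2865 section 5.2 hides only the RADIUS
User-Password attribute; RFC 8907 section 4.5 obfuscates the whole TACACS+ body.
Secrets, authenticators, session id and credentials below are constructed."""
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = the 16-byte Request Authenticator.  Only this attribute is hidden."""
    if len(request_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does); strips the zero padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def radius_access_request(identifier: int, request_auth: bytes, attrs) -> bytes:
    """Code 1 packet: every attribute except the hidden User-Password travels in clear."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + request_auth + body


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(...|pad_n-1);
    body XOR pad.  Symmetric, so the same call decodes.  The 12-byte header stays in clear."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, last = b"", b""
    while len(pad) < len(body):
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body: action LOGIN(1), priv_lvl 1, authen_type ASCII(1),
    service LOGIN(1), then the four length octets and the variable fields."""
    return struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def demo():
    secret, ra = b"ise-shared-secret", bytes(range(16))          # constructed values
    user, password = b"alice", b"Passw0rd!"
    hidden = radius_hide_password(password, secret, ra)
    radius_pkt = radius_access_request(7, ra, [(1, user), (2, hidden), (31, b"00-11-22-33-44-55")])

    key, session, version = b"tacacs-key", 0x12345678, 0xC0      # constructed; 0xC0 = TACACS+ v12.0
    body = tacacs_authen_start(user, b"tty0", b"10.0.0.5")
    hidden_body = tacacs_obfuscate(body, key, session, version, 1)
    tacacs_pkt = struct.pack("!BBBBII", version, 1, 1, 0, session, len(body)) + hidden_body

    return {
        "radius_roundtrip": radius_unhide_password(hidden, secret, ra) == password,
        "radius_wrong_secret": radius_unhide_password(hidden, b"wrong", ra) == password,
        "radius_user_in_clear": user in radius_pkt,
        "radius_password_in_clear": password in radius_pkt,
        "tacacs_roundtrip": tacacs_obfuscate(hidden_body, key, session, version, 1) == body,
        "tacacs_wrong_key": tacacs_obfuscate(hidden_body, b"wrong", session, version, 1) == body,
        "tacacs_user_in_clear": user in tacacs_pkt,
        "radius_len": len(radius_pkt),
        "tacacs_len": len(tacacs_pkt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both schemes are MD5 keyed on the shared secret, which is obfuscation rather than modern encryption (RFC 8907 says so explicitly for TACACS+), and a weak shared secret is brute-forceable from a single captured exchange. On a production ISE deployment protect the transport instead: RADIUS over DTLS to the PSNs, or IPsec, and keep TACACS+ traffic on a management network or inside an IPsec tunnel.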

Q. What is dot1x?

802.1X defines a client-server access control and authentication protocol that keeps unauthorized clients from connecting to a LAN through publicly accessible switch ports. Until the port is authorized, the client connected to it receives no network access.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication succeeds, normal traffic can pass through the port.
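The following is an added example (not code from the page or from Cisco) that models the port behaviour just described: an authenticator PAE that lets only EAPOL frames through while the port is unauthorized, parses EAPOL-Start, EAPOL-Logoff and an EAP Response/Identity, and opens the controlled port only after the RADIUS server (ISE) has accepted. The frames, MAC addresses and the identity are constructed for the demonstration.

```python
"""Added example (not the page's or Cisco's code): a minimal model of the
802.1X port gate.  Frames are constructed in-line; the supplicant MAC and
the identity are made up for the demo."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # EAPOL destination MAC (IEEE 802.1X)
EAPOL_TYPE = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def eapol_frame(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version 2, type, body length) + body."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, eapol_type, len(body)) + body


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP Response (code 2) of type Identity (1): code, id, length, type, data."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def parse_eapol(payload: bytes) -> dict:
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    info = {"version": version, "type": EAPOL_TYPE.get(ptype, "unknown")}
    if ptype == 0:                                    # an EAP packet is carried inside
        code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
        info.update(code=EAP_CODE.get(code, "unknown"), eap_id=eap_id)
        if code in (1, 2) and eap_len > 4:            # Request/Response carry a type octet
            info["eap_type"] = body[4]
            if body[4] == 1:                          # Identity: the data is the user name
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


class PortAuthenticator:
    """Authenticator PAE on one switch port: the uncontrolled port passes EAPOL to
    the authenticator; the controlled port forwards other traffic only after the
    authentication server (ISE, reached over RADIUS) has returned Access-Accept."""

    def __init__(self):
        self.authorized = False
        self.supplicant = None
        self.events = []

    def receive(self, frame: bytes) -> str:
        src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            return "forward" if self.authorized else "drop"
        info = parse_eapol(frame[14:])
        self.events.append(info)
        if info["type"] == "EAPOL-Start":
            self.supplicant = src
            return "send EAP-Request/Identity"          # the switch's next step
        if info["type"] == "EAPOL-Logoff":
            self.authorized = False
            return "port unauthorized"
        if info.get("identity"):
            return f"relay identity {info['identity']} to RADIUS server"
        return "relay EAP to RADIUS server"

    def server_result(self, accept: bool) -> None:
        """Outcome of the RADIUS exchange with ISE; the switch then sends EAP-Success or EAP-Failure."""
        self.authorized = accept


def walkthrough():
    """Constructed sequence; returns the port decision at each step plus the parsed EAPOL events."""
    port = PortAuthenticator()
    sup = bytes.fromhex("0050561a2b3c")                                   # made-up supplicant MAC
    ip_frame = bytes.fromhex("ffffffffffff") + sup + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
    steps = [
        port.receive(ip_frame),                                            # before auth: dropped
        port.receive(eapol_frame(sup, 1)),                                 # EAPOL-Start
        port.receive(eapol_frame(sup, 0, eap_response_identity(1, b"alice@corp.example"))),
    ]
    port.server_result(True)                                               # ISE: Access-Accept
    steps.append(port.receive(ip_frame))                                   # now forwarded
    steps.append(port.receive(eapol_frame(sup, 2)))                        # EAPOL-Logoff
    steps.append(port.receive(ip_frame))                                   # back to dropped
    return steps, port.events


if __name__ == "__main__":
    for step in walkthrough()[0]:
        print(step)
```

Note that the EAP Response/Identity crosses the wire in clear text, which is why the tunnelled methods (PEAP, EAP-TTLS, EAP-FAST) use an anonymous outer identity and carry the real credentials inside TLS. The switch relays the EAP messages to ISE inside RADIUS and never sees the inner credentials; it only acts on the final accept or reject.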

Q. What is profiling?

Ans- 

ISE has several probes for detecting what type of device is connecting to the network. The commonly used ones are:

Network Scan (NMAP): runs an active scan against the endpoint. It is intrusive, so it is typically used together with other probes and only when necessary.

DNS: looks up DNS records for additional information about the endpoint.

SNMPQUERY / SNMPTRAP: gathers information over SNMP from the network devices; typically used to identify networking equipment.

Active Directory: queries AD for additional information about AD-joined endpoints.

pxGrid: receives endpoint context from pxGrid publishers such as the Cisco Industrial Network Director (not covered here).

Other probes are RADIUS, DHCP, DHCP SPAN, HTTP and NetFlow. In practice most of the useful attributes (DHCP options, CDP/LLDP, HTTP user agent) arrive through the RADIUS probe, carried from the switch by Device Sensor in RADIUS accounting.

ISE ships with a database of endpoint attributes (the profiler feed) that is updated regularly.

• Each profiling rule has a certainty value that is added when the rule matches.
• The values of all matched rules are summed to give the endpoint's certainty factor for that profile.
• If the total reaches the profile's Minimum Certainty Factor, the profile matches; the best-matching profile is assigned to the endpoint.

An example to understand profiling: suppose we create a profile named "Switch" in ISE.

• When a device first attaches to the network, ISE does not yet know what it is. Seconds later the profiling data arrives and the endpoint's profile changes, so we must configure which Change of Authorization (CoA) action ISE takes when that happens. This is set globally (Administration > System > Settings > Profiling) or per profile:

• No CoA: the device stays in its current state ("unknown") until it re-authenticates naturally.

• Port Bounce: ISE instructs the network access device to bounce the port. The device re-authenticates, and now that the profiling data exists it matches the right profile. (If more than one session is active on the port, for example a phone with a PC behind it, ISE sends a reauth instead.)

• Reauth: ISE forces the endpoint to re-authenticate without bouncing the port, which is faster than a port bounce.

Q. Unable to log in to Cisco ISE through the GUI

Ans-

This is a common issue. If you cannot log in to ISE through the GUI, log in through the CLI and check the application services:

1. Verify first that all services are running: show application status ise

2. If the application is running but the GUI still fails, stop and start the application services. Before restarting, move traffic away from this node (for a PSN, make sure the network devices can fail over to another PSN; for a primary PAN, promote the secondary), because the services take about 10 minutes to come back. Do the activity in a maintenance window.

application stop ise
application start ise

After the services come up, the GUI login should work. If the services were healthy all along, the cause is usually the GUI admin account itself (locked or expired password); it can be reset from the CLI with application reset-passwd ise admin.

Q. What is Mac Authentication Bypass(MAB)?

MAC Authentication Bypass (MAB) is a way to allow-list specific devices by MAC address. If you know the MAC address of a device that should be on your network, you can grant it access purely by that MAC. It is used for devices that cannot run an 802.1X supplicant or hold a certificate, or that are hard to profile. In MAB, both the RADIUS User-Name and User-Password carry the MAC address. Because a MAC address is trivially spoofed, MAB should be paired with profiling and a restrictive authorization result (downloadable ACL, VLAN) rather than treated as strong authentication.
Before MAB, the identity of the endpoint is unknown and all traffic is blocked. The switch examines a single packet to learn the source MAC address and sends it to ISE for authentication. After MAB succeeds, the identity of the endpoint is known and traffic from that endpoint is allowed.
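To tie the certainty-factor description above, the MAB answer and the earlier authorization-policy answer together, here is an added example (not the page's or Cisco's code). It scores an endpoint's collected attributes against three constructed profiling policies, then makes a MAB authorization decision that combines the MAC-based identity group with the profiled device type instead of trusting the MAC alone. The policies, certainty values, attribute names, MAC addresses and authorization result names are all made up for the illustration; ISE's built-in profiles use different conditions and values.

```python
"""Added example (not the page's or Cisco's code): a toy of the ISE profiling
certainty-factor calculation, used to make the MAB authorization decision.
Policies, certainty values, attributes, MACs and result names are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileRule:
    attribute: str
    op: str          # "equals" | "contains" | "startswith"
    value: str
    certainty: int   # added to the total when the rule matches


@dataclass(frozen=True)
class ProfilePolicy:
    name: str
    min_certainty: int
    rules: tuple


POLICIES = (   # constructed policies; real ISE profiles differ
    ProfilePolicy("Cisco-IP-Phone", 70, (
        ProfileRule("oui", "contains", "Cisco", 10),
        ProfileRule("cdp-cachePlatform", "contains", "IP Phone", 70),
        ProfileRule("dhcp-class-identifier", "contains", "IP Phone", 50),
    )),
    ProfilePolicy("HP-Printer", 40, (
        ProfileRule("oui", "contains", "Hewlett", 10),
        ProfileRule("dhcp-class-identifier", "startswith", "Hewlett-Packard JetDirect", 30),
        ProfileRule("snmp-sysDescr", "contains", "JetDirect", 30),
    )),
    ProfilePolicy("Workstation", 20, (
        ProfileRule("dhcp-class-identifier", "equals", "MSFT 5.0", 20),
        ProfileRule("user-agent", "contains", "Windows NT", 20),
    )),
)


def normalize_mac(text: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def rule_matches(rule: ProfileRule, attrs: dict) -> bool:
    value = attrs.get(rule.attribute)
    if value is None:
        return False
    if rule.op == "equals":
        return value == rule.value
    if rule.op == "contains":
        return rule.value in value
    if rule.op == "startswith":
        return value.startswith(rule.value)
    raise ValueError(f"unknown operator {rule.op}")


def certainty(policy: ProfilePolicy, attrs: dict) -> int:
    """Sum of the certainty values of every rule that matches."""
    return sum(r.certainty for r in policy.rules if rule_matches(r, attrs))


def classify(attrs: dict) -> tuple:
    """Highest-scoring policy whose total reaches its minimum certainty factor, else Unknown."""
    best = ("Unknown", 0)
    for policy in POLICIES:
        cf = certainty(policy, attrs)
        if cf >= policy.min_certainty and cf > best[1]:
            best = (policy.name, cf)
    return best


PRINTER_GROUP = {normalize_mac("0011.22aa.bbcc")}   # constructed endpoint identity group


def authorize_mab(user_name: str, user_password: str, calling_station_id: str, attrs: dict) -> str:
    """MAB request as a Cisco switch sends it: User-Name and User-Password both carry the MAC.
    The authorization rule combines the MAC group with the profiled device type, because
    the MAC alone is trivially spoofed."""
    try:
        mac = normalize_mac(user_name)
        if normalize_mac(user_password) != mac or normalize_mac(calling_station_id) != mac:
            return "Reject"                     # not a well-formed MAB request
    except ValueError:
        return "Reject"
    profile, _cf = classify(attrs)
    if profile == "Cisco-IP-Phone":
        return "Voice_VLAN"
    if profile == "HP-Printer" and mac in PRINTER_GROUP:
        return "Printer_ACL"
    return "Restricted"                         # unknown device, or a known MAC on the wrong device type


if __name__ == "__main__":
    print(authorize_mab("001122aabbcc", "001122aabbcc", "00-11-22-AA-BB-CC",
                        {"oui": "Hewlett Packard", "dhcp-class-identifier": "Hewlett-Packard JetDirect"}))
```

The interesting case is a device presenting the printer's MAC address but profiling as a Windows workstation: it gets the restricted result, which a pure MAC allow-list would never catch. ISE's real profiler also handles policy hierarchies and attribute conflict resolution that this toy omits.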

Q. What are the key components involved in dot1x and MAB authentication?

Supplicant, Network Access Device (NAD) and Authentication Server are the three components involved in 802.1X authentication (MAB uses the same NAD and server, but there is no supplicant; the NAD learns the MAC address from the endpoint's first frame).
Supplicant: the user or endpoint software that is trying to authenticate in order to gain network access.
NAD: the access switch, wireless controller or VPN gateway to which the supplicant connects. It carries the user's credentials to the server (as a RADIUS client) and enforces the result on the port or session.
Authentication Server: ISE verifies the credentials presented through the NAD and, depending on the result, returns an accept (with the authorization result) or a reject.

Q. What is the use of profiling in Cisco ISE?

Cisco ISE profiling services dynamically detect and classify the endpoints connected to the network. Using the MAC address as the unique identifier, ISE collects attributes for each endpoint to build an internal endpoint database. Instead of adding endpoints manually to identity groups, profiling detects devices dynamically, and the configured policy sets then grant access accordingly.

Q. How do you enable Profiling on Cisco ISE?

In ISE 2.x the profiling feature set requires a Plus license installed on the Policy Administration Node (PAN). One Plus license is consumed for each endpoint that is actively authenticated to the network and whose profiling data is used in an authorization policy decision.

Profiling is enabled at Administration > System > Deployment: edit each PSN that should handle profiling traffic and check Enable Profiling Service; then turn on the individual probes (RADIUS, DHCP, HTTP, SNMP and so on) on that node's Profiling Configuration tab.

Q- Is there a free Cisco ISE lab provided by Cisco?

Ans-

Yes: Cisco provides a free online Cisco ISE demo lab through Cisco dCloud.

Step 1: log in at the URL below. You need a Cisco account; if you do not have one, register for free.

This URL is for documentation and help:

Cisco Identity Services Engine (ISE) 3.0 — Instant Demo | News | Cisco dCloud

To log in to the Cisco ISE lab, use this URL: Identity Services Engine (cisco.com)

Log in with your Cisco user name and password. If you do not have a Cisco account, register for free on the Cisco portal: Register (cisco.com)

Step 2: you now see the Cisco ISE dashboard and can do whatever you want, such as creating policies and checking logs.

Configure anything you want to test in the lab.

For more help, watch the video.

Please note: sometimes this lab does not work because of high traffic.

You can also use this URL: Identity Services Engine (cisco.com)

username: admin

password: C1sco12345

Q- How to upgrade Cisco ISE

Ans-

You can upgrade Cisco ISE from the GUI, by backup and restore, or from the CLI. When upgrading from the GUI you can choose the order in which the nodes are upgraded.

Follow the steps below to upgrade ISE.

First take a backup of Cisco ISE (see the backup question below):

how to take backup of cisco ise through cli and GUI — Networking (techclick.in)

1. Back up all configuration and monitoring data. Also export a copy of the internal CA key and certificate chain, and back up the system certificates of all ISE nodes.

2. Upgrade the Secondary Administration Node first. The Primary Administration Node stays on the previous version and can be used for rollback if the upgrade fails.

3. In a distributed deployment, next upgrade all the nodes in the site that hosts the Secondary Administration Node of your existing Cisco ISE deployment.

Choose your Upgrade Method –

  • Upgrade Cisco ISE using Backup and Restore Procedure (Recommended)
  • Upgrade a Cisco ISE deployment from GUI
  • Upgrade a Cisco ISE deployment from CLI

Three upgrade options are available:

Full Upgrade: a multi-step process that upgrades all the nodes in your Cisco ISE deployment at the same time. It finishes faster than a split upgrade.

Please note that the Full Upgrade method is supported from Cisco ISE 2.6 patch 10, Cisco ISE 2.7 patch 4 and Cisco ISE 3.0 patch 3 onwards.

In this process the application services are down during the upgrade, because all nodes are upgraded in parallel.

Legacy Split Upgrade: a multi-step process that upgrades the deployment while services remain available during the upgrade.

Note: the legacy split upgrade is supported for any Cisco ISE version and patch.

Split Upgrade: also a multi-step process that keeps services available during the upgrade, and additionally lets you choose which Cisco ISE nodes in the deployment to upgrade.

We recommend upgrading the Cisco ISE deployment from the GUI.

The steps below use the Full Upgrade option.

Step 1 –>>

Click the Menu icon and choose Administration > System > Upgrade.

Step 2 –>>

Create a repository and download the upgrade bundle (ISO) into it.

Step 3 –>>

Review the upgrade checklist and note the items (click Print Checklist).

Step 4 –>>

Click Prepare for Upgrade and select the repository where you stored the Cisco ISE bundle (in this example, a repository named ftp_repo).

Cisco ISE runs pre-checks during the upgrade process, such as:

  • Repository Validation
  • Memory Check
  • PAN Failover Validation
  • Scheduled Backup Check
  • Configuration Backup Check
  • License Validation, etc.

If any of the checks is inactive or has failed, it is displayed in red. These failures must be fixed before performing the upgrade.

Step 5 –>>

During upgrade staging, the upgraded database file is copied to all the nodes in the deployment, and the configuration files are backed up on all the nodes.

Please note: if upgrade staging on a node succeeds, it is displayed in green; if it fails for a particular node, that node is displayed in red.

Click Next to proceed to the Upgrade Nodes window, then click Start to initiate the upgrade process.

Step 6 –>>

You can monitor the primary PAN's upgrade status from the secondary PAN dashboard while the primary PAN is being upgraded.

Clicking the Exit Wizard option in this window will prevent you from viewing the Summary window later.

STEP 7 –>>

Click Next in the Upgrade Nodes window to check whether all the nodes were upgraded successfully.

If any nodes failed, a dialog box with information about the failed nodes is displayed.

STEP 8 –>>

You can verify and download the upgrade summary reports, with details such as the Checklist, Prepare to Upgrade, Upgrade Report and System Health checklist items.

If you use another upgrade method, such as the Legacy Split Upgrade, you simply download the bundle and start the upgrade.

Q- How to take backup of Cisco ISE-

Take a backup of ISE through the CLI or the GUI in four steps:

  • 1- Creating a Repository
  • 2- Adding crypto key
  • 3- Backing up ISE
  • 4- Backing Up ISE Certificates

STEP 1- Create a repository –

–>>>>>> Administration > System > Maintenance > Repository

From the CLI, log in to the node and create the repository in configuration mode (name, URL such as sftp://server/path, and credentials).

Make sure you add a user name and password to the repository when you create it; otherwise the backup fails.

STEP 2- >>>>>>

Add the crypto key. For an SFTP repository, ISE must trust the SFTP server's host key, which is added from the CLI with crypto host_key add host <server>. Without it the backup can fail after reaching about 70%.

STEP 3–>>>>>>>>>>>

BACKUP ISE

There are two types of backup:

Configuration backup: contains the configuration data.
Operational backup: contains the monitoring and troubleshooting data.

Take both. In the GUI (Administration > System > Backup & Restore), click Backup Now, then enter the Backup Name, Type, Repository Name and Encryption Key and click Start Backup. Do this for a configuration backup and again for an operational backup.

If you prefer the CLI, run:

backup <backup-name> repository <repository-name> ise-config encryption-key plain <key>
backup <backup-name> repository <repository-name> ise-operational encryption-key plain <key>

Store the encryption key somewhere safe: the backup cannot be restored without it.

STEP 4–>>>>>>>>> Backing up the ISE certificates –

Run this command on the CLI:

application configure ise

In the menu that appears, choose the Export Internal CA Store option (number 7 in the author's version; the menu numbering varies between ISE releases), then enter the repository name (for example BackupSFTP) and an encryption key for the export. In addition, export the system certificates with their private keys for every node from Administration > System > Certificates > System Certificates.
