Networking

Cisco ISE Interview Questions and Answers

dixitra20 7 months ago

Cisco ISE Interview Questions and Answers

Cisco ISE Interview Questions- If you are looking for a job which is related to the ISE
administrator then you need to prepare for the latest Cisco ISE Interview Questions. It is true
that every interview is different as per the different job profiles. Here, we have prepared the
most important Interview Questions and Answers which will help you get success in your
upcoming interview and help you get your dream job in your dream company.

Introduction to ISE

Cisco Identity Services Engine (ISE) is a next-generation identity, access control and policy
platform that enables enterprises to enforce compliance, enhance infrastructure security,
and streamline their service operations. The unique architecture of the Cisco ISE allows
enterprises to gather real-time contextual information from networks, users, and devices.

The administrator can then use that information to make proactive governance decisions by
tying identity to various network elements including access switches, wireless LAN
controllers (WLCs), virtual private network (VPN) gateways, and data center switches. Cisco
ISE is a key component of the Cisco Security Group Access Solution.

Q. What is the Cisco ISE (Identity Services Engine)?

In simple terms, you can control who can access your network and when they do what they
can get access to. It can authenticate wired, wireless and VPN users and can scale to millions
of endpoints.

Cisco Identity Services Engine (ISE) is a network administration product that enables the
creation and enforcement of security and access policies for endpoint devices connected to
the company’s Network Administrator devices such as routers and switches. The purpose is
to simplify identity management across diverse devices and applications.

Q. What are the different types of personas on Cisco ISE?

1. Policy Administration Node (PAN)

2. Monitoring Node (MnT)
3. Policy Services Node (PSN)

Depending on the size of your deployment all three personas can be run on the same device
or spread across multiple devices for redundancy.

Q. Explain the different types of personas on ISE?

Policy Administration Node (PAN) is where the administrator will login to configure
policies and make changes to the entire ISE system. Once configured on the PAN the changes
are pushed out to the policy services nodes. It handles all system-related configurations and
can be configured as standalone, primary or secondary.

Monitoring Node (MnT) is where all the logs are collected and where report generation
occurs. Every event that occurs within the ISE topology is logged to the monitoring node you
can then generate reports showing the current status of connected devices and unknown
devices on your network.
Policy Services Node (PSN) is the contact point into the network. Each switch is configured
to query a radius server to get the policy decision to apply to the network port the radius
server is the PSN. In larger deployments, you use multiple PSN’s to spread the load of all the
network requests. The PSN provides network access, posture, guest access, client
provisioning, and profiling services. There must be at least one PSN in a distributed setup.

Q. How can we deploy ISE?

ISE can be either deployed on a physical appliance or Virtual Machine that enables the
creation and enforcement of access policies for endpoint devices connected to a company’s
network.

Physical appliance: SNS 3400(EOL), SNS 3500, SNS 3600

Virtual: ISE can be installed on VMware, Hyper-V

Q. What is the main objective of Cisco ISE?

Every time a wired or wireless user wants to access the network or tries to access a device
[for device administration], the user is validated against the server to check if he/she is
permitted to do so. Depending on the end result, the user will be allowed certain access to
network/device.

Q. What is the difference between Cisco ISE vs ACS?

ACS is used to authenticate users to network devices and for VPN sessions but it is not a NAC
solution wherein it will not be able to control the network by checking the compliance state
of the devices in the network.
ISE is the next generation of network authentication and is so much more powerful than
ACS. If you want to implement full network access control you need ISE.

Q. What are the different types of deployments in ISE?

ISE has three different deployment options.

1. Standalone
2. Hybrid deployment
3. Distributed deployment

Q. Briefly explain different types of ISE deployment?

Standalone Deployment: A deployment that has a single Cisco ISE node is called a
standalone deployment. This node runs the Administration, Policy Service, and Monitoring
personas. This deployment is suitable for Small production setup’s or labs. If we are
deploying ISE in standalone mode then we will not have redundancy.
Hybrid Deployment: A deployment that has multiple ISE nodes wherein PAN and MNT will
be on enabled on a single node. This node will run PAN and MNT along with this we ca
dedicated PSN’s in the deployment.

Distributed Deployment: A deployment that has multiple ISE nodes wherein we have a
separate node for each persona. The distributed deployment consists of one Primary
Administration ISE node, Secondary admin nodes, Primary Monitoring node, Secondary
Monitoring node followed by PSN(Policy Service Node).

Each node can perform one or multiple services. ISE implementation is typically deployed in
a distributed manner with individual services run on dedicated ISE nodes.

Q. Explain the various types of ISE Distributed deployment?

ISE distributed model can be deployed in 3 different ways depending on the scale.

Small Network Deployments

Medium Network Deployments
Large Network Deployments

Small Network Deployments: A typical small ISE deployment consists of two Cisco ISE
nodes with each node running all 3 services on it. The primary node provides all the
configuration, authentication and policy functions and the secondary node functions as a
backup.

The secondary supports the primary in the event of a loss of connectivity between the
network devices and the primary. In case if the primary ISE node goes down we need to
manually promote Secondary to Primary.
Medium Network Deployment: The medium-sized deployment consists of a primary and
secondary administration node and a primary and secondary monitoring node, alongside
separate policy service nodes. Here in this deployment PAN and SAN will take care of
administration and log collection part wherein PSN’s will handle authentication for both
radius and Tacacs traffic.
Large Network Deployment: ISE can distribute large individual ISE personas among
several ISE nodes with a large network deployment you dedicate each node to a separate
persona. So a separate node (secure network server) for administration, monitoring and
policy service. You should also consider using load balancers in front of the PSN nodes.

Having a single load-balancer does introduce a potential single point of failure so it is highly
recommended to deploy two load balancers. Since it’s a large network deployment we can
have multiple logging servers so that logs can be transferred across each server.
Q. Which are all the different types of Licenses which we can have on ISE?

ISE Base only

ISE Base and Plus
ISE Base and Apex
Device Administration
ISE Base, Plus, and Apex
Q. What are the different types of Licenses?

Base License: The base license is a perpetual license. The base license is required for AAA
and IEEE 802.1x and also covers guest services and Trustsec. Base licenses are required to
use the services enabled by Plus and/or Apex licenses. A base license is consumed for every
active device on the network.

Base and Plus: A plus license is required for Profiling and Feed services, Bring Your Own
Device (BYOD), Adaptive Network Control (ANC) and PxGrid. A base license is required to
install the plus license and the plus license is a subscription for 1,3 or 5 years. When
onboarding an endpoint with the BYOD flow, the Plus services are consumed on the active
session even when related BYOD attributes are not in use.

Base and Apex: The Apex license is the same as the plus license in that it is a 1,3,5 year
subscription, requires the base license but is used for Third-Party Mobile Device
Management & Posture Compliance. Does not include Base services; a Base license is
required to install the Apex license

Device Administration: There is a device administration license required for TACACS which
is a perpetual license, a base license is required to install the device administration license
and you only require one license per deployment. A Base or Mobility license is required to
install the Device Administration license.

Evaluation: An evaluation license covers 100 nodes and provides full Cisco ISE functionality
for 90 days. All Cisco ISE appliances are supplied with an evaluation license. Evaluation
licenses will collectively have a base, plus, apex, device administration and so on for 90 days.

Q. Does Cisco ISE support Tacacs?

Cisco ISE supports device administration using the TACACS+ security protocol to control and
audit the configuration of network devices. The network devices are configured to query ISE
for authentication and authorization of device administrator actions and send accounting
messages for ISE to log the actions.
Cisco ISE now supports TACACS+. Prior to ISE 2.0 ISE was only supporting Radius but post 2.0
ISE versions TACACS is supported.

Device admin is not enabled by default, to enable it go to:

Administration / Deployment / Node Name / Enable Device Admin Service
This service should be enabled on the PSNs.

Q.Which are the different types of protocols which are supported on ISE?
There are different protocols available on ISE which is used for authenticating and
authorizing end clients. Below mentioned are the few known and popularly used protocols.
EAP-TLS, PEAP, MS-CHAPv2 v1 and v2, EAP-TTLS, EAP-MS-CHAPv2, LEAP, EAP FAST.

Q. What are policy sets on ISE?

Cisco ISE is a policy-based, network-access-control solution, which offers network access
policy sets, allowing you to manage several different network access use cases such as
wireless, wired, guest, and client provisioning.

When you install ISE, there is always one policy set defined, which is the default policy set,
and the default policy set contains within it, predefined and default authentication,
authorization and exception policy rules.
Q. What is the major difference between Authentication and Authorization conditions
on ISE?
Authentication: In Authentication, we will check if the user is present in the identity store
or not and the credentials which are presented by the user are valid or not. For example, a
standard Authentication policy can include the type of traffic i.e. if the user traffic wired or
wireless and which is the identity store which needs to be checked upon for this traffic.

Authorization: In Authz we fetch different attributes for the user and determine for which
resources the user has access to. An authorization policy can consist of a single condition or
a set of conditions that are user-defined. These rules act to create a specific policy. For
example, a standard policy can include the rule name using an If-Then convention that links
a value entered for identity groups with specific conditions or attributes to produce a
specific set of permissions that create a unique authorization profile.
Q. What is Identity Store on Cisco ISE?
Identity Store is where we check for the credentials against a particular database. Identity
store database can be internal or external. Internal identity store will refer to
Identity/Endpoint information which is created locally on ISE. External identity store can be
AD, LDAP, Radius token server, RSA and Certificate Authority.

Q. What is the difference between Tacacs and Radius?

TACACS: Terminal Access Controller Access Control System (TACACS+) is a Cisco proprietary
protocol which is used for the communication of the Cisco client and Cisco ACS server. It uses
TCP port number 49 which makes it reliable.

RADIUS: Remote Access Dial-In User Service (RADIUS) is an open standard protocol used for
the communication between any vendor AAA client and ACS/ISE server. The standard ports
used for radius communication are 1812 for authentication and 1813 for accounting. Legacy
radius port number are 1645 for authentication and 1646 for accounting.

RADIUSTACACSRADIUS uses UDP 1812 for Auth and 1813 for Accounting(Legacy
ports:1645,1646)TACACS uses TCP port no 49RADIUS combines Authentication and
AuthorizationTACACS treats Authentication, Authorization and Accounting
separatelyRADIUS is an open protocol supported by multiple vendorsTACACS is Cisco
proprietaryPrimary us of Radius is Network AccessThe primary use of TACACS is Device
AdministrationEncrypts only the Password fieldEncrypts the entire Payload

Q. What is dot1x?

802.1X defines a client-server-based access control and authentication protocol that restricts
unauthorized clients from connecting to a LAN through publicly accessible ports. Until and
unless the post is not authorized, the access will not be given to the end client who’s
connecting on that port.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication
Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After
authentication is successful, normal traffic can pass through the port.
Q. What is Profile ?

Ans-

ISE has several methods of detecting what type of device is

connecting to the network, mostly we are using a common method to identify device.

• Network Scan (NMAP) —

Will run an intrusive scan on the endpoint. Typically used in conjunction with
other probes and only when necessary.

• DNS

Checks DNS records for additional information.

• SNMPQUERY/SNMPTRAP

Gathers information from SNMP. This is typically used to help identify

networking equipment.
• Active Directory

Queries AD for additional endpoint information for AD joined devices.

• pxGrid

Used with the Cisco Industrial Network Director (not covered in this course

ISE comes with a database of endpoint attributes which gets updated

frequently.

• Each profile rule is assigned a numerical value, if matched.

• The matched rules are added together to determine a Certainty
Factor.
• If the added rules exceed the “Minimum Certainty Factor”, the
overall profile is matched.

We can use one example to understand profiling –

we can create one profile in ISE profile named “Switch”

• When a device first attaches to the network, ISE does not know what it is yet. Seconds later,
ISE receives the profiling data and we must configure which action we want ISE to take. This
can be set globally or under each profile:

•Take No Action

The device will remain “unknown” until it does a re-authentication naturally.

• Port Bounce

ISE will instruct the network access device to bounce the connection. The device will re-
authenticate, but now we have the profiling data and it will match whichever profile.

• Reauth

ISE will force the endpoint to re-authenticate (faster than port bounce)

Q. Unable to login on cisco ISE though GUI

Ans-

we can troubleshoot issue about Unable to login on ISE though GUI This is very common
issue If you are not able to login on ISE thought GUI so in this case you must login ISE via CLI
and try to run some command –

we need to stop and start application services use below command

1- you can verify first all services should running –# show application status ise

2- If Application service is running then there we need to stop and start application services
use below command and before restart you must shift traffic from primary two secondary
because its take 10 min to up the devices My suggestion is please do the activity during
Maintenance window.

#application stop ise

#application start ise
after run this command issue will fix
Q. What is Mac Authentication Bypass(MAB)?

MAC Authentication Bypass (MAB) is a way to give a white-list to certain network devices. If
you know the MAC address of a certain device you know should get access to your network
you can grant it access purely by its MAC address. This is used for devices that cannot have
certificates loaded on them or are hard to profile. In MAB username and password both will
be the MAC address.
Before MAB authentication, the identity of the endpoint is unknown and all traffic is blocked.
The switch examines a single packet to learn and authenticate the source MAC address. After
MAB succeeds, the identity of the endpoint is known and all traffic from that endpoint is
allowed.
Q. What are the key components involved in dot1x and MAB authentication?

Supplicant, Network Access Device and Authentication Server are the 3 key components
which are involved in dot1x authentication.
Supplicant: User/Endpoint who’s trying to authenticate in order to gain the network access.
NAD: Access switch/Access point to which the supplicant is connected which will carry the
user credentials and present it to the server in order to authenticate the user.
Authentication Server: Credential’s which were presented by NAD will be verified on the
server and depending on the end result either access will be given or denied.
Q. What is the use of profiling in Cisco ISE?

Cisco ISE Profiling Services provides dynamic detection and classification of endpoints
connected to the network. Using MAC addresses as the unique identifier, ISE collects various
attributes for each network endpoint to build an internal endpoint database. In this case
instead of adding endpoints manually on the identity groups with help of profiling service
devices can be detected dynamically and based on policy sets which have been configured
access can be given accordingly.

Q. How do you enable Profiling on Cisco ISE?

The ISE Profiling feature set requires the installation of a Plus license on the Policy
Administration Node (PAN). One Plus feature license is required for each endpoint that is
actively authenticated to the network and where profiling data is used to make an
Authorization Policy decision.

Profiling has to be enabled from the Administration .>Deployment > Enable Profiling Service
on whichever PSN which you wish to handle the Profiling traffic.

Q- Cisco ise lab free provided by cisco

Ans-

Cisco ISE lab free online —

Now you can get Cisco ISE lab free that’s provided by Cisco –
step 1- login into the below URL also make sure you have a cisco account if not please
register yourself free.

This URL is for document and help purposes –

Cisco Identity Services Engine (ISE) 3.0 — Instant Demo | News | Cisco dCloud

For login to Cisco ISE use this URL lab — Identity Services Engine (cisco.com)

you can log in with your user name and password, if not you can register on the cisco
website for free

if you have not cisco account , Register free on cisco portal use this url- Register (cisco.com)
STEP 2- now you can see cisco Dashboard and do whatever you want like create policy check
logs.

Configure anything you want to test in lab — -

for more help watch this video , it will help you.

Please note:- Sometime this Lab will not work because of high traffic on that.

use below URL also

use this URL — Identity Services Engine (cisco.com)

username — admin

password — C1sco12345
Q- How to upgrade Cisco ISE

Ans-

You can upgrade Cisco ISE using GUI, Backup and Restore, or CLI. In case you are using GUI
to upgrade you can choose the order of nodes to be upgraded

Please follow-up below step to upgrade ISE-

take backup of cisco ISE go to this link —

how to take backup of cisco ise thought cli and GUI — Networking (techclick.in)

1- Backup all configuration and monitoring data. You should also export a copy of the
internal CA key and certificate chain, and take a backup of the ISE server certificates of all
ISE nodes

2 — we need to upgrade first Secondary Administration Node At this point, the Primary
Administration Node remains at the previous version and can be used for rollback if the
upgrade fails.

3 — If you have a distributed deployment, upgrade all the nodes that are available in the site
that has Secondary Administration Node of your existing Cisco ISE deployment

Choose your Upgrade Method –

 Upgrade Cisco ISE using Backup and Restore Procedure (Recommended)

Upgrade a Cisco ISE deployment from GUI

Upgrade a Cisco ISE deployment from CLI

Three types of upgrade option available–

Full Upgrade: Full upgrade is a multi-step process that enables a complete upgrade of all the
nodes in your Cisco ISE deployment at the same time. This method will upgrade the
deployment in lesser time when compared to the split upgrade process

Please note that — Full Upgrade method is supported for Cisco ISE 2.6 patch 10 and
above Cisco ISE 2.7 patch 4 and above, and Cisco ISE 3.0 patch 3 and above

in this process application services will be down durin

g this upgrade process because all nodes are upgraded parallelly

Legacy Split Upgrade: Split upgrade is a multi-step process that enables the upgrade of your
Cisco ISE deployment while allowing services to remain available during the upgrade
process

Note — this Legacy split supported any Cisco ISE version and patch

Split Upgrade: Split upgrade is a multi-step process that enables the upgrade of your Cisco
ISE deployment while allowing services to remain available during the upgrade process. This
upgrade method allows you to choose the Cisco ISE nodes to be upgraded on your
deployment

–>> We recommended use Upgrade a Cisco ISE deployment from GUI

We are using full upgrade option below

Step 1 –>>

click the Menu icon (

) and choose ISE Administration > Upgrade

Step 2 –>>

Create a new repository to download the ISO image

Step 3 –>>

Please note down upgrade check list –

click on print checklist

Step 4 –>>

Go for prepare for upgrade and select repository where you store cisco ISE bundle in my
case i am using ftp_repo repository
Cisco ISE checks the following during the upgrade process like

Repository Validation

Memory Check

PAN Failover Validation

Scheduled Backup Check

Config Backup, CheckLicense Validation, etc

If any of the components are inactive or have failed, they are displayed in red and It is
mandatory to rectify these failures before performing an upgrade

Step 5 –>>

During upgrade staging, the upgraded database file is copied to all the nodes in the
deployment, and the configuration files are backed up on all the nodes in the deployment
please note If upgrade staging on a node is successful, it is displayed in green. If the upgrade
staging fails for a particular node, it is displayed in red

Click Next to proceed to the Upgrade Nodes window and Click Start to initiate the upgrade
process

Step 6 –>>

You can monitor the primary PAN upgrade status from the secondary PAN dashboard while
the primary PAN is upgraded

Clicking the Exit Wizard option in this window will prevent you from viewing the
Summary window later.
STEP 7 –>>

Click Next in the Upgrade Nodes window to check whether all the nodes are upgraded
successfully.

If there are any failed nodes, a dialog box with information about the failed nodes is
displayed.

STEP 8 –>>

You can verify and download the upgrade summary reports with relevant details such

as Checklist, Prepare to Upgrade, Upgrade Report, and System Health checklist items

If you are using any other method of upgrade like Legacy Split Upgrade , you simple
download bungle and start upgrade

Q- How to take backup of Cisco ISE-

Take backup from ISE thought CLI and GUI

1- Creating a Repository
2- Adding crypto key
3- Backing up ISE
4- Backing Up ISE Certificates

STEP 1- Create Repository –

–>>>>>> Administration > System > Maintenance > Repository

For cli simple login on device thought cli and put below command for create repository –

Please make sure when you will create repository you should add id and password under
repository otherwise it will failed

STEP 2- >>>>>>
This is very important to create crypto key without this backup may be fail after 70%
complete

STEP 3–>>>>>>>>>>>

BACKUP ISE

There are two types of backup below-

Configuration backup: It contains configuration data.

Operational backup: It contains monitoring & troubleshooting data

We need to take backup for both. To do that (after clicking Backup Now), we need to add
Backup Name, Type, Repository Name, Encryption key and then click Start Backup

Configuration backup –
Operational backup

we can use below CLI command if we dont take backup thought GUI-

Run — backup “bkp_name” repository “repository_name” ise-config encryption-key

plain ccna1234
STEP 4–>>>>>>>>>Backing Up ISE Certificates –

RUN this command into cli-

application configure ise

Run above command on CLI of ise and press 7 to export all certificatesExport Repository
Name: BackupSFTP (put name of your repository)
Enter encryption-key for export: admin1234

Categories: cisco ise

Tags: cisco ise