Mental model
A switch port or AP needs to make a decision when a device shows up: who is this, what VLAN do they belong to, what policy applies. The switch itself doesn’t know — it asks an external policy engine.
That engine is the RADIUS / AAA server. In a Cisco enterprise, it’s almost always Cisco ISE — Identity Services Engine.
802.1X / MAB / WebAuth
  (from user / device)
          │
          ▼
┌──────────────────┐
│   Switch / WLC   │  "Network Access Device" (NAD)
└────────┬─────────┘
         │ RADIUS Access-Request
         ▼
┌──────────────────┐
│       ISE        │  Policy Service Node (PSN)
│  Auth + Posture  │
│ Profiling + GBAC │
└──┬──────┬──────┬─┘
   │      │      │
 Active   AD   external
Directory CA   sources
ISE evaluates:
- Authentication — is this user/device known? (Active Directory, internal users, certificates)
- Authorization — what should they get? (VLAN, dACL, SGT, time-of-day, location)
- Profiling — what KIND of device is this? (IP phone? printer? laptop? IoT?)
- Posture — is the device compliant? (AV up to date, disk encrypted, patches current)
- Guest — sponsored vs self-registration vs hotspot for visitors
- BYOD — onboarding personal devices with limited rights
…and answers the NAD: “permit this client, put them in VLAN 20, with this dACL, with SGT EMPLOYEE-CONTRACTOR.”
If you haven’t already, read AAA and 802.1X — this topic builds on both.
What ISE provides
1. RADIUS authentication
The day-one feature. Every wired switchport and every Wi-Fi SSID does 802.1X against ISE. Devices that don’t speak 802.1X (printers, IoT) fall back to MAB (MAC Authentication Bypass — see 802.1X).
ISE policy rules look like:
IF user-group = "Domain Admins"
THEN permit, VLAN ADMIN, dACL ADMIN-FULL, SGT 100 (Admin)
ELSE IF user-group = "Employees" AND posture = "Compliant"
THEN permit, VLAN EMPLOYEE, dACL EMPLOYEE, SGT 10 (Employee)
ELSE IF user-group = "Employees" AND posture = "Non-Compliant"
THEN permit, VLAN QUARANTINE, dACL REMEDIATE-ONLY, SGT 999 (Quarantine)
ELSE deny
ISE pushes this back as RADIUS attributes the switch/AP enforces.
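To make the rule table concrete, here is an added example (not ISE code, not from the original page) that models a policy set as an ordered first-match list with a default deny, renders the winning authorization profile as the RADIUS attributes a Cisco switch expects (VLAN via the Tunnel-* attributes, dACL and SGT via cisco-av-pair), and models the second exchange in which the switch downloads the dACL body. The dACL contents, the PSN address 10.99.99.10, the redirect URL shape and the extra "posture pending" rule are assumptions made for the example.

```python
"""Toy model of an ISE policy set and the RADIUS attributes it returns.

Added example, not ISE code. The rule table from the text becomes an ordered
first-match list with a default deny. dACL bodies, PSN address, the redirect
URL and the "pending posture" rule are assumptions for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

PSN = "10.99.99.10"  # assumed PSN address (matches the switch config later on)


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset           # AD groups ISE resolved for the user
    posture: str = "Unknown"    # Compliant / NonCompliant / Unknown (no agent report yet)


@dataclass(frozen=True)
class AuthzProfile:
    name: str
    vlan: str
    dacl: Optional[str] = None          # dACL name, body looked up in DACLS
    sgt: Optional[int] = None           # Scalable Group Tag value
    redirect_acl: Optional[str] = None  # if set, the NAD redirects matching web traffic to the PSN


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: Optional[AuthzProfile]     # None means this rule denies


# Constructed dACL bodies (real ISE keeps these under Policy Elements > Results).
DACLS = {
    "ADMIN-FULL": ["permit ip any any"],
    "EMPLOYEE": ["deny ip any 10.0.0.0 0.0.0.255", "permit ip any any"],  # keep users off the mgmt subnet
    "REMEDIATE-ONLY": ["permit udp any any eq 53", f"permit tcp any host {PSN} eq 8443", "deny ip any any"],
}

POLICY_SET = [
    Rule("Domain admins", lambda s: "Domain Admins" in s.groups,
         AuthzProfile("ADMIN", vlan="ADMIN", dacl="ADMIN-FULL", sgt=100)),
    Rule("Compliant employees", lambda s: "Employees" in s.groups and s.posture == "Compliant",
         AuthzProfile("EMPLOYEE", vlan="EMPLOYEE", dacl="EMPLOYEE", sgt=10)),
    Rule("Non-compliant employees", lambda s: "Employees" in s.groups and s.posture == "NonCompliant",
         AuthzProfile("QUARANTINE", vlan="QUARANTINE", dacl="REMEDIATE-ONLY", sgt=999)),
    # Assumed addition beyond the text: a laptop whose agent has not reported yet must be
    # sent to the posture portal, otherwise every first-time employee falls through to deny.
    Rule("Employees pending posture", lambda s: "Employees" in s.groups and s.posture == "Unknown",
         AuthzProfile("POSTURE-REDIRECT", vlan="QUARANTINE", dacl="REMEDIATE-ONLY", sgt=999,
                      redirect_acl="POSTURE-REDIRECT")),
]


def dacl_reference(name: str) -> str:
    """ISE hands the switch a name plus a content hash, not the ACL itself; the hash
    changes whenever the dACL is edited, which is what forces a fresh download."""
    digest = hashlib.sha256("\n".join(DACLS[name]).encode()).hexdigest()[:8]
    return f"#ACSACL#-IP-{name}-{digest}"


def render_accept(p: AuthzProfile) -> list[tuple[str, str]]:
    """Attributes carried in the Access-Accept for this profile."""
    attrs = [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
             ("Tunnel-Private-Group-ID", p.vlan)]
    if p.dacl:
        attrs.append(("cisco-av-pair", f"ACS:CiscoSecure-Defined-ACL={dacl_reference(p.dacl)}"))
    if p.sgt is not None:
        # hex tag value plus a generation id, the form the NAD expects for TrustSec
        attrs.append(("cisco-av-pair", f"cts:security-group-tag={p.sgt:04x}-00"))
    if p.redirect_acl:
        attrs.append(("cisco-av-pair", f"url-redirect-acl={p.redirect_acl}"))
        attrs.append(("cisco-av-pair", f"url-redirect=https://{PSN}:8443/portal/gateway?action=cpp"))  # illustrative URL
    return attrs


def evaluate(session: Session) -> tuple[str, list[tuple[str, str]]]:
    """First matching rule wins; a deny rule or no match at all is an Access-Reject."""
    for rule in POLICY_SET:
        if rule.condition(session):
            if rule.profile is None:
                return ("Access-Reject", [])
            return ("Access-Accept", render_accept(rule.profile))
    return ("Access-Reject", [])


def download_dacl(reference: str) -> list[tuple[str, str]]:
    """The switch's follow-up Access-Request carries the reference as User-Name; the
    reply holds the ACL body, one ip:inacl#N av-pair per line. Unknown reference -> empty."""
    for name in DACLS:
        if reference == dacl_reference(name):
            return [("cisco-av-pair", f"ip:inacl#{i}={line}") for i, line in enumerate(DACLS[name], 1)]
    return []


if __name__ == "__main__":
    for s in (Session("alice", frozenset({"Domain Admins", "Employees"})),
              Session("bob", frozenset({"Employees"}), posture="Compliant"),
              Session("bob", frozenset({"Employees"})),
              Session("eve", frozenset({"Contractors"}))):
        print(s.user, s.posture, evaluate(s))
```

Rule order is the whole point: alice is in both groups and lands on ADMIN because that rule is evaluated first; move it below the employee rules and she gets EMPLOYEE. Note too that without the assumed "pending posture" rule, an employee whose agent has not reported yet matches nothing and is rejected, which is exactly the help-desk flood the rollout advice later on this page warns about.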
2. TACACS+ for device administration
Separate from RADIUS-for-users. TACACS+ controls who can SSH into the switches and what commands they can run:
Network admins → full enable access
Helpdesk → show commands only
Auditors → show running-config only
Per-command authorization with audit trail. Standard in any environment with more than ~5 network engineers.
3. Profiling
ISE listens to passive signals (DHCP, CDP, LLDP, MAC OUI, HTTP user-agent, SNMP) and identifies what’s behind each MAC. The profile says: “this MAC is a Cisco IP Phone 8861.”
Why it matters: you can write policy by device type rather than by MAC list:
- Printers → printer VLAN, deny everything outbound.
- IP phones → voice VLAN, limited dACL.
- Random IoT → quarantine VLAN.
Maintains itself — no manual MAC tables. Re-profiles in real-time.
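The following is an added example (not ISE code, not from the original page) of how a certainty-factor profiler works: each profile is a set of weighted checks on passive signals, the endpoint's certainty for a profile is the sum of the matching weights, and the endpoint is assigned the best profile that reaches its minimum certainty. Re-running it as each new signal arrives for a MAC is what "re-profiles in real time" means, and the profile-to-policy map at the end is the "policy by device type" idea from the list above. The OUI table, DHCP fingerprints, weights, thresholds and policy mapping are constructed for the example and are not ISE's real profiling library.

```python
"""Toy endpoint profiler modelled on ISE's certainty-factor approach.

Added example, not ISE code. A profile is a list of weighted checks; an
endpoint's certainty for a profile is the sum of the weights of the checks
that match, and it gets the highest-scoring profile that reaches its minimum
certainty, or "Unknown". OUI table, fingerprints, weights and the policy map
are constructed sample data, not ISE's real library.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed OUI table. 00:00:0C (Cisco) and B8:27:EB (Raspberry Pi) are real
# registrations; ISE uses the full IEEE list.
OUI_VENDOR = {"00:00:0C": "Cisco Systems", "B8:27:EB": "Raspberry Pi Foundation"}


@dataclass
class Endpoint:
    mac: str
    dhcp_vendor_class: Optional[str] = None  # DHCP option 60
    dhcp_param_list: Optional[str] = None    # DHCP option 55, comma-separated
    cdp_platform: Optional[str] = None
    http_user_agent: Optional[str] = None

    @property
    def vendor(self) -> str:
        return OUI_VENDOR.get(self.mac.upper()[:8], "Unknown")


@dataclass
class Profile:
    name: str
    min_certainty: int
    checks: list                   # (description, predicate, weight)
    parent: Optional[str] = None   # profiles form a hierarchy; the child wins on a tie


def has(field: str, text: str) -> Callable[[Endpoint], bool]:
    """Predicate: the named endpoint attribute is present and contains text."""
    return lambda e: text in (getattr(e, field) or "")


WINDOWS_OPTION55 = "1,3,6,15,31,33,43,44,46,47,121,249,252"  # sample Windows fingerprint

PROFILES = [
    Profile("Cisco-Device", 10, [("Cisco OUI", lambda e: e.vendor == "Cisco Systems", 10)]),
    Profile("Cisco-IP-Phone", 30, [
        ("Cisco OUI", lambda e: e.vendor == "Cisco Systems", 10),
        ("DHCP class names an IP Phone", has("dhcp_vendor_class", "IP Phone"), 20),
        ("CDP platform is a phone", has("cdp_platform", "Cisco IP Phone"), 30),
    ], parent="Cisco-Device"),
    Profile("HP-Printer", 20, [("DHCP class is JetDirect", has("dhcp_vendor_class", "JetDirect"), 20)]),
    Profile("Windows-Workstation", 20, [
        ("DHCP class is MSFT", has("dhcp_vendor_class", "MSFT"), 10),
        ("Windows option-55 order", lambda e: e.dhcp_param_list == WINDOWS_OPTION55, 20),
        ("Windows user-agent", has("http_user_agent", "Windows NT"), 10),
    ]),
    Profile("Raspberry-Pi", 20, [("Raspberry Pi OUI", lambda e: e.vendor == "Raspberry Pi Foundation", 20)]),
]


def classify(e: Endpoint) -> tuple[str, int, list[str]]:
    """Return (profile, certainty, matched check descriptions). Call it again whenever
    a new signal (DHCP, CDP, HTTP) arrives for the MAC; that is real-time re-profiling."""
    best = ("Unknown", 0, [])
    for p in PROFILES:
        hits = [(desc, w) for desc, pred, w in p.checks if pred(e)]
        certainty = sum(w for _, w in hits)
        if certainty < p.min_certainty:
            continue
        if certainty > best[1] or (certainty == best[1] and p.parent == best[0]):
            best = (p.name, certainty, [desc for desc, _ in hits])
    return best


# Policy by device type instead of by MAC list (constructed mapping).
PROFILE_POLICY = {
    "Cisco-IP-Phone": {"vlan": "VOICE", "dacl": "PHONE-LIMITED"},
    "HP-Printer": {"vlan": "PRINTERS", "dacl": "PRINTER-NO-OUTBOUND"},
    "Windows-Workstation": None,   # a managed laptop: let the 802.1X user rules decide
}
QUARANTINE = {"vlan": "QUARANTINE", "dacl": "REMEDIATE-ONLY"}


def authorization_for(e: Endpoint) -> Optional[dict]:
    """MAB authorization driven by profile: known device types get their VLAN and dACL,
    anything unrecognised (random IoT) goes to quarantine; None defers to user rules."""
    profile, _, _ = classify(e)
    return PROFILE_POLICY.get(profile, QUARANTINE)


if __name__ == "__main__":
    phone = Endpoint("00:00:0c:aa:bb:cc")                       # first seen: MAC only
    print(classify(phone), authorization_for(phone))             # Cisco-Device -> quarantine
    phone.dhcp_vendor_class = "Cisco Systems, Inc. IP Phone CP-8861"
    print(classify(phone), authorization_for(phone))             # now a phone -> voice VLAN
    phone.cdp_platform = "Cisco IP Phone 8861"
    print(classify(phone))                                       # certainty rises to 60
```

The first line of output is the important one for operations: a phone that has only sent its MAC so far is a generic Cisco-Device and would be quarantined if a MAB rule fired on it immediately. In a real deployment this is why ISE issues a CoA to re-authorize the session when the profile changes, and why the switch needs CoA configured (see the switch config below).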
4. Posture assessment
For corporate laptops: ISE deploys a lightweight posture agent (the AnyConnect Posture Module, now part of Cisco Secure Client) that reports back disk encryption status, AV signatures, OS patches, firewall state.
If non-compliant, ISE quarantines the device (limited dACL, no production network) until remediation runs. Then re-grants normal access.
5. Guest portals
Three flavors:
- Hotspot — connect, accept terms, go.
- Self-registration — guest fills a form, gets a temporary login.
- Sponsored — guest’s host approves access in a couple of clicks.
ISE handles the captive portal, ties the guest to an SSID + VLAN, expires the access automatically.
6. BYOD onboarding
Personal device shows up. ISE redirects to a portal. User logs in with corporate credentials. ISE issues a per-device cert tied to the user. Device authenticates via cert from then on — limited rights, no posture, no full corporate access.
7. SGT / TrustSec (with SD-Access)
ISE assigns a Scalable Group Tag to each authenticated session. Switches and routers enforce Group-Based Access Control (GBAC) — “Employees can talk to Servers” is a single matrix entry, not 200 per-VLAN ACLs.
This is the integration point with Cisco DNA / Catalyst Center for SD-Access deployments.
The deployment model
ISE deploys as a cluster of nodes running specific personas:
| Persona | Role |
|---|---|
| PAN | Policy Administration Node — GUI, config repository. One active + one standby (HA). |
| MnT | Monitoring & Troubleshooting Node — log storage, reports. One active + one standby. |
| PSN | Policy Service Node — actually handles RADIUS/TACACS requests. Scale-out — add more for more throughput. |
| pxGrid | Inter-product integration plane (sends ISE events to firewalls, SIEM, NAC partners). |
A small deployment uses two appliances with all personas combined. A large deployment scales out PSNs (one or two per region) while keeping PAN + MnT central.
Where ISE sits architecturally
Active Directory    (users + groups)
Microsoft CA        (certificates)
MDM (Intune/JAMF)   (device compliance)
          │ external integrations
          ▼
┌────────────────────┐
│        ISE         │
│  PAN + MnT + PSN   │  policy + identity
└─────────┬──────────┘
          │ RADIUS / TACACS+ / pxGrid
          ▼
┌─────────────────────────────────┐
│  Switches, WLCs, FW, VPN, etc.  │  NADs enforcing policy
└────────────────┬────────────────┘
                 ▼
          Users, devices
ISE sits between identity sources and the network enforcement points. It speaks RADIUS to enforcers and LDAP/Kerberos to identity providers.
Configuration — a tiny taste
ISE itself is configured through its web GUI (Policy → Policy Sets, Identity Stores, etc.) or, for automation, through its REST APIs (ERS and the newer OpenAPI). There is no CLI policy language in the way you would write an access-list.
On the switch (NAD) side, you point at ISE as a RADIUS server. The bare minimum is the AAA method lists plus dot1x on the port; the extra lines below (VSA support, CoA, device tracking so dACLs can be applied per client IP, and a pre-auth ACL) are what dACLs, URL redirects and posture re-authorization actually depend on, and they are the ones that get forgotten:
SW1(config)# aaa new-model
SW1(config)# radius server ISE-PSN-1
SW1(config-radius-server)# address ipv4 10.99.99.10 auth-port 1812 acct-port 1813
SW1(config-radius-server)# key SecretSharedWithISE
SW1(config)# aaa group server radius ISE-GROUP
SW1(config-sg-radius)# server name ISE-PSN-1
SW1(config)# aaa authentication dot1x default group ISE-GROUP
SW1(config)# aaa authorization network default group ISE-GROUP
SW1(config)# aaa accounting dot1x default start-stop group ISE-GROUP
SW1(config)# ! Vendor-specific attributes carry the dACL, SGT and URL-redirect; without this they are ignored
SW1(config)# radius-server vsa send authentication
SW1(config)# ! Change of Authorization: lets ISE re-authorize a session after posture or profiling changes
SW1(config)# aaa server radius dynamic-author
SW1(config-locsvr-da-radius)# client 10.99.99.10 server-key SecretSharedWithISE
SW1(config)# ip device tracking
SW1(config)# dot1x system-auth-control
SW1(config)# ! Pre-auth ACL: what an unauthenticated port may do (DHCP, DNS, the ISE portal)
SW1(config)# ip access-list extended PRE-AUTH
SW1(config-ext-nacl)# permit udp any eq bootpc any eq bootps
SW1(config-ext-nacl)# permit udp any any eq domain
SW1(config-ext-nacl)# permit tcp any host 10.99.99.10 eq 8443
SW1(config-ext-nacl)# deny ip any any
SW1(config)# interface Gi1/0/1
SW1(config-if)# switchport voice vlan 100
SW1(config-if)# ip access-group PRE-AUTH in
SW1(config-if)# authentication host-mode multi-domain
SW1(config-if)# ! Monitor mode for the rollout only: a failed authentication still forwards. Remove it when you enforce.
SW1(config-if)# authentication open
SW1(config-if)# authentication port-control auto
SW1(config-if)# mab
SW1(config-if)# dot1x pae authenticator
Multi-domain host mode expects one data device and one voice device on the port, hence the voice VLAN. ISE handles the rest via its policy GUI.
CCNA depth
For the CCNA 200-301 exam, you should be able to:
- Identify ISE as Cisco’s enterprise AAA / NAC platform.
- Describe the difference between RADIUS and TACACS+ (see AAA) and how ISE provides both.
- Recognize the deployment model — PAN, MnT, PSN nodes.
- Connect ISE to 802.1X / MAB — it’s the back-end policy engine.
- Connect ISE to SD-Access / DNAC — ISE assigns SGTs that SD-Access uses for GBAC.
You won’t configure ISE on the CCNA. Configuration is CCNP / specialist exam territory.
Common mistakes
- Treating ISE as just a RADIUS server. It does much more — profiling, posture, BYOD, guest. If you only use it for 802.1X, you’re paying for capabilities you’re not getting.
- Missing pre-auth ACLs. 802.1X itself is EAPOL between the supplicant and the switch, so it completes without any IP path. Everything after it does not: MAB fallback to a web-auth portal, the posture redirect and BYOD onboarding all need the client to get a DHCP lease, resolve DNS and reach the PSN’s portal (TCP 8443 by default) before it is fully authorized. Apply a small pre-auth ACL on the port that permits exactly that and denies the rest; in open mode it is the only thing limiting an unauthenticated device.
- Confusing “authentication open” with “no security.” Open mode lets traffic flow before auth completes, which is useful during an 802.1X rollout for monitoring. Once auth completes the post-auth policy (VLAN, dACL) is applied as normal, but a failed or absent authentication leaves the port forwarding. That makes open mode a visibility tool, not enforcement. Don’t leave it on forever.
- PSN sizing. A single PSN handles on the order of hundreds of RADIUS authentications per second, not tens of thousands; the exact figure depends on appliance size and EAP method (EAP-TLS is cheaper than PEAP with AD lookups), so take it from the ISE Performance and Scalability guide for your release and plan against measured peaks. A flash storm (every laptop in the building boots at 8am) is the peak that matters.
- No HA. Single-PAN deployment + a failed appliance = ISE GUI gone. Authentications still work, because each PSN holds a replicated copy of the policy, but you can’t change policy or add endpoints. Always have a standby PAN.
- Skipping certificate hygiene. ISE uses certs everywhere — admin GUI, EAP, portals, pxGrid. Expired certs = mysterious failures. Track them.
- Active Directory tight coupling. ISE depends on AD for user/group lookups. Plan for AD outages (caching helps, but design with the assumption that AD can be unavailable briefly).
- Skipping a “monitor mode” rollout. Going straight from “no NAC” to “strict 802.1X” causes mass auth failures and a help-desk meltdown. Start in open mode, audit failures for weeks, then tighten.
Lab to try (sandbox)
- Cisco DevNet has free ISE sandboxes — reserve one.
- Log into the GUI. Tour: Identities (users), Policy → Policy Sets, Policy Elements (Conditions / Results), Operations (live logs).
- Look at the included sample policy set — see how rules match conditions and return authorization profiles.
- From a simulated switch, send a test RADIUS request: test aaa group ISE-GROUP <user> <pass> new-code. Watch ISE’s Live Logs (Operations → RADIUS → Live Logs).
- Add an identity (user → group). Create an authorization profile (VLAN + dACL). Wire them together in a new rule. Re-test.
- Bonus: enable profiling. Connect a simulated client and watch ISE classify it based on DHCP fingerprints.
Cheat strip
| Concept | Plain English |
|---|---|
| ISE | Cisco’s enterprise AAA / NAC platform |
| RADIUS vs TACACS+ | RADIUS = network access (user auth + authz); TACACS+ = device admin (who can SSH + what commands) |
| NAD | Network Access Device — the switch/AP/firewall asking ISE |
| PAN / MnT / PSN | Admin node / Monitoring node / Policy Service node |
| Profiling | Identify what kind of device is behind a MAC |
| Posture | Check the device is compliant before granting access |
| BYOD | Onboard personal devices with per-user cert |
| Guest | Captive portal for visitors |
| SGT | Scalable Group Tag — identity-based segmentation. ISE assigns; switches enforce |
| pxGrid | Integration plane to send ISE info to other security products |
| Open mode | 802.1X in monitor — allow + log — useful during rollout |
| CCNA depth | Know what ISE is. Know where it sits. Know it powers 802.1X and SD-Access. |