Cisco ISE Interview Questions and Answers

Cisco ISE Interview Questions- If you are looking for a job which is related to the ISE administrator then you need to prepare for the latest Cisco ISE Interview Questions. It is true that every interview is different as per the different job profiles. Here, we have prepared the most important Interview Questions and Answers which will help you get success in your upcoming interview and help you get your dream job in your dream company.

Introduction to ISE

Cisco Identity Services Engine (ISE) is a next-generation identity, access control and policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. The unique architecture of the Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices.

The administrator can then use that information to make proactive governance decisions by tying identity to various network elements including access switches, wireless LAN controllers (WLCs), virtual private network (VPN) gateways, and data center switches. Cisco ISE is a key component of the Cisco Security Group Access Solution.

Q. What is the Cisco ISE (Identity Services Engine)?

In simple terms, you can control who can access your network and when they do what they can get access to. It can authenticate wired, wireless and VPN users and can scale to millions of endpoints.

Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company’s Network Administrator devices such as routers and switches. The purpose is to simplify identity management across diverse devices and applications.

Q. What are the different types of personas on Cisco ISE?

1. Policy Administration Node (PAN)
2. Monitoring Node (MnT)
3. Policy Services Node (PSN)

Depending on the size of your deployment all three personas can be run on the same device or spread across multiple devices for redundancy.

Q. Explain the different types of personas on ISE?

Policy Administration Node (PAN) is where the administrator will login to configure policies and make changes to the entire ISE system. Once configured on the PAN the changes are pushed out to the policy services nodes. It handles all system-related configurations and can be configured as standalone, primary or secondary.

Monitoring Node (MnT) is where all the logs are collected and where report generation occurs. Every event that occurs within the ISE topology is logged to the monitoring node you can then generate reports showing the current status of connected devices and unknown devices on your network.

Policy Services Node (PSN) is the contact point into the network. Each switch is configured to query a radius server to get the policy decision to apply to the network port the radius server is the PSN. In larger deployments, you use multiple PSN’s to spread the load of all the network requests. The PSN provides network access, posture, guest access, client provisioning, and profiling services. There must be at least one PSN in a distributed setup.

Q. How can we deploy ISE?
ISE can be either deployed on a physical appliance or Virtual Machine that enables the creation and enforcement of access policies for endpoint devices connected to a company’s network.

Physical appliance: SNS 3400(EOL), SNS 3500, SNS 3600
Virtual: ISE can be installed on VMware, Hyper-V

Q. What is the main objective of Cisco ISE?
Every time a wired or wireless user wants to access the network or tries to access a device [for device administration], the user is validated against the server to check if he/she is permitted to do so. Depending on the end result, the user will be allowed certain access to network/device.

Q. What is the difference between Cisco ISE vs ACS?

ACS is used to authenticate users to network devices and for VPN sessions but it is not a NAC solution wherein it will not be able to control the network by checking the compliance state of the devices in the network.

ISE is the next generation of network authentication and is so much more powerful than ACS. If you want to implement full network access control you need ISE.