Cisco Ise 300-715 en

This document serves as a comprehensive guide for preparing for the Cisco 300-715 SISE certification, focusing on the Cisco Identity Services Engine (ISE) and its critical components for network security. It covers ISE fundamentals, authentication methods, authorization policies, accounting practices, integration with other systems, and network security measures. The document is structured into chapters that detail the architecture, configuration, and operational aspects of ISE necessary for effective network access management and security compliance.

Uploaded by

Alejandro Osorio
Deep Dive into Cisco ISE: Your Path to 300-715 SISE Certification (Extended Edition)

Hello! You're aiming for the Cisco 300-715 SISE certification, and that's excellent! Cisco Identity Services
Engine (ISE) is a crucial component of modern network security, allowing centralized access
management, compliance enforcement, and threat response. This document is your companion for
exploring all the concepts necessary to successfully pass the exam.

Chapter 1: Cisco Identity Services Engine (ISE) Fundamentals

To confidently work with ISE, you first need to understand its foundation.

Architecture and ISE Components

 ISE Nodes:

o Administrative Node (Admin Node - ADMIN):

 Functions: Centralized management of all ISE configurations, web interface (GUI), CLI access, database management, and reporting (partial). In a distributed deployment, there can only be one active ADMIN node and one in Standby (HA) mode.

 Primary/Secondary: Understand the roles in High Availability (HA) mode and the data synchronization process.

o Policy Service Node (PSN):

 Functions: Processes RADIUS (Authentication, Authorization, Accounting) requests from Network Access Devices (NADs), executes profiling policies, guest access, and posture assessment. The PSN is the "face" of ISE to end devices and network infrastructure.

 Scalability: Multiple PSNs can be deployed to ensure performance and redundancy.

o Monitoring Node (MNT):

 Functions: Collects all operational data (authentication, authorization, profiling, audit logs), system events, and alerts. Stores historical data for troubleshooting and auditing.

 HA for MNT: Configuring a pair of MNT nodes for high availability and data backup. Understanding the importance of preserving monitoring data.

o Profiling Node: This role is typically co-located with a PSN.

 Functions: Analyzes various data sources (probes) to determine the type of connecting device.

 Probe Sources: DHCP, HTTP, DNS, NetFlow, NMAP (active scanning), SNMP Query, RADIUS. Understand how each probe contributes to profiling.

o pxGrid Node:

 Functions: Provides secure exchange of contextual information between ISE and other security systems (e.g., Cisco Firepower, Stealthwatch, Splunk, SIEM systems, MDM) and third-party solutions. This enables ISE to integrate into a broader security ecosystem.

 Publisher/Subscriber: Understand the roles in pxGrid.

 Deployment Models:

o Standalone: A single node performing all roles. For small environments or labs.

o Distributed: Multiple nodes with dedicated roles (ADMIN, PSN, MNT). For medium to
large-scale environments.

o High Availability (HA): Configuring node pairs (ADMIN, MNT) to ensure continuous
operation in case of a node failure. Understand data synchronization between HA pairs.

 Licensing: Understand which licenses are required for each feature:

o Base: Basic AAA services, MAB, Dot1X (without guest access).

o Plus: Profiling, guest access, Posture, MDM, BYOD, TrustSec SGTs.

o Apex: Vulnerability Assessment, Threat Containment, MDM/UEM integration for policy management.

o DNA Advantage / Premier: Understand how new Cisco licensing models (e.g., via Cisco DNA Center) include ISE functionality.

Configuring Basic ISE Settings

 Initial Setup: IP addressing, NTP (critical for certificates and authentication), DNS (for host and
AD domain resolution), hostname.

 Certificates:

o ISE System Certificates: Managing certificates used by ISE itself for HTTPS GUI access, for
EAP-TLS authentication (server certificate), for inter-node communication (Internal CA),
and for pxGrid.

o Importing Trusted Certificates: Importing CA certificates that sign client certificates for
EAP-TLS, or certificates of external LDAP/AD servers.

o Configuring Certificate Usage for EAP-TLS: Selecting the system certificate for EAP-TLS
authentication.

o Certificate Revocation Check (CRL/OCSP): Configuring ISE to check the revocation status
of client certificates.

 Network Access Devices (NADs):

o Adding NADs: Manual addition or import of devices.

o RADIUS Authentication: Configuring shared secrets between ISE and NADs. Understand RADIUS ports (1812 for Auth, 1813 for Accounting).

o RADIUS CoA (Change of Authorization): Configuration for dynamic authorization changes or session termination.

o SNMP Access: For profiling and other functions.

Managing Users and Devices in ISE

 Internal Users: Creating and managing user accounts directly in the ISE database (e.g., for ISE
administrators, or a limited number of internal users).

 Endpoint Identities: Managing the database of known devices (MAC addresses, profiled device
types).

o MAC Address Bypass (MAB) List: Using this database for MAB.

o Static/Dynamic Profiling: Understanding the differences.

 User Groups and Endpoint Identity Groups: Creating logical groups based on identity for more
granular policy application.

o Default Endpoint Group: The default group for all newly profiled devices.

o Creating Custom Groups: For IP phones, printers, cameras, etc.

Chapter 2: Authentication

Authentication is the process of confirming the identity of a user or device.

Authentication Methods

 802.1X (Port-Based Authentication): The standard on which port-based network access control is built.

o EAP (Extensible Authentication Protocol):

 EAP-TLS (Transport Layer Security):

 How it Works: Mutual authentication using certificates. The client presents its certificate, and ISE presents its server certificate.

 Advantages: High security, protection against man-in-the-middle attacks.

 Configuration: Requires a PKI infrastructure, CA configuration on clients and ISE.

 PEAP (Protected EAP):

 How it Works: Creates an encrypted TLS tunnel between the client and the server (ISE), inside which other authentication methods are transmitted, most commonly MS-CHAPv2.

 Advantages: Simplicity of deployment (no client certificates needed), widely supported.

 Disadvantages: Relies on the user verifying the server certificate to prevent "Evil Twin" attacks.

 EAP-FAST (Flexible Authentication via Secure Tunneling):

 How it Works: Uses a PAC (Protected Access Credential) to create a secure tunnel.

 Advantages: Resistant to password phishing, does not require client certificates.

 Configuration: Requires PAC issuance to clients.

 EAP-GTC (Generic Token Card): Used for integration with One-Time Password (OTP) systems or token cards.

o Supplicant Configuration: Detailed configuration of clients (Windows Native Supplicant, Cisco AnyConnect Network Access Manager) for various EAP types.

 MAC Authentication Bypass (MAB):

o How it Works: Authenticates a device solely by its MAC address.

o Use Cases: For devices that cannot perform 802.1X (printers, IP phones, older IoT
devices).

o Processing Order: MAB is typically performed after a failed 802.1X attempt.

 Guest Access:

o Types of Guest Portals:

 Self-Registered Guest Portal: Guests register themselves and receive credentials (via SMS/Email).

 Sponsored Guest Portal: An employee sponsor (e.g., HR or manager) creates an account for the guest.

 Hotspot Guest Portal: Simple access without registration, often with terms of use acceptance.

o Configuring Guest Authentication Flow:

 Web Redirection (Central Web Authentication - CWA): How the network device redirects client traffic to the ISE guest portal for authentication.

 Account Creation Process: Configuring registration form fields, password delivery methods.

 Guest Access Policies: Setting time limits, bandwidth limits, available resources for guests.

Integration with Various Identity Sources

 Active Directory (AD):

o Joining ISE to an AD Domain: Requirements for DNS, service accounts, ports.

o Using AD Groups for Authorization: How ISE imports AD groups and uses them in policy conditions.

o Understanding AD Attributes Used by ISE: For example, sAMAccountName, memberOf, userCertificate, machineCertificate.

o Proxying Requests: ISE can proxy requests to multiple domains or external RADIUS servers.

 LDAP: Integration with other LDAP directories besides AD. Attribute configuration.

 RADIUS: Using external RADIUS servers as identity sources (e.g., for contractors or partners).

 Internal ISE Users: Managing local accounts stored directly in the ISE database.

Configuring Multi-Factor Authentication (MFA)

 Integration with MFA Solutions:

o RADIUS: Most MFA solutions can be integrated with ISE via the RADIUS protocol (e.g.,
Duo Security, RSA SecurID, Microsoft MFA Server/Azure MFA NPS Extension).

o SAML: Integration with cloud-based MFA services via SAML.

 Applying MFA in Policies: Creating authorization policies that require MFA for specific users
(e.g., administrators) or for access to particular resources.

Chapter 3: Authorization

Authorization is the process of determining what a user or device is allowed to do after successful
authentication.

Authorization Policies and Their Application

 Authorization Rule Order:

o Understanding how ISE processes rules from top to bottom and applies the first match.

o The importance of correct order to prevent rule "shadowing."

 Conditions:

o Creating complex conditions using AND/OR operators and nested conditions.

o Using attributes from various sources: user/device identity, profiling result, AD/LDAP
group, Posture information, authentication type, time of day, location.

 Results: Selecting the appropriate Authorization Profile to be applied when a rule matches.
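
The top-down, first-match evaluation and the rule-shadowing problem described above, as an added example that is not part of the original guide; the attribute and profile names are illustrative, not ISE's exact dictionary names.

```python
"""Added example (not from the study guide): a simplified model of ISE's
top-down, first-match authorization rule evaluation, with a check that flags
rules shadowed by an earlier, broader rule. Names are illustrative."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Session = Dict[str, object]            # attributes gathered during authentication
Condition = Callable[[Session], bool]

@dataclass
class Rule:
    name: str
    conditions: List[Condition]        # all must hold (logical AND)
    profile: str                       # authorization profile applied on match

# Condition builders for the attribute sources the guide lists
def ad_group(group: str) -> Condition:
    return lambda s: group in s.get("ad_groups", [])

def endpoint_profile(profile: str) -> Condition:
    return lambda s: s.get("profile") == profile

def posture(status: str) -> Condition:
    return lambda s: s.get("posture") == status

def auth_method(method: str) -> Condition:
    return lambda s: s.get("auth_method") == method

def evaluate(rules: List[Rule], session: Session, default: str = "DenyAccess") -> str:
    """Top-down evaluation: the first rule whose conditions all hold wins."""
    for rule in rules:
        if all(cond(session) for cond in rule.conditions):
            return rule.profile
    return default

def shadowed_rules(rules: List[Rule], samples: List[Session]) -> Dict[str, str]:
    """Rules that match at least one sample session but never win, mapped to the
    earlier rule that took the match. Sample-based: it only sees shadowing for
    the sessions supplied, so feed it one session per intended rule."""
    matched, won, taken_by = set(), set(), {}
    for s in samples:
        winner = None
        for r in rules:
            if all(c(s) for c in r.conditions):
                matched.add(r.name)
                if winner is None:
                    winner = r.name
                    won.add(r.name)
                else:
                    taken_by.setdefault(r.name, winner)
    return {name: taken_by[name] for name in matched - won}

# Constructed policy: the third rule can never win, because the second one sits
# above it and already matches every Employees session (rule shadowing).
RULES = [
    Rule("Employees-EAP-TLS-Compliant",
         [ad_group("Employees"), auth_method("EAP-TLS"), posture("Compliant")],
         "Employee_Full_Access"),
    Rule("Employees-Any", [ad_group("Employees")], "Employee_Limited"),
    Rule("Employees-PEAP-Compliant",
         [ad_group("Employees"), auth_method("PEAP"), posture("Compliant")],
         "Employee_Full_Access"),
    Rule("IP-Phones", [endpoint_profile("Cisco-IP-Phone")], "Voice_VLAN"),
]
# Constructed sample sessions, one per intended rule plus an unmatched one
TLS_USER = {"ad_groups": ["Employees"], "auth_method": "EAP-TLS", "posture": "Compliant"}
PEAP_USER = {"ad_groups": ["Employees"], "auth_method": "PEAP", "posture": "Compliant"}
PHONE = {"profile": "Cisco-IP-Phone", "auth_method": "MAB"}
CONTRACTOR = {"ad_groups": ["Contractors"], "auth_method": "PEAP"}
SAMPLES = [TLS_USER, PEAP_USER, PHONE, CONTRACTOR]
```

Moving the broad "Employees-Any" rule below the specific ones is the usual fix; the shadow check then no longer reports the PEAP rule.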

Configuring Authorization Profiles

 Access-Accept/Access-Reject: Basic allowance or denial of access.

 VLAN Assignment:

o Dynamic VLAN Assignment: ISE dynamically assigns a VLAN to the port where the device/user connects.

o Critical VLAN: Assigning a VLAN in case of authentication failure (e.g., to receive updates).

 Downloadable ACLs (dACLs):

o How it Works: ISE downloads an ACL directly to the network device.

o Use Cases: Granular traffic control for specific users/devices, e.g., guest access with a limited set of permissions.

 Security Group Tags (SGTs) / TrustSec:

o How it Works: Assigning numerical Security Group Tags (SGTs) to users/devices based on their role.

o Policy Matrix: Using SGTs to define network segmentation rules (Source SGT -> Destination SGT -> Permission). Understanding how SGTs are enforced on network devices (switches, routers, firewalls).

o Advantages: Policy independence from IP addresses/VLANs, simplified segmentation.

 URL Redirect:

o Central Web Authentication (CWA): Redirecting client HTTP traffic to an ISE guest or
BYOD portal for authentication.

o URL-Redirect ACL: An access control list that redirects traffic and only allows access to
ISE.

 Timers:

o Reauthentication Timers: The interval after which a device must reauthenticate.

o Session Timers: Maximum duration of a session.

Chapter 4: Accounting

Accounting is the collection and analysis of data about network activity of users and devices.

Collecting and Analyzing Accounting Data

 RADIUS Accounting: How network devices send accounting data (session start, update, end) to
ISE.

 Types of Accounting Records:

o Start: Sent when a session begins.

o Interim-Update: Sent at specified intervals to update session information (e.g., amount of data transferred).

o Stop: Sent when a session ends.

 Viewing Accounting Reports: Using built-in reports in ISE Monitor/Reports to analyze session
duration, traffic volume, access type, etc.

 Audit Reports: For compliance requirements.
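
The Start / Interim-Update / Stop records above, correlated into per-session summaries the way a monitoring node or SIEM would, as an added example that is not part of the original guide; the records are constructed in a simplified comma-separated key=value form, not ISE's real syslog layout.

```python
"""Added example (not from the study guide): correlating RADIUS accounting
Start / Interim-Update / Stop records into per-session summaries, and flagging
sessions that never closed or that close without a Start. Records are
constructed in a simplified comma-separated key=value form; real ISE
accounting syslog carries many more fields."""
from typing import Dict, List

# Constructed sample: one clean session, one still open, one Stop without Start
ACCT_LOG = """\
Acct-Status-Type=Start, Acct-Session-Id=0A0B0C01, User-Name=alice, Calling-Station-ID=00:11:22:33:44:55, NAS-IP-Address=10.0.0.2, Timestamp=1000
Acct-Status-Type=Interim-Update, Acct-Session-Id=0A0B0C01, User-Name=alice, Acct-Input-Octets=1500, Acct-Output-Octets=9000, Timestamp=1600
Acct-Status-Type=Start, Acct-Session-Id=0A0B0C02, User-Name=printer-01, Calling-Station-ID=AA:BB:CC:DD:EE:FF, NAS-IP-Address=10.0.0.2, Timestamp=1700
Acct-Status-Type=Stop, Acct-Session-Id=0A0B0C01, User-Name=alice, Acct-Input-Octets=4000, Acct-Output-Octets=20000, Acct-Terminate-Cause=User-Request, Timestamp=2200
Acct-Status-Type=Stop, Acct-Session-Id=0A0B0C09, User-Name=bob, Acct-Input-Octets=10, Acct-Output-Octets=20, Timestamp=2300
"""

def parse_record(line: str) -> Dict[str, str]:
    """Split 'key=value, key=value' into a dict (values may contain '=')."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def new_session(rec: Dict[str, str]) -> dict:
    return {"user": rec.get("User-Name"), "mac": None, "nas": None,
            "start": None, "stop": None, "updates": 0,
            "in_octets": 0, "out_octets": 0, "cause": None, "anomalies": []}

def correlate(log: str) -> Dict[str, dict]:
    """Fold accounting records into one summary per Acct-Session-Id."""
    sessions: Dict[str, dict] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        s = sessions.setdefault(rec["Acct-Session-Id"], new_session(rec))
        kind, ts = rec["Acct-Status-Type"], int(rec["Timestamp"])
        if kind == "Start":
            s["start"] = ts
            s["mac"], s["nas"] = rec.get("Calling-Station-ID"), rec.get("NAS-IP-Address")
        elif kind == "Interim-Update":
            s["updates"] += 1        # running counters replace the previous values
            s["in_octets"], s["out_octets"] = int(rec["Acct-Input-Octets"]), int(rec["Acct-Output-Octets"])
        elif kind == "Stop":
            s["stop"], s["cause"] = ts, rec.get("Acct-Terminate-Cause")
            s["in_octets"], s["out_octets"] = int(rec["Acct-Input-Octets"]), int(rec["Acct-Output-Octets"])
            if s["start"] is None:   # the Start was lost or never reached ISE
                s["anomalies"].append("stop-without-start")
    for s in sessions.values():
        if s["start"] is not None and s["stop"] is not None:
            s["duration"] = s["stop"] - s["start"]   # seconds, from the record timestamps
    return sessions

def open_sessions(sessions: Dict[str, dict]) -> List[str]:
    """Sessions with a Start but no Stop: still active, or stale entries that
    linger until the NAD reports again (one reason interim updates matter)."""
    return [sid for sid, s in sessions.items()
            if s["start"] is not None and s["stop"] is None]
```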

Configuring Accounting Rules

 Sending Data to External Systems (External Logging): Configuring ISE to send accounting data
(Syslog) to Security Information and Event Management (SIEM) systems such as Splunk, ArcSight,
QRadar.

 Configuring NAS (Network Access Server) for Accounting: Ensure switches/routers are
configured to send RADIUS accounting to ISE.

Chapter 5: Integration with Other Systems

Cisco ISE is not an isolated solution; its strength lies in integration and context sharing.

Integration with LDAP, AD, PKI

 LDAP/AD:

o Multi-Forest/Multi-Domain: Integrating ISE with multiple Active Directory forests or domains. Understanding Trust relationships.

o Attributes: Using extended AD attributes for more complex authorization policies.

o Group Search Order: Configuring the order of group searches in multiple identity sources.

 PKI (Public Key Infrastructure):

o Using Certificates for Authentication (EAP-TLS, Machine Authentication):

 Configuring ISE to trust the root CA.

 Configuring certificate templates for clients and ISE.

 Understanding certificate field requirements (Subject, SAN, EKU).

o Certificate Revocation Check (CRL, OCSP):

 CRL (Certificate Revocation List): How ISE downloads and uses lists of revoked
certificates.

 OCSP (Online Certificate Status Protocol): How ISE makes real-time queries to
check certificate status.

o Using External Certificate Authorities (CAs): Integration with corporate CAs (Microsoft
CA, DigiCert, etc.).

Configuring Authentication Using SAML (Security Assertion Markup Language)

 SAML Principle: Understanding the roles of Identity Provider (IdP) and Service Provider (SP).

 ISE as a Service Provider (SP): Configuring ISE to work with an external IdP (e.g., Microsoft ADFS,
Okta, Azure AD) for administrator authentication or guest portal users.

 Advantages: Utilizing existing federated identity systems, simplifying password management, supporting Single Sign-On (SSO).

Using REST API for Integration with External Systems

 ISE APIs:

o ERS (External RESTful Services) API: Used for managing ISE configuration (creating users,
groups, devices, policies). Understanding GET, POST, PUT, DELETE methods.

o Open API (Swagger): Understanding the API documentation structure.

 pxGrid API:

o Contextual Information Exchange: Using pxGrid for dynamic exchange of information about users, devices, security groups, vulnerabilities, and threats with other systems (e.g., Firepower, Stealthwatch, MDM, SIEM).

o Publisher/Subscriber Model: Understanding how systems subscribe to contextual information.

Chapter 6: Network Security with Cisco ISE

ISE is not just about access; it's also about broader security.

Protecting the Network with Cisco ISE

 Profiling:

o Profiling Methods (Probes): Detailed understanding of how each probe type (DHCP,
HTTP, DNS, NetFlow, NMAP, SNMP Query, RADIUS) provides information for profiling.

o Profiling Policies: Creating rules to match collected attributes to predefined device profiles (e.g., "Cisco IP Phone", "Windows Workstation", "Linux Server").

o Endpoint Attributes: Which attributes are collected and how they are used.

o Profiling Result: How a profiled device is used in authorization policy conditions to grant
appropriate access.

 Posture Policies:

o How it Works: Checking endpoints for compliance with security policies before granting
full access.

o ISE Agent (Cisco AnyConnect Posture Module): Using the AnyConnect client on devices
to collect information about OS health, antivirus presence, patches, firewall status.

o Remediation: Configuring remediation actions (e.g., redirection to a patch download page).

o Quarantine: Placing non-compliant devices in a restricted quarantine VLAN.

o Conditional Access: Granting access only if certain security conditions detected during
Posture are met.
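
How profiling policies turn probe attributes into a device profile, as an added example that is not part of the original guide: each matching rule adds certainty and the profile is only assigned once its minimum certainty is reached. Attribute names follow the probes the guide lists; the OUI, strings and certainty values are constructed for illustration, not copied from ISE's built-in policies.

```python
"""Added example (not from the study guide): a simplified model of ISE
profiling. Every probe attribute that matches a rule in a profiling policy adds
certainty; the endpoint gets the highest-scoring profile among those that
reach their minimum certainty, or stays Unknown. Values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Endpoint = Dict[str, str]      # attributes collected by DHCP, RADIUS, HTTP, SNMP probes

@dataclass
class ProfileRule:
    check: Callable[[Endpoint], bool]
    certainty: int             # added to the policy's score when the check holds

@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int         # total needed before this profile may be assigned
    rules: List[ProfileRule]

def attr_contains(attr: str, needle: str) -> Callable[[Endpoint], bool]:
    return lambda e: needle.lower() in e.get(attr, "").lower()

def mac_oui(oui: str) -> Callable[[Endpoint], bool]:
    return lambda e: e.get("MACAddress", "").upper().startswith(oui.upper())

# Constructed policies (the OUI below is treated as a Cisco prefix only for this example)
POLICIES = [
    ProfilingPolicy("Cisco-IP-Phone", 30, [
        ProfileRule(mac_oui("00:1B:54"), 10),                                            # RADIUS probe
        ProfileRule(attr_contains("dhcp-class-identifier", "Cisco Systems, Inc. IP Phone"), 20),  # DHCP
        ProfileRule(attr_contains("cdpCachePlatform", "Cisco IP Phone"), 20),             # SNMP query
    ]),
    ProfilingPolicy("Windows-Workstation", 20, [
        ProfileRule(attr_contains("dhcp-class-identifier", "MSFT"), 10),                 # DHCP
        ProfileRule(attr_contains("User-Agent", "Windows NT"), 20),                      # HTTP probe
    ]),
    ProfilingPolicy("Printer", 20, [
        ProfileRule(attr_contains("dhcp-class-identifier", "printer"), 20),              # DHCP
        ProfileRule(attr_contains("hrDeviceDescr", "Printer"), 20),                      # SNMP query
    ]),
]

def score(policy: ProfilingPolicy, endpoint: Endpoint) -> int:
    return sum(r.certainty for r in policy.rules if r.check(endpoint))

def profile_endpoint(endpoint: Endpoint, policies: List[ProfilingPolicy] = POLICIES) -> Optional[str]:
    """Best-scoring policy whose minimum certainty is met; None means the endpoint
    stays in the default (Unknown) group until more probe data arrives."""
    best, best_score = None, 0
    for p in policies:
        s = score(p, endpoint)
        if s >= p.min_certainty and s > best_score:
            best, best_score = p.name, s
    return best

# Constructed endpoints as seen after different probes have reported
PHONE = {"MACAddress": "00:1B:54:AA:BB:CC",
         "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-8841"}
LAPTOP = {"MACAddress": "3C:22:FB:11:22:33", "dhcp-class-identifier": "MSFT 5.0",
          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
DHCP_ONLY = {"MACAddress": "3C:22:FB:44:55:66", "dhcp-class-identifier": "MSFT 5.0"}  # 10 < 20
```

The DHCP_ONLY endpoint shows why a profile can change after the HTTP probe later sees a User-Agent: the same device is re-profiled when new attributes lift the score over the threshold.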

Network Access Control (Device Administration)

 Device Admin (TACACS+):

o How it Works: Using ISE for centralized authentication and authorization of administrators managing network devices (switches, routers, firewalls).

o Command Authorization: Granular control over which commands administrators can execute on network devices, based on their group or role.

o Command Auditing: Logging all executed commands for auditing purposes.

Incident Response (Threat Containment)

 Integration with Cisco Firepower, Stealthwatch, Splunk:

o pxGrid Integration: Using pxGrid to exchange threat intelligence (e.g., Indicators of Compromise - IoCs) between ISE and other security tools.

o Dynamic Authorization (CoA): How ISE can receive threat information from other systems (e.g., Firepower detected malicious activity) and dynamically change the authorization of a compromised device (e.g., quarantine it, disconnect it from the network) using Change of Authorization (CoA).

 Isolating Compromised Devices: Automating threat response, enhancing security through proactive actions.

Chapter 7: ISE Management and Monitoring

Effective ISE operation requires management, monitoring, and troubleshooting skills.

Configuring ISE Monitoring

 Dashboards and Reports:

o Built-in Dashboards: Overview of system status, authentications, profiling.

o Custom Reports: Creating specialized reports for auditing, performance, compliance.

 Logging and Alarms:

o Syslog: Configuring ISE to send system logs and audit events to external Syslog
servers/SIEM systems.

o SNMP Traps: Sending SNMP notifications for critical events.

o Email Notifications: Configuring email alerts.

 Data Purging: Setting up rules to purge old data to manage disk space on monitoring nodes.

Using Troubleshooting Tools

 Live Logs:

o Real-time Event Viewing: Immediate display of authentication/authorization requests.

o Filtering: Efficiently using filters to search for specific events.

 Authentication Details:

o Detailed Analysis: Deep dive into each authentication/authorization session.

o Understanding Policy Set, Matched Rule, Result: Identifying which rule was triggered
and why, what attributes were received and used.

o Debugging: Activating more verbose logging for specific components (e.g., Profiling,
EAP).

 Diagnostic Tools: Using built-in CLI and GUI tools for network diagnostics from ISE's perspective:
PING, NSLOOKUP, Traceroute, TCP Dump on ISE itself.

 Troubleshooting Wizards: Wizards for resolving common authentication, profiling issues.

 CLI Console: Using CLI commands for node and service status diagnostics, network connectivity
checks.

Updating and Maintaining ISE

 Backup and Restore:

o Backup Types: Configuration Backup and Operational Backup.

o Restore Procedures: Procedures for restoring configurations or an entire node.

o FTP/SFTP/NFS: Configuring servers for storing backups.

 Software Updates (Patching and Upgrading):

o Update Procedures: Understanding the update sequence in a distributed deployment (ADMIN first, then PSN, MNT).

o Compatibility Requirements: Checking compatibility with NADs and other integrated systems.

 Performance Optimization:

o Node Placement: Proper distribution of node roles for optimal load.

o Resource Monitoring: CPU, RAM, Disk I/O usage.

o Database Tuning: For efficient data storage and retrieval.

Preparation Recommendations (Review and Reinforce):

Your list of recommendations is excellent, but I'll add a few more points based on my own experience
preparing for Cisco exams:

 Official Cisco Documentation: This is your primary source of truth. Study the deployment,
configuration, and troubleshooting guides for Cisco ISE 3.x. Pay special attention to the Cisco ISE
Administration Guide and the Cisco ISE CLI Reference Guide.

 Cisco SISE Training (Official Course): If possible, take the official course. It's designed by Cisco
and precisely matches the exam blueprint. This will help structure your knowledge and provide
access to official labs.

 Lab Work: This is the MOST IMPORTANT point.

o Set up your own virtual lab (VMware ESXi, KVM, EVE-NG, GNS3) with multiple ISE nodes
(at least a PSN and an ADMIN/MNT on one node), a Cisco switch/router (e.g., Cisco
Catalyst 9k, Cisco IOS XE vRouter), a Wi-Fi controller (if possible, a vWLC), and several
clients (Windows, Linux, macOS) with Cisco AnyConnect installed.

o Practice configuring all topics:

 Basic deployment and AD integration.

 Configuring all types of authentication (802.1X EAP-TLS, PEAP-MSCHAPv2, MAB).

 Creating and testing guest portals (Self-Registered, Sponsored, CWA).

 Configuring profiling using different probes (DHCP, HTTP, NetFlow) and creating
custom profiles.

 Using dACLs, SGTs/TrustSec.

 Configuring Posture policies with the AnyConnect Posture Module.

 Configuring Device Administration (TACACS+).

 Learning to read Live Logs and authentication details for troubleshooting.

o Simulate various scenarios: Successful authentications, failed ones, quarantine, redirections, and even failures (e.g., one ISE node going down).

 Configuration Examples and Scenarios: Look on Cisco Communities, expert blogs (e.g., CCIE
blogs), and YouTube. Analyze existing configurations and try to replicate them in your lab to
understand Best Practices.

 Regular Knowledge Updates: Cisco ISE evolves rapidly. Subscribe to Cisco Security blogs, follow
announcements of new versions and features, and participate in webinars.

 Understanding Logic: The 300-715 exam doesn't just test command knowledge but also
understanding how ISE makes decisions and why it does so. Learn to read Live Logs and
comprehend the "flow" of authentication/authorization from the client through the NAD to ISE
and back. Pay special attention to how ISE selects an authorization policy based on multiple
attributes.

I hope this extended "selection" helps you dive even deeper into studying Cisco ISE and systematize your
preparation for the 300-715 SISE exam. It's a challenging but very rewarding exam. Good luck with your
studies! If you have any specific questions about any of these topics or lab work, don't hesitate to ask.
