3 Replies Latest reply: Feb 21, 2013 9:01 AM by Rohit Pardasani Quad CCIE # 21282

    CCIE Security Version 4 - ISE ISE Baby!

    Anthony Sequeira, CCIE, VCP

      One of the exciting new components of the version 4 CCIE Sec lab is the Identity Services Engine (ISE). It is interesting how many students, and even some instructors, have never even heard of it. In this post, I want to provide a nice high-level look at what this technology from Cisco does. We also want to take a peek at some exam particulars like what exact version are we responsible for knowing, and what tasks are relevant.


      First of all, there are lots of variations on how you can implement this service in your network. Let us be clear on our hardware and software focus for the lab. It is the Cisco ISE 3300 Series Identity Services Engine running 1.1x software.


      What in the world does the ISE accomplish? Its main job is to provide authentication and authorization services for users and/or devices in wired, wireless, and VPN-based network deployments. Does this sound exactly like what the Cisco Access Control Server (ACS) product handles for us already? Yes it does. In fact, the ISE can replace the need for your ACS, NAC, and Profiler servers. Keep in mind that in the CCIE Lab Exam, you still have the ACS in place to ensure you can configure that environment as well.


      What specific use cases can be satisfied with the Cisco ISE? Here are just some:


      • AAA
      • Guest life cycle management
      • Device profiling
      • Endpoint posture
      • TrustSec
      • Monitoring and troubleshooting

      What are the specific tasks with the ISE 3300 series we can expect in the CCIE Lab Exam? We need to be ready to accomplish the following:

      • Configuration and initialization
      • ISE authZ result handling
      • ISE Profiling Configuration (Probes)
      • ISE Guest Services
      • ISE Posture Assessment
      • ISE Client Provisioning (CPP)
      • ISE Configuring AD Integration/Identity Sources
      • ISE support for 802.1x
      • ISE MAB support
      • ISE Web Auth support
      • ISE definition and support for VSAs


      Now if you are like me - this has piqued your interest and you want to read more RIGHT NOW! Here is an awesome starting point for you:


      Overview of Cisco ISE


      Thanks for reading and I hope you enjoyed this blog post!


      Anthony Sequeira


      Twitter: @compsolv

      Facebook: http://www.facebook.com/compsolv

        • 1. Re: CCIE Security Version 4 - ISE ISE Baby!

          One thing to keep in mind is that as of 1.1MR (aka 1.1.1), ISE does not support TACACS+, so you still need to run ACS for that. I am sure you know that, just throwing that out there for folks who are hearing of ISE for the first time in this thread. I do not believe the pending 1.2 release for early next calendar year will have that feature either. 1.2 will feature MDM integration, which is a neat feature. Not likely to see that in the lab any time soon though!


          With the hardware in the lab, I would certainly expect VPN support to be included. Otherwise, it would make more sense to run them in VMs. So, to me, seeing the appliance noted reads as VPN profiling as well.



          I'd be interested to see how far they go with Guest Services, posture assessment and CPP. The rest of the topics for ISE are fairly straightforward.


          If the new CCIE Security labs are written like the R&S track, where you see a subset of the master blueprint per exam, as opposed to every technology per exam, I could see more depth being explored.

          • 2. Re: CCIE Security Version 4 - ISE ISE Baby!
            Steve Means - CCIE #30108

            I know I'm way late in responding to this, but if you've gone through the gold labs it's not a huge deal to turn up a policy that will do simple OS profiling and maybe redirect to CPP. This is actually less complex than, say, something like configuring a router to do multiple SSL VPN portal domains.

            I think this new test is going to be a lot of fun if it includes things like this. So much fun that I kind of want to take the new version! (If someone else pays for it)