Cisco Identity Services Engine Interview Questions

Question
What are the main functionalities of Cisco ISE?
Answer
Cisco ISE is an extension of the Access Control System (ACS). It does AAA functions (Authentication, Authorization and Accounting) like ACS. Apart from that, it does Profiling (device type classification) and Posturing (endpoint compliance check). Also we can monitor, troubleshoot and get reports on day-to-day AAA transactions, and using that we can take proactive governance decisions on securing networks. It is a combination of ACS + NAC servers.
 
Question
Brief us about profiling and posturing, as this seems to be a new feature in Cisco ISE?
 
Answer
Yes. Profiler Services in ISE help to identify and determine the types and capabilities of all endpoints in the network. It has an inbuilt database of device types like Windows, Apple etc. and classifies them accordingly. For example, if we want to apply a specific policy only to Blackberry devices, we can do it using this Profiling function. Posture Services: once a device (e.g. Windows) is connected to the network, ISE does a compliance check, such as whether Antivirus and Antispyware are up to date or not. Endpoints which satisfy the compliance policies will be allowed to access the respective network resources.
 
Question
In what ways can ISE be deployed, and what makes ISE different from ACS?
Answer
ISE can be deployed Standalone or in a distributed way.
Standalone: A single ISE node does all AAA functionality. Suitable for a small business environment.
Distributed: Here ISE nodes can be used for specific functions.
1) Administration Node: to define policies and perform other administrative tasks
2) Monitoring Node: to collect AAA logs (log collector)
3) Policy Services Node: it does the actual AAA functions, and endpoints should contact this node.
ACS does only AAA functions, whereas ISE does AAA as well as NAC functions, which helps to have a one-box solution for AAA, Profiler and Posture.
 
Question
What is the major difference between Cisco ISE and a RADIUS server?
 
Answer
Cisco ISE itself is a RADIUS server, but we have many more features on it. As I said, we can also use it for profiling the endpoints and posturing them, and then enforce policies based on the requirement. ISE allows enterprises to gather real-time contextual information from networks, users and devices in a very efficient way.
 
Question
How is posturing tested on clients or endpoints?
Answer
Once authentication is completed, the client will get redirected to the Client Provisioning Portal, where the Cisco NAC (Network Access Control) agent will get downloaded. That NAC agent will check whether Antivirus is installed, what the version is, when it was last updated, etc. Then it will send the information back to ISE, and based on the policies defined on ISE it will allow/deny access.
 
Question
What are the benefits of Cisco ISE?
Answer
Centralized Policy, RADIUS Server, Posture Assessment, Guest Access Services, Device Profiling, Mobile device compliance check (with MDM), Monitoring, Troubleshooting, Reporting
 
Question
What is the major difference between ISE and a RADIUS server?
 
Answer
Already answered above for the same question.
 
Question
If I am an existing Identity Services Engine customer, will I need to buy a new Cisco Secure Network Server in order to upgrade to ISE Release 1.2?
 
Answer
If you are using SNS 3415 or 3495, you can directly upgrade it to 1.2.0. For your information, we have 1.3 released as the latest, which has enhanced Guest Access features.
 
Question
Does ISE support both TACACS and RADIUS?
Answer
Unfortunately NO. As of now it supports only RADIUS. But as per Cisco, support for TACACS is on the roadmap and expected to come in the next version, 1.4, next quarter. Yet to be confirmed by Cisco.
 
Question
Will there be any price increases associated with ISE Release 1.2?
 
Answer
Prices will not be increased for ISE.
 
Question
What new features and capabilities are delivered in Cisco® Identity Services Engine Software Release 1.2?
 
Answer
Mainly I can mention MDM integration, Device Feed Services (automatic download of new feed updates and patches), and bootstrap wizards for simplification while configuring it. It's the standard and recommended version by Cisco; I got this information from the Cisco team in my current project.
 
Question
How are mobile phones tested for compliance?
 
Answer
For mobile phone checks, we need to integrate MDM with ISE (it's a separate component) for testing mobile device/tablet compliance, like rooted or jailbroken devices. Based on the information from MDM, ISE takes action against mobile devices. You need 'Advanced' licenses in ISE for this integration.
 
Question
How does Cisco ISE identify which type of endpoint is getting connected to the network? Can you give us an example of an Android device?
Answer
ISE has a database which contains the MAC OUIs of various device types. For example, once an Android device connects to a network, ISE checks its MAC address and looks it up in its database. Once it finds it as Android, ISE checks whether any policies are defined for that specific device and proceeds.
 
Question
Does Cisco ISE support HA? If yes, how can we achieve it?
Answer
Yes, it supports it. For each persona (Admin, Monitoring and Policy Services) we can have an HA box (Admin +1, Monitoring +1 and Policy Services +n).
 
Question
What is the difference between the monitoring node and the administration node?
Answer
The Monitoring Node is for collecting logs from the Admin node, the PSNs and accounting logs, whereas the Administration Node is a console where we can define policies and do all administration functions.
 
Question
What are bootstrap wizards?
 
Answer
The bootstrap wizard provides IT deployment automation, and also simplification when testing ISE in a proof-of-concept network.
 
Question
Can ISE distinguish between corporate and non-corporate users?
 
Answer
Yes, ISE can do that. If their laptop is domain joined and an AD username and password are provided, then it can identify it as a corporate laptop and user.
 
Question
How do we ensure that posture analysis for a remote user is conducted only on domain computers and not on users' personal tablets?
Answer
The first rule should be to identify if the endpoint machine is domain joined, and then we can write Session:PostureStatus EQUALS Compliant. Due to time constraints I could not brief more. Offline I will update you with the policies to be defined.
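The two answers above (the posture flow via the client provisioning portal, and the domain-joined rule that must come before any posture condition) describe a first-match authorization policy. The following is an added example, not Cisco ISE code or the interviewee's policy: it models ISE's top-down, first-match evaluation in plain Python so the ordering pitfall is visible. Session:PostureStatus is the attribute the answer names; the WasMachineAuthenticated attribute, the rule names and the authorization profile names are assumptions, and the session records are constructed.

```python
"""Added example (not Cisco ISE code): a first-match authorization policy that
applies posture only to domain-joined machines. Attribute names other than
Session:PostureStatus, and the authorization profile names, are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]


@dataclass
class Rule:
    name: str
    match: Callable[[Session], bool]   # all conditions of the rule, ANDed
    result: str                        # authorization profile returned to the NAD/ASA


def is_domain_joined(s: Session) -> bool:
    # Assumed attribute: "true" when the machine itself authenticated
    # (e.g. EAP-TLS with a machine certificate); real ISE attribute names differ.
    return s.get("WasMachineAuthenticated", "false").lower() == "true"


def posture(s: Session) -> str:
    # Session:PostureStatus is the attribute named in the answer above.
    return s.get("Session:PostureStatus", "Unknown")


# Correct ordering: the personal-device rule fires first, so a non-domain
# endpoint never reaches a posture rule and is never sent to client provisioning.
AUTHZ_RULES: List[Rule] = [
    Rule("Personal-Device", lambda s: not is_domain_joined(s), "Limited-Access-No-Posture"),
    Rule("Corp-Compliant", lambda s: is_domain_joined(s) and posture(s) == "Compliant", "Full-Access"),
    Rule("Corp-NonCompliant", lambda s: is_domain_joined(s) and posture(s) == "NonCompliant", "Quarantine"),
    Rule("Corp-Posture-Unknown", lambda s: is_domain_joined(s) and posture(s) == "Unknown", "Redirect-Client-Provisioning"),
]

# The pitfall the question is about: a posture rule with no domain-joined
# condition, placed first, drags personal tablets into posture assessment.
NAIVE_RULES: List[Rule] = [
    Rule("Any-Posture-Unknown", lambda s: posture(s) == "Unknown", "Redirect-Client-Provisioning"),
] + AUTHZ_RULES

DEFAULT_RESULT = "DenyAccess"


def authorize(session: Session, rules: List[Rule] = AUTHZ_RULES) -> Tuple[str, str]:
    """Evaluate top-down, first match wins (as ISE authorization policy does)."""
    for rule in rules:
        if rule.match(session):
            return rule.name, rule.result
    return "Default", DEFAULT_RESULT


# Constructed sessions (not captured from a real deployment).
SESSIONS: Dict[str, Session] = {
    "domain_pc_first_connect": {"WasMachineAuthenticated": "true", "Session:PostureStatus": "Unknown"},
    "domain_pc_compliant":     {"WasMachineAuthenticated": "true", "Session:PostureStatus": "Compliant"},
    "domain_pc_av_outdated":   {"WasMachineAuthenticated": "true", "Session:PostureStatus": "NonCompliant"},
    "personal_tablet":         {"WasMachineAuthenticated": "false", "Session:PostureStatus": "Unknown"},
}

if __name__ == "__main__":
    for label, sess in SESSIONS.items():
        print(f"{label:25} -> {authorize(sess)}")
    print("personal_tablet with NAIVE_RULES ->", authorize(SESSIONS["personal_tablet"], NAIVE_RULES))
```

With AUTHZ_RULES the domain PC on first connect is redirected to client provisioning (the agent download step described above), the compliant PC gets full access, the PC with outdated AV is quarantined, and the personal tablet is handled by the first rule without ever being postured. With NAIVE_RULES the same tablet is redirected to client provisioning, which is exactly what the question wants to avoid.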
 
Question
What are the prerequisites to deploy this product?
 
Answer
We have to first decide whether to go for a virtual appliance (so you need VM space) or hardware (SNS 3415 and 3495; we need rack space). Then you need to have the information for basic installation like IP address, subnet mask, etc. Offline I shall update you with all the information.
 
Question
If Cisco ISE identifies it by MAC OUI, a vendor might have Android and Windows phones as well. Will it be a bottleneck if policies are defined for the Android profile and a Windows phone gets connected to the network and Android policies are mapped?
Answer
Each and every vendor has their own "Organizationally Unique Identifier", so ISE will not map a policy to a different device type other than the actual one.
 
Question
Can certificate-based authentication be done for ASA VPN connections when integrated with ISE?
Answer
Yes. ASA authenticates users using digital certificates, whereas ISE does it via RSA SecurID token.
 
Question
Can Cisco ISE SNS appliances be monitored via SNMP traps?
 
Answer
Yes, you can add the Monitoring ISE persona in Cisco Prime to capture the SNMP logs.