CCNA 200-301, Chapter 226 of 260, Objective 5.3

Cisco ISE Overview

In modern enterprise networks, the perimeter has dissolved—users connect from anywhere, on any device. Cisco ISE (Identity Services Engine) is the central policy engine that enforces access control based on who you are, what device you're using, and how you're connecting. For the CCNA 200-301 exam (objective 5.3), you need to understand ISE's role in a security architecture: it's not just a RADIUS server; it's a policy decision point that integrates with switches, wireless LAN controllers, and VPNs to deliver 802.1X, MAC Authentication Bypass (MAB), and posture assessment. Without ISE, you're managing ACLs by hand—with it, you can dynamically assign VLANs and ACLs based on user identity and device compliance.

Updated May 31, 2026

The Bouncer at a VIP Club

Think of your corporate network as an exclusive nightclub. The club has multiple entrances (wired ports, Wi-Fi, VPN). A bouncer stands at each door—these are your network access devices (switches, WLCs, firewalls). When a guest (user device) arrives, the bouncer doesn't just let them in; they first check ID. The bouncer radios the club's central security office (Cisco ISE) to verify the guest's identity and check if they're on the VIP list or have a criminal record. The security office has a database of all members and their privileges: VIPs get backstage access (corporate VLAN), regular members get the main floor (guest VLAN), and banned individuals get thrown out (denied access). But ISE does more than just identity checks—it also inspects the guest's behavior: Are they wearing the right dress code? (Is their antivirus up-to-date? Are they using a corporate device?) If not, the bouncer might redirect them to a 'remediation room' (quarantine VLAN) where they can fix the issue before entering. The club's door policy (ISE policy set) defines rules like 'If guest is an employee AND device is compliant, permit; else, quarantine.' This is exactly how ISE works: it receives RADIUS requests from network devices, evaluates policy, and returns an access decision—typically a VLAN assignment or downloadable ACL (dACL). The bouncer doesn't think; it just enforces the central office's instructions. This separation of policy decision (ISE) from policy enforcement (switch/AP) is the core of software-defined access.

How It Actually Works

What is Cisco ISE?

Cisco Identity Services Engine (ISE) is a policy-based network access control (NAC) platform that centralizes authentication, authorization, and accounting (AAA) for wired, wireless, and VPN connections. It replaces legacy RADIUS/TACACS+ servers with a context-aware policy engine that can evaluate identity (username, AD group), device posture (OS, antivirus status), location (switch port, SSID), and time of day. On the CCNA exam, ISE is the primary tool for implementing 802.1X-based network access control.

ISE Architecture Components

ISE runs as a virtual or physical appliance. A single node can run every function, but redundant deployments split the functions (Cisco calls them personas) across separate nodes: Administration, Policy Service, and Monitoring. The key logical components are:

Policy Service Node (PSN): Handles RADIUS requests, performs authentication, and applies authorization policies. This is the node that network devices communicate with.

Administration Node (PAN): Provides the web GUI, manages policy configuration, and pushes changes to PSNs.

Monitoring Node (MNT): Collects logs and accounting data; provides reporting and troubleshooting.

For CCNA, you only need to know that ISE acts as a RADIUS server and policy decision point. The network device (switch, WLC) acts as a RADIUS client (Network Access Device - NAD) that forwards authentication requests to ISE.

How ISE Works: Authentication and Authorization Flow

The process follows the 802.1X standard (Extensible Authentication Protocol over LAN - EAPoL):

1. Supplicant (user device) connects to a switch port. The switch detects the link up and sends an EAP-Request/Identity frame.

2. Supplicant responds with an EAP-Response/Identity (e.g., username).

3. Switch (authenticator) encapsulates the EAP message in a RADIUS Access-Request packet and sends it to ISE.

4. ISE (authentication server) checks the identity against its identity store (Active Directory, internal database, LDAP). Through the negotiated EAP method (EAP-MSCHAPv2 inside PEAP, or EAP-TLS) it challenges the supplicant for a password or certificate; the switch relays these EAP messages inside RADIUS Access-Challenge and Access-Request packets without interpreting them.

5. After successful authentication, ISE sends a RADIUS Access-Accept packet containing authorization attributes: VLAN ID, dACL reference, session timeout, etc.

6. Switch applies the attributes: places the port in the specified VLAN, applies the ACL, and allows traffic.

Key Protocols and Standards

RADIUS: UDP-based (ports 1812 for authentication, 1813 for accounting; older Cisco IOS configurations default to the legacy 1645/1646, so the ports must match on both sides). ISE is the server; the network device is the client. RADIUS packets carry AV pairs (Attribute-Value pairs) for authorization. RADIUS itself hides only the User-Password attribute; the rest of the packet is in the clear, and the shared secret is what authenticates the exchange, which is why a mismatched secret makes the switch discard ISE's replies.

802.1X: Port-based access control standard. Defines EAPoL (EAP over LAN) for communication between supplicant and authenticator.

EAP (Extensible Authentication Protocol): A framework for multiple authentication methods. Common methods: EAP-MSCHAPv2 (password-based, normally carried inside PEAP), EAP-TLS (certificate-based, mutual authentication), PEAP (a TLS tunnel built on the server's certificate that protects an inner method such as EAP-MSCHAPv2).

MAC Authentication Bypass (MAB): Fallback when the device does not support 802.1X. The switch sends the MAC address as the username/password in a RADIUS request.

Policy Sets and Rules

ISE uses a hierarchical policy model:

Policy Sets: Top-level containers that group conditions and rules. Each set can match on attributes like device type, location, or time.

Authentication Policy: Determines which identity store to use and which EAP method to allow.

Authorization Policy: After authentication, evaluates conditions (user group, device compliance) to return a result (permit with VLAN, deny, quarantine).

Example authorization rule: If AD group = "Network_Admins" AND device compliance = "Compliant", then permit with VLAN 100 and dACL "Full_Access".
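ISE evaluates authorization rules top-down and stops at the first match, so the order of rules is part of the policy. The following added Python example (not ISE code or its API) models a policy set's authorization rules as ordered condition/profile pairs. It shows how a broad "Employees" rule placed above the posture rule grants a non-compliant laptop full access, how moving the specific rule first fixes it, and how to flag rules that never win for a sample of sessions. Group names, VLANs, dACL names and the sample sessions are constructed for the example.

```python
"""Top-down, first-match authorization policy evaluation (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Session:
    """Context ISE holds about an authenticated session (attribute names are illustrative)."""
    user: str
    ad_groups: FrozenSet[str]
    posture: str          # "Compliant", "NonCompliant" or "Unknown" (no posture agent yet)
    method: str           # "dot1x" or "mab"


@dataclass
class Rule:
    """One authorization rule: a condition and the authorization profile it returns."""
    name: str
    condition: Callable[[Session], bool]
    profile: Dict[str, str]


# Authorization profiles: what ends up in the RADIUS Access-Accept (or a Reject).
FULL_ACCESS = {"access": "accept", "vlan": "100", "dacl": "Full_Access"}
QUARANTINE = {"access": "accept", "vlan": "999", "dacl": "Remediation_Only"}
PRINTER = {"access": "accept", "vlan": "200", "dacl": "Print_Only"}
DENY = {"access": "reject"}


def is_employee(s: Session) -> bool:
    return "Employees" in s.ad_groups


def noncompliant_employee(s: Session) -> bool:
    return is_employee(s) and s.posture != "Compliant"


def compliant_employee(s: Session) -> bool:
    return is_employee(s) and s.posture == "Compliant"


def printer_via_mab(s: Session) -> bool:
    # In real ISE this would be an endpoint identity group, not an AD group.
    return s.method == "mab" and "Printers" in s.ad_groups


def evaluate(rules: List[Rule], session: Session) -> Tuple[str, Dict[str, str]]:
    """First rule whose condition holds wins; rules below it are never consulted."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.profile
    return "Default", DENY


def shadowed_rules(rules: List[Rule], samples: List[Session]) -> List[str]:
    """Rules that never win for any sample session: usually shadowed by a broader rule above."""
    winners = {evaluate(rules, s)[0] for s in samples}
    return [r.name for r in rules if r.name not in winners]


# Misordered: the broad Employees rule sits above the posture check and shadows it.
MISORDERED = [
    Rule("Employees", is_employee, FULL_ACCESS),
    Rule("Non-Compliant", noncompliant_employee, QUARANTINE),
    Rule("Printers", printer_via_mab, PRINTER),
]

# Corrected: specific conditions first, the broad permit last, default deny at the bottom.
CORRECTED = [
    Rule("Printers", printer_via_mab, PRINTER),
    Rule("Non-Compliant", noncompliant_employee, QUARANTINE),
    Rule("Employees", compliant_employee, FULL_ACCESS),
]

# Constructed sample sessions.
ALICE = Session("alice", frozenset({"Employees"}), "Compliant", "dot1x")
BOB = Session("bob", frozenset({"Employees"}), "NonCompliant", "dot1x")
PRINTER01 = Session("0050.7966.6801", frozenset({"Printers"}), "Unknown", "mab")
MALLORY = Session("mallory", frozenset(), "Unknown", "dot1x")
SAMPLES = [ALICE, BOB, PRINTER01, MALLORY]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, "bob ->", evaluate(rules, BOB)[0], "shadowed:", shadowed_rules(rules, SAMPLES))
```

Running the block shows bob, whose laptop failed posture, landing on Full_Access under the misordered set and on Remediation_Only under the corrected one; the shadowed_rules check is the kind of review worth doing on a real policy set before enabling enforcement.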

Downloadable ACLs (dACLs)

A downloadable ACL is defined on ISE, not on the switch. The RADIUS Access-Accept carries a Cisco vendor-specific attribute (cisco-av-pair) that references the dACL by name and version; the switch then sends a follow-up RADIUS request to download the ACL entries and applies them to that session. This is different from the standard Filter-ID attribute, which only names an ACL that must already be configured on the switch. Either way the ACL is applied per session, not per port, allowing dynamic per-user access control.
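To make the attribute-level detail concrete, here is an added Python example (not code from this page, Cisco or ISE) that builds the Access-Accept a switch would receive for a rule like the one above, then plays the switch's side: it recomputes the Response Authenticator with its own shared secret, discards the packet if the secrets differ, and otherwise decodes the VLAN and the dACL reference. The packet layout follows RFC 2865/2868 and the cisco-av-pair vendor format; the dACL hash suffix, secrets and identifiers are constructed, and the simulation deliberately omits UDP transport, the Access-Request and the follow-up dACL download.

```python
"""Build and validate a RADIUS Access-Accept the way a switch would (constructed example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2

# Attribute type numbers from RFC 2865 (Filter-Id, Vendor-Specific) and RFC 2868 (Tunnel-*).
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor type of the cisco-av-pair string attribute


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type (1) | Length (1, counts the 2 header bytes) | Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1 tag byte followed by a 3-byte big-endian value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Cisco's vendor id and a cisco-av-pair string."""
    vsa = attr(CISCO_AVPAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def vlan_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a switch needs for dynamic VLAN assignment."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAD side: recompute the Response Authenticator with the locally configured secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list and return (type, value) pairs; rejects truncated attributes."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out


def decode_authorization(packet: bytes) -> Dict[str, Optional[str]]:
    """Extract what the switch acts on: VLAN, dACL reference (cisco-av-pair) and Filter-Id."""
    result: Dict[str, Optional[str]] = {"vlan": None, "dacl": None, "filter_id": None}
    for atype, value in parse_attrs(packet[20:]):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte below 0x20 is an RFC 2868 tag, not part of the VLAN string.
            result["vlan"] = (value[1:] if value[0] < 0x20 else value).decode()
        elif atype == FILTER_ID:
            result["filter_id"] = value.decode()
        elif atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            avpair = value[6:].decode()   # skip vendor id (4) and vendor type/length (2)
            if avpair.startswith("ACS:CiscoSecure-Defined-ACL="):
                result["dacl"] = avpair.split("=", 1)[1]
    return result


def simulate(secret_on_ise: bytes, secret_on_switch: bytes,
             filter_id: Optional[str] = None) -> Dict[str, Optional[str]]:
    """One round trip: ISE builds the Accept, the switch validates and decodes it."""
    request_auth = os.urandom(16)            # copied from the switch's Access-Request
    attrs = vlan_attrs(100) + cisco_avpair(
        "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Full_Access-5f3a1c")   # hash suffix constructed
    if filter_id:
        attrs += attr(FILTER_ID, filter_id.encode())   # names an ACL already on the switch
    packet = build_access_accept(0x2A, request_auth, attrs, secret_on_ise)
    if not verify_response(packet, request_auth, secret_on_switch):
        # A real switch logs an authenticator mismatch and ignores the reply; the port stays unauthorized.
        return {"accepted": "no"}
    return {"accepted": "yes", **decode_authorization(packet)}


if __name__ == "__main__":
    print(simulate(b"MySecretKey", b"MySecretKey"))
    print(simulate(b"MySecretKey", b"MySecretKey", filter_id="Guest_ACL"))
    print(simulate(b"MySecretKey", b"wrongsecret"))
```

The third call in the usage block is the mismatched-shared-secret case described later on this page: ISE does answer, but the switch cannot validate the reply, so from the switch's side the server simply appears not to respond.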

ISE Integration with Active Directory

ISE can join an Active Directory domain to authenticate users. It uses Kerberos or LDAP to verify credentials and can retrieve user group memberships for authorization policies. For CCNA, understand that ISE consults AD as an external identity store; it does not replace AD.

Verification Commands

On the network device (switch), use these commands to verify ISE integration:

show authentication sessions
show dot1x all summary
show radius server-group
show aaa servers

Example output for show authentication sessions:

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/1    0050.7966.6800  dot1x    DATA     Authz Success  0A0B0C0D00000001

On ISE, use the live logs (Operations > RADIUS > Live Logs) to see authentication attempts and policy results.
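As an added example (not code from this page), the following Python parses the fixed-width output of show authentication sessions using the header's column offsets, which is what keeps a two-word status such as Authz Success from being split in half, and summarizes the sessions by status and by method. The sample output is constructed in the classic IOS format shown above; real output varies by platform and IBNS version, so check the header of your own switch before relying on it.

```python
"""Parse fixed-width 'show authentication sessions' output (constructed sample)."""
import re
from typing import Dict, List

# Constructed sample in the classic IOS layout. 'Running' and 'Authz Failed' are
# other status values the command reports besides 'Authz Success'.
SAMPLE_OUTPUT = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/1    0050.7966.6800  dot1x    DATA     Authz Success  0A0B0C0D00000001
Gi1/0/2    0050.7966.6801  mab      DATA     Authz Success  0A0B0C0D00000002
Gi1/0/3    0050.7966.6802  dot1x    UNKNOWN  Running        0A0B0C0D00000003
Gi1/0/4    0050.7966.6803  mab      DATA     Authz Failed   0A0B0C0D00000004
"""


def column_starts(header: str) -> List[int]:
    """Offsets where each header label starts; labels are separated by two or more spaces."""
    return [m.start() for m in re.finditer(r"\S+(?: \S+)*", header)]


def parse_sessions(output: str) -> List[Dict[str, str]]:
    """Slice every row at the header's column boundaries and return one dict per session."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    starts = column_starts(header)
    bounds = list(zip(starts, starts[1:] + [None]))      # last column runs to end of line
    names = [header[s:e].strip() for s, e in bounds]
    return [dict(zip(names, [row[s:e].strip() for s, e in bounds])) for row in rows]


def summarize(sessions: List[Dict[str, str]]) -> Dict[str, object]:
    """Count sessions per status and list ports that are authorized on MAC address alone."""
    by_status: Dict[str, int] = {}
    for s in sessions:
        by_status[s["Status"]] = by_status.get(s["Status"], 0) + 1
    # MAB-authorized ports trust only a MAC address, so they deserve a second look.
    mab_authorized = [s["Interface"] for s in sessions
                      if s["Method"] == "mab" and s["Status"] == "Authz Success"]
    failed = [s["Interface"] for s in sessions if s["Status"] == "Authz Failed"]
    return {"by_status": by_status, "mab_authorized": mab_authorized, "failed": failed}


if __name__ == "__main__":
    for session in parse_sessions(SAMPLE_OUTPUT):
        print(session["Interface"], session["Method"], session["Status"])
    print(summarize(parse_sessions(SAMPLE_OUTPUT)))
```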

Interaction with Related Technologies

802.1X and MAB: ISE can fall back from 802.1X to MAB if the supplicant does not respond. The switch, not ISE, decides when to fall back: once its EAP-Request/Identity frames have gone unanswered for the configured tx-period and retry count, it sends the endpoint's MAC address to ISE as a MAB request instead.

Flexible Authentication Ordering: The switch can try multiple authentication methods (e.g., dot1x first, then MAB). ISE receives the request based on the method used.

TrustSec: ISE can assign Security Group Tags (SGTs) via RADIUS, enabling Cisco TrustSec for micro-segmentation. CCNA may touch on SGTs but not in depth.

Common Defaults and Timers

RADIUS timeout: Default 5 seconds on Cisco switches.

RADIUS retransmit count: Default 3.

802.1X reauthentication period: Default 3600 seconds (1 hour).

EAPoL tx-period: Default 30 seconds between EAP-Request/Identity retransmissions; with the default max-reauth-req of 2, a port without a supplicant waits 90 seconds (3 × 30) before falling back to MAB.

Exam Tip

Know that ISE is not just a RADIUS server—it is a policy decision point that can enforce dynamic VLAN assignment, dACLs, and posture policies. The exam focuses on the AAA flow: authentication (who you are), authorization (what you can do), and accounting (what you did). Be able to identify the roles of supplicant, authenticator, and authentication server in a given scenario.

Walk-Through

1. Configure RADIUS on Switch

First, configure the switch to communicate with ISE as a RADIUS server. `aaa new-model` enables AAA and must come first. `radius server ISE` defines the server: specify the IP address of the ISE PSN, the ports, and the shared secret key. `aaa authentication dot1x default group radius` tells the switch to use RADIUS for 802.1X authentication; the authorization line lets the switch apply the VLAN and ACL attributes ISE returns, and the accounting line reports session start and stop to ISE. Example:

```
aaa new-model
!
radius server ISE
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key MySecretKey
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
```

2. Enable 802.1X on Switch Port

802.1X must be enabled globally with `dot1x system-auth-control` before any port will authenticate. On the interface that connects to the endpoint, `dot1x pae authenticator` sets the port as an 802.1X authenticator and `authentication port-control auto` makes the port start authentication when a device connects. Optionally configure a fallback method like MAB: `mab` enables it on the interface, `authentication order dot1x mab` sets the order in which the methods are tried, and `authentication priority dot1x mab` keeps 802.1X preferred if a supplicant appears after MAB has already succeeded. Example:

```
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
```

3. Configure ISE as RADIUS Client

On ISE, add the switch as a network access device (NAD). Navigate to Administration > Network Resources > Network Devices. Click Add, enter the switch name and IP address. Under RADIUS Authentication Settings, enter the shared secret key (must match the switch). Optionally set the device type and location for policy conditions. This step registers the switch so ISE trusts RADIUS requests from it. Requests from an IP address ISE does not know are dropped without a reply: the switch sees only a timeout, while the ISE Live Logs record the request as coming from an unknown network device.

4. Create Identity Source and User

ISE needs to know who the users are. For testing, you can create internal users: Administration > Identity Management > Users > Add. Enter a username and password. Alternatively, join ISE to Active Directory for enterprise use. For CCNA, understand that ISE can authenticate against the internal database, AD, LDAP, or RSA SecurID. The authentication policy determines which identity store to use.

5. Define Authentication and Authorization Policies

Configure policy sets in ISE: Policy > Policy Sets. Create a new policy set with a condition like `Device Type equals Cisco` or `Location equals HQ`. Inside, set the authentication policy to use the internal user database or AD. Then create authorization rules: e.g., if user group equals 'Employees' and device compliance equals 'Compliant', then permit with VLAN 100 and dACL 'Full_Access'. The rule's result is an authorization profile that ISE translates into RADIUS attributes: `Tunnel-Type`, `Tunnel-Medium-Type` and `Tunnel-Private-Group-ID` for the VLAN, and a Cisco `cisco-av-pair` referencing the dACL (use `Filter-ID` instead only when you want to name an ACL that is already configured on the switch).

6. Verify Authentication and Authorization

Connect a client device to the configured switch port. On the switch, use `show authentication sessions` to see the session status and look for 'Authz Success'; `show authentication sessions interface GigabitEthernet1/0/1 details` shows the VLAN and ACL actually applied to that session. Use `show dot1x all summary` to see 802.1X details. On ISE, go to Operations > RADIUS > Live Logs. You should see an Access-Accept entry with the user details and authorization attributes. If the result is Access-Reject, check the username/password or policy conditions. Common issues: wrong shared secret, missing NAD definition, or policy not matching.

What This Looks Like on the Job

In a typical enterprise deployment, ISE sits at the heart of network access control. Consider a university campus with thousands of students, faculty, and guests. The network has wired ports in dorms, classrooms, and offices, plus a campus-wide Wi-Fi. Without ISE, managing VLAN assignments would be a nightmare—each port would need static VLAN configuration, and guests would have no segregated access. With ISE, the network access devices (switches and WLCs) are configured with 802.1X and MAB. When a student plugs in their laptop, the switch sends a RADIUS request to ISE. ISE checks the user's identity against Active Directory (joined to the university's domain) and also checks the device's posture via the Cisco AnyConnect client (posture agent). If the laptop has up-to-date antivirus and OS patches, ISE returns an Access-Accept with VLAN 10 (student network) and a dACL that permits only educational services. If the device fails posture, ISE sends the port to a quarantine VLAN with limited access to remediation servers. A guest connecting to Wi-Fi uses a captive portal: ISE redirects the guest to a web page where they accept terms and receive a guest account. ISE then authenticates via MAB (MAC address) or a temporary username and assigns a guest VLAN with internet-only access.

Another scenario is a healthcare organization with strict regulatory requirements (HIPAA). ISE enforces that only authorized personnel can access the medical records network. A doctor using a hospital-issued tablet with a certificate (EAP-TLS) is authenticated and placed in the 'medical devices' VLAN with access to the EMR system. A personal phone attempting to connect is denied or placed in a guest VLAN. ISE also integrates with MDM (Mobile Device Management) to check device compliance before granting access.

Common scale considerations: A single ISE PSN can handle thousands of concurrent sessions. For large deployments (50,000+ endpoints), multiple PSNs are deployed behind a load balancer. Misconfiguration often leads to authentication failures: the most common mistake is mismatched shared secrets between the switch and ISE. Another is incorrect policy ordering—ISE evaluates rules top-down, so a broad permit rule before a specific deny rule can cause unintended access. Also, forgetting to add the switch as a network device in ISE will cause all requests to be dropped. In production, always test with a single port before rolling out globally.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 5.3 covers 'Cisco ISE Overview'. The exam expects you to understand ISE's role in a security architecture, not detailed configuration or troubleshooting. Focus on the AAA framework and how ISE functions as a policy decision point. Key points:

1. ISE is the authentication server in 802.1X: Know the roles: supplicant (client), authenticator (switch/AP), authentication server (ISE). Be able to identify which device performs which role.

2. RADIUS attributes: ISE uses RADIUS AV pairs to send authorization. Common attributes: Tunnel-Private-Group-ID (VLAN ID, sent together with Tunnel-Type=VLAN and Tunnel-Medium-Type=802), the Cisco cisco-av-pair vendor attribute (dACL reference), Filter-ID (name of an ACL already configured on the switch), Session-Timeout. The exam may ask which attribute is used for VLAN assignment.

3. MAB vs. 802.1X: Understand that MAB is used for devices that don't support 802.1X (printers, IoT). The switch sends the MAC address as credentials. ISE can authenticate MAB requests using an endpoint identity store.

4. Common wrong answers:

Thinking ISE is a firewall or VPN concentrator. It is not; it is a policy engine.

Confusing ISE with Cisco ACS (Access Control Server). ISE is the modern replacement; ACS is legacy.

Believing ISE must be inline with traffic. ISE is out-of-band: it receives RADIUS packets (and serves web portals to clients the switch redirects to it), but user data traffic never passes through it.

Assuming ISE can enforce policies without network device cooperation. The switch must be configured as a RADIUS client of ISE and to apply the attributes ISE returns.

5. Decision rule: In scenario questions, if the question mentions 'centralized policy', 'dynamic VLAN assignment', or 'identity-based access', the answer likely involves ISE. If the question is about firewall rules, think ASA/Firepower. If about VPN, think AnyConnect.

6. Specific values: RADIUS ports 1812/1813; default RADIUS timeout 5 seconds with 3 retransmits; EAPoL tx-period 30 seconds. These may appear in troubleshooting questions.

7. Command outputs: Be able to interpret show authentication sessions output to determine if authentication succeeded. Look for 'Authz Success' or 'Authz Failed'.

8. Trap: A question might describe a scenario where a user can authenticate but not access resources. The likely cause is an incorrect authorization policy or dACL, not an authentication failure.

Key Takeaways

ISE is a policy decision point (PDP) that centralizes AAA for network access.

RADIUS is the protocol used between network devices (authenticators) and ISE (authentication server).

RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting).

802.1X defines three roles: supplicant, authenticator, authentication server.

MAC Authentication Bypass (MAB) uses the device MAC address as credentials for non-802.1X-capable devices.

ISE can assign dynamic VLANs via the RADIUS attributes Tunnel-Type (VLAN), Tunnel-Medium-Type (802) and Tunnel-Private-Group-ID (the VLAN ID or name).

Downloadable ACLs (dACLs) are referenced in a Cisco cisco-av-pair attribute and downloaded from ISE for per-session access control; Filter-ID instead names an ACL that is already configured on the switch.

ISE policies are evaluated top-down; first match applies.

Common misconfiguration: mismatched RADIUS shared secret between switch and ISE.

ISE can integrate with Active Directory for user authentication and group membership.

Posture assessment (via AnyConnect) checks device compliance (antivirus, OS patches) before granting access.

The switch command 'show authentication sessions' displays the current authentication state and authorization result.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

802.1X

Uses EAP over LAN (EAPoL) for authentication

Requires supplicant software on the client

Supports multiple EAP methods (MSCHAPv2, TLS, PEAP)

Can provide mutual authentication: the supplicant validates the server's certificate (EAP-TLS, PEAP) and the server validates the client's certificate or password

More secure; resistant to MAC spoofing

MAC Authentication Bypass (MAB)

Uses MAC address as username and password

No client software required; works with any device

Only one method: MAC address lookup

No mutual authentication; server only verifies MAC

Less secure; MAC addresses can be spoofed

Watch Out for These

Mistake

ISE is a firewall that inspects all network traffic.

Correct

ISE is an out-of-band policy server. It receives RADIUS packets from the network devices and, for clients the switch or WLC redirects to it, serves the web portal and posture checks, but user data traffic never passes through it; the network devices enforce the policies ISE sends.

Candidates confuse policy decision with policy enforcement, thinking ISE must see all traffic to control access.

Mistake

ISE can authenticate users without any configuration on the switch.

Correct

The switch must be configured as a RADIUS client with the ISE IP and shared secret, and 802.1X must be enabled on the port. Without these, the switch will not send RADIUS requests.

Candidates assume ISE is a 'plug-and-play' solution, but it requires network device integration.

Mistake

MAB is more secure than 802.1X because it uses the MAC address.

Correct

MAB is less secure because MAC addresses can be spoofed. 802.1X with EAP-TLS (certificates) is the strongest method.

Candidates think MAC addresses are unique and immutable, but they are easily changed in software.

Mistake

ISE requires a separate appliance for each function (PAN, PSN, MNT).

Correct

In small deployments, all three roles can run on a single node. In larger environments, they are distributed for scalability.

Candidates overcomplicate the architecture; the exam expects you to know the functions, not the deployment models.


Frequently Asked Questions

What is the difference between ISE and a RADIUS server?

ISE is a RADIUS server, but it is much more. A basic RADIUS server can authenticate users and return static attributes like VLAN. ISE adds policy-based context: it can evaluate identity, device posture, location, and time to make dynamic decisions. ISE also integrates with Active Directory, provides guest management, and supports downloadable ACLs and Security Group Tags. For CCNA, think of ISE as a 'smart' RADIUS server that can change its response based on conditions. Exam tip: If a question mentions 'policy-based access control' or 'context-aware', the answer is ISE, not a generic RADIUS server.

Can ISE be used for TACACS+ authentication?

Yes, ISE supports TACACS+ for device administration (e.g., authenticating administrators logging into switches and routers). However, the CCNA exam focuses on RADIUS for network access (user authentication). TACACS+ is used for administrative access and is not in scope for objective 5.3. Keep them separate: RADIUS for user network access, TACACS+ for admin device access.

What is a downloadable ACL (dACL) and how does it work with ISE?

A dACL is an access control list that is defined on ISE and pushed to the network device (switch) as part of the authorization result. Instead of configuring ACLs manually on every switch, you write the ACL on ISE and reference it in an authorization profile. ISE's RADIUS Access-Accept carries a Cisco vendor-specific cisco-av-pair that references the dACL by name and version; the switch then downloads the ACL entries from ISE with a follow-up RADIUS request and applies them to the session. The standard Filter-ID attribute is different: it only names an ACL that must already exist in the switch configuration. dACLs are per-session, so each user can have a unique ACL. Exam tip: Know that a dACL is downloaded from ISE, and that with Filter-ID the switch must have the ACL defined locally.

What is the default RADIUS timeout on a Cisco switch?

The default RADIUS timeout on Cisco switches is 5 seconds. This is the time the switch waits for a response from the RADIUS server before retransmitting. The default retransmit count is 3. So the total wait time before giving up is 20 seconds (5 seconds x 4 attempts). If ISE is slow or unreachable, authentication will fail after this timeout. You can adjust these with 'timeout' and 'retransmit' under the RADIUS server configuration. Exam tip: These values may appear in troubleshooting questions where authentication fails due to timeout.

How does ISE handle guest access?

ISE provides a guest management system. When a guest connects to a wireless SSID or wired port configured for guest access, ISE can redirect the guest to a captive portal web page. The guest can self-register (enter email, accept terms) or be issued a temporary username/password by a sponsor. After authentication, ISE assigns the guest to a limited-access VLAN with internet-only access. The guest's MAC address is stored in the endpoint identity store. For CCNA, understand that ISE can act as a captive portal and manage guest accounts, but detailed configuration is beyond scope.

What is the difference between authentication and authorization in ISE?

Authentication is the process of verifying the identity of the user or device (e.g., checking username/password against AD). Authorization is the process of determining what access the authenticated entity should have (e.g., which VLAN, which ACL). In ISE, these are separate policies. Authentication policy defines which identity store to use and which EAP methods are allowed. Authorization policy defines conditions (user group, device compliance) and results (VLAN, dACL). A user can authenticate successfully but be denied access if authorization fails (e.g., no matching rule). Exam tip: The exam often tests this distinction—know that 'Authc' is identity, 'Authz' is permissions.

Can ISE be deployed in the cloud?

As of CCNA 200-301, ISE is primarily an on-premises appliance (physical or virtual); recent releases can also be installed on public-cloud infrastructure, but that is not covered in the exam. For the exam, assume ISE is deployed in the data center. The network devices (switches, WLCs) must have IP reachability to the ISE PSN. Latency and reliability are important; RADIUS is UDP-based, so packet loss can cause timeouts.

