ISE

Identity Services Engine policy sets, endpoint profiling, posture assessment, and guest access.

Policy Sets

Create new policy set — top-level container with conditions, authentication, and authorization policies
Policy > Policy Sets > + (top row)
Policy set condition for wired — matches wired connections from switches; NAS-Port-Type alone also matches MAB, so the built-in Wired_802.1X library condition adds Radius:Service-Type EQUALS Framed (Wired_MAB uses Call Check)
Conditions: Radius:NAS-Port-Type EQUALS Ethernet
Match AnyConnect/Secure Client VPN sessions carrying device attributes — the ASA sends device platform, type and MAC as mdm-tlv= values inside cisco-av-pair; MDM enrollment and compliance are separate attributes (MDM:DeviceRegisterStatus, MDM:DeviceCompliantStatus)
Conditions: Cisco:cisco-av-pair CONTAINS mdm-tlv

Authentication & Authorization

EAP-TLS authentication — client presents a certificate, no password; the issuing CA chain must be in the ISE trusted store, and a Certificate Authentication Profile defines which certificate field (CN or SAN) becomes the identity
Authentication Policy > Allowed Protocols: EAP-TLS; Use: Certificate Authentication Profile
Authorization result — combine dACL for filtering, VLAN for segmentation, SGT for TrustSec
Authorization Profile: DACL + VLAN + SGT
Downloadable ACL — stored on ISE, fetched by the switch over RADIUS after the Access-Accept and applied to that session only; the switch rewrites the ACE source "any" to the endpoint's IP, and ACEs are evaluated in order (first match wins)
dACL: permit ip any any        (full access for a compliant session)
dACL: deny ip any any          (quarantine; put specific permits such as DHCP, DNS and remediation servers above it)
Authorization rule — match an identity group (internal user or endpoint groups; for AD users match the join point's ExternalGroups attribute) and assign an authorization profile with the network access level
Authorization: If IdentityGroup=Employees Then PermitAccess

Certificates & Identity

Import CA chain — ISE needs root + intermediate CAs to validate client EAP-TLS certificates
Administration > System > Certificates > Trusted Certificates
Join ISE to Active Directory — enables AD group-based authorization rules; add the groups you intend to match on the join point's Groups tab, otherwise they do not appear in conditions
Administration > Identity Management > External Identity Sources > Active Directory

ERS API

Enable ERS API — External RESTful Services on TCP 9060, disabled by default; callers need an admin account in the ERS Admin (read/write) or ERS Operator (read-only) group
Administration > System > Settings > ERS Settings (API Settings in ISE 3.x)
ERS API: list internal users — returns XML unless you send Accept: application/json; -k disables certificate verification, which exposes the Basic-auth credentials to interception, so use it only in a lab and pass --cacert in production
curl -sku admin:pass https://ise:9060/ers/config/internaluser
ERS API: list network devices — returns switches/APs registered as RADIUS clients
curl -sku admin:pass -H "Accept: application/json" \
  https://ise:9060/ers/config/networkdevice
ERS API: create network device — POST JSON payload to add switch/AP as RADIUS client
curl -sku admin:pass \
  -X POST \
  -H "Content-Type: application/json" \
  -d @device.json \
  https://ise:9060/ers/config/networkdevice
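The three curl calls above leave out two things a practitioner hits immediately: what goes in device.json, and how to get past the first page of a collection (ERS returns at most 100 resources per GET and links the next page). The following is an added example, not code from the page or from Cisco. It builds the create payload, walks SearchResult.nextPage, and verifies ISE's admin certificate against a CA bundle instead of skipping verification as curl -k does. The hostname ise.example.net, the account ers-admin, and the bundle path ise-admin-ca.pem are placeholders; the JSON shapes follow the ERS NetworkDevice and SearchResult resources, and the paged responses used for the offline walk are constructed.

```python
"""Added example (not from the page or Cisco): minimal ERS client showing the
device.json body, collection paging, and verified TLS instead of curl -k.
Placeholders: ise.example.net, ers-admin, ise-admin-ca.pem. SAMPLE_PAGES are
constructed responses so the paging logic runs offline."""
import base64
import json
import ssl
import urllib.request
from typing import Callable, Iterator, List, Optional


def build_network_device(name: str, ip: str, radius_secret: str,
                         tacacs_secret: Optional[str] = None,
                         description: str = "") -> dict:
    """Body for POST /ers/config/networkdevice (what device.json holds).
    mask 32 registers one host; NetworkDeviceGroupList entries are "Group#Path"
    strings, and the two root groups below are the defaults every NAD belongs to."""
    device = {
        "name": name,
        "description": description,
        "authenticationSettings": {
            "networkProtocol": "RADIUS",
            "radiusSharedSecret": radius_secret,
        },
        "NetworkDeviceIPList": [{"ipaddress": ip, "mask": 32}],
        "NetworkDeviceGroupList": ["Location#All Locations",
                                   "Device Type#All Device Types"],
    }
    if tacacs_secret:
        # Device Admin (TACACS+) uses its own secret; omit for RADIUS-only NADs.
        device["tacacsSettings"] = {"sharedSecret": tacacs_secret,
                                    "connectModeOptions": "ON_LEGACY"}
    return {"NetworkDevice": device}


def iter_resources(fetch_json: Callable[[str], dict], url: Optional[str]) -> Iterator[dict]:
    """Follow SearchResult.nextPage.href until the last page. ERS caps a page at
    size=100 (default 20), so one GET never lists a whole fleet."""
    while url:
        result = fetch_json(url)["SearchResult"]
        yield from result.get("resources", [])
        url = result.get("nextPage", {}).get("href")


class ErsClient:
    """Basic-auth ERS client. The account must be in the ERS Admin (or the
    read-only ERS Operator) admin group and ERS must be enabled on the PAN."""

    def __init__(self, host: str, user: str, password: str, ca_bundle: str):
        self.base = f"https://{host}:9060/ers/config"
        # Validate the ISE admin certificate against its issuing CA. This is the
        # check `curl -k` turns off, which hands the credentials to any MITM.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Accept": "application/json",
                        "Content-Type": "application/json",
                        "Authorization": f"Basic {token}"}

    def _call(self, method: str, url: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            raw = resp.read()
            # A successful create returns 201 with an empty body and a Location header.
            return json.loads(raw) if raw else {"location": resp.headers.get("Location")}

    def get(self, url: str) -> dict:
        return self._call("GET", url)

    def list_network_devices(self) -> List[dict]:
        return list(iter_resources(self.get, f"{self.base}/networkdevice?size=100"))

    def create_network_device(self, payload: dict) -> dict:
        return self._call("POST", f"{self.base}/networkdevice", payload)


BASE = "https://ise.example.net:9060/ers/config/networkdevice"
SAMPLE_PAGES = {  # constructed ERS responses, not captured from a real deployment
    f"{BASE}?size=2": {"SearchResult": {"total": 3, "resources": [
        {"id": "c2a1", "name": "sw-access-01"},
        {"id": "c2a2", "name": "sw-access-02"}],
        "nextPage": {"rel": "next", "type": "application/json",
                     "href": f"{BASE}?size=2&page=2"}}},
    f"{BASE}?size=2&page=2": {"SearchResult": {"total": 3, "resources": [
        {"id": "c2a3", "name": "wlc-01"}]}},
}


def demo_device_names() -> List[str]:
    """Offline walk over the constructed pages; returns all three names."""
    return [r["name"] for r in iter_resources(SAMPLE_PAGES.__getitem__, f"{BASE}?size=2")]


if __name__ == "__main__":
    print(json.dumps(build_network_device("sw-access-03", "10.10.1.3", "radius-secret"), indent=2))
    print(demo_device_names())
    # Live use (needs network access and ERS enabled):
    # ise = ErsClient("ise.example.net", "ers-admin", "password", "ise-admin-ca.pem")
    # print([d["name"] for d in ise.list_network_devices()])
```

The list call returns only id/name/link per resource; fetch each resource's `link.href` to see its IP list and secrets settings. Keep the shared secret out of the script and the shell history (read it from an environment variable or a vault) since ERS echoes nothing back but the payload still carries it.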

Operations & Monitoring

Live authentication logs — real-time view of all RADIUS authentications with pass/fail reason
Operations > RADIUS > Live Logs
Detailed auth report — shows full RADIUS attribute exchange, policy matched, failure reason
Operations > RADIUS > Live Logs > (click detail icon)
Historical RADIUS report — searchable, filterable, export to CSV for analysis
Operations > Reports > Endpoints and Users > RADIUS Authentications
Endpoint profiling — ISE fingerprints devices from DHCP, HTTP, SNMP, RADIUS, DNS and NetFlow attributes collected by probes enabled per PSN (Administration > System > Deployment); the profiling policies map those attributes to endpoint identity groups
Work Centers > Profiler > Profiling Policies
Posture conditions — check AV, patch level, disk encryption and more; evaluated by the ISE Posture agent (Secure Client/AnyConnect or the Temporal Agent) after authentication, so the authorization policy must first grant limited access and then match Session:PostureStatus EQUALS Compliant for full access
Work Centers > Posture > Policy Elements > Conditions
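The RADIUS Authentications report above exports to CSV, and a few minutes with it separate misconfigured devices from hostile ones. This is an added example, not from the page, that triages such an export: top failure reasons, endpoints that fail with several different usernames (credential guessing), a NAS whose every request fails with 11036 (a shared-secret mismatch, not a user problem), and EAP-TLS clients rejected with 12514 because their CA is not in the trusted store. SAMPLE_CSV is constructed for the example; its header mirrors the Live Logs columns, but real exports differ by release, so check your file's header before reusing the column names.

```python
"""Added example (not from the page): triage of a RADIUS Authentications
report exported from ISE as CSV. SAMPLE_CSV is constructed; the column names
mirror the Live Logs columns but real exports differ by release."""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE_CSV = """\
Logged At,Status,Endpoint ID,Identity,NAS IP Address,Authentication Policy,Failure Reason
2024-05-01 08:00:01,Pass,AA:BB:CC:00:00:01,jdoe,10.10.1.2,Wired >> Dot1X,
2024-05-01 08:00:04,Fail,AA:BB:CC:00:00:02,printer-7,10.10.1.2,Wired >> MAB,22056 Subject not found in the applicable identity store(s)
2024-05-01 08:00:09,Fail,AA:BB:CC:00:00:03,asmith,10.10.1.3,Wired >> Dot1X,12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
2024-05-01 08:00:12,Fail,AA:BB:CC:00:00:04,admin,10.10.1.9,Wired >> Dot1X,22040 Wrong password or invalid shared secret
2024-05-01 08:00:13,Fail,AA:BB:CC:00:00:04,administrator,10.10.1.9,Wired >> Dot1X,22040 Wrong password or invalid shared secret
2024-05-01 08:00:15,Fail,AA:BB:CC:00:00:04,root,10.10.1.9,Wired >> Dot1X,22040 Wrong password or invalid shared secret
2024-05-01 08:00:20,Fail,AA:BB:CC:00:00:05,,10.10.1.7,,11036 The Message-Authenticator RADIUS attribute is invalid
2024-05-01 08:00:21,Fail,AA:BB:CC:00:00:06,,10.10.1.7,,11036 The Message-Authenticator RADIUS attribute is invalid
2024-05-01 08:00:30,Pass,AA:BB:CC:00:00:03,asmith,10.10.1.3,Wired >> Dot1X,
"""


def load_report(text: str) -> List[Dict[str, str]]:
    """Parse the export; DictReader keys every row by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def failed(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in rows if r["Status"] == "Fail"]


def failures_by_reason(rows: List[Dict[str, str]]) -> Counter:
    """Top failure reasons; ISE prefixes each with its numeric code (22056, 12514, ...)."""
    return Counter(r["Failure Reason"] for r in failed(rows))


def guessing_endpoints(rows: List[Dict[str, str]], min_identities: int = 3) -> Dict[str, List[str]]:
    """One MAC failing with several distinct usernames is credential guessing
    against PEAP/MSCHAPv2 (or a scripted client), not a user mistyping a password."""
    names = defaultdict(set)
    for r in failed(rows):
        if r["Identity"]:
            names[r["Endpoint ID"]].add(r["Identity"])
    return {mac: sorted(ids) for mac, ids in names.items() if len(ids) >= min_identities}


def nas_with_bad_secret(rows: List[Dict[str, str]]) -> List[str]:
    """A NAS whose every request fails with 11036 (invalid Message-Authenticator)
    has a shared secret that does not match its Network Device entry on ISE."""
    by_nas = defaultdict(list)
    for r in rows:
        by_nas[r["NAS IP Address"]].append(r["Failure Reason"])
    return sorted(nas for nas, reasons in by_nas.items()
                  if all(x.startswith("11036") for x in reasons))


def unknown_ca_endpoints(rows: List[Dict[str, str]]) -> List[str]:
    """12514: the client certificate chains to a CA missing from Trusted Certificates."""
    return sorted({r["Endpoint ID"] for r in failed(rows)
                   if r["Failure Reason"].startswith("12514")})


if __name__ == "__main__":
    rows = load_report(SAMPLE_CSV)
    for reason, n in failures_by_reason(rows).most_common():
        print(f"{n:3d}  {reason}")
    print("guessing:", guessing_endpoints(rows))
    print("bad secret NAS:", nas_with_bad_secret(rows))
    print("unknown CA:", unknown_ca_endpoints(rows))
```

Run it against a real export by replacing SAMPLE_CSV with `open(path).read()`; the per-NAS check deliberately looks at all rows, not just failures, so a NAS with any successful authentication is never flagged as having a wrong secret.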

Administration

Register network device — add switch/AP with IP, shared secret, RADIUS/TACACS settings; requests from a NAD that is not registered are dropped unless the Default Device entry is enabled, so leave that disabled
Administration > Network Resources > Network Devices > + Add
ISE node roles — view/change PAN, MnT, PSN roles, configure HA pairs
Administration > System > Deployment
Configuration and operational backup — schedule regular backups to a repository and test the restore; configuration backups are encrypted with a key you set when the backup is created, and restore requires that same key
Administration > System > Backup & Restore

Troubleshooting

Service status — check if all ISE services are running from the ISE appliance CLI
show application status ise
MnT database operations — reset, rebuild, or purge the Monitoring database from the interactive menu (the M&T Session and Unified database entries; option numbers vary by release)
application configure ise
! choose the M&T database entry from the menu
Built-in troubleshooter — enter MAC/IP, ISE shows step-by-step policy evaluation with matched rules
Operations > Troubleshoot > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting
RADIUS debug on the NAD — verbose logging of all RADIUS transactions (ASA syntax shown; for ISE itself raise the runtime-AAA component to DEBUG under Administration > System > Logging > Debug Log Configuration); use sparingly in production
debug radius all