ISE Operations
Introduction
Comprehensive documentation for Cisco Identity Services Engine (ISE) operations in the DomusDigitalis environment.
This site covers server-side ISE configuration and management. For client-side configuration, see ISE Linux Client (ise-linux).
Modules
| Module | Description |
|---|---|
| | EAP-TLS, EAP-TEAP, MSCHAPv2 migration, certificate-based authentication |
| | Device classification, BMS segmentation, IoT profiling, custom policies |
| | Authorization rules, policy sets, DACLs, conditions, SGTs |
| | Installation, upgrades, patches, backup/restore, high availability |
| | Active Directory, Vault PKI, Keycloak SSO, external identity stores |
Environment
| Host | IP | Version | Role |
|---|---|---|---|
| ise-01 | 10.50.1.20 | 3.4 | Primary PAN/MnT/PSN |
| ise-02 | 10.50.1.21 | 3.2p9 | Deprecated (pending decommission) |
Key Initiatives
MSCHAPv2 to Certificate Migration
Eliminate password-based 802.1X authentication:
- Phase 1: EAP-TLS for domain-joined devices
- Phase 2: EAP-TEAP for BYOD (cert + password fallback)
- Phase 3: MSCHAPv2 sunset and enforcement
BMS Controller Segmentation
Building Management System isolation via profiling:
- Custom profiler policies for HVAC, lighting, access control
- DACL-based network segmentation
- OT/IT boundary enforcement
Zero Trust 802.1X
Policy patterns for Zero Trust network access:
- Continuous posture assessment
- Dynamic authorization
- Microsegmentation via SGTs
See Zero Trust 802.1X.
Quick Links
- Quick Reference - Common commands and queries
- Architecture - ISE deployment topology
- Installation Guide - Fresh ISE deployment