{"id":2860,"date":"2026-01-14T21:17:00","date_gmt":"2026-01-14T21:17:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2860"},"modified":"2026-02-05T18:37:25","modified_gmt":"2026-02-05T18:37:25","slug":"89-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2860","title":{"rendered":"89 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n

Identity Services Engine (ISE) & 802.1X<\/mark><\/h2>\n\n\n\n

ISE Feature<\/a><\/h2>\n\n\n\n

New Certificate with ISE<\/a><\/h2>\n\n\n\n

ISE 2.4 AD Join <\/a><\/h2>\n\n\n\n

Installing Cisco ISE 3.0 in VMware ESXi<\/a><\/h2>\n\n\n\n

Cisco ISE<\/strong>\u00a0and the\u00a0IEEE 802.1X<\/strong>\u00a0standard. While the theory is straightforward, the “real-world” implementation involves a complex dance of protocols and certificates.<\/p>\n\n\n\n

The Architecture: The Three Pillars<\/mark><\/h2>\n\n\n\n

802.1X is not a single protocol; it is a framework involving three distinct roles:<\/p>\n\n\n\n

    \n
  1. The Supplicant:<\/strong>\u00a0The endpoint (Laptop, IP Phone, IoT device) running software that supports 802.1X.<\/li>\n\n\n\n
  2. The Authenticator:<\/strong>\u00a0The network access device (NAD)\u2014usually a Switch or Wireless LAN Controller (WLC). It acts as a “gatekeeper.”<\/li>\n\n\n\n
  3. The Authentication Server (ISE):<\/strong>\u00a0The “brain” that validates credentials and pushes down policies.<\/li>\n<\/ol>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    The 802.1X Flow<\/strong><\/mark><\/h2>\n\n\n\n

    To understand how this works in a production environment, you have to look at the encapsulation layers. The process moves from EAPOL<\/strong> (EAP over LAN) between the client and switch, to RADIUS<\/strong> between the switch and ISE.<\/p>\n\n\n\n

    1. The Negotiation Phase<\/p>\n\n\n\n

    When a device connects, the switch port is in an “unauthorized” state, allowing only EAPOL, CDP, and STP traffic.<\/p>\n\n\n\n

      \n
    • The Switch sends an\u00a0EAP-Request\/Identity<\/strong>\u00a0frame.<\/li>\n\n\n\n
    • The Supplicant responds with an\u00a0EAP-Response\/Identity<\/strong>\u00a0containing the username or machine certificate.<\/li>\n<\/ul>\n\n\n\n

      2. The RADIUS Tunnel<\/p>\n\n\n\n

      The switch takes this EAP response, wraps it in a RADIUS Access-Request<\/strong> packet, and sends it to ISE. This is crucial: The switch does not validate the credentials; it simply acts as a proxy.<\/strong><\/p>\n\n\n\n

      3. EAP Method Selection (The Secure Tunnel)<\/p>\n\n\n\n

      Most modern enterprises use EAP-TLS<\/strong> (Certificate-based) or PEAP-MSCHAPv2<\/strong> (Username\/Password).<\/p>\n\n\n\n

        \n
      • EAP-TLS:<\/strong>\u00a0Provides the highest security. A TLS tunnel is built where both the server and the client exchange digital certificates.<\/li>\n\n\n\n
      • ISE’s Role:<\/strong>\u00a0ISE checks the certificate’s validity against the Certificate Authority (CA) and ensures the account is active in Active Directory (AD).<\/li>\n<\/ul>\n\n\n\n

        4. Authorization & Enforcement<\/p>\n\n\n\n

        Once authenticated, ISE sends a RADIUS Access-Accept<\/strong>. This packet isn’t just a “Yes”; it contains Authorisation Profiles<\/strong> such as:<\/p>\n\n\n\n

          \n
        • VLAN ID:<\/strong>\u00a0Moving the user from a “Quarantine” VLAN to “Finance.”<\/li>\n\n\n\n
        • dACL (Downloadable ACL):<\/strong>\u00a0Restricting the user to specific IP addresses.<\/li>\n\n\n\n
        • SGT (Scalable Group Tag):<\/strong>\u00a0For TrustSec-enabled environments.<\/li>\n<\/ul>\n\n\n\n

          To prevent widespread network outages, Cisco recommends a phased approach using specific deployment modes that shift the balance from visibility to strict enforcement. <\/h2>\n\n\n\n

          1. Monitor Mode (Visibility Phase)<\/p>\n\n\n\n

          In this initial stage, the network is configured for 802.1X, but access is not restricted. <\/p>\n\n\n\n

            \n
          • How it works:<\/strong>\u00a0The switchport is set to\u00a0authentication open<\/code>. While endpoints are prompted for credentials and ISE processes the request, the port remains open regardless of the authentication result.<\/li>\n\n\n\n
          • Technical Goal:<\/strong>\u00a0Gather data and identify endpoints that lack 802.1X supplicants (e.g., printers, IoT) or have expired certificates.<\/li>\n\n\n\n
          • Real-World Use:<\/strong>\u00a0Used to “audit” the network for several weeks to ensure all legitimate devices can authenticate before turning on enforcement.\u00a0<\/li>\n<\/ul>\n\n\n\n

            2. Low-Impact Mode (Graduated Enforcement)<\/p>\n\n\n\n

            This mode introduces basic security while still allowing critical services to function pre-authentication. <\/p>\n\n\n\n

              \n
            • How it works:<\/strong>\u00a0A\u00a0Pre-Authentication ACL (PACL)<\/strong>\u00a0is applied to the switchport. This ACL typically permits only essential traffic\u2014like DHCP, DNS, and PXE boot\u2014to allow a machine to start up and reach the network to authenticate.<\/li>\n\n\n\n
            • Enforcement:<\/strong>\u00a0Once the user authenticates, ISE pushes a\u00a0Downloadable ACL (dACL)<\/strong>\u00a0or assigns a new VLAN to grant full access.<\/li>\n\n\n\n
            • Real-World Use:<\/strong>\u00a0Ideal for environments with “thin clients” or machines that need to download an OS\/updates before the 802.1X service can start.\u00a0<\/li>\n<\/ul>\n\n\n\n

              3. Closed Mode (High Security)<\/p>\n\n\n\n

              This is the “gold standard” for a secure environment but requires the most preparation. <\/p>\n\n\n\n

                \n
              • How it works:<\/strong>\u00a0The port is completely locked down by default. No traffic is allowed except for\u00a0EAPoL<\/strong>\u00a0(Extensible Authentication Protocol over LAN).<\/li>\n\n\n\n
              • Enforcement:<\/strong>\u00a0The device receives zero network access\u2014not even an IP address\u2014until it successfully completes authentication.<\/li>\n\n\n\n
              • Real-World Use:<\/strong>\u00a0Used in highly secure areas or\u00a0SD-Access<\/strong>\u00a0fabrics where you want to ensure no “rogue” device can even send a single packet into the network without being identified.\u00a0<\/li>\n<\/ul>\n\n\n\n

                ISE Authorization<\/strong>\u00a0is the process that determines the level of access a device receives\u00a0after<\/em>\u00a0it has successfully proven its identity (Authentication).<\/h2>\n\n\n\n

                Authorization works through a top-down evaluation of rules that result in the delivery of specific network permissions to the access switch or wireless controller. <\/p>\n\n\n\n

                1. The Authorization Rule Logic<\/p>\n\n\n\n

                ISE evaluates Authorization Policies<\/strong> using a “First Match” approach. Each rule consists of: <\/p>\n\n\n\n

                  \n
                • Conditions:<\/strong>\u00a0These are “If” statements based on context. For example:\u00a0If (User is in AD-Finance-Group) AND (Device-Type is Windows-Laptop) AND (Location is HQ)<\/em>.<\/li>\n\n\n\n
                • Permissions (Results):<\/strong>\u00a0If the conditions are met, ISE assigns an\u00a0Authorization Profile<\/strong>\u2014a container of specific access instructions.\u00a0<\/li>\n<\/ul>\n\n\n\n

                  2. The Authorization Profile (What gets pushed?)<\/p>\n\n\n\n

                  When a rule matches, ISE sends a RADIUS Access-Accept<\/strong> message back to the network device. This message contains “Attributes” that tell the hardware how to restrict the port: <\/p>\n\n\n\n

                    \n
                  • VLAN Assignment:<\/strong>\u00a0Moves the device to a specific segment (e.g., VLAN 20 for HR).<\/li>\n\n\n\n
                  • Downloadable ACL (dACL):<\/strong>\u00a0A dynamic access list pushed from ISE to the switch to restrict specific traffic (e.g., allow only SQL server access).<\/li>\n\n\n\n
                  • Scalable Group Tag (SGT):<\/strong>\u00a0A tag used in Cisco TrustSec for group-based segmentation instead of traditional IP-based ACLs.<\/li>\n\n\n\n
                  • Voice Domain Permission:<\/strong>\u00a0Automatically places IP phones into the voice VLAN.\u00a0<\/li>\n<\/ul>\n\n\n\n

                    3. Change of Authorization (CoA)<\/p>\n\n\n\n

                    Authorization is not always static. If a device’s status changes (e.g., a “Posture” scan finds it is missing an antivirus update), ISE can send a CoA<\/strong> message. <\/p>\n\n\n\n

                      \n
                    • The switch receives this request and immediately re-evaluates the device’s access, often moving it to a “Quarantine” VLAN without the user having to unplug and replug their cable.\u00a0<\/li>\n<\/ul>\n\n\n\n

                      Summary of the Flow<\/strong><\/mark><\/h2>\n\n\n\n
                        \n
                      1. Request:<\/strong>\u00a0Device authenticates successfully.<\/li>\n\n\n\n
                      2. Match:<\/strong>\u00a0ISE matches the session against Authorization Policy rules.<\/li>\n\n\n\n
                      3. Instruction:<\/strong>\u00a0ISE sends the selected\u00a0Authorization Profile<\/strong>\u00a0via RADIUS.<\/li>\n\n\n\n
                      4. Enforcement:<\/strong>\u00a0The switch applies the VLAN, dACL, or SGT to the physical port.\u00a0<\/li>\n<\/ol>\n\n\n\n
                        \"\"<\/figure>\n\n\n\n

                        Guest Access Flows :<\/strong><\/mark><\/h2>\n\n\n\n
                        \"\"<\/figure>\n\n\n\n

                        Happy Labingggggggggggggggggggggggggg !<\/strong><\/p>\n\n\n\n

                        <\/p>\n","protected":false},"excerpt":{"rendered":"

                        Identity Services Engine (ISE) & 802.1X ISE Feature New Certificate with ISE ISE 2.4 AD Join Installing Cisco ISE 3.0 in VMware ESXi Cisco ISE\u00a0and the\u00a0IEEE 802.1X\u00a0standard. While the theory is straightforward, the “real-world” implementation involves a complex dance of protocols and certificates. The Architecture: The Three Pillars 802.1X is not a single protocol; it […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2,6],"tags":[],"class_list":["post-2860","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco","category-security"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2860"}],"version-history":[{"count":1,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2860\/revisions"}],"predecessor-version":[{"id":2864,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2860\/revisions\/2864"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}