CCNP Security FAQ: Cisco Identity Services Engine Architecture



Figure: Single-node/standalone ISE configuration.

Q1. Cisco Identity Services Engine (ISE) is which of the following?
a. A switch that provides authenticated access to the network
b. A network management platform
c. A network security and policy platform
d. A unified computing system that incorporates virtualization of endpoints

Answer: C. Cisco Identity Services Engine is a network security and policy platform. Using Cisco ISE, a network administrator can maintain and serve security policy to all network devices from a central location.

Q2. The four key personas of Cisco ISE are which of the following? (Select four.)
a. Administration
b. Authentication Server
c. File Download
d. Monitoring and Troubleshooting
e. Policy Services Node
f. Identity Management
g. Inline Posture Node

Answer: A, D, E, G. Cisco ISE has four personas. These personas are Administration, Monitoring and Troubleshooting, Policy Services Node, and Inline Posture Node. Each of these personas is required at least once in an ISE deployment, with the exception of the Inline Posture Node. The function of each persona is discussed within the chapter.

Q3. The Cisco ISE Administration Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data

Answer: A. Cisco ISE’s Policy Administration Node (PAN) persona is the instance of Cisco ISE where policy configuration actually happens. This persona will then distribute this policy to all other nodes.

Q4. The Cisco ISE Monitoring and Troubleshooting Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data

Answer: D. The Cisco ISE Monitoring and Troubleshooting (MnT) Node persona provides a platform for logging and reporting data from the Cisco ISE deployment. As a user or device authenticates and authorizes to the network, the ability to monitor and log those AAA events will be the responsibility of the Monitoring and Troubleshooting Node.

Q5. The Cisco ISE Policy Service Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data

Answer: C. The Cisco ISE Policy Service Node (PSN) persona provides policy decision-making. As a user or an endpoint attempts to authenticate to the network, the PSN will be responsible for making the AAA decisions based on the policy as downloaded from the Cisco ISE Policy Administration Node (PAN).

Q6. Which of the following is true about the Cisco ISE Inline Posture Node persona?
a. A gatekeeper that enforces access policies and handles CoA requests, specifically for those that cannot process CoA requests
b. Is an ergonomic tool included within Cisco ISE to ensure that network administrators are not slouching on the job
c. Allows users to always bypass authentication and authorization, giving them unfettered access to the network.
d. Sniffs all the packets sent from an endpoint, inline, making sure that the endpoint is not distributing viruses and malware onto the network.

Answer: A. The Cisco ISE Inline Posture Node is responsible for enforcing access policies and handling the CoA requests for those network access devices that cannot process CoA requests. After an endpoint is authenticated, the Inline Posture Node will ensure that the posture of the endpoint adheres to the network security policy.

Q7. A virtual ISE appliance should do which of the following?
a. Be kept as small as possible for speed and agility
b. Be appropriately sized to match the equivalent physical appliance
c. Reserve the appropriate resources to ensure that other virtualized applications do not cannibalize the ISE resources
d. A and B
e. B and C
f. A, B, and C

Answer: E. If you choose to deploy ISE as a virtual appliance, it is paramount that you allocate the appropriate virtual resources to best emulate the equivalent SNS-3415 or SNS-3495 physical appliance. Also, you should reserve 100% of these resources to ensure that other virtualized network functions do not starve the ISE of the resources.

Q8. In a single-node/standalone deployment of ISE, which of the following is true?
a. Each ISE appliance services a single network access device.
b. Each ISE appliance services only a single ISE persona.
c. All endpoints bypass authentication.
d. All core ISE personas reside on a single ISE appliance.

Answer: D. In a single-node deployment of ISE, all ISE personas (PAN, MNT, and PSN) reside on a single appliance. In this deployment, there are no options for redundancy. For instance, if the PSN persona fails, or if the physical appliance fails, RADIUS authentications and authorizations will fail until the issue can be resolved.

Q9. In a four-node deployment of Cisco ISE, the ____ and ____ personas are combined on two of the appliances, while the ____ persona is by itself on each of the other two appliances.
a. PAN, PSN, MNT
b. PAN, IPN, MNT
c. PSN, MNT, IPN
d. PSN, PAN, MNT
e. PAN, MNT, IPN
f. PAN, MNT, PSN

Answer: F. In a four-node ISE deployment, the PAN and MNT personas are combined on two of the appliances, with each acting as primary on one appliance and secondary on the other appliance. On the remaining two appliances, only the PSN persona is configured.

Q10. The maximum number of PSNs supported with ISE 1.2 in a fully distributed deployment model is ____, resulting in a maximum number of supported endpoints of ______.
a. 5; 5,000
b. 5; 10,000
c. 5; 50,000
d. 40; 5,000
e. 40; 20,000
f. 40; 250,000

Answer: F. In a fully distributed ISE deployment, the ISE PAN and MNT personas each reside on a separate appliance (or a separate pair of appliances if redundancy is required). Each of the PAN and MNT appliances will be an SNS-3495 appliance (or equivalent virtual appliance). With these PAN and MNT functions distributed, up to 40 PSNs can be deployed. For each SNS-3415 PSN deployed, up to 5,000 endpoints can be supported. For each SNS-3495 PSN deployed, up to 20,000 endpoints can be supported. A limitation on the PAN/MNT nodes, however, will allow only up to 250,000 endpoints to be supported in a single fully distributed ISE 1.2 deployment.
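The sizing rules quoted in this answer, encoded as a small check you can run against a planned node list. This is an added example, not code from the page or from Cisco; the node tuple format, the function name and the persona labels (PAN, MNT, PSN, IPN) are my own convention, and the numbers are the ISE 1.2 figures stated above.

```python
from collections import Counter

# Figures from the Q10 answer (ISE 1.2, fully distributed deployment)
MAX_PSN = 40                      # at most 40 PSNs once PAN and MnT are distributed
MAX_ENDPOINTS = 250_000           # PAN/MnT limit for the whole deployment
PSN_CAPACITY = {"SNS-3415": 5_000, "SNS-3495": 20_000}  # endpoints per PSN by model
CORE = {"PAN", "MNT", "PSN"}      # required personas; IPN is optional

def check_distributed(nodes):
    """nodes: list of (appliance_model, set_of_personas), one entry per appliance.
    Returns (problems, supported_endpoints). An empty problem list means the
    layout follows the fully distributed rules; the endpoint figure is the sum
    of PSN capacity, capped by the PAN/MnT limit."""
    problems = []
    count = Counter(p for _, roles in nodes for p in roles)
    for persona in sorted(CORE - set(count)):
        problems.append(f"no node carries the required {persona} persona")
    for persona in ("PAN", "MNT"):           # only a primary/secondary pair
        if count[persona] > 2:
            problems.append(f"{persona} on {count[persona]} nodes; at most primary and secondary")
    if count["PSN"] > MAX_PSN:
        problems.append(f"{count['PSN']} PSNs exceeds the limit of {MAX_PSN}")
    endpoints = 0
    for model, roles in nodes:
        if roles & {"PAN", "MNT"}:
            # Fully distributed: PAN and MnT each on their own SNS-3495 appliance(s)
            if {"PAN", "MNT"} <= roles:
                problems.append("PAN and MnT share an appliance; fully distributed separates them")
            if "PSN" in roles:
                problems.append("PAN/MnT appliance also runs PSN; not a fully distributed layout")
            if model != "SNS-3495":
                problems.append(f"PAN/MnT appliance must be an SNS-3495, found {model}")
        if "PSN" in roles:
            if model in PSN_CAPACITY:
                endpoints += PSN_CAPACITY[model]
            else:
                problems.append(f"unknown PSN appliance model {model}")
    return problems, min(endpoints, MAX_ENDPOINTS)
```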

About the author

James Palmer
