CCNP Security FAQ: Identity Management
Figure ISE identity source sequence configuration
Q1. What are two types of identities used in Cisco Identity Service Engine?
b. MAC address
d. IP address
Answer: B, C. An identity is a representation of who a user or device is. Cisco ISE uses an endpoint’s MAC address to uniquely identify that endpoint. A username is one method of uniquely identifying an end user. Although SSIDs and IP addresses can be used as conditions or attributes in ISE policies, they are not identities.
Q2. What are the two general types of identity stores used by Cisco ISE?
Answer: B, C. Cisco ISE can use identities stored in a database that resides as part of the ISE application itself; these are known as internal identity stores. Examples are the GUEST user identity store and the endpoints identity store. Identities can live outside of ISE, such as Active Directory, and these are known as external identity stores.
Q3. Cisco ISE internal identity stores are used to authentication which two of the following?
b. AD security groups
Answer: A, D. ISE has two different types of internal identity stores: users and endpoints. The user identity stores hold identities for interactive users, such as guests or employees. These have attributes such as passwords for the authentication of the user. Endpoints have a different kind of identity. Because they don’t interact with an authentication in most cases, their identities can often just be their MAC addresses.
Q4. Which identity store attributes can be used in an ISE authorization policy? (Choose two.)
Answer: A, D. Either a user or a machine (endpoint) can be authorized for network access. Sometimes it is possible to authorize based on the identity or attributes of both the user and the machine.
Q5. What is an individual identity store called?
a. Authentication source
b. Identity database
c. Identity source
d. Authentication database
Answer: C. The identity store is known as an identity source or an information source. The data contained in the identity store is used for authentication and authorization purposes.
Q6. How is an identity source sequence processed?
a. Bottom to top
b. Left to right
c. Top to bottom
d. No particular order
Answer: C. An identity source sequence (ISS) is a list of identity stores. Much like an access control list (ACL), the ISS list is processed with from the top to the bottom, where the first entry that has the identity is used and the processing of the ISS ends.
Q7. Which of the following identity stores are supported by ISE for authentication? (Choose three.)
c. Microsoft Active Directory
d. RADIUS servers
Answer: A, C, D. Lightweight Directory Access Protocol is a standard directory type that allows vendors to use a common communication structure to provide authentications and information about identities. Microsoft’s Active Directory is an LDAP-like directory source and is one of the most common identity sources in the modern world. In addition to querying an identity source directly, ISE is also able to proxy RADIUS authentications to a different RADIUS server.
Q8. Which of the following can be used with an internal identity store?
b. Guest login
Answer: B, D. Internal identity stores can be used to authenticate user accounts or endpoints. A guest is a type of internal user that ISE can authenticate. MAB is often used to “authenticate” endpoints against the internal endpoints identity store.
Q9. What are the two types of internal identity stores used in ISE?
a. User database
b. Endpoint database
c. System database
d. Admin database
Answer: A, B. ISE has two different types of internal identity stores: users and endpoints. The user identity stores hold identities for interactive users, like guests or employees. These have attributes such as passwords for the authentication of the user. Endpoints have a different kind of identity. Because they don’t interact with an authentication in most cases, their identities can often just be their MAC addresses.
Q10. What are the two primary reasons for using external identity stores?
Answer: C, D. External identity stores often exist already in an organization before ISE would be installed. By pointing to those identity sources, the management overhead is dramatically reduced because the accounts don’t have to be created again in ISE’s internal database(s). Additionally, this enables the organization to scale more effectively by having a single source of truth for identity.