ISE is the policy decision point in a Zero-Trust network: discover, profile, authenticate, and authorize every endpoint — and revoke access the instant a session goes bad. I've run it as the access-control core for enterprise and federal networks, wired and wireless.
Runnable examples — the NAD side, the ISE side, and the automation that ties them together:
| File | What it shows |
|---|---|
| `examples/nad-802.1x-ibns2.cfg` | IOS-XE switch NAD — IBNS 2.0 802.1X + MAB with CoA |
| `examples/wlc-9800-radius.cfg` | Catalyst 9800 WLC — wireless 802.1X to ISE, AAA-override + CoA |
| `examples/tacacs-device-admin.cfg` | TACACS+ device administration — per-command authz, with a break-glass fallback |
| `examples/downloadable-acl.md` | Downloadable ACL authorization + a Monitor→Closed rollout that won't lock users out |
| `examples/ers-add-network-device.py` | Register a NAD via the ERS API (idempotent, secrets from env) |
| `playbooks/ise_network_device.yml` | The same, declarative — NADs as desired state via the cisco.ise collection |
Placeholders throughout; shared secrets and ERS creds come from the environment — nothing sensitive is committed.
The switch (the NAD) does the enforcement; ISE makes the decision. Here's the IOS-XE side done the modern way — IBNS 2.0, with concurrent 802.1X + MAB and CoA wired in so ISE can quarantine a live session:
```
! --- RADIUS to ISE, with change-of-authorization for quarantine ---
! aaa new-model must come first; pair it with login/enable methods in the same change
aaa new-model
radius server ISE-1
 address ipv4 0.0.0.0 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE
 server name ISE-1
 ip radius source-interface Vlan10
! CoA: ISE can bounce/quarantine a session
aaa server radius dynamic-author
 client 0.0.0.0 server-key <shared-secret>
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
! 802.1X is off globally until this is set
dot1x system-auth-control
! --- IBNS 2.0 control policy: try 802.1X and MAB at the same time ---
policy-map type control subscriber DOT1X_MAB
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
interface GigabitEthernet1/0/10
 switchport access vlan 10
 switchport mode access
 access-session host-mode multi-auth
 access-session port-control auto
 ! access-session closed <-- leave this OFF until monitor mode proves the policy
 dot1x pae authenticator
 mab
 service-policy type control subscriber DOT1X_MAB
```
- Phase it: Monitor → Low-Impact → Closed. Authentication runs and logs, but the port stays open until the policy is proven. Only then flip `access-session closed`.
- Certificates, not passwords. EAP-TLS with machine + user certs from an internal CA; MAB only for gear that genuinely can't do 802.1X.
- Distributed personas. Separate PAN / MnT / PSN, two of each for HA; size PSNs to the endpoint count, not the org chart.
- Revocation is the whole point. If you can't CoA a bad session off the network in seconds, it isn't Zero Trust — it's a login page.
- `aaa new-model` will lock you out of the box. Enable it on a fresh switch/WLC without also setting `aaa authentication enable default enable`, and `enable` over SSH returns "% Error in authentication" — you're stuck in user EXEC. Put the login/enable/exec methods in the same change, or fix it from the console. (Cost me a recovery trip the first time.)
- ISE silently drops RADIUS from a NAD it doesn't know. No reject, no obvious log — `test aaa` just times out while you blame the shared secret. Add the network device in ISE first, then test.
- Closed mode on day one black-holes a floor of users. I learned to live in Monitor Mode for weeks and read the live logs before tightening anything.
- Expired system/EAP certs take auth down quietly. Monitor expiry; automate renewal.
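The "add the network device in ISE first" step, done idempotently over ERS, as an added example written for this page (it is not the repo's `examples/ers-add-network-device.py`). It assumes ERS is enabled on port 9060 with an ERS admin account, that the env vars `ISE_HOST`, `ISE_ERS_USER`, `ISE_ERS_PASS`, `ISE_CA_BUNDLE`, `NAD_NAME`, `NAD_IP` and `RADIUS_SECRET` are set, and that the HTTP session is injected so the logic can be exercised offline.

```python
"""Idempotent NAD registration against the ISE ERS API (added example).

Create the network device if ISE has never heard of it, update it if it exists,
and always carry the RADIUS secret plus CoA port so ISE can quarantine sessions.
"""
import os

ERS_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def device_payload(name, ip, shared_secret, coa_port=1700):
    """Build the ERS NetworkDevice body for a single-IP NAD (/32)."""
    return {"NetworkDevice": {
        "name": name,
        "authenticationSettings": {"radiusSharedSecret": shared_secret,
                                   "enableKeyWrap": False},
        "NetworkDeviceIPList": [{"ipaddress": ip, "mask": 32}],
        "coaPort": coa_port,
    }}


def ensure_network_device(session, base_url, name, ip, shared_secret):
    """GET by name; 404 -> POST (create), 200 -> PUT by id (update).

    `session` is any object with requests.Session-style get/post/put.
    Returns "created" or "updated" so callers/playbooks can report change.
    """
    url = f"{base_url}/ers/config/networkdevice"
    body = device_payload(name, ip, shared_secret)
    lookup = session.get(f"{url}/name/{name}", headers=ERS_HEADERS)
    if lookup.status_code == 404:
        created = session.post(url, json=body, headers=ERS_HEADERS)
        created.raise_for_status()
        return "created"
    lookup.raise_for_status()
    device_id = lookup.json()["NetworkDevice"]["id"]
    updated = session.put(f"{url}/{device_id}", json=body, headers=ERS_HEADERS)
    updated.raise_for_status()
    return "updated"


def main():
    import requests  # imported here so the module loads without requests installed
    s = requests.Session()
    s.auth = (os.environ["ISE_ERS_USER"], os.environ["ISE_ERS_PASS"])
    s.verify = os.environ.get("ISE_CA_BUNDLE", True)  # pin the ISE admin cert/CA
    base = f"https://{os.environ['ISE_HOST']}:9060"
    print(ensure_network_device(s, base, os.environ["NAD_NAME"],
                                os.environ["NAD_IP"], os.environ["RADIUS_SECRET"]))


if __name__ == "__main__":
    main()
```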
- 3.3 (Jul 10, 2023): TLS 1.3 for EAP-TLS.
- 3.4 (Aug 5, 2024): native Duo identity sync, AD domain-controller failover, pxGrid Direct.
- 3.5 (Sep 18, 2025): SNMPv3 profiling for non-authenticating IoT, cloud Multi-Factor Classification.
ise-demo-enclave — a fully automated ISE 3.4 + Windows AD lab on Proxmox (one Ansible role builds both nodes; serial-driven ISE setup).