Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Cisco ISE

Required for

  • pxGrid
  • SGTs
  • Microsegmentation

Provides 802.1x, Mac Authentication Bypass (MAB), or Web Authentication (WebAuth).

ISE is tightly integrated via API calls to CatC.

  • Talks to Catalyst center via pxGrid.
  • Can talk to AWS or Microsoft AD.

Implements Zero Trust.

Can be deployed as a VM.

Terms

ISE — Identity Services Engine

A modern AAA server.

Zero Trust

  • Least Privilege

SGT

SGT – Security Group Tags

Context that can be shared with other devices to determine what a user is allowed access to.

  • 16 bits
  • AKA, Scalable Group tags
  • AKA, Security Group Tags
  • Can be packaged with packets via VXLAN-GPO
    • Policy for the packets
  • Does not rely on IP or MAC
What can be groupedExample SGT assignment
user roleEmployee, Contractor, Guest
device typeIoT_Sensor, IP_Camera, Printer
device postureCompliant, Non-Compliant
server/subnet (static)PCI_DB, HR_Server
trust levelTrusted_Corp, Untrusted_BYOD
combinationEmployee + Compliant device = Corp_Managed

References

Cisco - Cisco Identity Services Engine Documents Landing Page

Cisco Live - NG Segmentation, A Deep dive into Group Based Policy, SXPv5 and PxGrid Direct

Cisco Live - Katherine McNamara - ISE Deployment Improvement Tips and Tricks - BRKSEC-2347

Last Modified • Sunday, June 28, 2026. 2:26 am UTC+00:00 • Commit: 225ace7