For printers that do not have a supplicant, Cisco ISE can handle authentication using MAB (MAC Authentication Bypass). MAB is a method of authenticating devices based on their MAC address. It is useful for devices that do not support 802.1X or other authentication protocols, such as printers, cameras, or IoT devices. MAB works as follows:
1. The device sends an Ethernet frame with its MAC address as the source address.
2. The switch sends a RADIUS Access-Request message to ISE with the MAC address as the username and password.
3. ISE checks the MAC address against a database of known devices or an identity source sequence.
4. If the MAC address is found and authorized, ISE sends a RADIUS Access-Accept message to the switch with the appropriate authorization profile.
5. The switch applies the authorization profile to the device and grants it access to the network.
MAB is less secure than 802.1X, as MAC addresses can be spoofed or cloned. Therefore, MAB should be used with caution and combined with other security measures, such as profiling, posture, or endpoint protection. MAB should also be restricted to specific ports or VLANs that are isolated from the rest of the network.
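The exchange and the restrictions described above, modeled in Python as an added example (a simplified sketch, not Cisco ISE code or configuration). The endpoint store, port allow-list, profile name and the duplicate-session check are constructed for illustration; the attributes other than User-Name (Calling-Station-Id, NAS-IP-Address, NAS-Port-Id) are standard RADIUS attributes assumed to be present in the request.

```python
import re

# Constructed endpoint store: MAC -> (endpoint group, authorization profile).
# Group and profile names are hypothetical, not ISE defaults.
KNOWN_ENDPOINTS = {
    "00:11:22:33:44:55": ("Printers", "PRINTER_VLAN_ONLY"),
}
# Constructed allow-list of (switch IP, port) pairs where MAB is permitted.
MAB_PORTS = {("10.0.0.2", "Gi1/0/10"), ("10.0.0.2", "Gi1/0/11")}


def normalize_mac(raw):
    """Accept 0011.2233.4455, 00-11-22-33-44-55, 001122334455 and similar."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_decide(request, active_sessions):
    """Return (RADIUS reply, detail) for one MAB Access-Request.

    request: dict of RADIUS attributes sent by the switch.
    active_sessions: dict MAC -> (nas_ip, port) of sessions already open.
    """
    try:
        mac = normalize_mac(request["User-Name"])
        calling = normalize_mac(request["Calling-Station-Id"])
    except (KeyError, ValueError):
        return "Access-Reject", "malformed request"
    # In MAB the username is the MAC itself, so both fields must agree.
    if mac != calling:
        return "Access-Reject", "User-Name does not match Calling-Station-Id"
    # Restrict MAB to the specific ports set aside for supplicant-less devices.
    where = (request.get("NAS-IP-Address"), request.get("NAS-Port-Id"))
    if where not in MAB_PORTS:
        return "Access-Reject", "MAB not permitted on this port"
    if mac not in KNOWN_ENDPOINTS:
        return "Access-Reject", "unknown endpoint"
    # A MAC is not a secret: the same address live on a second port
    # suggests a clone and is refused in this model.
    if active_sessions.get(mac, where) != where:
        return "Access-Reject", "MAC already active on another port"
    active_sessions[mac] = where
    return "Access-Accept", KNOWN_ENDPOINTS[mac][1]
```

Even the accepted case grants only the restricted profile, which is why the surrounding controls (profiling, isolated VLANs) carry most of the security weight for MAB endpoints.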