Pracuj.pl Remote work Senior

Cisco ISE / NAC Engineer

HIBERUS POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ

⚲ Wrocław, Stare Miasto

33 000–39 000 zł net (+ VAT) / month

Requirements

  • Cisco

Job description

Our requirements:

  • 5+ years enterprise network/security engineering with strong NAC focus; proven deployments at scale (multi-site).
  • Strong hands-on Cisco ISE (2.x/3.x): Policy Sets, authorization profiles, CoA, profiling; posture familiarity (AnyConnect).
  • Strong in 802.1X/EAP (EAP-TLS, PEAP), RADIUS, MAB, certificate troubleshooting.
  • Experience integrating ISE with AD/LDAP and PKI/CA; ability to manage cert lifecycle safely.
  • Proven ability to integrate NAC with non-Cisco switching — specifically Arista (802.1X/MAB implementation patterns, edge cases).
  • Comfortable working in environments using Check Point firewalls and understanding how segmentation intents translate to enforcement boundaries.
  • Practical automation experience: ISE REST API + scripting (Python) and/or Ansible; Git workflows.

Nice to have:

  • Experience designing identity-driven segmentation in heterogeneous networks (non-Cisco campus/core).
  • Experience with compliance/regulatory environments and audit-ready documentation.
  • Familiarity with Zero Trust frameworks and operating models (exception governance, SoD, least privilege).

About the project:

We need a Cisco ISE engineer/consultant to support Zero Trust implementation for user/device access through Network Access Control (NAC), leveraging Cisco ISE + AnyConnect, integrated with Check Point firewalls and Arista core/access switching. The role focuses on user segmentation, policy automation, and operationalization (runbooks, exception process, monitoring), working closely with the Network, Security, IAM/PKI, and Zero Trust teams.

Responsibilities:

1) Build a working Zero Trust segmentation model in ISE
  • Define roles/attributes (users, devices, posture where applicable) and map them to clear access outcomes (e.g., VLAN/ACL/dACL assignments, enforcement hooks).
  • Produce a policy matrix and standards that are easy to operate and audit.

2) Implement NAC on Arista (wired) with enterprise-grade stability
  • Deploy/configure 802.1X + MAB patterns, NAD onboarding templates, CoA, profiling basics.
  • Ensure high availability/scaling of ISE and validate end-to-end flows (client ↔ Arista ↔ ISE ↔ AD/PKI).

3) Integrate AnyConnect/VPN authentication and leverage posture signals where in scope
  • Configure VPN AAA (RADIUS) and incorporate AnyConnect context (posture/attributes if used) into authorization.
  • Align remote access outcomes with the same segmentation intent as on-prem.

4) Align segmentation intent with Check Point enforcement and operational processes
  • Define how NAC outcomes relate to enforcement boundaries and how exceptions are handled.
  • Establish governance: request/approval workflow, temporary exceptions with expiry, reporting.

5) Automate and operationalize the service
  • Automate repetitive tasks (NAD onboarding, bulk policy object updates, reporting) using ISE REST APIs and scripting/Ansible; use Git where possible.
  • Deliver runbooks (operations + troubleshooting + certificate renewal), monitoring/alerting, backup/restore, upgrade plan.