Cisco ISE / NAC Engineer
Wrocław, Wrocław, Lower Silesian Voivodeship, Poland
HIBERUS POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
13. 3. 2026
Job information

Technologies expected:


  • Cisco

About the project:


  • We need a Cisco ISE engineer/consultant to support a Zero Trust implementation for user/device access through Network Access Control (NAC), leveraging Cisco ISE + AnyConnect, integrated with Check Point firewalls and Arista core/access switching. The role focuses on user segmentation, policy automation, and operationalization (runbooks, exception process, monitoring), working closely with the Network, Security, IAM/PKI, and Zero Trust teams.

Responsibilities:


  • 1) Build a working Zero Trust segmentation model in ISE
  • Define roles/attributes (users, devices, posture where applicable) and map them to clear access outcomes (e.g., VLAN/ACL/dACL assignments, enforcement hooks).
  • Produce a policy matrix and standards that are easy to operate and audit.
  • 2) Implement NAC on Arista (wired) with enterprise-grade stability
  • Deploy/configure 802.1X + MAB patterns, NAD onboarding templates, CoA, profiling basics.
  • Ensure high availability/scaling of ISE and validate end-to-end flows (client ↔ Arista ↔ ISE ↔ AD/PKI).
  • 3) Integrate AnyConnect/VPN authentication and leverage posture signals where in scope
  • Configure VPN AAA (RADIUS) and incorporate AnyConnect context (posture/attributes if used) into authorization.
  • Align remote access outcomes with the same segmentation intent as on-prem.
  • 4) Align segmentation intent with Check Point enforcement and operational processes
  • Define how NAC outcomes relate to enforcement boundaries and how exceptions are handled.
  • Establish governance: request/approval workflow, temporary exceptions with expiry, reporting.
  • 5) Automate and operationalize the service
  • Automate repetitive tasks (NAD onboarding, bulk policy object updates, reporting) using ISE REST APIs and scripting/Ansible; use Git where possible.
  • Deliver runbooks (operations + troubleshooting + certificate renewal), monitoring/alerting, backup/restore, and an upgrade plan.

Requirements expected:


  • 5+ years enterprise network/security engineering with strong NAC focus; proven deployments at scale (multi-site).
  • Strong hands-on Cisco ISE (2.x/3.x): Policy Sets, authorization profiles, CoA, profiling; posture familiarity (AnyConnect).
  • Strong in 802.1X/EAP (EAP-TLS, PEAP), RADIUS, MAB, certificate troubleshooting.
  • Experience integrating ISE with AD/LDAP and PKI/CA; ability to manage cert lifecycle safely.
  • Proven ability to integrate NAC with non-Cisco switching — specifically Arista (802.1X/MAB implementation patterns, edge cases).
  • Comfortable working in environments using Check Point firewalls and understanding how segmentation intents translate to enforcement boundaries.
  • Practical automation experience: ISE REST API + scripting (Python) and/or Ansible; Git workflows.
