Senior Network Security Engineer – Cisco ISE & Zero Trust Segmentation

We are seeking a Senior Network Security Engineer with deep expertise in Cisco Identity Services Engine (ISE) and identity-driven network segmentation to support and enhance a modern enterprise security architecture. This role will focus on designing, implementing, and operating network access control (NAC) and TrustSec-based segmentation across wired, wireless, and data center environments.

The ideal candidate will have extensive hands-on experience deploying and managing Cisco ISE platforms and will play a key role in advancing Zero Trust Network Access (ZTNA) strategies. This position requires strong technical depth across authentication protocols, identity-based policy enforcement, and enterprise networking fundamentals. This role requires onsite work 3–4 days per week and may require travel to multiple sites within the city of Chicago.

Key Responsibilities

• Design, deploy, and operate Cisco ISE (2.x and 3.x) environments supporting enterprise NAC and identity-based policy enforcement.

• Develop and manage ISE policy sets, profiling policies, posture assessment, and guest/BYOD access workflows.

• Implement and maintain 802.1X and MAB authentication across wired and wireless environments.

• Integrate ISE with Active Directory, PKI infrastructures, certificate-based authentication, and MDM platforms.

• Configure and maintain TACACS+ device administration for network infrastructure access control.

• Support pxGrid integrations to enable identity and context sharing across security platforms.

• Design and implement TrustSec segmentation architectures using Security Group Tags (SGTs) and SGACL policies.

• Enable identity-to-role mapping and enforce segmentation policies across Catalyst switches, Nexus platforms, and wireless controllers.

• Lead the design and implementation of microsegmentation strategies across campus and data center environments.

• Perform advanced troubleshooting using ISE live logs, session directory, packet captures, and switch/WLC debugging tools.

• Collaborate with network and security teams to implement Zero Trust principles, minimizing lateral movement and enforcing least-privilege access.

• Manage network security changes through structured implementation plans, pilot deployments, and staged rollouts.

• Develop testing procedures and rollback strategies to ensure stable production operations.

• Travel to multiple sites within the city of Chicago as needed and work onsite 3–4 days per week to support network deployments and troubleshooting activities.

Mandatory Skills

• 5+ years of hands-on experience deploying and operating Cisco Identity Services Engine (ISE).

• Strong expertise in:

  • ISE Policy Sets

  • Profiling and Posture Assessment

  • Guest and BYOD access workflows

  • pxGrid integrations

  • TACACS+ device administration

• Deep understanding of 802.1X and MAB authentication for wired and wireless networks.

• Strong knowledge of supplicant behavior, Change of Authorization (CoA), and EAP methods such as PEAP and EAP-TLS.

• Experience integrating ISE with:

  • Active Directory / Identity Providers

  • PKI and certificate-based authentication

  • Mobile Device Management (MDM) platforms

• Hands-on experience with Cisco TrustSec:

  • SGT classification and propagation

  • SGACL policy design and enforcement

• Experience implementing segmentation across Catalyst switches, Nexus platforms, and wireless controllers.

• Advanced troubleshooting skills using ISE logs, packet captures, session directory, and network device debugging tools.

• Strong knowledge of Layer 2 and Layer 3 networking fundamentals.

• Experience with routing protocols including OSPF and BGP.

• Experience with ACLs, QoS, NAT, Spanning Tree, and wireless networking (WLC / 802.11).

• Familiarity with enterprise network services including NTP, DNS, and DHCP.

• Proven experience supporting enterprise campus and data center network architectures.

Desirable Skills

• Experience designing or supporting Zero Trust Network Access (ZTNA) architectures.

• Strong understanding of identity-driven access control and least-privilege security models.

• Knowledge of north–south vs. east–west traffic patterns in enterprise environments.

• Experience performing threat modeling and lateral movement analysis within segmented networks.

• Experience implementing data center or host-based microsegmentation.

• Experience with large-scale network policy orchestration and automation.

• Cisco certifications such as CCNP Security, CCIE Security, or Cisco ISE Specialist.

Compensation

$90–$100 per hour (1099/W2)