Senior Network Security Engineer - Cisco ISE & Zero Trust Segmentation

Job Description

Job Description

We are seeking a Senior Network Security Engineer with deep expertise in Cisco Identity Services Engine (ISE) and identity-driven network segmentation to support and enhance a modern enterprise security architecture. This role will focus on designing, implementing, and operating network access control (NAC) and TrustSec-based segmentation across wired, wireless, and data center environments.

The ideal candidate will have extensive hands-on experience deploying and managing Cisco ISE platforms and will play a key role in advancing Zero Trust Network Access (ZTNA) strategies. This position requires strong technical depth across authentication protocols, identity-based policy enforcement, and enterprise networking fundamentals. This position requires regular onsite presence at client locations within the Chicago metropolitan area (3–4 days per week). Candidates must currently reside within commuting distance of Chicago and be able to attend onsite meetings, deployments, and troubleshooting activities on short notice.

**** Applicants who are not currently located in the Chicago area will not be considered. ****

Key Responsibilities

• Design, deploy, and operate Cisco ISE (2.x and 3.x) environments supporting enterprise NAC and identity-based policy enforcement.

• Develop and manage ISE policy sets, profiling policies, posture assessment, and guest/BYOD access workflows.

• Implement and maintain 802.1X and MAB authentication across wired and wireless environments.

• Integrate ISE with Active Directory, PKI infrastructures, certificate-based authentication, and MDM platforms.

• Configure and maintain TACACS+ device administration for network infrastructure access control.

• Support pxGrid integrations to enable identity and context sharing across security platforms.

• Design and implement TrustSec segmentation architectures using Security Group Tags (SGTs) and SGACL policies.

• Enable identity-to-role mapping and enforce segmentation policies across Catalyst switches, Nexus platforms, and wireless controllers.

• Lead the design and implementation of microsegmentation strategies across campus and data center environments.

• Perform advanced troubleshooting using ISE live logs, session directory, packet captures, and switch/WLC debugging tools.

• Collaborate with network and security teams to implement Zero Trust principles, minimizing lateral movement and enforcing least-privilege access.

• Manage network security changes through structured implementation plans, pilot deployments, and staged rollouts.

• Develop testing procedures and rollback strategies to ensure stable production operations.

• Travel to multiple sites within the city of Chicago as needed and work onsite 3–4 days per week to support network deployments and troubleshooting activities.

Mandatory Skills

• 5+ years of hands-on experience deploying and operating Cisco Identity Services Engine (ISE).

• Strong expertise in:

  • ISE Policy Sets

  • Profiling and Posture Assessment

  • Guest and BYOD access workflows

  • pxGrid integrations

  • TACACS+ device administration

• Deep understanding of 802.1X and MAB authentication for wired and wireless networks.

• Strong knowledge of supplicant behavior, Change of Authorization (CoA), and EAP methods such as PEAP and EAP-TLS.

• Experience integrating ISE with:

  • Active Directory / Identity Providers

  • PKI and certificate-based authentication

  • Mobile Device Management (MDM) platforms

• Hands-on experience with Cisco TrustSec:

  • SGT classification and propagation

  • SGACL policy design and enforcement

• Experience implementing segmentation across Catalyst switches, Nexus platforms, and wireless controllers.

• Advanced troubleshooting skills using ISE logs, packet captures, session directory, and network device debugging tools.

• Strong knowledge of Layer 2 and Layer 3 networking fundamentals.

• Experience with routing protocols including OSPF and BGP.

• Experience with ACLs, QoS, NAT, Spanning Tree, and wireless networking (WLC / 802.11).

• Familiarity with enterprise network services including NTP, DNS, and DHCP.

• Proven experience supporting enterprise campus and data center network architectures.

Desirable Skills

• Experience designing or supporting Zero Trust Network Access (ZTNA) architectures.

• Strong understanding of identity-driven access control and least-privilege security models.

• Knowledge of north–south vs. east–west traffic patterns in enterprise environments.

• Experience performing threat modeling and lateral movement analysis within segmented networks.

• Experience implementing data center or host-based microsegmentation.

• Experience with large-scale network policy orchestration and automation.

• Cisco certifications such as CCNP Security, CCIE Security, or Cisco ISE Specialist.

Additional Requirements

• Candidates must currently reside in the Chicago metropolitan area.
• Identity will be verified during the interview process.
• Candidates should expect live technical interviews and onsite verification meetings as part of the hiring process.
• This role cannot be performed fully remotely.

Compensation

$90–$100 per hour (1099/W2)