
FirstPassLab

Originally published at firstpasslab.com

Build a Cisco ISE 3.x Lab on EVE-NG: Sizing, First Boot, and Your First 802.1X Test

If you are building a Cisco ISE lab for CCIE Security, the biggest trap is treating ISE like a lightweight router VM. It is not. ISE is an application stack with a database, a heavy GUI, and a lot of ways to fail if DNS, NTP, storage, and basic RADIUS plumbing are sloppy.

The good news is that you do not need a giant topology to make it useful. One clean single-node ISE build, one switch, one endpoint, and one working 802.1X plus MAB flow will teach you more exam-relevant troubleshooting than a bigger lab that barely boots.

TL;DR

  • Treat Cisco's published minimum as the floor, not the comfort target.
  • For most homelabs, 8 vCPU, 16 to 24 GB RAM, and a 300 GB qcow2 disk is the sweet spot.
  • Use EVE-NG when you want ISE plus FMC, FTD, guest VMs, and a mixed security stack in one place.
  • Get DNS and NTP right before touching policy.
  • Your first milestone is simple: one switch, one endpoint, one successful RADIUS transaction visible in Live Logs.

What hardware do you actually need for a Cisco ISE lab on EVE-NG?

Cisco's evaluation baseline is usable for proof of concept work, but it feels cramped fast when you start opening the GUI, making policy changes, and testing endpoints.

| Lab target | vCPU | RAM | Disk | Practical take |
|---|---|---|---|---|
| Cisco evaluation minimum | 4 | 16 GB | 300 GB | Fine for a one-time install or very light testing |
| Comfortable CCIE practice node | 8 | 16 to 24 GB | 300 GB qcow2 | Best balance for most homelabs |
| Multi-node or heavier guest/posture testing | 12+ | 24 to 32 GB | 600 GB+ host capacity | Only if your server is genuinely strong |

The host matters too. Put EVE-NG on SSD or NVMe storage, not spinning disks. Storage performance is one of the main differences between an ISE node that feels merely slow and one that feels broken.

EVE-NG or CML?

For Cisco ISE specifically, EVE-NG is usually the better fit.

Why:

  • ISE behaves more like an appliance than a router image.
  • EVE-NG handles qcow2 disks and mixed topologies more naturally.
  • It is easier to build one security lab with ISE, FMC, FTD, switches, and test endpoints in the same environment.

CML is still great for IOS XE, IOS XR, NX-OS, and repeatable routing and switching labs. But if your immediate goal is realistic ISE practice, EVE-NG is usually the path of least pain.

Import Cisco ISE 3.x into EVE-NG without wasting a day

The clean workflow is simple:

  1. Download the ISE 3.x ISO from Cisco Software Central.
  2. Create the EVE-NG image directory and upload the ISO.
  3. Create one qcow2 disk sized to 300 GB.
  4. Boot with VNC and complete the installer once.
  5. Let the system finish first boot and reach a stable baseline.
  6. Save that clean disk as your gold image.
  7. Fix permissions before cloning or reusing it.

A few rules matter here:

  • Use qcow2, not a random disk format copied from another appliance workflow.
  • Do not under-size the disk just because an old forum post used a smaller value.
  • Do not rely on VM snapshots as your recovery strategy. Treat a clean gold image as the rollback point instead.

That last point is important. ISE is much less forgiving of snapshot abuse than typical network VMs.

First boot checklist

A stable ISE lab starts with boring infrastructure hygiene. If these are wrong, every higher-layer symptom becomes noise.

Use a simple build sheet:

  • Hostname: ise01.lab.local
  • Management IP, mask, and gateway on a clean management network
  • DNS that resolves the ISE FQDN and any AD or repository hosts
  • Reachable NTP
  • A single standalone node running all three personas (PAN, MnT, and PSN); that is enough for a modest lab

Before you touch policy, verify:

  • Evaluation licensing is active
  • Node status is healthy
  • System time is correct
  • DNS resolution works from the CLI and GUI
  • Certificates are at least understood, even if they are lab-only and self-signed

If the clock is wrong, certificates show up as not yet valid or already expired, and TLS to AD, to browsers, and between nodes breaks in confusing ways. If DNS is wrong, AD joins and integrations fail in ways that waste hours.
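A pre-flight script for the build sheet above, added here as an example and not part of the original post: it checks that the node FQDN resolves forward and that the PTR for that address points back to the same name, then measures the clock offset against the lab NTP server with a hand-built SNTP query. Only the hostname ise01.lab.local comes from the page; the node IP (the same one the switch config further down points at), the NTP server 192.168.10.1 and the 5-second skew tolerance are assumptions. The resolver and UDP query are injectable so the logic can be exercised without a lab network.

```python
"""Pre-flight checks for an ISE build sheet: DNS round-trip for the node FQDN and
clock offset against the lab NTP server (SNTP, RFC 4330). Standard library only."""
import socket
import struct
import time

# Constructed lab values: the hostname is from the build sheet; IP and NTP server are assumed.
ISE_FQDN = "ise01.lab.local"
ISE_IP = "192.168.10.10"
NTP_SERVER = "192.168.10.1"
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def dns_roundtrip(fqdn, expected_ip, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward lookup must give expected_ip and the PTR for that IP must name fqdn.
    Returns (ok, detail). The resolver callables are injectable for offline testing."""
    try:
        ip = resolve(fqdn)
    except OSError as exc:
        return False, f"forward lookup of {fqdn} failed: {exc}"
    if ip != expected_ip:
        return False, f"forward lookup of {fqdn} gave {ip}, expected {expected_ip}"
    try:
        name, aliases, _ = reverse(ip)
    except OSError as exc:
        return False, f"reverse lookup of {ip} failed: {exc}"
    names = {n.rstrip(".").lower() for n in (name, *aliases)}
    if fqdn.lower() not in names:
        return False, f"PTR for {ip} names {sorted(names)}, not {fqdn}"
    return True, f"{fqdn} <-> {ip} round-trips"


def build_sntp_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 packed into the first byte (0x23)."""
    pkt = bytearray(48)
    pkt[0] = 0x23
    return bytes(pkt)


def transmit_timestamp(reply):
    """Server Transmit Timestamp (bytes 40..47) converted to Unix seconds as a float."""
    if len(reply) < 48:
        raise ValueError("short NTP reply (%d bytes)" % len(reply))
    if (reply[0] & 0x07) != 4:  # mode 4 = server
        raise ValueError("not a server reply (mode %d)" % (reply[0] & 0x07))
    secs, frac = struct.unpack("!II", reply[40:48])
    if secs == 0:
        raise ValueError("server returned a zero timestamp (unsynchronised)")
    return secs - NTP_UNIX_DELTA + frac / 2**32


def ntp_offset(server=NTP_SERVER, timeout=3.0, now=time.time, query=None):
    """(server clock - local clock) in seconds; positive means the local clock is behind."""
    if query is None:
        def query(request):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(request, (server, 123))
                return s.recv(512)
    return transmit_timestamp(query(build_sntp_request())) - now()


def clock_ok(offset, tolerance=5.0):
    """Certificate validity and AD joins tolerate a few seconds of skew, not more."""
    return abs(offset) <= tolerance


if __name__ == "__main__":
    print(dns_roundtrip(ISE_FQDN, ISE_IP))
    try:
        off = ntp_offset()
        print(f"NTP offset {off:+.3f}s, clock_ok={clock_ok(off)}")
    except (OSError, ValueError) as exc:
        print(f"NTP check failed: {exc}")
```

Run it from the EVE-NG host or a jump box on the management network before you open the ISE GUI; if either check fails, fix DNS or time first, because every symptom above that layer will be misleading until it is clean.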

Connect a switch and prove 802.1X works

Do not start with guest portals, posture, or a multi-node design. Start with one access switch, one endpoint, one policy set, and one successful authentication.

A basic Catalyst-side config pattern looks like this (comments are IOS `!` lines):

conf t
aaa new-model
!
! The ISE PSN and the shared secret. The key must match the network device entry in ISE byte for byte.
radius server ISE1
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key MySharedSecret
! Source RADIUS from the management SVI so ISE sees the IP you registered for this switch.
ip radius source-interface Vlan10
! Send Cisco VSAs; needed once you move on to dACLs.
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
! Global enable; without this no port runs 802.1X.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 ! Try 802.1X first, fall back to MAB for endpoints without a supplicant.
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

On newer IOS XE the legacy `authentication` commands may be converted to IBNS 2.0 policy maps when you save; the flow is the same, only the syntax changes.

Then validate from the switch:

show authentication sessions interface Gi1/0/1 details
show dot1x interface Gi1/0/1 details
show aaa servers
! Exercise the RADIUS path without an endpoint; substitute a user that exists in ISE.
test aaa group radius <user> <password> new-code
debug radius authentication
! Turn debugging off again when you are done reading.
undebug all

`show aaa servers` is the quickest tell: a rising timeout counter with zero responses means the switch cannot reach ISE or ISE is dropping the request, while responses with rejects mean the transport is fine and the problem is policy or credentials.

And validate from ISE:

  • Add the switch as a network device
  • Match the shared secret exactly
  • Build a minimal policy set
  • Watch Operations > RADIUS > Live Logs

That is your first real success condition. If Live Logs show clean RADIUS transactions and the switch session state makes sense, the lab is usable.
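Before wiring the switch in, it helps to see what the shared secret actually protects. The following is an added example, not code from the post or from Cisco: a stdlib-only RADIUS Access-Request client that encodes a PAP password the RFC 2865 way, adds an RFC 2869 Message-Authenticator, and checks the Response Authenticator on whatever ISE sends back. The server IP and secret are the values from the switch config above; the NAS IP 192.168.10.2 and the labuser/labpass credentials are constructed. The sending host must be added in ISE as a network device with the same secret, exactly like the switch, or ISE drops the request. It exercises RADIUS plumbing only: the switch's real 802.1X exchange carries EAP inside EAP-Message attributes, which this does not do.

```python
"""Minimal RADIUS Access-Request client (RFC 2865 PAP + RFC 2869 Message-Authenticator)
for proving the shared secret and the RADIUS path to ISE. Lab use only: RADIUS relies on MD5."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 4, 61, 80
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def encode_avp(attr_type, value):
    """Type (1 byte) + Length (1 byte, includes the header) + Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(packet):
    """Return [(type, value), ...] from the attribute section after the 20-byte header."""
    avps, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 3 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((t, packet[pos + 2:pos + length]))
        pos += length
    return avps


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_password(blob, secret, request_auth):
    """Inverse of encrypt_password; a wrong secret yields garbage rather than an error."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, identifier=None, request_auth=None):
    """Return (packet, request_authenticator); identifier and authenticator are random unless injected."""
    identifier = os.urandom(1)[0] if identifier is None else identifier
    request_auth = os.urandom(16) if request_auth is None else request_auth
    attrs = (encode_avp(USER_NAME, username.encode())
             + encode_avp(USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))
             + encode_avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_avp(NAS_PORT_TYPE, struct.pack("!I", 15)))  # 15 = Ethernet
    # Message-Authenticator: HMAC-MD5 over the whole packet with its own value zeroed.
    zeroed = attrs + encode_avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + encode_avp(MESSAGE_AUTHENTICATOR, mac), request_auth


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC-MD5 of an Access-Request with the attribute zeroed; False if absent or wrong."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[pos + 2:pos + 18])
        pos += length
    return False


def verify_response(reply, secret, request_auth):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret). A mismatch on a
    reply from the right server almost always means the two sides hold different secrets."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False, "malformed reply"
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "response authenticator mismatch: shared secret differs"
    return True, CODE_NAMES.get(reply[0], "code %d" % reply[0])


def fake_server_reply(request, secret, code=ACCESS_ACCEPT, attrs=b""):
    """What a server holding `secret` would answer to `request`; used for offline checks only."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def send_and_check(server, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP/1812 and return verify_response() on the reply."""
    packet, request_auth = build_access_request(username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 1812))
        reply = s.recv(4096)
    return verify_response(reply, secret, request_auth)


if __name__ == "__main__":
    # Server IP and secret from the switch config; NAS IP and user are constructed lab values.
    print(send_and_check("192.168.10.10", b"MySharedSecret", "labuser", "labpass", "192.168.10.2"))
```

A timeout here means the request never matched a network device in ISE (wrong source IP, or the host was never added), whereas "response authenticator mismatch" means ISE answered but with a different secret; both show up differently in Operations > RADIUS > Live Logs, which is exactly the distinction you want to be able to read before adding the switch.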

What breaks most Cisco ISE labs on EVE-NG?

Most failures are not deep security bugs. They are basic hygiene issues.

| Symptom | Most likely cause | Fastest fix |
|---|---|---|
| GUI is painfully slow, services flap | Under-sized CPU or RAM, or slow storage | Reduce topology size, move to SSD/NVMe, increase vCPU |
| Certificates look invalid | Wrong clock or broken NTP | Fix host time, then node NTP |
| Switch cannot authenticate | Wrong shared secret or wrong source interface | Recheck RADIUS config and Live Logs |
| AD join fails | Broken DNS or time skew | Validate forward and reverse resolution, confirm NTP |
| Lab corrupts after rollback | Snapshot misuse | Rebuild from a clean gold image |

My rule of thumb is simple: if DNS and NTP are not clean, do not trust any higher-layer symptom yet.

What should CCIE Security candidates actually practice?

The highest-value ISE lab is not the biggest one. It is the one that teaches authentication flow, policy logic, and troubleshooting discipline.

Prioritize these first:

  • Single-node install and recovery workflow
  • Network device registration and RADIUS reachability
  • 802.1X plus MAB testing
  • Authorization profiles, VLAN assignment, and dACL basics
  • TrustSec and SGT flow after basic auth is stable
  • Failure analysis from switch CLI and ISE Live Logs

Delay these until the core is reliable:

  • Distributed personas on weak hardware
  • Fancy guest portals before base access works
  • Large AD integrations when local users already prove the flow
  • Big endpoint simulations that hide simple mistakes

Final takeaway

If you build one stable Cisco ISE node on EVE-NG with correct DNS, NTP, storage, and one working 802.1X plus MAB path, you will cover a surprising amount of exam-relevant ground.

That lab teaches the part that matters under pressure: how supplicant, switch, RADIUS, policy, authorization, and logs fit together when something breaks.


AI disclosure: This article was adapted from original FirstPassLab source material with AI assistance and human editorial review.
