Senior Network Security Engineer

RUSHIT LLC

Cisco Identity Services Engine (ISE)

Suitland, MD  |  100% On-Site, 5 Days/Week  |  Public Trust Required  |  Federal Contract

Read this before you apply.

This is a senior role. The bar is what it says it is, and we hold it.

If you have not personally configured Cisco ISE on SNS-3715 hardware in production, run a ForeScout to ISE migration, and operated a 2-node clustered HA deployment, do not apply. We will identify the gap inside the first ten minutes of the screen call and we will pass. That is not a threat. It is a courtesy to your time and ours.

Recruiters: do not submit candidates who cannot speak to those three things from memory. We do not place inflated resumes.

About the Role

The customer is decommissioning ForeScout CounterACT and standing up Cisco ISE in its place. You are the engineer running that migration.

Day to day you are hands-on with Cisco ISE on Cisco SNS-3715 hardware, two nodes, clustered, in a high-availability configuration. You own the policy design, the AAA services, the integrations into Active Directory, LDAP, and the Cisco 9800 wireless controllers, the posture and certificate work, and the 802.1X across wired and wireless. The customer is moving to a Zero Trust posture. This deployment is the spine of that work.

You will be the senior person on this engagement. Tier III. When something is broken at the platform level, the customer comes to you.

Key Responsibilities

  • Design, deploy, configure, monitor, and troubleshoot Cisco ISE running on Cisco SNS-3715 appliances in a 2-node clustered, high-availability setup.
  • Lead the migration from ForeScout CounterACT to Cisco ISE. Review legacy ForeScout policies, device groups, and access workflows, then map them into Cisco ISE policy sets.
  • Configure and manage AAA services: RADIUS, TACACS+, and 802.1X authentication for wired and wireless networks.
  • Support Cisco ISE integration with Cisco 9800 Wireless LAN Controllers, including guest/registration page redirection and wireless onboarding.
  • Integrate Cisco ISE with Active Directory and LDAP for identity lookups, group-based authorization, and directory-based authentication.
  • Develop and maintain posture assessment and endpoint compliance policies.
  • Implement role-based access control (RBAC) and dynamic VLAN assignment.
  • Support Cisco TrustSec segmentation strategies aligned with Zero Trust principles.
  • Configure certificate-based authentication (EAP-TLS) and PKI integrations.
  • Perform routine health checks, upgrades, patching, and lifecycle management.
  • Provide Tier III engineering support. Troubleshoot complex authentication and access issues using ISE logs, syslog, and root-cause analysis tooling.
  • Produce technical documentation: SOPs, engineering designs, and implementation procedures.
  • Mentor junior engineers and contribute to knowledge sharing across the team.

Required Qualifications

  • US Citizenship with active Public Trust, or eligibility to obtain Public Trust prior to start.
  • Ability to work 100% on-site in Suitland, MD, 5 days per week. Remote and hybrid are not available.
  • Bachelor's degree in Information Technology, Cybersecurity, or a related field.
  • 8+ years of experience in network security engineering within a large government organization.
  • 5+ years in technical leadership roles, with demonstrated ownership of engineering deliverables and mentorship of junior staff.
  • 4+ years hands-on Cisco ISE experience implementing and troubleshooting:
    • Authentication and authorization policies (RADIUS, TACACS+)
    • 802.1X / EAP methods (wired and wireless)
    • Device profiling, posture checks, and endpoint compliance
    • Certificate-based authentication (EAP-TLS) and PKI integration
    • AAA integrations for switches, appliances, firewalls, and wireless controllers
  • Hands-on experience with Cisco ISE deployed on SNS-3715 appliances, preferably in a 2-node clustered HA configuration.
  • Hands-on experience integrating Cisco ISE with Cisco 9800 Wireless LAN Controllers (guest/registration redirection, wireless onboarding).
  • Hands-on experience integrating Cisco ISE with Active Directory and LDAP.
  • Working knowledge of ForeScout CounterACT (legacy NAC/NAM policies, device classification, access workflows) sufficient to support migration to Cisco ISE.
  • 4+ years supporting identity-centric or Zero Trust architectures, with strong knowledge of segmentation, certificate management, and endpoint posture controls.
  • Solid understanding of telecommunications, network security, and Zero Trust best practices.
  • Ability to explain Cisco ISE, NAC/NAM, and AAA concepts to both technical and non-technical audiences.

Preferred Qualifications

  • Cisco CCNP Security, CCIE Security, or Cisco ISE Specialist certification.
  • Active Secret or Top Secret clearance.
  • Experience with Cisco TrustSec, Cisco DNA Center, and Cisco AnyConnect.
  • Experience with Azure AD / Entra ID, MDM platforms, and SIEM solutions.
  • Familiarity with NIST 800-53, FISMA, and Zero Trust Architecture (ZTA) frameworks.
  • Experience supporting large, multi-site federal enterprise deployments.

RushIT LLC  |  8(a) Certified Small Business  |  CISSP  |  PMP
www.rushitllc.com