    Cisco ISE – What is Identity Service Engine?  

    Date: 18.07.2022



    Cisco ISE is a solution for controlling secure network access policy and, through it, access to the organization’s critical resources. It’s a single point that provides information on events related to devices and users connecting to the network. 

    ISE is much more than a concept of complementary security and an “intuitive” network, but we’ll get to that. Meanwhile, I encourage you to read a few words about the ISE architecture on our “Design Corner,” while we’ll talk more about the basic tasks provided by ISE below.  

    Identity Service Engine functionalities  

    As a RADIUS server, Cisco ISE provides the functionalities supported by classic RADIUS servers (such as the well-known Cisco ACS – Access Control System). So, by deploying Cisco ISE, you can run:  

    • 802.1x mechanism in a Wi-Fi network  
    • 802.1x mechanism in a wired network  
    • Authentication and setting attributes to users connected via a VPN  
    • MAC Authentication Bypass (MAB), meaning device authentication using MAC addresses  

    [Figure: Cisco ISE Guest Authorization]

    ISE mechanisms  

    Identity Services Engine uses so-called augmented RADIUS CoA (Change of Authorization) communications, which make dynamic interaction possible between an ISE node (Policy Service Node) and network devices such as switches, routers, Wi-Fi network controllers, and firewalls.  

    How does CoA work?  

    Identity Service Engine uses logical conditions created by the administrator, who applies a particular cause-and-effect logic: IF condition THEN result. With combinations of conditions, ISE can respond to situations arising in the network and communicate with the network devices on its own, for example by sending them a CoA packet with information about setting a port on a switch to the shutdown state, or by redirecting a specific user with URL Redirect if that user is not known in the system.  

    Let’s look at an example of using such a cause-and-effect loop. Take a device with a given MAC address that attempts to connect to our network. First, the MAC address is checked against the database to see whether it’s already registered. If it is, the connection is complete. If there’s no such address, ISE moves down the rule ladder and redirects the user to the guest registration portal. 

    Below, you can see how it looks configuration-wise. 

    [Figure: Chosen features of Cisco ISE]
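
    The rule ladder described above, modeled as a first-match evaluator. This is an added example, not Cisco ISE configuration syntax or code from the original article; the rule names, the registered MAC address, and the portal URL are constructed for illustration.

```python
import re
from typing import Callable, NamedTuple, Optional

# Constructed sample data (assumptions, not values from the article).
REGISTERED = {"00:11:22:33:44:55"}                      # endpoint database
GUEST_PORTAL = "https://ise.example.test/guestportal"   # hypothetical URL

def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalize the MAC notations network devices send; None if malformed."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class Rule(NamedTuple):
    name: str
    condition: Callable[[dict], bool]   # IF
    action: str                         # THEN: "permit", "redirect" or "deny"
    redirect_url: Optional[str] = None

# Order matters: rules are evaluated top-down and the first match wins.
RULES = [
    Rule("Registered-MAB",
         lambda s: s["method"] == "MAB" and s["mac"] in REGISTERED,
         "permit"),
    Rule("Unknown-MAB-Guest",
         lambda s: s["method"] == "MAB",
         "redirect", GUEST_PORTAL),
]

def authorize(method: str, calling_station_id: str):
    """Return (rule name, action, redirect URL) for one access attempt."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        # An identity that cannot be parsed never reaches the permit rule.
        return ("Malformed-Identity", "deny", None)
    session = {"method": method, "mac": mac}
    for rule in RULES:
        if rule.condition(session):
            return (rule.name, rule.action, rule.redirect_url)
    return ("Default", "deny", None)    # nothing matched: fail closed

if __name__ == "__main__":
    for csid in ("00-11-22-33-44-55", "0011.2233.4455",
                 "de:ad:be:ef:00:01", "not-a-mac"):
        print(f"{csid:20} -> {authorize('MAB', csid)}")
```

    Normalizing the address before the lookup keeps a registered device from falling through to the guest rule only because a switch reports its MAC in a different notation.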

    How can Profiling help?  

    Profiling is ISE’s ability to recognize what is connecting: the kind of device (such as a phone or laptop), its manufacturer, OS, and browser. This lets ISE tailor its response, e.g., when transferring to a user a packet with a customized 802.1x supplicant, i.e., the piece of software responsible for connecting clients to an 802.1x-secured network.  

    With Profiling, Cisco ISE sends the right packet to the right device, e.g., a different one to a MacBook with OSX and a different one to a Lenovo device with Windows 10.  

    Posture Assessment, or be compliant  

    Posture Assessment is a mechanism known from solutions like Network Admission / Access Control (NAC) and is used to verify the end system connecting to the network for compliance with conditions enforced by the security policy. These conditions are, for instance, the presence of anti-virus software, OS fixes, or other key applications for a particular organization. During verification, Posture can redirect the checked system to complete any missing elements.  

    Cisco Identity Service Engine as a key security element 

    As you can see, Cisco ISE is a comprehensive solution for planning and controlling security policies, both in wired and wireless networks. Worth noting is the fact that ISE is shaping up to be a key security element, collecting information on who, where, and with which device, tries to connect to our network. In this context and with the use of Software-Defined network segmentation, ISE is the right system for the implementation of Zero-Trust Security.  

    You can learn more about planning and configuration of ISE from our Securing Network Access with Cisco ISE training.

    Author

    Krzysztof Osmałek

    Grandmetric Advanced Services Leader. Expert in the design, build, and configuration of enterprise-scale wireless networks, critical for business continuity and operations.
