    How does Cisco ISE network access control work?

    Date: 16.07.2024

    Category: Cisco ISE, Security


    Cisco Identity Services Engine (ISE) is a robust network access control (NAC) system that provides secure access to network resources.

    It integrates with the organization's existing network infrastructure (switches, wireless controllers, VPN gateways) to authenticate users and devices, enforce access policies dynamically and verify that endpoints meet the security policy. In short, ISE manages identities so that only authorized users and devices get onto the network, and decides what each of them may reach once connected.

    In this article, we answer questions that often arise when talking about NAC systems and specifically the ISE solution itself.

    Is Cisco ISE a RADIUS server?

    Cisco ISE includes a RADIUS server, but goes well beyond one. ISE can also act as a TACACS+ server for network device administration. Compared with a plain RADIUS server that implements AAA (Authentication, Authorization, Accounting), ISE can:

    • Build granular access policies from user and device groups, device type, device health (posture), location and many other attributes.
    • Check the health of a device against the security policy before it is admitted to the network.
    • Provide secure, manageable guest access to the network.
    • Onboard personal devices (BYOD, Bring Your Own Device) securely and keep them within corporate policy.
    • Identify and classify (profile) the devices on the network so that the right policy is applied to each.
    • Exchange context with other Cisco security products and third-party solutions to form one coordinated security system.
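    To make the policy side concrete, here is an added example of how a first-match authorization policy of the kind described above is evaluated. It is illustrative code written for this article, not Cisco ISE code and not ISE's own policy language; the rule names, VLAN numbers, dACL names and the session attributes it uses are constructed for the example. The point it shows is ordering: restrictive rules (quarantine, posture redirect) must sit above the rules that grant access, and anything that matches nothing falls through to deny.

```python
"""Added example: first-match authorization policy evaluation, the way an
ISE-style policy set works. Not Cisco ISE code; rule names, VLAN numbers,
dACL names and the session attributes are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """The context the policy engine has for one RADIUS session (constructed subset)."""
    identity_group: str    # from the identity store; "" when the user is unknown
    endpoint_profile: str  # from profiling, e.g. "Cisco-IP-Phone"; "Unknown" if not profiled
    posture: str           # posture status: "Compliant", "NonCompliant" or "Unknown"
    location: str          # network device group of the switch/WLC, e.g. "HQ"
    auth_method: str       # "dot1x" (802.1X) or "mab" (MAC Authentication Bypass)


@dataclass(frozen=True)
class Result:
    """An authorization profile: what is returned to the switch in Access-Accept."""
    profile: str
    vlan: Optional[int] = None
    dacl: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Dict[str, str]  # attribute -> required value; all must hold (logical AND)
    result: Result

    def matches(self, session: Session) -> bool:
        return all(getattr(session, attr) == value
                   for attr, value in self.conditions.items())


DENY = Result(profile="DenyAccess")

# Ordered top-down like an ISE authorization policy: the first rule whose
# conditions all match wins, so the restrictive rules (quarantine, posture
# redirect) must come before the rules that grant full access.
POLICY: List[Rule] = [
    Rule("Quarantine-NonCompliant", {"posture": "NonCompliant"},
         Result("Quarantine", vlan=999, dacl="PERMIT_REMEDIATION_ONLY")),
    Rule("Posture-Redirect", {"posture": "Unknown", "auth_method": "dot1x"},
         Result("Posture-Pending", dacl="PERMIT_POSTURE_PORTAL_ONLY")),
    Rule("Employees-Compliant", {"identity_group": "Employees", "posture": "Compliant"},
         Result("Employee-Full", vlan=10, dacl="PERMIT_ALL")),
    Rule("Contractors-HQ", {"identity_group": "Contractors", "posture": "Compliant",
                            "location": "HQ"},
         Result("Contractor-Limited", vlan=20, dacl="PERMIT_JUMPHOST_ONLY")),
    Rule("IP-Phones-MAB", {"endpoint_profile": "Cisco-IP-Phone", "auth_method": "mab"},
         Result("Voice", vlan=100, dacl="PERMIT_VOICE")),
]


def authorize(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, Result]:
    """Return (matched rule name, authorization result); the default is deny."""
    for rule in policy:
        if rule.matches(session):
            return rule.name, rule.result
    return "Default", DENY


if __name__ == "__main__":
    # Constructed sessions: a compliant employee, the same laptop failing posture,
    # a contractor at a branch (no rule), an IP phone via MAB, an unknown MAB device.
    samples = {
        "employee": Session("Employees", "Windows-Workstation", "Compliant", "HQ", "dot1x"),
        "employee-noncompliant": Session("Employees", "Windows-Workstation", "NonCompliant", "HQ", "dot1x"),
        "contractor-branch": Session("Contractors", "Unknown", "Compliant", "Branch", "dot1x"),
        "phone": Session("", "Cisco-IP-Phone", "Unknown", "Branch", "mab"),
        "unknown-mab": Session("", "Unknown", "Unknown", "HQ", "mab"),
    }
    for label, s in samples.items():
        print(f"{label:22} -> {authorize(s)}")
```

Note that the contractor connecting from a branch is denied even though the account is valid and the device is compliant: there is simply no rule for that combination, and deny-by-default is what makes a forgotten case fail safe rather than open.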

    What are the use scenarios for Cisco ISE network access control?

    Cisco ISE strengthens network security, supports compliance and simplifies the management of network access, which makes it useful across many kinds of organizations. The table below summarizes typical requirements by sector.

    Cisco ISE network access control use cases (sector: requirements)

    • Large enterprises: robust network access control for a large number of users, devices and locations; comprehensive security and compliance management.
    • Educational institutions: secure access for a diverse user base (students, faculty and staff); easy management of guest access and personal devices.
    • Healthcare: protection of sensitive patient data and compliance with strict regulations such as HIPAA; detailed visibility and control over network access to keep data secure.
    • Financial institutions: strong protection of sensitive financial data against cyber threats; compliance with financial regulations and audit requirements.
    • Government agencies: high security and compliance with government regulations; secure access for a large and diverse workforce.
    • Retail businesses: secure and manageable guest Wi-Fi access; protection of customer data and compliance with industry standards such as PCI DSS.

    Is Cisco ISE an appliance or software?

    A frequent question from organizations considering Cisco ISE is whether it comes as an appliance or as software. The answer is both: ISE is sold as a physical appliance (Cisco Secure Network Server, SNS, hardware with ISE preinstalled) and as a virtual appliance, so the deployment can follow the organization's needs and preferences.

    Physical appliance

    A physical appliance is dedicated Cisco hardware shipped with the ISE software installed. Sized and tested by Cisco, it can be put into service quickly and gives predictable performance, which matters for large enterprises with many endpoints and high authentication rates.

    Virtual appliance

    Cisco ISE can also be deployed as a virtual appliance on hypervisors such as VMware ESXi, Microsoft Hyper-V and KVM, which lets an organization reuse its existing virtualization infrastructure. The virtual machine still has to be given the CPU, memory and disk resources Cisco specifies for the chosen node size; an under-provisioned ISE VM shows up as slow authentications and failed health checks.

    How to update Cisco ISE?

    Upgrading a Cisco ISE deployment involves several steps so that the move to a new version does not disrupt network access. The upgrade can be performed from the CLI or from the GUI. Before starting, take a configuration backup and confirm that the target version is a supported upgrade from the version you are running.

    A sample procedure from the CLI:

    1. Create a repository on the node's local disk, for example one named "upgrade", and copy the upgrade bundle into it. Repositories configured with the CLI cannot be used from the ISE web interface and are not replicated to other ISE nodes.
    2. In the Cisco ISE CLI, enter the application upgrade prepare command. This command copies the upgrade bundle to the local "upgrade" repository and displays its MD5 and SHA256 checksums; compare them with the values published with the download before going on.
    3. In the Cisco ISE CLI, enter the application upgrade proceed command to run the upgrade.
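    The checksums printed in step 2 are only useful if somebody compares them. The following added example is a small script written for this article, not a Cisco tool, that computes the same MD5 and SHA256 digests for a downloaded bundle and refuses to go on if either differs from the published value; the "bundle" it hashes is a constructed file so that the example runs offline, and the file name is a placeholder.

```python
"""Added example (not Cisco tooling): check an ISE upgrade bundle's MD5 and
SHA256 digests against the values published with the download before the
bundle is copied to the repository, and refuse to proceed on any mismatch.
The bundle contents below are constructed so the example runs offline."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB pieces; real upgrade bundles are several GB


def bundle_digests(path: str) -> Dict[str, str]:
    """Return the MD5 and SHA256 hex digests of the file, as ISE prints them."""
    md5 = hashlib.md5(usedforsecurity=False)  # MD5 only as a corroborating checksum
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_bundle(path: str, expected: Dict[str, str]) -> bool:
    """True only if every digest given in `expected` matches the file.

    SHA256 is the digest that matters; MD5 is not collision resistant and is
    accepted here only as an extra cross-check, never on its own."""
    if "sha256" not in expected:
        raise ValueError("a published SHA256 value is required")
    actual = bundle_digests(path)
    return all(hmac.compare_digest(actual[name], value.lower())
               for name, value in expected.items())


def demo() -> bool:
    """Write a constructed 'bundle', verify it, then show a one-byte change fails."""
    with tempfile.TemporaryDirectory() as tmp:
        # placeholder name, not a real Cisco bundle file name
        path = os.path.join(tmp, "ise-upgradebundle-example.tar.gz")
        with open(path, "wb") as fh:
            fh.write(b"constructed bundle contents\n" * 4096)
        published = bundle_digests(path)  # stand-in for the values on the download page
        ok_before = verify_bundle(path, published)
        with open(path, "r+b") as fh:     # simulate a corrupted or tampered download
            fh.seek(10)
            fh.write(b"X")
        ok_after = verify_bundle(path, published)
    return ok_before and not ok_after


if __name__ == "__main__":
    print("verification behaves as expected:", demo())
```

Run it against the real download by calling verify_bundle with the path of the bundle and the digests copied from Cisco's download page; only when it returns True does it make sense to copy the bundle to the repository and run application upgrade prepare.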

    What is profiling?

    Profiling in Cisco Identity Services Engine (ISE) refers to the process of identifying and classifying devices connected to a network. It involves collecting and analyzing data about devices to determine their type, operating system, capabilities, and other attributes. This information is then used to apply appropriate network access policies, improving security and management.

    Cisco ISE uses various techniques and data sources to profile devices. The process typically involves data collection, data analysis, device classification, and policy enforcement. Data for profiling may be collected from various sources, such as:

    • NetFlow
    • DHCP
    • RADIUS
    • DNS
    • SNMP
    • Nmap
    • pxGrid
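    What the profiler does with the collected attributes is weigh them: each profiling policy is a set of conditions, each condition that matches adds a certainty value, and the endpoint is assigned the profile with the highest total that reaches that profile's minimum certainty. The following added example implements that scheme for a few constructed profiles. It is illustrative code written for this article, not Cisco ISE code; the profiles, weights, OUI table and sample endpoints are made up for the example (a real system would take OUIs from the IEEE registry and the DHCP and HTTP values from the probes listed above).

```python
"""Added example: endpoint profiling by weighted conditions (the certainty
factor scheme ISE profiling policies use). Not Cisco ISE code; the profiles,
weights, OUI table and sample endpoints are constructed for illustration."""
import re
from typing import Callable, Dict, List, Tuple

Endpoint = Dict[str, str]  # attributes gathered by the probes (DHCP, RADIUS, HTTP, ...)

# Constructed OUI table; a real deployment uses the IEEE registry (in ISE, the profiler feed).
OUI_VENDOR = {"00:11:22": "Cisco", "AA:BB:CC": "Apple", "DD:EE:FF": "Intel"}


def vendor(ep: Endpoint) -> str:
    """Vendor from the first three octets of the MAC learned via RADIUS or DHCP."""
    return OUI_VENDOR.get(ep.get("mac", "").upper()[:8], "")


# (description, predicate, certainty): the weight a matching condition adds
Condition = Tuple[str, Callable[[Endpoint], bool], int]

PROFILES: Dict[str, Tuple[int, List[Condition]]] = {
    # profile name: (minimum certainty, conditions)
    "Cisco-IP-Phone": (20, [
        ("DHCP class identifier names a Cisco IP phone",
         lambda e: "Cisco Systems, Inc. IP Phone" in e.get("dhcp_class_identifier", ""), 20),
        ("OUI belongs to Cisco", lambda e: vendor(e) == "Cisco", 10),
    ]),
    "Windows-Workstation": (20, [
        ("DHCP class identifier is MSFT",
         lambda e: e.get("dhcp_class_identifier", "").startswith("MSFT"), 10),
        ("HTTP user agent says Windows NT",
         lambda e: "Windows NT" in e.get("http_user_agent", ""), 10),
    ]),
    "Apple-Device": (10, [
        ("OUI belongs to Apple", lambda e: vendor(e) == "Apple", 10),
        ("HTTP user agent says macOS or iOS",
         lambda e: re.search(r"Mac OS X|iPhone OS", e.get("http_user_agent", "")) is not None, 10),
    ]),
}


def score(profile: str, ep: Endpoint) -> Tuple[int, List[str]]:
    """Sum the certainty of every condition of `profile` that the endpoint satisfies."""
    total, matched = 0, []
    for description, predicate, certainty in PROFILES[profile][1]:
        if predicate(ep):
            total += certainty
            matched.append(description)
    return total, matched


def classify(ep: Endpoint) -> Tuple[str, int]:
    """Pick the profile with the highest certainty that reaches its own minimum.

    A clear winner is required: if two profiles tie, the endpoint stays Unknown
    rather than receiving a policy meant for a different device class."""
    candidates = []
    for name, (minimum, _conditions) in PROFILES.items():
        total, _matched = score(name, ep)
        if total >= minimum:
            candidates.append((total, name))
    if not candidates:
        return "Unknown", 0
    candidates.sort(reverse=True)
    if len(candidates) > 1 and candidates[0][0] == candidates[1][0]:
        return "Unknown", candidates[0][0]
    return candidates[0][1], candidates[0][0]


# Constructed endpoints, filled in the way the probes would have seen them.
SAMPLE_ENDPOINTS: Dict[str, Endpoint] = {
    "phone": {"mac": "00:11:22:33:44:55",
              "dhcp_class_identifier": "Cisco Systems, Inc. IP Phone CP-8841"},
    "laptop": {"mac": "DD:EE:FF:00:00:01", "dhcp_class_identifier": "MSFT 5.0",
               "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "iphone": {"mac": "AA:BB:CC:00:00:02"},   # only the OUI has been seen so far
    "unknown": {"mac": "DD:EE:FF:00:00:03"},  # Intel NIC, nothing else collected yet
}

if __name__ == "__main__":
    for label, ep in SAMPLE_ENDPOINTS.items():
        print(f"{label:8} -> {classify(ep)}")
```

Two things this makes visible that the probe list alone does not: a single weak signal (an Apple OUI) is enough for a low-stakes profile but not for one that unlocks a voice VLAN, and an endpoint about which too little has been collected stays Unknown, which is the state an authorization policy should treat as untrusted.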

    What is pxGrid?

    pxGrid (Platform Exchange Grid) is a framework that facilitates the exchange of contextual information between various network and security devices. It enables the integration of Cisco ISE with other network systems and security solutions (e.g. monitoring systems, firewalls, SIEM, identity management), allowing them to collaborate and exchange data in real-time. This improved interoperability helps create a more dynamic and responsive security posture across an organization’s network.

    How to purchase a Cisco ISE network access control license?

    Purchasing a Cisco Identity Services Engine (ISE) license involves several steps, including understanding the different license types, selecting the appropriate license for your needs, and working with a Cisco partner or reseller to complete the purchase.

    Licenses are a key part of an ISE implementation because they determine the number of active endpoints that can be authenticated, authorized, monitored or secured by the ISE.

    Cisco ISE has three license levels: Essentials, Advantage and Premier.

    Figure: Cisco ISE licensing model

    Source: Cisco

    ISE Essentials License

    ISE Essentials is the base tier and covers basic identity and network access features: 802.1X and MAB (MAC Authentication Bypass) authentication with AAA for wired and wireless access, and guest access management. It suits organizations that need basic control over who and what connects to the network. Posture assessment and profiling are not part of this tier; they belong to the higher tiers described below.

    ISE Advantage License

    ISE Advantage is a mid-tier licensing option that builds on the features offered in the Essentials tier. In addition to the functionality available in Essentials, Advantage includes more advanced features such as profiling, BYOD, Cisco pxGrid integration, and TrustSec security group tagging (SGT) enforcement. This tier is suitable for organizations requiring more extensive policy enforcement and advanced network access control capabilities.

    ISE Premier License

    Cisco ISE Premier is the highest license tier. It includes everything in Essentials and Advantage and adds endpoint compliance: posture assessment, integration with mobile device management (MDM) platforms, and Threat-Centric NAC (TC-NAC), which feeds vulnerability and threat data from external scanners and threat tools into the access decision. This tier suits organizations with complex network environments and advanced security needs.

    How do I determine which Cisco ISE license is right for my organization?

    After installation, Cisco ISE provides a 90-day evaluation license that supports 100 endpoints and provides all Cisco ISE features. You can configure a limited deployment in evaluation mode and explore all the capabilities and features of Cisco ISE. A valid Cisco.com login is required to download the software.

    When evaluation licenses expire after 90 days, administrators will only be able to view the Licensing window in the Cisco ISE Admin Portal. No alerts are sent to administrators notifying them about the expiration of an evaluation license.

    Cisco sells its products only through a network of certified distributors and partners, so it is worth contacting a reseller. A competent reseller will advise you which licenses will be most beneficial to use.


    Author

    Krzysztof Osmałek

    Grandmetric Advanced Services Leader. Expert in the design, build, and configuration of enterprise-scale wireless networks, critical for business continuity and operations.
