Cisco Identity Services Engine (ISE) is a robust network access control (NAC) system that provides secure access to network resources.
It integrates with an organization’s existing network infrastructure to enforce security policies, authenticate users and devices, and ensure compliance with security protocols. Cisco ISE operates by managing identities, ensuring that only authorized users and devices can access the network, and enforcing security policies dynamically.
In this article, we answer questions that often arise when talking about NAC systems and specifically the ISE solution itself.
Cisco ISE includes a RADIUS server but significantly extends its functionality. Compared with a plain RADIUS server that implements AAA (Authentication, Authorization, Accounting), ISE can:
Cisco ISE is a comprehensive solution that enhances network security, ensures compliance, and simplifies the management of network access, making it a valuable tool for a wide range of organizations. Let’s dive into some of them.
| Sector | Requirements |
|---|---|
| Large enterprises | Require robust network access control to manage a large number of users, devices, and locations. Need comprehensive security and compliance management. |
| Educational institutions | Must provide secure access for a diverse user base, including students, faculty, and staff. Require easy management of guest access and personal devices. |
| Healthcare | Need to protect sensitive patient data and comply with stringent regulatory requirements such as HIPAA. Require detailed visibility and control over network access to ensure data security. |
| Financial institutions | Handle sensitive financial data and require strong security measures to protect against cyber threats. Must comply with financial regulations and audit requirements. |
| Government agencies | Require high security and compliance with government regulations. Need to manage secure access for a large and diverse workforce. |
| Retail businesses | Require secure and manageable guest Wi-Fi access. Need to protect customer data and maintain compliance with industry standards such as PCI-DSS. |
Cisco Identity Services Engine (ISE) is a versatile and comprehensive network access control (NAC) system designed to enhance the security and management of network resources. One of the key questions for organizations considering Cisco ISE is whether it is available as an appliance or as software. The answer is that Cisco ISE is available in both formats, providing flexibility to meet different deployment needs and preferences.
Cisco ISE is available as a physical appliance, that is, dedicated hardware with the ISE software preinstalled. These appliances are designed for high performance and reliability and offer a ready-made solution that can be deployed quickly. They are particularly suited to large enterprises and organizations that need sustained performance to handle significant network traffic and a large number of devices.
Cisco ISE can also be deployed as a virtual appliance, allowing ISE software to run in virtualization environments such as VMware, Hyper-V, and others. Virtual solutions offer significant implementation flexibility, allowing organizations to leverage existing virtual infrastructure.
Upgrading a Cisco ISE deployment involves several steps to ensure a smooth transition to the latest version without disrupting the network. The upgrade can be performed from either the CLI or the GUI.
Sample procedure from CLI.
Profiling in Cisco Identity Services Engine (ISE) refers to the process of identifying and classifying devices connected to a network. It involves collecting and analyzing data about devices to determine their type, operating system, capabilities, and other attributes. This information is then used to apply appropriate network access policies, improving security and management.
Cisco ISE uses various techniques and data sources to profile devices. The process typically involves data collection, data analysis, device classification, and policy enforcement. Data for profiling may be collected from various sources, such as:
pxGrid (Platform Exchange Grid) is a framework that facilitates the exchange of contextual information between various network and security devices. It enables the integration of Cisco ISE with other network systems and security solutions (e.g. monitoring systems, firewalls, SIEM, identity management), allowing them to collaborate and exchange data in real-time. This improved interoperability helps create a more dynamic and responsive security posture across an organization’s network.
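The profiling pipeline described above (data collection, analysis, classification, policy enforcement), as an added illustration that is not Cisco's code: a small rule-based profiler that sums certainty weights per profile, loosely modelled on how ISE assigns profiles by certainty factor. The endpoint attributes, OUI lookup, profile rules, thresholds and VLAN names are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: per-MAC attributes a profiler could gather from RADIUS (OUI), DHCP and HTTP probes.
ENDPOINTS = {
    "00:1a:2b:11:22:33": {"oui": "00:1a:2b", "dhcp-class-identifier": "MSFT 5.0",
                          "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "a4:cf:12:44:55:66": {"oui": "a4:cf:12", "dhcp-class-identifier": "udhcp 1.30",
                          "host-name": "sensor-node-7"},
    "de:ad:be:00:00:01": {"oui": "de:ad:be", "dhcp-class-identifier": "udhcp 1.30"},
}
OUI_VENDOR = {"00:1a:2b": "Acme Laptops", "a4:cf:12": "IoTCo"}  # constructed lookup table

@dataclass(frozen=True)
class Rule:
    attr: str        # attribute to inspect
    needle: str      # case-insensitive substring that must appear in it
    certainty: int   # weight contributed when the rule matches

@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int  # total weight required before this profile is assigned
    rules: tuple
    policy: str         # authorization result enforced for matching endpoints

PROFILES = (
    Profile("Windows-Workstation", 30, (Rule("dhcp-class-identifier", "MSFT", 20),
                                        Rule("user-agent", "Windows NT", 20),
                                        Rule("vendor", "Laptops", 10)), "Corporate-VLAN"),
    Profile("IoT-Sensor", 30, (Rule("dhcp-class-identifier", "udhcp", 10),
                               Rule("vendor", "IoTCo", 20),
                               Rule("host-name", "sensor", 10)), "IoT-Restricted-VLAN"),
)

def score(profile, attrs):
    """Analysis step: sum the certainty of every rule whose substring matches."""
    return sum(r.certainty for r in profile.rules
               if r.needle.lower() in attrs.get(r.attr, "").lower())

def classify(attrs):
    """Classification step: pick the best-scoring profile that clears its threshold."""
    attrs = {**attrs, "vendor": OUI_VENDOR.get(attrs.get("oui", ""), "Unknown")}
    best = max(PROFILES, key=lambda p: score(p, attrs))
    if score(best, attrs) < best.min_certainty:
        return ("Unknown", "Quarantine-VLAN")  # unprofiled devices get the most restrictive policy
    return (best.name, best.policy)

def authorize_all(endpoints=ENDPOINTS):
    """Policy enforcement step: map each MAC to (assigned profile, authorization result)."""
    return {mac: classify(attrs) for mac, attrs in endpoints.items()}
```

Note that the third endpoint matches only one weak rule and therefore stays Unknown; a profiler that assigned a profile on a single low-certainty hint would be easy to mislead, so the threshold is what keeps classification trustworthy.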
Purchasing a Cisco Identity Services Engine (ISE) license involves several steps, including understanding the different license types, selecting the appropriate license for your needs, and working with a Cisco partner or reseller to complete the purchase.
Licenses are a key part of an ISE implementation because they determine the number of active endpoints that ISE can authenticate, authorize, monitor or secure.
Cisco ISE has three license levels: Essentials, Advantage and Premier.
Source: Cisco
ISE Essentials is the base license tier and provides core identity and access management features. It includes 802.1X network access, guest access management, posture assessment, and basic profiling capabilities. This tier is suitable for organizations that need fundamental security features to control access to network resources.
ISE Advantage is a mid-tier licensing option that builds on the features offered in the Essentials tier. In addition to the functionality available in Essentials, Advantage includes more advanced features such as profiling, BYOD, Cisco pxGrid integration, and TrustSec security group tagging (SGT) enforcement. This tier is suitable for organizations requiring more extensive policy enforcement and advanced network access control capabilities.
Cisco ISE Premier is the highest license tier available for Cisco ISE. It includes all the features of the Essentials and Advantage tiers and adds further enhancements such as endpoint compatibility and security automation integrations (for example MDM and Posture), as well as advanced threat containment and TC-NAC visibility features. This tier is suitable for organizations with complex network environments and advanced security needs.
After installation, Cisco ISE provides a 90-day evaluation license that supports 100 endpoints and provides all Cisco ISE features. You can configure a limited deployment in evaluation mode and explore all the capabilities and features of Cisco ISE. A valid Cisco.com login is required to download the software.
When evaluation licenses expire after 90 days, administrators will only be able to view the Licensing window in the Cisco ISE Admin Portal. No alerts are sent to administrators notifying them about the expiration of an evaluation license.
Cisco sells its products only through a network of certified distributors and partners, so it is worth contacting a reseller. A competent reseller will advise you which licenses will be most beneficial to use.