Menu

US Region

Grandmetric LLC
Brookfield Place Office
200 Vesey Street
New York, NY 10281
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

EMEA Region

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

  • en
  • pl
  • Cisco Identity Service Engine

    Secure Network Access

    Cisco ISE – What is Identity Service Engine?  

    Date: 18.07.2022



    Cisco ISE is a solution designed for controlling the secure network access policy and thus, the organization’s critical resources. It’s a single point providing information on events related to the connection of devices and users to the network. 

    ISE is much more than a concept of complementary security and an “intuitive” network, but we’ll get to that. Meanwhile, I encourage you to read a few words about the ISE architecture on our “Design Corner,” while we’ll talk more about the basic tasks provided by ISE below.  

    Identity Service Engine functionalities  

    As a Radius server, Cisco ISE enables functionalities that support classic Radius servers (such as the well-known Cisco ACS – Access Control System). So, by deploying Cisco ISE, you can run:  

    • 802.1x mechanism in a Wi-Fi network  
    • 802.1x mechanism in a wired network  
    • Authentication and setting attributes to users connected via a VPN  
    • MAC Authentication Bypass (MAB), meaning device authentication using MAC addresses  
    Cisco ISE Guest Authorization
    ISE Guest Authorization

    ISE mechanisms  

    Identity Services Engine uses the so-called augmented Radius CoA (Change of Authorization) communications that make dynamic interaction between an ISE node (Policy Service Node) and network devices, such as switches, routers, Wi-Fi network controllers, and firewalls, possible.  

    How does CoA work?  

    Identity Service Engine uses logical conditions created by the administrator, who applies a particular cause-and-effect logic: IF condition THEN result. With condition combinations, ISE can respond to the conditions arising in the network and communicate with the network devices on its own, for example by sending them a CoA packet with information about setting a port on a switch to the shutdown state, or redirecting a specific user with URL Redirect, if he’s not known in the system.  

    Let’s look at an example of using such a cause-and-effect loop. Take a device with a set MAC address that attempts to connect to our network. First, the MAC address is checked against the database in case it’s already registered. If yes, the connection is complete. If there’s no such address, ISE climbs down the rule ladder and redirects the user to the guest registration portal. 

    Below, you can see how it looks configuration-wise. 

    Chosen features of Cisco ISE
    Chosen features of Cisco ISE

    How can Profiling help?  

    Profiling, or the ISE’s ability to understand the kind of device, browser, manufacturer, device type like phone or laptop, and OS, enables responding, e.g., during the transfer of a packet with customized 802.1x supplicant, i.e., a piece of software responsible for connecting clients to 802.1x secured network, to a user.  

    With Profiling, Cisco ISE sends the right packet to the right device, e.g., a different one to a MacBook with OSX and a different one to a Lenovo device with Windows 10.  

    Posture Assessment, or be compliant  

    Posture Assessment is a mechanism known from solutions like Network Admission / Access Control (NAC) and is used to verify the end system connecting to the network for compliance with conditions enforced by the security policy. These conditions are, for instance, the presence of anti-virus software, OS fixes, or other key applications for a particular organization. During verification, Posture can redirect the checked system to complete any missing elements.  

    Cisco Identity Service Engine as a key security element 

    As you can see, Cisco ISE is a comprehensive solution for planning and controlling security policies, both in wired and wireless networks. Worth noting is the fact that ISE is shaping up to be a key security element, collecting information on who, where, and with which device, tries to connect to our network. In this context and with the use of Software-Defined network segmentation, ISE is the right system for the implementation of Zero-Trust Security.  

    You can learn more about planning and configuration of ISE from our Securing Network Access with Cisco ISE training 

    Author

    Krzysztof Osmałek

    Grandmetric Advanced Services Leader. Expert in the design, build, and configuration of enterprise-scale wireless networks, critical for business continuity and operations.

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Grandmetric