Identity Service Engine (Cisco ISE)

Cisco Identity Services Engine (ISE) is a solution that helps businesses protect their networks and resources by allowing them to control who and what can access their network. It allows organizations to monitor events related to device and user connections to the network and acts as a central point of information for these activities. It is available as a physical appliance or as a virtual machine.

Price: 4280 USD

Availability: Available

  • Description
  • Key Features
  • Use cases
  • Licensing
  • Configurations

ISE as NAC server

Cisco Identity Services Engine (ISE) is a solution that helps businesses protect their networks and resources by allowing them to control who and what can access their network.

Cisco ISE provides flexibility and choice, allowing organizations to connect their Network Access Control (NAC) services to multiple clouds and maintain business continuity during uncertain times. It also offers a modernized way to deploy NAC services, allowing teams to quickly deliver pervasive visibility and dynamic control to secure network access across hybrid environments. In this way, businesses can protect the integrity of their operations and maintain security in the face of an expanding attack surface and heightened global uncertainty.

How does it work?

Cisco Identity Services Engine (ISE) is a security solution that uses intelligence from across the security stack to become the policy decision point in a zero-trust architecture for the workplace.

It enables organizations to automate the process of discovering, profiling, authenticating, and authorizing trusted endpoints and users that connect to their self-managed network infrastructure, regardless of the access medium.

Network administrators can use ISE to create and maintain dynamic, risk-based policies that ensure only trusted users and devices have access to trusted resources, going beyond authentication to maintain trust throughout the entire session.

As a RADIUS server, Cisco ISE provides the functions of classic RADIUS servers (such as the well-known Cisco ACS, Access Control System), so by deploying Cisco ISE you can run:

  • the 802.1X mechanism in a Wi-Fi network
  • the 802.1X mechanism in a wired network
  • authentication of users connected via a VPN and assignment of attributes to them
  • MAC Authentication Bypass (MAB), i.e. device authentication based on MAC addresses

Identity Services Engine uses the RADIUS extension known as CoA (Change of Authorization, RFC 5176). CoA messages make dynamic interaction possible between an ISE node (the Policy Service Node) and network devices such as switches, routers, Wi-Fi controllers, and firewalls: the PSN can change or terminate an endpoint's session after the initial authentication, rather than only at login.
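The CoA exchange described above, as an added example that is not code from this page or from Cisco: a minimal RFC 5176 encoder and verifier in Python. The shared secret, the user, session and ACL-name attribute values are constructed assumptions. It shows how the Request Authenticator binds a CoA-Request to the RADIUS shared secret, so a network device (NAS) silently drops a request that was not issued by a PSN holding that secret, and how the PSN checks the returned CoA-ACK.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types used here (RFC 2865 / RFC 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID, ACCT_SESSION_ID = 1, 11, 44

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_coa_request(ident, attrs, secret):
    """PSN side: Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_coa_request(packet, secret):
    """NAS side: recompute the Request Authenticator with the locally configured secret.
    A CoA forged or altered without the secret fails here and is silently dropped."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_coa_response(request, code, secret):
    """NAS side, ACK/NAK without attributes: MD5(Code|ID|Length|RequestAuthenticator|Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_coa_response(request, response, secret):
    """PSN side: the ACK/NAK must carry our ID and an authenticator bound to our request."""
    if len(response) != 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":  # constructed sample values, not real ISE/NAS data
    secret = b"ise-shared-secret"
    req = build_coa_request(7, [(USER_NAME, b"alice"), (FILTER_ID, b"quarantine-acl")], secret)
    print(verify_coa_request(req, secret), verify_coa_request(req, b"guessed-secret"))
```

Real deployments add a Message-Authenticator attribute and session-identification attributes as RFC 5176 requires; this block only demonstrates the authenticator binding.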

Endpoint Compliance

Cisco Identity Services Engine (ISE) continuously verifies that the behaviour of devices on the network complies with the organization’s security policies, ensuring that risky, unpatched, and outdated devices cannot compromise the network. ISE 3.x offers a customizable approach to continuous posture assessments for endpoints connecting to the managed infrastructure. With the ability to conduct an unlimited number of posture checks, organizations can tailor their policies to their specific needs and enforce them dynamically to gain continuous trusted access.

Visibility Control

Cisco ISE provides pervasive visibility and dynamic control, allowing teams to see, know, and control what is connecting to their networks and ensure that its posture doesn’t compromise the business. With granular visibility and control, IT admins can confidently and quickly provision new resources to allow connection to the network without sacrificing protection.

Mature Zero-Trust

It also offers fully mature zero trust capabilities, integrating intelligence from across the stack into policy enforcement points throughout the network to ensure continuous trusted access.

Automated Threat Prevention

Additionally, Cisco ISE includes automated threat prevention capabilities, allowing organizations to not only block threats but also remove them from the network through integrated intelligence at enforcement points. ISE integrates with Cisco Security products and third-party ecosystem partners through pxGrid and pxGrid Cloud to gain contextual information from on-prem and cloud-native solutions.

Deployments Acceleration

This solution also helps teams combine speed and agility by moving from managing infrastructure in a box to infrastructure as code (IaC) with automated deployments, allowing them to accelerate secure network access.

Guest Access

Cisco Identity Services Engine (ISE) provides organizations with the ability to create and manage guest accounts for visitors who need temporary internet access. This includes vendors, retail customers, short-term vendors or contractors, and others.

It also provides a rich set of APIs that can be used to integrate with other systems, such as vendor management systems, to create, edit, and delete guest accounts. The user portals that guests see can be fully customized to match the organization’s brand, including the font, colour, and themes.

There are three ways to provide guest access with ISE:

  • Hotspot (immediate, non-credentialed access),
  • Self-Registration,
  • Sponsored Guest access.

Secure Wireless Access

Cisco Identity Services Engine (ISE) is a solution that helps organizations secure their wireless networks by allowing only authorized users and devices to connect to the network. This includes personal devices, such as mobile phones, tablets, or laptops, as well as other wireless “things” that are used in the organization.

Cisco ISE uses authentication and authorization as its core functionalities. Every session begins with authentication, whether it is for a user or a device. Authentication can be active, using 802.1X protocols, or passive, such as when the user authenticates against an Identity Source like Microsoft’s Active Directory (AD) and AD notifies ISE. This allows organizations to enforce different security policies and protect their networks from unauthorized access.

[Figure: Selected methods of securing wireless networks, by Grandmetric]

Secure Wired Access

Cisco Identity Services Engine (ISE) uses authentication and authorization to control access to the network.

Active authentication is performed using 802.1X protocols, in which Cisco ISE authenticates the user against an Identity Source, such as a directory server.

Passive authentication involves Cisco ISE learning about the user’s identity through means such as AD domain logins or other indirect methods.

Once the user or device has been authenticated successfully, authorization takes place. This involves assigning the endpoint’s network access session a dynamic VLAN, a downloadable access control list (dACL), or another segmentation method. This allows organizations to control which resources the user or device can access on the network and ensure that only authorized users and devices have access to sensitive information.

Cisco ISE authenticates users and endpoints via 802.1X, Web Authentication, MAB, and other means. Cisco ISE can query external identity sources for identity resolution and apply the appropriate network policies by instructing the network devices.

Required license: ISE Essentials

Asset Visibility

Cisco ISE offers two types of asset visibility: basic and advanced.

Basic asset visibility profiles endpoints by matching their network attributes to known profiles, while advanced asset visibility uses Deep Packet Inspection (DPI) to perform a deeper analysis of the conversations that applications on these devices have with other endpoints and servers on the network.

Basic asset visibility provides visibility into most devices on the network, including traditional devices like printers and mobile phones, while advanced asset visibility provides visibility into more specialized devices, such as those used in the Internet of Things (IoT).

Rapid Threat Containment (RTC)

Cisco Identity Services Engine (ISE) can integrate with more than 75 ecosystem partners through pxGrid to implement a variety of security use cases.

When a flagrant threat is detected on an endpoint, a pxGrid ecosystem partner can instruct ISE to contain the infected device, either manually or automatically. This can involve moving the device to a sandbox for observation, moving it to a remediation domain for repair, or removing it from the network entirely.

ISE can also receive standardized Common Vulnerability Scoring System (CVSS) and Structured Threat Information Expression (STIX) threat classifications, allowing it to gracefully adjust a user’s access privileges based on their security score.

A license for ISE Advantage is required to use this feature.

Bring Your Own Device (BYOD)

Cisco Identity Services Engine (ISE) provides multiple features that automate the onboarding process for Bring Your Own Device (BYOD) programs.

These include:

  • a built-in Certificate Authority (CA) that can create and distribute certificates to different types of devices,
  • a My Devices Portal that allows end users to register their BYOD devices, mark them as lost, or block them from the network.

Cisco ISE supports two approaches to BYOD onboarding: single-SSID and dual-SSID.

In the single-SSID approach, the same wireless network SSID is used for onboarding and connecting the device, while in the dual-SSID approach, a different open SSID is used for onboarding, and the device is then connected to a different, more secure SSID after the onboarding process is complete.

For customers who want to provide more comprehensive management policies, BYOD can also be used to connect end users to the onboarding page of their mobile device management (MDM) system.

A license for ISE Advantage is required to use this feature.

Segmentation

Cisco Group-Based Policy/TrustSec software-defined segmentation is a simpler and more effective way to protect critical business assets through network segmentation than traditional VLAN-based approaches.

The policy is defined through security groups, and Cisco ISE serves as the segmentation controller, simplifying the management of the switch, router, wireless, and firewall rules. This approach provides better security at lower costs than traditional segmentation.

A Forrester Consulting analysis found that operational costs were reduced by 80% and policy changes were 98% faster for customers who used Group-Based Policy/TrustSec Segmentation. This approach is based on open standards from the Internet Engineering Task Force (IETF) and is supported on third-party and Cisco platforms, including OpenDaylight.

Segmentation is a key component of Software-Defined Access (SDA), which uses Cisco Digital Network Architecture (DNA) Controller and Cisco Identity Services Engine (ISE) to automate network segmentation and group-based policy.

Identity-based policy and segmentation decouple security policy definitions from VLAN and IP addresses, allowing for more flexible and scalable network design.

The Software-Defined Access Design and Deployment Guides provide detailed information on configuring and deploying Group-Based Policy.

These guides can help organizations implement SDA and take advantage of the benefits of software-defined networking, including improved security, reduced complexity, and increased agility.

Cisco Identity Services Engine (ISE) can interface with the Cisco Application Centric Infrastructure (ACI) Controller to extend segmentation across the enterprise network. This allows ISE to create and populate SG-EPG translation tables that are used by border devices to translate TrustSec-ACI identifiers as traffic passes between network domains.

TrustSec technology is supported by over 50 Cisco product families and can work with open-source and third-party products. ISE acts as the policy controller for routers, switches, wireless devices, and security products.

A license for ISE Advantage is required to use this feature.

Licenses that enable segmentation via SDA include Advantage or Premier on Cisco ISE, and Cisco DNA Premier/Cisco DNA Advantage.

Security Ecosystem Integrations

Cisco Identity Services Engine (ISE) collects contextual data about endpoints, including device type, location, time of access, posture, and associated users, and can use this data to apply network access control policies.

Endpoints can be tagged with Scalable Group Tags (SGTs) based on these attributes, and this contextual information can also be shared with ecosystem partners to enhance their services. For example, Cisco Next-Generation Firewall (NGFW) policies can be based on identity context received from ISE. In turn, context from third-party systems can be fed into ISE to improve its sensing and profiling capabilities and support threat containment.

This context exchange can be achieved through Cisco pxGrid (including pxGrid Cloud and pxGrid Direct) or REST APIs. External RESTful Services (ERS) on ISE serve both the purpose of context sharing and the management of ISE for specific use cases through REST APIs.

Required license: ISE Advantage

Device Administration (TACACS+)

Cisco Identity Services Engine (ISE) provides the ability to automate device administration tasks and monitor network and security devices using TACACS+ within a controlled space in the user interface. This can help network and security administrators manage a large number of devices more efficiently and effectively.

Automation and a smooth workflow can make it easier to keep track of admin users, privileges, and changes in configuration. Such a feature can be particularly useful in large networks with hundreds or thousands of devices.

Required license: Device Admin License

License consumption: Device Administration licenses are consumed per Policy Service Node (PSN). You must have a Device Administration license for each of the policy service nodes that you enable TACACS+ service on.

Device Administration using TACACS+ does not consume endpoint licenses, and there is no limit on the number of network devices for Device Administration. A Device Admin license does not require an Essentials license.

Compliance

Cisco Identity Services Engine (ISE) uses posture agents to evaluate the compliance of endpoint devices with the corporate software policy before granting them access to the network. This helps ensure that the operating system, antimalware, firewall, and other software on the device are up to date and enabled, lowering the organizational risk and reducing the threat surface created by non-compliant, unhygienic endpoints.

Cisco ISE’s Posture engine or an MDM can be used to evaluate the compliance of endpoints and take appropriate action to protect the network.

A license for ISE Premier with Cisco AnyConnect Apex is required to use this feature.

Licensing

Cisco ISE offers different levels of licensing to manage the application features and access.

The nested-doll model of licensing ensures that customers can easily upgrade their licensing as their needs change, without having to purchase additional licenses for individual features. This allows for greater flexibility and scalability in managing network access and security.

With the new model, you can directly purchase Premier or Advantage licenses without the need for an Essentials license.

Cisco ISE Releases 2.x: Classic licensing

2.x licenses are now End-of-Life and no longer for sale effective March 9, 2022.

Base, Plus and Apex licences

Features mapped to the Base licence:

  • AAA and 802.1X
  • Guest (Hotspot, Self-Reg, Sponsored)
  • TrustSec (Group-Based Policy)
  • Easy Connect (Passive ID)

Features mapped to the Plus licence (requires a Base licence):

  • Profiling
  • BYOD (+CA, +MDP)
  • Context Sharing (pxGrid Out/In)
  • Rapid Threat Containment

Features mapped to the Apex licence (requires Base and Plus licences):

  • Posture
  • Mobile Device Management Compliance
  • Threat-Centric NAC

Cisco ISE Releases 3.x: Tier licensing

Each tier includes the features of the tiers below it (nested-doll model):

  Tier          Essentials features   Advantage features   Premier features
  Essentials    x
  Advantage     x                     x
  Premier       x                     x                    x

Features covered across the 3.x tiers:

  • AAA and 802.1X
  • Guest (Hotspot, Self-Reg, Sponsored)
  • Easy Connect (Passive ID)
  • Profiling
  • Endpoint Analytics Visibility and Enforcement
  • Rapid Threat Containment
  • TrustSec (Group-Based Policy)
  • BYOD (+CA, +MDP)
  • Context Sharing (pxGrid Out/In)
  • User Defined Network (Cloud)
  • Location Service
  • Posture
  • Mobile Device Management Compliance
  • Threat-Centric NAC