Wednesday, June 8, 2011

Cisco Releases Identity Services Engine (AKA ISE)


After years of innovation around Network Access Control, Cisco has released its next-generation NAC solution: Identity Services Engine. ISE combines functions that were previously spread across loosely coupled devices (AAA, profiling, posture and guest management) in a single, scalable appliance. As part of the Cisco TrustSec solution and Cisco's SecureX architecture for Borderless Networks, the Cisco Identity Services Engine provides a centralized policy engine for defining and enforcing business-relevant policy. This policy workhorse enables centralized, coordinated policy creation and consistent policy enforcement across the entire corporate infrastructure, from head office to branch office.

The best intro I have seen to date has been from Rob at TechWiseTV:

ISE Features & Benefits

  • Visibility: Single Platform & Pane of Glass - Lets IT see who and what is on the network for advanced discovery and troubleshooting
    • Dynamically collects & consolidates endpoint information to make adaptive policy decisions based on ‘context’
    • Integrates functions previously delivered in separate, loosely coupled applications to deliver higher levels of policy enforcement
    • Inherent benefits include simplified administration, monitoring, and troubleshooting for all these functions
  • Policy Architecture
    • Context-aware enforcement: Gathers information from users, devices, infrastructure, and network services to enable organizations to enforce contextual-based business policies across the network
    • Business-relevant policies: Create and enforce consistent policy from the head office to the branch office 
    • Coordinated Profiling: Allows profiling data to be tightly integrated into access policies. E.g. an LDAP user with a personal iPad gets a different privilege than the same LDAP user with an organization-owned iPad
    • Mobile Device Security: Dynamically identify and provision the proper policies for tablets, smartphones, GFE, etc.
  • Compliance: Create consistent policy across the infrastructure for corporate governance. 
    • Addresses vulnerabilities on user machines through periodic evaluation and remediation to help proactively mitigate network threats such as viruses, worms, and spyware 
    • Ensure configuration baselines are met
    • Ensure patches and AV/AS definitions are up to date
  • Efficiency: Increase IT staff productivity by automating labor-intensive tasks and simplifying service delivery
    • Allows enterprises to authenticate and authorize users and endpoints via wired, wireless, and VPN with consistent policy throughout the enterprise
    • Dramatically reduces cost of ownership with world-class monitoring and troubleshooting features designed to streamline operations for your helpdesk and support teams
  • Compatibility: Cisco Infrastructure Integration AND a standards based platform 
    • ISE integration is thoroughly and systematically tested across all Cisco switches
    • Because 802.1X is a standard, third-party device support is inherent
    • A Few of the Cisco Switch Features that help with deployment:
      • Open Mode – Allows customers to deploy on day 1 without causing any outages and eases the deployment and rollout of 802.1X
      • Multi Authentication – Allows hubs, desktop VMs, etc. to authenticate on a single port and receive differentiated policies
      • Security Group Access (SGA) 
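
As an added illustration of the Open Mode and Multi Authentication features listed above (example configuration written for this post, not Cisco's or the TechWiseTV material), here is a Cisco IOS access-port configuration that authenticates via 802.1X against an ISE node. The RADIUS server address, shared key, VLAN and interface name are placeholders.

```cisco
! Added example: 802.1X access port pointing at an ISE policy service node.
! 192.0.2.10, PLACEHOLDER_KEY, VLAN 10 and Gi1/0/1 are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_KEY
! Vendor-specific attributes carry ISE authorization results (e.g. dACL, VLAN)
radius-server vsa send authentication
radius-server vsa send accounting
!
! Enable 802.1X globally
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Open Mode: the port forwards traffic before (and even without) a successful
 ! authentication, so rollout does not cause outages while ISE policy is tuned.
 ! Remove "authentication open" to move to closed (enforcing) mode.
 authentication open
 ! Multi-auth: every MAC behind a hub or on a VM host is authenticated
 ! individually and can receive its own authorization result.
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
```

While in Open Mode, `show authentication sessions interface GigabitEthernet1/0/1` shows which endpoints would have been denied, which is the data to review before removing `authentication open`.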

Packaging and Licensing

Cisco Identity Services Engine is available as either a physical or virtual appliance. The type of license is based on functionality.
  • The Base license is intended for organizations that want to authenticate and authorize users and devices on their network. It includes AAA services, guest lifecycle management, compliance reporting, and end-to-end monitoring and troubleshooting.
  • The Advanced license expands upon the Base license and enables organizations to make policy decisions based on user and device compliance. Advanced license features include device profiling, posture services, and security group access enforcement capabilities.


ISE will be the platform that enables organizations to finally utilize port security, deal with the ever-evolving enterprise and ensure they are able to deploy in days/weeks vs. months/years. Check back for some detailed technical write-ups on configuration, best practices and use cases.

ISE Documentation