Cisco Identity Services Engine (ISE)

1. CISCO IDENTITY SERVICES ENGINE (ISE)

2. OVERVIEW OF CISCO ISE
Cisco Identity Services Engine (ISE) is a next-generation identity
and access control policy platform that enables enterprises to
enforce compliance, enhance infrastructure security, and
streamline their service operations.
The unique architecture of Cisco ISE allows enterprises to gather
real-time contextual information from networks, users, and devices.
The administrator can then use that information to make proactive
governance decisions by tying identity to various network elements
including access switches, wireless LAN controllers (WLCs), virtual
private network (VPN) gateways, and data center switches.

3. CISCO ISE FUNCTIONS
Combines authentication, authorization, accounting
(AAA), posture, and profiler into one appliance
Provides for comprehensive guest access management for the Cisco
ISE administrator, sanctioned sponsor administrators, or both
Enforces endpoint compliance by providing comprehensive client
provisioning measures and assessing device posture for all
endpoints that access the network, including 802.1X environments
Provides support for discovery, profiling, policy-based placement, and
monitoring of endpoint devices on the network
Enables consistent policy in centralized and distributed deployments
that allows services to be delivered where they are needed
Employs advanced enforcement capabilities including security group
access (SGA) through the use of security group tags (SGTs) and
security group access control lists (SGACLs)
Supports scalability to support a number of deployment scenarios
from small office to large enterprise environments

4. CONTEXT-AWARE IDENTITY MANAGEMENT
Cisco ISE determines whether users are accessing the network on an
authorized, policy-compliant device.
Cisco ISE establishes user identity, location, and access
history, which can be used for compliance and reporting.
Cisco ISE assigns services based on the assigned user
role, group, and associated policy (job role, location, device
type, and so on).
Cisco ISE grants authenticated users with access to specific
segments of the network, or specific applications and services, or
both, based on authentication results.

5. BENEFITS & FEATURES
Provides comprehensive secure wired, wireless, and VPN access
which includes rigorous identity enforcement, extensive policy
enforcement, and security compliance.
Helps increase worker productivity through automated on
boarding, automated device security, and dependable anywhere
access.
Reduces operations costs by enhanced operational
efficiency, leveraging the embedded sensing and enforcement in
the existing network and the centralized policy control and visibility
to decreasing tedious efforts to secure access.
Guest lifecycle management : Enables full guest lifecycle
management, whereby guest users can access the network for a
limited time, either through administrator sponsorship or by selfsigning via a guest portal.
Rigorous identity enforcement : ISE offers the industry's first device
profiler* to identify each device; match it to its user or function and
other attributes, including time, location, and network; and create a

6. AAA protocols : Utilizes standard RADIUS protocol for
authentication, authorization, and accounting (AAA).
Authentication protocols : Supports a wide range of authentication
protocols, including PAP, MS-CHAP, Extensible Authentication
Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible
Authentication via Secure Tunneling (FAST), and EAP-Transport
Layer Security (TLS).
Policy model : Offers a rules-based, attribute-driven policy model for
creating flexible and business-relevant access control policies. .
Access control : Provides a wide range of access control
mechanisms, including downloadable access control lists
(dACLs), VLAN assignments, URL redirect, and Security
Group Access (SGA) tagging using the advanced
capabilities of Cisco's TrustSec-enabled network devices.
Profiling : Ships with predefined device templates for a wide
range of endpoints, such as IP phones, printers, IP
cameras, smartphones, and tablets. Administrators can
also create their own device templates. These templates
can be used to automatically detect, classify, and associate
administrative-defined identities when endpoints connect

7. Posture :Verifies endpoint posture assessment for PCs and mobile
devices connecting to the network. Works via either a persistent
client-based agent or a temporal web agent to validate that an
endpoint is conforming to a company's posture policies. Provides
the ability to create powerful policies that include but are not
limited to checks for the latest OS patches, antivirus and
antispyware software packages with current definition file variables
(version, date, etc.), registries (key, value, etc.), and applications.
Mobile device management integration : MDM integration* enables ISE
to connect with Cisco MDM technology partner solutions to ensure
that the mobile devices that are trying to connect to the network
have previously registered with the MDM platform, are compliant
with the enterprise policy, and can help users remediate their
devices.
Endpoint protection service : Allows administrators to quickly take
corrective action (Quarantine, Un-Quarantine, or Shutdown) on riskcompromised endpoints within the network. This helps to reduce
risk and increase security in the network.
Centralized management : Enables administrators to centrally
configure and manage profiler, posture, guest, authentication, and

8. Monitoring and troubleshooting : Includes a built-in web console for
monitoring, reporting, and troubleshooting to assist helpdesk and
network operators in quickly identifying and resolving issues.
Offers comprehensive historical and real-time reporting for all
services, logging of all activities, and real-time dashboard metrics
of all users and endpoints connecting to the network.
Platform options : Available as a physical or virtual appliance. There
are five physical platforms as well as a VMware ESX- or ESXi-based
appliance.
Extensive policy enforcement : Based on the user's or device's
contextual identity, ISE sends secure access rules to the network
point of access so IT is assured of consistent policy enforcement
whether the user or device is trying to access the network from a
wired, wireless, or VPN connection.
Security compliance : A single dashboard simplifies policy creation,
visibility, and reporting across all company networks so it's easy to
validate compliance for audits, regulatory requirements, and
mandated federal 802.1X guidelines.
Dependable anywhere access : ISE provisions policy on the network
access device in real time, so mobile or remote users can get