Cisco Identity Services Engine (ISE) License
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine is a network admission control platform for the access layer, the part of the infrastructure where people connect to the network and are assumed to be trusted. Cisco ISE provides an improved policy engine that governs that access layer infrastructure.
ISE can authenticate everything attaching to your network: your wired network, your wireless network and your VPN access points. This gives you assurance that every device on your network belongs there. Moreover, you can inspect what software is running on those endpoints. ISE therefore gives you visibility and control over your access network: policy enforcement, authentication and identification of these devices, and control of your access layer.
ISE works hand in hand with your network infrastructure, particularly your wireless system and your network access switches. ISE can be deployed as a RADIUS server or as a TACACS+ server. One of the fundamental use cases for ISE is authentication to the network: we want to make sure that the computers, printers and phones connecting are valid endpoints that we want on the network. To authenticate them we use 802.1X, so the endpoints talk to the switches using protocols such as EAP, and the switches deliver the authentication information to Cisco ISE. ISE can be placed in a data center or locally where your access networks are. The access switches and wireless controllers receive the credentials sent by endpoints connecting to the network and forward them to ISE. ISE then uses a robust policy engine to decide whether the endpoint should get access to the network, limited access, or none. For that purpose ISE integrates with identity stores, most commonly Microsoft Active Directory. Most customers already have a fairly robust security group structure there, and ISE can leverage that existing directory structure to decide which devices are allowed on the network and what level of access they get.
Cisco ISE also:
- Provides comprehensive guest access management for administrators, sanctioned sponsor administrators, or both.
- Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments.
- Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network.
- Enables consistent policy in centralized and distributed deployments so that services are delivered where they are needed.
- Employs advanced enforcement capabilities, including TrustSec through the use of Security Group Tags (SGTs) and Security Group Access Control Lists (SGACLs).
- Scales to support deployment scenarios from small office to large enterprise environments.
Cisco ISE can be deployed across an enterprise infrastructure, supporting 802.1X wired, wireless, and Virtual Private Network (VPN) access. The Cisco ISE architecture supports both standalone and distributed (also known as "high-availability" or "redundant") deployments, where one machine assumes the primary role and another "backup" machine assumes the secondary role. Cisco ISE features distinct configurable personas, services, and roles, which allow you to create and apply Cisco ISE services where they are needed in the network. The result is a comprehensive Cisco ISE deployment that operates as a fully functional and integrated system. Cisco ISE nodes can be deployed with one or more of the Administration (PAN), Monitoring (MnT), and Policy Service (PSN) personas, each performing a different vital part in your overall network policy management topology. Installing Cisco ISE with the Administration persona allows you to configure and manage your network from a centralized portal to promote efficiency and ease of use.
Cisco ISE can be deployed on both physical Cisco SNS servers and virtual environments such as VMware, KVM and Hyper-V.
Basic User Authentication and Authorization
User authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated.
Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.
At the most fundamental level, Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks. Once authentication succeeds, the session flow proceeds to the authorization policy. (There are also options available that allow Cisco ISE to process the authorization policy even when the authentication did not succeed.) Cisco ISE enables you to configure behavior for “authentication failed,” “user not found,” and “process failed” cases, and also to decide whether to reject the request, drop the request (no response is issued), or continue to the authorization policy. In cases where Cisco ISE continues to perform authorization, you can use the “Authentication Status” attribute in the “Network Access” dictionary to incorporate the authentication result as part of the authorization policy.
The authorization policy result is Cisco ISE assigning an authorization profile, which might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies, through the RADIUS attributes returned during authentication, the user access privileges granted once the user has been authenticated by Cisco ISE.
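The authentication-then-authorization flow described in the two paragraphs above, as an added example in Python that is not Cisco code and not part of the original page. It models the three failure cases ("authentication failed", "user not found", "process failed") with the reject / drop / continue options, an authorization policy whose rules can read the authentication result (the page's "Authentication Status" attribute from the "Network Access" dictionary), and an authorization profile rendered as RADIUS attributes carrying a downloadable ACL. The identity store, user names, passwords, rule names, VLAN numbers and ACL text are constructed; the attribute names in the reply are illustrative and not a claim about the exact attributes ISE returns.

```python
"""Simulated ISE-style RADIUS authentication and authorization decision (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class AuthStatus(str, Enum):
    PASSED = "AuthenticationPassed"
    FAILED = "AuthenticationFailed"
    USER_NOT_FOUND = "UserNotFound"
    PROCESS_FAILED = "ProcessFailed"


class FailAction(str, Enum):
    REJECT = "reject"        # answer with Access-Reject
    DROP = "drop"            # issue no response at all
    CONTINUE = "continue"    # proceed to the authorization policy anyway


# Constructed identity store standing in for Active Directory (demo only).
IDENTITY_STORE = {
    "alice": {"password": "Winter2024!", "groups": {"Domain Users", "Employees"}},
    "bob": {"password": "Temp1234", "groups": {"Domain Users", "Contractors"}},
}

# Constructed per-case behaviour, as an administrator would configure it.
FAILURE_OPTIONS = {
    AuthStatus.FAILED: FailAction.REJECT,
    AuthStatus.USER_NOT_FOUND: FailAction.CONTINUE,  # unknown users may still get portal access
    AuthStatus.PROCESS_FAILED: FailAction.DROP,      # identity store unreachable: stay silent
}


@dataclass
class Request:
    username: str
    password: str
    access_type: str  # "wired", "wireless" or "vpn"


@dataclass
class Session:
    request: Request
    auth_status: AuthStatus          # the "Authentication Status" attribute
    groups: frozenset = frozenset()


@dataclass
class AuthzProfile:
    name: str
    vlan: int
    dacl_name: str
    dacl_lines: tuple

    def radius_attributes(self) -> dict:
        """Render the profile as the attributes an Access-Accept would carry (illustrative names)."""
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(self.vlan),
            "Downloadable-ACL": {"name": self.dacl_name, "acl": list(self.dacl_lines)},
        }


def authenticate(req: Request, store_reachable: bool = True) -> Session:
    """Validate credentials without raising, so every outcome can reach the policy."""
    if not store_reachable:
        return Session(req, AuthStatus.PROCESS_FAILED)
    entry = IDENTITY_STORE.get(req.username)
    if entry is None:
        return Session(req, AuthStatus.USER_NOT_FOUND)
    if entry["password"] != req.password:  # plain comparison: constructed demo store
        return Session(req, AuthStatus.FAILED)
    return Session(req, AuthStatus.PASSED, frozenset(entry["groups"]))


# Constructed authorization profiles.
EMPLOYEE = AuthzProfile("Employee_Access", 10, "PERMIT_ALL", ("permit ip any any",))
CONTRACTOR = AuthzProfile("Contractor_Limited", 20, "CONTRACTOR_ACL",
                          ("permit tcp any host 10.0.0.5 eq 443", "deny ip any any"))
GUEST_PORTAL = AuthzProfile("Guest_Portal", 99, "GUEST_DNS_ONLY",
                            ("permit udp any any eq 53", "deny ip any any"))

# Authorization rules: (name, condition over the session, profile); first match wins.
AUTHZ_RULES: list = [
    ("Employees", lambda s: s.auth_status is AuthStatus.PASSED and "Employees" in s.groups, EMPLOYEE),
    ("Contractors", lambda s: s.auth_status is AuthStatus.PASSED and "Contractors" in s.groups, CONTRACTOR),
    # Uses the authentication result itself: an unknown wireless user is sent to the guest portal.
    ("Unknown_Wireless", lambda s: s.auth_status is AuthStatus.USER_NOT_FOUND
     and s.request.access_type == "wireless", GUEST_PORTAL),
]


def authorize(session: Session) -> Optional[AuthzProfile]:
    for _name, condition, profile in AUTHZ_RULES:
        if condition(session):
            return profile
    return None  # implicit default rule: deny


def process(req: Request, store_reachable: bool = True):
    """Return (radius_reply, attributes); the reply is None when the request is dropped."""
    session = authenticate(req, store_reachable)
    if session.auth_status is not AuthStatus.PASSED:
        action = FAILURE_OPTIONS[session.auth_status]
        if action is FailAction.REJECT:
            return "Access-Reject", {}
        if action is FailAction.DROP:
            return None, {}
    profile = authorize(session)
    if profile is None:
        return "Access-Reject", {}
    return "Access-Accept", profile.radius_attributes()


if __name__ == "__main__":
    for req, reachable in [(Request("alice", "Winter2024!", "wired"), True),
                           (Request("alice", "wrong", "wired"), True),
                           (Request("guest-laptop", "", "wireless"), True),
                           (Request("alice", "Winter2024!", "vpn"), False)]:
        print(req.username, req.access_type, "->", process(req, reachable))
```

The point worth noticing is the "continue" option: an unknown user is not automatically rejected, but only gets the DNS-only guest profile when the authorization rule explicitly matches the `USER_NOT_FOUND` status, and everything else falls through to the implicit deny.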
Client Posture Assessment
To ensure that the imposed network security measures remain relevant and effective, Cisco ISE enables you to validate and maintain security capabilities on any client machine that accesses the protected network. By employing posture policies that are designed to ensure that the most up-to-date security settings or applications are available on client machines, the Cisco ISE administrator can ensure that any client machine that accesses the network meets, and continues to meet, the defined security standards for enterprise network access. Posture compliance reports provide Cisco ISE with a snapshot of the compliance level of the client machine at the time of user login, as well as any time a periodic reassessment occurs.
Mobile Device Manager Interoperability with Cisco ISE
Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM enforces policy on endpoints, but it cannot force users to register their device or force remediation. ISE retrieves policies from the MDM server, and enforces those policies when users register their devices. If the ISE device policy requires MDM, and the device is not compliant with MDM, then ISE redirects the user to the MDM on-boarding portal, and prompts the user to update the device for network access. ISE can also allow internet-only access to users who decline MDM compliance.
Wireless and VPN Traffic with Inline Posture Nodes
Inline Posture nodes are gatekeeping nodes that enforce Cisco ISE access policies and handle Change of Authorization (CoA) requests. After initial authentication (using EAP/802.1X and RADIUS), client machines must still go through posture assessment. The posture assessment process determines whether the client should be restricted, denied, or allowed full access to the network. When a client accesses the network through a WLC or VPN device, the Inline Posture node takes responsibility for the policy enforcement and CoA that those network devices are unable to accommodate. A Cisco ISE node can therefore be deployed as an Inline Posture node behind other network access devices on your network, such as WLCs and VPN concentrators.
Profiled Endpoints on the Network
The Profiler service assists in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on your network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups.
The Profiler Feed service allows administrators to retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server, through a subscription configured in Cisco ISE.
Cisco pxGrid enables the sharing of context information from the Cisco ISE session directory with other policy network systems such as the Cisco Adaptive Security Appliance (ASA). The pxGrid framework can also be used to exchange policy and configuration data between nodes, such as sharing tags and policy objects between ISE and third-party vendors' products, and for non-ISE information exchanges such as threat information.
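The probe-collect-classify pipeline of the Profiler service described above, as an added Python example that is not Cisco code and not part of the original page. Records from several probes (RADIUS, DHCP, HTTP) are merged into one attribute set per endpoint MAC address, the OUI is resolved against a vendor table (the kind of table the feed service keeps current), and the attributes are matched against profiling policies. Each policy condition carries a certainty value and the endpoint is assigned to the best-scoring policy that reaches its minimum certainty; that scoring scheme is an assumption in the spirit of ISE's certainty factor, and the OUI table, probe records, attribute names and policies are all constructed sample data.

```python
"""Toy endpoint profiler modelled on the Cisco ISE Profiler service (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Constructed OUI -> vendor table; a real deployment updates this from the feed service.
OUI_TABLE = {
    "AA:BB:01": "Cisco Systems",
    "AA:BB:02": "Hewlett Packard",
    "AA:BB:03": "Dell Inc.",
}


def oui_vendor(mac: str) -> str:
    """Resolve the first three octets of a MAC address to a vendor name."""
    return OUI_TABLE.get(mac.upper()[:8], "Unknown")


def collect(probe_records: list) -> dict:
    """Merge the attributes reported by every probe into one dictionary per endpoint MAC."""
    endpoints = defaultdict(dict)
    for rec in probe_records:
        mac = rec["mac"].upper()
        endpoints[mac].update(rec["attrs"])
        endpoints[mac]["oui_vendor"] = oui_vendor(mac)
    return dict(endpoints)


@dataclass(frozen=True)
class Condition:
    attribute: str
    test: Callable[[str], bool]
    certainty: int          # assumed weighting, in the spirit of ISE's certainty factor


@dataclass(frozen=True)
class Policy:
    name: str
    min_certainty: int
    conditions: tuple

    def score(self, attrs: dict) -> int:
        """Sum the certainty of every condition the endpoint's attributes satisfy."""
        total = 0
        for cond in self.conditions:
            value = attrs.get(cond.attribute)
            if value is not None and cond.test(value):
                total += cond.certainty
        return total


# Constructed profiling policies.
POLICIES = (
    Policy("Cisco-IP-Phone", 30, (
        Condition("oui_vendor", lambda v: v == "Cisco Systems", 10),
        Condition("dhcp_class_identifier", lambda v: "IP Phone" in v, 20),
    )),
    Policy("HP-Printer", 30, (
        Condition("oui_vendor", lambda v: v == "Hewlett Packard", 10),
        Condition("dhcp_host_name", lambda v: v.lower().startswith("npi"), 20),
    )),
    Policy("Windows-Workstation", 30, (
        Condition("dhcp_class_identifier", lambda v: v.startswith("MSFT"), 10),
        Condition("http_user_agent", lambda v: "Windows NT" in v, 20),
    )),
)


def classify(attrs: dict) -> str:
    """Pick the best-scoring policy that reaches its minimum certainty, else 'Unknown'."""
    best_name, best_score = "Unknown", 0
    for policy in POLICIES:
        s = policy.score(attrs)
        if s >= policy.min_certainty and s > best_score:
            best_name, best_score = policy.name, s
    return best_name


def profile_endpoints(probe_records: list) -> dict:
    return {mac: classify(attrs) for mac, attrs in collect(probe_records).items()}


# Constructed probe records as the collector might receive them.
SAMPLE_RECORDS = [
    {"probe": "RADIUS", "mac": "aa:bb:01:10:20:30", "attrs": {"nas_port_type": "Ethernet"}},
    {"probe": "DHCP", "mac": "aa:bb:01:10:20:30", "attrs": {"dhcp_class_identifier": "Cisco Systems, Inc. IP Phone"}},
    {"probe": "DHCP", "mac": "aa:bb:02:40:50:60", "attrs": {"dhcp_host_name": "NPI1A2B3C"}},
    {"probe": "DHCP", "mac": "aa:bb:03:70:80:90", "attrs": {"dhcp_class_identifier": "MSFT 5.0"}},
    {"probe": "HTTP", "mac": "aa:bb:03:70:80:90", "attrs": {"http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}},
    {"probe": "RADIUS", "mac": "aa:bb:03:aa:bb:cc", "attrs": {"nas_port_type": "Wireless-802.11"}},  # too little evidence
]

if __name__ == "__main__":
    for mac, name in profile_endpoints(SAMPLE_RECORDS).items():
        print(f"{mac}  ->  {name}")
```

Note that the last endpoint stays "Unknown": a single RADIUS attribute and a Dell OUI match no policy's minimum certainty, which is the behaviour you want from a profiler so that a thin set of attributes does not place an endpoint into an identity group that grants access.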
Cisco ISE Certificate Authority
Cisco ISE provides a native Certificate Authority (CA) that issues and manages digital certificates for endpoints from a centralized console, so that employees can connect to the company's network using their personal devices. The Cisco ISE CA supports standalone and subordinate deployments.
Cisco ISE Smart Licenses
Cisco has introduced its Smart Licensing method, and Cisco ISE, like other Cisco products, now supports Smart Licenses. All product instances are registered on the Cisco Smart Software Manager (CSSM) website with a valid Smart Account containing the specific licenses. Cisco ISE also offers a Permanent License Reservation (PLR) license, bundling the Essentials, Advantage and Premier licenses in one, which can be used in highly secured environments to register all instances without any need to connect to the Internet.
Old Licenses (ISE v2.x) vs. New Licenses (ISE v3.x)
When converting existing licenses to the new scheme, the licenses will be migrated using the following rules. While functionality is retained across licenses, note that the license count might differ from the Base/Plus/Apex license count, and that all licenses will have an expiry date:
How to migrate from old Cisco ISE Base, Plus, and Apex licenses to new Cisco ISE Essentials, Advantage, and Premier Licenses
Migrating to the new licensing scheme requires a few simple steps to convert your existing PAK licenses to Smart Licenses. ISE reaches out to the Smart Licensing portal and enables features and capabilities based on the licenses available there. As a result, ISE needs network connectivity to reach the CSSM. ISE release 3.0 supports PLR, Satellite (On-Premises SSM), or SLR.