Cisco Identity Services Engine (ISE) is a platform for implementing security policies, authentication and access control for endpoints such as laptops, tablets, smartphones, security cameras and video conferencing systems connected to the company's routers and switches. The goal of using Cisco ISE is to strengthen the security of the infrastructure and the management of equipment and applications in companies and corporate networks.
Cisco ISE's architecture and licensing allow organizations to accurately and instantly collect contextual information about networks, users and equipment, and to use that information to make access decisions on network elements such as access switches, wireless LAN controllers (WLCs), virtual private networks (VPNs) and data center switches.
Key features of Cisco ISE
- AAA protocols: Cisco ISE uses the RADIUS protocol for Authentication, Authorization and Accounting.
- Policy model: The policy model makes it possible to apply more flexible access control based on features and roles.
- Authentication protocols: It supports various authentication protocols, including PAP, MS-CHAP, EAP-MD5, PEAP, EAP-FAST and EAP-TLS.
- Access control: Cisco ISE provides a wide range of access control mechanisms, such as URL redirect, VLAN assignment, downloadable access control lists (dACLs) and SGA tagging.
- Posture: Cisco ISE checks the state of devices connected to the network using the NAC client agent or a web agent. A network administrator can define various conditions to check, such as antivirus presence, operating system status, etc.
- Profiling: Profiling is used to identify and classify network devices. These can be any type of device that wants to access the network, such as an iPhone, iPad, laptop, printer, etc. ISE ships with several built-in profiles for such devices, and administrators can also create custom profiles and attach specific policies to them.
Cisco ISE performs identity management in the following areas:
- Cisco ISE can determine the service a user receives based on various conditions, such as membership in a specific group, device type, etc.
- Cisco ISE determines whether users accessing the network are doing so from a device that complies with the configured policies.
- Cisco ISE can restrict a user's access to only one part of the network, or to specific services and software, based on the user's authentication.
- Cisco ISE keeps a history of user identities, the locations from which users connected to the network, and their access activity, which can be used for reporting.
How does Cisco ISE work?
Cisco ISE is essentially a policy-based access control system that incorporates a set of features found on Cisco policy platforms. These are as follows:
- Allows administrator users to define the access level of Guest users.
- Provides detection, profiling and monitoring of network equipment.
- You can implement this product in different companies and organizations.
- This platform combines Authentication, Authorization and Accounting (AAA), posture and profiling within one appliance.
- Utilizes advanced features such as security group access (SGA) using security group tags (SGTs) and security group access control lists (SGACLs).
- Equipment that wants to join the network authenticates through specific protocols, so that communications are restricted and secured.
- Consistent policy enforcement through centralized and distributed deployment, which ensures that services are delivered where they are needed. In other words, if a person connects to the network from any location with a smartphone or laptop, the services that person requires are made available according to the policy that governs the access granted to them.
Ability to access the network based on user authentication
The Cisco ISE platform and its licenses provide user identity management in the following areas:
- Cisco ISE assigns services based on user activities.
- Cisco ISE uses the results of authentication to assign services to users and admit them to a specific portion of the network.
- Cisco ISE determines whether the equipment used by a user is authorized to access the network under the policies set by network administrators.
Authentication and Authorization of network users by Cisco ISE
The Cisco ISE user authentication policy lets network administrators perform authentication with a variety of standard authentication protocols, including Password Authentication Protocol (PAP), Protected Extensible Authentication Protocol (PEAP), Challenge-Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP).
Access to the internal network and its resources is then granted through the network access protocol implemented by Cisco ISE, one advantage of which is its interaction with 802.1X. Once the user has completed the authentication process, Cisco ISE determines what that user is authorized to access on the network, based on the policies set by administrators.
Types of Nodes in the Cisco ISE Platform
The Cisco Identity Services Engine (ISE) platform and its licenses consist of several node types through which the software manages the network and collects information.
- Administration: This node, also called the PAN (Policy Administration Node), is the single point from which Cisco ISE is administered. It gives users full system access to the management environment. Up to two Administration nodes can be deployed in a network.
- Policy Service: This node, also called the PSN (Policy Service Node), is responsible for handling the traffic between network equipment and ISE.
- Monitoring: This node, also called MnT, is responsible for collecting logs from across the network.
- Inline Posture Node: This node sits behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators. Also called the IPN, it enforces access policies after the user has been authenticated and issues change-of-authorization requests that the WLC or VPN is able to enforce.
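To make the RADIUS-based AAA, 802.1X and change-of-authorization flow described above concrete, here is a constructed Cisco IOS switch configuration (an added example, not taken from this page or from Cisco's own documentation); the PSN addresses 192.0.2.10/11, the server group name ISE-PSN, the shared secret placeholder and the interface are all assumptions.

```cisco
! Constructed example: access switch as 802.1X authenticator, ISE PSNs as RADIUS servers
! Placeholders: 192.0.2.10 / 192.0.2.11 (PSN addresses), <SHARED-SECRET>, GigabitEthernet1/0/1
aaa new-model
! Send authentication, authorization and accounting (the AAA of RADIUS) to the PSN group
aaa authentication dot1x default group ISE-PSN
aaa authorization network default group ISE-PSN
aaa accounting dot1x default start-stop group ISE-PSN
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
radius server ISE-PSN-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
aaa group server radius ISE-PSN
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Accept RADIUS Change of Authorization (CoA) only from the PSNs, so a posture or
! profiling result can move a session to a new VLAN or dACL after initial authentication
aaa server radius dynamic-author
 client 192.0.2.10 server-key <SHARED-SECRET>
 client 192.0.2.11 server-key <SHARED-SECRET>
!
! Vendor-specific attributes carry the VLAN assignment and downloadable ACL (dACL)
radius-server vsa send authentication
radius-server vsa send accounting
! Classic IOS needs device tracking to bind a dACL to the endpoint's IP address
ip device tracking
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Verify with: show authentication sessions interface GigabitEthernet1/0/1 details
```

With this in place the switch forwards each supplicant's credentials to the PSN, applies the VLAN or dACL that ISE returns, and honours CoA so that a later posture verdict is enforced without the user re-authenticating.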
Cisco ISE Roles
Customers can deploy Cisco ISE (Cisco Identity Services Engine license) in the following roles:
- Standalone: This role corresponds to an independent deployment. In a stand-alone architecture, the nodes are unaware of each other and operate on their own.
- Primary: This role belongs to a distributed deployment. In this Cisco ISE architecture, the PAN is the main node, with complete control over all configurations and equipment, so that they can be managed easily.
- Secondary: This role also belongs to a distributed deployment, with the difference that here the PAN acts as a backup node and is normally inactive. When the Primary is no longer available, the GUI of the Secondary is activated and it is automatically promoted to Primary.
Cisco ISE Order Pricing
Customers can order the following Cisco ISE licenses by contacting our sales specialists:
- Cisco ISE Essentials License
- Cisco ISE Advantage License
- Cisco ISE Premier License
- Cisco ISE VM License
- Cisco ISE Device Admin License
The Cisco ISE series aims to enhance the security of infrastructure and application management in companies and corporate networks, granting access-layer infrastructure to trusted users. There are several ways to contact us and place an order: customers can start from a Cisco license price quote and get in touch with our experts, who provide accurate information and guidance on the related products and licenses.