CISCO IDENTITY SERVICES ENGINE (ISE)

Jun 08, 2015


Anwesh Dixit


OVERVIEW OF CISCO ISE

Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations.

The unique architecture of Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices.

The administrator can then use that information to make proactive governance decisions by tying identity to various network elements including access switches, wireless LAN controllers (WLCs), virtual private network (VPN) gateways, and data center switches.


CISCO ISE FUNCTIONS

Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance

Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both

Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments

Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network

Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed

Employs advanced enforcement capabilities including security group access (SGA) through the use of security group tags (SGTs) and security group access control lists (SGACLs)

Scales to support a number of deployment scenarios, from small office to large enterprise environments


CONTEXT-AWARE IDENTITY MANAGEMENT

Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.

Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.

Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location, device type, and so on).

Cisco ISE grants authenticated users access to specific segments of the network, or specific applications and services, or both, based on authentication results.


BENEFITS & FEATURES

Provides comprehensive secure wired, wireless, and VPN access which includes rigorous identity enforcement, extensive policy enforcement, and security compliance.

Helps increase worker productivity through automated onboarding, automated device security, and dependable anywhere access.

Reduces operations costs through enhanced operational efficiency, leveraging the embedded sensing and enforcement in the existing network and the centralized policy control and visibility to decrease the tedious effort of securing access.

Guest lifecycle management : Enables full guest lifecycle management, whereby guest users can access the network for a limited time, either through administrator sponsorship or by self-signing via a guest portal.

Rigorous identity enforcement : ISE offers the industry's first device profiler* to identify each device; match it to its user or function and other attributes, including time, location, and network; and create a contextual identity so IT can apply granular control over who and what is allowed on the network. An automated device feed service updates ISE in real time to ensure that new devices can be identified as soon as they are released to the market.


AAA protocols : Utilizes standard RADIUS protocol for authentication, authorization, and accounting (AAA).

Authentication protocols : Supports a wide range of authentication protocols, including PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), and EAP-Transport Layer Security (TLS).

Policy model : Offers a rules-based, attribute-driven policy model for creating flexible and business-relevant access control policies.

Access control : Provides a wide range of access control mechanisms, including downloadable access control lists (dACLs), VLAN assignments, URL redirect, and Security Group Access (SGA) tagging using the advanced capabilities of Cisco's TrustSec-enabled network devices.

Profiling : Ships with predefined device templates for a wide range of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administrative-defined identities when endpoints connect to the network.


Posture : Verifies endpoint posture assessment for PCs and mobile devices connecting to the network. Works via either a persistent client-based agent or a temporal web agent to validate that an endpoint is conforming to a company's posture policies. Provides the ability to create powerful policies that include but are not limited to checks for the latest OS patches, antivirus and antispyware software packages with current definition file variables (version, date, etc.), registries (key, value, etc.), and applications.

Mobile device management integration : MDM integration* enables ISE to connect with Cisco MDM technology partner solutions to ensure that the mobile devices that are trying to connect to the network have previously registered with the MDM platform, are compliant with the enterprise policy, and can help users remediate their devices.

Endpoint protection service : Allows administrators to quickly take corrective action (Quarantine, Un-Quarantine, or Shutdown) on risk-compromised endpoints within the network. This helps to reduce risk and increase security in the network.

Centralized management : Enables administrators to centrally configure and manage profiler, posture, guest, authentication, and authorization services in a single web-based GUI console, and greatly simplifies administration by providing integrated management services from a single pane of glass.


Monitoring and troubleshooting : Includes a built-in web console for monitoring, reporting, and troubleshooting to assist helpdesk and network operators in quickly identifying and resolving issues. Offers comprehensive historical and real-time reporting for all services, logging of all activities, and real-time dashboard metrics of all users and endpoints connecting to the network.

Platform options : Available as a physical or virtual appliance. There are five physical platforms as well as a VMware ESX- or ESXi-based appliance.

Extensive policy enforcement : Based on the user's or device's contextual identity, ISE sends secure access rules to the network point of access so IT is assured of consistent policy enforcement whether the user or device is trying to access the network from a wired, wireless, or VPN connection.

Security compliance : A single dashboard simplifies policy creation, visibility, and reporting across all company networks so it's easy to validate compliance for audits, regulatory requirements, and mandated federal 802.1X guidelines.

Dependable anywhere access : ISE provisions policy on the network access device in real time, so mobile or remote users can get consistent access to their services from wherever they enter the network.
