Cisco Identity Services Engine (ISE) Data Sheet

The Cisco® Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources.

Product Overview

The enterprise network no longer sits within four secure walls. It extends to wherever employees are and wherever data goes. Employees today demand access to work resources from more devices and through more non-enterprise networks than ever before. Mobility and the Internet of Everything (IoE) are changing the way we live and work, and as a result, enterprises must support a massive proliferation of new network-enabled devices. However, a myriad of security threats and highly publicized data breaches clearly demonstrate the importance of safeguarding this evolving enterprise network.

As the modern network expands, the complexity of marshaling resources, managing disparate security solutions, and controlling risk grows as well. Factor in the ubiquitous connectivity of IoE with already constrained IT resources, and the potential impact of failing to identify and remediate security threats becomes very large indeed.

A different approach is required for both the management and the security of the evolving mobile enterprise. Enter the Cisco Identity Services Engine. With its superior user and device visibility, Cisco ISE delivers simplified enterprise mobility experiences, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.

Features and Benefits

This solution offers a more holistic approach to network access security and provides:

   Accurate identification of every user and device

   Easy onboarding and provisioning of all devices

   Centralized, context-aware policy management to control user access - whoever, wherever, and from whatever device

   Deeper contextual data about connected users and devices to more rapidly identify, mitigate, and remediate threats

When deployed in a network, customers gain many advantages (Table 1).

Table 1.       Major Customer Advantages

Advantage

Description

Powerful device classification

The solution offers the industry’s first integrated device profiler to identify each endpoint; match it to its user or function and other attributes, including time, location, and network; and create a contextual identity so IT administrators can apply precise controls over who and what is allowed on the network. An automated device feed service updates Cisco ISE in real time to help ensure that new devices can be identified as soon as they are released to the market.

Extensive policy enforcement

Organizations can define access policy rules easily and with great flexibility to meet their ever-changing business needs. For example, IT administrators can define a policy that differentiates guest users and devices from registered users and devices. Guest users may receive limited access across the entire network, while registered users receive their policy-designated access. Further, policies can help ensure that only trusted or compliant devices from registered users can access the network. Based on the user’s or device’s contextual identity, rules for highly secure access are sent to the network point of entry, so the IT administrators are assured of consistent policy enforcement from wherever the user or device is trying to access the network.

Streamlined guest experiences

With out-of-the-box simplicity for guest administration and onboarding, administrators can customize guest portals in minutes. Dynamic visual tools offer real-time previews of the portal screens and the steps that a guest will experience in order to demonstrate exactly how changes to settings will affect users. You gain full customization of guest pages (including advertisements, banners, themes, and branding), full management of guest accounts and expirations, and complete auditing of guest accounts and activity across your network. Supporting every type of guest workflow from hotspot to employee-sponsored guest access with SMS confirmation, the solution makes guest access easy.

Self-service device onboarding

IT staff can decide how to implement an enterprise’s bring-your-own-device (BYOD) or guest policies. With a self-service registration portal, users can register and provision new devices according to the business policies defined by the IT administrators. This permits the IT staff to get the automated device provisioning, profiling, and posturing it needs to comply with security policies while employees can get their devices onto the network without requiring IT assistance.

Security compliance

A single management console simplifies policy creation, visibility, and reporting across all company networks, which makes it easy to validate compliance for audits, regulatory requirements, and mandated federal guidelines for IEEE 802.1X standards.

Automated device-compliance checks

Cisco ISE delivers device posture check and remediation options using the Cisco AnyConnect® 4.0 Unified Agent, which also provides advanced VPN services for desktop and laptop checks. The solution also provides integrations with market-leading enterprise mobility management (EMM) solutions for mobile devices. This capability helps to ensure that a user’s device is both secure and policy-compliant.

Dependable anywhere access

The Identity Services Engine provisions policy on the network access device in real time, so mobile or remote users can get the same consistent access to their services from wired and wireless connections.

Operational efficiency

Onboarding and security automation, central policy control, visibility, troubleshooting, and integration with Cisco Prime solutions help ensure that IT staff and the help desk will spend far less time on user and network security fixes.

Embedded enforcement

Device-sensing capabilities are built into most Cisco switches and wireless controllers to extend profiling networkwide at the point of entry and without the costs and management of overlay appliances or infrastructure replacement.

Extension of policy into the data center

The Identity Services Engine is the policy controller for the unique Cisco TrustSec® network technology, which provides software-defined network segmentation to take the complexity out of network security. Customers can logically and dynamically segment their network based on business rules using role-based access policy instead of managing multiple VLANs or changing network architecture, thereby simplifying highly secure access across an ever-changing expanded network.

Multivendor-infrastructure support

The solution interoperates with a multivendor infrastructure (for example, switches and wireless access points) that is compliant with RADIUS and IEEE 802.1X standards. Cisco and its partners offer best-practice guidelines as well as detailed, hands-on design guidance. Enterprise customers use the Identity Services Engine with a network infrastructure designed by Cisco along with Cisco TrustSec technology to get even greater intelligence and enhanced visibility out of their networks.

pxGrid context sharing

The solution collects dynamic contextual data from throughout the network and uses pxGrid technology, a robust context-sharing platform, to share that deeper level of contextual data about connected users and devices with external and internal ecosystem partner solutions. Through the use of a single API, the solution’s network and security partners use this data in order to improve their own network access capabilities and accelerate their own solutions’ capabilities to identify, mitigate, and remediate network threats.

Broad, integrated partner ecosystem

The Identity Services Engine boasts one of the largest partner ecosystems. Partners use pxGrid to improve endpoint vulnerability remediation, network forensics, and web single sign-on (SSO). Integrated technology partners for EMM, security information and event management (SIEM), and threat defense (TD) all take advantage of the deep contextual identity awareness that Cisco ISE provides to address many more use cases than they could alone and subsequently undertake their functions even more effectively. With the Identity Services Engine, partner platforms can reach deep into the Cisco network infrastructure and implement network actions on users and devices (for example, quarantining smartphones or laptops and blocking network access).

The Identity Services Engine empowers organizations by providing comprehensive policy management, streamlined device onboarding, rich contextual data that can be shared with partner network solutions, and dynamic enforcement to help ensure highly secure wired, wireless, and VPN access. Features and benefits are shown in Table 2.

Table 2.       Features and Benefits

Feature

Benefit

Business-policy enforcement

Provides a rule-based, attribute-driven policy model for creating flexible and business-relevant access control policies. Provides the ability to create fine-grained policies by pulling attributes from predefined dictionaries that include information about user and endpoint identity, posture validation, authentication protocols, profiling identity, or other external attribute sources. Attributes can also be created dynamically and saved for later use.

Offers the ability to integrate with multiple external identity repositories, such as Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), RADIUS, RSA one-time password (OTP), and certificate authorities for both authentication and authorization.

Access control

Provides a range of access control options, including downloadable access control lists (dACLs), VLAN assignments, URL redirections, named ACLs, and security group tags (SGTs) using the advanced capabilities of Cisco TrustSec technology-enabled network devices.

Guest lifecycle management

Provides an all-new streamlined experience for enabling and customizing guest network access. With built-in support for hotspot, sponsored, self-service, and numerous other access workflows, the solution makes it easy to create corporate-branded guest experiences, with ads and promotions, in minutes. The new guest administration Work Center provides real-time visual flows that bring the effects of your design to life right before your eyes. Time limits, account expirations, and SMS verification offer additional security controls, and full guest auditing can track access across your network for security and compliance demands.

Streamlined on- and off-premises device onboarding

Delivers fully customizable and branded user experiences with themes. Offers out-of-the-box workflows that walk users through the onboarding process and provides end users with their own self-service portals to add and manage their devices. Provides automatic supplicant provisioning and certificate enrollment for standard PC and mobile computing platforms. Streamlining device onboarding creates fewer IT help desk cases along with more secure access and an easier, more transparent experience for users. In addition, mobile workers can now onboard their iOS and Android devices through an EMM from outside corporate networks or in the office.

AAA protocols

Uses the standard RADIUS protocol for authentication, authorization, and accounting (AAA). Supports a wide range of authentication protocols, including, but not limited to, PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), and EAP‑Transport Layer Security (TLS). The Identity Services Engine is the only RADIUS server to support EAP chaining of machine and user credentials. EAP chaining is carried inside an EAP-FAST tunnel and requires a supplicant that implements it, such as the AnyConnect Network Access Manager; native OS supplicants authenticate the machine and the user in separate sessions.

Internal certificate authority

Offers organizations an easy-to-deploy internal certificate authority to simplify certificate management for personal devices without adding the significant complexity of an external certificate authority application. The solution offers a single console to manage endpoints and their certificates with the capability to check certificate status through the standards-based Online Certificate Status Protocol (OCSP) and provide automatic certificate revocation when a device is stolen. The internal certificate authority supports standalone and subordinate (that is, with your existing enterprise public key infrastructure, or PKI) deployments.

Device profiling

Ships with predefined device templates for many types of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administrator-defined identities when endpoints connect to the network. Administrators can also associate endpoint-specific authorization policies based on device type.

The solution collects endpoint attribute data with passive network monitoring and telemetry, querying the actual endpoints, or alternatively from the Cisco infrastructure by means of device sensors on Cisco Catalyst® switches.

The infrastructure-driven endpoint-sensing capability on Catalyst switches is a subset of Cisco ISE’s sensing technology. This capability allows the switch to quickly collect endpoint attribute information and then, using standard RADIUS, pass this information to Cisco ISE for endpoint classification and policy‑based enforcement. This switch-based sensing promotes the efficient and distributed collection of endpoint information for increased scalability, deployability, and time to classification.

Device profile feed service

The industry-first device profile feed service supports its out-of-the-box profiling technology by providing automatic updates of Cisco’s validated device profiles for various IP-enabled devices from multiple vendors. The feed service also offers a mechanism where partners and customers can share their own customized profile information to be vetted by Cisco and redistributed. With these automatic updates, enterprises have the capability to detect all of the newest devices when their users try to connect them to the network. This simplifies the task of keeping up with the multitude of new devices coming out every week and reduces a significant amount of support that the IT administrators need to provide.

Endpoint posture

Performs endpoint posture assessment for PCs and mobile devices connecting to the network. Works through a persistent client-based agent, a temporary web agent, or a query to an external EMM system to validate that an endpoint conforms to a company’s posture policies. Provides the ability to create powerful policies that include, but are not limited to, checks for the latest OS patches, antivirus and antispyware software packages with current definition-file attributes (version, date, etc.), registry entries (key, value, etc.), mobile PIN-lock or rooted/jailbroken status, and application presence. Also supports auto-remediation of PC clients as well as periodic reassessment alongside leading enterprise patch-management systems to make sure the endpoint does not fall out of compliance after admission. Can now use endpoint state from an external EMM system to apply different policies to remotely connected mobile platforms.

Ecosystem with pxGrid

pxGrid is a robust context-sharing platform within Cisco ISE that delivers a deeper level of contextual data, collected by Cisco ISE, to external and internal ecosystem partner solutions in order to accelerate these solutions’ capabilities across the network. From endpoint vulnerability assessment to web single sign-on, the list of ecosystem partners who are taking advantage of the simple unified framework continues to expand.

Ecosystem Integration: EMM

Connects with EMM technology partner solutions to help ensure that mobile devices trying to connect to the network have registered with the EMM platform and are compliant with enterprise policy. Helps users remediate their devices. Compliance checks include, but are not limited to, checks for device encryption, PIN lock, and jailbroken status.

Ecosystem Integration: SIEM and TD

Helps SIEM and TD partners supplement their networkwide security event visibility with contextual information about user and device identities, network authorization levels, and security posture. Hunting down misbehaving devices on the network is no longer a months-long forensic event; instead, partners gain real-time visibility with security actions that can be taken directly from inside the administrator panel.

Ecosystem Integration: Web security

Allows enterprises who use the Cisco Web Security Appliance to enhance web access policies with user and device awareness from Cisco ISE. This enables the creation of device- and user-specific web access policies as well as the opportunity to learn valuable end-user behavioral data for continuous policy improvement.

Ecosystem Integration: Control and SCADA operational and security policy integration

Helps enable highly secure access and management of control and supervisory control and data acquisition (SCADA) network devices. Cisco ISE provides context and control for control and SCADA policy managers, leading to easier identification of rogue devices as well as faster remediation and isolation of the device in the event of compromise.

Ecosystem Integration: Simplified network troubleshooting and forensics

Allows packet capture systems to use contextual data collected by Cisco ISE to associate users, devices, and user roles to the packet data captured. Because packet captures are often vital to threat and network issue investigations, linking the contextual data with packet capture simplifies network troubleshooting and accelerates forensic investigations.

Ecosystem Integration: Endpoint vulnerability remediation

Knowing how and what to prioritize on a network vulnerability report is extremely difficult. Sharing contextual data from Cisco ISE with vulnerability reporting better identifies and prioritizes the endpoint vulnerabilities in need of investigation and helps users take remediation action quickly.

Ecosystem Integration: Risk-based, adaptive authentication and single sign-on

Enables context-driven user authentication and web application authorization. Provides the capability to decrease and even eliminate authentication challenges entirely based on fine-grained policy created by a combination of federated identity, authentication risk factors, and contextual data provided by the Identity Services Engine. With the proliferation of mobile devices used by employees to access business assets, user authentication - while vital for security - is cumbersome. This integration allows users to be transparently authenticated to business assets without repeated challenges while preventing access to cloud assets based on risk levels.

Ecosystem Integration: Network and application performance management

Provides deep contextual visibility into either network devices or software applications to allow performance monitors to quickly diagnose and resolve operational bottlenecks or application issues and maintain high levels of user service.

Ecosystem Integration: Cloud security access brokers

Provides enterprises with deeper contextual visibility into cloud services usage as well as the capabilities to implement more dynamic security controls over access to these cloud resources.

Extensive multiforest Active Directory support

Provides comprehensive authentication and authorization against multiforest Microsoft Active Directory domains. Can group multiple disjointed domains into logical groups for simplified configuration of complex Active Directory topologies to support ever-changing business environments. Also supports flexible identity rewriting rules to enable smooth transition and integration.

Supports Microsoft Active Directory 2003, 2008, 2008R2, 2012, and 2012R2.

Endpoint protection service

Allows administrators to quickly take corrective action (quarantine, un-quarantine, or shut down) on risk-compromised endpoints within the network. This helps to reduce risk and increase security in the network.

Centralized management

Helps administrators centrally configure and manage profiler, posture, guest, authentication, and authorization services in a single web-based GUI console, and greatly simplifies administration by providing integrated management services from a single pane of glass.

Monitoring and troubleshooting

Includes a built-in web console for monitoring, reporting, and troubleshooting to assist helpdesk and network operators in quickly identifying and resolving issues. Offers robust historical and real-time reporting for all services, logging of all activities, and real-time dashboard metrics of all users and endpoints connecting to the network.

Platform options

Available as a physical or virtual appliance. There are two physical platforms as well as a VMware ESX- or ESXi-based appliance. Both physical and virtual form factors can be used to create Identity Services Engine clusters to serve larger organizations and provide the necessary scale, redundancy, and failover required of a critical enterprise business system.
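The Access control and AAA protocols rows in Table 2 describe authorization results (VLAN assignment, named ACL, dACL, URL redirection, and TrustSec SGT) that ISE returns to the network access device inside a RADIUS Access-Accept. The following Python script is an added example, not Cisco code and not part of this data sheet. It builds a constructed Access-Accept carrying those results in the encodings Cisco devices consume (RFC 2868 tunnel attributes for the VLAN, Filter-Id for a named ACL, and Cisco AV-pairs under vendor ID 9 for the rest), then does what a switch or controller must do before trusting the reply: verify the Response Authenticator against the shared secret and only then decode the attributes. The shared secret, request authenticator, ACL names, VLAN name, portal hostname, and session ID are made-up test values.

```python
"""Build and decode a RADIUS Access-Accept carrying ISE-style authorization results.
Added example; constants follow RFC 2865/2868 and Cisco's AV-pair conventions."""
import hashlib
import struct

ACCESS_ACCEPT = 2
FILTER_ID, VENDOR_SPECIFIC = 11, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(atype, value):
    """Encode one IETF attribute: Type (1 byte) | Length (1 byte) | Value."""
    return bytes([atype, 2 + len(value)]) + value


def cisco_avpair(text):
    """Encode a Cisco AV-pair: Vendor-Specific (26) -> vendor ID 9 -> vendor type 1."""
    data = text.encode()
    vsa = struct.pack(">I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(data)]) + data
    return attr(VENDOR_SPECIFIC, vsa)


def build_access_accept(ident, request_auth, secret, attrs):
    """Server side (RFC 2865): ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def response_authenticator_ok(packet, request_auth, secret):
    """NAD side: recompute the authenticator over the received packet and compare."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_authorization(packet, request_auth, secret):
    """Verify the reply, then walk the attribute TLVs and collect the enforcement results."""
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    if not response_authenticator_ok(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    result = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype == FILTER_ID:
            result["named_acl"] = value.decode()      # Cisco reads "<name>.in" as an inbound named ACL
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00-0x1F is a tag grouping the tunnel attributes
            if value and value[0] <= 0x1F:
                value = value[1:]
            result["vlan"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack(">I", value[:4])[0]
            if vendor_id != CISCO_VENDOR_ID or value[4] != CISCO_AVPAIR:
                continue
            key, _, val = value[6:4 + value[5]].decode().partition("=")
            if key == "ACS:CiscoSecure-Defined-ACL":
                result["dacl"] = val                     # name only; the switch downloads the ACL separately
            elif key == "url-redirect":
                result["url_redirect"] = val
            elif key == "url-redirect-acl":
                result["url_redirect_acl"] = val
            elif key == "cts:security-group-tag":
                tag_hex, _, generation = val.partition("-")   # "<tag hex>-<generation>"
                result["sgt"] = int(tag_hex, 16)
                result["sgt_generation"] = generation
    return result


# Constructed sample values; none of these come from a real deployment.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(
    ident=7, request_auth=REQUEST_AUTH, secret=SECRET,
    attrs=[
        attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big")),        # tag 1, Tunnel-Type = VLAN
        attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big")),  # tag 1, Tunnel-Medium-Type = IEEE-802
        attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01EMPLOYEE_VLAN"),         # tag 1, VLAN name
        attr(FILTER_ID, b"EMPLOYEE_ACL.in"),
        cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL-0123abcd"),
        cisco_avpair("url-redirect-acl=REDIRECT_ACL"),
        cisco_avpair("url-redirect=https://ise.example.com:8443/portal/gateway?sessionId=0A0A0A0A00000001&portal=guest"),
        cisco_avpair("cts:security-group-tag=0010-00"),
    ],
)


def demo():
    """Decode the constructed sample as the NAD would."""
    return parse_authorization(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:17} {val}")
```

The authenticator check is the security-relevant step: an attacker on the path between NAD and ISE who does not hold the shared secret cannot forge an Access-Accept that moves a session into the employee VLAN or attaches a permit-all dACL, and a mismatch should be logged and the reply dropped rather than partially applied. Note also that the dACL AV-pair carries only the ACL name; the switch fetches the ACL contents from ISE in a separate RADIUS exchange, which is why a URL-redirect ACL and a dACL can be returned together.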

Product Specifications

The two hardware options for the Identity Services Engine are outlined in Table 3.

Table 3.       Hardware Specifications

Platforms compared: Cisco Secure Network Server 3415 (Small) and Cisco Secure Network Server 3495 (Large).

Processor
  SNS 3415: 1 x Intel® Xeon® quad-core 2.4-GHz E5-2609
  SNS 3495: 2 x Intel Xeon quad-core 2.4-GHz E5-2609

Memory
  SNS 3415: 16 GB
  SNS 3495: 32 GB

Hard disk
  SNS 3415: 1 x 600-GB 6-Gb SAS 10K RPM
  SNS 3495: 2 x 600-GB 6-Gb SAS 10K RPM

RAID
  SNS 3415: No
  SNS 3495: Yes (RAID 1)

CD/DVD-ROM drive
  Both platforms: No

Network Connectivity

Ethernet NICs
  Both platforms: 4 x integrated gigabit NICs

10/100/1000BASE-TX cable support
  Both platforms: Category 5 UTP up to 328 ft (100 m)

Secure Sockets Layer (SSL) accelerator card
  SNS 3415: None
  SNS 3495: Cavium CN1620-400-NHB-G

Interfaces

Front panel connector
  Both platforms: 1 x KVM console connector (supplies 2 USB, 1 VGA, and 1 serial connector)

Additional rear connectors
  Both platforms: a VGA video port, 2 USB 2.0 ports, an RJ45 serial port, 1 Gigabit Ethernet management port, and dual 1 Gigabit Ethernet ports

System Unit

Form factor
  Both platforms: Rack-mount 1 rack unit (1RU)

Weight
  SNS 3415: 35.6 lb (16.2 kg)
  SNS 3495: 26.8 lb (12.1 kg); 35 lb (15.87 kg) fully configured

Dimensions (H x W x L)
  Both platforms: 1.7 x 16.9 x 28.5 in. (4.32 x 43 x 72.4 cm)

Power supply
  SNS 3415: 650W
  SNS 3495: Dual 650W (redundant)

Cooling fans
  Both platforms: 5

Temperature: Operating
  Both platforms: 32 to 104°F (0 to 40°C) (operating, sea level, no fan fail, no CPU throttling, turbo mode)

Temperature: Nonoperating
  Both platforms: -40 to 158°F (-40 to 70°C)

Platform Support and Compatibility

Identity Services Engine virtual appliances are supported on VMware ESX/ESXi 4.x and 5.x and should be run on hardware that equals or exceeds the configurations of the physical platforms listed in Table 3. The solution requires the virtual target to have at least 4 GB of memory and at least 200 GB of hard drive space available.

Posture Assessment System Requirements

System requirements for the Cisco AnyConnect 4.x Agent, used for posture assessment, are the following:

   Microsoft Windows 7, 8, or 8.1 (32-bit or 64-bit)

   Mac OS X 10.7, 10.8, or 10.9

Licensing

Currently, six license packages are available (see Table 4). Cisco support services for the Base licenses are tied to Cisco SMARTnet Software Application Support plus Upgrades contracts. Cisco support services for the various term-based licenses are included in the individual term license for the duration of the license.

Table 4.       License Packages

Each entry gives the license package or bundle, its focus, whether it is perpetual or a subscription (with the terms available), and notes.

Base
  Focus: Provides highly secure access
  Term: Perpetual
  Notes: -

Plus
  Focus: Provides context about endpoints for more detailed access policies
  Term: Subscription (1, 3, or 5 years)
  Notes: Does not include Base services; Base licenses are required to install Plus licenses

Apex
  Focus: Provides context and compliance details about endpoints for more detailed access policies
  Term: Subscription (1, 3, or 5 years)
  Notes: Does not include Base or Plus services; Base licenses are required to install Apex licenses. Please note that AnyConnect® Apex user licenses are required in addition to Identity Services Engine Apex licenses when making use of AnyConnect unified agent services across wired, wireless, and VPN.

Mobility
  Focus: Delivers complete Identity Services Engine services for wireless and VPN endpoints only
  Term: Subscription (1, 3, or 5 years)
  Notes: Please note that AnyConnect Apex user licenses are required in addition to Identity Services Engine Mobility licenses when making use of AnyConnect unified agent services.

Mobility Upgrade
  Focus: Helps enable wired endpoint support for Wireless license deployments
  Term: Subscription (1, 3, or 5 years)
  Notes: See the Cisco Identity Services Engine License Ordering Guidelines section for quantity requirements.

Express
  Focus: Entry-level VM license bundle for small guest deployments
  Term: Perpetual
  Notes: Bundle includes 1 Identity Services Engine virtual appliance and 150 Base licenses for guest services. The virtual appliance is for a single-site deployment (non-distributed, no high availability).

Evaluation
  Focus: Limited use of product for presales customer evaluation
  Term: Temporary (90 days)
  Notes: Full functionality is provided for 100 endpoints.

Ordering Information

To place an order, visit the Cisco Ordering Home Page. To download the Identity Services Engine software, visit the Cisco Software Center.

Service and Support

Cisco offers a wide range of service programs. These innovative programs are delivered through a combination of people, processes, tools, and partners that results in high levels of customer satisfaction. Cisco Services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Security Services.

Warranty information is found at: http://www.cisco.com/go/warranty. Licensing information is available at: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-licensing-information-listing.html.

Cisco Capital

Financing to Help You Achieve Your Objectives

Cisco Capital® can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx. Accelerate your growth. Optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more.

For More Information

For more information about the Cisco ISE and the Cisco TrustSec solution, visit http://www.cisco.com/go/ise or contact your local account representative.