Cisco Identity Services Engine User Guide, Release 1.1.x



Also known as dot1X, 802.1X is an IEEE standard for port-based network access control. Per this standard, the Extensible Authentication Protocol (EAP) is used for communication between the client and the authenticator (switches, wireless access points).
802.1X-REV is a revision of the 802.1X standard that adds encryption and secure key exchange, allowing secure communication between authenticated and authorized devices. The 802.1X-REV feature includes the 802.1AE MAC Security (MACSec) encryption as well as the 802.1af MACSec Key Agreement (MKA) protocol.

Combined authentication, authorization, and accounting processes that are found in a management framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information that is necessary to bill for services. These three processes are considered essential for effective network management and security. Typically, a server-based system in IP-based networking, AAA controls what computer resources users have access to, and manages and audits the activity of users over a network.
AAA client IP address
An IP address of the AAA client, used to configure the AAA client in the Cisco Identity Services Engine (Cisco ISE) to interact with the network device. To represent multiple network devices, specify multiple IP addresses. Separate each IP address by pressing the Enter key.
AAA server
A server program that manages user requests for access to computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers, as well as with databases and directories that contain user information. The current standard by which devices or applications communicate with a AAA server is RADIUS.
The capability to get to what you need. Data access is being able to get to (usually having permission to use) particular data on a computer.
access control
Ensures that resources are only granted to those users who are entitled to them.
access control list (ACL)
A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.
access control service
A security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets.
access control system (ACS)
A AAA server that performs authentication, authorization, and accounting to manage devices in a network.
access policies
The policies that limit access to the Cisco ISE web interface by IP address, TCP port range, and Secure Sockets Layer (SSL).
The capability of Cisco ISE to record user sessions in a log file.
Active Directory
Active Directory is a Microsoft implementation of LDAP directory services for use in Windows-based environments. Active Directory provides administrators with the means for assigning network wide policies, deploying programs to many computer systems concurrently, and applying critical updates to an entire organization. Active Directory stores information and settings related to an organization in a centralized and accessible database.
Administration Persona
Administrative service running on Cisco ISE that allows you to administer and maintain Cisco ISE.
administrative operations
A set of operations that you must perform to effectively deploy and manage the Cisco ISE servers in your network.
Accessibility design requirements. Provides detail on how to design accessible products, websites, and documentation.
Advanced encryption standard. A Federal Information Processing Standard (FIPS) publication that specifies a cryptographic algorithm for use by U.S. government organizations to protect sensitive (unclassified) information. This standard specifies Rijndael as a FIPS-approved symmetric encryption algorithm that may be used by U.S. government organizations (and others) to protect sensitive information.
allowed protocols access service
Allowed protocols access service is a configurable object that contains a set of protocols that Cisco ISE uses to communicate with the device that requests access to your network resources.
anchored overlay
A stationary pop-up dialog that simplifies specifying multiple options for a particular function. An anchored overlay is typically linked to a specific user interface function-related element.
anonymous (LDAP)
An LDAP session is described as anonymous if no user distinguished name or secret is supplied when initiating the session (sending the bind).
antivirus
A software program that is designed to identify and remove a known or potential computer virus.
Access point. The hub of a wireless network. Wireless clients connect to the access point, and traffic between two clients must travel through the access point.
Application programming interface. The specific methodology by which a programmer writing an application program may make requests of the operating system or another application.
A Java program; an application program that uses the client web browser to provide a user interface.
Address resolution protocol. A protocol for mapping an IP address to a physical machine address that is recognized in the local network. A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
Advanced Research Projects Agency Network. A pioneer packet-switched network that was built in the early 1970s under contract with the US government. It led to the development of the modern Internet, and was decommissioned in June 1990.
Asymmetric Key Exchange
Asymmetric or public key cryptography is based on the concept of a key pair. Each half of the pair (one key) can encrypt information so that only the other half (the other key) can decrypt it. One part of the key pair, the private key, is known only by the designated owner; the other part, the public key, is published widely but is still associated with the owner.
attribute (LDAP)
The data in an entry is contained in attribute-value pairs. Each attribute has a name (and sometimes a short form of the name) and belongs to an objectClass. The attribute's characteristics are fully described by an ASN.1 definition. One or more objectClasses may be included in a schema. Depending on the ASN.1 definition of the attribute, there can be more than one attribute-value pair of the same named attribute in an entry. One or more attributes, the naming attribute or RDN, always uniquely identify an entry.
The information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.
authenticated (LDAP)
A session is described as authenticated if a user distinguished name and secret are supplied when initiating the session (sending the bind).
The process of confirming the correctness of the claimed identity.
Authenticator (AT)
A device that is already part of a trusted network.
The validity and conformance of the original information.
The approval, permission, or empowerment for someone or something to do something.
authorization profile
The basic “permissions container” for a RADIUS-based network access service. The authorization profile is where you define all permissions to be granted for a network access request. VLANs, ACLs, URL redirects, session timeout or reauthorization timers, or any other RADIUS attributes to be returned in a response are defined in the authorization profile.
Authorization Server (AS)
An AAA server, such as Cisco ISE, that provides authentication and authorization services.


basic authentication
The simplest web-based authentication scheme that works by sending the username and password with each request.
Berkeley Internet Name Domain. An implementation of DNS. DNS is used for domain-name-to-IP-address resolution.
bind (LDAP)
When a connection is made to an LDAP server, the first operation of the sequence is called a bind. The bind operation sends the distinguished name of the entry that will be used for authentication and the password to be used. In the case of an anonymous bind, both values will be NULL.
block cipher
Encrypts one block of data at a time.
A product that connects a LAN to another LAN that uses the same protocol (for example, Ethernet or Token Ring).
To simultaneously send the same message to multiple recipients; one host to all hosts on a network.
broadcast address
An address that is used to broadcast a datagram to all hosts on a given network using the UDP or ICMP protocol.
A client computer program that can retrieve and display information from servers on the World Wide Web.


A certificate authority. An authority in a network that issues and manages security credentials and public keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information that is provided by the requestor of a digital certificate. If the RA verifies the information of the requestor, the CA can then issue a certificate.
CA signature
A digital code that vouches for the authenticity of a digital certificate. The CA signature is provided by the certificate authority (CA) that issued the certificate.
A special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.
Digital representation of user or device attributes, including a public key, which is signed with an authoritative private key.
certificate authentication profile
Certificate authentication profiles are identity sources that are used in certificate-based authentications to verify the authenticity of users.
certificate-based authentication
The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic.
Common gateway interface. This mechanism is used by HTTP servers (web servers) to pass parameters to executable scripts in order to generate responses dynamically.
Challenge-Handshake Authentication Protocol. A protocol that uses a challenge-response authentication mechanism where the response varies with every challenge to prevent replay attacks.
CHAP is an authentication technique where, after a link is established, a server sends a challenge to the requestor. The requestor responds with a value that is obtained by using a one-way hash function. The server checks the response by comparing it with its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated.
A common authentication technique whereby an individual is prompted (the challenge) to provide some private information (the response). Most security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.
A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data.
A cryptographic algorithm for encryption and decryption. The method is used to transform a readable message (called plaintext or cleartext) into an unreadable, scrambled, or hidden message (called ciphertext).
The encrypted form of the message being sent. Ciphertext is data that has been encrypted. It is the output of the encryption process and can be transformed back into a readable form (plaintext) with the appropriate decryption key.
A system entity that requests and uses a service that is provided by another system entity, called a server. In some cases, the server may itself be a client of some other server.
Describes the relationship between two computer programs in which one program, the client, makes a service request from another program, the server, which fulfills the request. Although the client/server idea can be used by programs within a single computer, it is a more important idea in a network. In a network, the client/server model provides a convenient way to interconnect programs that are distributed efficiently across different locations.
Common name is one of the attributes listed in an LDAP directory entry.
RADIUS Change of Authorization provides a mechanism to change the attributes of a session after it is authenticated. When there is a change in policy for a user or user group in AAA, you can send the RADIUS CoA packets from the AAA server such as Cisco ISE to reinitialize authentication and apply the new policies.
Occurs when multiple systems transmit simultaneously on the same wire.
community string
A character string that is used to identify valid sources for Simple Network Management Protocol (SNMP) requests, and to limit the scope of accessible information. Ravlin units use a community string, much like a password, to allow only a limited set of management stations to access their MIB.
computer network
A collection of host computers together with the subnetwork or internetwork through which they can exchange data.
The need to ensure that information is disclosed only to those who are authorized to view it.
configuration management
The process of establishing a known baseline condition and managing it.
Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use. An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections.
Class of service. A way of managing traffic in a network by grouping similar types of traffic (for example, email, streaming video, voice, large document file transfer) and treating each type as a class with its own level of service priority.
Reactive methods that are used to prevent an exploit from successfully occurring once a threat has been detected. Intrusion prevention systems (IPSs) commonly employ countermeasures to prevent intruders from gaining further access to a computer network. Other countermeasures are patches, access control lists, and malware filters.
covert channels
The means by which information can be communicated between two parties in a covert fashion by using normal system operations. For example, changing the amount of hard-drive space that is available on a file server can be used to communicate information.
Certificate revocation list. A list of certificates (more accurately: their serial numbers) that have been revoked and are no longer valid, and should not be relied upon by any system user.
Create, read, update, and delete. The basic management operations that are performed on managed data.
The mathematical science that deals with analysis of a cryptographic system in order to gain knowledge that is needed to break or circumvent the protection that the system is designed to provide. In other words, to convert the ciphertext to plaintext without knowing the key.
cryptographic algorithm or hash
An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, the Digital Signature Algorithm (DSA), and key agreement algorithms.
Garbles a message in such a way that anyone who intercepts the message cannot understand it.
Cascading style sheet. A web page that is derived from multiple sources with a defined order of precedence where the definitions of any style element conflict.
Comma-separated value. This file format is a delimited data format that has fields separated by the comma character and records separated by new lines.
Common user experience
A method of switching where only the header of a packet is read before it is forwarded to its destination.


A program that is often started at the time when the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. Daemons are supported by many operating systems, even if the original UNIX term is not. Windows, for example, refers to daemons as system agents and services.
A dashlet is a UI container that displays a variety of widgets, such as text, form elements, tables, charts, tabs, and nested content modules.
Request for Comment 1594 says, “a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network.” The term has been generally replaced by the term “packet.” Datagrams or packets are the message units that the IP processes with and that the Internet transports. A datagram or packet needs to be self-contained without reliance on earlier exchanges because there is no connection of fixed duration between the two communicating points as there is, for example, in most voice telephone conversations. (This kind of protocol is referred to as connectionless.)
The process of stripping off the headers of one layer and passing the rest of the packet up to the next, higher layer on the protocol stack.
The process of transforming an encrypted message into its original plaintext.
The ability to click a sparkline on the Cisco ISE dashboard to automatically display a granular report of that data.
denial of service
The prevention of authorized access to a system resource, or the delaying of system operations and functions.
Data Encryption Standard. A widely used method of data encryption using a private (secret) key. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
device administration
Capability to control and audit the administration operations that are performed on network devices. The network device administrator role has full access to perform the administrative operations on network devices.
A store to configure attributes of the RADIUS protocol, internal users, and internal hosts.
dictionary attack
An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words, compared to a brute force attack that tries all possible combinations.
A key agreement algorithm that was published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.
Digest Authentication
Allows a web client to compute MD5 hashes of the password to prove it has the password.
digital certificate
An electronic “credit card” that establishes your credentials when doing business or other transactions on the web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the public key of the certificate holder (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
digital envelope
An encrypted message with the encrypted session key.
digital signature
A hash of a message that uniquely identifies the sender of the message and proves the message has not changed since transmission.
The process of taking a binary program and deriving the source code from it.
A circumstance or event that interrupts or prevents the correct operation of system services and functions.
Directory information tree (also known as the naming context). The hierarchy of objects that make up the local directory structure. More than one DIT may be supported by an LDAP server. The Root DSE will provide this information.
Dynamic link library. A collection of small programs, any of which can be called when needed by a larger program that is running in the computer. The small program that lets the larger program communicate with a specific device such as a printer or scanner is often packaged as a DLL program (usually referred to as a DLL file).
Distinguished name. A DN is composed of a series of RDNs that uniquely describe the naming attributes on the path up the DIT from the required entry to the directory root. A DN is written left to right.
Domain Name System. The way that Internet domain names are located and translated into IP addresses. A domain name is a meaningful and easy-to-remember “handle” for an Internet address.
A sphere of knowledge, or a collection of facts about some program entities or a number of network points or addresses, identified by a name. On the Internet, a domain consists of a set of network addresses. In the Domain Name System (DNS) of the Internet, a domain is a name with which name server records are associated that describe subdomains or hosts. In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so on) for a group of users. The user only needs to log into the domain to gain access to the resources, which may be located on many different servers in the network.
domain name
Locates an organization or other entity on the Internet. For example, the domain name “” locates an Internet address for “” at Internet point and a particular host server named “www.” The “org” part of the domain name reflects the purpose of the organization or entity (in this example, “organization”) and is called the top-level domain name. The “sans” part of the domain name defines the organization or entity and, together with the top-level name, is called the second-level domain name.
Digital Signature Algorithm. An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified.
DSA Directory System Agent
X.500 term for any DAP- or LDAP-enabled directory service; for example, an LDAP server.
DSE DSA Specific Entry
An entry in a local directory server.
Digital Signature Standard. The U.S. government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.


Extensible Authentication Protocol. A protocol for wireless networks that expands on the authentication methods used by the PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. EAP-FAST is compliant with IEEE 802.1X and IEEE 802.11i. Like all EAP types, EAP-FAST can be used with WPA and WPA2 networks.
Extensible Authentication Protocol-Message Digest 5. An EAP security algorithm developed by RSA Security that uses a 128-bit generated number string, or hash, to verify the authenticity of a data communication.
Extensible Authentication Protocol-Transport Layer Security. A high-security version of EAP that requires authentication from both the client and the server. If one of them fails to offer the appropriate authenticator, the connection is terminated. Used to create a secured connection for 802.1X by preinstalling a digital certificate on the client computer. EAP-TLS is the protocol that serves for mutual authentication and integrity-protected cipher suite negotiation and key exchange between a client and server. Both the client and the server use X.509 certificates to verify their identities to each other.
Listening to a private conversation that may reveal information that can provide access to a facility or network.
A user role with privileges to edit all parts of the Cisco ISE user interface, with the exception of delete privileges for network resources.
Egress is the point at which a data packet leaves a trusted network, where the security group tag (SGT) is removed from the packet and the egress policy is applied.
egress filtering
Filtering outbound traffic.
The inclusion of one data structure within another structure so that the first data structure is hidden for the time being.
Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data's original meaning to prevent it from being known or used.
An endpoint is a network-capable device connecting to your enterprise network that can use the resources on your network.
entry (LDAP)
The name given to a stored object in an LDAP-enabled directory. Each entry has one parent entry (object) and zero or more child entries (objects). The data content of an entry consists of one or more attributes, one or more of which are used as the naming attribute (more correctly, the RDN) to uniquely identify this object in the DIT.
equality (LDAP)
Equality defines the comparison rule of an attribute when used in a search filter that contains no wildcards, and both the content and length must be exactly the same. When wildcards are used, this is called a substring and the SUBSTR rule is used.
The most widely installed LAN technology. Specified in a standard, IEEE 802.3, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access using a CSMA/CD protocol.
An observable occurrence in a system or network.
exception action
A single configurable action triggered if a set of conditions do not match.
Exponential Backoff Algorithm
Used to adjust TCP timeout values on the fly so that network devices do not continue to time out while sending data over saturated links.
A threat action whereby sensitive data is directly released to an unauthorized entity.
expression builder
A pop-up dialog box that simplifies creating expressions by allowing you to make selections from menus and other pop-up dialogs.
extended ACLs
A more powerful form of standard ACLs on Cisco routers. They can make filtering decisions based on IP addresses (source or destination), ports (source or destination), protocols, and whether a session is established.
external identity source
External databases that Cisco ISE accesses to perform credential and authentication validations for internal and external users (as defined by you within a policy).
external user
A user defined in an external identity source.


false rejects
When an authentication system fails to recognize a valid user.
Used to specify which packets will or will not be used. It can be used in sniffers to determine which packets get displayed, or by firewalls to determine which packets get blocked.
filtering router
An inter-network router that selectively prevents the passage of data packets according to a security policy. A filtering router may be used as a firewall or part of a firewall. A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy. The policy is implemented by rules (packet filters) loaded into the router.
A TCP/IP fragmentation attack that is possible because IP allows packets to be broken down into fragments for more efficient transport across various media. The TCP packet (and its header) are carried in the IP packet. In this attack, the second fragment contains an incorrect offset. When the packet is reconstructed, the port number is overwritten.
The process of storing a data file in several “chunks” or fragments rather than in a single contiguous sequence of bits in one place on the storage medium.
Data that is transmitted between network points as a unit complete with addressing and necessary protocol control information. A frame is usually transmitted serially, bit by bit, and contains a header field and a trailer field that “frame” the data. (Some control frames contain no data.)
File Transfer Protocol. A TCP/IP protocol specifying the transfer of text or binary files across the network.
full duplex
A type of duplex communications channel which carries data in both directions at once. Refers to the transmission of data in two directions simultaneously. Communications in which both sender and receiver can send at the same time.
fully qualified domain name
A server name with a hostname followed by the full domain name.


A network point that acts as an entrance to another network.
global system options
Configuring EAP-TTLS, PEAP, and EAP-FAST run-time characteristics and generating EAP-FAST PAC.
guest user
A guest user is the person who needs a guest user account to access the network temporarily.


hash functions
Used to generate a one-way “checksum” for a larger text, which is not trivially reversed. The result of this hash function can be used to validate whether a larger file has been altered, without having to compare the larger files to each other. Frequently used hash functions are MD5 and SHA1.
The extra information in a packet that is needed for the protocol stack to process the packet.
A user role with read-only privileges for the Cisco ISE dashboard, as well as for alarms within Monitor and Report.
Any computer that has full two-way access to other computers on the Internet. Or a computer with a web server that serves the pages for one or more Web sites.
Host-Based ID
Host-based intrusion detection systems use information from the operating system audit records to watch all operations occurring on the host that the intrusion detection software has been installed upon. These operations are then compared with a predefined security policy. This analysis of the audit trail imposes potentially significant overhead requirements on the system because of the increased amount of processing power which must be utilized by the intrusion detection system. Depending on the size of the audit trail and the processing ability of the system, the review of audit data could result in the loss of a real-time analysis capability.
Hypertext Markup Language. The set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page.
Hypertext Transfer Protocol. The protocol in the Internet Protocol (IP) family used to transport hypertext documents across an internet.
Hypertext Transfer Protocol over Secure Sockets Layer, or HTTP over SSL. HTTPS is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL. HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP, and adds an encryption/authentication layer between HTTP and TCP.
A network device that operates by repeating data that it receives on one port to all the other ports. As a result, data transmitted by one host is retransmitted to all other hosts on the hub. The central device in a star network, whether wired or wireless. Wireless access points act as hubs in wireless networks.
hybrid attack
Builds on the dictionary attack method by adding numerals and symbols to dictionary words.
hybrid encryption
An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption.


Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while localization is the addition of special features for use in a specific locale.
identity
Who someone or what something is, for example, the name by which something is known.
A user role with privileges to add, update, and delete entries in the internal ISE identity stores, including internal users and hosts.
identity groups
A logical entity that is associated with all types of users and hosts.
identity source

A database such as internal users, AD, LDAP, and so on that Cisco ISE uses to obtain user information for authentication.

identity source sequence

An object that contains a set of identity sources that Cisco ISE will look up for user information for authentication. Cisco ISE searches these identity sources in the order in which they are defined in this sequence.

IETF
Internet Engineering Task Force. The body that defines standard Internet operating protocols such as TCP/IP. The IETF is supervised by the Internet Society Internet Architecture Board (IAB). IETF members are drawn from the Internet Society's individual and organization membership.
incremental backup
A scheduled job that allows users to take smaller, periodic backups of the Monitoring & Report Viewer database.

ingress
Ingress is the point at which a data packet encounters the first security group access (SGA)-capable device on its path to the destination, where it is tagged with a security group tag (SGT).

inline PEP

Inline Policy Enforcement Point (IPEP) is a gatekeeping node that is positioned behind wireless LAN controllers (WLC) and Virtual Private Network (VPN) concentrators on the network.

integrity
The need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.
internal identity sources
A database that contains the internal user attributes and credential information used to authenticate internal users and endpoints.
internal user
A user defined in the internal identity source.
interrupt
A signal that informs the OS that something has occurred.
intrusion detection
A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
IP
Internet Protocol. The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet.
IP address
A computer's inter-network address that is assigned for use by the Internet Protocol and other protocols. An IPv4 address is written as a series of four 8-bit numbers separated by periods.
IP flood
A denial of service attack that sends a host more echo request (“ping”) packets than the protocol implementation can handle.
IP forwarding
An operating system option that allows a host to act as a router. A system that has more than one network interface card must have IP forwarding turned on to be able to act as a router.
IP spoofing
The technique of supplying a false IP address.
IPSec
Internet Protocol Security. A developing standard for security at the network or packet processing layer of network communication.
ISO
International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations.
ISP
Internet service provider. A business or organization that provides consumers with access to the Internet and related services. In the past, most ISPs were run by the phone companies.


Java
An object-oriented programming language developed by Sun Microsystems. The Java language was designed to be elegantly concise, allowing it to be portable across platforms and operating systems at both source and binary levels.
JRE
Java Runtime Environment. A software bundle that allows a computer system to run a Java application.


Kerberos
A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement a ticket-based, peer entity authentication service and access control service distributed in a client-server network environment.
key
In cryptography, a key is a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text, or to decrypt encrypted text. The length of the key is a factor in how difficult it will be to decrypt the text in a given message.


Layer 2 Forwarding Protocol (L2F)
An Internet protocol (originally developed by Cisco) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user.
Layer 2 Tunneling Protocol (L2TP)
An extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet.
LDAP client
LDAP client describes a piece of software that provides access to an LDAP server. Most standard web browsers provide limited LDAP client capabilities using LDAP URLs. LDAP browsers and web interfaces are both very common examples of LDAP clients.
Lightweight Directory Access Protocol (LDAP)
LDAP is a networking application protocol for querying and modifying data using directory services running over TCP/IP. The LDAP protocol is used to locate organizations, individuals, and other resources such as files and devices in a network, on the public Internet or on a corporate intranet.
Local Operations (secondary servers only)
The operations performed to register or deregister a secondary server, or to replicate a secondary server and a request for a local mode from the Join a Distributed System page.
Log Configuration

A system that uses logging categories and maintenance parameters that enable you to configure and store the logs generated for accounting messages, AAA audit and diagnostics messages, system diagnostics messages, and administrative audit messages.


MAC Address
A physical Media Access Control address, which is a numeric value or identifier assigned by the manufacturer that uniquely identifies a network device from every other device of this type.
matchingRule (LDAP)
The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definition that usually contains an OID, a name (for example, caseIgnoreMatch), and the data type it operates on (for example, DirectoryString).
A one-way cryptographic hash function.
metric meter
A type of widget that provides an at-a-glance view of data depicting network activity. Sparklines and stack bars convey the number of instances that have occurred over a designated period of time, such as the last 60 minutes or 24 hours.
MIB (Management Information Base)
A MIB is a formal description of a set of network objects that can be managed using Simple Network Management Protocol (SNMP).
monitoring and reporting
Cisco ISE features that allow you to monitor the state and health of the network and its devices, and generate reports of various types.
MPPE (Microsoft Point-to-Point Encryption)
A protocol for encrypting data across PPP (Point-to-Point Protocol) and Virtual Private Network links.


name space (LDAP)
Term used to describe all DNs that lie in (or are contained within or bounded by) a given directory information tree (DIT). If the DIT root is dc=example,dc=com, then cn=people,dc=example,dc=com is said to lie in the name space but ou=people,dc=example,dc=net does not; it lies in the dc=example,dc=net name space.
naming attribute (LDAP)
A unique identifier for each entry in the directory information tree (DIT). Also known as the Relative Distinguished Name (RDN).
naming context (LDAP)
A unique name space starting from (and including) the root Distinguished Name (DN). Also known as namingContext or directory information tree (DIT).
NAS (network access server)
A single point of access to a remote resource. The NAS is meant to act as a gateway to guard access to a protected resource. This can be anything from a telephone network, to printers, to the Internet.
A user role with privileges to manage the Cisco ISE network device repository, including adding, updating, and deleting devices. These permissions provide the administrator solely with read and write access to network devices.
network device groups
Network device groups (NDGs) are a logical grouping of network devices by location and type.
network resources
A location where you define all network devices in the device repository that access the Cisco ISE network, including Network Device Groups (NDGs), network devices, AAA clients, and external policy servers.

Object selector
A pop-up dialog box with items you can choose for a specific function. An object selector is often linked to another dialog, to provide input for a selected option.


PAP (Password Authentication Protocol)
PAP is a simple authentication protocol used to authenticate a user to a remote access server or Internet service provider (ISP).
A user role with privileges to change the password for internal users, and is intended for administrators who manage administrator accounts. An administrator with these privileges can change the password for other administrators.
Policy Service Persona
Policy Service is the runtime service running on Cisco ISE that evaluates requests and processes them.
PI (Programmatic Interface)
The Cisco ISE PI is a programmatic interface that provides external applications the ability to communicate with Cisco ISE to configure and operate Cisco ISE. PI allows for performing the following operations on Cisco ISE objects: create, update, delete, and read.
policy condition
Rule-based single conditions that are based on policies, which are sets of rules used to evaluate an access request and return a decision.
policy element
Global, shared object that defines policy conditions (for example, time and date, or custom conditions based on user-selected attributes) and permissions (for example, authorization profiles). Policy elements are referenced when you create policy rules.
port setting
You can configure Cisco ISE to authenticate using different LDAP servers, or different databases on the same LDAP server, by creating more than one LDAP instance with different IP addresses or port settings.
posture
Checking a host that accesses a protected network resource for compliance.
PPP (Point-to-Point Protocol)
PPP is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may provide you with a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you. PPP uses the Internet Protocol (IP) and is designed to handle other protocols as well. It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP packets and forwards them to the server, where they can actually be put on the Internet.
Periodic Reassessment is reporting to the Cisco ISE server by periodically checking hosts for compliance.
profiling
You can match identities such as endpoints for the purpose of classifying them based on a set of conditions.
protocol
A protocol is the special set of rules that end points in a telecommunication connection use when they communicate. Protocols exist at several levels in a telecommunication connection. For example, there are protocols for data interchange at the hardware device level and protocols for data interchange at the application program level. In the standard model known as Open Systems Interconnection (OSI), there are one or more protocols at each layer in the telecommunication exchange that both ends of the exchange must recognize and observe. Protocols are often described in an industry or international standard.
proxy
An HTTP proxy is a server that acts as a middleman in the communication between HTTP clients and servers.
Public Key
In cryptography, a public key is a value provided by some designated authority as an encryption key that, combined with the corresponding private key, can be used to encrypt messages and to create digital signatures.
The use of combined public and private keys is known as asymmetric cryptography. A system for using public keys is called a public key infrastructure (PKI).
Public Key Infrastructure (PKI)
A PKI enables users of a basically insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.


Quick View
A pop-up dialog that provides information that is relevant to the location in the user interface.


RADIUS Servers
Any third-party server that supports the RADIUS interface.
RDN (LDAP)
The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name) is X.500 terminology. It is the name given to an attribute (or attributes) that is unique at its level in the hierarchy. RDNs may be single-valued or multi-valued, in which case two or more attributes are combined using '+' (plus) to create the RDN, for example, cn+uid. The term RDN is only meaningful when used as part of a DN to uniquely describe the attributes on the path up the DIT from a selected entry (or search start location) to the directory root (or, more correctly, the Root DSE).
referral (LDAP)
An operation in which the LDAP server returns to an LDAP client the name (typically in the form of an LDAP URL) of another LDAP server that might be able to provide the information requested by the LDAP client.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics.
An operation that a host undergoes to get authenticated to access a protected network.
A user role with privileges for generating and viewing reports and monitoring data, with read-only access to logs.
RFC (Request for Comments)
A series of memoranda that encompass new research, innovations, and methodologies applicable to Internet technologies.
A set of typical administrator tasks, each with an associated set of permissions. An administrator can have more than one predefined role, and a role can apply to multiple administrators.
root (LDAP)
The root entry (also known as base or suffix) is one of many terms used to describe the topmost entry in a DIT. The Root DSE is a kind of super root.
root DSE (LDAP)
Conceptually the topmost entry in an LDAP hierarchy. Think of it as a super root that is normally invisible, that is, not accessed in normal operations. It is sometimes confused with root, base, or suffix. DSE stands for DSA Specific Entry, and DSA in turn stands for Directory System Agent (any directory-enabled service providing DAP or LDAP access). In OpenLDAP, information about the rootDSE may be obtained by querying the rootDSE object class; it provides information about the protocol versions supported, the services supported, and the naming context(s) or DIT(s) supported.
rootdn (LDAP)
The rootdn is a confusingly named directive in the slapd.conf file which defines a superuser which can bypass normal directory access rules.
RPM (RedHat Package Manager)
An RPM is a downloadable software package that is installable on Linux distributions that use RPM as their package management format.


SAN (Subject Alternative Name)
A certificate extension that holds additional names (identities) for the certificate subject.
Schema (LDAP)
A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can read and parse all of the ASN.1 definitions. In OpenLDAP this is done using the slapd.conf file.
search (LDAP)
An operation that is carried out by defining a base distinguished name (DN), a scope, and a search filter.
Secure Sockets Layer (SSL)
A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. SSL is a cryptographic protocol which provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. The term “TLS” as used here applies to both protocols unless clarified by context.
A user role with privileges to create, update, and delete administrator accounts, to assign administrative roles, and change the password policy.
Security Group Access (SGA)
Security Group Access (SGA) is a solution that builds secure networks by establishing clouds of trusted networks. The Cisco SGA solution was previously known as Cisco TrustSec (CTS) solution.
Security Policy
A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
server
A system entity that provides a service in response to requests from other system entities called clients.
service provisioning
Service provisioning refers to the “preparation beforehand” of IT systems’ materials or supplies required to carry out a specific activity. This includes the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as the provisioning of non-digital or “physical” resources such as cell phones and credit cards.
service selection policy
A set of rules that determines which access policy applies to an incoming request.
session
A session is a virtual connection between two hosts over which network traffic is passed.
session (LDAP)
A session occurs between an LDAP client and a server when the client sends a bind command. A session may be either anonymous or authenticated.
session conditions
Custom conditions, and date and time conditions.
Session Key
In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be rekeyed frequently.
SGA device
Any device that supports the Cisco Security Group Access solution.
SLA (Service Level Agreement)
An SLA is the part of a service contract in which a certain level of service is agreed upon. An SLA is a formal negotiated agreement between two parties. It is a contract that exists between customers and their service provider, or between service providers. It records the common understanding about services, priorities, responsibilities, guarantees, and so on. It then specifies the levels of availability, serviceability, performance, operation, or other attributes of the service, such as billing.
SMS
Short Message Service.
SMTP (Simple Mail Transfer Protocol)
SMTP is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks.
SNMP (Simple Network Management Protocol)
A TCP/IP network protocol that provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
SOAP (Simple Object Access Protocol)
A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses.
sparkline
A type of widget on the Cisco ISE dashboard in which vertical lines show trends over time. The height of a sparkline is based on a percentage of the maximum number of instances over a designated period of time, such as the last 60 minutes or the last 24 hours. Clicking a sparkline generates a deep-drill report showing granular data for a function.
SPML (Service Provisioning Markup Language)
SPML is the open standard protocol for the integration and interoperation of service provisioning requests.
sponsor group
A group of sponsor users who are assigned with the same set of privileges.
sponsor user
A sponsor user is the person who creates the guest user account. This person is often an employee of the organization that provides the network access. Sponsors can be specific individuals with certain job roles, or can be any employee who can authenticate against a corporate directory such as Microsoft Active Directory (AD).
SSH (Secure Shell)
A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.
SSL (Secure Sockets Layer)
SSL is a cryptographic protocol that provides security for communications over networks.
stack bar
A type of widget on the Cisco ISE dashboard comprised of horizontal color segments representing the distribution of a parameter over time.
subtype (LDAP)
LDAPv3 defines a number of subtypes. At this time, two have been defined: binary (in RFC 2251) and lang (in RFC 2596). Subtypes may be used when referencing an attribute and for qualifying it; for example, cn;lang-en-us=smith would perform a search using U.S. English. The subtype does not affect the encoding, since UTF-8 (used for cn) allows for all language types. Language subtypes are case insensitive.
suffix (LDAP)
Also known as root or base, the suffix is one of many terms used to describe the topmost entry in a DIT. The term is typically used because this entry is usually defined in the suffix parameter in OpenLDAP's slapd.conf file. The Root DSE is a kind of super root.
A user role with privileges across the entire system, including monitoring and troubleshooting. SuperAdmin permissions allow the administrator to create, read, update, delete, and execute (CRUDX) all the Cisco ISE resources.
support bundle
A support bundle contains Cisco ISE log messages, which can be used to prepare diagnostic information for TAC.
system administration
The role-based administrative functions performed by a group of administrators.
system administrators
Administrators with different access privileges defined in the Cisco ISE GUI. They administer and manage Cisco ISE deployments in your network.
system configuration
The role-based administrative functions performed by a group of administrators to configure system performance.
System Health Dashboard
The Monitoring & Report Viewer Dashboard that provides information about the health status of associated Cisco ISE instances.


TCP/IP
Transmission Control Protocol/Internet Protocol is the basic communication language or protocol of the Internet. TCP/IP is a two-layer program. The higher layer, Transmission Control Protocol, manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, Internet Protocol, handles the address part of each packet so that it gets to the right destination.
Time profile
Assign different levels of access time to a guest account.
TrustSec solution
Cisco TrustSec is an identity-based access control solution that secures networks and networked resources through policy-based access control, identity-aware networking, data integrity, and confidentiality services.


UDP
User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).
URL
Uniform Resource Locator. The unique address for a file that is accessible on the Internet.
user attribute configuration
An administrative task consisting of configuring an internal user's identity attributes.
user roles
User roles are sets of permissions that determine the tasks a user is allowed to perform on the Cisco ISE network. Due to associated permissions, user roles can affect what appears in the ISE user interface.


A user role with read-only privileges across all parts of the Cisco ISE user interface, and read-only access to all network resources.
VPN
Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses “tunneling” to encrypt all information at the IP level.
VSA
Vendor-specific attribute. A proprietary property or characteristic not provided by the standard Remote Authentication Dial-In User Service (RADIUS) attribute set. VSAs are defined by vendors of remote access servers to customize RADIUS for their servers.


WCS (Wireless Control System)
Cisco Wireless Control System is a platform designed to help enterprises design, control, and monitor Cisco wireless LANs. WCS is the industry-leading platform for wireless LAN planning, configuration, and management.
Web server
A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests).
Web service
A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. The web server interface is described in a machine-processable format, WSDL. Other systems interact with the Web service, typically using HTTP with an XML serialization in conjunction with other Web-related standards.
WLC (Wireless LAN Controller)
WLC is a device that assumes a central role in the Cisco Unified Wireless Network (CUWN). Traditional roles of access points, such as association or authentication of wireless clients, are done by the WLC.
WSDL (Web Services Description Language)
WSDL is an XML-based language used to describe the services a business offers and to provide a way for individuals and other businesses to access those services electronically.


X.509
A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.
XML (eXtensible Markup Language)
XML is a flexible way to create common information formats and share both the format and the data on the World Wide Web, intranets, and elsewhere.