Q. What new features and capabilities are delivered in Cisco® Identity Services Engine Software Release 1.2*?
A. Cisco Identity Services Engine (ISE) Software Release 1.2 is a major release that delivers important enhancements to the Identity Services Engine in several areas, including scalability and usability. New ISE 1.2 features include MDM Integration, to ensure all mobile devices comply with security policy; a Device Feed Service, so supporting the latest devices is hassle-free for users and IT; a doubling of scale and performance, so IT will be ready to handle the continuous influx of new devices; and Bootstrap Wizards, which provide IT deployment automation and simplification when testing ISE in a proof-of-concept network.
Q. What else is being released with ISE 1.2*?
A. Two new hardware platforms, called the Cisco Secure Network Servers*, are being released. These new servers bring scalability improvements, as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The multiuse Cisco Secure Network Servers offer many improvements over current ISE, ACS, and NAC appliances, and are the platform recommended to deploy newer versions of these applications. During ordering, customers can specify which security application they would like to have installed. See the Product Details section for more information.
Q. If I am an existing ISE customer, will I need to buy the new Cisco Secure Network Server in order to upgrade to ISE 1.2*?
A. No, there is no need to buy new hardware. The current IBM servers will support ISE 1.2 through manual software upgrade. However, the new Cisco Secure Network Servers* can only run ISE 1.2 and subsequent versions.
Q. Can I mix hardware in my ISE deployment?
A. Yes. It is OK to use different hardware, but all software versions need to be the same in your environment.
Q. What are the scalability enhancements?
A. The Identity Services Engine was previously able to scale to 100,000 concurrent connected endpoints. ISE Release 1.2* enables the Identity Services Engine to handle up to 250,000 concurrent connected endpoints. Additionally, the new Cisco Secure Network Servers* increase endpoint support over the Cisco Identity Services Engine 3300 Series appliances. For example, the Cisco Secure Network Server 3415* supports 5000 endpoints compared to 3000 for the Cisco Identity Services Engine 3315, and the Secure Network Server 3495* supports 20,000 endpoints compared to 10,000 for the Cisco Identity Services Engine 3395.
Q. What are the usability enhancements?
A. ISE Release 1.2* delivers simplified product configuration capabilities. The bootstrap wizards aid in the configuration of the authentication, authorization, profiler, posture, compliance, and guest capabilities, so it's easier and faster to deploy ISE services across an organization's networks.
Q. How does MDM integration add value to the solution?
A. ISE Release 1.2* delivers integration between Identity Services Engine and MDM platforms, which can ensure that all mobile devices are compliant with security policy before they are allowed to access the network. This feature* enables posture compliance assessment and network access control of mobile endpoints attempting to access the network. The solution also performs ongoing posture checks to ensure that devices remain compliant and that the correct network access level is maintained. The specific posture attributes collected by MDM partner platforms for compliance and access policy enforcement in the Identity Services Engine are:
• Is the mobile device registered with MDM?
• Does the mobile device have disk encryption enabled?
• Does the device have PIN-Lock enabled?
• Has the device been jail-broken/rooted?
In terms of global compliance, posture compliance decisions may be made by the MDM platform instead of the Identity Services Engine. In this scenario, additional attributes such as blacklisted applications or presence of an enterprise data container may be checked. The MDM platform simply informs the Identity Services Engine if a device is in compliance, and the Identity Services Engine then enforces the appropriate network access policy.
This integration brings great value to MDM customers as it automates the device registration process. As MDM solutions are network-blind, they can't detect a new device when it connects to the wireless network, and the admin needs to send a notification to the users who wish to enroll their devices. Thanks to the ISE integration*, device enrollment is done automatically when users connect their device to the Wi-Fi network.
Q. What MDM platforms are supported with ISE Release 1.2*?
A. Presently, the following six MDM platforms are supported with ISE Release 1.2: AirWatch, Good Technology, Fiberlink, MobileIron, SAP/Afaria, and Citrix/Zenprise.
Q. What is the new device feed service, and what are the benefits?
A. With ISE Release 1.2*, Cisco is delivering a unique feed service that provides new and updated profiles for various IP-enabled devices when vendors release new devices. ISE customers will therefore be able to recognize new devices, in addition to a multitude of other network-attached devices such as printers, video cameras, and specialized mobile computing devices.
Cisco works with various vendors, partners, customers, etc. to profile the multitude of IP-enabled devices that are expected to be deployed in various customer environments and to create profiles for them. These profiles are made available through the Cisco Feed Service. An ISE server* that is configured to connect to the Feed Service establishes a secure connection with the cloud-based Feed Service. The various profiles on the Feed Service are then automatically downloaded to the ISE server, giving ISE customers the ability to stay abreast of and detect various IP-enabled devices that connect to their network. The Feed Service will be available with the ISE 1.2* software release and is part of the Advanced License.
Q. Given the new capabilities introduced in ISE Release 1.2*, is there any change to the Identity Services Engine product packaging and licensing?
A. The current Base, Advanced, and Wireless licenses remain the same. In order to benefit from the MDM integration capability or the profiler feed service, Advanced licenses will need to be purchased.
Q. Are there any enhancements to Identity Services Engine license management?
A. Yes. Beginning with ISE Release 1.2*, customers will be able to register an ISE PAK for Primary and Secondary Administration nodes by entering the Unique Device Identifier (UDI) of both nodes. This allows the resulting Identity Services Engine license file to be installed on both nodes, which is a significant enhancement for failover and upgrade processes. Also, enhancements to the Cisco License Administration Portal allow the customer to re-host their existing Identity Services Engine licenses to another node or two nodes.
Q. What new languages are supported in ISE Release 1.2*?
A. Czech, Dutch - Netherland Dialect, Hungarian, and Polish are now supported.
Q. Will there be any price increases associated with ISE Release 1.2*?
A. No. Prices will not be increased for any Identity Services Engine product.
Q. Can I run ISE Release 1.2* on my existing Identity Services Engine hardware appliances?
A. Yes. ISE Release 1.2 will work with the Identity Services Engine 3315, 3355, and 3395 hardware appliances in their default configurations.
General Overview
Q. What is the Cisco Identity Services Engine?
A. The Cisco Identity Services Engine is a single policy control point for identity, access control, and device security across wired, wireless, and VPN networks. Through complete, automated features for BYOD and guest access, employees and guests can use the device of their choice, while integration* with mobile device management (MDM) solutions ensures device security before allowing access to work resources. IT can assure identity and account for all network-attached devices, including printers, surveillance cameras, servers, and unique mobile computing devices used in retail, healthcare, and manufacturing. Resources are protected by strong access control that's already embedded in the Cisco network.
Q. What are the key features of ISE?
A. The core ISE features stem from the tight integration of identity services in a single RADIUS-based product from Cisco, the world leader in security, mobility, access control, and networking. This includes:
• Rigorous Identity Enforcement: Extensive device profiling and asset visibility with automatic feed service*
• Extensive Policy Enforcement: Contextual identity access control on wired, wireless, and VPN Networks
• Automated Onboarding: Supports IT, BYOD, and Guest devices
• Automated Device Security: Enforces MDM policy through integration** with many market leading Mobile Device Management (MDM)* technologies
• Dependable Anywhere Access: Consistent resource availability for workers
• Operational Efficiencies: ISE automation reduces IT and helpdesk burden, improves accuracy
• Embedded Enforcement: Device sensing and enforcement already in Cisco networks reduces equipment costs
• Next Generation Policy Networking: Ends the pain of VLAN, ACL, and firewall rule administration.
** Cisco Partners
ISE starts with rigorous identity enforcement, with an industry-first, automatic device feed service that keeps the device profiler current with the latest smartphones, tablets, mobile computing devices, printers, and video surveillance cameras, and extends to specialized devices used in the retail and healthcare industry. The product identifies a device, the user ID, location, time, and media; creates a contextual identity; applies a policy; and dynamically provisions the network so workers get dependable access to their resources from virtually anywhere.
Q. What role does the Cisco Identity Services Engine play in the Cisco SecureX solution?
A. As a core component of the SecureX framework, the Cisco Identity Services Engine provides a unified policy platform that ties organizational security policies to business components such as security and network infrastructure, user identity, resources, and IT operational processes. The Cisco Identity Services Engine allows customers to create and manage centralized policies, while Cisco TrustSec delivers policies and enforcement through the network.
Q. What role does the Cisco Identity Services Engine play in the Cisco Unified Access solution?
A. The Cisco Identity Services Engine (ISE) is the "One Policy" in the Unified Access solution which also includes "One Management" and "One Network". ISE provides central policy management across all Cisco wired, wireless and remote networks. Cisco Unified Access is an intelligent network platform comprised of ISE policy management, Cisco Prime network management, Cisco Catalyst switches, and wireless controller, access points, and mobility services manager. This platform enables IT to intelligently connect people, processes, data, and things with greater intelligence, security, and efficiency than ever before.
Q. What customer challenges does the Cisco Identity Services Engine solve?
A. The Cisco Identity Services Engine solves four customer challenges:
• Secure Access: Provides authenticated and authorized access to the network based on who is accessing the network, the types of devices being used, and the location and health status of each device.
• BYOD Automation: Provides easy onboarding of employee-owned devices while ensuring that the right level of security is in place.
• Guest Lifecycle management: Allows provisioning, notification, management, and reporting of guest user accounts.
• Next Generation Network Control Point: ISE is the policy control point for next generation TrustSec networking. TrustSec networking is secure access policy embedded or woven into the network infrastructure to ensure consistent and efficient enforcement.
Q. What types of customers can benefit from deploying the Cisco Identity Services Engine?
A. All customers requiring identity and network access services across their wired, wireless, and VPN networks will benefit from deploying the Cisco Identity Services Engine.
Q. Are there customer references?
A. Yes. Cisco ISE currently has thousands of customers in industries such as financial services, manufacturing, healthcare, public sector, education and more. There are written case studies and video on some of these customers here.
Q. How does the Cisco Identity Services Engine compare to other solutions in the industry?
A. While ISE offers so many capabilities in one integrated product that it may drive a new classification for secure access, the most relevant comparison is the Gartner Magic Quadrant for NAC where it is named the market leader.
Q. Will the Cisco Identity Services Engine replace Cisco Secure Access Control Server (ACS) and Cisco Network Access Control (NAC)?
A. Not at this time. The Cisco Secure ACS and Cisco NAC product lines are viable products, and they will continue to be sold.
Q. Should existing Cisco NAC Appliance, Cisco NAC Profiler, or Cisco NAC Guest Server customers migrate to the Cisco Identity Services Engine platform?
A. Cisco NAC customers can migrate to the Cisco Identity Services Engine platform if they so desire. However, it is highly recommended that customers consult with their sales representatives and Cisco Certified Partners to determine the best course of action.
Q. Should existing Cisco Secure ACS customers migrate to the Cisco Identity Services Engine platform?
A. Existing Cisco Secure ACS customers using network access can easily migrate to the Cisco Identity Services Engine platform using migration part numbers and tools. However, existing Cisco Secure ACS customers using TACACS functions will not be able to migrate to the current version of ISE for network device identity management. This is often acceptable for customers who prefer to keep user and network identity on separate systems.
Q. Does the Cisco Identity Services Engine support older Cisco Secure ACS and Cisco NAC deployments?
A. ISE Release 1.2* does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services Engine can work in tandem with Cisco NAC Manager to provide the same profiling service as the NAC Profiler, which has reached end-of-sale status. Please speak to your local Security Sales Specialist to verify applicability in your environment.
Product Details
Q. What are the Cisco Identity Services Engine product components?
A. The Cisco Identity Services Engine has three components: appliances, software application, and software licenses. Appliances include physical and virtual options. The entire software application is installed on each appliance when it is shipped. To enable specific software functionality, you must order a separate software license. The Base license is perpetual, and the Advanced and Wireless licenses are term-based (3- and 5-year terms). The Wireless Upgrade license adds the ability to support wired and VPN use cases to Wireless licenses. The Wireless Upgrade license enables 1 Wireless license to be equal to 1 Base and 1 Advanced License. The Wireless Upgrade license can be purchased in 3- or 5-year terms. The number of Wireless Upgrade licenses ordered must be equal to the Wireless license quantity the customer has deployed. Table 1 lists the platforms and the options available.
Cisco Secure Network Server 3415 (small), 5000-endpoint target
Cisco Secure Network Server 3495 (large), 20,000-endpoint target
Software or Virtual Machine
1, 5, or 10 virtual machines
| Software Packages | Options |
| --- | --- |
| Base | Capabilities: Basic network access and guest access. Network deployment support: Wired, wireless, and VPN. License prerequisite: None. Perpetual license. Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints. |
| Advanced | Capabilities: Profiler and feed service, posture, MDM integration*, automated endpoint onboarding, and Security Group Access (SGA). Network deployment support: Wired, wireless, and VPN. License prerequisite: Base license. Term license: 3- and 5-year terms. Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints. |
| Wireless | Capabilities: Basic network access, guest access, profiler, posture, and SGA. Network deployment support: Wireless. License prerequisite: None. Term license: 3- and 5-year terms. Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints. |
| Wireless Upgrade | Capabilities: Basic network access, guest access, profiler, posture, and SGA. Network deployment support: Wired, wireless, and VPN. License prerequisite: Wireless license. Term license: 3- and 5-year terms. Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints. |
Q. How does the Cisco Secure Network Server 3415* compare to the Cisco Identity Services Engine 3315 Appliance?
A. High-level configuration comparison is as follows:
| | Cisco Secure Network Server 3415* (Small) - New | Cisco Identity Services Engine 3315 (Small) |
| --- | --- | --- |
| Processor | 1 x Intel Xeon Quad-Core 2.4 GHz E5-2609 | 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz |
| Memory | 16 GB | 4 GB |
| Hard disk | 1 x 600-GB 6Gb SAS 10K RPM | 2 x 250-GB SATA HDD |
| RAID | No | No |
| CD/DVD-ROM drive | No | Yes |
| Ethernet NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs |
| Endpoints supported | 5000 | 3000 |
Q. How does the Cisco Secure Network Server 3495* compare to the Cisco Identity Services Engine 3395 Appliance?
A. High-level configuration comparison is as follows:
| | Cisco Secure Network Server 3495* (Large) - New | Cisco Identity Services Engine 3395 (Large) - New |
| --- | --- | --- |
| Processor | 2 x Intel Xeon Quad-Core 2.4 GHz E5-2609 | 2 x Intel Xeon Quad-Core 2.4 GHz E5-2609 |
| Memory | 32 GB | 4 GB |
| Hard disk | 2 x 600-GB 6Gb SAS 10K RPM | 4 x 300-GB SFF SAS drives |
| RAID | Yes (RAID 0+1) | Yes (RAID 0+1) |
| CD/DVD-ROM drive | No | Yes |
| Ethernet NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs |
| Endpoints supported | 20,000 | 10,000 |
Q. Why aren't Cisco Secure Network Servers referred to as "appliances"?
A. Appliances are generally specific-purpose devices. Servers are generally considered to be multipurpose devices. Because the new hardware platforms support multiple applications with the same configuration(s), labeling them as "servers" is more appropriate.
Q. What is the default Identity Services Engine software release for the different appliances and servers?
A. The default Identity Services Engine software release installed during manufacturing is as follows:
• Cisco Secure Network Servers* (3415 and 3495): ISE Release 1.2*
• Cisco ISE Appliances (3315, 3355, 3395): ISE Release 1.1.1
• Cisco ISE VM Appliances: ISE Release 1.2
Q. Can I modify the version of Identity Services Engine software that is installed on appliances and servers?
A. No.
Q. Do the new Cisco Secure Network Servers offer any components as spares and FRUs?
A. Yes. Customers can order power supplies, hard disk drives, KVM cables, and rail kits as spares.
Q. With the release of the new Cisco Secure Network Servers, will end-of-sale (EOS) status for the Cisco Identity Services Engine 3300 Series be announced soon?
A. Yes. While the exact EOS date is being determined, it is anticipated that an EOS announcement for the Identity Services Engine 3300 Series will be posted by mid-2013.
Q. When does the term begin for a Cisco Identity Services Engine license?
A. Consistent with Cisco policy, the Identity Services Engine license term starts 24 hours after dispatch. All Identity Services Engine licenses are electronically delivered and are typically dispatched within 48 hours after order processing.
Q. Can I order multiple licenses?
A. Yes. You can order multiple licenses to increase the number of endpoints supported. Identity Services Engine licenses are cumulative across the entire Identity Services Engine deployment and apply only to concurrent, active sessions. This is different from the Cisco NAC Appliance or NAC Profiler, where licenses are applied per appliance.
Q. Can I order Identity Services Engine licenses as options to the appliances and servers?
A. No. Identity Services Engine licenses are defined as spares and must be ordered separately.
Q. Can I consolidate multiple license terms with different start and end dates to allow synchronization of the renewal contracts?
A. No. License terms cannot be synchronized (e.g., co-term) at this time.
Q. Does the Cisco Identity Services Engine include an evaluation license?
A. Yes. The Cisco Identity Services Engine includes a free 90-day evaluation license that can support up to 100 devices. The evaluation license supports both Cisco Identity Services Engine Base and Advanced software packages.
Q. How do I purchase technical support for the Cisco Identity Services Engine?
A. For Cisco Identity Services Engine hardware appliances, you have the option to purchase Cisco SMARTnet® service contracts. For Cisco Identity Services Engine "virtual" appliances, you have the option to purchase Cisco Software Application Support plus Upgrades (SASU) service contracts. A valid Cisco SMARTnet or SASU contract covers advanced hardware replacement, Cisco Technical Assistance Center (TAC) support, and major and minor software upgrades and bug fixes for all Cisco Identity Services Engine products. You do not need to purchase separate service contracts for the Base or Advanced licenses.
Product Comparisons
Q. What are the primary differences between Cisco NAC, Cisco Secure ACS, and Cisco Identity Services Engine?
A. Cisco NAC and Cisco Identity Services Engine differences are listed in Table 2, and Cisco Secure ACS and Cisco Identity Services Engine differences are listed in Table 3.
Table 2. Differences Between Cisco NAC and Cisco Identity Services Engine
| | Cisco NAC | Cisco Identity Services Engine |
| --- | --- | --- |
| Control plane for wired out-of-band deployment | Simple Network Management Protocol (SNMP) | RADIUS |
| Support for in-band mode at network aggregation points | Yes | No |
| Support for wireless | Yes | Yes |
| Support for posture on an 802.1X-enabled wired network | No | Yes |
Table 3. Differences Between Cisco Secure ACS and Cisco Identity Services Engine
| | Cisco Secure ACS | Cisco Identity Services Engine |
| --- | --- | --- |
| Support for TACACS+ (device administrator use cases) | Yes | No |
| User or device authentication and authorization | Yes | Yes |
| Integrated profiling | No | Yes |
| Integrated guest services | No | Yes |
| Security Group Access (SGA) | Yes | Yes |
Q. When deployed with a NAC Appliance, the NAC Agent supports a feature called Active Directory Single Sign-On (SSO), which provides automatic network authentication based on successful Windows login to AD. The Identity Services Engine also uses the NAC Agent, so does it offer this same functionality?
A. Yes. Unlike a NAC Appliance that uses the NAC Agent for authentication and posture, in an Identity Services Engine deployment, the NAC Agent performs only posture assessment functions. SSO support for Identity Services Engine users is provided through supplicants that support transparent 802.1X user authentication based on a user's Windows login credentials. 802.1X supplicants, including Cisco AnyConnect® Network Access Manager and the Microsoft native OS supplicant for Windows XP, Vista, and Windows 7, support this capability. Identity Services Engine customers that deploy certificate-based authentication will also experience transparent network login.
Q. The NAC Appliance supports a feature called VPN SSO that provides automatic network authentication based on successful login to a RADIUS gateway. Does the Identity Services Engine offer this same functionality?
A. Yes. Unlike a NAC Appliance that requires a separate network authentication following login to a VPN concentrator or wireless LAN controller, the Identity Services Engine authenticates users at the point of access to the VPN or wireless network since it is the RADIUS server for these access devices. No additional network login is required.
Cisco Identity Services Engine Licensing
Q. How do I license the Cisco Identity Services Engine, and how does it work?
A. Cisco offers three packages:
• Base package includes authentication, authorization, guest, and MAC security services.
• Advanced package includes Base package offerings, plus posture, profiler, feed service*, MDM integration*, automated endpoint onboarding, and SGA services.
• Wireless package includes all services (for wireless endpoints only).
Every package is licensed based on the total number of concurrent endpoints that use the services in the package. The total number of endpoints includes all the endpoints connecting to the Cisco Identity Services Engine within a deployment. Every time an endpoint connects to the Cisco Identity Services Engine, it consumes one license from one or more packages (depending on what services it uses); when the endpoint disconnects from the network, it releases that license from the Cisco Identity Services Engine (after the Cisco Identity Services Engine receives a RADIUS stop message).
Q. How can I upgrade from one package to another?
A. License upgrades can be implemented by two methods: Base license with Advanced license, and Wireless license with Wireless Upgrade license.

| Upgrade Method | Order Process | Effect | License Treatment | Term Consideration |
| --- | --- | --- | --- | --- |
| Base with Advanced | Customer orders Advanced License | Enables new features (e.g., Posture, Profiling, SGA) | Advanced license quantity cannot exceed Base license quantity | Advanced licenses have 3- and 5-year terms. No effect on Base licenses |
| Wireless with Wireless Upgrade | | Enables wired and VPN access | Wireless Upgrade license quantity must equal Wireless license quantity | Both Wireless and Wireless Upgrade licenses have 3- and 5-year terms. Wireless and Wireless Upgrade terms do not have to match |
Q. How and when does an endpoint in the Cisco Identity Services Engine consume an endpoint license?
A. An endpoint consumes a license in the Cisco Identity Services Engine when it uses services that belong to specific packages. Table 4 depicts how licenses are consumed in the Cisco Identity Services Engine.
Table 4. How Licenses Are Consumed in Cisco Identity Services Engine Software
| Use Case | ISE Release 1.0 Licenses Used: Base | ISE Release 1.0 Licenses Used: Advanced | ISE Release 1.1 and Later Licenses Used: Base | ISE Release 1.1 and Later Licenses Used: Advanced |
| --- | --- | --- | --- | --- |
| Endpoint authenticates and authorizes and uses VLAN, ACL enforcement. | Yes | No | Yes | No |
| Endpoint authenticates and authorizes and uses SGA enforcement. | Yes | Yes | Yes | Yes |
| Endpoint authenticates and authorizes with posture assessment. | Yes | Yes | Yes | Yes |
| Endpoint is added manually to Identity Services Engine and statically assigned an endpoint identity group, with Identity Services Engine probes enabled. | Yes | No | Yes | No |
| Endpoint is dynamically profiled and assigned to an endpoint identity group. This endpoint identity group is used in authorization policy. | Yes | Yes | Yes | Yes |
| Endpoint is dynamically profiled and assigned to an endpoint identity group. This endpoint identity group is not used in authorization policy. | Yes | Yes | Yes | No |
Q. If I want to use profiling for automated network authorization on a subset of my endpoints, can I buy a smaller number of Advanced licenses than Base licenses?
A. Yes. Having some Advanced licenses (even as few as 100) will enable the Identity Services Engine to collect contextual information for all the endpoints on the network up to the total number of Base licenses. Only when the profile information is used in an authorization decision is the Advanced license consumed. This allows IT administrators to have visibility into the endpoints on the network and then use this information to determine which endpoint categories can be put into a static white list of MAC addresses and which need the full profiler functionality for automated discovery and network services enablement.
Q. What are the prerequisites for deploying any software package?
A. Base package: There are no prerequisites for deploying the Base software package.
Advanced package: A Base license must be preinstalled in order to install the Advanced software package. The endpoint count for the Advanced license should be equal to or less than that of the Base license.
Wireless package: There are no prerequisites for deploying the Wireless software package.
Wireless Upgrade package: A Wireless license must be preinstalled in order to install the Wireless Upgrade software package. The endpoint count for the Wireless Upgrade license should be equal to that of the Wireless license.
Q. What is the term of the Wireless Upgrade license?
A. Wireless Upgrade licenses can be ordered in 3- and 5-year terms and must match the term of the wireless license ordered.
Q. What are the differences between the various licenses available for the Cisco Identity Services Engine?
A. Table 5 lists the differences.
Table 5. Differences Between Cisco Identity Services Engine Licenses
| License Type | Features Supported | Deployment Type Supported | License Term | License Prerequisite | ATP Required |
| --- | --- | --- | --- | --- | --- |
| Base | Authentication/authorization; Guest provisioning; Link encryption policies | Wired; Wireless; VPN | Perpetual | - | Yes |
| Advanced | Device onboarding/provisioning; Device profiling; Feed service*; MDM integration*; Host posture; SGA | Wired; Wireless; VPN | 3- or 5-year terms | Base license | Yes |
| Wireless | Device onboarding/provisioning; Authentication/authorization; Guest provisioning; Link encryption policies; Device profiling; Feed service*; MDM integration*; Host posture; SGA | Wireless | 3- or 5-year terms | - | No |
| Wireless Upgrade | Authentication/authorization; Guest provisioning; Link encryption policies; Device profiling; Feed service*; MDM integration*; Host posture; SGA | Wireless | 3- or 5-year terms | Wireless license | Yes |
Q. What is an ISE Migration license?
A. ISE Migration licenses are specially priced licenses intended to help existing ACS and NAC customers to migrate to the Identity Services Engine. The ISE Base Migration license is for ACS customers and provides an ISE Base license specific to the quantity ordered. The ISE Advanced Migration license is a license bundle for NAC customers and provides an ISE Base license and a 3-year ISE Advanced license in the quantities ordered.
Deployments
Q. What is the maximum number of concurrent endpoints that a Cisco Identity Services Engine deployment can support?
A. A Cisco Identity Services Engine deployment using ISE Release 1.2* can control up to 250,000 endpoints. Deployments using ISE Release 1.x can support a maximum of 100,000 endpoints.
Q. Can I deploy Identity Services Engine appliances and servers using different versions of ISE software?
A. No.
Q. Which reports can the Cisco Identity Services Engine generate?
A. The Cisco Identity Services Engine Release 1.2* has a comprehensive reporting mechanism that shows detailed current and historical information related to authentication, accounting, posture, profiler, guest access, and session directory.
Q. Can the Cisco Identity Services Engine provide data to external reporting systems?
A. Yes. In addition to log data that can be sent to an external log/report server, the Identity Services Engine provides session directory APIs so that you can query the data directly.
Q. Does the Cisco Identity Services Engine provide mechanisms to transport the reports to any external or central reporting system?
A. The Cisco Identity Services Engine has the capability, through APIs, to tie into central reporting solutions.
Q. What kind of high-availability and redundancy scheme does the solution offer?
A. The Identity Services Engine Release 1.2 offers service redundancy through redundant appliances and supports integration with external load balancers to eliminate single points of failure. For details about high availability and redundancy, please refer to the Cisco Identity Services Engine user guide.
Q. Can I deploy the Cisco Identity Services Engine solution for wireless networks only?
A. Yes. You can deploy the Cisco Identity Services Engine solution with Wireless licenses for wireless-only deployments (e.g., BYOD or guest network services).
Q. Is there an equivalent of the Base license for wireless networks only?
A. No. The Base license supports wired, wireless, and VPN endpoints. Customers can deploy the Base license for wireless endpoints only. The Wireless license enables all the features offered by the Base and Advanced licenses (basic network access, guest access, profiler, posture, and SGA) for wireless endpoints only.
Q. If I'm using Wireless licenses, what is the recommended way to add support for wired and VPN devices?
A. The recommended approach is to order and install a Wireless Upgrade license. The Wireless Upgrade license must be ordered in the same quantity as the existing Wireless license. It is strongly suggested not to add Base or Advanced licenses to deployments where Wireless licenses are already in use.
Q. If I order Wireless Upgrade licenses, will this quantity account specifically for wired and VPN devices?
A. No. Adding a Wireless Upgrade license does not add to the count of supported endpoints. For example, if a customer has 500 Wireless licenses installed and then purchases and installs 500 Wireless Upgrade licenses, their Identity Services Engine deployment can support a maximum of 500 concurrent endpoints (wired, wireless, VPN devices combined).
Q. If I'm using Wireless licenses, can I install Base licenses for wired or VPN device support?
A. No. It is strongly suggested not to add Base or Advanced licenses to deployments where Wireless licenses are already in use.
Ordering and Purchasing
Q. How can I purchase the Cisco Identity Services Engine?
A. Cisco Identity Services Engine Advanced, Base, and Wireless Upgrade licenses can be purchased through Cisco Authorized Technology Provider (ATP) Partners, through Cisco Advanced Services, or through a fully trained business-unit-sponsored professional services partner.
Note: Cisco Identity Services Engine platforms (both physical and virtual) and Wireless licenses are generally available for purchase through any Cisco Certified Partner.
Q. What is an Authorized Technology Provider (ATP) Partner?
A. Cisco ATP Partners have demonstrated expert levels of training and knowledge in specific advanced technologies. The ATP Program for the Identity Services Engine was designed to ensure customer success in solving complex security challenges related to their Identity Services Engine deployments.
Q. What if an ATP Partner cannot address a customer's deployment needs in a timely manner?
A. If an ATP Partner does not have immediate resources, assistance can be requested from Cisco Advanced Services or from a business-unit-sponsored professional services partner who has been fully trained, has authored HLD documents, and has worked at Cisco as a Technical Marketing Engineer, such as SecurView.
Additional Information
Q. Whom should I contact for additional information?
A. Please contact your local Cisco sales representative or Cisco Certified Partner.