Cisco Identity Services Engine Installation Guide, Release 3.5

Cisco ISE network architecture

Overview

Explains the network architecture of Cisco ISE, covering its core components such as nodes and persona types.

Cisco Identity Services Engine (ISE) is a comprehensive security policy management platform that provides identity-based network access control and policy enforcement. It enables enterprises to gather real-time contextual information about users, devices, and network conditions to make informed access control decisions. Cisco ISE supports a scalable architecture with centralized management, allowing deployment as standalone, high availability, or distributed systems. It integrates with various network elements such as switches, wireless controllers, VPN gateways, and private 5G networks to enforce consistent security policies. Cisco ISE helps enterprises ensure compliance, enhance infrastructure security, and streamline service operations by creating and applying granular access policies based on user identity, device type, location, and other contextual factors. Cisco ISE is available on Cisco Secure Network Server appliances, virtual machines, and public clouds, supporting diverse deployment scenarios and use cases.

Cisco ISE network architecture integrates specialized nodes and deployment models to deliver comprehensive, scalable network access control and security policy enforcement.

The core components include nodes with specific personas that work together to manage network access and security. It supports various deployment models, including standalone and distributed setups, suited for small to large networks. This architecture ensures scalable, secure, and efficient policy enforcement across wired, wireless, and VPN connections.

Cisco ISE network architecture components

Cisco ISE architecture includes these components:

Table 1. Components of Cisco ISE network architecture

Cisco ISE network components | Description
Nodes (personas or roles) | Cisco ISE servers that run one or more roles. A node can run multiple personas.
Network resources | Infrastructure that controls or provides network access, such as switches, WLCs, VPN devices, and so on.
Endpoints | Users or devices trying to connect to the network, such as laptops, phones, printers, IoT devices, and so on.

Cisco ISE nodes and personas

A Cisco ISE node can assume any or all of these personas:

Table 2. Cisco ISE nodes and personas

Persona | Role | Use cases
Administration persona | Manages configuration and system settings | Primary or secondary admin nodes
Policy Service persona (PSN) | Makes access-control decisions and enforces policy | RADIUS and TACACS+ processing
Monitoring persona | Collects logs and reporting data | Troubleshooting, audits, reports
pxGrid persona | Shares context with other systems | Integrations with security tools

Note on the Policy Service persona: The policy information point (PIP) is where external information is communicated to the Policy Service persona. For example, external information might be a Lightweight Directory Access Protocol (LDAP) attribute.
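To make the PIP-to-PSN relationship in the table concrete, here is an added example (not Cisco ISE code, and not the way ISE implements its policy engine) of a policy decision point that evaluates an access request against ordered rules while pulling identity attributes from an external directory. The rule format, the attribute names (memberOf, employeeType, access_method, device_type, location), the authorization result strings, and the in-memory "LDAP" directory are all constructed assumptions. The point it illustrates is that identity attributes come only from the PIP, so the request itself cannot assert group membership, and an unknown user falls through to the default deny.

```python
"""Illustrative model of a Policy Service persona (PSN) consulting a policy
information point (PIP) before deciding. Added example, not Cisco ISE code:
the rule format, attribute names (memberOf, access_method, device_type) and
the in-memory directory are constructed assumptions."""
from dataclasses import dataclass

# Constructed stand-in for the external directory behind the PIP.
# A real PSN would query LDAP/AD; here the lookup is an in-memory dict.
LDAP_DIRECTORY = {
    "alice": {"memberOf": ["eng", "vpn-users"], "employeeType": "staff"},
    "bob": {"memberOf": ["contractors"], "employeeType": "contractor"},
}

# Attributes the network device may supply in the access request.
# Identity attributes (memberOf, employeeType) are deliberately NOT in this
# set: they come only from the PIP, so a request cannot assert its own groups.
REQUEST_ATTRS = {"username", "access_method", "device_type", "location"}


def pip_lookup(username):
    """Return directory attributes for a user, or {} if the user is unknown.
    An unknown user yields no attributes, so group-based rules cannot match."""
    return dict(LDAP_DIRECTORY.get(username, {}))


@dataclass
class Rule:
    name: str
    conditions: dict  # attribute -> exact value (str) or set of acceptable values
    result: str       # authorization result returned when the rule matches


def matches(rule, ctx):
    """True if every condition in the rule is satisfied by the context."""
    for attr, want in rule.conditions.items():
        have = ctx.get(attr)
        if isinstance(want, set):
            # Multi-valued attribute: any overlap satisfies (e.g. memberOf).
            have_set = set(have) if isinstance(have, (list, tuple, set)) else {have}
            if not have_set & want:
                return False
        elif have != want:
            return False
    return True


# Ordered rule set: first match wins; nothing matching falls to the default.
POLICY = [
    Rule("Corp-Wired-Staff",
         {"access_method": "wired", "device_type": "corp-laptop", "memberOf": {"eng"}},
         "PERMIT_FULL"),
    Rule("VPN-Members",
         {"access_method": "vpn", "memberOf": {"vpn-users"}},
         "PERMIT_VPN"),
    Rule("Contractors-Any",
         {"employeeType": "contractor"},
         "PERMIT_RESTRICTED"),
]
DEFAULT_RESULT = ("Default", "DENY")


def evaluate(request, policy=POLICY):
    """Decide an access request: build the context from the trusted request
    fields plus PIP attributes, then walk the ordered policy."""
    ctx = {k: v for k, v in request.items() if k in REQUEST_ATTRS}
    ctx.update(pip_lookup(ctx.get("username", "")))
    for rule in policy:
        if matches(rule, ctx):
            return rule.name, rule.result
    return DEFAULT_RESULT


if __name__ == "__main__":
    for req in (
        {"username": "alice", "access_method": "wired", "device_type": "corp-laptop"},
        {"username": "alice", "access_method": "vpn"},
        {"username": "bob", "access_method": "wired", "device_type": "corp-laptop"},
        # Unknown user trying to assert a group in the request itself.
        {"username": "mallory", "access_method": "wired",
         "device_type": "corp-laptop", "memberOf": ["eng"]},
    ):
        print(req.get("username"), "->", evaluate(req))
```

The same user gets different results depending on the access method and device type, which is the granular, context-based enforcement the overview describes; the "mallory" case shows why the decision point must source identity attributes from the PIP rather than from whatever the endpoint or network device places in the request.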