Overview of the Identity Services Engine Service
Cisco’s Identity Services Engine (ISE) is an application that runs on separate servers in your network to provide enhanced identity management. AsyncOS can access user-identity information from an ISE server. If configured, user names and associated Secure Group Tags will be obtained from the Identity Services Engine for appropriately configured Identification Profiles, to allow transparent user identification in policies configured to use those profiles.
Cisco’s Platform Exchange Grid (pxGrid) enables collaboration between components of the network infrastructure, including security-monitoring and network-detection systems, identity and access management platforms, and so on. These components can use pxGrid to exchange information via a publish/subscribe method.
There are essentially three pxGrid components: the pxGrid publisher, the pxGrid client, and the pxGrid controller.
- pxGrid publisher – Provides information for the pxGrid client(s).
- pxGrid client – Any system, such as the Web Security appliance, that subscribes to published information; in this case, Security Group Tag (SGT) and user-group and profiling information.
- pxGrid controller – In this case, the ISE pxGrid node that controls the client registration/management and topic/subscription processes.
Trusted certificates are required for each component, and these must be installed on each host platform.
About the ISE Server Deployment and Failover
A single ISE node set-up is called a “standalone deployment,” and this single node runs the Administration, Policy Service, and Monitoring personae. To support failover and to improve performance, you must set up multiple ISE nodes in a “distributed deployment.” The minimum required distributed ISE configuration to support ISE failover on your Web Security appliance is:
Two pxGrid nodes
Two Monitoring nodes
Two Administration nodes
One Policy Service node
This configuration is referred to in the Cisco Identity Services Engine Hardware Installation Guide as a “ Medium-Sized Network Deployment”. Refer to that network deployments section in the Installation Guide for additional information.