Overview of the Identity Services Engine (ISE) / ISE Passive Identity Controller (ISE-PIC) Service
Cisco’s Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC) are applications that run on separate servers in your network to provide enhanced identity management. The Web Security appliance can access user-identity information from an ISE or ISE-PIC server. When either ISE or ISE-PIC is configured, information is retrieved (user names and associated Secure Group Tags from ISE; user names and Active Directory groups from ISE-PIC) for appropriately configured Identification Profiles. This allows transparent user identification in policies configured to use those profiles.
About pxGrid
Cisco’s Platform Exchange Grid (pxGrid) enables collaboration between components of the network infrastructure, including security-monitoring and network-detection systems, identity and access management platforms, and so on. These components can use pxGrid to exchange information via a publish/subscribe method.
There are essentially three pxGrid components: the pxGrid publisher, the pxGrid client, and the pxGrid controller.
- pxGrid publisher – Provides information for the pxGrid client(s).
- pxGrid client – Any system, such as the Web Security appliance, that subscribes to published information; in this case, Security Group Tag (SGT), Active Directory groups, user-group, and profiling information.
- pxGrid controller – In this case, the ISE/ISE-PIC pxGrid node that controls the client registration/management and topic/subscription processes.
Trusted certificates are required for each component, and these must be installed on each host platform.
About the ISE/ISE-PIC Server Deployment and Failover
A single ISE/ISE-PIC node setup is called a standalone deployment, and this single node runs the Administration and Policy Service. To support failover and to improve performance, you must set up multiple ISE/ISE-PIC nodes in a distributed deployment. The minimum distributed ISE/ISE-PIC configuration required to support ISE/ISE-PIC failover on your Web Security appliance is:
- Two pxGrid nodes
- Two Administration nodes
- One Policy Service node
This configuration is referred to in the Cisco Identity Services Engine Hardware Installation Guide as a 'Medium-Sized Network Deployment'. Refer to the network deployments section in that installation guide for additional information.