What is Cisco Identity Services Engine (Cisco ISE)?
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure network access to end users and devices. Cisco ISE enables the creation and enforcement of security and access policies for endpoint devices that are connected to an organization's routers and switches. It is designed to help organizations simplify identity management across devices and applications.
Cisco Identity Services Engine helps enterprises understand and gain visibility into their network, giving them the ability to see who is connected as well as which applications are installed and running. The product can help with zero-trust strategies by securing the network and everyone and every endpoint connected to it. ISE can also share data like user and device identities as well as threats and vulnerabilities with other integrated Cisco tools to further streamline security policy management.
Cisco ISE is licensed on a subscription basis, but a 90-day free evaluation license can be downloaded for up to 100 endpoints.
How does Cisco ISE work and what is it used for?
With an increased number of users and devices accessing networks remotely, protecting an organization's data from network security breaches becomes more complex. Administrators can use Cisco Identity Services Engine to control who has access to their network and ensure authorized policy-compliant devices are being used. IT administrators can use ISE for policy enforcement, visibility, granting guest access to the network, threat containment, tool integrations, device administration and bring-your-own-device (BYOD) management.
Cisco ISE can authenticate wired, wireless and virtual private network (VPN) users. Authorized and unauthorized users are logged so administrators can view who and which devices are connected to their network at any time. Administrators can also configure network devices with IPv6.
Cisco Identity Services Engine is available as an appliance or software that can run on VMware and each instance is called a node. Cisco ISE is made up of the following deployment nodes:
- Policy Administration Node. This node enables admins to log into and configure policies and system-related configurations. Once configured, changes are pushed out to policy services nodes.
- Monitoring Node. This node collects logs and generates reports. Events that happen within the ISE topology are logged to this node.
- Policy Service Node. This node provides network access, provisioning, profiling, posture and guest access services.
- pxGrid Node. This node exchanges context-based sensitive data from the Cisco ISE session directory with other ISE network systems and Cisco products. The pxGrid node enables ISE to transfer data to other software.
When a device connects to a network, Cisco Identity Services Engine verifies who the user is, along with the type of device they are using, the time and location of the user's request and the access method used. Once Cisco ISE determines the request is legitimate, the user is granted network access.
Other key functions of Cisco ISE include the following:
- Compliance is enforced by client provisioning and assessing the device posture at all endpoints.
- Enforcement capabilities such as Cisco TrustSec are provided using security group tags and security group access control lists (ACLs).
- The Terminal Access Controller Access-Control System security protocol provides device administration and handles remote authentication.
Top Cisco ISE features
Cisco ISE helps to protect networks from cyber attacks using the following features:
- Access control. Provides users with access control options that include downloadable ACLs, virtual LAN, URL redirections and security group ACLs.
- Centralized management. This enables administrators to configure, manage and authenticate users and devices in one location.
- Cisco DNA Center integration. This network controller and management dashboard can integrate with ISE to act as an analytics platform for networks. DNA Center can also aid in the design, provisioning and application of policies. These policies can then be applied to users and applications instead of network devices.
- Contextual identity and business policies. These policies include authentication, device identity, posture validation, as well as user and endpoint identity attributes.
- Cisco TrustSec and Group-Based Policy. This includes a segmentation controller that manages switch, router, wireless and firewall rules.
- Device profiling. Cisco Identity Services Engine can create custom device templates that automatically detect, classify and associate administration identities.
- Monitoring and troubleshooting. ISE users can access a web console for monitoring, reporting and troubleshooting.
Benefits of Cisco ISE
Cisco Identity Services Engine offers the following benefits:
- Centralized network access control (NAC). All of an organization's network access points can be controlled from one centralized location.
- Simplified network visibility. ISE stores detailed attribute histories of all endpoints and users connected to a network.
- Threat containment. ISE matches endpoints with attributes like users, location, threat and vulnerability, which enable administrators to choose who and what devices to allow on a network.
Cisco ISE licensing
Cisco ISE is licensed on a subscription basis for terms of one, three and five years, and automatically renews at the completion of the term.
Cisco offers three primary licenses: Premier, Advantage and Essentials. Premier is the base package and Essentials is the highest tier. These packages are set up in a nested doll model, meaning all the features in the Premier edition appear in both the Advantage and Essentials tiers, and all the features in the Advantage edition appear in the Essentials tier.
The Premier license includes the following:
- mobile device management visibility and enforcement;
- posture visibility and enforcement; and
- threat-centric NAC visibility and enforcement.
The Advantage license adds the most features, including the following:
- AI endpoint analytics visibility and enforcement;
- BYOD support;
- context sharing;
- group-based policy (TrustSec);
- profiling visibility and enforcement;
- real-time communications; and
- user-defined networks.
The Essentials license adds the following:
- authentication, authorization and accounting (AAA), and 802.1x;
- easy connect PassiveID; and
- support for guest hotspot, self-registration and sponsored.
Along with Cisco ISE, learn about other ways to improve network visibility and security, such as including intrusion detection systems, automation or executive support.