What is Cisco ISE (Identity Services Engine)

ise image

Today’s enterprise network is rapidly changing, especially when it comes to employee mobility. Employees are no longer tethered to desktop workstations, but instead access enterprise resources via a variety of devices: tablets, smartphones, and personal laptops, just to name a few. Being able to access resources from anywhere greatly increases productivity, but it also increases the probability of data breaches and security threats because you may not control the security posture of devices accessing the network. Keeping track of all devices accessing the network is a huge task in itself, and as the need for more access arises, the more unsustainable it becomes to manage.

The Cisco Identity Services Engine (ISE) is an identity-based network access control and policy enforcement system. ISE allows a network administrator to centrally control access policies for wired and wireless endpoints based on information gathered via RADIUS messages passed between the device and the ISE node, also known as profiling. The profiling database is updated on a regular basis to keep up with the latest and greatest devices so there are no gaps in device visibility.

Essentially, ISE attaches an identity to a device based on user, function, or other attributes to provide policy enforcement and security compliance before the device is authorized to access the network. Based on the results from a variety of variables, an endpoint can be allowed onto the network with a specific set of access rules applied to the interface it is connected to, else it can be completely denied or given guest access based on your specific company guidelines.

ISE an automated policy enforcement engine that takes care of the mundane day-to-day tasks like BYOD device onboarding, guest onboarding, switchport VLAN changes for end-users, access list management, and many others, so a network administrator can focus on other important tasks (and cool projects!).

ISE Basics
The ISE platform is typically a distributed deployment of nodes made up of three different personas: Policy Administration Node (PAN), Monitoring and Troubleshooting Node (MnT), and Policy Services Node (PSN). All three roles are required for ISE to function.

  • Policy Administration Node (PAN)The PAN persona is the interface an administrator logs into in order to configure policies. It is the control center of the deployment. This node allows an administrator to make changes to the entire ISE topology, and those changes are pushed out from the admin node to the Policy Services Nodes (PSN).
  • Policy Services Node (PSN)The PSN persona is where policy decisions are made. These are the nodes where network enforcement devices send all network messaging to; RADIUS messaging is an example of what is sent to the PSNs. The messages are processed and the PSN gives the go/no-go for access to the network.
  • Monitoring and Troubleshooting Node (MnT)The MnT persona is where logging occurs and reports are generated. All logs are sent to this node and it sorts through them so it can assemble them in a legible format. It is also used to generate various reports so you can make management happy with pretty pictures and numbers (*wink wink*) as well as notify you of any alarms for ISE.