The more I work with Cisco ISE (Identity Services Engine), the more possibilities I see. In my opinion, it is the most exciting Cisco product since UCS. It’s the only product I’ve seen that provides such a high level of flexibility, control, and centralized configuration for network edge access.
With ISE, you can authenticate, profile, and posture any wired or wireless device that connects to your network. Policy is configured in a centralized controller and, when a client connects, the authorization result is pushed to the switch or wireless controller that client is attached to. Based on a myriad of identity and profiling criteria, you can assign a VLAN, push a downloadable ACL (dACL), or inject a Security Group Tag (SGT) for each client. Today, all of that information is used only for security purposes, but think about the possibilities!
What if every packet on your network were tagged with an identifier derived from an amalgam of criteria: user identity, device type, AD group, application flow, and so on? Consider the opportunities if each packet were proactively encoded with a handle that distinguishes it based on complex criteria. What if those criteria were centrally managed and abstracted into a structure that allows quick decisions in hardware? It’s reasonable to conclude that not only security decisions, but routing, QoS, and optimization could be configured based on this identity tag in the packet. And all of this policy could be pushed from a centralized controller into the data plane of your network.
Granted, ISE doesn’t do this today. It provides authentication, authorization, profiling, and posture services and is solely a security tool. However, the potential power of the platform is limitless.
Of course, ISE is a proprietary Cisco solution that only works well in an all-Cisco environment. Aside from standard RADIUS authentication, all of the great ISE features are Cisco-only. However, if the solution were more open and interoperable with other networking vendors, it could become a huge platform to improve the entire networking industry.
For Cisco, ISE should be a huge component of their long-term strategy for centralized network control, automation, and security. For a vendor that receives a lot of flak for not being a software company, ISE is a great software product.
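To make the VLAN, dACL and SGT mechanisms above concrete, here is a toy model of an ISE-style authorization policy: an ordered rule set, first match wins, with each result rendered as the RADIUS attributes the switch or wireless controller would receive. This is an added example, not Cisco or ISE code. The Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID attributes are the standard RFC 3580 VLAN assignment; the `ip:inacl#` and `cts:security-group-tag` strings are Cisco AV-pair forms (ISE itself delivers a named dACL in a separate download exchange; the ACEs are sent inline here to keep the example self-contained). The rule names, AD groups, VLAN numbers, addresses and tag values are all made up.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# RFC 3580 (IEEE 802.1X RADIUS usage guidelines) values for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802


@dataclass(frozen=True)
class Session:
    """What the policy node knows about one endpoint at authorization time."""
    user: Optional[str]        # None for MAB (MAC-only) sessions
    ad_groups: frozenset       # AD group membership from the identity store
    device_type: str           # profiler result, e.g. "Workstation", "IP-Phone"
    posture: str               # "Compliant", "NonCompliant" or "Unknown"
    auth_method: str           # "EAP-TLS", "PEAP" or "MAB"


@dataclass(frozen=True)
class Authorization:
    """The enforcement the switch or WLC is told to apply to the session."""
    accept: bool
    vlan: Optional[int] = None
    dacl: Tuple[str, ...] = ()   # ACE lines, applied inbound on the client port
    sgt: Optional[int] = None    # TrustSec Security Group Tag (decimal)

    def radius_attributes(self) -> Dict[str, object]:
        """Render the result as the attributes carried in the RADIUS reply."""
        if not self.accept:
            return {"Packet-Type": "Access-Reject"}
        attrs: Dict[str, object] = {"Packet-Type": "Access-Accept"}
        if self.vlan is not None:
            attrs["Tunnel-Type"] = TUNNEL_TYPE_VLAN
            attrs["Tunnel-Medium-Type"] = TUNNEL_MEDIUM_IEEE802
            attrs["Tunnel-Private-Group-ID"] = str(self.vlan)
        # Cisco vendor-specific AV pairs: per-user ACL entries and the SGT
        # (tag in hex followed by a generation id, e.g. 0005-00).
        av_pairs: List[str] = [
            f"ip:inacl#{n}={ace}" for n, ace in enumerate(self.dacl, start=1)
        ]
        if self.sgt is not None:
            av_pairs.append(f"cts:security-group-tag={self.sgt:04x}-00")
        if av_pairs:
            attrs["cisco-av-pair"] = av_pairs
        return attrs


# Ordered rule set: (name, condition, result). First match wins, as in an ISE
# authorization policy, so the quarantine rule must sit above the employee rule.
# Group names, VLAN numbers, addresses and tag values are made up for this example.
REMEDIATION_SERVER = "10.0.0.50"
POLICY: List[Tuple[str, Callable[[Session], bool], Authorization]] = [
    ("Quarantine non-compliant endpoint",
     lambda s: s.posture == "NonCompliant",
     Authorization(True, vlan=99,
                   dacl=(f"permit ip any host {REMEDIATION_SERVER}", "deny ip any any"),
                   sgt=16)),
    ("Employee workstation, certificate auth, compliant",
     lambda s: s.auth_method == "EAP-TLS" and "Domain Users" in s.ad_groups
               and s.device_type == "Workstation" and s.posture == "Compliant",
     Authorization(True, vlan=10, dacl=("permit ip any any",), sgt=5)),
    ("Contractor, password auth",
     lambda s: s.auth_method == "PEAP" and "Contractors" in s.ad_groups,
     Authorization(True, vlan=30,
                   dacl=("permit tcp any any eq 443", "deny ip any any"), sgt=7)),
    ("Profiled IP phone via MAB",
     lambda s: s.auth_method == "MAB" and s.device_type == "IP-Phone",
     Authorization(True, vlan=200, sgt=20)),
]


def authorize(session: Session) -> Tuple[str, Authorization]:
    """Evaluate the ordered policy; anything unmatched is rejected."""
    for name, matches, result in POLICY:
        if matches(session):
            return name, result
    return "Default deny", Authorization(accept=False)


if __name__ == "__main__":
    # Constructed sample sessions: a compliant employee, the same employee failing
    # posture, a profiled phone, and an unknown MAB endpoint that must be rejected.
    sessions = [
        Session("alice", frozenset({"Domain Users"}), "Workstation", "Compliant", "EAP-TLS"),
        Session("alice", frozenset({"Domain Users"}), "Workstation", "NonCompliant", "EAP-TLS"),
        Session(None, frozenset(), "IP-Phone", "Unknown", "MAB"),
        Session(None, frozenset(), "Unknown", "Unknown", "MAB"),
    ]
    for s in sessions:
        name, result = authorize(s)
        print(f"{s.user or s.device_type:>12}: {name} -> {result.radius_attributes()}")
```

The point to notice is that the same identity facts produce very different enforcement depending on rule order: the non-compliant employee never reaches the employee rule, and an endpoint that matches nothing falls through to a reject rather than to an implicit permit.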
Christoper Bell says
We’ve been hesitant to migrate from ACS to ISE although we are eager to implement wired 802.1x. ACS has some serious drawbacks that ISE would help alleviate. My understanding is that ISE has limited HA functionality, especially across a private WAN. Have you seen or experienced any implementations where ISE controllers were placed at an HQ and branch office or disaster recovery site and were expected to be redundant and sync automatically? Just curious because our partner has been telling us this is not currently possible.
Eyvonne Sharp says
Right now, you can’t do everything with ISE that you can do with ACS, although I understand that ACS functionality is being built into ISE. You’re correct about HA functionality. If you do not have a PSN (policy service node, a.k.a. ISE RADIUS server) at a site, and it loses WAN connectivity, you can’t authenticate. Right now, ISE only supports 40 PSNs. This is a weakness with the product IMO. We are not running ISE in production yet, so understand my experience is still limited.
If you only have a handful of remote sites, I would investigate putting a PSN at the mission critical ones but I don’t yet know all the caveats of that implementation.
One of the challenges networking will have to overcome is how to distribute the centralized model. It’s great to have centralized control when everything is working, but as we know, things don’t always work. Links get saturated, fiber gets cut and devices misbehave.
Seth says
Look at Aruba’s ClearPass instead. Does most if not more of ISE and includes MDM/MAM as well.
Oh… And it supports TACACS+
Pharel says
Love it, was trying to know more about ISE
Danielle Felder says
Great article. Would love to add your Cisco ISE review to IT Central Station.
Users in our community often compare Cisco ISE to ForeScout CounterACT. You can see a direct comparison between the two solutions here: https://www.itcentralstation.com/products/comparisons/cisco-identity-services-engine_vs_forescout-counteract/tzd/c206-sbc-57