Cisco Identity Service Engine (ISE) is a network access control and policy enforcement platform. Network devices are the main avenues for wired network, Wireless and VPN connection to allow the users and the endpoint to connect to the network to access various services. With the help of credentials such as password, certificates, tokens or at least the endpoints MAC address. Now these credentials reach ISE in a process called authentication.
ISE can talk up to hundred thousand network devices, can support up to 1.5 million endpoints, 300,000 internal user accounts, 1 million guest user accounts and 1 million user certificates that can be issued from ISE. That’s quite a lot what Cisco ISE can deliver however when you look at enterprises today, they do have some infrastructure running that already has some of these identity services like Microsoft Active Directory or an LDAP server.
Cisco ISE 3 Features
Cisco Identity Services Engine or ISE is the industry-leading tool for ultimate visibility into every device on your network and gives you the control to build visibility-based segmentation to support a zero-trust framework. The dramatic increase in BYOD devices, work from home and cloud applications has made obtaining visibility harder than ever.
That’s why Cisco ISE 3.0 now makes the experience incredibly simpler, adds complete and dynamic visibility and enables a cloud-first security. Approach visibility is the number one function of ISE giving you a detailed view into every device.
You can get a snapshot of activity, unusual behavior, access denials and more all in a new easy to read graphic interface and to maintain visibility with the increase in BYOD and IoT devices coming on and off the network.
Cisco ISE now supports agentless posture giving you the option to identify classify and configure an endpoint or device without installing anything on it. This gives your team the flexibility to manage the speed and ease of onboarding new users and devices at any time or place as they see fit what’s more.
ISE can also be set to automatically identify and classify new devices based on their behavior using AI endpoint analytics. This way policy can be applied dynamically as the device’s posture or situation changes and you don’t have to reconfigure it manually.
802.1X with Azure
You can now take ISE to the cloud as it is already deployable on VMware and AWS. ISE also supports SSO with Microsoft Azure active directory so you can use cloud-based identity to authenticate users. Cisco is leading the migration to the cloud so as your company is headed there ISE is right there with you to support and enable your cloud first strategy.
Finally, to help you manage it all with ease Cisco has completely overhauled the user experience with ISE to make it more intuitive, supportive and easy to set up monitor and use.
What is New Cisco ISE 3.1
ISE 3.1 release will support various new features such as deployment in AWS and tons of new API support for operations such as upgrades repository, certificate management and policies which applies to both Radius for the network access end users and TACACS plus for the device administration policies. Moreover, ability to do posture on Linux clients, which will support Red hat SUSE and Ubuntu Linux is now available. Cisco is also introducing something called custom remediation script what it means is that you can push down a custom script as part of remediation for posture assessment on your Linux, Windows and Mac OS. So previously, when you were doing remediation, meaning that you have an endpoint that connects and it does not meet the requirements, you had a certain set of things that you can do on the endpoint such as install a software, update the anti-virus or install the latest updates. Now with Linux sponsor, Cisco ISE supports Red hat, Ubuntu and SUSE Linux and with the immediate custom remediation script you can craft a script that runs on locally on the computer. You can run it as the user, that's been logged in, or the admin user that installed the AnyConnect client for that machine.
Cisco ISE Open APIs
Basically, the idea of using APIs is to create, read, update and delete operations through https on different resources to control the configuration and operation of ISE. Cisco has been using ERS, MNT and pxGride APIs for years and now Open APIs has been added in ISE 3.1 to add some configuration. The reason that Open APIs are interesting is because it's a way that a lot of different companies are finally coming together with a common format or a standardized way of describing their APIs.
Cisco ISE 2 vs 3 Licensing
Essentially, the Cisco ISE licensing structure used in ISE version 2.x release is called the Lego model. There are three different license tiers: Base for user visibility and enforcement, Plus for context and Apex for compliance. It is called the Lego model because you can assemble your licenses as you need their associated features. The features you can use with one license, don't overlap with the features you can use with another license and you have to have Base license to use Plus and or Apex license.
The most significant change in Cisco ISE 3 is the hierarchy of the license tiers which called the nested doll model. In this model the higher tier license covers the lower tier license. So you can use any ISE features with essential license if you have advantage or premium license. Also, you can use any ISE features with advantage license if you have premier license.
The new licensing structure is much simpler than the 2.x licensing model. For example, to fully use Cisco ISE functionality in ISE version 2.x you need three different licenses. But you need only one license in 3.0 model. Another significant change is that Cisco ISE 3 licenses support only smart licensing. when a smart license token is active and registered in the Cisco ISE administration portal, the Cisco smart software manager or CSSM monitors the license consumption by each endpoint session or product license. So you need your smart account registered in the CSSM and your ISE deployment needs to be continuously connected to the CSSM to monitor the license consumption.
However, in case that customers are not willing to connect their devices to the Internet and any inbound or outbound connection would violate their network security policies, they can use Cisco ISE PLR license or Cisco ISE permanent license reservation which enables all premier capabilities on the product permanently. This license also includes device admin license and Cisco ISE virtual license. Contact Cisco License for more information.
Moreover, all tier licenses including the essentials license are now time based why the device admin license is still perpetual. Additionally, device admin licenses no longer need any tier licenses in 3.0 whereas it needs at least 100 base licenses in 2.x model.
In general, the Essentials license equals to the Base license, Advantage license is equivalent to Base and Plus licenses, and Premium license is identical to Base, Plus and Apex licenses.