At-A-Glance

Cisco Identity Services Engine (ISE)

Introduction

Traditional corporate network boundaries and siloed services are a thing of the past. Today's networks must accommodate an ever-growing array of consumer IT devices while providing user-centric policy and enabling global collaboration. The Cisco TrustSec architecture addresses this shift by using identity-based access policies to tell you who and what is connecting to your network, allowing IT to enable appropriate services without sacrificing control.

Overview

The first release of ISE focuses on the pervasive service enablement of TrustSec for Borderless Networks. ISE delivers all the necessary services required by enterprise networks - AAA, profiling, posture and guest management - in a single appliance platform. In the future, the same ISE platform can be used to propagate consistent service policies throughout the borderless network, from any endpoint to video delivery optimization, branch service personalization, and data center server and service agility.

As part of the Cisco TrustSec solution and Cisco's SecureX architecture for Borderless Networks, the Cisco Identity Services Engine provides a centralized policy engine for business-relevant policy definition and enforcement. ISE complements the global contextual information offered by Cisco Security Intelligence Operations (SIO) with localized context awareness for effective access policy enforcement.

Benefits

Security: Secures your network by providing real-time visibility into and control over all users and devices on your network.

Compliance: Enables effective corporate governance by creating consistent policy across an infrastructure.

Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive tasks and streamlining service delivery.

Solution Highlights

Business-relevant policies: Enables centralized, coordinated policy creation and consistent policy enforcement across the entire corporate infrastructure, from head office to branch office.

[Figure: ISE solution highlights, six panels. Consolidated Services, Software Packages: ACS, NAC Manager, NAC Profiler, NAC Server, and NAC Guest consolidated into ISE. Session Directory: User ID, Device (& IP/MAC), Location, Access Rights. Flexible Service Deployment: All-in-One, HA Pair, Admin Console, M&T, Distributed PDPs. Policy Extensibility. Manage Security Group Access, shown as an SGT matrix:

  SGT     Public   Private
  Staff   Permit   Permit
  Guest   Permit   Deny

Systemwide Monitoring and Troubleshooting.]

Simplify Deployment and Admin: AAA, posture, profiling, and guest management capabilities in a single appliance platform.

Tracks Active Users and Devices: Track active users and devices to provide real-time awareness of who and what is on the network.

Optimize Where Services Run: Optimize your deployments by applying appropriate services where and when they are needed.

Link in Policy Information Points: Support for third-party policy information points such as Active Directory or Sun ONE Directory Server.

Keep Existing Logical Design: Manage security group tags and ACLs (SGTs and SGACLs) to enforce role-based access control for VDI environments.

Consolidate Data, 3 Click Drill-In: Exceptional Day 2 support with correlated logs, customized queries, a centralized dashboard, and integrated diagnostics.

2011 Cisco Systems, Inc. and/or its affiliates. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Ciscos trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks
mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1007R)

Systemwide operational visibility: Discovers, assesses, and monitors users and endpoints and employs advanced troubleshooting capabilities to give IT teams complete visibility into who and what is on the corporate network.

Context-aware enforcement: Gathers information from users, devices, infrastructure, and network services to enable organizations to enforce context-based business policies across the network. Cisco Identity Services Engine acts as the single source of truth for contextually rich identity attributes, including connection status, user and device identity, location, time, and endpoint health.

Flexible services architecture: Combines AAA, posture, profiling, and guest management capabilities into a single appliance platform. Cisco Identity Services Engine can be deployed across the enterprise infrastructure, applying the appropriate services to support 802.1X wired, wireless, and VPN networks.

Deployment Services

Personalized, professional services from Cisco and our partners provide policy review, analysis, and design expertise to prepare your network to deploy a Cisco TrustSec solution that features Cisco Identity Services Engine. Using leading practices, Cisco TrustSec deployment services help you quickly and cost-effectively deploy a full authentication and access solution while providing knowledge transfer for ongoing operational efficiency.

Packaging and Licensing

Cisco Identity Services Engine is available as either a physical or virtual appliance. ISE licensing gives customers the flexibility to choose between functionality-based licensing and deployment-based licensing.

[Figure: ISE-based TrustSec LAN Deployment. Guest users, users and endpoints running the NAC Agent and AnyConnect 3.0 (or an 802.1X supplicant), and 802.1X IP phones connect through network-attached devices (Cisco Catalyst switches, a Cisco Nexus 7000 switch, and a WLC) into the campus network; the Identity Services Engine appliance or virtual machine, together with the directory service, controls access to the protected resources.]

Deployment Components

The Identity Services Engine is part of an infrastructure-based Cisco TrustSec deployment using Cisco network devices to extend access enforcement throughout a network. Additional deployment components include Cisco NAC Agent and Cisco AnyConnect (or an 802.1X supplicant) on the endpoint; Cisco Catalyst switches and Cisco wireless LAN controllers acting as policy enforcement points for the LAN; and Cisco Adaptive Security Appliances for secure remote access. Cisco Identity Services Engine also integrates with directory services such as Microsoft Active Directory and Sun ONE Directory Server as policy information points.

Functionality Based Licensing

The Base license is intended for organizations that want to authenticate and authorize users and devices on their network (wired, wireless & VPN). It includes AAA services, guest lifecycle management, compliance reporting, and end-to-end monitoring and troubleshooting.

The Advanced license expands upon the Base license and enables organizations to make policy decisions based on user and device compliance. Advanced license features include device profiling, posture services, and security group access enforcement capabilities across the entire network (wired, wireless & VPN).

Deployment Based Licensing

The Wireless license is intended for organizations that want to start their ISE deployment with policy decisions for wireless endpoints only. This license includes both the Base and Advanced license features.

The Wireless Upgrade license is for customers who deployed ISE for wireless endpoints only and want to expand their deployment to wired and VPN endpoints.

Why Cisco Identity Services Engine?

Technology and solution leadership:

Uniquely combines AAA, posture, profiling, and guest management features in a single unified appliance, resulting in simplified deployments and integrated management.

Delivers comprehensive security by integrating with embedded infrastructure features such as Security Group Access (SGA).

Dramatically reduces cost of ownership with world-class monitoring and troubleshooting features designed to streamline operations for your helpdesk and support teams.

Market leadership:

Largest market share in terms of customer deployments.

Rated #1 by leading industry analysts.

Pioneered the original network access control technologies and developed numerous industry standards.

The only comprehensive, single-vendor solution available today.

[Figure: Cisco TrustSec policy enablement platform. Cisco Identity Services Engine is shown as the Policy Enablement Platform (initial target), driving towards Policy-Governed Networks (full vision) through policy management, policy-enabled services, and policy based on business objects. Themes around the platform: business-relevant policies, context awareness, visibility and control. Example connections and outcomes shown: Internet, an unidentified ("?") device, guests, quarantine.]
Cisco Vision

The first release of Cisco Identity Services Engine focuses on the pervasive service enablement of Cisco TrustSec for Cisco Borderless Networks. Future release features will include the ability to propagate consistent service policies throughout the network, from any endpoint to the data center, in areas such as virtualization and branch office service prioritization.

For More Information

For more information on Cisco Identity Services Engine, visit http://www.cisco.com/go/ise. For more information about Cisco TrustSec 2.0 and the full range of products that comprise the Cisco TrustSec solution, visit http://www.cisco.com/go/trustsec.

C45-654884-01 08/11
