Cisco ISE

Uploaded by

alphaone0071

Cisco Identity Services Engine (ISE)

Balancing Business Objectives and Providing Protection with Zero-Trust in The Workplace

July 2023
Cisco Secure Zero Trust
A comprehensive approach to securing all access across your people,
applications, and environments.

• Workforce: Ensure only the right users and secure devices can access applications.
• Workplace: Secure all user and device connections across your network, including IoT.
• Workloads: Secure all connections within your apps, across multi-cloud.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Foundations of Zero Trust in Your Workplace

• Visibility: Grant the right level of network access to users across domains
• Segmentation: Shrink zones of trust and grant access based on least privilege
• Containment: Automate containment of infected endpoints and revoke network access

ISE Provides Zero Trust for the Workplace
Enterprise Security

• Endpoints: Users, Devices, Things
• Network Devices: Switches, WLCs / APs, VPN
• Cisco ISE: Single ISE Evaluation, Distributed ISE, VM/Appliance/Cloud
• Identity Services: Azure/AD/LDAP, MDM, SAML/MFA
• Security Services: Cloud Analytics, Secure Firewall, Partners

[Figure: ISE sits between the endpoints, the network devices, the identity services and the security services, with Cisco DNA Center alongside]

Why Customers Buy ISE

• TACACS+ Device Administration: Migrating from Cisco Secure ACS or building a new Device Administration Policy Server, this allows for secure, identity-based access to the network devices.
• Secure Access: Allow wired, wireless, or VPN access to network resources based upon the identity of the user and/or endpoint. Use RADIUS with 802.1X, MAB, Easy Connect, or Passive ID.
• Guest Access: Differentiate between Corporate and Guest users and devices. Choose from Hotspot, Self-Registered Guest, and Sponsored Guest access options.
• Asset Visibility: Use the probes in ISE and Cisco network devices to classify endpoints and authorize them appropriately with Device Profiling. Automate access for many different IoT devices.
• Compliance & Posture: Use agentless posture, Cisco Secure Client, MDM, or EMM to check endpoints to verify compliance with policies (Patches, AV, AM, USB, etc.) before allowing network access.
• Context Exchange: ISE pxGrid is an ecosystem that allows any application or vendor to integrate with ISE for endpoint identity and context to increase Network Visibility and facilitate automated Enforcement.
• Segmentation: Group-based Policy allows for segmentation of the network through the use of Security Group Tags (SGT) and Security Group ACLs (SGACL) instead of VLAN/ACL segmentation.
• Cisco SDA/DNAC: ISE integrates with DNA Center to automate the network fabric and enforces the policies throughout the entire network infrastructure using Software-Defined Access (SDA).
• BYOD: Allow employees to use their own devices to access network resources by registering their device and downloading certificates for authentication through a simple onboarding process.
• Threat Containment: Using a Threat Analysis tool, such as Cisco Cognitive Threat Analytics, to grade an endpoint's threat score and allow network access based upon the results.

Device Administration with TACACS+

[Figure: Network Admin and Help desk Admin log in to network devices over SSH, Telnet or Serial; the devices check the login against ISE using TACACS+]
ISE and Duo Integration for MFA

[Figure: Contractors (John, connected via Switch-SJC01), Guest (Bob, connected via ”CORP” AP-SJC03) and Employees (Alice, connected via SJC-VPN-2) authenticate through ISE against Microsoft Active Directory; the on-premise Duo Auth Proxy relays the 2nd Factor Auth to the Duo Cloud Service]
Guest Solution Overview

• 1 million supported Guest accounts
• Guest account notification options: EMAIL, PRINT, SMS
• Portal language customization
• Social Media Login support
• Manage guest accounts via REST API

The 3 types of guest access
• Hotspot: Immediate, un-credentialed Internet access
• Self Registered: Self-registration by guests, Sponsors may approve access
• Sponsored Guest Access: Authorized sponsors create account and share credentials

ISE BYOD Solution

Device Support: iDevice, Android, macOS, Windows, ChromeOS
• Single / Dual SSID provisioning
• Native supplicant & cert provisioning
• ISE internal CA for BYOD certificates

EMM/MDM Integrations: access to Public and Corporate resources based on MDM policy

[Figure: support matrix by device type]

EMM: Enterprise Mobility Management | MDM: Mobile Device Management

Random & Changing MAC solution (3.1)
Introduction of GUID – Globally Unique Identification to track endpoints

• MDM/EMM: Generate GUID; Provide compliance status; Certificate & Wi-Fi profile
• Client: Wi-Fi configured for EAP-TLS
• ISE: Generate GUID (BYOD); Certificate & Wi-Fi profile; Share GUID via RADIUS-Accept and pxGrid; Provide Random MAC visibility; Police Random MAC devices
• Catalyst 9800: Shared via telemetry; Provide Random MAC visibility; Police Random MAC devices
• DNAC + Endpoint Analytics: Provide Random MAC visibility within Endpoint Analytics
• DNA Spaces: Shared via NMSP

NMSP: Network Mobility Services Protocol
Endpoint Profiling
The profiling service in Cisco ISE identifies the devices that connect to your network

ISE Data Collection Methods for Device Profiling
• Active Probes: Netflow | DHCP | DNS | HTTP | RADIUS | NMAP | SNMP | AD
• Device Sensor (DS): CDP | LLDP | DHCP | HTTP | H323 | SIP | MDNS
• Cisco Secure Client (formerly AnyConnect): ACIDex

[Figure: endpoints send interesting data that reveal their device type to ISE through the Device Sensor (DS) and ACIDex; ISE consults the Feed Service (Online/Offline)]

Cisco Secure Client Identity Extensions (ACIDex) | Device Sensor (DS)

Profiling Packages and Integrations

• Medical Devices Library (Hospital): 250+ Medical device profiles, delivered as XML
• IOT Building & Automation
• Industrial Devices (Factory): Cisco CyberVision, shared with ISE via pxGrid
• Cisco AI Endpoint Analytics: profiles IOT devices and sends endpoint labels via pxGrid to ISE for authorization

https://community.cisco.com/t5/tag/ise-endpoint-profile/tg-p/board-id/4561-docs-security
Multi-Factor Classification on ISE

Example classification of one endpoint (attributes come from the ISE Feed Service, Online/Offline):
MFC-Manufacturer: Cisco
MFC-EndpointType: IP-Phone
MFC-Model: IP Phone 7980
MFC-OS: IOS

MFC-Manufacturer | MFC-EndpointType | MFC-Model | MFC-OS
Cisco | IP-Phone | IP Phone 7980 | IOS
Arlo | Camera | Pro Wireless Cam | Linux
Apple | Laptop | MacBook Pro | macOS 12.0.1
Lenovo | Laptop | Thinkpad 540 | Windows Enterprise

Cisco AI Machine Learning Profiling

[Figure: pipeline from Unknown endpoints to labeled endpoints in ISE; clusters are plotted by Attribute A vs Attribute B; the clustering and rule-creation steps are done in the ML Cloud]

• Clustering: ML groups different endpoints into clusters based on attribute data (Cluster 1, Cluster 2)
• Rule Creation: Creates a rule that uniquely groups together endpoint clusters
• Active Learning: ML learns new labels and validates existing labels
• Endpoint Labeling: System recommends labels or customer can teach ML what to label the endpoints in a cluster ("These are Bosch Coffee Machines")
• Label Validation

Example labels: Bosch Coffee Machine, Arlo Pro Wireless Cam, Apple Watch, Cisco IP Phone 7980


Cisco AI Endpoint Analytics and ISE

[Figure: Cisco DNAC+EA collects telemetry and shares Classifications (Context) with ISE, which applies ISE Policy; the Cisco ISE Web Interface shows the results]

• Endpoint Analytics shows device classification results associated with endpoints
• Telemetry sources: Catalyst 9000 at the Distribution Layer (NBAR Telemetry, SD-AVC Agent); Wireless LAN Controller; Traffic Telemetry Appliance (TTA) fed by SPAN from Legacy Cisco Switches / 3rd party devices

Authentication and Authorization

[Figure: an Employee and a Contractor (user alice, password *****) request NETWORK ACCESS to PROTECTED SERVERS, SHARED SERVICES and the PUBLIC NETWORK]

• AUTHENTICATION: Who are you?
• AUTHORIZATION: What can you do?
Posture & Compliance MDM Attributes

[Figure: Cisco Secure Client, Agentless posture and EMM/MDM report to ISE; cisco.com/go/csta]

Example Authorization Policy:
IF JailBroken is No AND PinLock is Yes THEN Compliant

MDM attributes available to authorization policy:
ActivityType, AdminAction, AdminActionUUID, AnyConnectVersion, DaysSinceLastCheckin, DetailedInfo, DeviceID, DeviceName, DeviceType, DiskEncryption, EndPointMatchedProfile, FailureReason, IdentityGroup, IMEI, IpAddress, JailBroken, LastCheckInTimeStamp, MacAddress, Manufacturer, MDMCompliantStatus, MDMFailureReason, MDMServerName, MEID, Model, OperatingSystem, PhoneNumber, PinLock, PolicyMatched, RegisterStatus, SerialNumber, ServerType, SessionId, UDID, UserName, UserNotified
Cisco Secure Client (formerly AnyConnect)
A Suite of Security Service Enablement Modules

VPN Module (Core)

ISE Posture

Diagnostics and Reporting Tool (DART)

Agentless Posture 3.0

[Figure: an Employee connects via 802.1X / MAB; ISE runs posture checks on the endpoint over PowerShell or Shell (.sh) and reads back the Posture Status; the result is Compliant or Unknown]

Linux Support added in ISE 3.1
Posture Deployment Options (ISE 3.3)

[Figure: support matrix (Supported / Not Supported / Limitations) across Cisco Secure Client, AC Stealth, Temporal and Agentless, grouped as Visibility (Less Effort), Experience (Less Time) and Security (More Protection)]

Capabilities compared:
• Anti-Malware Checks
• Firewall Installation Checks
• Application Inventory
• Hardware Inventory
• Process Checks
• Dictionary Conditions
• Application Checks
• File Checks
• Service Checks
• Disk Encryption
• Patch Management
• Registry Checks (N/A)
• USB Checks
• WSUS remediation (legacy) (N/A)
• Remediation (Auto, Manual / Partial / Part Auto / Text)
• Reassessment
Authorization Enforcement Options
Beyond RADIUS Access-Accept / Access-Reject

VLANs: Dynamic VLAN Assignments
• Printers: VLAN 5
• Employees: VLAN 3
• Guest: VLAN 4

ACLs: DL, Named, DNS
• Downloadable ACL (Wired) or Named ACL (Wired + Wireless)
• Per port / Per Domain / Per MAC
• Employee: permit ip any any
• Contractor: deny ip host <critical>; permit ip any any

Security Group Tags: Cisco Group-Based Policy
• 16-bit SGT assignment and SGT based Access Control

Group Based Policy Simplifies Segmentation

Traditional Segmentation
• Enterprise Backbone, Aggregation Layer, Access Layer
• Static ACL, Routing, Redundancy, VACL, DHCP Scope, Subnet, Addresses, VLAN
• Access-layer roles (Non-Compliant, Voice, Employee, Supplier, BYOD) each mapped to their own VLAN (Quarantine, Voice, Data, Guest, BYOD)
• Security Policy based on Topology
• High cost and complex maintenance

TrustSec Micro/Macro Segmentation
• Enterprise Backbone, Aggregation Layer, Access Layer, DC Servers
• Central Policy Provisioning from ISE
• No Topology Change, No VLAN Change
• Roles become tags (Employee Tag, Supplier Tag, Non-Compliant Tag); Voice, Non-Compliant, Employee, Supplier and BYOD share the Voice and Data VLANs
• Use existing topology and automate security policy to reduce OpEx

Non-Fabric Group-Based Policy Enforcement

deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
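The two slides above make one point: with group-based policy the verdict for a flow comes from the SGACL bound to its (source SGT, destination SGT) cell, not from the VLAN or subnet the endpoint happens to sit in. The following added example (not Cisco code) models that lookup with a small policy matrix; SGT numbers, the matrix cells, the default and the sample flows are all constructed, and the deny list mirrors the SGACL shown on the slide.

```python
"""Group-based policy lookup keyed by (source SGT, destination SGT).

Added illustration, not Cisco code. SGT values, the policy matrix and the
sample flows are constructed; the SGACL entries mirror the slide's deny list.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed SGT assignments (SGTs are 16-bit; these values are illustrative)
SGT = {"Employee": 4, "Supplier": 5, "Non_Compliant": 6, "DC_Servers": 10}


@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    src_vlan: int = 0             # carried only to show it is never consulted


# An SGACL is an ordered list of (action, protocol, destination port).
# Protocol "ip" and port None are wildcards. This list mirrors the slide's
# deny entries, followed by the usual trailing "permit ip".
LATERAL_DENY = [
    ("deny", "icmp", None),
    ("deny", "udp", 53),      # domain
    ("deny", "tcp", 3389),
    ("deny", "tcp", 1433),
    ("deny", "tcp", 1521),
    ("deny", "tcp", 445),
    ("deny", "tcp", 137),
    ("deny", "tcp", 138),
    ("deny", "tcp", 139),
    ("deny", "udp", 161),     # snmp
    ("deny", "tcp", 23),      # telnet
    ("permit", "ip", None),
]
PERMIT_ALL = [("permit", "ip", None)]
DENY_ALL = [("deny", "ip", None)]

# Policy matrix: (src SGT, dst SGT) -> SGACL. Unlisted cells use DEFAULT.
MATRIX = {
    (SGT["Employee"], SGT["Employee"]): LATERAL_DENY,
    (SGT["Employee"], SGT["DC_Servers"]): PERMIT_ALL,
    (SGT["Supplier"], SGT["DC_Servers"]): LATERAL_DENY,
    (SGT["Non_Compliant"], SGT["DC_Servers"]): DENY_ALL,
}
DEFAULT = PERMIT_ALL  # constructed default; a real deployment picks its own


def ace_matches(ace, flow: Flow) -> bool:
    """True when one SGACL entry applies to the flow."""
    _, proto, port = ace
    if proto != "ip" and proto != flow.proto:
        return False
    return port is None or port == flow.dst_port


def evaluate(flow: Flow, matrix=MATRIX, default=DEFAULT) -> str:
    """Return "permit" or "deny" using only the flow's SGT pair.
    A flow matching no entry is denied (an assumption made in this example)."""
    sgacl = matrix.get((flow.src_sgt, flow.dst_sgt), default)
    for ace in sgacl:
        if ace_matches(ace, flow):
            return ace[0]
    return "deny"


def vlan_independent(flow: Flow) -> bool:
    """True when moving the endpoint to another VLAN leaves the verdict
    unchanged: the key is the SGT pair, so no ACL rewrite follows a move."""
    moved = Flow(flow.src_sgt, flow.dst_sgt, flow.proto, flow.dst_port,
                 flow.src_vlan + 100)
    return evaluate(flow) == evaluate(moved)


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow(SGT["Employee"], SGT["Employee"], "tcp", 3389),        # deny (RDP peer to peer)
        Flow(SGT["Employee"], SGT["Employee"], "tcp", 443),         # permit
        Flow(SGT["Employee"], SGT["DC_Servers"], "tcp", 445),       # permit (server access)
        Flow(SGT["Non_Compliant"], SGT["DC_Servers"], "tcp", 443),  # deny (quarantined)
        Flow(SGT["Supplier"], SGT["DC_Servers"], "udp", 53),        # deny
    ]
    for f in samples:
        print(f"{f.src_sgt}->{f.dst_sgt} {f.proto}/{f.dst_port}: {evaluate(f)}")
```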

Context Build, Summarize, Exchange

• Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices
• Context Reuse: context is shared with eco-system partners for analysis & control

Context sources: Threat Intelligence, Mobility Services Engine, System managers, Mobile Device Managers, Directory Services, Vulnerability Scanners, ISE Posture, DNAC, Threat, Vulnerability, Security Group Tag, Endpoints
Context dimensions: Who, What, When, How, Where
Exchange channels: pxGrid, REST API, Syslog
Consumers: Secure Network Analytics, Secure Firewall, 3rd Party Partners

Context Sharing with pxGrid
Eco system partnership to enrich, exchange context and enact

• Context to Partner (Cisco ISE → Eco-Partner, CONTEXT): ISE makes Customer IT Platforms User/Identity, Device and Network Aware
• Enrich ISE Context (Eco-Partner → Cisco ISE, CONTEXT): Enrich ISE context. Make ISE a better Policy Enforcement Platform
• Threat Mitigation (Eco-Partner → Cisco ISE, ACTION / MITIGATE; ISE 2.2+): Enforce dynamic policies into the network based on Partner’s request
• Context Brokerage (Cisco ISE between Eco-Partners): ISE brokers Customer’s IT platforms to share data amongst themselves

pxGrid for Group-Based Policy

[Figure: ISE shares group-based policy context over Cisco pxGrid (and RADIUS) with Cisco Secure Firewall, Cisco Secure Web Appliance, Cisco DNA Center and any pxGrid subscriber]

Cisco pxGrid and Cloud-based Security Services

The current architecture of pxGrid does not allow it to traverse through the perimeter without punching holes in the firewall(s).

[Figure: sequence over time between ISE (pxGrid Server), the Firewall and the Security Service]
• 8910/TCP
• HTTPS Handshake
• Bi-directional messages over an open & persistent connection
• One side closes channel
• connection closed

Cisco pxGrid Cloud Architecture (May 2022)

[Figure: ISE connects to dna.cisco.com; partner apps are registered (Register Partner App), listed as OFFERs in the App Store, then Connect, Subscribe, Activate and Launch]

Threat Visibility: Rapid Threat Containment (RTC)

[Figure: Jim, Harry and Alice connected through Cisco ISE; step 2: AMP on Endpoint notifies the cloud; step 3: Threat from Jim’s device; steps 1, 4 and 5 shown as arrows]

Vulnerability Assessment (Threat-Centric NAC)

[Figure: Jim, Harry and Alice connected through Cisco ISE, with an On-prem Scanner]
• Step 2: Scan Jim’s Endpoint
• Step 3: Scans
• Step 4: Scan report
• Step 5: CVSS=10
• Step 6: ISE enforces the authorization policy

Authorization Policy: If CVSS is Greater than 5 = true, then Quarantine
CVSS: Common Vulnerability Scoring System

Cisco pxGrid 2.0
ISE 3.1 Deprecates pxGrid 1.0

Feature | pxGrid 1.0 | pxGrid 2.0
Protocol | XMPP | WebSockets & REST
Ports | Two (TCP 5222 & 7400) | One (TCP 8910)
Service redundancy | No (No HA) | Yes
Scale and performance | Low – Limited integrations (5,000 KB/s for 4 subscribers) | High – Scalable integrations (100,000 KB/s agg. for 150 subscribers)
Client-side development | Java or C | Any language
Support | From ISE 1.3; Not supported in 3.1 | From ISE 2.4

All Cisco products now support pxGrid 2.0!
Product | Min Version
Cisco Firepower | 6.0
Cisco Stealthwatch Enterprise | 7.3.2
Cisco Cyber Vision | 3.1.0
Cisco Web Security Appliance | 11.7
Cisco Industrial Network Director | 1.3
Cisco DNA Center | 2.1.0

More at http://bit.ly/pxgrid2-0
Cisco ISE Security Technical Alliance Partners Sep 2022

cisco.com/go/csta
Cisco ISE Ecosystem Partner Integration Details
cs.co/ise-ecosystem-partners

Partner | API Type | Status | ISE Version (min) | Partner Version (min) | RTC Type | RTC Action (pxGrid) | ISE Authz Policy (EPS, ANC) | pxGrid Topics/Attributes
42Gears | MDM | | 2.4 | - | None | - | - | -
Absolute | MDM | | 1.2 | - | None | - | - | -
Acalvio | pxGrid v2 | | 2.4 | 4.0 | pxGrid | Automated via policy | ANC | -
Alef Nula - Identity Bridge | pxGrid v2 | | 2.4 | - | None | - | - | Session - Identity Bridge (replaces CDA type functionality with ASA)
Alef Nula - AleFTI MAB | Other | | 2.4 | - | None | - | - | -
Keeper, Office Locator
ArcSight | SIEM | | 1.2 | - | EPS REST | - | - | -
Armis | pxGrid v2 | | 2.4 | - | pxGrid | Manual via GUI | ANC | Topic Subscribes: ANC
Asimily | pxGrid v2 | | 2.4 | 20.10 | pxGrid | Manual via GUI (or automatic) | ANC | Session; ERS API calls to configure ACL
Attivo Networks | pxGrid v1 | | 2.1 | ATV Botsink 4.0 | pxGrid | Manual via GUI | EPS | Topic Subscribes: EndpointProtectionService
ISE Security Ecosystem Integration Guides (Sep 2022)
Configuration guides for all ISE integrations, sorted by Vendor and Product!

cs.co/ise-guides

AirWatch; Acalvio (pxGrid, ANC); Alef (pxGrid); Amazon Web Services (AWS); Ansible; Arista; Armis (pxGrid - ERS API); Aruba; Asimily; Avaya; Bayshore; Blusapphire (pxGrid); Brocade; Certego; Certificates / Private Key Infrastructure (PKI); Checkpoint; Cisco; Cisco Adaptive Security Appliance (ASA); Cisco AI Endpoint Analytics; Cisco Secure Client (formerly AnyConnect); Cisco Catalyst Wireless; Cisco Cognitive Threat Analytics (CTA); Cisco CyberVision; Cisco DNA Center (DNAC); Cisco Industrial Network Director (IND); Cisco IP Phones; Cisco Meraki; Cisco pxGrid (Platform Exchange Grid); Cisco pxGrid Cloud; Cisco Prime Infrastructure; Cisco Secure Access by Duo - formerly Cisco Duo; Cisco Secure Endpoint - formerly Advanced Malware Protection (AMP)

Cisco Secure Firewall - formerly NGFW or Firepower Management Center (FMC); Cisco Secure Network Analytics - formerly Cisco Stealthwatch; Cisco Secure Workload - formerly Cisco Tetration; Cisco Security Manager (CSM); Cisco Catalyst Switches; Cisco TrustSec; Cisco UCS / Cisco Integrated Management Center (CIMC); Cisco Umbrella; Cisco Web Security Appliance (WSA); Cisco Webex Room Navigator; Citrix XenMobile; Compliance; CyberArk (API); Cyber Observer (API); Cylera (pxGrid); Cynerio (pxGrid); Digital Defense by Help Systems; DFLabs - Incman - (SOAR); EAP (Extensible Authentication Protocol); Envoy (Guest); ExtraHop (pxGrid); Extreme Networks; F5; Forescout; Fortinet FortiManager/FortiGate - pxGrid; Good (MDM); Google; Google Android; Google Chromebook; HashiCorp

Terraform; HP; Huawei; IBM; IBM MaaS360; IBM QRadar (Syslog & pxGrid); InfoBlox (pxGrid); Ivanti (formerly MobileIron); Juniper; KVM (Hypervisor); Lightweight Directory Access Protocol (LDAP); LinkShadow (pxGrid); Live Action (pxGrid); Logzilla (syslog); McAfee (pxGrid); Microsoft; Microsoft Active Directory; Microsoft Azure; Microsoft Azure Active Directory; Microsoft Endpoint Manager (MEM); Microsoft Hyper-V; Microsoft Intune; Microsoft System Center Configuration Manager (SCCM); Microsoft WSUS; MicroTik (TACACs); Mobile Device Management (MDM); Motorola; MySQL; Nozomi (pxGrid); Nutanix; Okta; Open DataBase Connect (ODBC)

Oracle; Oracle Cloud Infrastructure (OCI); ORDR (formerly CloudPost); Palo Alto Networks: IoT Security ISE Integration (ERS), IoT ISE pxGrid Integration, Other Documents; Ping Federate; Postman; Qualys (TC-NAC); RADIUS Servers; Radiflow (pxGrid-ERS); Rapid7 (TC-NAC); REST (Representational State Transfer APIs); Rockwell; RSA; Ruckus; Securonix (Syslog); ServiceNow (ERS API); Smokescreen - CarbonBlack now Zscaler (pxGrid); SMTP (Simple Mail Transfer Protocol); SMS; Splunk (syslog, SOAR); Symantec; TACACS (Terminal Access Controller Access-Control System) Protocol; Tanium (pxGrid); Tenable Nessus (TC-NAC); ThreatConnect (SOAR); TrapX Labs DeceptionGrid (pxGrid); VMware; vCenter; XTENDISE
A Typical Customer Journey
Not a standard or recommended approach
Each use case may be the end goal

• Wireless: Start with Secure Wireless Access; Non-disruptive due to SSIDs
• Guest: Customer, Corporate, BYOD
• Wired (Visibility): 802.1X / MAB (with Profiling)
• Posture: See Apps & HW inventory; Enforce system compliance
• Segmentation: Use SGTs for segmentation; Enforce Group based policies
• RTC (Visibility): Integrate with eco-system partners; Contain threats

ISE Architecture cs.co/ise-scale

Standalone ISE: Single Node (Virtual/Appliance)
• Up to 50,000 concurrent endpoints (3600 series)
• Up to 100,000 concurrent endpoints (3700 series)

Distributed ISE: Multiple Nodes (Virtual/Appliance), up to 2,000,000 concurrent endpoints
Policy Administration Node (PAN)
• Single pane of glass for ISE admin
• Replication hub for all config changes
Monitoring & Troubleshooting Node (MnT)
• Reporting and logging node
• Syslog collector from ISE Nodes
Policy Services Node (PSN)
• Makes policy decisions
• RADIUS / TACACS+ Servers
pxGrid Controller (PXG)
• Facilitates sharing of context

ISE Deployment Scale cs.co/ise-scale (ISE 2.6+)

Same for physical, virtual, & cloud instances
Compatible with load balancers

Deployment | Lab and Evaluation | Small HA Deployment | Medium Multi-node Deployment | Large Deployment
Nodes (Small, Medium, Large) | | 2 x (PAN+MNT+PSN) | 2 x (PAN+MNT+PXG), <= 6 PSN | 2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs
Endpoints, 3600 series | 100 Endpoints | Up to 50,000 Endpoints | | Up to 2,000,000 Endpoints
Endpoints, 3700 series | 100 Endpoints | Up to 100,000 Endpoints | | Up to 2,000,000 Endpoints

ISE Fully Distributed Architecture
• Centralize in DCs…or Distribute PSNs across Geographies

[Figure: DC1 hosts the Primary PAN & MNT, DC2 the Secondary PAN & MNT, with PSNs distributed across sites]

• Separate PAN and MNTs
• 50 PSN max per deployment
• 300ms delay between PAN and other ISE nodes
• Co-locate PSNs with AD
ISE Nodes – Mix and Match

• Physical Appliances: SNS-3795, SNS-3755, SNS-3715, SNS-3695, SNS-3655, SNS-3615, SNS-3595
• Virtual Machines
• Cloud Instances (Future)
ISE 3.3 Supported Platforms
See Deploy Cisco ISE Natively on Cloud Platforms for provider instance types and XS/S/M/L node sizing

• Cisco ISE on Cisco SNS appliances
• Cisco ISE on Any Server (VMware version 6.7+ required)
• Cisco ISE on AWS | Azure | Oracle
• Cisco ISE on AWS | Azure

Appliance | Standalone Sessions | PSN Sessions | Processor | Cores | Memory | Disk | RAID | Network Interfaces
SNS-3615 | 12,500 | 25,000 | 1 – Intel Xeon 2.10 GHz 4110 | 8 | 32 GB (2 x 16 GB) | 1 (600GB) | No | 2x10Gbase-T, 4x1GBase-T
SNS-3655 (EoL/EoS 8/2023) | 25,000 | 50,000 | 1 – Intel Xeon 2.10 GHz 4116 | 12 | 96 GB (6 x 16 GB) | 4 (600 GB) | 10 | 2x10Gbase-T, 4x1GBase-T
SNS-3695 (PSN) | 25,000 | 50,000 | 1 – Intel Xeon 2.10 GHz 4116 | 12 | 256 GB (8 x 32 GB) | 8 (600 GB) | 10 | 2x10Gbase-T, 4x1GBase-T
SNS-3715 | 25,000 | 50,000 | 1 – Intel Xeon 2.10 GHz 4310 | 12 | 32 GB (2 x 16 GB) | 1 (600GB) HD or 1 (800GB) SSD or 1 (960GB) SED | No | 2x10Gbase-T, 4x10GE SFP
SNS-3755 | 50,000 | 100,000 | 1 – Intel Xeon 2.30 GHz 4316 | 20 | 96 GB (6 x 16 GB) | 4 (600GB) HD or 4 (800GB) SSD or 4 (960GB) SED | 10 | 2x10Gbase-T, 4x10GE SFP
SNS-3795 (PSN) | 50,000 | 100,000 | 1 – Intel Xeon 2.30 GHz 4316 | 20 | 256 GB (8 x 32 GB) | 8 (600GB) HD or 8 (800GB) SSD or 8 (960GB) SED | 10 | 2x10Gbase-T, 4x10GE SFP

* SNS-3595 no longer supported with ISE 3.3
* VMWare version 6.7+ required
ISE Performance & Scale
cs.co/ise-scale
• Deployment Architectures: S / M / L
• Maximum Concurrent Active Sessions
• Deployment Scale Limits
• Protocol Performance
• Scenario Performance

ISE APIs and Automation (3.1)

[Figure: REST clients such as Postman call the ISE OpenAPIs]
API resources: internaluser, certificate, sgt, sgacl, endpoint, policy, identitygroup, node, portal, activedirectory, guestuser

github.com/CiscoISE
ISE 3.x Licensing Model cs.co/ise-licensing

2.x (Lego) Model
• Base (Network Onboarding): AAA & 802.1x; Guest (Hotspot, Self-Reg, Sponsored); Trustsec; Easy Connect (PassiveID)
• Plus (Context): Profiling; Location Visibility & Enforcement; Context Sharing (pxGrid); BYOD (+CA,+MDP); RTC (ANC)
• Apex (Compliance): Posture; MDM Compliance; TC-NAC

3.x (Nested-Doll) Model
• Essentials (User Visibility & Enforcement): AAA & 802.1X; Guest (Hotspot, Self-Reg, Sponsored); Easy Connect (PassiveID); Native IPSec
• Advantage (Asset Visibility & Context): Profiling; Location Visibility & Enforcement; BYOD (+CA, +MDP); Group Based Policy (TrustSec); User Defined Network; Context Sharing (pxGrid Out/In); Endpoint Visibility & Enforcement via Endpoint Analytics; MFC Classification; AI/ML Profiling; WiFi Edge Analytics; Rapid Threat Containment (ANC)
• Premier (Compliance): Posture; MDM Compliance; TC-NAC

Notes
• Smart licensing only (Satellite, SLR available)
• All Endpoint licenses are term-based
• Single ‘common’ VM license (across all sizes & platforms/clouds)
• Device Admin does not need endpoint licenses
• Base → Essentials, term fixed for Oct 2023 expiry

Try ISE 3 for Free! 90-day Eval Licenses on Install!

• 100 x Essentials / Advantage / Premier endpoint licenses
• 1x TACACS+ Device Admin license
• Appliance License
ISE 3.0 Release Highlights

• Azure AD Integration*
• Agentless Posture
• AD 2019 integration
• Posture Custom Scripts
• ODBC Enhancements
• Enhanced Passive Identity
• Device lookup w/o MAC
• Multi-DNAC Integration
• Minimum AV/AM check
• New licensing model
• Next-gen User Interface
• AI Endpoint Analytics Sync
• ISE install on VMware Cloud
• API Gateway

* Controlled Availability
ISE 3.1 Release Features

• SAML SSO for ISE admin login
• APIs for system and policy management
• Random & Changing MAC address
• ISE deployment on AWS
• Streamlined upgrade experience
• Zero-touch provisioning
• Enhanced audit logs
• Endpoint Remediation Scripts
• Posture bi-directional trigger
• Linux posture
• Enhanced posture discovery
• Active Directory DC failover enhancement
• Authentication Dashboard
• Alarms import/export
• Context visibility
• Prevent AD account lockout
• Seamless EA integration
• Logical profile dashlet
• RADIUS CoA Proxy
What’s New in ISE 3.2 - Release Highlights

• ISE in Microsoft Azure
• ISE in Oracle Cloud (OCI)
• Cisco ISE in Light or Dark Mode
• Cisco Secure Client Support (AnyConnect Rebranding)
• EAP-TLS & TEAP Authentication with Azure AD
• ERS APIs Open API Specs
• Posture Condition Script Support
• Extra Small Virtual Machine Deployment
• ERS APIs PATCH Requests
• Cisco pxGrid Direct for ServiceNow CMDB
• Infrastructure Monitoring
• Data Connect
• Zero Touch Provisioning (ZTP) – Security Update
• Internal User Password Expiration
• Single GUID Entry for Endpoints within Context Visibility
• Mobile Device Management Enhancement
• 5G as a Service
• Authorization Policies for PassiveID Users
ISE 3.3 Release Highlights

• NEW Navigation Improvements
• Split Upgrade Process
• ISE Ciphers Control
• Controlled Restart after Admin Certificate Renewal
• pxGrid Direct visibility enhancements
• API Support for LDAP
• pxGrid Context-In Enhancement
• Posture for ARM64-based endpoints
• Use Wi-Fi Edge Analytics data for ISE profiling
• IPv6 Support for Agentless Posture
• IPv6 Support (Guest Portal, Posture, Profiling)
• Machine Learning Based Profiling
• Multi-Factor Classification (MFC) on ISE
• Custom Attribute Reprofiling Trigger
ISE Resources
• ISE Webinars: cs.co/ise-webinars
• ISE YouTube Channel: cs.co/ise-videos
• ISE Resources: cs.co/ise-resources
• ISE Community: cs.co/ise-community
• ISE Security Integration Guides: cs.co/ise-guides
• ISE Compatibility Guides: cs.co/ise-compatibility
• Network Access Device Capabilities: cs.co/nad-capabilities
• ISE Licensing & Evaluations: cs.co/ise-licensing
Next steps
‣ Visit cisco.com/go/ise
‣ Show an ISE demo with the cs.co/ise-instant-demo
‣ Schedule a dCloud Demo: cs.co/selling-ise-demos
