Cisco Identity Services Engine 1.1 White Paper
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Cisco IT Article
Cisco IT and the Identity Services Engine
A multiyear deployment journey.
By Greg Rasner
Security Engagement Manager, Cisco
The Cisco Identity Services Engine (ISE), a policy engine, enables contextual network access control across wired and wireless networks, and extends to mobile connectivity as well (Bring Your Own Device, or BYOD). Contextual controls are based on multiple variables, including who (user identity), when (time of day), where (location), how (access method), and what (device). ISE works with our existing infrastructure to enforce security policy on all devices that attempt to gain access to the network. To do this, ISE can use access switches, wireless controllers, and most Cisco® network gear for edge authentication, as device profiling sensors, and as access enforcement points.
ISE is also capable of extending authentication services to other vendors’ 802.1X-compliant hardware, and of enabling web authentication as a backup for non-802.1X-compliant devices. ISE is deployed as an appliance or runs on a virtual machine (VM). We deploy ISE on a VM, which is in step with our overall data center virtualization and footprint reduction goals. We are taking a measured, controlled approach to rolling out new ISE capabilities. This approach helps IT to ensure a smooth adoption, to collect user feedback, and to build on and leverage ISE capabilities in each phase.
Cisco IT was an early adopter of ISE (deploying ISE 1.1 in 2012), and we have made much progress rolling out
ISE capabilities in the last year and a half. See
making during the initial deployment phase. That deployment strategy held throughout Cisco’s fiscal-year 2014, which ran from August 2013 to July 2014.
This article focuses on key areas of our current ISE deployments, including Deployment Strategy, Testing and Certification Process, Guest Networking and Enhancements, Profiling, Wireless Authentication, Wired Authentication, Replication and Scaling, Operational Support, Pilot and Limited Deployments, and Challenges/Lessons Learned.