Data Sheet

Cisco Identity Services Engine (ISE)

With the explosive growth of mobile devices and BYOD, enterprise networks must support an increasing number of mobile users, devices, and access methods. These networks need to ensure consistent security across all wired, wireless, and VPN media while keeping workers productive with reliable access to their data and applications. At the same time, IT professionals need to maintain high levels of access control over unauthorized users or insecure devices while managing operational costs and time losses from numerous device-support microtasks, such as BYOD.
Maintaining network security and operational efficiency today requires a new technology that can accurately identify every user and device, provision and secure devices, help get them on the network, and use policy to control where they can go from any access media - wired, wireless, or VPN. This requires a holistic approach that combines the most comprehensive network security with device security, offering a path to next-generation networking. The Cisco Identity Services Engine helps IT professionals address these challenges.

Product Overview
The Cisco Identity Services Engine (ISE) is an all-in-one enterprise policy control product that enables comprehensive secure wired, wireless, and VPN access, leading to more productive workers and lower operations costs. When operating in a network, ISE provides the following key features:

Rigorous identity enforcement: ISE offers the industrys first device profiler to identify each device; match it to its user or function and other attributes, including time, location, and network; and create a contextual identity so IT can apply granular control over who and what is allowed on the network. An automated device feed service updates ISE in real time to ensure that new devices can be identified as soon as they are released to the market.

Extensive policy enforcement: Based on the users or devices contextual identity, ISE sends secure access rules to the network point of access so IT is assured of consistent policy enforcement whether the user or device is trying to access the network from a wired, wireless, or VPN connection.

Security compliance: A single dashboard simplifies policy creation, visibility, and reporting across all company networks so its easy to validate compliance for audits, regulatory requirements, and mandated federal 802.1X guidelines.

Automated onboarding: The products self-service registration portal for BYOD, guest, and IT device onboarding automates AAA user identification, device profiling and posturing, 802.1X provisioning, and remediation, so its easy for employees to get their devices on-net and comply with security policy.

Automated device security: Provides device posture check and remediation options, including the lightweight Cisco NAC Client for desktop/laptop checks and integration with many market leading mobile

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 1 of 5

device management (MDM) solutions so its easy for users to keep their devices secure and policycompliant.

Dependable anywhere access: ISE provisions policy on the network access device in real time, so mobile or remote users can get consistent access to their services from wherever they enter the network.

Operational efficiency: Onboarding and security automation, central policy control, visibility, troubleshooting and integration with Cisco Prime means IT and the helpdesk will spend far less time on user and network security fixes.

Embedded enforcement: Device-sensing capabilities are built into most Cisco switches and wireless controllers to extend profiling networkwide without the costs and management of overlay appliances or infrastructure rip and replace.

Next-generation policy networking: ISE is the policy control point for Cisco TrustSec , a next-generation network technology that controls network and application access from end to end, helps turn business policy into network policy, and gives users seamless anywhere service access. Cisco TrustSec makes it easy for customers to migrate to next-generation policy networking, increasing the value of their ISE investment while ending the pain of VLAN, ACL, and firewall rule administration.

The Cisco Identity Services Engine provides several additional key features, described in Table 1.
Table 1.
Feature AAA protocols Authentication protocols

Cisco Identity Services Engines Features

Details Utilizes standard RADIUS protocol for authentication, authorization, and accounting (AAA). Supports a wide range of authentication protocols, including PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), and EAP-Transport Layer Security (TLS). Offers a rules-based, attribute-driven policy model for creating flexible and business-relevant access control policies. Provides the ability to create fine-grained policies by pulling attributes from predefined dictionaries that include information about user and endpoint identity, posture validation, authentication protocols, profiling identity, or other external attribute sources. Attributes can also be created dynamically and saved for later use. Provides a wide range of access control mechanisms, including downloadable access control lists (dACLs), VLAN assignments, URL redirect, and Security Group Access (SGA) tagging using the advanced capabilities of Ciscos TrustSec-enabled network devices. Ships with predefined device templates for a wide range of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administrative-defined identities when endpoints connect to the network. Administrators can also associate endpoint-specific authorization policies based on device type. ISE collects endpoint attribute data via passive network telemetry, querying the actual endpoints, or alternatively from the Cisco infrastructure via device sensors on Cisco Catalyst switches. The infrastructure-driven endpoint sensing capability on Cisco Catalyst switches is a subset of ISEs sensing technology, which allows the switch to quickly collect endpoint attribute information and then, using standard RADIUS, pass this information to ISE for endpoint classification and policy-based enforcement. This switchbased sensing allows for the efficient distribution of endpoint information for increased scalability, deployability, and time to classification. The industry-first feed service is also available with ISE to provide validated profiles for various IP-enabled devices from multiple vendors. With the feed service, enterprises can be ensured that they will successfully detect new devices when their users try to connect them to the network, thereby reducing a significant amount of time for the IT administrator

Policy model

Access control

Profiling

Device onboarding

Allows end users to interact with a self-service portal for device onboarding, providing a registration vehicle for all types of devices as well as automatic supplicant provisioning and certificate enrollment for standard PC and mobile computing platforms. This means fewer cases for IT staff and helpdesk personnel, more secure access, and a seamless user experience. Enables full guest lifecycle management, whereby guest users can access the network for a limited time, either through administrator sponsorship or by self-signing via a guest portal. Allows administrators to customize portals and policies based on specific needs of the enterprise. Verifies endpoint posture assessment for PCs and mobile devices connecting to the network. Works via either a persistent client-based agent or a temporal web agent to validate that an endpoint is conforming to a companys posture policies. Provides the ability to create powerful policies that include but are not limited to checks for the latest OS patches, antivirus and antispyware software packages with current definition file variables (version,

Guest lifecycle management

Posture

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 2 of 5

Feature

Details date, etc.), registries (key, value, etc.), and applications. ISE also supports auto-remediation of PC clients as well as periodic reassessment to make sure the endpoint is not in violation of company policies.

Mobile device management integration Endpoint protection service Centralized management

MDM integration enables ISE to connect with Cisco MDM technology partner solutions to ensure that the mobile devices that are trying to connect to the network have previously registered with the MDM platform, are compliant with the enterprise policy, and can help users remediate their devices. Allows administrators to quickly take corrective action (Quarantine, Un-Quarantine, or Shutdown) on riskcompromised endpoints within the network. This helps to reduce risk and increase security in the network. Enables administrators to centrally configure and manage profiler, posture, guest, authentication, and authorization services in a single web-based GUI console, and greatly simplifies administration by providing integrated management services from a single pane of glass. Includes a built-in web console for monitoring, reporting, and troubleshooting to assist helpdesk and network operators in quickly identifying and resolving issues. Offers comprehensive historical and real-time reporting for all services, logging of all activities, and real-time dashboard metrics of all users and endpoints connecting to the network. Available as a physical or virtual appliance. There are five physical platforms as well as a VMware ESX- or ESXibased appliance.

Monitoring and troubleshooting

Platform options

Benefits
The Cisco Identity Services Engine:

Provides comprehensive secure wired, wireless, and VPN access which includes rigorous identity enforcement, extensive policy enforcement, and security compliance.

Helps increase worker productivity through automated onboarding, automated device security, and dependable anywhere access.

Reduces operations costs by enhanced operational efficiency, leveraging the embedded sensing and enforcement in the existing network and the centralized policy control and visibility to decreasing tedious efforts to secure access.

There are five hardware options for the Cisco Identity Services Engine (Table 2).
Table 2. Cisco Identity Services Engine Hardware Specifications
Cisco Identity Services Engine Appliance 3315 (Small) Processor Memory Hard disk RAID Removable media Network Connectivity Ethernet NICs 10BASE-T cable support 10/100/1000BASE-TX cable support Secure Sockets Layer (SSL) accelerator card Interfaces Serial ports USB 2.0 ports Video ports 1 4 (two front, two rear) 1 1 4 (one front, one internal, two rear) 1 1 4 (one front, one internal, two rear) 1 4 x Integrated Gigabit NICs Cat 3, 4, or 5 unshielded twisted pair (UTP) up to 328 ft (100 m) Cat 5 UTP up to 328 ft (100 m) None 4 x Integrated Gigabit NICs Cat 3, 4, or 5 UTP up to 328 ft (100 m) Cat 5 UTP up to 328 ft (100 m) Cavium CN1620-400-NHB-G 4 x Integrated Gigabit NICs Cat 3, 4, or 5 UTP up to 328 ft (100 m) Cat 5 UTP up to 328 ft (100 m) Cavium CN1620-400-NHB-G 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz 4 GB 2 x 250-GB SATA HDD No CD/DVD-ROM drive Cisco Identity Services Engine Appliance 3355 (Medium) 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz 4 GB 2 x 300-GB SAS drives Yes (RAID 0) CD/DVD-ROM drive Cisco Identity Services Engine Appliance 3395 (Large) 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz 4 GB 4 x 300-GB SFF SAS drives Yes (RAID 0+1) CD/DVD-ROM drive

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 3 of 5

Cisco Identity Services Engine Appliance 3315 (Small) External SCSI ports System Unit Form factor Weight Dimensions (H x W x L) Power supply Cooling fans BTU rating Compliance FIPS Uses FIPS 140-2 Level 1 validated cryptographic modules Rack-mount 1 RU 28 lb (12.7 kg) fully configured 1.69 x 17.32 x 22 in. (43 x 440 x 55.9 mm) 350W 6; non-hot plug, nonredundant 1024 BTU/hr (at 300W) None

Cisco Identity Services Engine Appliance 3355 (Medium) None

Cisco Identity Services Engine Appliance 3395 (Large) None

Rack-mount 1 RU 35 lb (15.87 kg) fully configured 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) Dual 675W (redundant) 9; redundant 2661 BTU/hr (at 120V)

Rack-mount 1 RU 35 lb (15.87 kg) fully configured 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) Dual 675W (redundant) 9; redundant 2661 BTU/hr (at 120V)

Uses FIPS 140-2 Level 1 validated cryptographic modules

Uses FIPS 140-2 Level 1 validated cryptographic modules

Cisco Secure Network Server 3415 (Small) New Processor Memory Hard disk RAID CD/DVD-ROM drive Network Connectivity Ethernet NICs 10/100/1000BASE-TX cable support Secure Sockets Layer (SSL) accelerator card Interfaces Front Panel Connector Additional Rear Connectors 1 x KVM console connector (supplies 2 USB, 1 VGA, and 1 serial connector) Additional interfaces including a VGA video port, 2 USB 2.0 ports, an RJ45 serial port, 1 Gigabit Ethernet management port, and dual 1 Gigabit Ethernet ports 4 x Integrated Gigabit NICs Cat 5 UTP up to 328 ft (100 m) None 1 x Intel Xenon Quad-Core 2.4 GHz E5-2609 16 GB 1 x 600GB 6Gb SAS 10K RPM No No

Cisco Secure Network Server 3495 (Large) New 2 x Intel Xenon Quad-Core 2.4 GHz E5-2609 32 GB 2 x 600GB 6Gb SAS 10K RPM Yes (RAID 0+1) No

4 x Integrated Gigabit NICs Cat 5 UTP up to 328 ft (100 m) Cavium CN1620-400-NHB-G

1 x KVM console connector (supplies 2 USB, 1 VGA, and 1 serial connector) Additional interfaces including a VGA video port, 2 USB 2.0 ports, an RJ45 serial port, 1 Gigabit Ethernet management port, and dual 1 Gigabit Ethernet ports

System Unit Form factor Weight Rack-mount 1 RU 35.6 lbs (16.2 kg) 26.8 lbs (12.1 kg) Dimensions (H x W x L) 1.7 x 16.9 x 28.5 in. (4.32 x 43 x 72.4 cm) Power supply Cooling fans Temperature: Operating Temperature: Nonoperating Compliance FIPS Uses FIPS 140-2 Level 1 validated cryptographic modules Uses FIPS 140-2 Level 1 validated cryptographic modules 650W 5 32 to 104 (0 to 40 (operating, sea level, no F C) fan fail, no CPU throttling, turbo mode) -40 to 158 (-40 to 70 F C) 1.7 x 16.9 x 28.5 in. (4.32 x 43 x 72.4 cm) Dual 650W (redundant) 5 32 to 104 (0 to 40 (operating, sea level, F C) no fan fail, no CPU throttling, turbo mode) -40 to 158 (-40 to 70 F C) Rack-mount 1 RU 35 lb (15.87 kg) fully configured

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 4 of 5

Cisco Identity Services Engine virtual appliances are supported on VMware ESX/ESXi 4.x and 5.x and should be run on hardware that equals or exceeds the configurations of the physical platforms listed in Table 2. At minimum, Cisco Identity Services Engines require the virtual target to have allocated at least 4 GB of memory and at least 200 GB of hard drive space. The virtual appliance is also FIPS 140-2 Level 1 compliant.

System Requirements
The system requirements for the Cisco NAC Agent, used for posture assessment, are shown in Table 3.
Table 3.
Feature Supported OS

Cisco NAC Agent System Requirements

Minimum Requirement Windows 8 Basic, Windows 8 Professional, Windows 8 Enterprise, Windows Vista Business, Windows Vista Ultimate, Windows Vista Enterprise, Windows Vista Home, Windows 7, Windows XP Professional, Windows XP Home, Windows XP Media Center Edition, Windows XP Tablet PC; Mac OS X (v10.5.x, v10.6.x, v10.7.x and v10.8.x) Minimum of 10 MB free hard drive space No minimum hardware requirements (works on various client machines)

Hard drive space Hardware

Service and Support

Cisco offers a wide range of services programs to accelerate your success. These innovative programs are delivered through a combination of people, processes, tools, and partners that results in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, see Cisco Technical Support Services or Cisco Advanced Services. Warranty information is available at http://www.cisco.com/go/warranty. Licensing information is available at http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html.

For More Information

For more information about Cisco Identity Services Engine products and the Cisco TrustSec solution, visit http://www.cisco.com/go/ise or contact your local Cisco account representative.

Printed in USA

C78-656174-04

01/13

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 5 of 5