ISE 1.4 ATP HLD Template v1.2
ISE 1.4 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 28
Contents
Introduction
  ATP Partner Resource Center
  ISE ATP Engineers
  Document Purpose
  Why is Completing the HLD Required Prior to Placing the Order?
Business Objectives
  Customer's Business Goals
Estimated Timelines
Customer Environment Summary
Customer Network Overview
  Physical Network Topology
  Topology Specifics
Policy Details
Deployment Details
  Unknowns
  High Availability
  Migration
  ISE Node details
Bill of Materials (BOM)
Appendix
  ATP Partner Resource Center
  Migration SKUs
  Migration Guide
  Machine Access Restrictions (MAR)
  Note regarding Performance Specifications
  Platform Hardware Specs
  Platform Performance Specs for PSN when PAN and MnT deployed as separate node: Max Concurrent Endpoints and Composite Authentications (Authentication values are approximate values)
  Platform Performance Specs: Authentications/Second with PSN-only persona (Approximate values)
  System Performance Specs (Per Identity Services Engine deployment)
  System Scale (Per Identity Services Engine deployment)
  VM Disk Size Minimum Requirement
  MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled)
  Latency and bandwidth requirement among ISE nodes
  Inline Posture Specifications
  Guest server and ISE Guest Feature Comparison
  ACS and ISE Feature Comparison
Introduction
Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for the Cisco Identity Services
Engine (ISE) with the Secure Access solution. Because of the complex product configurations and deployment options, ISE
SKUs must be sold with ISE ATP-approved Professional Services, which create the HLD and provide deployment
oversight, unless an exception is obtained. Cisco TAC or Secure Access and Mobility Product Group
representatives may request a copy of the HLD with any support or escalation case. ISE ATP-certified Partners must have
their first three HLDs reviewed by Cisco before being exempted from mandatory HLD review for ISE orders. As a best
practice, it is also recommended that each subsequent engineer within the certified partner has their first three HLDs
reviewed by someone who is fully certified.
If the order will be placed after the HLD has been approved, please send the SO # to sac-support@cisco.com and reference this HLD to have the
order released. You may also contact the Sales Acceleration Center (SAC) by phone at +1-408-902-4872 or via Live Chat: http://tinyurl.com/sacucs. SAC is
open 24 hours a day (Monday to Friday).
Business Objectives
Customer's Business Goals
Describe the customer's business goals. Consider the following example business goals:
- Profiling for visibility or inventory management (differentiation of services based on device type)
- Differentiation of service based on user identity
- Regulatory compliance
- Securing the wireless network and providing guest access
- Managing employee-provided devices (e.g., iPads)
- Port lockdown
- Ensuring endpoint health or posture
- Other
The Policy Details provided in later sections of this HLD should reflect the business objectives stated here.
Estimated Timelines
Phase | Number of endpoints | Begin | End | Comments
Lab testing and qualification | N/A | | |
Final Design Review call with Cisco SME | N/A | Earliest target date for review call | Latest target date for review call | May also occur after initial pilot/POC phase
Production phase 1 (pilot) | | | |
Production phase 2 | | | |
Production phase 3 | | | |
Customer Environment Summary
Deployment Summary | Response

Use cases in scope for design (please check or add to the list):
  [ ] Wired       [ ] Profiling
  [ ] Wireless    [ ] Posture Assessment
  [ ] VPN         [ ] TrustSec (SGT)
  [ ] BYOD        [ ] Guest Access
  [ ] pxGrid      [ ] 3rd party MDM
  [ ] MACSec      [ ] RADIUS Proxy
  Other Use Cases:

Endpoint count
Total endpoint count for the entire deployment (endpoint count equals the sum of user and non-user devices):
  o Total user endpoints (i.e. Windows PCs, mobile devices, guest devices) | User Endpoints:
  o Total non-user endpoints (including IP phones, wireless APs, printers, etc.) | Non-user Endpoints:

Concurrent endpoint count
Maximum number of concurrent endpoints expected:
  o Total concurrent user endpoints including guest devices | Concurrent User Endpoints:
  o Total mobile endpoints using 3rd party MDM with ISE | Concurrent endpoints with 3rd party MDM:
  o Total endpoints for posture assessment | Concurrent endpoints with posture assessment:
  o Total concurrent non-user endpoints (typically non-user endpoints are always connected) | Concurrent non-user endpoints:
Customer Network Overview
Physical Network Topology
Insert a high-level network diagram showing the proposed Identity Services Engine solution. This should include any
branch networks and data centers. Include the approximate number and types of endpoints per location. Include WAN
bandwidth information and show the placement of network access devices and supporting services such as Active Directory/LDAP, DNS servers, NTP
servers, wireless controllers, switches, and VPN concentrators.
Note: The maximum latency between the admin node and any other ISE node, including the secondary admin, MnT, and PSN, is
200ms. A WAN bandwidth calculator for ISE 1.2 deployments is available at
http://www.ciscosecurityatp.com/resourcelib.asp?id=108 (you may need to copy and paste the URL). This calculator can be used to find out how much bandwidth
needs to be reserved for ISE operation across WAN links.
Customer's Physical Network Topology
Topology Specifics
Question | Response

Network Access Devices
Provide the general switch/controller model numbers/platforms deployed and the Cisco IOS and AireOS software versions
to be deployed to support the ISE design.
Please see the ISE Component Compatibility Document for the recommended IOS and AireOS versions.
Please explain if you are not planning on deploying the versions listed in the ISE compatibility document.
Response:

EndPoint Types
What are the general client types deployed (please provide service pack details for Windows and OS versions for Mac OS X)?
Will 3rd party Mobile Device Management (MDM) be integrated with ISE? If already using 3rd party MDM, or planning to
use MDM, please note the vendor and version as well as a brief description of how it will integrate with ISE.
Please see the Cisco ISE MDM Partner Integration guide for supported MDM vendors and supported versions.
Are mobile devices corporate- or employee-owned assets?
Will user access policy be based on device type (for example, laptop versus iPad)? If so, will machine auth, profiling, or
static MAC assignments be used to distinguish device types?
Please note how many of the concurrent endpoints will utilize MDM information during authorization from ISE.
Note: For domain-joined Windows machines to function properly, machine authentication is recommended. Performing
user-only authentication may break critical functions such as machine GPO and other background services such as
backup and software push.
Note: State whether the customer is using machine or user authentication, or both. If both machine and user
authentication are planned, are Machine Access Restrictions (MAR) planned? If so, review the Appendix information on
MAR caveats.
For machine/user authentication details, please refer to 802.1X Authenticated Wired and Wireless Access.
Response:
  3rd party MDM Vendor:
  Windows Versions: Windows XP: | Windows Vista: | Windows 7: | Windows 8/8.1:
  Supplicant Type: Windows Native | AnyConnect NAM | 3rd Party supplicant:
  Other User EndPoint Types: Mac OSX: | iDevice: | Android: | Linux: | Other EndPoint Types:
  Non-User EndPoint Types: Wireless AP: | IP Phone: | Printer/Fax/Etc: | HVAC: | Medical: | SCADA: | Other:

ID Stores
[EAP and ID Store Compatibility Reference]
List the internal and external ID stores the customer will use for the different use cases.
Response (example):
  802.1X: AD
  MAB: Internal EndPoint + AD
  Web Authentication: Internal Guest + AD
  VPN: SecurID
  Guest Sponsors: AD
  Oracle Access Manager
  ISE GUI Admin: Certificate
Note: AD Sites & Services is recommended for ISE subnets in all forests.
For more information regarding multi-AD support, please refer to the ISE 1.3 Multi-AD how-to guide.
Web Authentication
Will WebAuth be used?
Will WebAuth be used for wired, wireless, or both?
Will Local Web Auth (LWA) or Central Web Auth (CWA) be used?
Where will the web portal be hosted?
Note: If deploying CWA, the portal must be hosted by ISE. If deploying LWA, the portal can be local to the access device
or external (such as ISE).
Will web auth be used for guest access? Will web auth be used for non-guests (for example, employees)?
Note: For more information on CWA and LWA support on different platforms, please refer to the ISE Component
Compatibility Document.
Authorization
Describe the enforcement types used. Consider the following options:
- VLANs
- ACLs (dACL for wired / named ACL for wireless)
- Security group tags/ACLs (SGTs/SGACLs)
dACL considerations:
- Cisco Catalyst switches support wire-rate access control lists (ACLs) using ternary content addressable memory
  (TCAM). If the TCAM is exhausted, packets may be forwarded via the CPU path, which can decrease performance for
  those packets. It is recommended to limit the number of Access Control Entries (ACEs) to prevent potential TCAM
  exhaustion.
- Using the IP Source Guard feature or QoS features may also affect TCAM utilization.
VLAN considerations:
- Consider the use case for why VLAN enforcement is used and estimate the number of VLANs required.
- To authorize an endpoint using dynamic VLANs (dVLANs), the access device must have that VLAN locally defined or
  else authorization will fail.
- To reduce the number of unique authorization policy rules, access devices should use consistent numbering, or
  case-sensitive naming if assigning dVLANs by VLAN name or VLAN group name.
- When using monitor mode of the phased deployment, VLAN assignment may leave endpoints with the wrong IP
  address:
  o Some endpoints, such as non-user devices, may not refresh their IP address after a VLAN change.
  o If devices are statically addressed, they may not be able to communicate on the assigned VLAN.
Posture
Which posture agents will be used? Consider: AnyConnect 4.0 posture agent for Windows or Mac, Web agent for Windows.
If persistent posture agents are deployed, how will they be provisioned? (e.g. through ISE, through another desktop
software/patch management solution, or via ASA)
In the Posture Policy section below, explain the posture policy by OS type, including remediation policies.
Note: For the latest AV/AS posture requirements, review the list of currently supported packages for Windows and Mac OS X.
web auth
Is Class-Based Policy Language (CPL) for the 3850 switch to be used?
Are Failed-Auth or Guest VLANs to be used?
Wireless Configuration
Describe the wireless configuration.
How many SSIDs does the deployment require?
Please provide the SSID security settings.
Is the wireless AP in FlexConnect mode or not?
For guest wireless access, is the WLC configured as an anchor controller?
Note: Dual SSID and CWA are only supported with WLC AireOS 7.2 and up. Please plan to use LWA if there is no plan to
upgrade to devices that support CWA and MAB.
Note: With AireOS 7.6 and up, DNS-based wireless ACLs are supported, which allow an admin to create an ACL giving
Android devices access to the Google Play Store.
Policy Details
List all security policies that are needed to implement the business requirements described above.
Authentication: For each use case (wired, wireless, VPN), describe the authentication policies that will be implemented
for all users and endpoints, whether managed or unmanaged.
Authorization: For each use case (wired, wireless, VPN), describe the authorization policies that will be implemented for
all users and endpoints, whether managed or unmanaged.
Guest Access: For each use case (wired or wireless), describe the guest access policy. Provide information on how guests
will access the network, including information on guest provisioning, sponsors, and whether custom guest portal pages
need to be created. Please fill in the details in the forms below for each scenario that applies to you. Put "no" if the
scenario does not apply to you.
Services | Wired (yes or no) | Wireless (yes or no)
Guest | |
Profiling: For each use case (wired or wireless), describe how the profile data will be collected by each probe required to
classify each device type to be profiled. For example, will SPAN or RSPAN be used to carry data from the network to the
Identity Services Engine? If so, what is the SPAN design? Will dedicated ISE interfaces be used? If the HTTP probe is used,
will SPAN or redirection be used to capture User-Agent attributes?
Note the number of events per second a platform can safely process, per the Platform Performance Spec table
below. For example, if iPad traffic is to be profiled by probing HTTP traffic for the User-Agent attribute, then the design
must ensure the Policy Service node is not inspecting more than 1200 HTTP events per second (3395 spec). Consider
profiling strategies that reduce the overall load on the Policy Service node, such as HTTP redirect at connect time to capture
the User-Agent attribute, or the use of IP Helper statements for DHCP capture rather than SPAN.
Example probe design:
Netflow | Port # traffic to Destination IP | Netflow export from Distribution 6500 switch to central Policy Service node
Posture: Describe posture policy requirements for endpoint compliance. This may include many areas such as asset
checking, application and services checking, and antivirus and antispyware checks, as well as customized checks for
specific use cases. Describe remediation plans and include remediation servers that need to be integrated into the design.
Client Provisioning: Describe Client Provisioning policy requirements for posture and native supplicant provisioning.
Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For instance, list here any information that was required
but not received from the customer. (E.g. My customer uses IE3000 series switches. Is this supported? The customer is
using a 3rd party NAD. The customer is currently using IPv6.)
High Availability
Discuss high availability considerations.
High availability for each persona and node should be part of the design to ensure that no single persona/appliance
failure results in total loss of a service. Please confirm the persona/node redundancy design and explain the reason if HA
is not planned for any component.
How will network access devices and ISE Policy Service nodes be configured for redundancy? Note: For wireless
deployments using LWA, only one URL can be defined for web authentication.
Please provide details on how load balancing will be used in this deployment, if it applies.
Migration
If migrating this deployment from ACS or ISE, provide details on the current deployment and how you are going to address
migration of licensing, existing policy, NAD configurations, etc.
Is this a migration for an existing Cisco Secure ACS, NAC Appliance, NAC Profiler, and/or NAC Guest Server
deployment? If so, please list the existing product SKUs purchased to determine full migration entitlement.
o For existing appliances supported by ISE, please indicate the quantity and type of each appliance model (for
  example, 1121, 3315, 3355, or 3395) to be migrated.
o For NAC Appliance license counts, please indicate the user license for each NAC Server (FO pairs count as one
  license).
o For NAC Profiler endpoint counts, please provide the endpoint license for dedicated Profiler Collectors, or the
  quantity and type (331x or 335x) of each CLT license.
o If this is a NAC Guest Server (NGS) migration, please note the differences between the guest access features of
  NGS and the Identity Services Engine Version 1.4 in the appendix section of this document.
o If this is an ACS migration, please note the differences between the features of ACS 5.4 and ISE 1.4 in the
  appendix section of this document (ACS 4.2 information is shown for comparison purposes; currently there is no
  direct migration path from ACS 4.2 to ISE 1.4).
o Describe the customer's PKI infrastructure and requirements.
Note: Cisco strongly recommends that a server certificate signed by an in-house CA or another 3rd party root CA be
used for ISE. A self-signed server certificate should not be used for a production deployment.
Deployment modes (please refer to the DIG in the Appendix for mode details):
o Will Monitor mode be enabled for a period of time on the 802.1X-enabled routers and switches?
o Will Authenticated or Enforcement mode (formerly known as Low Impact mode) be deployed?
o Will Closed Mode (formerly known as High Security mode) be deployed?
ISE Node details
The VM host should be sized comparably with the ISE appliance. See the platform hardware specs below for the CPU
specification of the various appliances. For example, if the performance characteristics required are similar to a 3495
appliance, then per the platform performance specs the VM should contain 32GB RAM and 8 CPUs equivalent to an Intel Xeon
CPU E5-2609 @ 2.4 GHz.
Note: Hard disks with 10K or higher RPM are required. Average IO read performance for the disk should be higher than
300MB/sec and IO write performance should be higher than 50MB/sec. VMotion is supported since ISE 1.3. Please make
sure to reserve the RAM and CPU cycles for any ISE node deployed as a VM.
Note: If the disk size needs to be changed, the node will need to be re-imaged from the ISO.
Note: The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or other
guest VMs on the host.
Example:
Hostname | Persona | IP Address | Type | CPU | RAM | Disk
ise1.example.com | Admin/MnT | 1.1.1.1 | VM | Intel Xeon E5-2609 @ 2.4 GHz x 8 Core | 32GB | 600GB
ise2.example.com | PSN | 2.2.2.2 | VM | Intel Xeon E5-2609 @ 2.4 GHz x 8 Core | 32GB | 300GB
Bill of Materials (BOM)
Insert as part of this document, or in a separate attachment, the list of equipment to be ordered for the Identity Services
Engine deployment that matches the design. If the Sales Order has already been placed, be sure to include the order details here.
Please include SmartNet/SAU or explain its omission (for example, included as part of another order or support agreement,
or a deliberate acknowledgement that support was refused).
If the HLD is part of an ACS/NAC migration, please include the appropriate migration SKUs. Use the information previously
entered regarding existing appliance, software, and license purchases on eligible products to determine migration
entitlement. For further details on migration entitlement and SKUs, please refer to the ISE Migration entitlement calculator
located on the partner portal page:
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html)
Note: Please only include information on products related to ISE.
Example BOM:
Line | Product | Qty | List Price | Contract | Discount | Unit Price | Extended Price
1 | L-ISE-BSE-3500= | 1 | | | | |
2 | L-ISE-ADV3Y-1500= | 1 | | | | |
3 | SNS-3495-K9 | 2 | | | | |
4 | CON-PSRT-SNS3495 | 2 | | 12345678 | | |
5 | SNS-3415-K9 | 2 | | | | |
6 | CON-PSRT-SNS3415 | 2 | | 12345678 | | |
7 | L-ISE-ADV-S-1K= | 1 | | | | |
8 | ISE-ADV-3YR-1K | 1 | | | | |
Note: The ISE BoM Tool is available to assist with creating a BoM. Please refer to the ISE BoM Tool located on the partner portal
page: (http://www.ciscosecurityatp.com/resourcelib.asp?id=123)
Note: Since ISE 1.2, the serial numbers of both Admin nodes can be added to the license to improve flexibility. For more
information please refer to the Cisco ISE License Application Note.
Appendix
ATP Partner Resource Center
Please visit Security Technologies ATP Partner Resource Center for additional ISE ATP resources (Login required).
Migration SKUs
Please consult the ISE Packaging and Licensing Guide for migration SKUs.
Migration Guide
The Cisco Identity Services Engine Licensing Guide located in the partner portal page
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html ) explains packaging and
licensing under the Authorized Technology Provider program for wired and VPN.
Cisco Secure Access and TrustSec Release 5.0
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/c96-731479-00-secure-access.pdf
Note regarding Performance Specifications
EOL has been announced for the 33x5 appliances; their figures are provided here only as a reference for migration customers. Deployments
on VMs should follow the platform specifications of the 3415 or 3495 appliances. For more information please refer to the EOL
announcement.
Platform Performance Specs for PSN when PAN and MnT deployed as separate node: Max Concurrent
Endpoints and Composite Authentications (Authentication values are approximate values)
When determining how many PSNs are needed for the deployment, please use Maximum Concurrent Endpoints as the
main guideline. Authentication performance for specific use cases is also provided in case it is required to size the
deployment.
Platform | Maximum Concurrent Endpoints | Posture Authentications | Guest CWA Authentications | BYOD Onboarding
Cisco Secure Network Server 3415 Appliance | 5,000 | 25 per second | 20 per second | 20 per second
Cisco Secure Network Server 3495 Appliance | 20,000 | 45 per second | 20 per second | 20 per second
Note: Posture Authentication is based on the full flow including CoA.
Platform Performance Specs: Authentications/Second with PSN-only persona (Approximate values)
Cisco Secure Network Server 3415 Appliance
  PAP: Int. 1100 | AD 800 | LDAP 1300
  PEAP (MSCHAPv2): Int. 200/350/450 | AD 200/350/450
  EAP-FAST (MSCHAPv2): Int. 350/15 | AD 300/15
  EAP-FAST (GTC): Int. 350 | AD 350 | LDAP 350
  EAP-TLS: Int. 100/400
  MAB: Int. 850 | LDAP 300
Cisco Secure Network Server 3495 Appliance
  PAP: Int. 2100 | AD 900 | LDAP 2400
  PEAP (MSCHAPv2): Int. 250/400/500 | AD 200/400/450
  EAP-FAST (MSCHAPv2): Int. 400/15 | AD 300/15
  EAP-FAST (GTC): Int. 400 | AD 350 | LDAP 400
  EAP-TLS: Int. 100/400
  MAB: Int. 1500 | LDAP 1650
Note: For PEAP (MSCHAPv2), the numbers are w/o session resume, w/ session resume, w/ fast reconnect.
Note: For EAP-FAST (MSCHAPv2), the numbers are authentication, PAC provisioning.
Note: For EAP-TLS, the numbers are w/o session resume, w/ session resume.
System Scale (Per Identity Services Engine deployment)
Maximum number of concurrent endpoints with Administration, Monitoring, and Policy Service all on a single node | 5,000 for 3415; 10,000 for 3495
Maximum number of Policy Service nodes with separate Administration, Monitoring, and Policy Service nodes | 40 for 3495 as PAN
Maximum number of Policy Service nodes with Administration and Monitoring on a single node | 5
MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled)
Concurrent Endpoints | MnT Disk Size 200 GB | 400 GB | 600 GB | 1024 GB | 2048 GB
10,000 | 126 | 252 | 378 | 645 | 1,289
20,000 | 63 | 126 | 189 | 323 | 645
30,000 | 42 | 84 | 126 | 215 | 430
40,000 | 32 | 63 | 95 | 162 | 323
50,000 | 26 | 51 | 76 | 129 | 258
100,000 | 13 | 26 | 38 | 65 | 129
150,000 | 9 | 17 | 26 | 43 | 86
200,000 | 7 | 13 | 19 | 33 | 65
250,000 | 6 | 11 | 16 | 26 | 52
Note: The above values are based on controlled criteria including message size, re-authentication interval, etc., and results may vary
depending on the environment.
Latency and bandwidth requirement among ISE nodes
The maximum latency between the admin node and any other ISE node, including the secondary admin, MnT, and PSN, is 200ms. A WAN
bandwidth calculator for ISE 1.2 deployments is available at http://www.ciscosecurityatp.com/resourcelib.asp?id=108 (you may need to
copy and paste the URL). This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across
WAN links.
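The sizing rules in this appendix (maximum concurrent endpoints per PSN, the per-deployment PSN limits in the System Scale table, the MnT retention table, and the 200 ms node latency bound) can be applied together as one check when reviewing an HLD. The following Python script is an added example written for this page; it is not a Cisco tool. Its figures are copied from the tables above, the N+1 PSN allowance follows the High Availability section's requirement that no single node failure take down a service, and the function names and the conservative rounding (endpoint count rounded up to the next table tier, disk size rounded down to the nearest listed size) are this example's own assumptions.

```python
"""Added HLD sizing check (not a Cisco tool). Figures are copied from the
ISE 1.4 HLD appendix tables; function names and rounding rules are this
example's own assumptions."""
import math

# Maximum concurrent endpoints per PSN when PAN and MnT are separate nodes.
PSN_MAX_CONCURRENT = {"3415": 5_000, "3495": 20_000}

# Maximum concurrent endpoints when Admin, MnT and Policy Service share one node.
SINGLE_NODE_MAX_CONCURRENT = {"3415": 5_000, "3495": 10_000}

# Maximum PSN count per deployment (System Scale section).
MAX_PSN_SEPARATE_PAN_MNT = 40   # separate PAN and MnT nodes, 3495 as PAN
MAX_PSN_COLOCATED_PAN_MNT = 5   # PAN and MnT on a single node

# Maximum latency between the admin node and any other ISE node.
MAX_NODE_LATENCY_MS = 200

# MnT log retention in days, by concurrent-endpoint tier and MnT disk size (GB).
MNT_DISK_SIZES_GB = (200, 400, 600, 1024, 2048)
MNT_RETENTION_DAYS = {
    10_000: (126, 252, 378, 645, 1289),
    20_000: (63, 126, 189, 323, 645),
    30_000: (42, 84, 126, 215, 430),
    40_000: (32, 63, 95, 162, 323),
    50_000: (26, 51, 76, 129, 258),
    100_000: (13, 26, 38, 65, 129),
    150_000: (9, 17, 26, 43, 86),
    200_000: (7, 13, 19, 33, 65),
    250_000: (6, 11, 16, 26, 52),
}


def mnt_retention_days(concurrent_endpoints, mnt_disk_gb):
    """Conservative lookup: endpoints round up to the next table tier and the
    disk rounds down to the nearest listed size. Returns None outside the table."""
    tiers = [t for t in sorted(MNT_RETENTION_DAYS) if t >= concurrent_endpoints]
    sizes = [s for s in MNT_DISK_SIZES_GB if s <= mnt_disk_gb]
    if not tiers or not sizes:
        return None
    return MNT_RETENTION_DAYS[tiers[0]][MNT_DISK_SIZES_GB.index(sizes[-1])]


def single_node_ok(concurrent_endpoints, platform):
    """True if Admin, MnT and PSN can all share one node at this endpoint count."""
    return concurrent_endpoints <= SINGLE_NODE_MAX_CONCURRENT[platform]


def size_deployment(concurrent_endpoints, psn_platform, mnt_disk_gb,
                    max_node_latency_ms, colocated_pan_mnt=False, n_plus_one=True):
    """Compute the PSN count and check it, the MnT disk and the WAN latency
    against the limits in the HLD appendix. Returns a dict with findings."""
    if psn_platform not in PSN_MAX_CONCURRENT:
        raise ValueError(f"unknown PSN platform {psn_platform!r}")
    psns = math.ceil(concurrent_endpoints / PSN_MAX_CONCURRENT[psn_platform])
    if n_plus_one:
        psns += 1  # HA section: one spare PSN so a single failure loses no service
    psn_limit = MAX_PSN_COLOCATED_PAN_MNT if colocated_pan_mnt else MAX_PSN_SEPARATE_PAN_MNT
    retention = mnt_retention_days(concurrent_endpoints, mnt_disk_gb)

    findings = []
    if psns > psn_limit:
        findings.append(f"{psns} PSNs exceeds the limit of {psn_limit} for this PAN/MnT layout")
    if retention is None:
        findings.append("endpoint count or MnT disk size is outside the retention table")
    if max_node_latency_ms > MAX_NODE_LATENCY_MS:
        findings.append(f"{max_node_latency_ms} ms exceeds the {MAX_NODE_LATENCY_MS} ms node latency maximum")
    return {
        "psn_count": psns,
        "psn_limit": psn_limit,
        "retention_days": retention,
        "findings": findings,
        "ok": not findings,
    }


if __name__ == "__main__":
    # Constructed input: 30,000 concurrent endpoints on 3495 PSNs, a 600 GB MnT
    # disk, separate PAN/MnT nodes and 150 ms worst-case WAN latency.
    print(size_deployment(30_000, "3495", 600, max_node_latency_ms=150))
```

The constructed 30,000-endpoint case yields three 3495 PSNs (two for capacity plus one spare) and 126 days of MnT retention on 600 GB; the same script flags a design that tries to run 25 PSNs behind a co-located PAN/MnT, or one with 250 ms of node latency, so the HLD reviewer sees the limit that is broken rather than a bare pass/fail.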
| Feature | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Ability to reinstate accounts | Can you grant permission to sponsors to reinstate suspended guest accounts? | X |
| Ability to purge accounts | Can the guest user accounts be purged from the database? | X |
| Bulk Creation by text | Does the system allow multiple accounts to be created at the same time by entering the details into a text form? | X / X |
| Bulk Creation by csv import | Does the system allow multiple accounts to be created at the same time by importing a csv file? | X / X |
| Bulk Create random accounts | Does the system allow multiple accounts to be created with no user details needing to be entered, and the username/password being randomly generated? | X / X |

| Guest Account Policies | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Guest Username Policy | Can you control how the guest username is automatically created? | X / X |
| Guest Password Policy | Can you control how the password is configured, requiring a minimum number of alpha, numeric and special characters? | X / X |
| Guest Password Change | Can you allow/require guests to change their password after logging in? | X / X |
| Guest Details Policy | Specify which details about the guest must be recorded, including first name, last name, email, company, phone number. | X / X |
| Custom Guest Details | Request additional custom defined fields about the guest | 5 fields / X |
| Guest Roles | Can you assign different roles to different guests? | X / X |
| Restrict Login by Location | Only allow accounts created with a guest role the ability to log in from pre-defined locations | X / X |
| Set QoS per role | Set QoS parameters by guest role | X / X |
| Set ACL per role | Set a different ACL on each guest based upon the role they have been assigned | X / X |
| Set VLAN per role | Set a different VLAN on each guest based upon the role they have been assigned | X / X |
| Set SGT per role | Set a different SGT on each guest based upon the role they have been assigned | X |
| CoA | Can guest access be changed based on contextual awareness and endpoint state? | X |

| Account Types | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Start/End | Create accounts by specifying the time the account starts and ends | X / X |
| Duration | Create accounts by specifying the time the account can last from now | X / X |
| From First Login | Accounts which are valid for X minutes from the first time the guest logs in | X / Removed since 1.3 |
| Usage Based | Accounts which are valid for X minutes within a Y minute period from first login | X |

| Guest Portal | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Self Registration | Does the system support self-registration by guests? | X / X |
| Device Registration | Does the system support registration of devices? | X |
| Device Self Registration | Does the system support self-registration of devices by guests? | X |
| Guest Password Change | Allow guests to change their password based upon policy? | X / X |
| Customizable guest portal | Can the guest web pages be fully customized? | X / X |
| Acceptable Use Policy | Can an Acceptable Use Policy be enforced so that guests must agree before being allowed access? | X / X |

| Notification | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Print Out | Will the system create a printout of the guest details? | X / X |
| Email | Will the system email guest details to the guest's email address? | X / X |
| SMS | Will the system SMS guest details to the guest's mobile phone? | X / X |
| Details emailed to sponsor | Can the sponsor receive a copy of the account by email? | X / X |

| Interface Customization | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Company Logo | Can the sponsor interface be customized with a company logo? | X / X |
| Multiple Languages | Can the sponsor interface support multiple languages? | X / X |
| Notification Customization | Can the email/SMS/print outs be customized? | X / X |

| Reporting | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Sponsor Audit Trail | Keep a full audit trail of each operation made to an account by all sponsors. | X / X |
| Guest Accounting | Report on guest login/logout times, MAC address and IP address used. | X / X |
| Guest Activity Reporting | Supports the ability to report on guests' network activity such as URLs visited, connections made, etc. Needs an external device such as an ASA or proxy to send the information via syslog to the box. | X / X |
| Management Reports | | X / X |
| CSV Export | Provide the ability for any report to be exported in CSV format. | X / X |

| Billing Support | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Credit Card Billing Support | Supports guests purchasing accounts and billing against a Payment Gateway | X |
| Pre-pay Support | Allows accounts to be randomly created upfront that become valid at first login | X |

| Other | Description | NGS 2.0 / ISE 1.4 |
| --- | --- | --- |
| Application Programming Interface | Does the system have an API that can be used to perform all sponsor operations? | X / X |
| Posture Services for guest users | Can the guest user's host device be posture assessed and access policy granted based on compliance with security policy? | X |
| Profiling Services for guest users | Can the guest user's host device be profiled and access policy granted based on the type of device the guest uses to access the network? | X |
| Identity Stores | ACS 4.2 / ACS 5.4 / ISE 1.4 |
| --- | --- |
| Internal User & Host Database | X / X / X |
| Windows Active Directory | X / X / X |
| LDAP | X / X / X |
| RSA SecurID | X / X / X |
| RADIUS token server | X / X / X |
| ODBC | X |
| AD Server specification per ACS/ISE instance | X / X |
| LDAP Server specification per ACS/ISE instance | X |
| Ability to retrieve an internal user's password from an external ID store | X / X |

| Internal Users / Administrators | ACS 4.2 / ACS 5.4 / ISE 1.4 |
| --- | --- |
| Users: Password complexity | X / X / X |
| Users: Static IP Address Assignment | X / X / X |
| Users: Password aging | X / X (Warning and disable after defined interval. Grace period is not supported) / X |
| Users: Password history | X / X / X |
| Users: Max failed attempts | X / X / X |
| Users: User expiration after a number of days | X / X |
| Users: Password inactivity | X / X |
| Users: User change password (UCP) utility | X / X / Limited (If the internal users are authorized as sponsors, then they may update passwords at the sponsor portal) |
| Admin: Password complexity | X / X / X |
| Admin: Password aging | X / X / X |
| Admin: Password history | X / X / X |
| Admin: Max failed attempts | X / X / X |
| Admin: Password inactivity | X / X / X |
| Admin: entitlement report | X / X / X |
| Admin: session and access restrictions | X / X / X |

| Miscellaneous | ACS 4.2 / ACS 5.4 / ISE 1.4 |
| --- | --- |
| Network Access Restrictions (NARs) | X / X |
| RDBMS sync | X |
| Command line / scripting interface (CSUtil) | X / X (CLI interface is supported for bulk provisioning) |
| Integration with CiscoWorks for admin RBAC | X |
| Log Viewing and reports | X / X / X |
| Export logs via SYSLOG | X / X / X |
| Time based permissions | X / X / X |
| Configurable management HTTPS certificate | X / X / X |
| CRL: Multiple URL definition | X |
| CRL: LDAP based definition | X / X |
| Online Certificate Status Protocol (OCSP) | X / X / X |
| Comparison of any two attributes in authorization policies | X / X / X |
| Configurable RADIUS ports | X |
| Programmatic Interface for users, groups and end-point CRUD operations | X / X / X |
| Multiple NIC interfaces | X / X |
| Secure Syslogs | X |

| Miscellaneous (continued) | ACS 4.2 / ACS 5.4 / ISE 1.4 |
| --- | --- |
| EAP-TLS Certificate lookup in LDAP | X / X / X |
| EAP-TLS Certificate lookup in Active Directory | X / X / X |
| Maximum concurrent sessions per user/group | X / X |
| Log to external DB (via ODBC) | X / X (Data can be exported from M&T for reporting. Not supported as log target) |
| Programmatic Interface for network device CRUD operations | X / X |
| Wildcards for hosts | X / X / X (With Authorization policy condition or profiling) |
| Configure devices with IP address ranges | X / X |
| Lookup Network Device by IP address | X / X / X (Not in combination with other fields) |
| Dial-in Attribute Support | X / X |
| Support comparison of any two attributes in policies | X / X / X |
| Display RSA de missing secret | X / X |
| Starts with / Ends with / Contains / Contains Any policy operators | X / X / X |
| Nested compound conditions with both AND and OR operators | X / X / X |