Cisco Identity Services Engine (ISE): NAC Product Review

Agents

Cisco ISE can provision an agent on Mac and Windows devices. Alternatively, a temporal web agent deploys as a temporary agent via ActiveX or Java. Additional agents for other Cisco tools such as AnyConnect may also need to be deployed to enable all ISE features.

Applicable Metric

Cisco notes scalability limits for ISE up to:

• 1,000,000 internal guests (but latency delays for authentication may occur beyond 500,000 guests)
• 1,000,000 user certificates
• 1,000 server certificates
• 1,000 trusted certificates
• 2.0 million active endpoints
• 1,000 user identity or endpoint identity groups

Security Qualifications

Cisco has obtained government certification for ISE related to FIPS 140 2 validated cryptographics, Common Criteria certification, and inclusion in the Unified Capabilities approved list.

Features

• Strong guest account options:
  • Hotspot: non credentialed access
  • Self-Registration: guest enters info, can require approval
  • Sponsored Guest: authorized creation of account and share credentials
• Secure wireless connection options: 
  • Passive Identity session (using Active Directory (AD) domain logins, etc.)
  • MAC Address bypass (MAB)
  • 802.1x
  • Assign user to a virtual local area network (VLAN)
  • Discretionary access control list (DACL)
  • Downloadable agents: layer 2 port Access Control (ACL), Security Group Tags (SGT), or Security Group Access Control List (SGACL).
• Asset visibility options:
  • Basic: match endpoint network attributes to known profiles to categorize endpoints and enforce policies based on asset profile
  • Advanced: Artificial Intelligence (AI) enhanced Deep Packet Inspection (DPI) of network traffic between the device and other network assets
• Device compliance analysis: 
  • Deploy a persistent or temporal agent to analyze the device for compliance with patching, antivirus, etc.
  • Variable access can be applied based on level of compliance
  • Can use ISE Posture Engine or integrate with existing Mobile Device Management (MDM) or Enterprise Mobility Management (EMM)
•  Automated BYOD onboarding: enables bring-your-own-device (BYOD) connections to be automated using built-in certificate authority (CA), BYOD registration, and integration with MDM or EMM
• Rapid threat containment: 
  • Changes account privileges in the event of suspicious activity, detected vulnerabilities, or known threats 
  • Automatically or manually moves devices to sandboxes, remediation domain, or denies complete access
• Network segmentation controller simplifies the management of switch, router, wireless and firewall rules to reduce costs and the time to implement changes significantly over traditional segmentation 
• Security ecosystem integration with compatible next generation firewalls (NGFWs), threat feeds, threat intelligence platforms, and other third party systems permits two-way enhancement of the security stack
• Network equipment administration enables the onboard of network devices (routers, switches, firewalls) and remote administration of configurations through ISE 
• Comprehensive contextual identity built through network devices and attributes such as user, time, location, threat, vulnerability, access type and business role
• Maintains detailed attribute history of all endpoints that connect to the network as well as users (including guests, employees and contractors). down to endpoint application details and firewall status
• Cisco TrustSec Security Group Tags (SGT) allow organizations to base access control on business rules and not IP addresses or network hierarchy, giving users and endpoints access on a least privilege basis as resources move across domains
• Government certified FIPS 140-2, Common Criteria type, Unified Capabilities approved list

Pros

• Consolidated and centralized network control in a single solution for both users and networking devices
• Enables zero trust principles with software defined networks, segmentation, and granular access control
• Inherent compliance from NAC policy enforcement and access reports
• Reduced IT workload through self-service on-boarding
• Enables remote connections such as VPN or software defined wide area networks (SD-WAN) through Cisco AnyConnect (additional licenses required)
• Enables compliance through user access controls and specific guides for PCI and HIPAA Compliance processes

Cons

• Licensing can be confusing and expensive
• Some users complain of non-intuitive and complex user interfaces
• ISE can be resource demanding and can require dedicated resources
• Users note that sometimes software upgrades can be buggy or unreliable
• Some customers complain of poor integration with non-Cisco products

Intelligence

Adaptive intelligence engines, automation for detection and response, and machine learning are used as part of related Cisco tools (Endpoint Analytics, DNA Center, etc.) that can be integrated with Cisco ISE, but not directly included with the Cisco ISE product.

Delivery

Cisco provides options for dedicated physical servers and virtual machines to host and manage ISE. ISE Virtual appliances are supported on the following on-premise and cloud virtual environments:

• Amazon Web Services
• KVM on Red Hat 7.x
• Nutanix AHV
• Microsoft Hyper-V on Microsoft Windows Server 2012R2 and later
• VMware Cloud
• VMware ESXi 6.5, 6.7 and 7.x

Pricing

Cisco ISE activates automatically as a 90-day trial period which will only support up to 100 concurrent endpoints. Upon upgrade, the license defaults to a traditional, perpetual license. The ISE Base License is perpetual; however, the Plus, Apex, Mobility, and Mobility Upgrade components may only be licensed on 1, 3, or 5 year subscriptions. Cisco also offers Smart Licensing through a centralized Cisco Smart Software Manager (CSSM) database as well as negotiated enterprise agreements.

Deployment of ISE requires an appliance plus software licenses plus service contracts (for technical or advisory services). Cisco offers virtual appliances, cloud-native ISE, and specially configured Cisco Secure Network Servers configured for physical ISE appliance deployment. Cisco Capital also can provide flexible payment options to ensure predictable payments.

Cisco’s secure network servers come in three basic sizes:

• Small (starting above $13,000) SNS-3715
  • 12 cores and 24 threads
  • 23 GB RAM
  • Dedicated policy service node (PSN) supports 25,000 users
  • Shared PSN supports 12,500 users
• Medium (starting above $30,000) SNS-3755
  • 20 cores and 40 threads
  • 96 GB RAM
  • Dedicated PSN supports 50,000 users
  • Shared PSN supports 25,000 users
• Large (starting above $58,000) SNS-3795
  • 20 cores and 40 threads
  • 256 GB RAM
  • Dedicated PSN secures 100,000 users
  • Shared PSN supports 50,000 users
• Virtual machine (VM) licenses are estimated to be under $2,000 for electronic delivery of a single license, but expect bundles to be available for multiple licenses

Spare components and other customizations may be purchased separately. The appliances must be loaded with ISE software and Cisco offers several different ISE licenses:

• ISE Essentials required for: Guest accounts, secure wireless access, and basic asset visibility
• ISE Advantage required for SGT or SGACL secure wireless access, advanced asset visibility, automated BYOD onboarding, rapid threat containment, network segmentation, and security ecosystem integration
• ISE Premier required for device compliance analysis
• Device Admin license required for the administration of network devices (licensed per policy service node (PSN)
• Cisco DNA Center: Required for Cisco advanced asset visibility

Additional licenses may be required to connect with other Cisco products (AnyConnect, AnyConnect Stealth, pxGrid, etc.). Cisco ISE offers cloud-native options that can be licensed directly through Cisco resale channels or purchased through Amazon Web Services (AWS), Microsoft’s Azure marketplace, or Oracle Cloud Infrastructure (OCI).

Cisco licenses may be purchased through their extensive reseller network and Cisco does not publish pricing, so interested parties should contact reseller partners for more information. Technical support, volume discounts, and other incentives may be available depending upon the partner.

Bottom Line: Great for Enterprise Networks

NAC provides a fundamental control for network access and should be adopted by a broad range of organizations. Many large enterprises already rely upon Cisco networking devices and other products and adopting ISE as a NAC solution may be a natural fit.

Adopting ISE for a Cisco-dominated network ensures compatibility and integration with other Cisco devices that can accelerate installation and adoption. Organizations using Cisco-competitors or with smaller budgets should still consider a NAC solution, but will need to more carefully examine the licensing costs and integrations to verify their return on a Cisco ISE investment.

This article was originally written by Drew Robb on July 7, 2017, and updated by Chad Kime on March 31, 2023.