In my earlier post about the Cisco 300-208 SISAS (Implementing Cisco Secure Access Solutions) exam, I gave a brief overview of the exam and listed the exam topics as laid out by the Cisco Learning Community. However, I felt that these largely boil down to a few key concepts related to Cisco ISE (Identity Services Engine):

  1. Understand what ISE is.
  2. Understand why you might use ISE in a wired or wireless network.
  3. Understand what ISE does at a protocol level.
  4. Understand how ISE interacts with Network Access Devices and other systems.
  5. Understand how to configure ISE and the Network Access Devices.

This post will deal with Concept 1, Understand what Cisco ISE is.

A Little History

Before you can understand what ISE is, I feel that you need to know where it came from. Cisco’s NAC (Network Access Control) offerings have been fairly scattershot over the years. They even tried unsuccessfully to market a contrary meaning of NAC for several years, attempting to sell their services as Network Admission Control. Thankfully, they’ve given in and joined the rest of us in Network Access Control land.

Cisco ACS (Access Control Server) was the direct predecessor to ISE and still exists today. It provides RADIUS and TACACS services and can integrate with central Identity Stores such as Active Directory or other LDAP-speaking directories. This means that you would often find ACS in an enterprise network serving to authenticate VPN and wireless users or to control administrative access to network devices. Over time ACS evolved, as most Cisco applications have, from something you installed on top of Windows to a full-blown Linux-based appliance (as of ACS 5.0 in 2009). The common “appliance” model in use today means that, without a little (non-Cisco-approved) tinkering, you don’t have access to the Linux guts of Cisco ACS, or ISE for that matter; you’re simply presented with an application.

At the same time that ACS was growing and advancing in capabilities, BYOD burst onto the market and a new market grew up around servers and services to manage and administer user Identity on the network. Cisco saw an opportunity to forklift the capabilities of ACS into a new product targeted directly at the “new” Identity Management market, not just traditional “access control”. They took the underlying operating system from ACS, a RHEL/CentOS-based distribution that they call ADE-OS (Application Deployment Engine), and added a few new capabilities and features to the application. This creation is what we know today as Cisco ISE. Essentially, you can think of ISE as ACS version 6.0.

The only thing left out of ISE (until the recent release of Cisco ISE v2.0) was TACACS, as it was intended that you still purchase ACS to control network device administrative access. For the 300-208 SISAS exam today, you can consider TACACS to be out-of-scope for ISE, and to be the sole purview of ACS, although you still have to understand TACACS for the exam.

What Is Identity Management?

A full discussion of what Identity and Identity Management are could take up many pages and posts (see Wikipedia); however, for the 300-208 SISAS exam it can be summed up by this passage from the Official Cert Guide:

An identity is a representation of who a user or device is. Cisco ISE uses an endpoint’s MAC address to uniquely identify that endpoint. A username is one method of uniquely identifying an end user. Although SSIDs and IP addresses can be used as conditions or attributes in ISE policies, they are not identities.

Woland, Aaron; Redmon, Kevin (2015-04-27). CCNP Security SISAS 300-208 Official Cert Guide (Certification Guide) (Kindle Locations 13023-13026). Cisco Press. Kindle Edition.

An Identity Management system can then be defined as a way to keep track of Identity information for many users or devices, as well as the associated Authentication and Authorization information for those entities. This is precisely what Cisco ISE is and does. It provides all manner of services related to managing who users and devices are and what network resources they may access. Cisco ISE does not directly stop an entity from accessing a portion of the network (there are sometimes Inline Policy Nodes, but they are not common). The Network Access Devices themselves handle the heavy lifting of granting or denying access by utilizing IEEE 802.1X, which I will discuss in a subsequent post. ISE simply provides a centralized location to set policy and gather reporting, and then interacts with the NAD via RADIUS.
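To make the division of labour concrete, here is an added toy model (not from this post or from Cisco) of the exchange just described: the NAD forwards a RADIUS request, the policy server derives the identity only from User-Name or the endpoint MAC in Calling-Station-Id, treats SSID and IP purely as conditions, and the NAD enforces whatever the server decides. The attribute names are standard RADIUS attributes; the groups, VLAN numbers, sample requests and the assumed `<AP-MAC>:<SSID>` layout of Called-Station-Id are constructed for illustration.

```python
# Added example: toy model of the ISE / NAD split. Attribute names are standard
# RADIUS attributes; the policy rules and sample data are constructed, not Cisco's.

def extract_identity(attrs):
    """Identity is the user (User-Name) or the endpoint (Calling-Station-Id MAC).
    SSID (inside Called-Station-Id) and Framed-IP-Address never count as identity."""
    if attrs.get("User-Name"):
        return ("user", attrs["User-Name"].lower())
    if attrs.get("Calling-Station-Id"):
        return ("endpoint", attrs["Calling-Station-Id"].lower().replace("-", ":"))
    return None

# Constructed identity store: who a user or endpoint is, and which group it belongs to.
USER_GROUPS = {"alice": "employees", "bob": "contractors"}
KNOWN_ENDPOINTS = {"00:11:22:33:44:55": "printers"}
GROUP_VLAN = {"employees": "10", "contractors": "20", "printers": "30"}

def policy_server(attrs):
    """Play the ISE role: authenticate the identity, evaluate conditions,
    and return a RADIUS reply code plus authorization attributes."""
    ident = extract_identity(attrs)
    if ident is None:
        return ("Access-Reject", {})
    kind, value = ident
    group = USER_GROUPS.get(value) if kind == "user" else KNOWN_ENDPOINTS.get(value)
    if group is None:
        return ("Access-Reject", {})
    # Condition, not identity: assumed Called-Station-Id layout "<AP-MAC>:<SSID>".
    ssid = attrs.get("Called-Station-Id", "").split(":")[-1]
    if group == "contractors" and ssid != "Guest":
        return ("Access-Reject", {})  # contractors may only use the Guest SSID
    return ("Access-Accept", {"Tunnel-Type": "VLAN",
                              "Tunnel-Medium-Type": "IEEE-802",
                              "Tunnel-Private-Group-ID": GROUP_VLAN[group]})

def nad_enforce(attrs):
    """Play the NAD role: it does the actual granting/denying on the port,
    based solely on what the policy server returned."""
    code, reply = policy_server(attrs)
    if code == "Access-Accept":
        return {"port": "authorized", "vlan": reply["Tunnel-Private-Group-ID"]}
    return {"port": "unauthorized", "vlan": None}

# Constructed sample requests as a NAD would send them.
ALICE_CORP = {"User-Name": "Alice", "Calling-Station-Id": "AA-BB-CC-DD-EE-01",
              "Called-Station-Id": "00-1A-2B-3C-4D-5E:Corp", "Framed-IP-Address": "10.1.1.5"}
BOB_CORP = {"User-Name": "bob", "Called-Station-Id": "00-1A-2B-3C-4D-5E:Corp"}
BOB_GUEST = {"User-Name": "bob", "Called-Station-Id": "00-1A-2B-3C-4D-5E:Guest"}
PRINTER_MAB = {"Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.1.3.9"}
```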

In the next post, I will delve into Concept 2, the Whys surrounding Cisco ISE, as well as give a few example use cases.