Today’s enterprise network is rapidly changing, especially when it comes to employee mobility. Employees are no longer tethered to desktop workstations, but instead access enterprise resources via a variety of devices: tablets, smartphones, and personal laptops, just to name a few. Being able to access resources from anywhere greatly increases productivity, but it also increases the probability of data breaches and security threats because you may not control the security posture of devices accessing the network. Keeping track of all devices accessing the network is a huge task in itself, and as the need for more access arises, the more unsustainable it becomes to manage.
The Cisco Identity Services Engine (ISE) is an identity-based network access control and policy enforcement system. ISE allows a network administrator to centrally control access policies for wired and wireless endpoints based on information gathered via RADIUS messages passed between the device and the ISE node, also known as profiling. The profiling database is updated on a regular basis to keep up with the latest and greatest devices so there are no gaps in device visibility.
Essentially, ISE attaches an identity to a device based on user, function, or other attributes to provide policy enforcement and security compliance before the device is authorized to access the network. Based on the results from a variety of variables, an endpoint can be allowed onto the network with a specific set of access rules applied to the interface it is connected to, else it can be completely denied or given guest access based on your specific company guidelines.
Let’s analogize LOTR-style for clarification: ISE is Gandalf, and the end-user device is the pursuing Balrog. I think you know where this is going.
ISE an automated policy enforcement engine that takes care of the mundane day-to-day tasks like BYOD device onboarding, guest onboarding, switchport VLAN changes for end-users, access list management, and many others, so a network administrator can focus on other important tasks (and cool projects!).
The ISE platform is typically a distributed deployment of nodes made up of three different personas: Policy Administration Node (PAN), Monitoring and Troubleshooting Node (MnT), and Policy Services Node (PSN). All three roles are required for ISE to function.
The PAN persona is the interface an administrator logs into in order to configure policies. It is the control center of the deployment. This node allows an administrator to make changes to the entire ISE topology, and those changes are pushed out from the admin node to the Policy Services Nodes (PSN).
The PSN persona is where policy decisions are made. These are the nodes where network enforcement devices send all network messaging to; RADIUS messaging is an example of what is sent to the PSNs. The messages are processed and the PSN gives the go/no-go for access to the network.
The MnT persona is where logging occurs and reports are generated. All logs are sent to this node and it sorts through them so it can assemble them in a legible format. It is also used to generate various reports so you can make management happy with pretty pictures and numbers (*wink wink*) as well as notify you of any alarms for ISE.
Now that you know what each persona does, let’s take a look at how everything fits together as a complete system. The diagram shows a logical representation of ISE, because the personas may be distributed across many different appliances. Familiarize yourself with the figure below, and I will explain what each piece is doing:
The figure above is from the . If you’re considering deploying ISE, I really recommend reading all before you plan your implementation.
This is definitely a complex beast with a lot of moving parts, but as long as you keep the fundamentals in mind and break it down into different parts, it’s not too tough to implement and troubleshoot. The most time-consuming part of a deployment is figuring out your policies for authorization. Once you have standard policies across the board, enforcing those policies is a breeze with ISE. I will go into policies in my next post, but let’s move onto the last topic for the overview: Deployment Topologies and Licensing.
What I’m about to say here is probably the most important part of a deployment: DO NOT TRY TO SAVE MONEY BY GIVING UP HIGH AVAILABILITY! These nodes control access to your entire network. If these nodes go down, you might as well have a total network failure because nobody will get authenticated or authorized. Design ISE with as much high availability as you can afford. The only time a standalone deployment is acceptable is if you are doing a very small proof-of-concept which does not effect production end-users.
The other important part of a deployment is the hardware chosen to implement ISE on. Now, Cisco does offer an ESX/ESXi option, however, I don’t recommend that for a few reasons. First and foremost, the appliance option is tested and rated to scale to a certain number of endpoints. If you use the ESX/ESXi option, you are losing a little bit of that predictability. I said it before and I will say it again, these nodes control access to your entire network, so if you have unpredictable performance, then you will have unpredictable issues. The other thing I don’t like about an ESX/ESXi option is troubleshooting. If you do have an issue with ISE, you really want it resolved quickly. If you’re using the VM deployment and something goes wrong, you have to open tickets with Cisco, your server manufacturer, VMWare, and anything else that may be tied to your deployment. That’s not incredibly efficient, and you’re likely to run into a lot of vendor finger-pointing before you finally get the issue