Cisco ISE: Secure Network Access in Dynamic Environments

By - June 22, 2015

RSM has been implementing Cisco's Identity Services Engine (ISE) for clients since Cisco released it a few years ago. Although it is not a well-known solution, it is a great fit for businesses trying to secure network access, and it is often preferred for its flexibility: wired, wireless, VPN, BYOD, or guest access, ISE can secure them all.

From a client focused on providing guest wireless across its campus to a financial institution securing the wired ports throughout its branches, Cisco ISE is flexible enough to work in most environments. The web graphical user interface (GUI) makes configuration user friendly and easy to learn. As financial and health institutions demand that unused ports be secured and that they be able to monitor the whole network, ISE steps to the front. Cisco ISE can integrate with a variety of products, including Cisco Prime, Nessus Vulnerability Scanner, and AirWatch, for a deep view of what is connected to your network.

Designed to defend the network from unauthorized wireless, wired or mobile access, ISE is able to leverage existing network infrastructure and user accounts to control corporate user and guest access. ISE has the ability to integrate with multiple AD, LDAP, RADIUS, or RSA token servers to authenticate users. Authentication is based on IEEE 802.1X and support is built into major OSs including Windows, iOS, Linux and Android. Flexible authentication allows for combinations of servers to be queried based on access method.

ISE can be deployed quickly as a dedicated appliance or a virtual machine. Simplified management through an intuitive web GUI eases the administrative burden. The ability to reuse objects, ACLs, and policies lowers maintenance time and costs. Dynamic change of authorization allows unused ports to be secured while waiting for an authorized user to connect, simultaneously lifting a major administrative burden and closing a large security gap.

Guest wireless management is simplified for IT staff through the sponsored guest portal. The guest sponsor portal allows approved users to create guest accounts. Approved users can register time-limited guest accounts, removing the burden from IT staff. Account details can be printed, emailed, or sent via SMS to guests.

Computer posture assessment, performed through an installed agent or a temporary web agent, verifies that computers meet minimum security requirements before network access is granted. Posture is based on a variety of factors, including AV installation and definitions, Windows update level, or file/registry verification. Remediation policies and servers can automatically repair issues for users before granting access. Users that are non-compliant for an extended period can be limited or blocked from network access.

Prebuilt device profiles and MAC authentication bypass facilitate secure access for devices like printers, phones, and card swipes that do not support 802.1X. Profiles are built by gathering device information from a variety of sources and comparing it against a Cisco-provided database. Profiles can be customized by the administrator and are regularly updated through a Cisco feed service.

Overall, Cisco ISE is as versatile and customizable as a client chooses to make it. Straight out of the box, there are hundreds of prebuilt profiles, and posture checks are available for a variety of the most popular anti-virus and anti-spam software. Administrators are able to precisely target their devices through profiling and posture checks.

For more information on this and our other technology capabilities, check out our website or contact us.
