
Cisco ISE Module 1 Introduction To ISE and The Node Concept

This document provides an agenda for a Module 1 introduction to Cisco Identity Services Engine (ISE). It includes a brief biography of the presenter, Ludomir Sznajder. The topics to be covered are an introduction to ISE and the "node" concept, ISE licensing, and the definition of the end-user experience, starting with the context of who, what, where and how. Cisco ISE is introduced as an industry-leading network access control and policy enforcement platform. New features of ISE 3.1 include enhanced visibility, improved simplicity, and cloud enablement. ISE supports a multi-vendor solution through integration with various networking, security and mobility partners.

Uploaded by masterlinh2008
Introduction to ISE & the "node" concept

Module 1
Ludomir Sznajder
ISE Sales Specialist, WW ENS Sales
March 24th, 2022
Today’s agenda for Module 1

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Ludomir Sznajder

• 2021: Cisco ISE Sales Specialist in WW ENS Sales
• 2018: Cisco DNA Sales Specialist in WW IBN Sales
• 2017: Stealthwatch Virtual Sales Specialist in WW Stealthwatch Sales
• 2014: joined Cisco in Prague as Virtual Sales Account Manager

Prague, Czech Republic

Introduction to ISE & the "node" concept

1. What is ISE and why we talk about ISE 3.1?
2. Few words about ISE licensing
3. The "node" concept

Next-Gen Campus Connectivity Must Start by Defining the End-User Experience

Gartner

End-user experience starts with context
Who, what, and how? Where they can go?

• Secure Access: Employees, Corp device
• BYOD Access: Employees, Personal device
• Next-gen Guest Access: Guests, Any Device
• IoT Access: IoT Device

Segmentation Policy

Cisco ISE for intent-based access

Cisco Identity Services Engine (ISE) is an industry-leading Network Access Control and Policy Enforcement platform that lets you:

• See: users, endpoints and applications
• Secure: by controlling network access and segmentation
• Share: context with partners for enhanced operations

[Figure labels: Cisco ISE; context (Who, When, What, Where, How, Health, Threats, CVSS); pxGrid and APIs; Partner Eco System (SIEM, MDM, NBA, IPS, IPAM, etc.); access policy for endpoints and for network; Wired, Wireless, VPN]

Role-based Access Control | Guest Access | BYOD | Secure Access
[Figure: ISE Use Cases, with panels labelled Module 2 and Module 3]

What’s new with ISE 3.1?

Enhanced Visibility
• Agentless Posture
• Privacy enabled devices checks
• Seamless and enhanced EA integration

Improved Simplicity
• New User Interface
• Enhanced Walk-Throughs
• Debug Wizard for easy troubleshooting

Cloud Enabled
• MS Azure AD integration
• ISE deployment on AWS Cloud
• ISE deployment on VMware Cloud
Cisco ISE supports Multi-Vendor solution
https://cs.co/ise-compatibility

Aruba, Motorola, Ruckus, Brocade, HP and more…

• ISE 1.0: 802.1x
• ISE 2.1 and beyond: Profiling, Posture, Guest, BYOD

Compatible device vendors*
• Aruba Wireless
• HP Wireless
• Motorola Wireless
• Brocade Wired
• HP Wired
• Ruckus Wireless

*For additional information, refer to the Cisco Compatibility Matrix
Cisco Security Technical Alliance Partners
https://www.cisco.com/go/csta

Splunk, IBM Security, LogRhythm, Syncurity, Exabeam, Cynerio, Digital Defense, E8 Security, Elastica, Fortscale, TrapX Security, AirWatch, Micro Focus ArcSight SIEM, Check Point Software Technologies, Greenlight Technologies, Attivo Networks, BlackRidge Technology, Microsoft, Siemplify, LiveAction, HanSight, illusive, Jamf, Lumeta, Nozomi Networks, Panaseer, Qualys, Rapid7, Tenable, Bayshore, Medigate, Micro Focus, MobileIron, Nyansa, Acalvio, Armis, RedShift Networks, XenMobile, Claroty, Demisto, Endace, Huntsman, Ordr, SecureAuth, Securonix, Skyhigh, CyberMDX, Cyber X, LogZilla, McAfee, Ping Identity, SAINT, Sophos, Mokescreen, Tanium, Verizon, Vu, ZingBox, Asimily, TIBC, Mosyle Manager, Absolute Software, Noovus, SAP, SOTI, Tangoe, ALEF, BlackBerry, Envoy, Globo, Cylera
The new ISE 3.1 - licensing

2.X (Lego Model)

Base (Network Onboarding)
• AAA & 802.1X
• Guest (Hotspot, Self-Reg, Sponsored)
• Trustsec
• Easy Connect (PassiveID)

Plus (Context)
• Profiling
• Location Visibility & Enforcement
• Context Sharing (pxGrid)
• BYOD (+CA, +MDP)
• RTC (ANC)

Apex (Compliance)
• Posture
• MDM Compliance
• TC-NAC

3.X (Nested-doll Model)

Essentials (User Visibility & Enforcement)
• AAA & 802.1X
• Guest (Hotspot, Self-Reg, Sponsored)
• Easy Connect (PassiveID)

Advantage (Context and Cloud)
• Context Sharing (pxGrid Out/In)
• Profiling
• Location Visibility & Enforcement
• BYOD (+CA, +MDP)
• RTC (ANC)
• Group Based Policy (TrustSec)
• User Defined Network Cloud
• Endpoint Visibility and Enforcement via Endpoint Analytics

Premier (Compliance - Full Stack)
• Posture
• MDM Compliance
• TC-NAC

ISE 3.1
• Smart licensing
• Just one common VM license
• Evaluation license available
ISE Node Personas… Explained

Policy Administration Node (PAN)
• Administrative GUI
• Policy configuration
• Policy replication
• Centralized Guest database
• Centralized BYOD database
• Configuration REST APIs

Monitoring & Troubleshooting Node (MNT)
• Receives logs from all nodes
• Handles remote logging targets
• Generates summary Dashboard Views
• Performs scheduled reports
• Handles reporting and API queries

Policy Service Node (PSN)
• TACACS requests
• RADIUS requests
• Endpoint profiling probes
• Identity store queries
• Hosts Guest/BYOD portals
• MDM/Posture queries
• TC-NAC & SXP services

Platform Exchange Grid Node (PXG)
• Runs pxGrid controller
• Authorizes pxGrid Pubs/Subs
• Publishes pxGrid topics to subscribers
• Handles ANC requests
• REST APIs
How does it work in practice?

[Diagram; recoverable labels follow]

• Nodes and actors: Admin (Operates), PAN, PSN, MNT, ISE-PXG, DNAC, SIEM, Partner Eco System (SIEM, MDM, NBA, IPS, IPAM, etc.); one element is marked Optional
• ISE PSN IP address* = AAA RADIUS server
• Link labels: Config Sync; Logs; Context; Context (pxGrid); RADIUS, TACACS+, Profiling, etc.; DNAC Automation REST; ANC action

Authorization Policy
• If Employee then VLAN-100
• If Contractor then SGT-20
• If Things then ACL-300

Exchange Topics
• TrustSecMetaData: SGT Name: Employee = SGT-10; SGT Name: Contractor = SGT-20; ...
• SessionDirectory: Bob with Win10 on CorpSSID

*PSNs can optionally be behind a load-balancer and can be accessed via Load Balancer Virtual IP addresses (VIPs)
Introduction to ISE & the "node" concept

Summary:
- Identity Services Engine, Cisco’s NAC solution, is fundamental for network security and Zero Trust
- ISE 3.1 is easier, more flexible and open to integrate
- ISE Node Personas guarantee best fit of network access control to Customers’ business needs