Vous êtes sur la page 1sur 28

ISE HLD

Cisco Identity Services Engine (ISE) 2.0


High-Level Design (HLD)
An ISE HLD may be requested at any time by the Cisco TAC to troubleshoot an ISE
deployment. An HLD will be required for any assistance by the Policy and Access
Team for Technical Marketing or Escalation services. Inability to produce a current
HLD upon request covering the full scope of your ISE deployment will delay the
resolution of your problem. Even though ISE deployment does not require an HLD, it is
still recommended to complete one for records.

Required preliminary information Provide your answers in this column


Customer Company Name

Partner Company Name

Engineer’s Name, Email and Phone


That created or reviewed this HLD

Cisco Sales Order number(s),


If order has been placed

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 28
Contents
Introduction .............................................................................................................................................................................................. 3
Retirement of ISE ATP Program ......................................................................................................................................................... 3
Document Purpose.............................................................................................................................................................................. 3
Business Objectives ................................................................................................................................................................................ 4
Customer’s Business Goals ............................................................................................................................................................... 4
Estimated Timelines ................................................................................................................................................................................. 5
Customer Environment Summary .......................................................................................................................................................... 6
Customer Network Overview ................................................................................................................................................................... 7
Physical Network Topology ................................................................................................................................................................ 7
Topology Specifics .............................................................................................................................................................................. 8
Policy Details .......................................................................................................................................................................................... 13
Deployment Details ................................................................................................................................................................................ 17
Unknowns .......................................................................................................................................................................................... 17
High Availability................................................................................................................................................................................. 17
Migration ............................................................................................................................................................................................ 17
ISE Node details ................................................................................................................................................................................ 18
Bill of Materials (BOM) ........................................................................................................................................................................... 19
Appendix ................................................................................................................................................................................................. 20
Security Partner Community ............................................................................................................................................................ 20
Migration SKUs .................................................................................................................................................................................. 20
Migration Guide ................................................................................................................................................................................. 20
Machine Access Restrictions (MAR) ............................................................................................................................................... 20
Note regarding Performance Specifications ................................................................................................................................... 22
Platform Hardware Specs ................................................................................................................................................................. 22
Platform Performance Specs for PSN when PAN and MNT deployed as separate node – Max Concurrent EndPoints and
Composite Authentications (Authentication values are approximate values) ............................................................................. 22
Platform Performance Specs – Authentications/Second with PSN only persona (Approximate values) .................................. 22
System Performance Specs (Per Identity Services Engine deployment) ..................................................................................... 23
System Scale (Per Identity Services Engine deployment) ............................................................................................................. 23
VM Disk Size Minimum Requirement ............................................................................................................................................... 23
MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled) ......................................... 23
Latency and bandwidth requirement among ISE nodes ................................................................................................................ 24
Guest server and ISE Guest Feature Comparison .......................................................................................................................... 24
ACS and ISE Feature Comparison ................................................................................................................................................... 26

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 28
Introduction

Retirement of ISE ATP Program


ISE is being phased out of ATP, thus it is no longer required to submit HLD as part of ISE order. For partner resources,
please visit Security Partner Community (https://www.cisco.com/go/securitychannels). Latest version of HLD and Bandwidth
Calculator is available here as well.

Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for the Cisco Identity Services
Engine (ISE) with the Secure Access solution. Due to the various product configurations and deployment options, we are
providing this document to assist with obtaining relevant design information from your customer. The Secure Access
solution using the Cisco Identity Services Engine is a system architecture comprising of many components including
endpoints, network access devices, identity stores, certificate authorities, and many APIs for third party integrations to
provide guest services, profiling, BYOD enrollment and AAA for all access user and device access control needs. An
engineer must consider the Secure Access solution holistically and consider immediate as well as future requirements
prior to deciding what equipment to purchase. This HLD template will step the engineer through what needs to be
considered. If the engineer is not intimately familiar with the proposed network, a network assessment may be necessary
prior to completing the HLD. This document can be used during design phase of the ISE deployment to assist the
engineers on collecting key information relevant to successful ISE deployment. The Cisco TAC or Secure Access and
Mobility Product Group representatives may request a copy of the HLD with any support or escalation case.

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 28
Business Objectives
Customer’s Business Goals
Describe the customer’s business goals. Consider the following example business goals:
● Profiling for visibility or inventory management (differentiation of services based on device type)
● Differentiation of service based on user identity
● Regulatory compliance
● Securing wireless network and providing guest access
● Managing employee-provided devices (e.g., iPads)
● Port lockdown
● Ensuring endpoint health or posture
● Network Device Administration
● Other

The Policy Details provided in later sections of this HLD should reflect the business objectives stated here.

Customer’s Business Goals

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 28
Estimated Timelines
Phase Number of endpoints Begin End Comments
Lab testing and qualification N/A
Final Design Review call with Cisco SME N/A Earliest target date Latest target date for May also occur after
for review call review call initial pilot/POC
phase
Production phase 1 (pilot)
Production phase 2
Production phase 3

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 28
Customer Environment Summary
Deployment Summary Response
Use cases in scope for design (Please check or add to the list to Wired Profiling/Visibility
the right): Wireless Posture Assessment
VPN TrustSec
BYOD Guest Access
pxGrid MDM Integration
MACSec RADIUS Proxy
Device Admin Location Integration
Other Use Cases:
Endpoint count
● Total endpoint count for entire deployment (endpoint count equals the sum
of user and non-user devices)
o Total user endpoints (i.e. Windows PC, Mobile devices, guest devices) User Endpoints:
o Total non-user endpoints (Including IP Phones, Wireless APs, Printers, Non-user Endpoints:
etc.)
Concurrent endpoint count
● Maximum number of concurrent endpoints expected
o Total concurrent user endpoints including guest devices Concurrent User Endpoints:
o Total mobile endpoints using 3rd party MDM using ISE Concurrent endpoints with 3rd party MDM:
o Total endpoints for posture assessment Concurrent endpoints with posture assessment:
o Total concurrent non-user endpoints (Typically non-user endpoints are Concurrent non-user endpoints:
always connected)

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 28
Customer Network Overview
Physical Network Topology
Insert a high-level network diagram showing the proposed Identity Services Engine solution. This should include any
branch networks and data centers. Include the general number of endpoint and types per location. Include WAN
bandwidth information and show placement of network access devices such as Active Directory/LDAP, DNS servers, NTP
servers, wireless controllers, switches, and VPN concentrators.

Note: The maximum latency between admin node and any other ISE node including secondary admin, MnT, and PSN is
200ms. Here is link to the WAN bandwidth calculator for ISE deployment (https://www.cisco.com/go/securitychannels). This
calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.
Customer’s Physical Network Topology

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 7 of 28
Topology Specifics

Question Response
Network Access Devices
Provide the general switch/controller model numbers/platforms deployed and
Cisco IOS and AireOS Software versions to be deployed to support ISE
design.
 Please see ISE Component Compatibility Document for the
recommended IOS and AireOS versions
Please explain if you are not planning on deploying the versions listed
in the ISE compatibility document.

Identity Services Engine Software Version


Please see CCO Download Software Page for the latest software release.

EndPoint Types
What are the general client types deployed (Please provide service pack
details for Windows and OS types for MacOSX)?

● Will 3rd party Mobile Device Management (MDM) be integrated with 3rd party MDM Vendor:
ISE?
● If already using 3rd party Mobile Device Management (MDM) or Windows Versions
planning to use MDM please note the vendor and version as well as Windows XP: Windows Vista:
brief description on how it will integrate with ISE Windows 7: Windows 8/8.1:
◦ Please see Cisco ISE – MDM Partner Integration guide for supported Windows 10: Windows Other:
MDM vendor for integration and supported versions Supplicant Type
● Are mobile devices corporate- or employee-owned assets? Windows Native AnyConnect NAM
● Will user access policy be based on device type (for example, laptop 3rd Party supplicant:
versus iPad)? If so, will machine auth or profiling or static MAC Other User EndPoint Types
assignments be used to distinguish device types? Mac OSX: iDevice:
● Please note how many of the concurrent endpoints will utilize MDM Android: Linux:
information during authorization from ISE Other EndPoint Types:
Non-User EndPoint Types
Note: For domain joined Windows machines to function properly, machine Wireless AP: IP Phone:
authentication is recommended. Performing user only authentication may Printer/Fax/Etc: HVAC:
break critical functions such as machine GPO and other background Medical: SCADA:
services such as backup and software push. Other:
Note: State whether the customer is using machine or user authentication, or
both. If both machine and user authentication are planned, are Machine
Access Restrictions (MAR) planned? If so, review the Appendix information
on MAR caveats.
For machine / user authentication details, please refer to 802.1X
Authenticated Wired and Wireless Access

Extensible Authentication Protocol (EAP) Types EAP Tunnel


Note: EAP-TTLS is not supported by ISE. PEAP EAP-FAST
Note: Cisco ISE version 1.1 supports FIPS 140-2 Level 1 Compliance, EAP-TTLS
please see the details in FIPS 140-2 Level 1 Compliance Page for more Inner EAP
information. MSCHAPv2 EAP-TLS
Note: Cisco ISE 2.0 supports EAP chaining. When EAP Chaining is turned GTC EAP-Chainng
off, Cisco ISE performs usual EAP-FAST authentication. Other EAP Types:

ID Stores
[EAP and ID Store Compatibility Reference]

List the internal and external ID stores the customer will use for different use
cases.

Consider the following:

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 8 of 28
Question Response
● 802.1X: AD
● MAB: Internal EndPoint + AD
● Web Authentication: Internal Guest + AD
● VPN: SecurID
● Guest Sponsors: AD
● Oracle Access Manager
● ISE GUI Admin: Certificate

Note: For Sponsored or Self-Service Guests, ID store is always ISE guest


users database

MS Active Directory Environment


● How many AD forests are to be integrated with ISE with multi-AD
feature?
● ISE requires AD forest DNS consolidated into central DNS servers.
What method is used to consolidate DNS information for the separate
AD forests?
● What version of AD is in use?
● Are there any Read-Only domains in place?

Note: AD Site & Services is recommended for ISE subnets for all forests.
For more information regarding multi-AD support, please refer to ISE 1.3
Multi-AD how-to guide

Web Authentication
● Will WebAuthuth be used?
● Will WebAuth be used for wired, wireless, or both?
● Will Local Web Auth (LWA) or Central Web Auth (CWA) be used?
● Where will the web portal be hosted?
Note: If deploying CWA the portal must be hosted by ISE. If deploying
LWA the portal can be local to access device, or external (such as ISE).
● Will web auth be used for guest access? Will web auth be used for non-
guests (for example, employees)?

Note: For more information on CWA and LWA support on different platforms,
please refer to ISE Component Compatibility Document

Authorization
Describe the enforcement types used. Consider the following options:
● VLANs
● ACLs (dACL for wired /named ACL for wireless)
● Security group tags/ACLs (SGTs/SGACLs)

dACL considerations:
● Cisco Catalyst switches support the wire−rate access control list (ACL)
with use of the ternary content addressable memory (TCAM). If the
TCAM is exhausted, the packets may be forwarded via the CPU path,
which can decrease performance for those packets. It is recommended
to limit the number of Access Control Entries (ACE) to prevent potential
TCAM exhaustion.
● Using IP SourceGuard feature or QoS feature may also affect the TCAM
utilization

VLAN considerations:
● Consider the use case for why VLAN enforcement is used and estimate
the number of VLANS required.
● To authorize an endpoint using dynamic VLANs (dVLANs), the access
device must have that VLAN locally defined or else authorization will fail.
● To reduce the number of unique authorization policy rules, access

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 28
Question Response
devices should use consistent numbering, or case-sensitive naming if
assign dVLANs by VLAN name or VLAN Group name.
● When using monitor mode of the phased deployment, VLAN assignment
may cause endpoints with wrong IP address
● Some endpoints, such as non-user devices, may not refresh IP after
VLAN change
● If devices are statically addressed, they may not be able to
communicate on assigned VLAN

Note: VLAN assignment is not supported with LWA (wired or wireless)


Note: When using dVLAN assignment to change VLANs between machine
authentication and user authentication or for remediation purpose on
Windows platform may result in delay in getting a new IP address

Posture
● Which posture agents will be used? Consider: AnyConect 4.0 posture
agent for Windows or Mac, Web agent for Windows
● If persistent posture agents deployed, how will they be provisioned?
(e.g. through ISE or other desktop software/patch management solution,
via ASA, or via ISE)

In the Posture Policy section below, explain the posture policy by OS type
including remediation policies.

Note: For latest AV/AS posture requirements, review the list of currently
supported packages for Windows and MacOSX

Profiling Profiling Probes


● Identify the primary device types to be profiled NETFLOW DHCP
● What is the profile data required to classify each device type? DHCPSPAN HTTP
● Which probes will be deployed to collect the required data? RADIUS Device Sensor
● If SPAN/RSPAN is to be used, does infrastructure support these DNS NMAP
technologies? SNMPTRAP SNMPQUERY
Note: If SPAN/RSPAN used, a dedicated interface should be used on
the Policy Service Node for the DHCP SPAN or HTTP SPAN probe.
● If RSPAN or Netflow is to be used, is there sufficient bandwidth between
source SPAN/Netflow exporter and ISE Policy Service node used for
profiling?
● Is profiling for visibility only or for use in authorization policy?
In the Profiling Policy section below, explain the profiling policy in detail.
ISE Nodes/Personas
● Number and type (3415/3495/VM) of each ISE appliance (node)
● Define the personas assigned to each node (e.g., Administration,
Monitoring, Policy Service, pxGrid, Device Admin) including Primary and
Secondary designations.

In the Deployment Details section below, provide information on the nodes


Note: Inline Posture node is no longer supported starting with ISE 2.0
Note: Each Policy Service Node (PSN) supports limited endpoints. Please
consider the number of PSN as per the number of required endpoints.
Note: EOS and EOL was announced for 33x5 appliances. For more
information please refer to the EOL announcement.

Switch Identity Configuration


Describe the wired switch identity configuration
● Multi-auth/multi-domain modes
● Flexible authentication sequencing and priority for 802.1X, MAB, and
web auth
● Is Class-Based Policy Language (CPL) for 3850 switch to be used?

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 10 of 28
Question Response
● Is Failed-Auth or Guest VLANs to be used?

Note: These fallback mechanisms cannot be used with LWA/CWA


Note: Please refer to Cisco TrustSec 2.1 HowTo Guide in the Appendix for
configuration reference. We would recommend inputting the detailed switch
configurations here.

Wireless Configuration
Describe the wireless configuration
● How many SSIDs does the deployment require?
● Please provide SSID security settings.
● Is wireless AP in FlexConnect mode or not?
● For Guest wireless access, is the WLC configured as an anchor
controller?

Note: Not all functionality of FlexConnect AP mode with ISE is officially


supported.
Note: For the WLANs, please configure the idle-timer to be more than 3600
seconds (1 hour) and session-timeout to be more than 7200 seconds (2
hours). Also, please increase the RADIUS Authentication & Accounting
server timeout to be 5 seconds.

Certificate Authority (CA) Integration CA Types


Describe the CA configuration Standalone
● How will ISE integrate with 3rd party CA? Joined to existing PKI infrastructure
● Will ISE be issuing certificates for BYOD? SCEP
● Utilize web based CA portal on ISE?
● Utilize API for certificate management?
● Utilize AnyConnect/ASA for SCEP enrollment?
Bring Your Own Devices (BYOD)
Describe the detailed BYOD configuration
● Is it Single SSID or Dual SSID?
● Will Android be in the BYOD design? If so, please provide details of
provisioning authorization profile
● What devices will be auto provisioned?
● What supplicant will be used? Please provide detailed supplicant
configuration information.
● What access will unsupported device get? (i.e. Blackberry, Windows
phones, Chromebooks)
● Will MDM be integrated with BYOD design, If so, please provide details
of MDM policy below in the Authorization Policy section and whether or
not redirection will be used for MDM agent installation

Note: Please note that Dual SSID and CWA are only supported with WLC
AireOS 7.2 and up. Please plan to use LWA if there is no plan to upgrade to
the devices that support CWA and MAB.
Note: With AireOS 7.6 and up, DNS based wireless ACL is supported which
can allow admin to create an ACL for Android devices have access to
Google Play Store.

Integration with 3rd party (Excluding MDM)


Describe the detailed integration with SIEM & Threat Defense products
● What product and vendor for SIEM. Please see Cisco ISE – SIEM &
Threat Defense Eco System Integration guide for supported SIEM
vendor for integration and supported versions
● What information will be forwarded to SIEM
● Will pxGrid be used? If so, which devices will subscribe to ISE?
● Will Adaptive Network Control (ANC) be used?

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 11 of 28
ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 12 of 28
Policy Details
List all security policies that are needed to implement the business requirements described above.

Authentication: For each use case (wired, wireless, VPN), describe the authentication policies that will be implemented
for all users and endpoints whether managed or unmanaged.

Authentication Policy Example:


Rule Name Condition Allowed Protocols ID Store / ID Sequence
Device Access Wired_MAB Default Network Access Internal EndPoints
802.1X Access Wired_802.1X Default Network Access AD_then_Local
VPN NAS-Port-Type = Virtual Default Network Access AD
Default - Default Network Access Internal Users

Customer Authentication Policy:


Rule Name Condition Allowed Protocols ID Store / ID Sequence

Authorization: For each use case (wired, wireless, VPN), describe the authorization policies that will be implemented for
all users and endpoints whether managed or unmanaged.

Authorization Policy Example:


Rule Name Identity Groups Other Conditions Permissions
BYOD Unknown Mobile Devices Logical EAP Tunnel = PEAP NSP dACL
Group EAP Type = MSCHAPv2 NSP Redirect
BYOD Registered Registered EAP Type = EAP-TLS Registered dACL
SAN = Calling-StationID
IP_Phones Cisco-IP-Phones - Voice VLAN
Authz VVID
Printers Managed-Printers - Printer VLAN
Cameras Managed-Cameras - Camera VLAN
Workstation_Access Any Domain PC AD Access dACL
User_Role_1_Access Any Domain Member Role1 Role1 dACL
User_Role_2_Access Any Domain Member Role2 Role2 dACL
Guest_Access Guest - Internet Only dACL
Default - - Web Auth

Customer Authorization Policy:


Rule Name Identity Groups Other Conditions Permissions

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 13 of 28
Guest Access: For each use case (wired or wireless), describe guest access policy. Provide information on how guest
will access the network including information on guest provisioning, sponsors, and whether custom guest portal pages
need to be created. Please fill details in the forms below if the answer yes applies to you. Put no if the scenario does not
apply to you.
Services Wired (yes or no) Wireless (yes or no)
Guest

Profiling: For each use case (wired or wireless), describe how the profile data will be collected by each probe required to
classify each device type to be profiled. For example, will SPAN or RSPAN be used to carry data from the network to the
Identity Services Engine? If so, what is the SPAN design? Will dedicated ISE interfaces be used? If HTTP probe used,
will SPAN or redirection be used to capture user agent attributes?

Please note that the number of events per second a platform can safely process per the Platform Performance Spec table
below. For example, if IPAD traffic is to be profiled by probing http traffic for the User Agent attribute, then the design
must assure the Policy Services node is not inspecting more than 1200 http events per second (3395 spec). Consider
profiling strategies that reduce overall load on Policy Service node such use of HTTP redirect at connect time to capture
the User Agent attribute, or the use of IP Helper statements for DHCP capture versus the use of SPAN.

Profiling Policy / Requirements Example:


Device Profile Unique Attributes Probes Used Collection Method
Cisco IP Phone OUI RADIUS RADIUS Authentication
CDP SNMP Query Triggered by RADIUS Start
IP Camera OUI RADIUS RADIUS Authentication
CDP SNMP Query Triggered by RADIUS Start
Printer OUI RADIUS RADIUS Authentication
DHCP Class Identifier DHCP
POS Station MAC Address RADIUS (MAC RADIUS Authentication
(static IP) Address
discovery)
ARP Cache for MAC to IP SNMP Query Triggered by RADIUS Start
mapping
DNS name DNS Triggered by IP Discovery
Apple iPad/iPhone OUI RADIUS RADIUS Authentication
Browser User Agent HTTP Authorization Policy posture redirect
to central Policy Service node
cluster
DHCP Class Identifier + DHCP IP Helper from local L3 switch SVI
MAC to IP mapping
NMAP Scan Result NMAP Active Scanning
Device X MAC Address RADIUS (MAC RADIUS Authentication
Address
discovery)
Requested IP Address for DHCP RSPAN of DHCP Server ports to
MAC to IP mapping local Policy Service node
Optional to acquire ARP SNMP Query Triggered by RADIUS Start
Cache for MAC to IP
mapping

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 14 of 28
Port # traffic to Destination Netflow Netflow export from Distribution
IP 6500 switch to central Policy Service
node

Customer Profiling Policy / Requirements:


Device Profile Unique Attributes Probes Used Collection Method

Posture: Describe posture policy requirements for endpoint compliance. This may include many areas such as asset
checking, application and services checking, and antivirus and antispyware checks, as well as customized checks for
specific use cases. Describe remediation plans and include remediation servers that need to be integrated into the design.

Posture Policy Example:


Rule Name OS Conditions Posture Checks Remediation Enforcement When
(Windows/MacOS Agent (Audit/Opt/ Assessed
X) Mandatory) (Login/PR
A/Both)
Employee_AV Windows XP/7 AD NAC Agent AV Rule: Live update Mandatory Both
group= for Microsoft (Automatic)
Employee Windows Security
Essentials
2.x
Employee_Ass Windows XP/7 AD NAC Agent Custom Link redirect Mandatory Login
et group= for registry to policy
Employee Windows check page
(Manual)
Contractor_AV Windows ALL ID Group= Web Agent AV_Rule: Local Mandatory Login
Contractor Any AV Message
w/current regarding
signatures AV Policy

Customer Posture Policy:


Rule Name OS Conditions Posture Checks Remediation Enforcement When
(Windows/MacOSX) Agent (Audit/Opt/ Assessed
Mandatory) (Login/PR
A/Both)

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 15 of 28
Client Provisioning: Describe Client Provisioning policy requirements for posture and native supplicant provisioning.

Client Provisioning Example:


Rule Name Identity Groups Operating Systems Other Conditions Results
Apple Any MAC OSX or Apple iOS Native Supplicant:
EAP-TLS, SSID
Windows Any Windows All Agent:
NAC Agent
Native Supplicant:
PEAP-MSCHAPv2, SSID
Android Any Android Native Supplicant:
EAP-TLS, SSID

Customer Client Provisioning Policy:


Rule Name Identity Groups Operating Systems Other Conditions Results

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 16 of 28
Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For instance, the information that was required but not
received from the customer, please list it here. (E.g. My customer uses IE3000 series switches. Is this supported?
Customer is using 3rd party NAD. Or the customer is currently using IPv6)

High Availability
Discuss high availability considerations.

 High availability for each persona and node should be part of design to ensure that no single persona/appliance
failure results in total loss of a service. Please confirm persona/node redundancy design and explain reason if HA
not planned for any component.
 How will network access devices and ISE Policy Service nodes be configured for redundancy? Note: For wireless
deployments using LWA, only one URL can be defined for web authentication.
 Please provide the details regarding how Load Balancing will be used in this deployment, if it applies.

Migration
If migrating this deployment from ACS or ISE, provide details on the current deployment and how you're going to address
migration of licensing, existing policy, NAD configurations, etc.
● Is this a migration for an existing Cisco Secure ACS, NAC Appliance, NAC Profiler, and/or NAC Guest Server
deployment? If so, please list the existing product SKUs purchased to determine full migration entitlement.
o For existing appliances supported by ISE, please indicate quantity and type of each appliance model (for
example, 1121, 3315, 3355, or 3395) to be migrated.
o For NAC Appliance license counts, please indicate the user license for each NAC Server (FO pairs count as one
license).
o For NAC Profiler endpoint counts, please provide the endpoint license for dedicated Profiler Collectors, or
quantity and type (331x or 335x) of each “CLT” license.
o If this is a NAC Guest Server (NGS) migration, please note the differences between the guest access features of
NGS and the Identity Services Engine Version 2.0 in the appendix section of this document.
o If this is a ACS migration, please note the differences between the features of ACS 5.8 and the ISE 2.0 in the
appendix section of this document (ACS 4.2 information shown for comparison purpose, currently there is no
direct migration path from ACS 4.2 to ISE 2.0)

Client Provisioning and 802.1X Phasing


● Supplicant / Supplicant Configuration provisioning:
o For none native supplicant (such like AnyConnect NAM), how are supplicants provisioned? (E.g. SMS/WSUS)
o For native supplicant, please provide how the supplicant configuration provisioned? (E.g. GPO )
● Certificate provisioning and CA:
o Are certificates used?
o How are they deployed?
o What is certificate strength, if known (key length, crypto hash)?
o Does customer use in-house CA or public CA?

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 17 of 28
o Describe customer PKI infrastructure and requirements
Note: Cisco strongly recommends server certificate, which is signed by in-house CA or other 3rd party Root CA server,
to be used for ISE. Self-signed server certificate should not be used for production deployment.
● Deployment modes (Please refer to DIG in Appendix for Mode details):
o Will Monitor mode be enabled for a period of time on the 802.1X-enabled routers and switches?
o Will Authenticated or Enforcement mode (formerly known as “Low Impact mode”) be deployed?
o Will Closed Mode (formerly known as “High Security mode”) be deployed?

ISE Node details


For customers deploying VMs:

The VM host should be sized comparably with the ISE appliance. See platform hardware specs below for CPU
specification of the various appliances. For example, if the performance characteristics required are similar to a 3495
appliance, then per platform performance specs the VM should contain 32GB RAM, 8 CPUs equivalent to a Intel Xeon
CPU E5-2609 @ 2.4 GHZ.
Note: Hard disks with 10K or higher RPM are required. Average IO Write performance for the disk should be higher than
300MB/sec and IO Write performance should be higher than 50MB/sec. VMotion is supported since ISE 1.3. Please make
sure to reserve the RAM and CPU cycles for the ISE node deployed as VM.

Note: If disk size needs to be resized, the node will need to be re-imaged from the ISO

Note: The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or other
guest VMs on the host.

Example:

Host Name (FQDN) Persona IP Address VM/HW CPU RAM Storage

ise1.example.com Admin/MnT 1.1.1.1 VM Intel Xeon E5-2609 @ 2.4 GHZ X 32GB 600GB
8 Core

ise2.example.com PSN 2.2.2.2 VM Intel Xeon E5-2609 @ 2.4 GHZ X 32GB 300GB
8 Core

Host Name (FQDN) Persona IP Address VM/HW CPU RAM Storage

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 18 of 28
Bill of Materials (BOM)
Insert as part of this document, or in a separate attachment, the list of equipment to be ordered for the Identity Services
Engine deployment that matches the design. If Sales Order already placed, then be sure to include the order details here.

Please include SmartNet/SAU or explain its omission (for example, included as part of another order, support agreement,
or deliberate acknowledgement that support refused).

If HLD is part of an ACS/NAC migration, please include appropriate migration SKUs. Use the information previously
entered regarding existing appliance, software, and license purchases on eligible products to determine migration
entitlement. For further details on migration entitlement and SKUs, please refer to ISE Migration entitlement calculator
located in the partner portal page:
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html)

Note: Please only include the information of the products that are related ISE.

Example BOM:
Line Product Qty List Price Contract Discount Unit Price Extended Price
1 L-ISE-BSE-3500= 1
2 L-ISE-ADV3Y-1500= 1
3 SNS-3495-K9 2
4 CON-PSRT-SNS3495 2 12345678
5 SNS-3415-K9 2
6 CON-PSRT-SNS3415 2 12345678
7 L-ISE-ADV-S-1K= 1
8 ISE-ADV-3YR-1K 1

Note: ISE BoM Tool is available to assist with creating BoM. Please refer to ISE BoM Tool located in the partner portal
page: (https://sambt.cisco.com)

Note: Since ISE 1.2, S/N from both Admin nodes can be added to the license to improve flexibility and flexibility. For more
information please refer to the Cisco ISE License Application Note

Customer BOM details:


Line Product Qty List Price Contract Discount Unit Price Extended Price

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 19 of 28
Appendix
Security Partner Community
Please visit Security Partner Community for additional ISE resources (Login required).
Migration SKUs
Please consult the ISE Packaging and Licensing Guide for migration SKUs.

Migration Guide
The Cisco Identity Services Engine Licensing Guide located in the partner portal page
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html ) explains packaging and
licensing under the Authorized Technology Provider program for wired and VPN.

Machine Access Restrictions (MAR)


 Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling
authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine
authentication of the computer used to access the Cisco ISE network. For every successful machine authentication,
Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of
a successful machine authentication. Cisco ISE retains each Calling-Station-ID attribute value in cache until the
number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires.
Once the parameter has expired, Cisco ISE deletes it from its cache. When a user authenticates from an end-user
client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the
Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-
authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that
requests authentication in the following ways:
● If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a
successful authorization is assigned.
● If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a
successful user authentication without machine authentication is assigned.

 Potential Issues with MAR:


● Ethernet/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; MAC
address will change when laptop moves from wired to wireless breaking the MAR linkage.
● Machine state caching: The state cache of previous machine authentications is neither persistent across ACS/ISE
reboots nor replicated amongst ACS/ISE instances
● Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different
location, or comes back into the office the following day, where machine auth cache is not present in new RADIUS
server or has timed out.
● Spoofing: Linkage between user authentication and machine authentication is tied to MAC address only. It is
possible for endpoint to pass user authentication only using MAC address of previously machine-authenticated
endpoint.

Cisco TrustSec Design and TrustSec 2.1 HowTo Guide


● http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

Cisco SNS-3400 Series Appliance Specifications


● http://www.cisco.com/c/en/us/td/docs/security/ise/1-
4/installation_guide/b_ise_InstallationGuide14/b_ise_InstallationGuide14_chapter_010.html

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 20 of 28
Cisco Secure Access and TrustSec Release 5.0
● http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/c96-731479-00-secure-
access.pdf

Cisco TrustSec-Enabled Infrastructure


● http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

Cisco ISE COnfigured Limited Deployment (ISE COLD) Program


● https://communities.cisco.com/docs/DOC-32999

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 21 of 28
Note regarding Performance Specifications
EOL was announced for 33x5 appliances and provided here as a reference for migration customers. Deployments with
VM should follow platform specifications based on 3415 or 3495 appliances. For more information please refer to the EOL
announcement

Platform Hardware Specs


Platform Processor RAM Hard disk RAID Ethernet NIC Power
1 x QuadCore
Cisco Identity Services Engine 2 x 250-GB SATA HDD 4x Integrated
Intel Core 2 CPU Q9400 4 GB No
Appliance 3315 (Small) (250 GB total disk space) Gigabit NICs
@ 2.66 GHz (4 total cores)
1 x QuadCore
Cisco Identity Services Engine 2 x 300-GB SAS drives 4 x Integrated
Intel Xeon CPU E5504 4 GB Yes (RAID 0) Redundant
Appliance 3355 (Medium) (600 GB total disk space) Gigabit NICs
@ 2.00 GHz (4 total cores)
2 x QuadCore
Cisco Identity Services Engine 4 x 300-GB SFF SAS drives Yes (RAID 4 x Integrated
Intel Xeon CPU E5504 4 GB Redundant
Appliance 3395 (Large) (600 GB total disk space) 0+1) Gigabit NICs
@ 2.00 GHz (8 total cores)
1 x QuadCore
Cisco Secure Network Server 1 x 600-GB 10k SAS HDD 4 x Integrated
Intel Xeon CPU E5-2609 16GB No
3415 (Small/Medium) (600 GB total disk space) Gigabit NICs
@ 2.40 GHz (4 total cores)
2 x QuadCore
Cisco Secure Network Server 2 x 600-GB 10k SAS HDDs 4 x Integrated
Intel Xeon CPU E5-2609 32GB Yes (RAID 1) Redundant
3495 (Large) (600 GB total disk space) Gigabit NICs
@ 2.40 GHz (8 total cores)

Platform Performance Specs for PSN when PAN and MNT deployed as separate node – Max Concurrent
EndPoints and Composite Authentications (Authentication values are approximate values)

When determining how many PSN is needed for the deployment please use ‘Maximum Concurrent Endpoints’ as the
main guideline. Authentication performance for specific use cases is also provided in case it is required to size out the
deployment.

Usage Cisco Secure Network Server 3415 Cisco Secure Network Server 3495
Appliance Appliance
Maximum Concurrent Endpoints 5,000 20,000
Posture Authentications 25 per second 45 per second
Guest Hotspot Authentications 50 per second 68 per second
Guest Sponsored User Authentications 17 per second 28 per second
TACACS+ Function: PAP 1,400 per second 2,800 per second
TACACS+ Function: CHAP 1,500 per second 2,900 per second
TACACS+ Function: Enable 7,00 per second 1,200 per second
TACACS+ Function: Session AuthZ 900 per second 1,700 per second
TACACS+ Function: Command AuthZ 900 per second 1,700 per second
TACACS+ Function: Accounting 2,900 per second 4,900 per second
Maximum number of SXP peer 100 100

Platform Performance Specs – Authentications/Second with PSN only persona (Approximate values)
Platform PAP PEAP (MSCHAPv2) EAP-FAST EAP-FAST (GTC) EAP-TLS MAB
(MSCHAPv2)
Int. AD LDAP Int. AD Int. AD Int. AD LDAP Int. Int. LDAP
Cisco Secure Network Server 153
764 471 789 185 173 376 339 382 323 385 528 597
3415 Appliance (130)
Cisco Secure Network Server 165
1318 419 1328 324 304 512 502 628 513 662 1115 1150
3495 Appliance (140)
Note: EAP-TLS # in brackets are for 2k size certificate

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 22 of 28
System Performance Specs (Per Identity Services Engine deployment)
Description Number
Maximum number of concurrent endpoints with separate Administration, Monitoring, and Policy 250,000 for 3495 as PAN
Service nodes
Maximum number of concurrent endpoints with Administration and Monitoring on a single node 5,000 for 3415 as PAN/MnT
10,000 for 3495 as PAN/MnT
Maximum number of concurrent endpoints with Administration, Monitoring, and Policy Service all 5,000 for 3415
on a single node 10,000 for 3495
Maximum number of Policy Service nodes with separate Administration, Monitoring, and Policy 40 for 3495 as PAN
Service nodes
Maximum number of Policy Service nodes with Administration and Monitoring on a single node 5

System Scale (Per Identity Services Engine deployment)


Description Number
Maximum number of NADs 30,000
Maximum number of Network Device Groups 100
Maximum number of AD join point 50
Maximum number of Internal users 25,000
Maximum number of Internal guests 1,000,000, expect latency for admin gui + user auth 500k beyond
Maximum number of Guest portals 100
Maximum number of EndPoints 1,000,000
Maximum number of Authentication Rules 25 when Simple mode is used
100 combined rules when Policy Set mode is used
Maximum number of Authorization Rules 600 (Best Practice to keep it below 100. With 100+ rules rendering of GUI and user
access will be negatively impacted.)
TrustSec Security Group Tags (SGT) 4,000
TrustSec Security Group ACLs (SGACLs) 2,500
Maximum number of SXP bindings 40,000

VM Disk Size Minimum Requirement


Persona Disk (GB)
Standalone
Administration Only
Monitoring Only 200+ GB
Policy Service Only
Admin + MnT
Admin + MnT + PSN
Note: Thin Provisioning is supported since 1.3, however Tick/Eager Provisioning will yield best performance
Note: 10k RPM+ HDD or equivalent speed required
Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher
Note: 600GB max for non-MnT persona node, 2TB max for MnT persona node

MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled)
Concurrent Endpoints MnT Disk Size
200 GB 400 GB 600 GB 1024 GB 2048 GB
10,000 126 252 378 645 1,289
20,000 63 126 189 323 645
30,000 42 84 126 215 430
40,000 32 63 95 162 323
50,000 26 51 76 129 258
100,000 13 26 38 65 129
150,000 9 17 26 43 86
200,000 7 13 19 33 65

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 23 of 28
250,000 6 11 16 26 52
Note: Above values are based on controlled criteria including message size, re-authentication interval, etc. and result may vary
depending on the environment

Latency and bandwidth requirement among ISE nodes


The maximum latency between admin node and any other ISE node including secondary admin, MnT, and PSN is 200ms. The WAN
bandwidth calculator for ISE deployment is available here: https://www.cisco.com/go/securitychannels (1.2 version of the tool is still
valid for 2.0 release). This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN
links.

Guest server and ISE Guest Feature Comparison

Enforcement Device Support NGS 2.0 ISE 2.0


Can the WLC be used as a captive portal to authenticate the guest
X X
Wireless LAN Controller user?
Can NAC Appliance be used as a captive portal to authenticate the X X
NAC Appliance guest user?
Can Web Authentication in Catalyst switches be used as a captive X X
Catalyst Web Authentication portal to authenticate the guest user?
Can IOS Auth-Proxy in routers be used as a captive portal to X X
IOS Authentication Proxy authenticate the guest user?
Can Auth-Proxy in the ASA be used as a captive portal to authenticate X X
ASA Authentication Proxy the guest user?
Can other devices that support a captive portal to authenticate the
guest user against a RADIUS Server be used? For example a proxy X X
Other RADIUS Devices server.
Central Web Authentication Can Central Web Authentication be used to authenticate guests? X
Web-auth entered credentials can be authenticated against an external X (2.0.3) X
Web-Auth Off-Box Credentials database via RADIUS?
Provisioning Interface NGS 2.0 ISE 2.0
Local Sponsor Authentication Can sponsors user accounts be defined locally on the device X X
AD SSO Sponsor Can the device automatically authenticate sponsors against Active X
Authentication Directory using Single Sign On from their web browser (Kerberos)
SAML SSO Sponsor X
Authentication Can the sponsors authenticate via SAML
LDAP Sponsor Authentication Can the device authenticate sponsors against external LDAP servers X X
RADIUS Sponsor
X X
Authentication Can the device authenticate sponsors against external RADIUS servers
Number of Concurrent
Unlimited Unlimited
Sponsors How many sponsors can be logged in concurrently
Sponsor Role Based Access Can different sponsors be assigned different permission levels based X X
Control upon group assigned by Local Group, LDAP or RADIUS attribute
Restrict Login Can you stop sponsors from logging in based upon role X X
Can you grant permission to sponsors to create or not be able to create X X
Ability to create accounts guest accounts?
Can you grant permission to sponsors to edit or not be able to edit X X
Ability to edit accounts guest accounts?
Can you grant permission to sponsors to suspend or not be able to X X
Ability to suspend accounts suspend guest accounts?

Can you grant permission to sponsors to reinstate a suspended guest X


Ability to reinstate accounts accounts.
Ability to purge accounts Can the guest user accounts be purged from the database X
Does the system allow multiple accounts to be created at the same time X X
Bulk Creation by text by entering the details into a text form?
Does the system allow multiple accounts to be created at the same time X X
Bulk Creation by csv import by importing a csv file?

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 24 of 28
Does the system allow multiple accounts to be created with no user
details need entering, and username/password being randomly X X
Bulk Create random accounts generated?
Guest Account Policies NGS 2.0 ISE 2.0
Guest Username Policy Can you control how the guest username is automatically created? X X
Can you control how the password is configured, requiring a minimum X X
Guest Password Policy number of alpha, numeric and special characters
Guest Password Change Can you allow/require guests to change their password after logging in? X X
Specify which details about the guest must be recorded. Including first X X
Guest Details Policy name, last name, email, company, phone number
Custom Guest Details Request additional custom defined fields about the guest 5 fields X
Guest Roles Can you assign different roles to different guests? X X
Only allow accounts created with a guest role the ability to login from X X
Restrict Login by Location pre-defined locations
Set QoS per role Set QoS parameters by guest role X X
Set a different ACL on each guest based upon the role they have been X X
Set ACL per role assigned
Set a different VLAN on each guest based upon the role they have X X
Set VLAN per role been assigned
Set a different SGT on each guest based upon the role they have been X
Set SGT per role assigned
Can guest access be changed based on contextual awareness and
X
CoA endpoint state?
Account Types NGS 2.0 ISE 2.0
Start/End Create accounts by specifying the time the account starts and ends X X
Duration Create accounts by specifying the time the account can last from now X X
Accounts which are valid for X minutes from the first time the guest logs Removed
X
From First Login in since 1.3
Accounts which are valid for X minutes within Y minutes period from X
Usage Based first login
Guest Portal NGS 2.0 ISE 2.0
Self Registration Does the system support self-registration by guests? X X
Device Registration Does the system support registration of devices? X
Device Self Registration Does the system support self-registration of devices by guests? X
Guest Password Change Allow Guests to change their password based upon policy? X X
Customizable guest portal Can the guest’s web pages be fully customized? X X
Can an Acceptable Use Policy be enforced so that guests must agree X X
Acceptable Use Policy before being allowed access?
Notification NGS 2.0 ISE 2.0
Print Out Will the system create a printout of the guest details? X X
Email Will the system email guest details to the guests email address? X X
SMS Will the system sms guest details to the guests mobile phone? X X
Details emailed to sponsor The sponsor can receive a copy of the account by email? X X
Interface Customization NGS 2.0 ISE 2.0
Company Logo Can the sponsor interface be customized with a company logo? X X
Multiple Languages Can the sponsor interface support multiple languages? X X
Notification Customization Can the email/sms/print outs be customized? X X
Reporting NGS 2.0 ISE 2.0
Keep a full audit trail of each operation made to an account by all X X
Sponsor Audit Trail sponsors.
Guest Accounting Report on guest login/logout times, mac address and ip address used. X X

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 25 of 28
Supports the ability to report on guests network activity such as URLs
visited, connections made etc. Needs external device such as an ASA X X
Guest Activity Reporting or proxy to send the information via syslog to the box.
Management Reports X X
CSV Export Provide the ability for any report to be exported in CSV format. X X
Billing Support NGS 2.0 ISE 2.0
Supports guests purchasing accounts and billing against a Payment X
Credit Card Billing Support Gateway
Allows accounts to be randomly created upfront that become valid at X
Pre-pay Support first login
Other NGS 2.0 ISE 2.0
Application Programming Does the system have an API that can be used to perform all sponsor X X
Interface operations?
Posture Services for guest Can the guest user's host device be posture assessed and access X
users policy granted based on compliance with security policy?

Profiling Services for guest Can the guest user's host device be profiled and access policy granted X
users based on the type of device guest uses to access the network?

ACS and ISE Feature Comparison

Authentication Protocol ACS 4.2 ACS 5.8 ISE 2.0


PAP X X X
CHAP X X X
MS-CHAPv1 X X X
MS-CHAPv2 X X X
EAP-MD5 X X X
EAP-TLS X X X
PEAP (with EAP-MSCHAPv2 inner method) X X X
PEAP (with EAP-GTC inner method) X X X
PEAP (with EAP-TLS inner method) X X X
EAP-FAST (with EAP-MSCHAPv2 inner method) X X X
EAP-FAST (with EAP-GTC inner method) X X X
EAP-FAST (with EAP-TLS inner method) X X X
EAP Chaining with EAP-FASTv2 X
EAP-TTLS X
RADIUS Proxy X X X
RADIUS VSAs X X X
LEAP X X X
LEAP Proxy X
TACACS+ ACS 4.2 ACS 5.8 ISE 2.0
TACACS+ per-command authorization and accounting X X X
TACACS+ support in IPv6 networks X
TACACS+ change password X X X
TACACS+ enable handling X X X
TACACS+ custom services X X X
TACACS+ proxy X X X
TACACS+ optional attributes X X X
TACACS+ additional auth types (CHAP / MSCHAP) X X X
TACACS+ attribute substitution for Shell profiles X X
TACACS+ custom port X
Identity Stores ACS 4.2 ACS 5.8 ISE 2.0
Internal User & Host Database X X X
Windows Active Directory X X X
LDAP X X X

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 26 of 28
RSA SecurID X X X
RADIUS token server X X X
ODBC X
AD Server specification per ACS/ISE instance X X
SAML X
LDAP Server specification per ACS/ISE instance X
Ability to retrieve an internal user’s password from
X X
external ID store
Internal Users / Administrators ACS 4.2 ACS 5.8 ISE 2.0
Users: Password complexity X X X
Users: Static IP Address Assignment X X X
X (Warning and
disable after defined
Users: Password aging X interval. Grace X
period is not
supported)
Users: Password history X X X
Users: Max failed attempts X X X
Users: User expiration after a number of days X X
Users: Password inactivity X X
Limited (If the internal
users are authorized
as sponsors, then
Users: User change password (UCP) utility X X
they may update
passwords at the
sponsor portal)
Admin: Password complexity X X X
Admin: Password aging X X X
Admin: Password history X X X
Admin: Max failed attempts X X X
Admin: Password inactivity X
Admin: entitlement report X X X
Admin: session and access restrictions X X X
Miscellaneous ACS 4.2 ACS 5.8 ISE 2.0
Network Access Restrictions (NARs) X X
RDBMS sync X
X (CLI interface is
Command line / scripting interface (CSUtil) X supported for bulk
provisioning)
Integration with CiscoWorks for admin RBAC X
Log Viewing and reports X X X
Export logs via SYSLOG X X X
Time based permissions X X X
Configurable management HTTPS certificate X X X
CRL: Multiple URL definition X
CRL: LDAP based definition X X
Online Certificate Status Protocol (OCSP) X X X
Comparison of any two attributes in authorization policies X X X
Configurable RADIUS ports X
Programmatic Interface for users, groups and end-point
X X X
CRUD operations
Multiple NIC interfaces X X
Secure Syslogs X X
Miscellaneous ACS 4.2 ACS 5.8 ISE 2.0
EAP-TLS Certificate lookup in LDAP X X X
EAP-TLS Certificate lookup in Active Directory X X X
Maximum concurrent sessions per user/group X X
Log to external DB (via ODBC) X X X (Data can be

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 27 of 28
exported from M&T
for reporting. Not
supported as log
target)
Programmatic Interface for network device CRUD
X X X
operations
X (With Authorization
Wildcards for hosts X X policy condition or
profiling)
Configure devices with IP CIDR format X X X
Configure devices with IP address ranges X X
X (Not in combination
Lookup Network Device by IP address X X
with other fields)
Dial-in Attribute Support X X
Support comparison of any two attributes in policies X X X
Display RSA de missing secret X X
Starts with / Ends with / contains / Contains Any Policy
X X X
Operators
Nested compound conditions with both AND or OR
X X X
operators

Printed in USA C07-676884-01 09/11


ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 28 of 28