Cisco Identity Services Engine

The practical value of a corporate identity access control system based on the Cisco Identity Services Engine.

If the following words are not abstract concepts for you, but actual tasks - this article is for you:
● (network) security policy;
● reducing the risks of information security threats;
● access control to the corporate network;
● automation of tasks of IT departments;
● implementation of IT solutions that increase business dynamics (BYOD, Mobility).

Access control is a key measure of information security. The introduction of an access control system to the enterprise network will not only significantly reduce the risks of information security threats, but also achieve economic benefits from the introduction of such systems.

The Cisco Identity Services Engine (Cisco ISE) is a feature-rich solution that covers the full spectrum of corporate network access control [CD] issues. Centralizing network access policies and automating many routine tasks are key benefits of Cisco ISE.

Corporate network access control

The CD system implementation project affects the interests of many departments in the enterprise:
● the access control task affects IT departments as the main contractor;
● information security units are also interested in similar projects in the context of implementing the enterprise’s security policy;
● top management can get significant benefits from the introduction of access control systems, as they contribute to the introduction of new business models, such as: Mobility (safe mobility of the employee’s workplace) and BYOD (use of personal devices for working with corporate data);
● for managersit is also an opportunity to achieve the separation of powers and responsibilities of IT departments and information security units, increase the response of the enterprise IT infrastructure to new business requirements, reduce operating costs and automate demanding IT processes;
● users will be able to get their usual set of network services, regardless of location and method of connecting to the network.

Even at home, on your own tablet it will be possible to safely process corporate information, receiving the same set of services as in the office with a wired connection or at the client via guest Wi-Fi. Ultimately, by implementing a CA system, you can get significant benefits for all departments of the enterprise.

The effectiveness of the CD system, like any high-tech tool, depends on how correctly it is used. Let us dwell in more detail on the issues that must be remembered when planning the implementation of such systems.

Should all employees have equal access to all corporate information? Obviously not. This tells us the theory of information security and common sense. The secretary does not need to know the financial performance of the company; the accountant should not see the contacts and schedule of the head in the corporate CRM. The customer base of the company should not be accessible to the administrator of the company's mail server; The sales manager should not have access to the technology management network.

How was this issue resolved earlier? Users were divided into groups by access level. For each group, settings were made on the ports connecting employees to the network. Authenticate users more efficiently when entering the network and apply access policies at the network connection point.

Corporate Directory Authentication

Keeping a separate user base for each access control solution is inconvenient. There is a question of synchronization with other similar databases.

Most organizations have a corporate directory - a single place to store user data. Most often it is Microsoft Active Directory (MS AD), but it can also be an LDAP server. It is convenient to start users in one place and manage most of the settings of their working environment. Many systems can receive data from the active directory: mail server, CRM, etc. The problem is that the “network”, as an entity, does not know how to authenticate in the active directory. There must be an intermediate device that understands, for example, MS AD and the network.

Using Cisco ISE as an intermediate device, you can easily solve this problem.
More details in the video review:


RADIUS is one of the oldest and most common network authentication protocols. To authenticate users on the network, a RADIUS server must be deployed.



Architecture Example of a CD Solution Based on Cisco ISE

In modern designs of Cisco networks, the role of such a RADIUS server is played by Cisco ISE. In addition, Cisco ISE allows you to automate many tasks that inevitably arise in conjunction with projects implementing a RADIUS server to control access to the network.


Cisco ISE Network Connectivity Framework

Practical value for IT

Mobile gadgets have penetrated not only our lives, but also our work. Who does not read corporate mail from their smartphone? The requirements of business and the modern world impose a rather difficult task on IT departments - to provide users with access to corporate resources from any device.

Ubiquitous mobilization pushed for the development of Wi-Fi. Laptops have become the norm, and some even got rid of the wired interface, leaving only Wi-Fi. Moving with a laptop around the office and the ability to connect it to a network anywhere in the office are current requirements for the workplace.

Many people want to be able to use personal devices for work (BYOD). It's so simple to “be in touch” and “in work” when there is nothing else besides your tablet. Remote access via VPN has long been the norm for most organizations. IT departments are forced to synchronize access policies and settings on wired, wireless, and remote access devices.

The user must receive the same level of network services in order to effectively perform their work in the mobile employee mode. The business requirements for user mobility determine the binding of the policy not to the place of connection, but to the user - this complicates network settings and maintenance.

Support questions are also multiplied by the number of possible network access options. Often, even for a basic assessment of current problems in the network, automation tools will be needed. To reduce the time for user support, it would be convenient to be able to see the username in all logs and monitoring windows. This eliminates the need to find how and how the user is connected to the network.

Cisco ISE will solve a whole range of tasks related to CA.

Increasing the observability and speed of the network reaction.
To increase the observability and speed of solving problems, it is advisable to implement a single solution that is deeply integrated into the existing infrastructure and combines all access policies on network equipment. This task for IT departments is solved by Cisco ISE.

Centralizing and simplifying the management of
Cisco ISE CAs simplifies and centralizes network access policies.
Corporate information has its value. Network access control is one of the means of protecting information. With so many connectivity options, manual policy management becomes time consuming. This introduces significant delays in the network response rate to changes. Some tasks, such as monitoring the status of network connections in real time and in retrospect, are not feasible manually and will definitely require the development of any scripts and bringing all of their functions together into one control system. Supporting these kinds of solutions becomes an overwhelming burden for IT over time. To be sure that only trusted devices in the enterprise network, centralization of network policy management and deep integration with other network services are necessary.

Automation of routine tasks
Significantly reducing transaction costs, you can increase the efficiency of IT and the enterprise as a whole. The introduction of automation tools for network access policies will allow you to separate the tasks and areas of responsibility of IT and information security. The time spent on internal and external audits can also be minimized. All accounting information is stored in one place. There is always the opportunity to assess the current state.

The implementation of the Cisco ISE access control automation solution will reduce the operational costs of maintaining all network services.

Cisco ISE helps accelerate adoption of new business support technologies. Trends such as Mobility, BYOD can be easily adopted by IT departments.

It is worth noting thatUsing Cisco ISE will significantly reduce costs in the data center through the use of new architectures and technologies (TrustSec / SGT). It is important to have a single solution linking access policies on different devices: access switches, firewalls, data center infrastructure.

Thanks to Cisco ISE, it is possible to differentiate access according to many criteria:
● who should have access;
● from which devices;
● what time of day;
● through which network devices;
● what level of access is needed.
All this determines the context of network access.

Practical value for information security departments

Information security departments are the main internal customer of network access control solutions.

Access control is the primary security measure. Cisco ISE makes it possible to increase the simplicity of network access control and the dynamic monitoring of user connections to the network. Simplification and centralization of the network access policy make it possible to look where you have not looked before. Find the most problematic issues, take operational measures to reduce information security risks.
Getting at their disposal an effective tool that allows you to personalize access to the network, information security departments significantly increase the efficiency of their daily work.


Access policy visualization example

Differentiation of powers and responsibilities of IT and information security will allow better monitoring of compliance with security policies. At the same time, audits can be carried out as soon as possible due to the availability of all accounting information and its generalization in the form of detailed reports.

Cisco ISE makes it possible to deeply integrate the concept of network access context (who? How? Where? From which device?) Into a wide range of network and information security solutions.


An example of a policy taking into account the context of network access.

Thus, it is possible to achieve a significant reduction in the risks associated with information security.

Practical value for company management

Improving the operational efficiency of IT and information security will reduce costs and increase the response of the “network” to business requirements.

New business models, with the support of IT departments, will be able to get a new impetus. Introducing BYOD in your enterprise can seamlessly fit into your existing information security model through the introduction of Cisco ISE.

The introduction of qualitatively new automation and control tools will help to reduce information security risks and expected losses due to information security incidents.

To ensure the necessary business dynamics, access policies should be tied to the user, and not to the location and method of access. ISE allows you to solve this important task quickly and efficiently.

More details in the analytical report “The Increasing Importance of Workplace Mobility” .

Cisco ISE will enable the integration of disparate network access control components into a single architecture. The Cisco ISE solution is a key part of the secure access architecture for Cisco TrustSec enterprise networks. Cisco’s leading approach to network access control has been repeatedly pointed out by analytic agencies such as Gartner.

Cisco ISE is part of TrustSec’s highly developed modular architecture.


The tree diagram of TrustSec architecture designs.

This allows you to be sure that the engineers setting up the solution have all the necessary supporting documents from the manufacturer for this, thatpositively affects the speed and quality of project implementation.

Practical value for marketing departments

The image of the company depends not only on the quality of the product being created, but also on the relationship with potential customers. Such image elements as guest Wi-Fi access will allow you to get a positive impression from customers.

The technologies embedded in Cisco ISE allow enriching the portrait of the client with the registration data that the client provides when registering in the guest network.

The start page of the guest portal may contain a description of marketing campaigns or links to sections of the company’s website.

Providing large-scale events with high-quality Wi-Fi service will also not be a problem. Cisco ISE enables you to pre-generate access credentials for a list of visitors.

Practical value for ordinary users

Employees will be able to more flexibly distribute their working hours, without being tied to the walls of the office for work. Moreover, the set of network services can be unchanged, which erases the boundaries of the workplace, moving it to a more convenient plane. An employee who has the tools to find the optimal balance between work and personal time will be able to work more efficiently and with less labor.
Familiar Personal Devices (BYODs) can become reliable business partners.



Learn more about Cisco ISE:
www.cisco.com/go/ise

Ovrashko Andrey,
Cisco Systems Engineer