Escolar Documentos
Profissional Documentos
Cultura Documentos
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 24
Contents
Retirement of ISE ATP Program ......................................................................................................................................................... 3
Document Purpose.............................................................................................................................................................................. 3
Physical Network Topology ................................................................................................................................................................ 6
Topology Specifics .............................................................................................................................................................................. 6
Unknowns .......................................................................................................................................................................................... 13
High Availability................................................................................................................................................................................. 14
Migration ............................................................................................................................................................................................ 14
ISE Node details ................................................................................................................................................................................ 14
Security Partner Community ............................................................................................................................................................ 16
Migration SKUs .................................................................................................................................................................................. 16
Migration Guide ................................................................................................................................................................................. 16
Machine Access Restrictions (MAR) ............................................................................................................................................... 16
Note regarding Performance Specifications ................................................................................................................................... 18
Platform Hardware Specs ................................................................................................................................................................. 18
Platform Performance Specs for PSN when PAN and MNT deployed as separate node Max Concurrent EndPoints and
Composite Authentications (Authentication values are approximate values) ............................................................................. 18
Platform Performance Specs Authentications/Second with PSN only persona (Approximate values) .................................. 19
System Performance Specs (Per Identity Services Engine deployment) ..................................................................................... 19
System Scale (Per Identity Services Engine deployment) ............................................................................................................. 19
VM Disk Size Minimum Requirement ............................................................................................................................................... 19
MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled) ......................................... 20
Latency and bandwidth requirement among ISE nodes ................................................................................................................ 20
Guest server and ISE Guest Feature Comparison .......................................................................................................................... 20
ACS and ISE Feature Comparison ................................................................................................................................................... 22
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 24
Introduction
Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for the Cisco Identity Services
Engine (ISE) with the Secure Access solution. Due to the various product configurations and deployment options, we are
providing this document to assist with obtaining relevant design information for your ISE deployment. ISE is the
foundational network directory providing a single pane for network access policy and contextual information about network
endpoints. ISE relies on a security architecture comprising of many components including endpoints, network access
devices, identity stores, certificate authorities, and many APIs for third party integrations to provide guest services,
profiling, BYOD enrollment and AAA for all access user and device access control needs. An engineer must consider the
Secure Access solution holistically and consider immediate as well as future requirements prior to deciding what
equipment to purchase. This HLD template will step the engineer through what needs to be considered. If the engineer is
not intimately familiar with the existing or proposed network, a network assessment may be necessary prior to completing
the HLD. This document can be used during the design phase and throughout the depoyment of the Secure Access
solution to assist the engineers on collecting key information relevant to successful ISE deployment. The Cisco TAC or
Security Business Group representatives may request a copy of this HLD with any support or escalation case.
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 24
Business Objectives
Describe your security-based business goals. Consider the following example business goals:
Profiling for visibility or inventory management (differentiation of services based on device type)
Differentiation of service based on user identity
Regulatory compliance
Securing wireless network and providing guest access
Managing employee-provided devices (e.g., iPads)
Port lockdown
Ensuring endpoint health or posture
Network Device Administration
Other
The Policy Details provided in later sections of this HLD should reflect the business objectives stated here.
Business Goals
Estimated Timelines
Phase Number of endpoints Begin End Comments
Lab testing and qualification N/A
Production phase 1 (pilot)
Production phase 2
Production phase 3
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 24
Endpoint Summary
Deployment Summary Response
Use cases in scope for design (Please check or add to the list to Wired Profiling/Visibility
the right): Wireless Posture Assessment
VPN TrustSec
BYOD Guest Access
pxGrid MDM Integration
MACSec RADIUS Proxy
Device Admin Location Integration
Other Use Cases:
Endpoint count
Total endpoint count for entire deployment (endpoint count equals the User Endpoints:
sum of user and non-user devices) Non-user Endpoints:
Total user endpoints (i.e. Windows PC, Mobile devices, guest devices)
Total non-user endpoints (Including IP Phones, Wireless APs, Printers,
etc.)
Concurrent endpoint count
Maximum number of concurrent endpoints expected Concurrent User Endpoints:
Concurrent endpoints with 3rd party MDM:
Total concurrent user endpoints including guest devices
Concurrent endpoints with posture assessment:
Total mobile endpoints using 3rd party MDM using ISE
Concurrent non-user endpoints:
Total endpoints for posture assessment
Total concurrent non-user endpoints (Typically non-user endpoints are always
connected)
EndPoint Types
What are the general client types deployed (Please provide service pack details 3rd party MDM Vendor:
for Windows and OS types for MacOSX)?
Windows Versions
Will 3rd party Mobile Device Management (MDM) be integrated with ISE? Windows XP: Windows Vista:
If already using 3rd party Mobile Device Management (MDM) or planning to Windows 7: Windows 8/8.1:
use MDM please note the vendor and version as well as brief description Windows 10: Windows Other:
on how it will integrate with ISE Supplicant Type
Please see Cisco ISE MDM Partner Integration guide for supported Windows Native AnyConnect NAM
MDM vendor for integration and supported versions 3rd Party supplicant:
Are mobile devices corporate- or employee-owned assets? Other User EndPoint Types
Will user access policy be based on device type (for example, laptop versus Mac OSX: iDevice:
iPad)? If so, will machine auth or profiling or static MAC assignments be Android: Linux:
used to distinguish device types? Other EndPoint Types:
Please note how many of the concurrent endpoints will utilize MDM Non-User EndPoint Types
information during authorization from ISE Wireless AP: IP Phone:
Printer/Fax/Etc: HVAC:
Note: For domain joined Windows machines to function properly, machine Medical: SCADA:
authentication is recommended. Performing user only authentication may break Other:
critical functions such as machine GPO and other background services such as
backup and software push.
Note: State whether the deployment is using machine or user authentication, or
both. If both machine and user authentication are planned, are Machine Access
Restrictions (MAR) planned? If so, review the Appendix information on MAR
caveats.
For machine / user authentication details, please refer to 802.1X Authenticated
Wired and Wireless Access
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 24
Network Overview
Physical Network Topology
Insert a high-level network diagram showing the proposed Identity Services Engine solution. This should include any
branch networks and data centers. Include the general number of endpoint and types per location. Include WAN
bandwidth information and show placement of network access devices such as Active Directory/LDAP, DNS servers, NTP
servers, wireless controllers, switches, and VPN concentrators.
Note: The maximum latency between admin node and any other ISE node including secondary admin, MnT, and PSN is
200ms. Here is link to the WAN bandwidth calculator for ISE deployment (https://www.cisco.com/go/securitychannels). This
calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.
Physical Network Topology
Topology Specifics
Question Response
Network Access Devices
Provide the general switch/controller model numbers/platforms deployed and
Cisco IOS and AireOS Software versions to be deployed to support ISE
design.
Please see ISE Component Compatibility Document for the
recommended IOS and AireOS versions
Please explain if you are not planning on deploying the versions listed
in the ISE compatibility document.
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 24
Question Response
ID Stores
[EAP and ID Store Compatibility Reference]
List the internal and external ID stores used for different use cases.
Note: AD Site & Services is recommended for ISE subnets for all forests.
For more information regarding multi-AD support, please refer to ISE 1.3
Multi-AD how-to guide
Web Authentication
Will WebAuthuth be used?
Will WebAuth be used for wired, wireless, or both?
Will Local Web Auth (LWA) or Central Web Auth (CWA) be used?
Where will the web portal be hosted?
Note: If deploying CWA the portal must be hosted by ISE. If deploying
LWA the portal can be local to access device, or external (such as ISE).
Will web auth be used for guest access? Will web auth be used for non-
guests (for example, employees)?
Note: For more information on CWA and LWA support on different platforms,
please refer to ISE Component Compatibility Document
Authorization
Describe the enforcement types used. Consider the following options:
VLANs
ACLs (dACL for wired /named ACL for wireless)
Security group tags/ACLs (SGTs/SGACLs)
dACL considerations:
Cisco Catalyst switches support the wirerate access control list (ACL)
with use of the ternary content addressable memory (TCAM). If the
TCAM is exhausted, the packets may be forwarded via the CPU path,
which can decrease performance for those packets. It is recommended
to limit the number of Access Control Entries (ACE) to prevent potential
TCAM exhaustion.
Using IP SourceGuard feature or QoS feature may also affect the TCAM
utilization
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 7 of 24
Question Response
VLAN considerations:
Consider the use case for why VLAN enforcement is used and estimate
the number of VLANS required.
To authorize an endpoint using dynamic VLANs (dVLANs), the access
device must have that VLAN locally defined or else authorization will fail.
To reduce the number of unique authorization policy rules, access
devices should use consistent numbering, or case-sensitive naming if
assign dVLANs by VLAN name or VLAN Group name.
When using monitor mode of the phased deployment, VLAN assignment
may cause endpoints with wrong IP address
Some endpoints, such as non-user devices, may not refresh IP after
VLAN change
If devices are statically addressed, they may not be able to
communicate on assigned VLAN
Posture
Which posture agents will be used? Consider: AnyConect 4.0 posture
agent for Windows or Mac, Web agent for Windows
If persistent posture agents deployed, how will they be provisioned?
(e.g. through ISE or other desktop software/patch management solution,
via ASA, or via ISE)
In the Posture Policy section below, explain the posture policy by OS type
including remediation policies.
Note: For latest AV/AS posture requirements, review the list of currently
supported packages for Windows and MacOSX
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 8 of 24
Question Response
Switch Identity Configuration
Describe the wired switch identity configuration
Multi-auth/multi-domain modes
Flexible authentication sequencing and priority for 802.1X, MAB, and
web auth
Is Class-Based Policy Language (CPL) for 3850 switch to be used?
Is Failed-Auth or Guest VLANs to be used?
Wireless Configuration
Describe the wireless configuration
How many SSIDs does the deployment require?
Please provide SSID security settings.
Is wireless AP in FlexConnect mode or not?
For Guest wireless access, is the WLC configured as an anchor
controller?
Note: Please note that Dual SSID and CWA are only supported with WLC
AireOS 7.2 and up. Please plan to use LWA if there is no plan to upgrade to
the devices that support CWA and MAB.
Note: With AireOS 7.6 and up, DNS based wireless ACL is supported which
can allow admin to create an ACL for Android devices have access to
Google Play Store.
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 24
Question Response
Integration with 3rd party (Excluding MDM)
Describe the detailed integration with SIEM & Threat Defense products
What product and vendor for SIEM. Please see Cisco ISE SIEM &
Threat Defense Eco System Integration guide for supported SIEM
vendor for integration and supported versions
What information will be forwarded to SIEM
Will pxGrid be used? If so, which devices will subscribe to ISE?
Will Adaptive Network Control (ANC) be used?
Policy Details
List all security policies that are needed to implement the business requirements described above.
Authentication: For each use case (wired, wireless, VPN), describe the authentication policies that will be implemented
for all users and endpoints whether managed or unmanaged.
Authentication Policy:
Rule Name Condition Allowed Protocols ID Store / ID Sequence
Authorization: For each use case (wired, wireless, VPN), describe the authorization policies that will be implemented for
all users and endpoints whether managed or unmanaged.
Guest Access: For each use case (wired or wireless), describe guest access policy. Provide information on how guest
will access the network including information on guest provisioning, sponsors, and whether custom guest portal pages
need to be created. Please fill details in the forms below if the answer yes applies to you. Put no if the scenario does not
apply to you.
Services Wired (yes or no) Wireless (yes or no)
Guest
Profiling: For each use case (wired or wireless), describe how the profile data will be collected by each probe required to
classify each device type to be profiled. For example, will SPAN or RSPAN be used to carry data from the network to the
Identity Services Engine? If so, what is the SPAN design? Will dedicated ISE interfaces be used? If HTTP probe used,
will SPAN or redirection be used to capture user agent attributes?
Please note that the number of events per second a platform can safely process per the Platform Performance Spec table
below. For example, if IPAD traffic is to be profiled by probing http traffic for the User Agent attribute, then the design
must assure the Policy Services node is not inspecting more than 1200 http events per second (3395 spec). Consider
profiling strategies that reduce overall load on Policy Service node such use of HTTP redirect at connect time to capture
the User Agent attribute, or the use of IP Helper statements for DHCP capture versus the use of SPAN.
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 11 of 24
DHCP Class Identifier + DHCP IP Helper from local L3 switch SVI
MAC to IP mapping
NMAP Scan Result NMAP Active Scanning
Device X MAC Address RADIUS (MAC RADIUS Authentication
Address
discovery)
Requested IP Address for DHCP RSPAN of DHCP Server ports to
MAC to IP mapping local Policy Service node
Optional to acquire ARP SNMP Query Triggered by RADIUS Start
Cache for MAC to IP
mapping
Port # traffic to Destination Netflow Netflow export from Distribution
IP 6500 switch to central Policy Service
node
Posture: Describe posture policy requirements for endpoint compliance. This may include many areas such as asset
checking, application and services checking, and antivirus and antispyware checks, as well as customized checks for
specific use cases. Describe remediation plans and include remediation servers that need to be integrated into the design.
Posture Policy:
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 12 of 24
Rule Name OS Conditions Posture Checks Remediation Enforcement When
(Windows/MacOSX) Agent (Audit/Opt/ Assessed
Mandatory) (Login/PR
A/Both)
Client Provisioning: Describe Client Provisioning policy requirements for posture and native supplicant provisioning.
Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For example, are there unsupported switches, old or
Third Party NAD incapable of some desired scenarios, or IPv6 is in use in some locations, etc.
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 13 of 24
High Availability
Discuss high availability considerations.
High availability for each persona and node should be part of design to ensure that no single persona/appliance
failure results in total loss of a service. Please confirm persona/node redundancy design and explain reason if HA
not planned for any component.
How will network access devices and ISE Policy Service nodes be configured for redundancy? Note: For wireless
deployments using LWA, only one URL can be defined for web authentication.
Please provide the details regarding how Load Balancing will be used in this deployment, if it applies.
Migration
If migrating this deployment from ACS or ISE, provide details on the current deployment and how you're going to address
migration of licensing, existing policy, NAD configurations, etc.
Is this a migration for an existing Cisco Secure ACS, NAC Appliance, NAC Profiler, and/or NAC Guest Server
deployment? If so, please list the existing product SKUs purchased to determine full migration entitlement.
o For existing appliances supported by ISE, please indicate quantity and type of each appliance model (for
example, 1121, 3315, 3355, or 3395) to be migrated.
o For NAC Appliance license counts, please indicate the user license for each NAC Server (FO pairs count as one
license).
o For NAC Profiler endpoint counts, please provide the endpoint license for dedicated Profiler Collectors, or
quantity and type (331x or 335x) of each CLT license.
o If this is a NAC Guest Server (NGS) migration, please note the differences between the guest access features of
NGS and the Identity Services Engine Version 2.0 in the appendix section of this document.
o If this is a ACS migration, please note the differences between the features of ACS 5.8 and the ISE 2.0 in the
appendix section of this document (ACS 4.2 information shown for comparison purpose, currently there is no
direct migration path from ACS 4.2 to ISE 2.0)
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 14 of 24
The VM host should be sized comparably with the ISE appliance. See platform hardware specs below for CPU
specification of the various appliances. For example, if the performance characteristics required are similar to a 3495
appliance, then per platform performance specs the VM should contain 32GB RAM, 8 CPUs equivalent to a Intel Xeon
CPU E5-2609 @ 2.4 GHZ.
Note: Hard disks with 10K or higher RPM are required. Average IO Write performance for the disk should be higher than
300MB/sec and IO Write performance should be higher than 50MB/sec. VMotion is supported since ISE 1.3. Please make
sure to reserve the RAM and CPU cycles for the ISE node deployed as VM.
Note: If disk size needs to be resized, the node will need to be re-imaged from the ISO
Note: The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or other
guest VMs on the host.
Example:
ise1.example.com Admin/MnT 1.1.1.1 VM Intel Xeon E5-2609 @ 2.4 GHZ X 32GB 600GB
8 Core
ise2.example.com PSN 2.2.2.2 VM Intel Xeon E5-2609 @ 2.4 GHZ X 32GB 300GB
8 Core
Please include SmartNet/SAU or explain its omission (for example, included as part of another order, support agreement,
or deliberate acknowledgement that support refused).
If HLD is part of an ACS/NAC migration, please include appropriate migration SKUs. Use the information previously
entered regarding existing appliance, software, and license purchases on eligible products to determine migration
entitlement. For further details on migration entitlement and SKUs, please refer to ISE Migration entitlement calculator
located in the partner portal page:
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html)
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 15 of 24
Note: Please only include the information of the products that are related ISE.
Example BOM:
Line Product Qty List Price Contract Discount Unit Price Extended Price
1 L-ISE-BSE-3500= 1
2 L-ISE-ADV3Y-1500= 1
3 SNS-3495-K9 2
4 CON-PSRT-SNS3495 2 12345678
5 SNS-3415-K9 2
6 CON-PSRT-SNS3415 2 12345678
7 L-ISE-ADV-S-1K= 1
8 ISE-ADV-3YR-1K 1
Note: ISE BoM Tool is available to assist with creating BoM. Please refer to ISE BoM Tool located in the partner portal
page: (https://sambt.cisco.com)
Note: Since ISE 1.2, S/N from both Admin nodes can be added to the license to improve flexibility and flexibility. For more
information please refer to the Cisco ISE License Application Note
BOM details:
Line Product Qty List Price Contract Discount Unit Price Extended Price
Appendix
Security Partner Community
Please visit Security Partner Community for additional ISE resources (Login required).
Migration SKUs
Please consult the ISE Packaging and Licensing Guide for migration SKUs.
Migration Guide
The Cisco Identity Services Engine Licensing Guide located in the partner portal page
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html ) explains packaging and
licensing under the Authorized Technology Provider program for wired and VPN.
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 16 of 24
Once the parameter has expired, Cisco ISE deletes it from its cache. When a user authenticates from an end-user
client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the
Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-
authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that
requests authentication in the following ways:
If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a
successful authorization is assigned.
If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a
successful user authentication without machine authentication is assigned.
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 17 of 24
Note regarding Performance Specifications
EOL was announced for 33x5 appliances and provided here as a reference for migration. Deployments with VM should
follow platform specifications based on 3415 or 3495 appliances. For more information please refer to the EOL
announcement
Platform Performance Specs for PSN when PAN and MNT deployed as separate node Max Concurrent
EndPoints and Composite Authentications (Authentication values are approximate values)
When determining how many PSN is needed for the deployment please use Maximum Concurrent Endpoints as the
main guideline. Authentication performance for specific use cases is also provided in case it is required to size out the
deployment.
Usage Cisco Secure Network Server 3415 Cisco Secure Network Server 3495
Appliance Appliance
Maximum Concurrent Endpoints 5,000 20,000
Posture Authentications 25 per second 45 per second
Guest Hotspot Authentications 50 per second 68 per second
Guest Sponsored User Authentications 17 per second 28 per second
Bulk Guest Creation via ERS API 50 per second 95 per second
BYOD Onboarding Single SSID (iOS) 9 (External CA:12) per second 15 (External CA:17) per second
BYOD Onboarding Dual SSID (iOS) 10 (External CA:12) per second 14 (External CA:17) per second
BYOD Onboarding Single SSID (Android) 12 (External CA:18) per second 19 (External CA:18) per second
BYOD Onboarding Dual SSID (Android) 17 (External CA:18) per second 18 (External CA:18) per second
MDM 58 per second 243 per second
MDM w/ cache 114 per second 406 per second
Internal CA Certificate Issuance via Web 43 per second 41 per second
Internal CA with AnyConnect/ASA SCEP 18 per second 34 per second
Internal CA Authorization w/ OCSP 30 per second 30 per second
TACACS+ AuthC & AuthZ combined 2,000+ per second 2,000+ per second
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 18 of 24
Platform Performance Specs Authentications/Second with PSN only persona (Approximate values)
Platform PAP PEAP (MSCHAPv2) EAP-FAST EAP-FAST (GTC) EAP-TLS MAB
(MSCHAPv2)
Int. AD LDAP Int. AD Int. AD Int. AD LDAP Int. Int. LDAP
Cisco Secure Network Server 153
764 471 789 185 173 376 339 382 323 385 528 597
3415 Appliance (130)
Cisco Secure Network Server 165
1318 419 1328 324 304 512 502 628 513 662 1115 1150
3495 Appliance (140)
Note: For PEAP (MSCHAPv2) numbers are w/o session resume & fast reconnect
Note: For EAP-FAST (MSCHAPv2) numbers are authentication, PAC provisioning
Note: For EAP-TLS numbers are w/o session resume
Note: EAP-TLS # in brackets are for 2k size certificate
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 19 of 24
Note: Thin Provisioning is supported since 1.3, however Tick/Eager Provisioning will yield best performance
Note: 10k RPM+ HDD or equivalent speed required
Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher
Note: 600GB max for non-MnT persona node, 2TB max for MnT persona node
MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled)
Concurrent Endpoints MnT Disk Size
200 GB 400 GB 600 GB 1024 GB 2048 GB
10,000 126 252 378 645 1,289
20,000 63 126 189 323 645
30,000 42 84 126 215 430
40,000 32 63 95 162 323
50,000 26 51 76 129 258
100,000 13 26 38 65 129
150,000 9 17 26 43 86
200,000 7 13 19 33 65
250,000 6 11 16 26 52
Note: Above values are based on controlled criteria including message size, re-authentication interval, etc. and result may vary
depending on the environment
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 20 of 24
Sponsor Role Based Access Can different sponsors be assigned different permission levels based X X
Control upon group assigned by Local Group, LDAP or RADIUS attribute
Restrict Login Can you stop sponsors from logging in based upon role X X
Can you grant permission to sponsors to create or not be able to create X X
Ability to create accounts guest accounts?
Can you grant permission to sponsors to edit or not be able to edit X X
Ability to edit accounts guest accounts?
Can you grant permission to sponsors to suspend or not be able to X X
Ability to suspend accounts suspend guest accounts?
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 21 of 24
Print Out Will the system create a printout of the guest details? X X
Email Will the system email guest details to the guests email address? X X
SMS Will the system sms guest details to the guests mobile phone? X X
Details emailed to sponsor The sponsor can receive a copy of the account by email? X X
Interface Customization NGS 2.0 ISE 2.0
Company Logo Can the sponsor interface be customized with a company logo? X X
Multiple Languages Can the sponsor interface support multiple languages? X X
Notification Customization Can the email/sms/print outs be customized? X X
Reporting NGS 2.0 ISE 2.0
Keep a full audit trail of each operation made to an account by all X X
Sponsor Audit Trail sponsors.
Guest Accounting Report on guest login/logout times, mac address and ip address used. X X
Supports the ability to report on guests network activity such as URLs
visited, connections made etc. Needs external device such as an ASA X X
Guest Activity Reporting or proxy to send the information via syslog to the box.
Management Reports X X
CSV Export Provide the ability for any report to be exported in CSV format. X X
Billing Support NGS 2.0 ISE 2.0
Supports guests purchasing accounts and billing against a Payment X
Credit Card Billing Support Gateway
Allows accounts to be randomly created upfront that become valid at X
Pre-pay Support first login
Other NGS 2.0 ISE 2.0
Application Programming Does the system have an API that can be used to perform all sponsor X X
Interface operations?
Posture Services for guest Can the guest user's host device be posture assessed and access X
users policy granted based on compliance with security policy?
Profiling Services for guest Can the guest user's host device be profiled and access policy granted X
users based on the type of device guest uses to access the network?
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 22 of 24
TACACS+ per-command authorization and accounting X X X
TACACS+ support in IPv6 networks X
TACACS+ change password X X X
TACACS+ enable handling X X X
TACACS+ custom services X X X
TACACS+ proxy X X X
TACACS+ optional attributes X X X
TACACS+ additional auth types (CHAP / MSCHAP) X X X
TACACS+ attribute substitution for Shell profiles X X
TACACS+ custom port X
Identity Stores ACS 4.2 ACS 5.8 ISE 2.0
Internal User & Host Database X X X
Windows Active Directory X X X
LDAP X X X
RSA SecurID X X X
RADIUS token server X X X
ODBC X
AD Server specification per ACS/ISE instance X X
SAML X
LDAP Server specification per ACS/ISE instance X
Ability to retrieve an internal users password from
X X
external ID store
Internal Users / Administrators ACS 4.2 ACS 5.8 ISE 2.0
Users: Password complexity X X X
Users: Static IP Address Assignment X X X
X (Warning and
disable after defined
Users: Password aging X interval. Grace X
period is not
supported)
Users: Password history X X X
Users: Max failed attempts X X X
Users: User expiration after a number of days X X
Users: Password inactivity X X
Limited (If the internal
users are authorized
as sponsors, then
Users: User change password (UCP) utility X X
they may update
passwords at the
sponsor portal)
Admin: Password complexity X X X
Admin: Password aging X X X
Admin: Password history X X X
Admin: Max failed attempts X X X
Admin: Password inactivity X
Admin: entitlement report X X X
Admin: session and access restrictions X X X
Miscellaneous ACS 4.2 ACS 5.8 ISE 2.0
Network Access Restrictions (NARs) X X
RDBMS sync X
X (CLI interface is
Command line / scripting interface (CSUtil) X supported for bulk
provisioning)
Integration with CiscoWorks for admin RBAC X
Log Viewing and reports X X X
Export logs via SYSLOG X X X
Time based permissions X X X
Configurable management HTTPS certificate X X X
ISE 2.0 HLD 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 23 of 24
CRL: Multiple URL definition X
CRL: LDAP based definition X X
Online Certificate Status Protocol (OCSP) X X X
Comparison of any two attributes in authorization policies X X X
Configurable RADIUS ports X
Programmatic Interface for users, groups and end-point
X X X
CRUD operations
Multiple NIC interfaces X X
Secure Syslogs X X
Miscellaneous ACS 4.2 ACS 5.8 ISE 2.0
EAP-TLS Certificate lookup in LDAP X X X
EAP-TLS Certificate lookup in Active Directory X X X
Maximum concurrent sessions per user/group X X
X (Data can be
exported from M&T
Log to external DB (via ODBC) X X for reporting. Not
supported as log
target)
Programmatic Interface for network device CRUD
X X X
operations
X (With Authorization
Wildcards for hosts X X policy condition or
profiling)
Configure devices with IP CIDR format X X X
Configure devices with IP address ranges X X
X (Not in combination
Lookup Network Device by IP address X X
with other fields)
Dial-in Attribute Support X X
Support comparison of any two attributes in policies X X X
Display RSA de missing secret X X
Starts with / Ends with / contains / Contains Any Policy
X X X
Operators
Nested compound conditions with both AND or OR
X X X
operators