Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE) is an identity and access control policy platform that helps you identify, contain and remediate threats on the network faster. It helps enterprises in the following ways:
- Facilitates new business services
- Enforces secure compliance
- Streamlines service operations
- Enhances infrastructure security on wired, wireless and VPN access
In this Cisco ISE training you will learn the advanced concepts of Cisco ISE, together with how ISE is configured, managed and used in an enterprise. The training also includes scenarios for Cisco ISE labs.
The Cisco ISE training and labs are designed so that each participant gains a deep, hands-on understanding of Cisco ISE concepts:
- AAA Fundamentals
- Cisco ISE overview & Concepts
- Designing ISE building blocks
- ISE Deployment Options
- ISE setup for POC
- Configuring ISE Network Access Security Policy
- Configuring Device Security Policy
- Configuring ISE Accounting & Auditing Policy
- Basic Profiling & Security
- How to Bootstrap Network Access Devices
- Learning Network Authorization Policy Elements
- Authentication & Authorization Policy
- Guest Lifecycle Management Introduction
- BYOD: Self Service Onboarding & Registration
- Remote Access VPN & ISE
- Full Cisco ISE Labs
As we go into more detail we will see how ISE helps secure the enterprise. At a high level, the benefits of Cisco ISE are:
- It learns who and what is accessing the network
- It controls network access securely, consistently and efficiently
Below are some technical capabilities of Cisco ISE:
- Provides user identification along with user access control
- Learns network, user and device context from the network devices
- Provides a centralized security policy for wired, wireless and VPN users
- Manages guest user access
- System-wide visibility: who, where and what is connected to the network
- Provides AAA, device profiling, device posture, mobile device onboarding and guest services
- BYOD onboarding with its security policies and profiles
- TACACS+ device administration (AAA for logins to the network devices themselves)
- Cisco TrustSec policy management and enforcement
- A built-in Certificate Authority (CA) for certificate-based authentication
- Sharing of context from ISE with other devices such as a NGFW through Cisco Platform Exchange Grid (pxGrid)
Identity & Context Awareness Sources for ISE:
ISE obtains identity and context information from the following sources:
802.1X: the IEEE standard for Layer 2 authentication and access control on wired and wireless networks. The switch or wireless controller acts as the authenticator and relays the client's EAP exchange to ISE over RADIUS; 802.1X can use a user identity, a machine identity, or both, to decide whether network access is permitted or denied.
Identity via web portal: when a user connects to the network, the session is redirected to a web portal where the user supplies credentials, which ISE then uses for authentication and authorization.
Some of the other methods by which ISE collects identity are:
- Guest access
- VPN authentication
- MAC Authentication Bypass (MAB), for devices without an 802.1X supplicant
Once identity has been established, ISE adds contextual information about the network, the user and the device. Some of the methods ISE uses to collect it are:
- User identification from LDAP, Active Directory or RADIUS
- Device attributes from LDAP or Active Directory using a machine account lookup
- Location information such as physical location, GPS location or switch port
- Device posture information such as OS type and version, patches, service pack level, security software, application inventory, registry keys and digital certificates
- Context from other network and security solutions such as Cisco AMP, Cisco Stealthwatch and Cisco NGFW
Once collected, this information is used to build the ISE security policy framework. ISE provides a centralized view that can manage 500,000 endpoints across wired, wireless and VPN access.
Once a policy matches, ISE returns an authorization result to the network access device. Some of the options are:
- Deny all network access
- Permit all network access
- Restrict network access with a downloadable ACL (dACL) that the access device pulls from ISE
- Change the VLAN assigned to the switch port
- Redirect the client to web authentication
- Auto-provision the device's 802.1X supplicant or client
- Assign a Security Group Tag (SGT) to the session so that its data frames are tagged
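The identity sources (802.1X versus MAB) and the authorization results above all travel as RADIUS attributes between the network access device and ISE. The following is an added example, written for this page and not code from the training or from Cisco, that encodes and decodes those attributes: it tells an 802.1X request from a MAB request by the Service-Type and EAP-Message attributes, and maps an ISE reply onto deny, permit, dACL, VLAN, web-authentication redirect and SGT. Attribute numbers and the Cisco av-pair strings are the standard ones (RFC 2865, RFC 2868, Cisco vendor ID 9); only the attribute payload is handled, not the 20-byte RADIUS header or the Message-Authenticator. The sample packets, the VLAN and ACL names, the dACL hash and the session id are constructed for the example and are hypothetical.

```python
import struct

# RADIUS codes and attribute numbers from RFC 2865 / RFC 2868; the Cisco
# VSA strings are the ones ISE authorization profiles put into the reply.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC, EAP_MESSAGE = 1, 6, 26, 79
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10   # 802.1X vs. MAB requests
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1

def attr(atype, value):
    """Encode one attribute as Type | Length | Value (Length covers the header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def tagged_int(tag, n):  # RFC 2868 tagged integer: one tag byte + a 3-byte value
    return bytes([tag]) + n.to_bytes(3, "big")

def cisco_av_pair(text):
    """Cisco VSA: Vendor-Id 9, vendor type 1 (cisco-av-pair), text value."""
    v = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, 2 + len(v)) + v)

def parse_attrs(payload):
    """Walk the attribute list; Cisco av-pairs come back as ('cisco-av-pair', str)."""
    out, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        value = payload[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j < len(value):                       # a VSA may carry several sub-attributes
                vtype, vlen = value[j], value[j + 1]
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR:
                    out.append(("cisco-av-pair", value[j + 2:j + vlen].decode()))
                j += vlen
        else:
            out.append((atype, value))
        i += alen
    return out

def untag(value):  # drop the RFC 2868 tag byte if present (tags are 0x01..0x1F)
    return value[1:] if value and value[0] <= 0x1F else value

def request_method(payload):
    """Tell 802.1X from MAC Authentication Bypass by what the switch sent."""
    attrs = dict(parse_attrs(payload))
    if EAP_MESSAGE in attrs:
        return "802.1X"                             # EAP relayed from the supplicant
    if int.from_bytes(attrs.get(SERVICE_TYPE, b"\0"), "big") == SERVICE_TYPE_CALL_CHECK:
        return "MAB"                                # Service-Type=Call-Check, User-Name is the MAC
    return "other"

def authorization_result(code, payload):
    """Map an ISE reply onto the enforcement actions listed above."""
    if code == ACCESS_REJECT:
        return {"action": "deny"}
    result, attrs = {"action": "permit"}, parse_attrs(payload)
    for atype, value in attrs:
        if atype != "cisco-av-pair":
            continue
        key, _, val = value.partition("=")
        if key == "ACS:CiscoSecure-Defined-ACL":
            result["dacl"] = val                    # switch then downloads the ACL body by name
        elif key == "cts:security-group-tag":
            result["sgt"] = int(val.split("-")[0], 16)   # "0010-00" is SGT 16, generation 0
        elif key in ("url-redirect", "url-redirect-acl"):
            result[key.replace("-", "_")] = val
    typed = {t: untag(v) for t, v in attrs if isinstance(t, int)}
    if (int.from_bytes(typed.get(TUNNEL_TYPE, b"\0"), "big") == TUNNEL_TYPE_VLAN
            and int.from_bytes(typed.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big") == TUNNEL_MEDIUM_802
            and TUNNEL_PRIVATE_GROUP_ID in typed):
        result["vlan"] = typed[TUNNEL_PRIVATE_GROUP_ID].decode()
    if any(k in result for k in ("dacl", "vlan", "url_redirect")):
        result["action"] = "restrict"
    return result

# Constructed samples, not captured traffic: the names, dACL hash and session id
# are hypothetical; the attribute encodings are the standard ones.
MAB_REQUEST = attr(USER_NAME, b"00a0c9123456") + attr(SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK.to_bytes(4, "big"))
DOT1X_REQUEST = (attr(USER_NAME, b"alice") + attr(SERVICE_TYPE, SERVICE_TYPE_FRAMED.to_bytes(4, "big"))
                 + attr(EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"))        # EAP Response/Identity
QUARANTINE_ACCEPT = (attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
                     + attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_802))
                     + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01QUARANTINE")
                     + cisco_av_pair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_DNS_HTTP-5f3a1b2c")
                     + cisco_av_pair("cts:security-group-tag=0010-00"))
CWA_ACCEPT = (cisco_av_pair("url-redirect-acl=ACL_WEBAUTH_REDIRECT")
              + cisco_av_pair("url-redirect=https://ise.example.com:8443/portal/gateway"
                              "?sessionId=0A0A0A0100000001ABCD1234&action=cwa"))

if __name__ == "__main__":
    print(request_method(MAB_REQUEST), request_method(DOT1X_REQUEST))
    print(authorization_result(ACCESS_ACCEPT, QUARANTINE_ACCEPT))
```

Two points worth checking when troubleshooting a live deployment follow from the decoder: a dACL reply only names the ACL, so the switch must complete a second RADIUS exchange to fetch its contents, and a VLAN change needs all three tunnel attributes with matching tags or the switch ignores it.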