Architectural approach to Network Security Policy Enforcement:
For centralized and dynamic network security policy enforcement, prior to 2004 Cisco had a product named NAC, known as the Cisco NAC Solution. It was based on 802.1X and integration with network services, but it was not widely deployed.
In 2011 Cisco developed and released Cisco ISE to provide an 802.1X-based NAC solution to its customers, and since 2011 ISE has evolved aggressively with an ever richer feature set.
The figure below describes in a nutshell how ISE works.
ISE features & benefits:
Below is a summary of the features and benefits of Cisco ISE.
Centralized Management: Profiling, posture, guest access, and authentication & authorization are all configured and managed centrally through a single web-based GUI console.
Business Policy Enforcement: For business-relevant access control policy it provides rule-based, attribute-driven policies. Attributes include the user, endpoint identity, posture validation status, authentication protocol, profiling identity, etc. These attributes can be created dynamically and saved for later use.
It integrates with various third-party external identity repositories such as LDAP, AD, RADIUS, and certificate authorities.
Access Control: It provides various access control options such as dACLs, VLAN assignment, URL redirection, named ACLs, and SGTs.
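To make the "rule-based, attribute-driven policy" and the access-control options above concrete, here is an added example (not Cisco's code and not ISE's real policy schema) of a small first-match policy engine. Each rule is a condition over session attributes (identity store, AD group, profiled device type, posture status, EAP method) paired with an authorization result expressed as VLAN, dACL, SGT and URL redirection, and the result is then rendered as the RADIUS reply a switch or controller would receive. All attribute names, rule names, VLAN and SGT numbers, ACL names and URLs are constructed for illustration; the vendor-specific strings are placeholders, not a product's exact syntax.

```python
"""Rule-based, attribute-driven authorization policy (constructed model).

Rules are evaluated top-down; the first matching rule wins and an implicit
final rule denies anything no explicit rule matched.  Every attribute name,
rule name, VLAN/SGT number, ACL name and URL is a made-up value.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Attributes = Dict[str, Any]


@dataclass(frozen=True)
class AuthzResult:
    access: str                         # "PERMIT" or "DENY"
    vlan: Optional[int] = None          # dynamic VLAN assignment
    dacl: Optional[str] = None          # downloadable ACL name
    sgt: Optional[int] = None           # Security Group Tag
    redirect_url: Optional[str] = None  # URL redirection (e.g. remediation portal)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Attributes], bool]
    result: AuthzResult


# Ordered policy: most specific (and most privileged) rules first.
POLICY: List[Rule] = [
    # Domain user on a profiled corporate workstation, certificate auth, posture OK.
    Rule("Corp-Compliant",
         lambda a: a.get("ad_group") == "Domain Users"
         and a.get("device_profile") == "Windows-Workstation"
         and a.get("posture") == "Compliant"
         and a.get("eap_method") == "EAP-TLS",
         AuthzResult("PERMIT", vlan=10, dacl="PERMIT_ALL", sgt=10)),
    # Domain user whose posture is unknown or failed: quarantine VLAN plus redirect.
    Rule("Corp-Remediation",
         lambda a: a.get("ad_group") == "Domain Users"
         and a.get("posture") in ("Unknown", "NonCompliant"),
         AuthzResult("PERMIT", vlan=20, dacl="REMEDIATION_ONLY", sgt=20,
                     redirect_url="https://ise.example.test/posture")),
    # Profiled IP phone (no user identity): voice VLAN, tightly scoped dACL.
    Rule("IP-Phone",
         lambda a: a.get("device_profile") == "Cisco-IP-Phone",
         AuthzResult("PERMIT", vlan=100, dacl="VOICE_ONLY", sgt=30)),
    # Guest account that has not expired: internet-only segment.
    Rule("Guest",
         lambda a: a.get("identity_store") == "Guest"
         and a.get("account_expired", True) is False,
         AuthzResult("PERMIT", vlan=200, dacl="INTERNET_ONLY", sgt=40)),
]

# Implicit last rule: deny whatever no explicit rule matched.
DEFAULT_DENY = Rule("Default-Deny", lambda a: True, AuthzResult("DENY"))


def evaluate(attrs: Attributes, policy: List[Rule] = POLICY) -> Tuple[str, AuthzResult]:
    """Return (matched rule name, result) using first-match semantics."""
    for rule in [*policy, DEFAULT_DENY]:
        if rule.condition(attrs):
            return rule.name, rule.result
    raise AssertionError("unreachable: DEFAULT_DENY always matches")


def to_radius_reply(result: AuthzResult) -> Dict[str, Any]:
    """Render the result as the RADIUS reply handed to the network device.

    VLAN uses the RFC 2868 tunnel attributes.  dACL, SGT and redirect travel
    in Vendor-Specific attributes in real deployments; the strings used here
    are illustrative placeholders, not any product's exact syntax.
    """
    if result.access != "PERMIT":
        return {"Code": "Access-Reject"}
    reply: Dict[str, Any] = {"Code": "Access-Accept"}
    if result.vlan is not None:
        reply.update({"Tunnel-Type": "VLAN",
                      "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-ID": str(result.vlan)})
    vsa: List[str] = []
    if result.dacl:
        vsa.append(f"dacl-name={result.dacl}")
    if result.sgt is not None:
        vsa.append(f"sgt={result.sgt}")
    if result.redirect_url:
        vsa.append(f"url-redirect={result.redirect_url}")
    if vsa:
        reply["Vendor-Specific"] = vsa
    return reply


if __name__ == "__main__":
    # Constructed sessions exercising each rule and the fall-through deny.
    sessions = {
        "corp laptop":   {"ad_group": "Domain Users", "device_profile": "Windows-Workstation",
                          "posture": "Compliant", "eap_method": "EAP-TLS"},
        "corp unknown":  {"ad_group": "Domain Users", "device_profile": "Windows-Workstation",
                          "posture": "Unknown", "eap_method": "EAP-TLS"},
        "corp peap":     {"ad_group": "Domain Users", "device_profile": "Windows-Workstation",
                          "posture": "Compliant", "eap_method": "PEAP"},
        "phone":         {"device_profile": "Cisco-IP-Phone"},
        "guest expired": {"identity_store": "Guest", "account_expired": True},
    }
    for label, attrs in sessions.items():
        name, res = evaluate(attrs)
        print(f"{label:14} -> {name:16} {to_radius_reply(res)}")
```

Two design points carry over to a real deployment: rule order matters under first-match semantics (the "corp peap" session above is denied because no rule explicitly permits a compliant user on PEAP, which is the safe outcome), and the trailing deny rule is what turns a gap in the policy into a rejected session rather than an unintended permit.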
Secure supplicant-less network access with Easy Connect: It derives authentication & authorization from login information across application layers.
Guest Lifecycle Management: It helps in achieving guest lifecycle management, from guest authentication to guest onboarding and guest security policy compliance. Time limits, account expiration, and SMS verification are some of the services ISE provides.
Streamlined Device Onboarding: It enables users to add and manage their devices through a self-service portal and supports SAML 2.0 for the web portal.
It also integrates with MDM/EMM vendors to enroll mobile devices and ensure that those devices are compliant with security policy.
AAA Services: It uses the RADIUS protocol for authentication, authorization, and accounting. It also supports a wide range of authentication protocols, such as PAP, CHAP, EAP-MD5, PEAP, EAP-FAST, EAP-TLS, and EAP-TTLS.
Device administration access control and auditing: It uses the TACACS+ protocol for authentication, authorization, and accounting of users when they access devices that support TACACS+.