Many people have invested in an automated access control solution from Cisco. In the past, Cisco offered NAC Framework and NAC appliance. There are Cisco Press books explaining NAC Framework as the go-to enterprise solution utilizing the network as the enforcement point, while NAC appliance was the simple “turn-key” solution leveraging SNMP or in-band / bump-in-the-wire type designs. Eventually Framework died and was replaced by an 802.1x-based solution. The release of ACS 5.0 added new features for 802.1x authentication, which left customers with the option to have remediation using the NAC Appliance solution or only authentication with the 802.1x NAC solution.
Cisco found that they had some gaps in their NAC solutions and eventually added bolt-on products to their appliance and 802.1x offerings. To manage non-NAC-capable devices, which include printers, card readers, Xboxes, IP phones, etc., Cisco re-branded Great Bay Software’s Beacon appliance as Cisco Profiler. Another gap was around sponsoring guest users, for which Cisco offered Cisco Guest Server as an additional appliance to handle advanced guest user features.
This spring, Cisco released their latest access control solution, Identity Services Engine (ISE). ISE takes on the features of NAC appliance, ACS 802.1x, Cisco Profiler and Cisco Guest Server. ISE can be purchased as a VMware virtual machine or an appliance and is licensed centrally, which is different from how NAC appliance was sold. Smaller networks can utilize one appliance or VMware instance to provide what used to be multiple appliances, which saves money as well as centralizes management. Mid-size to larger deployments can scale by breaking out the functions of ISE into separate VMware / appliance components. If customers need to support non-802.1x CoA switches, hubs or VPN concentrators, they will need to purchase a separate ISE iPEP appliance, which cannot be virtualized or include any other ISE functions.
There are some features that are not available in the ISE 1.0 release. ACS customers who use TACACS/RADIUS support for network device management and 802.1x NAC will need to keep their ACS solutions for device management, while ISE can take over the 802.1x NAC function. Another missing feature is the ability to integrate ACS or NAC with ISE. These and other features are rumored to be on the roadmap for the solution, as well as advancements in profiling to enhance how ISE identifies devices accessing the network. More information on Cisco ISE, NAC appliance and ACS can be found on the NAC links in this blog.