Summarizing Cisco Access Control / NAC technologies (ISE, NAC Appliance, ACS 5.X).

Here is a breakdown of my last post about Cisco Access Control / NAC / ISE technologies in a list format.

Framework:
• Network-based access control. End of life.

NAC Appliance:
• Offers Authentication, Authorization and Remediation
• Covers Wireless, VPN and LAN.
• Available only as a physical appliance; there is no virtualized offering. For small locations with ISR routers, 50-user and 100-user modules are available.
• Licensed by user count, matched and applied to the corresponding enforcement server. User bundles are 50, 100, 250, 500, 1500, 2500, 3500 and 5000.
• Uses SNMP v1, v2 and v3, or can be deployed in-band as a bump in the wire.
• Can leverage Cisco Profiler or a whitelist for non-NAC-capable devices.
• Cisco enforcement appliances can provide collection capabilities for Cisco Profiler with an additional license.
• Can leverage Cisco Guest Server for advanced guest access.
• Comes in HP or IBM appliance formats.
• IBM appliances are the 3315, 3355 and 3395. They can support ISE.
• HP appliances are the 3310, 3350 and 3390. They cannot support ISE.

ACS 5.X:
• Offers 802.1x NAC features and device management (TACACS/RADIUS).
• Can be an appliance or a VMware virtual machine. Appliances on IBM hardware can support ISE; VMware installations can be migrated to ISE for an additional cost.
• Provides Authentication and Authorization. Does not offer remediation.
• Requires switches that support 802.1x CoA (Change of Authorization), as listed on cisco.com/go/acs, to act as the enforcement point; ACS alone cannot enforce access control.
• 802.1x NAC features do not require additional licenses for up to 500 users/devices. To scale beyond 500 users/devices, an additional large-deployment license is required.
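To make the enforcement-point relationship concrete, here is an added example (not from the original post, and not Cisco's reference configuration) of the Cisco IOS switch configuration that puts the switch in the role described above: the switch authenticates endpoints via 802.1x against ACS as the RADIUS server, and accepts CoA requests so ACS can change an existing session's authorization. The server address, interface name, VLAN and shared secret are placeholders, and exact syntax varies by IOS release (older releases use `radius-server host` instead of the `radius server` block).

```cisco
! Added example, not from the original post. All addresses, names and keys are placeholders.
! Role split: the switch enforces (802.1x authenticator); ACS decides (RADIUS server).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! RADIUS server definition pointing at ACS (192.0.2.10 is a documentation placeholder)
radius server ACS-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
!
! Change of Authorization (RFC 5176): allows ACS to push a reauthentication or
! a new authorization to a session that is already on the network. Without this
! the switch can only enforce what it learned at initial authentication.
aaa server radius dynamic-author
 client 192.0.2.10 server-key SHARED-SECRET-PLACEHOLDER
 auth-type any
!
! Enable 802.1x globally on the switch
dot1x system-auth-control
!
! Access port: no traffic is forwarded until the endpoint authenticates
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
```

To verify that the switch is actually the enforcing device, `show authentication sessions interface GigabitEthernet1/0/1` shows the session state and the authorization (VLAN, ACL) applied by the RADIUS decision; a CoA from ACS should be visible as a change in that session rather than a new one.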

Cisco Profiler:
• Provides profiling of non-NAC-capable devices such as printers, card readers, Xboxes, IP phones, etc.
• Profiler is no longer sold by Cisco. ISE is the replacement solution.
• Profiler feeds its findings into NAC solutions, which update their whitelisted-device lists.
• The main benefits of Profiler are easier deployments, since administrators don't have to develop a whitelist of non-NAC-capable devices manually, and monitoring of whitelisted devices for changes in behavior (i.e. spoofing).
• Can bolt onto NAC appliance or ACS 802.1x solutions.
• Available in HP or IBM appliances.
• The management system can be an IBM 3315 or 3355. Both can support ISE.
• The management system can be an HP 3310 or 3350. Neither can support ISE.
• Collector-only appliances are needed for Profiler to work when the NAC appliance isn't providing collection. NAC appliance offered this collection feature on enforcement appliances at an additional license cost.
• IBM-based collector appliances (3315, 3355) can be migrated to ISE.
• HP-based collector appliances (3310, 3350) cannot support ISE.

Cisco Guest Server:
• Provides advanced guest access for NAC solutions.
• Can bolt onto NAC appliance or ACS 802.1x solutions.
• Available in HP or IBM appliances.
• The guest server can be an HP or IBM appliance (3310 or 3315).
• The 3315 Cisco Guest Server can support ISE.

Cisco Identity Services Engine (ISE):
• Released spring of 2011
• Combines NAC appliance, ACS 802.1x NAC, Cisco Guest Server and Cisco Profiler in one solution.
• Can be purchased as an appliance or virtual appliance.
• ISE is licensed centrally, meaning one license is required for all appliances in one cluster. ISE has two license options: base and advanced. Base licenses are purchased one time and provide Authentication and Guest services. Advanced licenses are a subscription service and provide Posture and Remediation.
• Can scale from one appliance managing all functions to separate appliances per functional component, depending on design requirements. The only function that cannot be combined is the iPEP appliance. ISE iPEP appliances must be physical appliances and cannot be used for any other function. iPEPs are used to support VPN, non-802.1x-CoA-capable switches, hubs, etc.
• ISE is the replacement for Profiler. Profiling is Cisco homegrown and is updated through the advanced license subscription service.
• Today (July 2011), ISE cannot be integrated into a NAC appliance or ACS solution.
• Today (July 2011), ISE cannot support device management (TACACS/RADIUS) like ACS. Customers should keep their ACS solutions if this function is desired.

Here is a great video that summarizes the Cisco ISE release.


5 thoughts on “Summarizing Cisco Access Control / NAC technologies (ISE, NAC Appliance, ACS 5.X).”

  1. I look forward to reading more of your articles and posts in the future, so I've bookmarked your blog. When I see good quality content, I like to share it with others. So I've created a backlink to your site. Thank you!
    Sony Camera Reviews

  2. Hello,
    I read with interest the migration to ISE.

    I need the NAC appliance software
    for my final-year project (PFE).
    Can you help me with this?
    tarikjari(at)hotmail.fr
    Thanks

    1. What problems are you running into with understanding the NAC appliance in relation to ISE? Yes, we can probably help, but I will need to know more about your problem.

