Cisco Identity Services Engine Ordering Guide: A Comprehensive Plan
This guide details the process of procuring Cisco ISE, covering appliance selection, licensing tiers, and crucial considerations for network access control deployments.
Cisco Identity Services Engine (ISE) is a leading network access control, policy enforcement, and advanced threat defense platform. It centralizes policy administration, simplifying security management across wired, wireless, and VPN environments. ISE provides granular control over user and device access, enhancing network visibility and reducing risk. Understanding its capabilities is crucial before ordering. This platform supports various authentication methods and integrates with threat intelligence feeds, like Talos, for proactive security. Proper ordering ensures alignment with organizational needs, considering scalability and licensing requirements for optimal performance and protection.
Understanding ISE Licensing Models
Cisco ISE licensing operates on a tiered system, with options like Base and Advanced licenses impacting feature availability. Licensing is often tied to endpoint counts, requiring careful capacity planning during the ordering process. Understanding these models is vital for cost-effective deployment. Licenses can be transferred to a Smart Account for centralized management. Bundles offer consolidated ordering options. The choice between license tiers depends on required functionalities, such as profiling, guest access, and advanced threat capabilities. Proper license selection ensures full utilization of ISE’s potential.
ISE Appliance Ordering Options
Cisco ISE offers both physical and virtual appliance options to suit diverse deployment needs. Physical appliances provide dedicated hardware for performance, while virtual appliances offer flexibility and scalability within existing infrastructure. Ordering considerations include required throughput, concurrent sessions, and high availability requirements. Virtual appliances require compatible hypervisors. Selecting the right appliance impacts initial investment and ongoing operational costs. Careful evaluation of network size and user density is crucial for optimal performance. Both options support the same licensing models, ensuring feature parity.
Physical Appliances
Cisco ISE physical appliances are purpose-built hardware designed for robust network access control. These appliances deliver dedicated processing power and storage, ensuring consistent performance even under heavy load. Ordering involves selecting a model based on concurrent user capacity and desired throughput. Physical appliances simplify deployment, requiring only power and network connectivity. They are ideal for organizations prioritizing dedicated resources and predictable performance. Consider rack space and environmental requirements during planning. Cisco offers various physical appliance models to accommodate different network sizes and security needs.
Virtual Appliances
Cisco ISE virtual appliances offer deployment flexibility, running on standard virtualization platforms like VMware or Hyper-V. This approach reduces hardware costs and simplifies management within existing virtualized infrastructures. Ordering requires specifying the virtual appliance license and ensuring sufficient virtual machine resources are allocated. Virtual appliances scale easily, allowing organizations to adjust capacity as needed. They are well-suited for environments already leveraging virtualization and seeking operational efficiency. Proper resource allocation is crucial for optimal performance; carefully assess CPU, memory, and storage requirements.
Licensing Tiers and Features
Cisco ISE licensing operates on a tiered system, with Base and Advanced licenses providing varying feature sets. The Base license delivers core network access control functionality, including 802.1X authentication and profiling. Advanced licensing unlocks enhanced capabilities like TrustSec, guest access, and more comprehensive threat defense. Selecting the appropriate tier depends on an organization’s specific security requirements and desired level of control. Understanding these differences is crucial for cost-effective ordering and maximizing the value of the ISE investment.
Base License
The Cisco ISE Base license provides foundational network access control capabilities essential for secure network operations. It supports 802.1X authentication, enabling robust user and device verification. Key features include profiling, which categorizes endpoints, and basic posture assessment to ensure compliance with security policies. This tier is ideal for organizations needing core NAC functionality without advanced features like TrustSec or extensive guest access options. Ordering the Base license offers a cost-effective entry point into Cisco’s comprehensive identity management solution.
Advanced License
The Cisco ISE Advanced license unlocks enhanced features beyond the Base license, providing a more comprehensive security posture. It incorporates TrustSec, enabling scalable segmentation and policy enforcement. Advanced profiling capabilities offer granular endpoint visibility, while enhanced guest access management simplifies visitor network access. This tier also includes features like centralized policy management and integration with threat intelligence feeds. Ordering the Advanced license is suited for organizations requiring robust segmentation, detailed endpoint control, and advanced threat mitigation capabilities within their network access control framework.
Capacity Planning for ISE Deployments
Effective capacity planning is crucial for optimal Cisco ISE performance and scalability. Accurately determining the anticipated user count – concurrent and total – is the initial step. Beyond users, consider network size, encompassing the number of network devices and endpoints requiring authentication. Network complexity, including the volume of policies and the diversity of authentication methods, significantly impacts resource demands. Ordering sufficient appliance capacity and licenses upfront avoids performance bottlenecks and ensures a seamless user experience as your network grows and evolves.
Determining User Count
Accurate user count estimation is foundational for ISE capacity planning. Distinguish between concurrent users – those actively connected simultaneously – and total users requiring access. Analyze peak usage times to project maximum concurrent connections. Consider both employee and guest access scenarios; Factor in BYOD (Bring Your Own Device) policies, as each device represents a potential user. Overestimating slightly is preferable to underestimating, preventing performance degradation. Regularly reassess user counts as your organization evolves to ensure ISE remains appropriately sized for optimal performance.
Considering Network Size and Complexity
Network scale significantly impacts ISE deployment requirements. Larger networks with numerous devices necessitate higher-capacity appliances. Complex network architectures – incorporating segmentation, multiple VLANs, or wireless deployments – demand increased processing power. Evaluate the number of network access points and switches requiring integration with ISE. Consider the volume of network traffic and the level of granular policy enforcement needed. Factor in future growth projections to avoid premature capacity limitations. A thorough network assessment is crucial for selecting the appropriate ISE solution.
Ordering Process Overview
The Cisco ISE ordering process involves several key steps to ensure a smooth procurement experience. Initially, account preparation with a valid Cisco account is essential. Subsequently, selecting the correct appliance – physical or virtual – based on capacity planning is vital. Following this, license selection aligned with desired features and user counts is necessary. Ordering through Cisco or a partner, followed by license activation via Smart Account, completes the process. Careful planning and documentation are recommended for efficient ordering and deployment of your Cisco ISE solution.
Step 1: Account Preparation
Before initiating your Cisco ISE order, ensure a valid and active Cisco account is readily available. This account serves as the central hub for all transactions and license management. Verify that the account possesses the necessary permissions for purchasing and managing Cisco products. Confirm billing information is current and accurate to prevent delays. Linking your account to a Smart Account is highly recommended for streamlined license management and support access. Proper account preparation is foundational for a successful and efficient ISE ordering experience.
Step 2: Selecting the Right Appliance
Choosing the appropriate ISE appliance hinges on a thorough assessment of your network’s scale and anticipated user density. Consider both physical and virtual appliance options, evaluating their respective hardware specifications and performance capabilities. Physical appliances offer dedicated resources, while virtual appliances provide deployment flexibility. Carefully analyze your current and projected user counts, alongside network complexity, to determine the necessary processing power and storage capacity. Accurate appliance selection ensures optimal ISE performance and scalability, preventing future bottlenecks.
License Ordering and Activation
Proper license ordering and activation are critical for full ISE functionality. Licenses are typically ordered through Cisco’s Smart Licensing portal and transferred to your Smart Account for centralized management. Understanding available license bundles – Base, Advanced, and potentially others – is essential to match features with your security requirements. After purchase, activation involves registering the licenses with your ISE appliance. Ensure compatibility with your software version and follow Cisco’s documentation for a seamless process, avoiding service disruptions and maximizing your investment.
Transferring Licenses to Smart Account
Centralizing license management via your Cisco Smart Account streamlines administration and provides visibility. After purchasing ISE licenses, promptly transfer them from the ordering portal to your designated Smart Account. This ensures licenses are readily available for assignment to your ISE appliances. The transfer process typically involves a few clicks within the Cisco portal, linking the purchased entitlements to your account. Regularly verify license quantities and expiration dates within your Smart Account to proactively manage renewals and avoid service interruptions, maintaining continuous network access control.
Understanding License Bundles
Cisco often offers ISE licenses in bundled packages to provide cost-effectiveness and comprehensive features. These bundles typically combine base licenses with advanced capabilities like TrustSec, profiling, or guest access. Carefully evaluate your organization’s specific requirements to determine the most suitable bundle. Bundles can simplify procurement and ensure you acquire all necessary features upfront. Comparing bundle contents against your network access control needs is crucial for optimizing investment. Consider future scalability when selecting a bundle, anticipating potential growth in user count or feature demands.
Software Version Compatibility
Maintaining compatibility between ISE software versions and associated licenses is paramount for optimal performance and security. Ensure your chosen appliance supports the desired ISE version, particularly when considering upgrades. Cisco recommends staying current with the latest patches for version 2.7, addressing known vulnerabilities. Inline upgrades from 2.7 to later versions require careful planning to minimize disruption. Verify license compatibility before and after any software upgrade to avoid service interruptions. Regularly check Cisco’s compatibility matrix for supported versions and licensing requirements to ensure a seamless operational environment.
Ensuring Version 2.7 is Up-to-Date
Prior to any upgrade path, verifying that your Cisco ISE 2;7 installation is running the latest patch is critical for security and stability. Cisco has addressed numerous vulnerabilities within the 2.7 release through subsequent patches. Applying these updates mitigates potential risks, including critical remote code execution flaws. Regularly check the Cisco Security Advisories for the most recent patch information. A fully patched 2.7 version provides a solid foundation for a smooth inline upgrade to newer releases, minimizing compatibility issues and ensuring a secure network access control posture.
Inline Upgrade Considerations (2.7 to later)
When upgrading from ISE version 2.7 to a later release, careful planning is essential to minimize downtime and ensure a successful transition. Back up your current configuration thoroughly before initiating the upgrade process. Review the Cisco documentation for specific upgrade paths and compatibility notes. Consider performing the upgrade during a maintenance window to limit disruption to network access. Validate the upgrade in a lab environment before deploying to production. Post-upgrade, verify functionality and monitor system performance closely to identify and address any potential issues promptly.
Security Vulnerabilities and Patching
Cisco ISE, like all network infrastructure devices, is subject to security vulnerabilities. Staying current with security patches is paramount to protect your network. Cisco regularly releases updates to address identified flaws, including critical Remote Code Execution (RCE) vulnerabilities. Proactive monitoring for security advisories and prompt application of patches are crucial. Implement a robust vulnerability management process, including regular scans and assessments. Be aware of potential exploits and mitigation strategies. Prioritize patching based on vulnerability severity and potential impact to your environment.
Critical RCE Vulnerabilities
Recent Cisco security bulletins have highlighted critical, unauthenticated Remote Code Execution (RCE) vulnerabilities within Cisco ISE and its Passive Identity Connector. These vulnerabilities pose a significant risk, potentially allowing attackers to gain control of affected systems without requiring credentials. Cisco has acknowledged attempted exploitation of these flaws. Immediate patching is essential to mitigate this threat. Organizations should prioritize applying the necessary security updates to prevent unauthorized access and maintain network integrity. Proof-of-concept exploit code is publicly available, increasing the urgency.
Exploit Awareness and Mitigation
Given the public availability of proof-of-concept exploit code for the critical RCE vulnerabilities in Cisco ISE, heightened awareness is crucial. Mitigation strategies include promptly applying security patches released by Cisco, ensuring ISE versions are up-to-date, and implementing robust network segmentation. Regularly monitor systems for suspicious activity and review access logs. Consider employing intrusion detection and prevention systems to identify and block potential exploits. Prioritize patching systems directly exposed to the internet and those with administrative access.
Integrating Talos Incident Response
Cisco Talos Incident Response can be seamlessly integrated when ordering Cisco ISE subscriptions, providing an enhanced security posture. This integration offers proactive threat intelligence, expert analysis, and rapid response capabilities to mitigate security incidents. Ordering Talos alongside ISE creates a comprehensive security solution, bolstering defenses against evolving cyber threats. It delivers another option for creating a robust security framework, enabling faster detection, containment, and remediation of security breaches impacting your network infrastructure and identity services.
Ordering with ISE Subscriptions
When procuring Cisco ISE subscriptions, consider bundling options for optimal value and comprehensive security coverage. Ordering directly through Cisco or authorized partners streamlines the process, ensuring license compliance and access to support. Subscriptions typically include software updates, maintenance, and access to the Cisco Threat Response platform. Carefully evaluate your organization’s needs to select the appropriate subscription tier and duration. This approach simplifies license management and provides ongoing protection against emerging threats, enhancing your overall security investment.
Remote Access and VPN Considerations
ISE plays a critical role in securing remote access and VPN connections, extending network access control policies to off-network users. When ordering, assess the number of concurrent VPN users and required authentication methods. Consider licensing implications for remote access VPN endpoints, as these often require separate endpoint licenses. Ensure ISE integrates seamlessly with your existing VPN infrastructure, such as Cisco AnyConnect. Proper planning guarantees secure and scalable remote access, protecting sensitive data and maintaining network integrity for a distributed workforce.
Passive Identity Connector Licensing
The Passive Identity Connector (PIC) requires specific licensing based on the number of sources it integrates with and the volume of identity data processed. PIC licensing is separate from core ISE licensing and is crucial for extending NAC to non-Cisco network devices. Carefully evaluate the number of sources – like firewalls or wireless controllers – needing integration. Consider the expected data throughput to determine the appropriate PIC license tier. Proper licensing ensures optimal performance and compliance when leveraging existing infrastructure with ISE’s powerful NAC capabilities.
Endpoint Licenses and Scalability
ISE endpoint licenses dictate the maximum number of devices that can simultaneously connect and be managed by the system. Scalability is paramount; anticipate future growth when determining the initial license count. Additional ISE endpoint licenses can be purchased to accommodate increasing device density. Consider both wired and wireless endpoints, plus BYOD scenarios. Regularly monitor endpoint usage to proactively address licensing needs and avoid service disruptions. Proper endpoint license planning ensures a robust and scalable NAC solution aligned with organizational demands.
Additional ISE Endpoint Licenses
Procuring additional ISE endpoint licenses is straightforward through Cisco’s ordering portals, like the Cisco Ordering Tool (COT). These licenses are typically perpetual, granting ongoing usage rights. When adding licenses, ensure compatibility with your existing ISE software version. License bundles often offer cost savings compared to individual purchases. Remember to transfer the newly acquired licenses to your Smart Account for centralized management and simplified deployment. Careful tracking of endpoint counts is vital to determine the precise number of licenses needed for optimal network access control.
ISE and Network Access Control (NAC) Fundamentals
Cisco ISE is a leading Network Access Control (NAC) solution, central to modern network security. NAC fundamentally controls access to network resources based on identity and device posture. ISE provides granular policy enforcement, ensuring only authorized users and compliant devices gain access. Key NAC functions include authentication, authorization, and accounting (AAA). Understanding these fundamentals is crucial when planning an ISE deployment and determining appropriate licensing. ISE’s robust capabilities extend beyond simple access control, offering advanced features like profiling and guest access management.
Identity vs. Identify: Clarification
Within the context of Cisco ISE, distinguishing “identity” from “identify” is essential for accurate understanding. “Identity” functions as a noun, representing a user or device’s unique characteristics – who or what is connecting. Conversely, “identify” is a verb, signifying the process of recognizing or determining that identity. ISE’s core function revolves around verifying and validating identities before granting network access. Correct usage ensures clear communication regarding ISE’s capabilities and the principles of network access control, streamlining the ordering process.
Identity as a Noun
In the realm of Cisco ISE, “identity” consistently operates as a noun, denoting the unique attributes defining a network entity. This encompasses users, devices, or services seeking network access. ISE meticulously manages these identities, storing crucial information like usernames, group memberships, and device characteristics. When considering ISE ordering, understanding the number of identities – representing distinct users and endpoints – is paramount for accurate licensing. Properly defining and quantifying these identities directly impacts the required licensing tier and overall system capacity.
Identify as a Verb
Conversely, “identify” functions as a verb within the Cisco ISE context, signifying the process of recognizing and authenticating a network entity. ISE actively works to identify users and devices attempting network access, employing various methods like 802.1X, MAC authentication bypass (MAB), and guest access. This identification process is fundamental to enforcing network access policies. When planning your ISE order, consider the methods used to identify endpoints, as this influences feature requirements and potential licensing needs for passive identity connectors.
Ordering Documentation and Resources
Cisco provides extensive documentation to streamline your ISE ordering experience. Access the official Cisco Identity Services Engine Ordering Guide for detailed appliance specifications, licensing options, and compatibility matrices. Utilize Cisco’s Configuration Guides to understand feature sets associated with each license tier. The Cisco Commerce Portal offers direct ordering capabilities, while Cisco partners can assist with customized solutions. Remember to consult the latest software version compatibility notes before finalizing your order, ensuring a smooth deployment and avoiding potential upgrade complexities.
Support and Maintenance Options
Cisco offers various support and maintenance contracts for your ISE deployment, ensuring optimal performance and security. Smart Net Total Care provides 24/7 technical assistance, rapid replacement of failed hardware, and access to software updates, including critical security patches. Consider Service Contract Renewal to maintain uninterrupted support. Proactive monitoring and advisory services are also available. Regularly applying security patches is vital, especially given recent critical RCE vulnerabilities. Leverage Cisco’s Talos Incident Response subscriptions for enhanced threat intelligence and mitigation capabilities alongside your ISE investment.
Future Considerations for ISE Licensing
ISE licensing is evolving with cloud-based identity services and increasing network complexity. Expect potential shifts towards subscription-based models offering greater flexibility and scalability. Consider future growth when selecting license tiers, anticipating increased endpoint counts and advanced feature requirements. Staying current with software version compatibility, particularly post-2.7 upgrades, is crucial. Monitor Cisco’s announcements regarding new licensing bundles and features. Proactive capacity planning, factoring in remote access and VPN demands, will optimize your long-term ISE investment and avoid costly mid-term adjustments.
Troubleshooting Ordering Issues
Ordering challenges with Cisco ISE can arise from account preparation or license compatibility. Verify Smart Account access and permissions before initiating the process. Confirm appliance and license selections align with network requirements. If encountering errors, review Cisco’s ordering documentation and portals for guidance. Contact Cisco support for assistance with complex issues, providing detailed order information. Ensure software version compatibility, especially during upgrades. Double-check license bundles and transfer processes. Document all communication and troubleshooting steps for efficient resolution and future reference.
Cisco Ordering Tools and Portals
Cisco provides several tools to streamline ISE procurement. The Cisco Commerce Portal (CCP) facilitates online ordering and license management. Cisco Ordering Central offers detailed product information and configuration assistance. Smart Accounts are essential for consolidating licenses and simplifying transfers. Utilize the Cisco Configuration Tool (CCT) to validate appliance builds. Access Cisco’s documentation library for ordering guides and compatibility matrices. These portals offer self-service capabilities, reducing reliance on manual processes and accelerating deployment. Regularly check for updates and new features within these platforms.
