Data Sheet

Cisco Identity Services Engine

Enterprise networks are more dynamic than ever before, servicing an increasing
number of users, devices, and access methods. Along with increased access and
device proliferation comes an increased potential for security breaches and new
operational challenges. Maintaining network security and operational efficiency today
requires new solutions that effectively enforce access policies, audit network use,
monitor corporate compliance, and provide increased visibility into network-wide
activity.
Cisco offers a solution to assist network security officers and administrators with these obstacles: the Cisco

Identity Services Engine.

Product Overview
The Cisco Identity Services Engine is a next-generation identity and access control policy platform that enables
enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. Its unique
architecture allows enterprises to gather real-time contextual information from networks, users, and devices to
make proactive governance decisions by enforcing policy across the network infrastructure - wired, wireless and

remote. The Cisco Identity Services Engine is an integral component of the Cisco TrustSec solution and
SecureX architecture.
The Cisco Identity Services Engine provides a highly powerful and flexible policy-based access control solution
that combines multiple services, namely authentication, authorization, and accounting (AAA); posture; profiling;
and guest management on a common platform. This greatly reduces complexity and provides consistency across
the enterprise. Using the Cisco Identity Services Engine, administrators can centrally create and manage access
control policies for users and endpoints in a consistent fashion and gain end-to-end visibility into everything that is
connected to the network.

Features
The Cisco Identity Services Engine:

Allows enterprises to authenticate and authorize users and endpoints via wired, wireless, and VPN with
consistent policy throughout the enterprise

Prevents unauthorized network access to protect corporate assets

Provides complete guest lifecycle management by empowering sponsors to on-board guests, thus
reducing IT workload

Delivers customizable portals as well as ability to host web pages to ease on-boarding and overall enduser
experience inside business defined worksflows

Offers comprehensive visibility of the network by automatically discovering, classifying and controlling of
endpoints connecting the network to enable the appropriate services per endpoint

2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 1 of 5

Addresses vulnerabilities on user machines through periodic evaluation and remediation to help proactively
mitigate network threats such as viruses, worms, and spyware

Enforces security policies by blocking, isolating, and repairing noncompliant machines in a quarantine area
without requiring administrator attention

Offers a built-in monitoring, reporting, and troubleshooting console to assist help-desk operators and
administrators streamline operations

Allows you to get finer granularity while identifying devices on your network with Active Endpoint Scanning.
Augments network-based profiling by targeting specific endpoints (based on policy) for specific attribute
device scans, resulting in better accuracy and comprehensive visibility of what is on your network

Manages endpoint access to the network with Endpoint Protection Service. With EPS, an admin can
specify an endpoint and select an action such as move to a new VAN or return to the original VAN, or
isolate the endpoint from the network entirely - all in a simple interface

The Cisco Identity Services provides several additional key features, described in Table 1.
Table 1.

Key Cisco Identity Services Engines Features

Feature

Details

AAA protocols

Utilizes standard RADIUS protocol for authentication, authorization, and accounting (AAA).

Authentication protocols

Supports a wide range of authentication protocols, including PAP, MS-CHAP, Extensible Authentication Protocol
(EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), and
EAP-Transport Layer Security (TLS).

Policy model

Offers a rules-based, attribute-driven policy model for creating flexible and business-relevant access control
policies. Provides the ability to create fine-grained policies by pulling attributes from predefined dictionaries that
include information about user and endpoint identity, posture validation, authentication protocols, profiling identity,
or other external attribute sources. Attributes can also be created dynamically and saved for later use.

Access control

Provides a wide range of access control mechanisms, including downloadable access control lists (dACLs),
VLAN assignments, URL redirect, and SGA tagging leveraging the advanced capabilities of Cisco network
devices.

Profiling

Ships with predefined device templates for a wide range of endpoints such as IP phones, printers, IP cameras,
smartphones, and tablets. Administrators can also create their own device templates. These templates can be
used to automatically detect, classify, and associate administrative-defined identities when endpoints connect to
the network. Administrators can also associate endpoint-specific authorization policies based on device type.
The Cisco Identity Services Engine collects endpoint attribute data via passive network telemetry, querying the
actual endpoints, or alternatively from the Cisco Infrastructure via Device Sensors on the catalyst switches.

The infrastructure-driven endpoint sensing technology on Cisco Catalyst switches are a subset of ISE sensing
technology. This allows the switch to quickly collect endpoint attribute information on the switch and then pass
this information using standard RADIUS to the Identity Services Engine for endpoint classification and
policy-based enforcement. This switch-based sensing technology allows for the efficient distribution of endpoint
information for increased scalability, deployability and time to classification.
Guest lifecycle management

Enables full guest lifecycle management whereby guest users can access the network for a limited time, either
through administrator sponsorship or by self-signing via a guest portal. Allows administrators to customize portals
and policies based on specific needs of the enterprise.

Posture

Verifies endpoint posture assessment for all types of users connecting to the network. Works via either a
persistent client-based agent or a temporal web agent to validate that an endpoint is conforming to the companys
posture policies. Provides the ability to create powerful policies that include checks for the latest OS patches,
antivirus/antispyware software packages with current definition file variables (version, date, etc.), registries (key,
value, etc), and applications. The Identity Services Engine also supports auto-remediation of the client as well as
periodic reassessment to make sure the endpoint is not in violation of company policies.

Endpoint protection service

Allows administrators to quickly take corrective action (Quarantine, Un-Quarantine, or Shutdown) on riskcompromised endpoints within the network. This helps to reduce risk and increase security in the network.

Centralized management

Enables administrators to centrally configure and manage profiler, posture, guest, authentication, and
authorization services in a single web-based GUI console, greatly simplifying administration by providing
consistency in managing all these services.

Monitoring and
troubleshooting

Includes a built-in web console for monitoring, reporting, and troubleshooting to assist help-desk and network
operators to quickly identify and resolve issues. Offers comprehensive historical and real-time reporting for all
services, logging of all activities, and real-time dashboard metrics of all users and endpoints connecting to the
network.

2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 2 of 5

Feature

Details

Platform options

Available as a physical or virtual appliance. There are three physical appliance models as well as a VMware ESXor ESXi-based appliance.

Benefits
The Cisco Identity Services Engine:

Allows enterprises to roll out highly customized and sophisticated business access policies in a consistent
fashion

Reduces operational costs by providing full visibility into, historical reporting of, and enhanced
troubleshooting tools for network access

Reduces network outages and downtime by ensuring that only compliant users get full access to the
network and non-compliant users are isolated to limited areas of the network

Allows enterprises to be in compliance with regulatory mandates by ensuring that required controls can be
enforced and audited

Product Specifications
There are three hardware options for the Cisco Identity Services Engine (see Table 2).
Table 2.

Cisco Identity Services Engine Hardware Specifications

Cisco Identity Services Engine
Appliance 3315 (Small)

Cisco Identity Services Engine

Appliance 3355 (Medium)

Cisco Identity Services Engine

Appliance 3395 (Large)

Processor

1 x QuadCore Intel Core 2 CPU

Q9400 @ 2.66 GHz

1 x QuadCore Intel Xeon CPU

E5504 @ 2.00 GHz

2 x QuadCore Intel Xeon CPU

E5504 @ 2.00 GHz

Memory

4 GB

4 GB

4 GB

Hard disk

2 x 250-GB SATA HDD

2 x 300-GB SAS drives

4 x 300-GB SFF SAS drives

RAID

No

Yes (RAID 0)

Yes (RAID 0+1)

Removable media

CD/DVD-ROM drive

CD/DVD-ROM drive

CD/DVD-ROM drive

Ethernet NICs

4 x Integrated Gigabit NICs

4 x Integrated Gigabit NICs

4 x Integrated Gigabit NICs

10BASE-T cable support

Cat 3, 4, or 5 unshielded twisted

pair (UTP) up to 328 ft (100 m)

Cat 3, 4, or 5 UTP up to 328 ft

(100 m)

Cat 3, 4, or 5 UTP up to 328 ft

(100 m)

10/100/1000BASE-TX cable
support

Cat 5 UTP up to 328 ft (100 m)

Cat 5 UTP up to 328 ft (100 m)

Cat 5 UTP up to 328 ft (100 m)

Secure Sockets Layer (SSL)

accelerator card

None

Cavium CN1620-400-NHB-G

Cavium CN1620-400-NHB-G

Serial ports

USB 2.0 ports

4 (two front, two rear)

4 (one front, one internal, two rear)

4 (one front, one internal, two rear)

Video ports

External SCSI ports

None

None

None

Form factor

Rack-mount 1 RU

Rack-mount 1 RU

Rack-mount 1 RU

Weight

28 lb (12.7 kg) fully configured

35 lb (15.87 kg) fully configured

35 lb (15.87 kg) fully configured

Dimensions

1.69H x 17.32W x 22 in.L

(43 x 440 x 55.9 mm)

1.69H x 17.32W x 27.99 in.L

(43 x 42.62 x 711 mm)

1.69H x 17.32W x 27.99 in.L

(43 x 42.62 x 711 mm)

Power supply

350W

Dual 675W (redundant)

Dual 675W (redundant)

Cooling fans

6; non-hot plug, nonredundant

9; redundant

9; redundant

Network Connectivity

Interfaces

System Unit

2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 3 of 5

BTU rating

Cisco Identity Services Engine

Appliance 3315 (Small)

Cisco Identity Services Engine

Appliance 3355 (Medium)

Cisco Identity Services Engine

Appliance 3395 (Large)

1024 BTU/hr (at 300W)

2661 BTU/hr (at 120V)

2661 BTU/hr (at 120V)

Uses FIPS 140-2 Level 1 validated

cryptographic modules

Uses FIPS 140-2 Level 1 validated

cryptographic modules

Uses FIPS 140-2 Level 1 validated

cryptographic modules

Compliance
FIPS

Cisco Identity Services Engine virtual appliances are supported on VMware ESX/ESXi 4.x and should be run on
hardware that equals or exceeds the characteristics of the physical appliances listed in Table 2. At minimum,
Cisco Identity Services Engines require the virtual target to have allocated at least 4 GB of memory and at least
200 GB of hard drive space. The virtual appliance is also FIPS 140-2 Level 1 compliant.

System Requirements
The set of system requirements for the Cisco NAC Agent, used for posture assessment, are shown in Table 3.
Table 3.

Cisco NAC Agent System Requirements

Feature

Minimum Requirement

Supported OS

Microsoft Windows Vista Business, Windows Vista Ultimate, Windows Vista Enterprise, Windows Vista
Home, Windows 7, Windows XP Professional, Windows XP Home, Windows XP Media Center Edition,
Windows XP Tablet PC, Windows 2000, Windows 98, Windows SE, and Windows ME; Mac OS X (v10.5.x,
v10.6.x)

Hard drive space

Minimum of 10 MB free hard drive space

Hardware

No minimum hardware requirements (works on various client machines)

License Specifications
A Cisco Identity Services Engine deployment requires a license to activate different services. There are three
types of Identity Services Engine licenses:

ISE BASE License. Used to activate basic services, such as authentication, authorization, guest,
monitoring, and troubleshooting services.

ISE ADVANCED License. Used to activate advanced services, such as posture, profiling, SGA and EPS.
Please note that the BASE license is a prerequisite for installing the ADVANCED license.

ISE WIRELESS License. Activates all Identity Services Engine services, but only for wireless endpoints.

Table 4 summarizes the license types.

Table 4.

Cisco Identity Services Engine License Specifications

BASE License

ADVANCED License

WIRELESS License
*

Authentication and authorization

Guest services

Monitoring and troubleshooting

*
*
*

Posture assessment

Profile

X*

SGA

Endpoint protection service

*
*

Only for wireless endpoints.

2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 4 of 5

Service and Support

Cisco offers a wide range of services programs to accelerate your success. These innovative programs are
delivered through a combination of people, processes, tools, and partners that results in high levels of customer
satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare
your network for new applications to extend network intelligence and the power of your business. For more
information about Cisco services, see Cisco Technical Support Services or Cisco Advanced Services.
Warranty information is available at http://www.cisco.com/go/warranty. Licensing information is available at
http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html.

For More Information

For more information about Cisco Identity Services Engine products and the Cisco TrustSec solution, visit
http://www.cisco.com/go/ise or contact your local Cisco account representative.

Printed in USA

2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

C78-656174-02

02/12

Page 5 of 5