Cisco Identity Services Engine (ISE) 2.x: High-Level Design (HLD)



High-Level Design (HLD)
An ISE High Level Design (HLD) is recommended to assist you with the design and planning of your
ISE deployment. Having a clearly written security policy, whether aspirational or active, is the first
step in assessing, planning and deploying network access security. Without this, it is hard to break
down the deployment into phases by location or capabilities. When seeking outside help, the HLD
saves a great deal of time when educating other teams, partners, Cisco Sales representatives,
Technical Assistance Center (TAC) representatives or even the ISE product and engineering teams.
Clearly stating the desired solution capabilities, hardware and software environment and integrations
quickly allows people to understand what you want and how to configure or troubleshoot it.
 

Required preliminary information | Provide your answers in this column

Company Name |
Engineer's Name, Email and Phone (that created or reviewed this HLD) |
Partner Company Name |
Cisco Sales Order number(s), if order has been placed |

ISE 2.0 HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 26
Contents

Retirement of ISE ATP Program ... 3
Document Purpose ... 3
Physical Network Topology ... 6
Topology Specifics ... 6
Unknowns ... 13
High Availability ... 14
Migration ... 14
ISE Node details ... 14
Security Partner Community ... 16
Migration SKUs ... 16
Migration Guide ... 16
Machine Access Restrictions (MAR) ... 16
Note regarding Performance Specifications ... 18
Platform Hardware Specs ... 18
Platform Performance Specs for PSN when PAN and MNT deployed as separate node – Max Concurrent EndPoints and Composite Authentications (Authentication values are approximate values) ... 18
Platform Performance Specs – Authentications/Second with PSN only persona (Approximate values) ... 19
System Performance Specs (Per Identity Services Engine deployment) ... 19
System Scale (Per Identity Services Engine deployment) ... 19
VM Disk Size Minimum Requirement ... 19
MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled) ... 20
Latency and bandwidth requirement among ISE nodes ... 20
Guest server and ISE Guest Feature Comparison ... 20
ACS and ISE Feature Comparison ... 22

Introduction

Retirement of ISE ATP Program


ISE is being phased out of ATP, so it is no longer required to submit an HLD as part of an ISE order. For
partner resources, please visit the Security Partner Community (https://www.cisco.com/go/securitychannels). The latest
version of the HLD and the Bandwidth Calculator are available there as well.

Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for the Cisco
Identity Services Engine (ISE) with the Secure Access solution. Due to the various product
configurations and deployment options, we are providing this document to assist with obtaining
relevant design information for your ISE deployment. ISE is the foundational network directory
providing a single pane for network access policy and contextual information about network
endpoints. ISE relies on a security architecture comprising many components, including endpoints,
network access devices, identity stores, certificate authorities, and many APIs for third party
integrations, to provide guest services, profiling, BYOD enrollment and AAA for all user and
device access control needs. An engineer must consider the Secure Access solution holistically and
consider immediate as well as future requirements prior to deciding what equipment to purchase.
This HLD template will step the engineer through what needs to be considered. If the engineer is not
intimately familiar with the existing or proposed network, a network assessment may be necessary
prior to completing the HLD. This document can be used during the design phase and throughout the
deployment of the Secure Access solution to assist the engineers in collecting key information
relevant to a successful ISE deployment. The Cisco TAC or Security Business Group representatives
may request a copy of this HLD with any support or escalation case.

Business Objectives
Describe your security-based business goals. Consider the following example business goals:
● Profiling for visibility or inventory management (differentiation of services based on device type)
● Differentiation of service based on user identity
● Regulatory compliance
● Securing wireless network and providing guest access
● Managing employee-provided devices (e.g., iPads)
● Port lockdown
● Ensuring endpoint health or posture
● Network Device Administration
● Other

The Policy Details provided in later sections of this HLD should reflect the business objectives stated
here.

Business Goals

Estimated Timelines
Phase | Number of endpoints | Begin | End | Comments
Lab testing and qualification | N/A | | |
Production phase 1 (pilot) | | | |
Production phase 2 | | | |
Production phase 3 | | | |

Endpoint Summary
Deployment Summary | Response

Use cases in scope for design (Please check or add to the list to the right):
Response (check all that apply): Wired, Wireless, VPN, BYOD, pxGrid, MACSec, Device Admin,
Profiling/Visibility, Posture Assessment, TrustSec, Guest Access, MDM Integration, RADIUS Proxy,
Location Integration, Other Use Cases:

Endpoint count
● Total endpoint count for entire deployment (endpoint count equals the sum of user and non-user devices)
● Total user endpoints (i.e. Windows PC, mobile devices, guest devices)
● Total non-user endpoints (including IP Phones, Wireless APs, Printers, etc.)
Response: User Endpoints: / Non-user Endpoints:

Concurrent endpoint count
● Maximum number of concurrent endpoints expected
● Total concurrent user endpoints including guest devices
● Total mobile endpoints using 3rd party MDM with ISE
● Total endpoints for posture assessment
● Total concurrent non-user endpoints (typically non-user endpoints are always connected)
Response: Concurrent User Endpoints: / Concurrent endpoints with 3rd party MDM: /
Concurrent endpoints with posture assessment: / Concurrent non-user endpoints:

EndPoint Types
What are the general client types deployed (Please provide service pack details for Windows and OS
types for MacOSX)?
● Will 3rd party Mobile Device Management (MDM) be integrated with ISE?
● If already using 3rd party Mobile Device Management (MDM) or planning to use MDM, please note
the vendor and version as well as a brief description of how it will integrate with ISE
◦ Please see the Cisco ISE – MDM Partner Integration guide for supported MDM vendors and
supported versions
● Are mobile devices corporate- or employee-owned assets?
● Will user access policy be based on device type (for example, laptop versus iPad)? If so, will
machine auth, profiling or static MAC assignments be used to distinguish device types?
● Please note how many of the concurrent endpoints will utilize MDM information during
authorization from ISE
Note: For domain joined Windows machines to function properly, machine authentication is
recommended. Performing user-only authentication may break critical functions such as machine
GPO and other background services such as backup and software push.
Note: State whether the deployment is using machine or user authentication, or both. If both machine
and user authentication are planned, are Machine Access Restrictions (MAR) planned? If so, review
the Appendix information on MAR caveats.
For machine / user authentication details, please refer to 802.1X Authenticated Wired and Wireless
Access.
Response: 3rd party MDM Vendor:
Windows Versions: Windows XP: / Windows Vista: / Windows 7: / Windows 8/8.1: / Windows 10: /
Windows Other:
Supplicant Type: Windows Native / AnyConnect NAM / 3rd Party supplicant:
Other User EndPoint Types: Mac OSX: / iDevice: / Android: / Linux: / Other EndPoint Types:
Non-User EndPoint Types: Wireless AP: / IP Phone: / Printer/Fax/Etc: / HVAC: / Medical: / SCADA: /
Other:

Network Overview
Physical Network Topology
Insert a high-level network diagram showing the proposed Identity Services Engine solution. This
should include any branch networks and data centers. Include the general number and types of
endpoints per location. Include WAN bandwidth information and show the placement of network
access devices and supporting services such as Active Directory/LDAP, DNS servers, NTP servers,
wireless controllers, switches, and VPN concentrators.
Note: The maximum latency between the admin node and any other ISE node, including secondary
admin, MnT, and PSN, is 200ms. Here is the link to the WAN bandwidth calculator for ISE deployments
(https://www.cisco.com/go/securitychannels). This calculator can be used to find out how much bandwidth needs
to be reserved for ISE operation across WAN links.
Physical Network Topology

Topology Specifics
Question | Response

Network Access Devices
Provide the general switch/controller model numbers/platforms deployed and the Cisco IOS and
AireOS software versions to be deployed to support the ISE design.
● Please see the ISE Component Compatibility Document for the recommended IOS and AireOS
versions
● Please explain if you are not planning on deploying the versions listed in the ISE compatibility
document.

Identity Services Engine Software Version
Please see the CCO Download Software Page for the latest software release.

Extensible Authentication Protocol (EAP) Types
Note: Inner EAP MSCHAPv2 is not supported with LDAP.
Note: Cisco ISE version 1.1 supports FIPS 140-2 Level 1 Compliance; please see the details in the
FIPS 140-2 Level 1 Compliance Page for more information.
Note: Cisco ISE 2.0 supports EAP chaining. When EAP Chaining is turned off, Cisco ISE performs
usual EAP-FAST authentication.
Response:
EAP Tunnel: PEAP / EAP-FAST / EAP-TTLS
Inner EAP: MSCHAPv2 / EAP-TLS / GTC / EAP-Chaining
Other EAP Types:

ID Stores
[EAP and ID Store Compatibility Reference]

List the internal and external ID stores used for different use cases.

Consider the following:


● 802.1X: AD
● MAB: Internal EndPoint + AD
● Web Authentication: Internal Guest + AD
● VPN: SecurID
● Guest Sponsors: AD
● Oracle Access Manager
● ISE GUI Admin: Certificate

Note: For Sponsored or Self-Service Guests, the ID store is always the ISE guest users database.

MS Active Directory Environment


● How many AD forests are to be integrated with ISE with multi-AD
feature?
● ISE requires AD forest DNS consolidated into central DNS servers. What
method is used to consolidate DNS information for the separate AD
forests?
● What version of AD is in use?
● Are there any Read-Only domains in place?

Note: AD Site & Services is recommended for ISE subnets for all forests.
For more information regarding multi-AD support, please refer to ISE 1.3
Multi-AD how-to guide

Web Authentication
● Will WebAuth be used?
● Will WebAuth be used for wired, wireless, or both?
● Will Local Web Auth (LWA) or Central Web Auth (CWA) be used?
● Where will the web portal be hosted?
Note: If deploying CWA the portal must be hosted by ISE. If deploying
LWA the portal can be local to access device, or external (such as ISE).
● Will web auth be used for guest access? Will web auth be used for non-
guests (for example, employees)?

Note: For more information on CWA and LWA support on different platforms,
please refer to ISE Component Compatibility Document

Authorization
Describe the enforcement types used. Consider the following options:
● VLANs
● ACLs (dACL for wired /named ACL for wireless)
● Security group tags/ACLs (SGTs/SGACLs)

dACL considerations:
● Cisco Catalyst switches support the wire−rate access control list (ACL)
with use of the ternary content addressable memory (TCAM). If the
TCAM is exhausted, the packets may be forwarded via the CPU path,
which can decrease performance for those packets. It is recommended
to limit the number of Access Control Entries (ACE) to prevent potential
TCAM exhaustion.
● Using the IP Source Guard feature or QoS features may also affect TCAM utilization.

VLAN considerations:
● Consider the use case for why VLAN enforcement is used and estimate
the number of VLANs required.
● To authorize an endpoint using dynamic VLANs (dVLANs), the access
device must have that VLAN locally defined or else authorization will fail.
● To reduce the number of unique authorization policy rules, access
devices should use consistent numbering, or case-sensitive naming if
assigning dVLANs by VLAN name or VLAN Group name.
● When using monitor mode of the phased deployment, VLAN assignment
may leave endpoints with the wrong IP address.
● Some endpoints, such as non-user devices, may not refresh their IP address after a
VLAN change.
● If devices are statically addressed, they may not be able to communicate
on the assigned VLAN.

Note: VLAN assignment is not supported with LWA (wired or wireless)


Note: Using dVLAN assignment to change VLANs between machine authentication and user
authentication, or for remediation purposes, on the Windows platform may result in a delay in
getting a new IP address.

Posture
● Which posture agents will be used? Consider: AnyConnect 4.0 posture
agent for Windows or Mac, Web agent for Windows
● If persistent posture agents are deployed, how will they be provisioned? (e.g.
through ISE, through another desktop software/patch management solution, or via
ASA)

In the Posture Policy section below, explain the posture policy by OS type
including remediation policies.

Note: For latest AV/AS posture requirements, review the list of currently
supported packages for Windows and MacOSX

Profiling
● Identify the primary device types to be profiled
● What is the profile data required to classify each device type?
● Which probes will be deployed to collect the required data?
● If SPAN/RSPAN is to be used, does the infrastructure support these technologies?
Note: If SPAN/RSPAN is used, a dedicated interface should be used on the Policy Service Node for
the DHCP SPAN or HTTP SPAN probe.
● If RSPAN or Netflow is to be used, is there sufficient bandwidth between the source SPAN/Netflow
exporter and the ISE Policy Service node used for profiling?
● Is profiling for visibility only or for use in authorization policy?
In the Profiling Policy section below, explain the profiling policy in detail.
Profiling Probes (Response): NETFLOW / DHCP / DHCPSPAN / HTTP / RADIUS / Device Sensor /
DNS / NMAP / SNMPTRAP / SNMPQUERY
ISE Nodes/Personas
● Number and type (3415/3495/VM) of each ISE appliance (node)
● Define the personas assigned to each node (e.g., Administration,
Monitoring, Policy Service, pxGrid, Device Admin) including Primary and
Secondary designations.

In the Deployment Details section below, provide information on the nodes


Note: Inline Posture node is no longer supported starting with ISE 2.0
Note: Each Policy Service Node (PSN) supports limited endpoints. Please
consider the number of PSN as per the number of required endpoints.
Note: EOS and EOL have been announced for the 33x5 appliances. For more information please refer
to the EOL announcement.

Switch Identity Configuration


Describe the wired switch identity configuration
● Multi-auth/multi-domain modes
● Flexible authentication sequencing and priority for 802.1X, MAB, and
web auth
● Is Class-Based Policy Language (CPL) for 3850 switch to be used?
● Is Failed-Auth or Guest VLANs to be used?

Note: These fallback mechanisms cannot be used with LWA/CWA


Note: Please refer to Cisco TrustSec 2.1 HowTo Guide in the Appendix for
configuration reference. We would recommend inputting the detailed switch
configurations here.

Wireless Configuration
Describe the wireless configuration
● How many SSIDs does the deployment require?
● Please provide SSID security settings.
● Is wireless AP in FlexConnect mode or not?
● For Guest wireless access, is the WLC configured as an anchor
controller?

Note: Not all functionality of FlexConnect AP mode with ISE is officially supported.
Note: For the WLANs, please configure the idle-timer to be more than 3600
seconds (1 hour) and session-timeout to be more than 7200 seconds (2
hours). Also, please increase the RADIUS Authentication & Accounting
server timeout to be 5 seconds.

Certificate Authority (CA) Integration
Describe the CA configuration
● How will ISE integrate with a 3rd party CA?
● Will ISE be issuing certificates for BYOD?
● Utilize web based CA portal on ISE?
● Utilize API for certificate management?
● Utilize AnyConnect/ASA for SCEP enrollment?
CA Types (Response): Standalone / Joined to existing PKI infrastructure / SCEP
Bring Your Own Devices (BYOD)
Describe the detailed BYOD configuration
● Is it Single SSID or Dual SSID?
● Will Android be in the BYOD design? If so, please provide details of
provisioning authorization profile
● What devices will be auto provisioned?
● What supplicant will be used? Please provide detailed supplicant
configuration information.
● What access will unsupported device get? (i.e. Blackberry, Windows
phones, Chromebooks)
● Will MDM be integrated with the BYOD design? If so, please provide details
of the MDM policy below in the Authorization Policy section and whether or
not redirection will be used for MDM agent installation

Note: Please note that Dual SSID and CWA are only supported with WLC
AireOS 7.2 and up. Please plan to use LWA if there is no plan to upgrade to
the devices that support CWA and MAB.
Note: With AireOS 7.6 and up, DNS based wireless ACLs are supported, which
allow the admin to create an ACL that gives Android devices access to the
Google Play Store.

Integration with 3rd party (Excluding MDM)


Describe the detailed integration with SIEM & Threat Defense products
● What product and vendor for SIEM? Please see the Cisco ISE – SIEM &
Threat Defense Eco System Integration guide for supported SIEM
vendors and supported versions
● What information will be forwarded to the SIEM?
● Will pxGrid be used? If so, which devices will subscribe to ISE?
● Will Adaptive Network Control (ANC) be used?

Policy Details
List all security policies that are needed to implement the business requirements described above.
Authentication: For each use case (wired, wireless, VPN), describe the authentication policies that
will be implemented for all users and endpoints whether managed or unmanaged.
Authentication Policy Example:
Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence
Device Access | Wired_MAB | Default Network Access | Internal EndPoints
802.1X Access | Wired_802.1X | Default Network Access | AD_then_Local
VPN | NAS-Port-Type = Virtual | Default Network Access | AD
Default | - | Default Network Access | Internal Users

Authentication Policy:
Rule Name Condition Allowed Protocols ID Store / ID Sequence

Authorization: For each use case (wired, wireless, VPN), describe the authorization policies that will
be implemented for all users and endpoints whether managed or unmanaged.
Authorization Policy Example:
Rule Name | Identity Groups | Other Conditions | Permissions
BYOD Unknown | Mobile Devices Logical Group | EAP Tunnel = PEAP, EAP Type = MSCHAPv2 | NSP dACL, NSP Redirect
BYOD Registered | Registered | EAP Type = EAP-TLS, SAN = Calling-StationID | Registered dACL
IP_Phones | Cisco-IP-Phones | - | Voice VLAN, Authz VVID
Printers | Managed-Printers | - | Printer VLAN
Cameras | Managed-Cameras | - | Camera VLAN
Workstation_Access | Any | Domain PC | AD Access dACL
User_Role_1_Access | Any | Domain Member Role1 | Role1 dACL
User_Role_2_Access | Any | Domain Member Role2 | Role2 dACL
Guest_Access | Guest | - | Internet Only dACL
Default | - | - | Web Auth
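As an added illustration (not part of the Cisco HLD template), the following Python evaluates the example authorization table above with first-match semantics. It assumes ISE's default first-matched-rule behaviour and uses simplified attribute names in place of the real ISE dictionary attributes; it shows why rule order matters and how the SAN = Calling-StationID condition keeps a BYOD certificate bound to the device it was issued to.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: Optional[str]   # None stands for "Any" / "-" in the table
    conditions: Dict[str, object]   # attribute -> required value; {} means "-"
    permissions: List[str]


# The HLD's example authorization table, transcribed top to bottom.
# Attribute names are simplified stand-ins (assumption), not ISE dictionary names.
EXAMPLE_POLICY: List[Rule] = [
    Rule("BYOD Unknown", "Mobile Devices Logical Group",
         {"EAP Tunnel": "PEAP", "EAP Type": "MSCHAPv2"}, ["NSP dACL", "NSP Redirect"]),
    Rule("BYOD Registered", "Registered",
         {"EAP Type": "EAP-TLS", "SAN = Calling-Station-ID": True}, ["Registered dACL"]),
    Rule("IP_Phones", "Cisco-IP-Phones", {}, ["Voice VLAN", "Authz VVID"]),
    Rule("Printers", "Managed-Printers", {}, ["Printer VLAN"]),
    Rule("Cameras", "Managed-Cameras", {}, ["Camera VLAN"]),
    Rule("Workstation_Access", None, {"Domain PC": True}, ["AD Access dACL"]),
    Rule("User_Role_1_Access", None, {"Domain Member": "Role1"}, ["Role1 dACL"]),
    Rule("User_Role_2_Access", None, {"Domain Member": "Role2"}, ["Role2 dACL"]),
    Rule("Guest_Access", "Guest", {}, ["Internet Only dACL"]),
    Rule("Default", None, {}, ["Web Auth"]),
]


def derive_attributes(session: Dict[str, object]) -> Dict[str, object]:
    """Add the derived attribute the 'BYOD Registered' row relies on: the
    certificate SAN must equal the RADIUS Calling-Station-ID (client MAC),
    which binds a BYOD certificate to the device it was issued to."""
    derived = dict(session)
    san = str(session.get("cert_san", "")).replace("-", ":").lower()
    mac = str(session.get("calling_station_id", "")).replace("-", ":").lower()
    derived["SAN = Calling-Station-ID"] = bool(san) and san == mac
    return derived


def rule_matches(rule: Rule, attrs: Dict[str, object]) -> bool:
    groups = attrs.get("identity_groups", ())
    if rule.identity_group is not None and rule.identity_group not in groups:
        return False
    return all(attrs.get(a) == wanted for a, wanted in rule.conditions.items())


def authorize(session: Dict[str, object],
              policy: List[Rule] = EXAMPLE_POLICY) -> Tuple[str, List[str]]:
    """Return (rule name, permissions) of the first matching rule, top-down."""
    attrs = derive_attributes(session)
    for rule in policy:
        if rule_matches(rule, attrs):
            return rule.name, list(rule.permissions)
    raise LookupError("no rule matched and the policy has no catch-all Default rule")


# Constructed sample sessions (not from the HLD); MACs are made up.
SAMPLE_SESSIONS: Dict[str, Dict[str, object]] = {
    "unregistered_phone": {"identity_groups": ["Mobile Devices Logical Group"],
                           "EAP Tunnel": "PEAP", "EAP Type": "MSCHAPv2",
                           "calling_station_id": "00:11:22:33:44:55"},
    # Registered device still in the mobile logical group: falls past rule 1
    # (no PEAP) and lands on rule 2 because SAN and MAC agree.
    "registered_ipad": {"identity_groups": ["Registered", "Mobile Devices Logical Group"],
                        "EAP Type": "EAP-TLS", "cert_san": "00-11-22-33-44-55",
                        "calling_station_id": "00:11:22:33:44:55"},
    # Same certificate presented from a different MAC: SAN check fails, so the
    # session drops to the Default rule instead of getting the Registered dACL.
    "cert_on_other_device": {"identity_groups": ["Registered"],
                             "EAP Type": "EAP-TLS", "cert_san": "00-11-22-33-44-55",
                             "calling_station_id": "66:77:88:99:aa:bb"},
    "ip_phone": {"identity_groups": ["Cisco-IP-Phones"]},
    # Domain PC that is also Role1: rule order gives Workstation_Access first.
    "domain_pc_role1": {"identity_groups": [], "Domain PC": True,
                        "Domain Member": "Role1"},
    "role2_user": {"identity_groups": [], "Domain Member": "Role2"},
}


def evaluate_samples() -> Dict[str, Tuple[str, List[str]]]:
    return {name: authorize(s) for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, (rule_name, perms) in evaluate_samples().items():
        print(f"{name:22s} -> {rule_name:20s} {perms}")
```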

Authorization Policy:
Rule Name Identity Groups Other Conditions Permissions

Guest Access: For each use case (wired or wireless), describe guest access policy. Provide
information on how guest will access the network including information on guest provisioning,
sponsors, and whether custom guest portal pages need to be created. Please fill details in the forms
below if the answer yes applies to you. Put no if the scenario does not apply to you.
Services Wired (yes or no) Wireless (yes or no)
Guest

Profiling: For each use case (wired or wireless), describe how the profile data will be collected by
each probe required to classify each device type to be profiled. For example, will SPAN or RSPAN be
used to carry data from the network to the Identity Services Engine? If so, what is the SPAN design?
Will dedicated ISE interfaces be used? If HTTP probe used, will SPAN or redirection be used to
capture user agent attributes?
Please note the number of events per second a platform can safely process, per the Platform
Performance Spec table below. For example, if iPad traffic is to be profiled by probing HTTP traffic for
the User Agent attribute, then the design must ensure the Policy Service node is not inspecting more
than 1200 HTTP events per second (3395 spec). Consider profiling strategies that reduce the overall load
on the Policy Service node, such as the use of HTTP redirect at connect time to capture the User Agent
attribute, or the use of IP Helper statements for DHCP capture instead of SPAN.
Profiling Policy / Requirements Example:
Device Profile | Unique Attributes | Probes Used | Collection Method
Cisco IP Phone | OUI | RADIUS | RADIUS Authentication
Cisco IP Phone | CDP | SNMP Query | Triggered by RADIUS Start
IP Camera | OUI | RADIUS | RADIUS Authentication
IP Camera | CDP | SNMP Query | Triggered by RADIUS Start
Printer | OUI | RADIUS | RADIUS Authentication
Printer | DHCP Class Identifier | DHCP |
POS Station (static IP) | MAC Address | RADIUS (MAC Address discovery) | RADIUS Authentication
POS Station (static IP) | ARP Cache for MAC to IP mapping | SNMP Query | Triggered by RADIUS Start
POS Station (static IP) | DNS name | DNS | Triggered by IP Discovery
Apple iPad/iPhone | OUI | RADIUS | RADIUS Authentication
Apple iPad/iPhone | Browser User Agent | HTTP | Authorization Policy posture redirect to central Policy Service node cluster
Apple iPad/iPhone | DHCP Class Identifier + MAC to IP mapping | DHCP | IP Helper from local L3 switch SVI
Apple iPad/iPhone | NMAP Scan Result | NMAP | Active Scanning
Device X | MAC Address | RADIUS (MAC Address discovery) | RADIUS Authentication
Device X | Requested IP Address for MAC to IP mapping | DHCP | RSPAN of DHCP Server ports to local Policy Service node
Device X | Optional to acquire ARP Cache for MAC to IP mapping | SNMP Query | Triggered by RADIUS Start
Device X | Port # traffic to Destination IP | Netflow | Netflow export from Distribution 6500 switch to central Policy Service node

Profiling Policy / Requirements:


Device Profile Unique Attributes Probes Used Collection Method

Posture: Describe posture policy requirements for endpoint compliance. This may include many
areas such as asset checking, application and services checking, and antivirus and antispyware
checks, as well as customized checks for specific use cases. Describe remediation plans and include
remediation servers that need to be integrated into the design.
Posture Policy Example:
Rule Name | OS (Windows/MacOSX) | Conditions | Posture Agent | Checks | Remediation | Enforcement (Audit/Opt/Mandatory) | When Assessed (Login/PRA/Both)
Employee_AV | Windows XP/7 | AD group=Employee | NAC Agent | AV Rule: for Microsoft Windows Security Essentials 2.x | Live update (Automatic) | Mandatory | Both
Employee_Asset | Windows XP/7 | AD group=Employee | NAC Agent | Custom registry check for Windows | Link redirect to policy page (Manual) | Mandatory | Login
Contractor_AV | Windows ALL | ID Group=Contractor | Web Agent | AV_Rule: Any AV w/current signatures | Local Message regarding AV Policy | Mandatory | Login

Posture Policy:

Rule Name | OS (Windows/MacOSX) | Conditions | Posture Agent | Checks | Remediation | Enforcement (Audit/Opt/Mandatory) | When Assessed (Login/PRA/Both)

Client Provisioning: Describe Client Provisioning policy requirements for posture and native
supplicant provisioning.
Client Provisioning Example:
Rule Name | Identity Groups | Operating Systems | Other Conditions | Results
Apple | Any | MAC OSX or Apple iOS | | Native Supplicant: EAP-TLS, SSID
Windows | Any | Windows All | | Agent: NAC Agent; Native Supplicant: PEAP-MSCHAPv2, SSID
Android | Any | Android | | Native Supplicant: EAP-TLS, SSID

Client Provisioning Policy:


Rule Name Identity Groups Operating Systems Other Conditions Results

Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For example, are there unsupported
switches, old or third party NADs incapable of some desired scenarios, IPv6 in use in some
locations, etc.?

High Availability
Discuss high availability considerations.
● High availability for each persona and node should be part of the design to ensure that no single
persona/appliance failure results in total loss of a service. Please confirm the persona/node
redundancy design and explain the reason if HA is not planned for any component.
● How will network access devices and ISE Policy Service nodes be configured for redundancy?
Note: For wireless deployments using LWA, only one URL can be defined for web
authentication.
● Please provide the details regarding how Load Balancing will be used in this deployment, if it
applies.

Migration
If migrating this deployment from ACS or ISE, provide details on the current deployment and how
you're going to address migration of licensing, existing policy, NAD configurations, etc.
● Is this a migration for an existing Cisco Secure ACS, NAC Appliance, NAC Profiler, and/or NAC
Guest Server deployment? If so, please list the existing product SKUs purchased to determine
full migration entitlement.
o For existing appliances supported by ISE, please indicate quantity and type of each appliance
model (for example, 1121, 3315, 3355, or 3395) to be migrated.
o For NAC Appliance license counts, please indicate the user license for each NAC Server (FO
pairs count as one license).
o For NAC Profiler endpoint counts, please provide the endpoint license for dedicated Profiler
Collectors, or quantity and type (331x or 335x) of each “CLT” license.
o If this is a NAC Guest Server (NGS) migration, please note the differences between the guest
access features of NGS and the Identity Services Engine Version 2.0 in the appendix section
of this document.
o If this is an ACS migration, please note the differences between the features of ACS 5.8 and
ISE 2.0 in the appendix section of this document (ACS 4.2 information is shown for
comparison purposes; currently there is no direct migration path from ACS 4.2 to ISE 2.0)

Client Provisioning and 802.1X Phasing


● Supplicant / Supplicant Configuration provisioning:
o For non-native supplicants (such as AnyConnect NAM), how are supplicants provisioned?
(E.g. SMS/WSUS)
o For native supplicants, please describe how the supplicant configuration is provisioned (E.g.
GPO)
● Certificate provisioning and CA:
o Are certificates used?

o How are they deployed?
o What is certificate strength, if known (key length, crypto hash)?
o Does the deployment have an in-house CA or public CA?
o Describe PKI infrastructure and requirements
Note: Cisco strongly recommends that a server certificate signed by an in-house CA or other 3rd
party Root CA server be used for ISE. A self-signed server certificate should not be used for
production deployments.
● Deployment modes (Please refer to DIG in Appendix for Mode details):
o Will Monitor mode be enabled for a period of time on the 802.1X-enabled routers and
switches?
o Will Authenticated or Enforcement mode (formerly known as “Low Impact mode”) be
deployed?
o Will Closed Mode (formerly known as “High Security mode”) be deployed?

ISE Node details


For deploying VMs:
The VM host should be sized comparably with the ISE appliance. See the platform hardware specs below for the CPU specification of the various appliances. For example, if the performance characteristics required are similar to a 3495 appliance, then per the platform performance specs the VM should contain 32GB RAM and 8 CPUs equivalent to an Intel Xeon CPU E5-2609 @ 2.4 GHz.
Note: Hard disks with 10K or higher RPM are required. Average IO Read performance for the disk should be higher than 300MB/sec and IO Write performance should be higher than 50MB/sec.
VMotion is supported since ISE 1.3. Please make sure to reserve the RAM and CPU cycles for the ISE node deployed as a VM.
Note: If the disk size needs to be resized, the node will need to be re-imaged from the ISO.
Note: The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or other guest VMs on the host.
Example:
Host Name (FQDN) | Persona | IP Address | VM/HW | CPU | RAM | Storage
ise1.example.com | Admin/MnT | 1.1.1.1 | VM | Intel Xeon E5-2609 @ 2.4 GHz x 8 Core | 32GB | 600GB
ise2.example.com | PSN | 2.2.2.2 | VM | Intel Xeon E5-2609 @ 2.4 GHz x 8 Core | 32GB | 300GB

Host Name (FQDN) | Persona | IP Address | VM/HW | CPU | RAM | Storage

Bill of Materials (BOM)
Insert as part of this document, or in a separate attachment, the list of equipment to be ordered for the Identity Services Engine deployment that matches the design. If a Sales Order has already been placed, be sure to include the order details here.
Please include SmartNet/SAU or explain its omission (for example, included as part of another order or support agreement, or a deliberate acknowledgement that support was declined).
If the HLD is part of an ACS/NAC migration, please include the appropriate migration SKUs. Use the information previously entered regarding existing appliance, software, and license purchases on eligible products to determine migration entitlement. For further details on migration entitlement and SKUs, please refer to the ISE Migration entitlement calculator located in the partner portal page:
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html)
Note: Please only include the information of the products that are related to ISE.
Example BOM:
Line | Product | Qty | List Price | Contract | Discount | Unit Price | Extended Price
1 | L-ISE-BSE-3500= | 1 | | | | |
2 | L-ISE-ADV3Y-1500= | 1 | | | | |
3 | SNS-3495-K9 | 2 | | | | |
4 | CON-PSRT-SNS3495 | 2 | | 12345678 | | |
5 | SNS-3415-K9 | 2 | | | | |
6 | CON-PSRT-SNS3415 | 2 | | 12345678 | | |
7 | L-ISE-ADV-S-1K= | 1 | | | | |
8 | ISE-ADV-3YR-1K | 1 | | | | |

Note: An ISE BoM Tool is available to assist with creating the BoM. Please refer to the ISE BoM Tool located in the partner portal page: (https://sambt.cisco.com)
Note: Since ISE 1.2, the S/N from both Admin nodes can be added to the license to improve flexibility. For more information please refer to the Cisco ISE License Application Note.
BOM details:
Line | Product | Qty | List Price | Contract | Discount | Unit Price | Extended Price

Appendix
Security Partner Community
Please visit Security Partner Community for additional ISE resources (Login required).
Migration SKUs
Please consult the ISE Packaging and Licensing Guide for migration SKUs.

Migration Guide
The Cisco Identity Services Engine Licensing Guide located in the partner portal page
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html)
explains packaging and licensing under the Authorized Technology Provider program for wired and VPN.

Machine Access Restrictions (MAR)


Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication. Cisco ISE retains each Calling-Station-ID value in its cache for the number of hours configured in the “Time to Live” parameter on the Active Directory Settings page; once that period expires, Cisco ISE deletes the entry from its cache. When a user authenticates from an end-user client, Cisco ISE searches the cache of Calling-Station-ID values from successful machine authentications for the Calling-Station-ID value received in the user authentication request. Whether a match is found affects how Cisco ISE assigns permissions to the user requesting authentication, in the following ways:
● If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization (user authentication with machine authentication) is assigned.
● If the Calling-Station-ID value does not match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

Potential Issues with MAR:

● Ethernet/WiFi transitions: the Calling-Station-ID (MAC address) is used to link machine and user authentication; the MAC address changes when a laptop moves from wired to wireless, breaking the MAR linkage.
● Machine state caching: the cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated among ACS/ISE instances.
● Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where the machine-auth cache entry is not present on the new RADIUS server or has timed out.
● Spoofing: the linkage between user authentication and machine authentication is tied to the MAC address only. It is possible for an endpoint to pass user authentication alone by using the MAC address of a previously machine-authenticated endpoint.
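As an added illustration (not Cisco code and not part of this HLD), the following Python model reproduces the MAR cache behaviour and the four issues listed above: a per-node cache keyed on the RADIUS Calling-Station-ID with a Time-to-Live, queried at user authentication time. MAC normalization, the sample MAC addresses and the fake clock are assumptions of this model.

```python
"""Toy model of the Cisco ISE Machine Access Restriction (MAR) cache.

Added illustration, not Cisco code. A successful machine authentication caches the
RADIUS Calling-Station-ID (attribute 31) for a 'Time to Live'; a later user
authentication is authorized differently depending on whether that value is still
cached. MAC normalization and the fake clock are assumptions of this model.
"""
import time

# The two authorization outcomes the text above describes.
USER_WITH_MACHINE_AUTH = "user+machine"      # Calling-Station-ID found in cache
USER_WITHOUT_MACHINE_AUTH = "user-only"      # not found, or its TTL has expired


def normalize_mac(calling_station_id):
    """Map the Calling-Station-ID spellings NADs send (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455) to one cache key. Assumed for the model."""
    digits = "".join(ch for ch in calling_station_id if ch.isalnum())
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % calling_station_id)
    return digits.lower()


class MarCache:
    """One policy service node's MAR cache: normalized MAC -> expiry timestamp.
    It lives only in this object's memory, which is the 'machine state caching'
    issue: nothing survives a restart or is shared with another MarCache."""

    def __init__(self, ttl_hours, clock=time.time):
        self.ttl_seconds = ttl_hours * 3600   # AD Settings 'Time to Live'
        self.clock = clock
        self._entries = {}

    def record_machine_auth(self, calling_station_id):
        """Called after a successful machine (computer) authentication."""
        self._entries[normalize_mac(calling_station_id)] = self.clock() + self.ttl_seconds

    def _expire(self):
        now = self.clock()
        for key in [k for k, exp in self._entries.items() if exp <= now]:
            del self._entries[key]

    def authorize_user(self, calling_station_id):
        """Called on a successful user authentication; returns the outcome family."""
        self._expire()
        if normalize_mac(calling_station_id) in self._entries:
            # The link is the MAC alone, which is why the text lists spoofing as a
            # caveat: the cache cannot tell one endpoint with that MAC from another.
            return USER_WITH_MACHINE_AUTH
        return USER_WITHOUT_MACHINE_AUTH


class FakeClock:
    """Constructed clock so the walk-through is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance_hours(self, hours):
        self.now += hours * 3600


def walk_through(ttl_hours=4):
    """Reproduce the MAR issues listed above with constructed sample MACs."""
    clock = FakeClock()
    psn1 = MarCache(ttl_hours, clock)
    psn2 = MarCache(ttl_hours, clock)   # second PSN: separate, unreplicated cache
    wired_mac = "00-11-22-33-44-55"     # constructed: the laptop's wired NIC
    wifi_mac = "00:11:22:33:44:66"      # constructed: the same laptop's wireless NIC
    out = {}
    psn1.record_machine_auth(wired_mac)                      # machine auth on wired
    out["same_psn"] = psn1.authorize_user("0011.2233.4455")  # same MAC, NAD spelling
    out["wifi_transition"] = psn1.authorize_user(wifi_mac)   # MAC changed: link broken
    out["other_psn"] = psn2.authorize_user(wired_mac)        # cache is not replicated
    clock.advance_hours(ttl_hours + 1)                       # e.g. back the next day
    out["after_ttl"] = psn1.authorize_user(wired_mac)        # cache entry timed out
    return out
```

Only the first case yields the machine-authenticated profile; the other three fall back to user-only authorization, which is the behaviour a deployment relying on MAR needs to plan for.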
Cisco TrustSec Design and TrustSec 2.1 HowTo Guide
● http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

Cisco SNS-3400 Series Appliance Specifications
● http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/installation_guide/b_ise_InstallationGuide14/b_ise_InstallationGuide14_chapter_010.html

Cisco Secure Access and TrustSec Release 5.0
● http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/c96-731479-00-secure-access.pdf

Cisco TrustSec-Enabled Infrastructure
● http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

Cisco ISE Configured Limited Deployment (ISE COLD) Program
● https://communities.cisco.com/docs/DOC-32999

Note regarding Performance Specifications
EOL has been announced for the 33x5 appliances; their specifications are provided here as a reference for migration. Deployments with VMs should follow the platform specifications based on the 3415 or 3495 appliances. For more information please refer to the EOL announcement.

Platform Hardware Specs

Platform | Processor | RAM | Hard disk | RAID | Ethernet NIC | Power
Cisco Identity Services Engine Appliance 3315 (Small) | 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz (4 total cores) | 4 GB | 2 x 250-GB SATA HDD (250 GB total disk space) | No | 4 x Integrated Gigabit NICs | -
Cisco Identity Services Engine Appliance 3355 (Medium) | 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (4 total cores) | 4 GB | 2 x 300-GB SAS drives (600 GB total disk space) | Yes (RAID 0) | 4 x Integrated Gigabit NICs | Redundant
Cisco Identity Services Engine Appliance 3395 (Large) | 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (8 total cores) | 4 GB | 4 x 300-GB SFF SAS drives (600 GB total disk space) | Yes (RAID 0+1) | 4 x Integrated Gigabit NICs | Redundant
Cisco Secure Network Server 3415 (Small/Medium) | 1 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (4 total cores) | 16GB | 1 x 600-GB 10k SAS HDD (600 GB total disk space) | No | 4 x Integrated Gigabit NICs | -
Cisco Secure Network Server 3495 (Large) | 2 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (8 total cores) | 32GB | 2 x 600-GB 10k SAS HDDs (600 GB total disk space) | Yes (RAID 1) | 4 x Integrated Gigabit NICs | Redundant

Platform Performance Specs for PSN when PAN and MnT are deployed as separate nodes – Maximum Concurrent Endpoints and Composite Authentications (authentication values are approximate)
When determining how many PSNs are needed for the deployment, please use ‘Maximum Concurrent Endpoints’ as the main guideline. Authentication performance for specific use cases is also provided in case it is required to size the deployment.

Usage | Cisco Secure Network Server 3415 Appliance | Cisco Secure Network Server 3495 Appliance
Maximum Concurrent Endpoints | 5,000 | 20,000
Posture Authentications | 25 per second | 45 per second
Guest Hotspot Authentications | 50 per second | 68 per second
Guest Sponsored User Authentications | 17 per second | 28 per second
Bulk Guest Creation via ERS API | 50 per second | 95 per second
BYOD Onboarding Single SSID (iOS) | 9 (External CA: 12) per second | 15 (External CA: 17) per second
BYOD Onboarding Dual SSID (iOS) | 10 (External CA: 12) per second | 14 (External CA: 17) per second
BYOD Onboarding Single SSID (Android) | 12 (External CA: 18) per second | 19 (External CA: 18) per second
BYOD Onboarding Dual SSID (Android) | 17 (External CA: 18) per second | 18 (External CA: 18) per second
MDM | 58 per second | 243 per second
MDM w/ cache | 114 per second | 406 per second
Internal CA Certificate Issuance via Web | 43 per second | 41 per second
Internal CA with AnyConnect/ASA SCEP | 18 per second | 34 per second
Internal CA Authorization w/ OCSP | 30 per second | 30 per second
TACACS+ AuthC & AuthZ combined | 2,000+ per second | 2,000+ per second

Platform Performance Specs – Authentications/Second with PSN only persona (Approximate values)
Platform | PAP Int. | PAP AD | PAP LDAP | PEAP (MSCHAPv2) Int. | PEAP (MSCHAPv2) AD | EAP-FAST (MSCHAPv2) Int. | EAP-FAST (MSCHAPv2) AD | EAP-FAST (GTC) Int. | EAP-FAST (GTC) AD | EAP-FAST (GTC) LDAP | EAP-TLS Int. | MAB Int. | MAB LDAP
Cisco Secure Network Server 3415 Appliance | 764 | 471 | 789 | 185 | 173 | 376 | 339 | 382 | 323 | 385 | 153 (130) | 528 | 597
Cisco Secure Network Server 3495 Appliance | 1318 | 419 | 1328 | 324 | 304 | 512 | 502 | 628 | 513 | 662 | 165 (140) | 1115 | 1150
Note: For PEAP (MSCHAPv2), numbers are w/o session resume & fast reconnect
Note: For EAP-FAST (MSCHAPv2), numbers are for authentication plus PAC provisioning
Note: For EAP-TLS, numbers are w/o session resume
Note: EAP-TLS numbers in brackets are for 2k-size certificates

System Performance Specs (Per Identity Services Engine deployment)

Description | Number
Maximum number of concurrent endpoints with separate Administration, Monitoring, and Policy Service nodes | 250,000 for 3495 as PAN
Maximum number of concurrent endpoints with Administration and Monitoring on a single node | 5,000 for 3415 as PAN/MnT; 10,000 for 3495 as PAN/MnT
Maximum number of concurrent endpoints with Administration, Monitoring, and Policy Service all on a single node | 5,000 for 3415; 10,000 for 3495
Maximum number of Policy Service nodes with separate Administration, Monitoring, and Policy Service nodes | 40 for 3495 as PAN
Maximum number of Policy Service nodes with Administration and Monitoring on a single node | 5
Maximum number of SXP peers | 100

System Scale (Per Identity Services Engine deployment)

Description | Number
Maximum number of NADs | 30,000
Maximum number of Network Device Groups | 100
Maximum number of AD join points | 50
Maximum number of Internal users | 25,000
Maximum number of Internal guests | 1,000,000 (expect latency in the admin GUI and user authentication beyond 500k)
Maximum number of Guest portals | 100
Maximum number of EndPoints | 1,000,000
Maximum number of Authentication Rules | 100 when Simple mode is used; 100 combined rules when Policy Set mode is used
Maximum number of Authorization Rules | 400 when Simple mode is used; 600 combined rules when Policy Set mode is used (best practice is to keep it below 100: with 100+ rules, GUI rendering and user access are negatively impacted)
TrustSec Security Group Tags (SGT) | 4,000
TrustSec Security Group ACLs (SGACLs) | 2,500
Maximum number of SXP bindings | 40,000

VM Disk Size Minimum Requirement

Persona | Disk (GB)
Standalone | 200+ GB
Administration Only | 200+ GB
Monitoring Only | 200+ GB
Policy Service Only | 200+ GB
Admin + MnT | 200+ GB
Admin + MnT + PSN | 200+ GB

Note: Thin Provisioning is supported since 1.3; however, Thick/Eager Provisioning will yield the best performance
Note: 10k RPM+ HDD or equivalent speed required
Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher
Note: 600GB max for non-MnT persona node, 2TB max for MnT persona node

MnT Persona Log Storage Requirement (days of retention, assuming the collection filter is enabled)
Concurrent Endpoints | MnT Disk Size 200 GB | 400 GB | 600 GB | 1024 GB | 2048 GB
10,000 | 126 | 252 | 378 | 645 | 1,289
20,000 | 63 | 126 | 189 | 323 | 645
30,000 | 42 | 84 | 126 | 215 | 430
40,000 | 32 | 63 | 95 | 162 | 323
50,000 | 26 | 51 | 76 | 129 | 258
100,000 | 13 | 26 | 38 | 65 | 129
150,000 | 9 | 17 | 26 | 43 | 86
200,000 | 7 | 13 | 19 | 33 | 65
250,000 | 6 | 11 | 16 | 26 | 52
Note: The above values are based on controlled criteria including message size, re-authentication interval, etc., and results may vary depending on the environment

Latency and bandwidth requirement among ISE nodes


The maximum latency between admin node and any other ISE node including secondary admin, MnT, and PSN is 200ms. The WAN
bandwidth calculator for ISE deployment is available here: https://www.cisco.com/go/securitychannels (1.2 version of the tool is still
valid for 2.0 release). This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN
links.

Guest server and ISE Guest Feature Comparison

Enforcement Device Support | Description | NGS 2.0 | ISE 2.0
Wireless LAN Controller | Can the WLC be used as a captive portal to authenticate the guest user? | X | X
NAC Appliance | Can NAC Appliance be used as a captive portal to authenticate the guest user? | X | X
Catalyst Web Authentication | Can Web Authentication in Catalyst switches be used as a captive portal to authenticate the guest user? | X | X
IOS Authentication Proxy | Can IOS Auth-Proxy in routers be used as a captive portal to authenticate the guest user? | X | X
ASA Authentication Proxy | Can Auth-Proxy in the ASA be used as a captive portal to authenticate the guest user? | X | X
Other RADIUS Devices | Can other devices that support a captive portal to authenticate the guest user against a RADIUS Server be used? For example a proxy server. | X | X
Central Web Authentication | Can Central Web Authentication be used to authenticate guests? | | X
Web-Auth Off-Box Credentials | Can web-auth entered credentials be authenticated against an external database via RADIUS? | X (2.0.3) | X

Provisioning Interface | Description | NGS 2.0 | ISE 2.0
Local Sponsor Authentication | Can sponsor user accounts be defined locally on the device? | X | X
AD SSO Sponsor Authentication | Can the device automatically authenticate sponsors against Active Directory using Single Sign On from their web browser (Kerberos)? | X | 
SAML SSO Sponsor Authentication | Can the sponsors authenticate via SAML? | | X
LDAP Sponsor Authentication | Can the device authenticate sponsors against external LDAP servers? | X | X
RADIUS Sponsor Authentication | Can the device authenticate sponsors against external RADIUS servers? | X | X
Number of Concurrent Sponsors | How many sponsors can be logged in concurrently? | Unlimited | Unlimited
Sponsor Role Based Access Control | Can different sponsors be assigned different permission levels based upon the group assigned by Local Group, LDAP or RADIUS attribute? | X | X
Restrict Login | Can you stop sponsors from logging in based upon role? | X | X
Ability to create accounts | Can you grant permission to sponsors to create or not be able to create guest accounts? | X | X
Ability to edit accounts | Can you grant permission to sponsors to edit or not be able to edit guest accounts? | X | X
Ability to suspend accounts | Can you grant permission to sponsors to suspend or not be able to suspend guest accounts? | X | X
Ability to reinstate accounts | Can you grant permission to sponsors to reinstate a suspended guest account? | | X
Ability to purge accounts | Can the guest user accounts be purged from the database? | | X
Bulk Creation by text | Does the system allow multiple accounts to be created at the same time by entering the details into a text form? | X | X
Bulk Creation by csv import | Does the system allow multiple accounts to be created at the same time by importing a csv file? | X | X
Bulk Create random accounts | Does the system allow multiple accounts to be created with no user details needing to be entered, and username/password being randomly generated? | X | X

Guest Account Policies | Description | NGS 2.0 | ISE 2.0
Guest Username Policy | Can you control how the guest username is automatically created? | X | X
Guest Password Policy | Can you control how the password is configured, requiring a minimum number of alpha, numeric and special characters? | X | X
Guest Password Change | Can you allow/require guests to change their password after logging in? | X | X
Guest Details Policy | Specify which details about the guest must be recorded, including first name, last name, email, company, phone number | X | X
Custom Guest Details | Request additional custom defined fields about the guest | 5 fields | X
Guest Roles | Can you assign different roles to different guests? | X | X
Restrict Login by Location | Only allow accounts created with a guest role the ability to login from pre-defined locations | X | X
Set QoS per role | Set QoS parameters by guest role | X | X
Set ACL per role | Set a different ACL on each guest based upon the role they have been assigned | X | X
Set VLAN per role | Set a different VLAN on each guest based upon the role they have been assigned | X | X
Set SGT per role | Set a different SGT on each guest based upon the role they have been assigned | | X
CoA | Can guest access be changed based on contextual awareness and endpoint state? | | X

Account Types | Description | NGS 2.0 | ISE 2.0
Start/End | Create accounts by specifying the time the account starts and ends | X | X
Duration | Create accounts by specifying the time the account can last from now | X | X
From First Login | Accounts which are valid for X minutes from the first time the guest logs in | X | Removed since 1.3
Usage Based | Accounts which are valid for X minutes within a Y minute period from first login | X | 

Guest Portal | Description | NGS 2.0 | ISE 2.0
Self Registration | Does the system support self-registration by guests? | X | X
Device Registration | Does the system support registration of devices? | | X
Device Self Registration | Does the system support self-registration of devices by guests? | | X
Guest Password Change | Allow Guests to change their password based upon policy? | X | X
Customizable guest portal | Can the guest’s web pages be fully customized? | X | X
Acceptable Use Policy | Can an Acceptable Use Policy be enforced so that guests must agree before being allowed access? | X | X

Notification | Description | NGS 2.0 | ISE 2.0
Print Out | Will the system create a printout of the guest details? | X | X
Email | Will the system email guest details to the guest's email address? | X | X
SMS | Will the system SMS guest details to the guest's mobile phone? | X | X
Details emailed to sponsor | Can the sponsor receive a copy of the account by email? | X | X

Interface Customization | Description | NGS 2.0 | ISE 2.0
Company Logo | Can the sponsor interface be customized with a company logo? | X | X
Multiple Languages | Can the sponsor interface support multiple languages? | X | X
Notification Customization | Can the email/SMS/print outs be customized? | X | X

Reporting | Description | NGS 2.0 | ISE 2.0
Sponsor Audit Trail | Keep a full audit trail of each operation made to an account by all sponsors. | X | X
Guest Accounting | Report on guest login/logout times, MAC address and IP address used. | X | X
Guest Activity Reporting | Supports the ability to report on guests' network activity such as URLs visited, connections made etc. Needs an external device such as an ASA or proxy to send the information via syslog to the box. | X | X
Management Reports | | X | X
CSV Export | Provide the ability for any report to be exported in CSV format. | X | X

Billing Support | Description | NGS 2.0 | ISE 2.0
Credit Card Billing Support | Supports guests purchasing accounts and billing against a Payment Gateway | X | 
Pre-pay Support | Allows accounts to be randomly created upfront that become valid at first login | X | 

Other | Description | NGS 2.0 | ISE 2.0
Application Programming Interface | Does the system have an API that can be used to perform all sponsor operations? | X | X
Posture Services for guest users | Can the guest user's host device be posture assessed and access policy granted based on compliance with security policy? | | X
Profiling Services for guest users | Can the guest user's host device be profiled and access policy granted based on the type of device the guest uses to access the network? | | X

ACS and ISE Feature Comparison

Authentication Protocol | ACS 4.2 | ACS 5.8 | ISE 2.0
PAP | X | X | X
CHAP | X | X | X
MS-CHAPv1 | X | X | X
MS-CHAPv2 | X | X | X
EAP-MD5 | X | X | X
EAP-TLS | X | X | X
PEAP (with EAP-MSCHAPv2 inner method) | X | X | X
PEAP (with EAP-GTC inner method) | X | X | X
PEAP (with EAP-TLS inner method) | X | X | X
EAP-FAST (with EAP-MSCHAPv2 inner method) | X | X | X
EAP-FAST (with EAP-GTC inner method) | X | X | X
EAP-FAST (with EAP-TLS inner method) | X | X | X
EAP Chaining with EAP-FASTv2 | | | X
EAP-TTLS | | | X
RADIUS Proxy | X | X | X
RADIUS VSAs | X | X | X
LEAP | X | X | X
LEAP Proxy | X | | 

TACACS+ | ACS 4.2 | ACS 5.8 | ISE 2.0
TACACS+ per-command authorization and accounting | X | X | X
TACACS+ support in IPv6 networks | | X | 
TACACS+ change password | X | X | X
TACACS+ enable handling | X | X | X
TACACS+ custom services | X | X | X
TACACS+ proxy | X | X | X
TACACS+ optional attributes | X | X | X
TACACS+ additional auth types (CHAP / MSCHAP) | X | X | X
TACACS+ attribute substitution for Shell profiles | X | X | 
TACACS+ custom port | X (one platform marked; column not recoverable from source) | | 

Identity Stores | ACS 4.2 | ACS 5.8 | ISE 2.0
Internal User & Host Database | X | X | X
Windows Active Directory | X | X | X
LDAP | X | X | X
RSA SecurID | X | X | X
RADIUS token server | X | X | X
ODBC | X | | 
AD Server specification per ACS/ISE instance | X X (two platforms marked; columns not recoverable from source) | | 
SAML | | | X
LDAP Server specification per ACS/ISE instance | X | | 
Ability to retrieve an internal user’s password from external ID store | X | X | 

Internal Users / Administrators | ACS 4.2 | ACS 5.8 | ISE 2.0
Users: Password complexity | X | X | X
Users: Static IP Address Assignment | X | X | X
Users: Password aging | X | X (Warning and disable after defined interval. Grace period is not supported) | X
Users: Password history | X | X | X
Users: Max failed attempts | X | X | X
Users: User expiration after a number of days | X | X | 
Users: Password inactivity | X X (two platforms marked; columns not recoverable from source) | | 
Users: User change password (UCP) utility | X | X | Limited (If the internal users are authorized as sponsors, then they may update passwords at the sponsor portal)
Admin: Password complexity | X | X | X
Admin: Password aging | X | X | X
Admin: Password history | X | X | X
Admin: Max failed attempts | X | X | X
Admin: Password inactivity | X (one platform marked; column not recoverable from source) | | 
Admin: entitlement report | X | X | X
Admin: session and access restrictions | X | X | X

Miscellaneous | ACS 4.2 | ACS 5.8 | ISE 2.0
Network Access Restrictions (NARs) | X | X | 
RDBMS sync | X | | 
Command line / scripting interface (CSUtil) | X | X (CLI interface is supported for bulk provisioning) | 
Integration with CiscoWorks for admin RBAC | X | | 
Log Viewing and reports | X | X | X
Export logs via SYSLOG | X | X | X
Time based permissions | X | X | X
Configurable management HTTPS certificate | X | X | X
CRL: Multiple URL definition | X (one platform marked; column not recoverable from source) | | 
CRL: LDAP based definition | X | | X
Online Certificate Status Protocol (OCSP) | X | X | X
Comparison of any two attributes in authorization policies | X | X | X
Configurable RADIUS ports | X | | 
Programmatic Interface for users, groups and end-point CRUD operations | X | X | X
Multiple NIC interfaces | | X | X
Secure Syslogs | | X | X

Miscellaneous | ACS 4.2 | ACS 5.8 | ISE 2.0
EAP-TLS Certificate lookup in LDAP | X | X | X
EAP-TLS Certificate lookup in Active Directory | X | X | X
Maximum concurrent sessions per user/group | X | X | 
Log to external DB (via ODBC) | X | X | X (Data can be exported from M&T for reporting. Not supported as log target)
Programmatic Interface for network device CRUD operations | X | X | X
Wildcards for hosts | X | X | X (With Authorization policy condition or profiling)
Configure devices with IP CIDR format | X | X | X
Configure devices with IP address ranges | X | X | 
Lookup Network Device by IP address | X | X | X (Not in combination with other fields)
Dial-in Attribute Support | X X (two platforms marked; columns not recoverable from source) | | 
Support comparison of any two attributes in policies | X | X | X
Display RSA de missing secret | X | X | 
Starts with / Ends with / Contains / Contains Any Policy Operators | X | X | X
Nested compound conditions with both AND or OR operators | X | X | X

Printed in USA C07-676884-01

