Identity-Based Network AccessThe Cisco ISE solution provides context-aware identity management in the following areas:
• Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
• Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
• Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role,location, device type, and so on).
• Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.
Basic User Authentication and AuthorizationUser authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated.
Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks.
Client Posture AssessmentTo ensure that the imposed network security measures remain relevant and effective, Cisco ISE enables you to validate and maintain security capabilities on any client machine that accesses the protected network. By employing posture policies that are designed to ensure that the most up-to-date security settings or applications are available on client machines, the Cisco ISE administrator can ensure that any client machine that accesses the network meets, and continues to meet, the defined security standards for enterprise network access.
Posture assessment and compliance occurs using one of the following agent types available in Cisco ISE:
• Cisco NAC Web Agent—A temporal agent that the users install on their system at the time of login and that is no longer visible on the client machine once the login session terminates.
• Cisco NAC Agent—A persistent agent that, once installed, remains on a Windows or Mac OS X client machine to perform all security compliance functions.
• AnyConnect ISE Agent — A persistent agent that can be installed on Windows or Mac OS X client to perform posture compliance functions.
Profiled Endpoints on the NetworkThe Profiler service assists in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on your network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups.
The Profiler Feed service allows administrators to retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server through a subscription in to Cisco ISE.