Cisco Identity Services Engine (ISE) Quick Overview

Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company’s routers and switches. The purpose is to simplify identity management across diverse devices and applications. In this short article we will be giving you an overview of the Cisco Identity Services Engine (ISE), that can help you to better grasp the major underlying details.

Cisco describes ISE as :

“The Cisco Identity Services Engine (ISE) offers a network-based approach for adaptable, trusted access everywhere, based on context. It gives you intelligent, integrated protection through intent-based policy and compliance solutions.”

Cisco ISE, What it is used for?

Cisco Identity Services Engine (ISE) is a server based product. By using the ISE you can either have a Cisco ISE appliance or Virtual Machine that enables the creation and enforcement of access polices for endpoint devices connected to a companies network. In simple words ISE is a network administration product that helps network administrators to create and enforce security and access policies for end point devices that are connected with the switch or router in company’s network.

What can be done with  Cisco ISE?

As a network administrator that question arises when you see the ISE product suite. In a very layman terms user can control who can access your network and when they do what they can get access to or have what type of access rights configured for them. Cisco ISE can authenticate wired, wireless and vpn users. In terms of scalability it  can scale to millions of endpoints. Based on many factors including the validity of a certificate, mac address or device profiling network administrator can swiftly identify a machine and determine which vlan that machine is placed into. Any devices that do not pass authorization checks will be placed into a guest vlan or simply denied access to the network. Nothing is completed with out proper logging and in Cisco ISE all  information is logged and network administrator can instantly get a view of what is connected to companies network at any time.

Cisco ISE Nodes

The Cisco ISE solution is comprised of a deployment of nodes with following ISE variants:

  • Policy Administration Node (PAN)
  • Monitoring  Node (MnT)
  • Policy Services Node (PSN)
  • pxGrid

Depending on the size of network deployment all three variants can be run on the same device or spread across multiple devices for redundancy and scalability. We will briefly take a look at each one of them.

cisco identity services engine

Policy Administration Node (PAN)

The Policy Administration Node  is ISE Node at which the administrator logs into to configure policies and make changes to the entire ISE system. Once configured on the PAN the changes are pushed out to the policy services nodes. It handles all system related configurations and can be configured as standalone, primary or secondary.

Monitoring Node (MnT)

The Monitoring Node  is where all the logs are collected and where report generation occurs. Every event that occurs within the ISE topology is logged to the monitoring node you can then generate reports showing the current status of connected devices and unknown devices on your network.

Policy Services Node(PSN)

The Policy Services Node is the contact point into the Company’s network. Each Network switch is configured to query a radius server to get the policy decision to apply to the network port the radius server is the PSN. In larger deployments you use multiple PSN’s to spread the load of all the network requests, thus effectively performing load balancing. The PSN provides network access, posture, guest access, client provisioning, and profiling services. There must be at least one PSN in a distributed setup.

pxGrid Node

The pxGrid framework is used to exchange context-sensitive information from the CISCO ISE session directory. It allows the ISE system to pass data to other Cisco platforms and third party vendors. This information can then be used to invoke actions to quarantine users or block access in response to network security events.


Other Articles you might be interested in


Cisco ISE Licensing

In a very simple manner, the license model of Cisco ISE is written below but all the information from Cisco can be found here in the admin guide license section.

The Cisco ISE licensing model allows user to purchase license based on enterprise needs and requirements. There are two ways of employing licenses. Traditional or Smart.

  • Traditional licensing is where user import a license onto the appliance
  • Smart licensing is where user manage a cisco account that holds all the information on the license purchased for your deployment.

Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

The valid license options are as follows:

  • ISE Base only
  • ISE Base and Plus
  • ISE Base and Apex
  • ISE Base, Plus, and Apex
  • ISE Base, Plus, Apex and AnyConnect Apex

ISE Base License

The base license is a perpetual license and is the only requirement for AAA and IEEE802.1x and also covers guest services and Trustsec. A base license is consumed for every active device on the network.

ISE Base and Plus

A plus license is required for Bring Your Own Device (BYOD), Profiling, Adaptive Network Control (ANC) and PxGrid. A base license is required to install the plus license and the plus license is a subscription for 1,3 or 5 years.

ISE Base and Apex

The Apex license is the same as the plus license in that it is a 1,3,5 year subscription, requires the base license but is used for Third Party Mobile Device Management & Posture Compliance.

ISE Device Administration

There is a device administration license required for TACACS which is a perpetual license, a base license is required to install the device administration license and you only require one license per deployment.

ISE Evaluation

An evaluation license covers 100 nodes and provide full Cisco ISE functionality for 90 days. All Cisco ISE appliances are supplied with an evaluation license.

 Difference between Cisco ISE and  ACS

The differences between ISE and ACS is the major question that arises in the minds of network managers. In simple terms ISE is the next generation of network authentication and is so much more powerful than ACS. ACS is used to authenticate users to network devices and for VPN sessions but it is not a NAC solution. If you want to implement full network access control you need Cisco ISE.


You can have the further information regarding Cisco ISE at following Cisco Website.