Data Sheet

Cisco Identity Services Engine

Todays enterprise is becoming more dynamic, with increasing numbers of users, devices, and methods of access. The compute platform is no longer tied to its applications and data, creating unprecedented opportunities for differentiated services in the network. While these developments offer enterprises more flexibility, they introduce new possibilities for security breaches and uncontrolled user and endpoint access. Network security officers and administrators require solutions that enable access for users and endpoints based not only on a users or endpoints identity, but also on a range of other attributes such as location, time of day, endpoint type, and the endpoints posture state. Because this contextually rich information is often lacking, administrators struggle to build the appropriate authentication and authorization policies across the enterprise. Moreover, these administrators also now need to effectively audit network use, monitor corporate compliance, and get broad visibility into policies and activities across the network making their jobs even that more challenging.
Cisco has a solution to assist network security officers and administrators with these obstacles: the Cisco Identity Services Engine.

Product Overview
The Cisco Identity Services Engine is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. Its unique architecture allows enterprises to gather real-time contextual information from networks, users, and devices to make proactive governance decisions by enforcing policy across the network infrastructure. The Cisco Identity Services Engine is an integral component of the Cisco TrustSec solution that helps secure and govern borderless networks. The Cisco Identity Services Engine provides a highly powerful and flexible attribute-based access control solution that combines authentication, authorization, and accounting (AAA); posture; profiling; and guest management services on a single platform. Administrators can centrally create and manage access control policies for users and endpoints in a consistent fashion, and gain end-to-end visibility into everything that is connected to the network. The Cisco Identity Services Engine automatically discovers and classifies endpoints, provides the right level of access based on identity, and provides the ability to enforce endpoint compliance by checking a devices posture. The Cisco Identity Services Engine also provides advanced enforcement capabilities, including Security Group Access (SGA) through the use of security group tags (SGTs) and security group access control lists (ACLs).

Features and Benefits

An integral component of the Cisco TrustSec solution, the Cisco Identity Services Engine:

Allows enterprises to authenticate and authorize users and endpoints via wired, wireless, and VPN with consistent policy throughout the enterprise

Prevents unauthorized network access to protect corporate assets Provides complete guest lifecycle management by empowering sponsors to on-board guests, thus reducing IT workload

Discovers, classifies, and controls endpoints connecting to the network to enable the appropriate services per endpoint type

2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 1 of 1

Data Sheet

Addresses vulnerabilities on user machines through periodic evaluation and remediation to help proactively mitigate network threats such as viruses, worms, and spyware

Enforces security policies by blocking, isolating, and repairing noncompliant machines in a quarantine area without needing administrator attention

Offers a built-in monitoring, reporting, and troubleshooting console to assist helpdesk operators and administrators streamline operations

The Cisco Identity Services provides several additional key features, described in Table 1.
Table 1.
Feature AAA protocols Authentication protocols

Key Cisco Identity Services Engines Features

Details Utilizes standard RADIUS protocol for authentication, authorization, and accounting (AAA). Supports a wide range of authentication protocols, including PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), and EAPTransport Layer Security (TLS). Offers a rules-based, attribute-driven policy model for creating flexible and business-relevant access control policies. Attributes are pulled from predefined dictionaries that include information about user and endpoint identity, posture validation, authentication protocols, profiling identity, or other external attribute sources. Attributes can also be created dynamically and saved for later use. Provides a wide range of access control mechanisms including downloadable access control lists (dACLs), VLAN assignments, URL redirect, and SGA tagging leveraging the advanced capabilities of Cisco network devices. Ships with predefined device templates for a wide range of endpoints such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administrative-defined identities when endpoints connect to the network. Administrator can also associate endpoint-specific authorization policies based on device type. Enables full guest lifecycle management whereby guest users can access the network for a limited time either through administrator sponsorship or by self-signing via a guest portal. Allows an administrator to customize portals and policies based on specific needs of the enterprise. Verifies endpoint posture assessment for all types of users connecting to the network. Works via either a persistent client-based agent or temporal web agent to validate that an endpoint is conforming to the companys posture policies, such as having the latest operating systems patches and running an antivirus software package with current definition files. Powerful assessment rule logic can check endpoints for such things as file variables (version, date, etc.), registry checks (key, value, etc), application and state, and antivirus/antispyware software status while allowing for simple or complex compound conditions. Also supports auto-remediation of the client as well as periodic reassessment to make sure the endpoint is not in violation of company policies. Enables administrators to centrally configure and manage profiler, posture, guest, authentication, and authorization services in a single web-based GUI console, greatly simplifying administration by providing consistency in managing all these services. Includes an integrated monitoring, reporting, and troubleshooting component accessible through a web-based GUI to assist helpdesk and network operators. Offers comprehensive reporting for all services, logging of all activities, and real-time dashboard metrics of all users and endpoints connecting to the network. Available as a physical or virtual appliance. There are three physical appliance models as well as a VMware ESX or ESXi based appliance.

Policy model

Access control

Profiling

Guest lifecycle management

Posture

Centralized management

Monitoring and troubleshooting

Platform options

Product Specifications
There are three hardware options for the Cisco Identity Services Engine (see Table 2).
Table 2. Cisco Identity Services Engine Hardware Specifications
Cisco Identity Services Engine Appliance 3315 (Small) Processor Memory Hard disk RAID Removable media 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz 4 GB 2 x 250-GB SATA HDD No CD/DVD-ROM drive Cisco Identity Services Engine Appliance 3355 (Medium) 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz 4 GB 2 x 300-GB SAS drives Yes (RAID 0) CD/DVD-ROM drive Cisco Identity Services Engine Appliance 3395 (Large) 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz 4 GB 4 x 300-GB SFF SAS drives Yes (RAID 0+1) CD/DVD-ROM drive

2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 2 of 4

Data Sheet

Cisco Identity Services Engine Appliance 3315 (Small) Network Connectivity Ethernet NICs 10BASE-T cable support 10/100/1000BASE-TX cable support Secure Sockets Layer (SSL) accelerator card Interfaces Serial ports USB 2.0 ports Video ports External SCSI ports System Unit Form factor Weight Dimensions Power supply Cooling fans BTU rating Rack-mount 1 RU 28 lb (12.7 kg) fully configured 1.69 x 17.32 x 22 in. (43 x 440 x 55.9 mm) 350W 6; non-hot plug, nonredundant 1024 BTU/hr (at 300W) 1 4 (two front, two rear) 1 None x Integrated Gigabit NICs Cat 3, 4, or 5 unshielded twisted pair (UTP) up to 328 ft (100 m) Cat 5 UTP up to 328 ft (100 m) None

Cisco Identity Services Engine Appliance 3355 (Medium)

Cisco Identity Services Engine Appliance 3395 (Large)

4 x Integrated Gigabit NICs Cat 3, 4, or 5 UTP up to 328 ft (100 m) Cat 5 UTP up to 328 ft (100 m) Cavium CN1620-400-NHB-G

4 x Integrated Gigabit NICs Cat 3, 4, or 5 UTP up to 328 ft (100 m) Cat 5 UTP up to 328 ft (100 m) Cavium CN1620-400-NHB-G

1 4 (one front, one internal, two rear) 1 None

1 4 (one front, one internal, two rear) 1 None

Rack-mount 1 RU 35 lb (15.87 kg) fully configured 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) Dual 675W (redundant) 9; redundant 2661 BTU/hr (at 120V)

Rack-mount 1 RU 35 lb (15.87 kg) fully configured 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) Dual 675W (redundant) 9; redundant 2661 BTU/hr (at 120V)

Cisco Identity Services Engine virtual appliances are supported on VMware ESX/ESXi 4.x and should be run on hardware that equals or exceeds the characteristics of the physical appliances listed in Table 2. At minimum, Cisco Identity Services Engines require the virtual target to have allocated at least 4 GB of memory and at least 200 GB of hard drive space.

System Requirements
The optional Cisco NAC Agent works on range of different systems (see Table 3).
Table 3.
Feature Supported OS

Cisco NAC Agent System Requirements

Minimum Requirement Microsoft Windows Vista Business, Windows Vista Ultimate, Windows Vista Enterprise, Windows Vista Home, Windows 7, Windows XP Professional, Windows XP Home, Windows XP Media Center Edition, Windows XP Tablet PC, Windows 2000, Windows 98, Windows SE, and Windows ME; Mac OS X (v10.5.x, v10.6.x) Minimum of 10 MB free hard drive space No minimum hardware requirements (works on various client machines)

Hard drive space Hardware

Service and Support

Cisco offers a wide range of services programs to accelerate your success. These innovative programs are delivered through a combination of people, processes, tools, and partners that results in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, see Cisco Technical Support Services or Cisco Advanced Services. Warranty information is available at http://www.cisco.com/go/warranty. Licensing information is available at http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html.

2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 3 of 4

Data Sheet

For More Information

For more information about Cisco Identity Services Engine products and the Cisco TrustSec solution, visit http://www.cisco.com/go/ise or contact your local Cisco account representative.

Printed in USA

C78-656174-01

08/11

2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 4 of 4