In my earlier post about the Cisco 300-208 SISAS (Implementing Cisco Secure Access Solutions) exam, I listed out a few key concepts related to Cisco ISE (Identity Services Engine):

  • Understand what ISE is.
  • Understand why you might use ISE in a wired or wireless network.
  • Understand what ISE does at a protocol level.
  • Understand how ISE interacts with Network Access Devices and other systems.
  • Understand how to configure ISE and the Network Access Devices.

This post will deal with Concept 2, Understand why you might use Cisco ISE.

So You Have a Network…

In looking at why you might use Cisco ISE, you need to think about things beyond the simple routing and switching of packets, which seems to be the mindset of many network engineers. There is life outside layers 1 through 4 of the OSI Model, unfortunately, and it has a direct impact on why we might want to use Cisco ISE (or any NAC product, for that matter).

Imagine that you have a medium to large enterprise network; it is a happy network, with carloads of capacity and scads of speed. However, during a recent compliance audit, you were informed that your network is woefully un-segmented and just won’t do. Adam the Accountant, Marge the Marketer, and Harry at the Help Desk all live in the same VLAN. In addition, Harry and Adam are both using personal tablets on the WiFi to access the corporate Intranet, and Marge’s wireless VoIP phone is on the same SSID as well. The question here is: what do you do?

Well obviously, the complete solution to this problem is not simply “CISCO ISE DAWG, WE GOT THIS!”

How do you determine that Brad the Banker is only allowed to access appropriate resources?