My company is in the very early stages of an MDM BYOD project. As part of that we are looking at the Cisco Identity Services Engine (ISE) as a central piece. I am about halfway through my testing and I thought I would pass on some of what I have learned so far. I am far from being an ISE expert, and I don't cover profiling or the advanced features in this post; I have tried them but don't feel knowledgeable enough to go into those details.
ISE is an excellent NAC system, but it does much more than that. One of the advantages of configuring a new piece of technology yourself is that you learn much more, including other ways to increase the ROI. The main reason we are interested in ISE is as the enforcement point on our wireless network. When a device tries to connect to our BYOD network, we want ISE to query the MDM server to verify whether the device is registered and, if not, to redirect the device to the MDM provisioning portal. If the device is registered with MDM, ISE then queries AD and verifies the user's credentials. This is a core function of ISE, and it went fairly well.
As a wireless engineer, I am very excited about the guest wireless features of ISE; this is a huge value add for my company, as we have thousands of guests a month and the WLC lobby admin feature is a bit tedious. ISE will allow anyone in the correct AD group to sponsor a guest, or we can let guests self-register. A downloadable access control list (dACL) can then be applied, limiting the guest's access to internal resources. I personally like the sponsor option better for our environment.
Another feature I love and can see using in the future is, once again, the dACL. We have handheld scanners in our environment, and let's say their security features are not robust. By putting the scanners' usernames in an AD group we can call a dACL on our WLC and limit what the scanners can talk to. This again will be a value add and will replace the non-centralized methods we have in use now. While these features have been available from Cisco in other products in the past, having them brought together in one fully integrated product will be a dream to administer and gives the fabled "single pane of glass" view into network access.
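To show what "limit what the scanners can talk to" means in practice, here is an added example (not code from this post or from Cisco): a small Python evaluator that reads a dACL written in Cisco's extended-ACE form and applies first-match semantics with the implicit deny at the end. The scanner dACL, its addresses and ports are all constructed for illustration.

```python
import ipaddress

def parse_ace(line):
    """Parse one Cisco-style extended ACE, e.g. 'permit tcp any host 10.20.5.25 eq 443'.
    Returns (action, protocol, destination network, destination port or None)."""
    parts = line.split()
    action, proto, src, rest = parts[0], parts[1], parts[2], parts[3:]
    if action not in ("permit", "deny") or src != "any":
        raise ValueError("dACL entries must be permit/deny with source 'any': " + line)
    if rest[0] == "any":
        dst, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        dst, rest = ipaddress.IPv4Network(rest[1]), rest[2:]  # bare address -> /32
    else:  # 'network wildcard' form, e.g. '10.20.5.0 0.0.0.255' (wildcard = host mask)
        dst, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}"), rest[2:]
    port = int(rest[1]) if rest[:1] == ["eq"] else None  # only 'eq N' is supported here
    return action, proto, dst, port

def evaluate(dacl_lines, proto, dst_ip, dst_port=None):
    """First matching ACE wins; anything that matches nothing hits the implicit deny."""
    dst = ipaddress.IPv4Address(dst_ip)
    for action, ace_proto, network, port in map(parse_ace, dacl_lines):
        if ace_proto not in ("ip", proto):
            continue
        if dst not in network:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"

# Constructed dACL for the handheld scanners: DNS, one application server,
# label printers on the warehouse subnet, and nothing else (hypothetical addresses).
SCANNER_DACL = [
    "permit udp any host 10.20.0.10 eq 53",
    "permit tcp any host 10.20.5.25 eq 443",
    "permit tcp any 10.20.5.0 0.0.0.255 eq 9100",
    "deny ip any any",
]

if __name__ == "__main__":
    checks = [("tcp", "10.20.5.25", 443), ("tcp", "10.20.5.25", 22),
              ("tcp", "10.20.5.77", 9100), ("tcp", "10.30.1.1", 445)]
    for proto, ip, port in checks:
        print(f"{proto} -> {ip}:{port}: {evaluate(SCANNER_DACL, proto, ip, port)}")
```

The second and fourth checks fall through to the final deny, which is the point of the dACL: a compromised scanner cannot reach SMB on the application server or anything outside the listed hosts.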
I am very hopeful about ISE from what I have tested so far, and I am glad I decided to do the lab portion myself. I intend to engage a partner for the pilot and deployment due to the scale. If you want to keep up with my lab testing you can take a look at my Twitter feed @wfmaguire. Thanks for reading, and please leave a comment below about your favorite ISE feature or another one I should look at!
Nice write-up... keep me in the loop on your journey!
At my last job we had something like that. I always wanted to know about the provisioning portal. Great post.
Good information. I am also working on an ISE deployment to achieve network edge security for devices of either 'Owned', 'Trusted' or 'Untrusted' classification, for about 350,000 endpoints. I think the product is very young but has potential.