ISE HLD
2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 28
Contents
Introduction, p. 3
  Retirement of ISE ATP Program, p. 3
  Document Purpose, p. 3
Business Objectives, p. 4
  Customer's Business Goals, p. 4
Estimated Timelines, p. 5
Customer Environment Summary, p. 6
Customer Network Overview, p. 7
  Physical Network Topology, p. 7
  Topology Specifics, p. 8
Policy Details, p. 13
Deployment Details, p. 17
  Unknowns, p. 17
  High Availability, p. 17
  Migration, p. 17
  ISE Node Details, p. 18
Bill of Materials (BOM), p. 19
Appendix, p. 20
  Security Partner Community, p. 20
  Migration SKUs, p. 20
  Migration Guide, p. 20
  Machine Access Restrictions (MAR), p. 20
  Note regarding Performance Specifications, p. 22
  Platform Hardware Specs, p. 22
  Platform Performance Specs for PSN when PAN and MnT are deployed as separate nodes: Max Concurrent Endpoints and Composite Authentications (authentication values are approximate), p. 22
  Platform Performance Specs: Authentications/Second with PSN-only persona (approximate values), p. 23
  System Performance Specs (per Identity Services Engine deployment), p. 23
  System Scale (per Identity Services Engine deployment), p. 23
  VM Disk Size Minimum Requirement, p. 23
  MnT Persona Log Storage Requirement (days of retention, assuming collection filter is enabled), p. 24
  Latency and bandwidth requirement among ISE nodes, p. 24
  Guest Server and ISE Guest Feature Comparison, p. 24
  ACS and ISE Feature Comparison, p. 26
Introduction
Retirement of ISE ATP Program
ISE is being phased out of the ATP program, so an HLD is no longer required as part of an ISE order. For partner resources,
please visit the Security Partner Community (https://www.cisco.com/go/securitychannels). The latest version of the HLD and the
Bandwidth Calculator are available there as well.
Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for the Cisco Identity Services
Engine (ISE) with the Secure Access solution. Because of the many product configurations and deployment options, this
document is provided to assist with obtaining the relevant design information from your customer. The Secure Access
solution using the Cisco Identity Services Engine is a system architecture comprising many components, including
endpoints, network access devices, identity stores, certificate authorities, and many APIs for third-party integrations, that
provides guest services, profiling, BYOD enrollment and AAA for all user and device access control needs. An
engineer must consider the Secure Access solution holistically, covering immediate as well as future requirements,
before deciding what equipment to purchase. This HLD template steps the engineer through what needs to be
considered. If the engineer is not intimately familiar with the proposed network, a network assessment may be necessary
before completing the HLD. This document can be used during the design phase of the ISE deployment to help
engineers collect the key information relevant to a successful ISE deployment. Cisco TAC or Secure Access and
Mobility Product Group representatives may request a copy of the HLD with any support or escalation case.
Business Objectives
Customer's Business Goals
Describe the customer's business goals. Consider the following example business goals:
Profiling for visibility or inventory management (differentiation of services based on device type)
Differentiation of service based on user identity
Regulatory compliance
Securing wireless network and providing guest access
Managing employee-provided devices (e.g., iPads)
Port lockdown
Ensuring endpoint health or posture
Network Device Administration
Other
The Policy Details provided in later sections of this HLD should reflect the business objectives stated here.
Estimated Timelines
Phase | Number of endpoints | Begin | End | Comments
N/A | | | |
N/A | | | |
Customer Environment Summary
Use cases in scope for design (please check or add to the list) | Response
Wired
Wireless
VPN
BYOD
pxGrid
MACSec
Device Admin
Profiling/Visibility
Posture Assessment
TrustSec
Guest Access
MDM Integration
RADIUS Proxy
Location Integration
Other Use Cases:
Endpoint count
Total endpoint count for the entire deployment (endpoint count equals the sum of user and non-user devices)
o User Endpoints: total user endpoints (i.e. Windows PCs, mobile devices, guest devices)
o Non-user Endpoints: total non-user endpoints (including IP phones, wireless APs, printers, etc.)
Concurrent endpoint count
Customer Network Overview
Topology Specifics
Question | Response
MDM integration: please see the Cisco ISE MDM Partner Integration guide for the supported MDM vendors and versions.
EAP Tunnel: PEAP, EAP-TTLS
Inner EAP: MSCHAPv2, GTC
Other EAP Types: EAP-FAST, EAP-TLS, EAP-Chaining
Windows Vista:
Windows 8/8.1:
Windows Other:
AnyConnect NAM:
iDevice:
Linux:
IP Phone:
HVAC:
SCADA:
ID Stores [EAP and ID Store Compatibility Reference]: list the internal and external ID stores the customer will use for the different use cases.
Profiling Probes
NETFLOW
DHCPSPAN
RADIUS
DNS
SNMPTRAP
DHCP
HTTP
Device Sensor
NMAP
SNMPQUERY
ISE Nodes/Personas
Number and type (3415/3495/VM) of each ISE appliance (node).
Define the personas assigned to each node (e.g., Administration, Monitoring, Policy Service, pxGrid, Device Admin),
including Primary and Secondary designations.
In the Deployment Details section below, provide information on the nodes.
Note: The Inline Posture node is no longer supported starting with ISE 2.0.
Note: Each Policy Service Node (PSN) supports a limited number of endpoints. Size the number of PSNs according to
the number of required endpoints.
Note: EOS and EOL were announced for the 33x5 appliances. For more information please refer to the EOL announcement.
Switch Identity Configuration
Describe the wired switch identity configuration:
Multi-auth/multi-domain modes
Flexible authentication sequencing and priority for 802.1X, MAB, and web auth
Is Class-Based Policy Language (CPL) for the 3850 switch to be used?
Are Failed-Auth or Guest VLANs to be used?
CA Types
Standalone
Joined to existing PKI infrastructure
SCEP
Note: Dual SSID and CWA are only supported with WLC AireOS 7.2 and up. Plan to use LWA if there is no plan to
upgrade to devices that support CWA and MAB.
Note: With AireOS 7.6 and up, DNS-based wireless ACLs are supported, which lets the administrator create an ACL that
allows Android devices to reach the Google Play Store.
Integration with 3rd party (Excluding MDM)
Describe the detailed integration with SIEM and Threat Defense products:
Which SIEM product and vendor? Please see the Cisco ISE SIEM & Threat Defense Eco System Integration guide for
the supported SIEM vendors and versions.
What information will be forwarded to the SIEM?
Will pxGrid be used? If so, which devices will subscribe to ISE?
Policy Details
List all security policies that are needed to implement the business requirements described above.
Authentication: For each use case (wired, wireless, VPN), describe the authentication policies that will be implemented
for all users and endpoints whether managed or unmanaged.
Authentication Policy Example:
Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence
Device Access | Wired_MAB | Default Network Access | Internal EndPoints
802.1X Access | Wired_802.1X | Default Network Access | AD_then_Local
VPN | NAS-Port-Type = Virtual | Default Network Access | AD
Default | - | Default Network Access | Internal Users

Customer authentication policy (fill in):
Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence
Authorization: For each use case (wired, wireless, VPN), describe the authorization policies that will be implemented for
all users and endpoints whether managed or unmanaged.
Authorization Policy Example:
Rule Name | Identity Groups | Other Conditions | Permissions
BYOD Unknown | Mobile Devices Logical Group | EAP Tunnel = PEAP, EAP Type = MSCHAPv2 | NSP dACL, NSP Redirect
BYOD Registered | Registered | EAP Type = EAP-TLS, SAN = Calling-StationID | Registered dACL
IP_Phones | Cisco-IP-Phones | - | Voice VLAN, Authz VVID
Printers | Managed-Printers | | Printer VLAN
Cameras | Managed-Cameras | | Camera VLAN
Workstation_Access | Any | Domain PC | AD Access dACL
User_Role_1_Access | Any | Domain Member Role1 | Role1 dACL
User_Role_2_Access | Any | Domain Member Role2 | Role2 dACL
Guest_Access | Guest | | Internet Only dACL
Default | - | - | Web Auth

Customer authorization policy (fill in):
Rule Name | Identity Groups | Other Conditions | Permissions
Guest Access: For each use case (wired or wireless), describe the guest access policy. Provide information on how guests
will access the network, including guest provisioning, sponsors, and whether custom guest portal pages need to be
created. Fill in the details in the forms below for each scenario that applies to you; put "no" if a scenario does not apply.
Services | Guest
Profiling: For each use case (wired or wireless), describe how the profile data will be collected by each probe required to
classify each device type to be profiled. For example, will SPAN or RSPAN be used to carry data from the network to the
Identity Services Engine? If so, what is the SPAN design? Will dedicated ISE interfaces be used? If the HTTP probe is used,
will SPAN or redirection be used to capture user agent attributes?
Note the number of events per second a platform can safely process, per the Platform Performance Spec table in the
appendix. For example, if iPad traffic is to be profiled by probing HTTP traffic for the User Agent attribute, then the design
must ensure the Policy Service node is not inspecting more than 1200 HTTP events per second (3395 spec). Consider
profiling strategies that reduce the overall load on the Policy Service node, such as the use of HTTP redirect at connect time
to capture the User Agent attribute, or the use of IP Helper statements for DHCP capture instead of SPAN.
Profiling Policy / Requirements Example:
Device | Profile Unique Attributes | Probes Used | Collection Method
Cisco IP Phone | OUI, CDP | RADIUS, SNMP Query | RADIUS Authentication; Triggered by RADIUS Start
IP Camera | OUI, CDP | RADIUS, SNMP Query | RADIUS Authentication; Triggered by RADIUS Start
Printer | OUI, DHCP Class Identifier | RADIUS, DHCP | RADIUS Authentication; IP Helper from local L3 switch SVI
POS Station | MAC Address (static IP), ARP Cache for MAC to IP mapping, DNS name | RADIUS (MAC Address discovery), SNMP Query, DNS, NMAP | RADIUS Authentication; Triggered by RADIUS Start; Triggered by IP Discovery; Active Scanning
Apple iPad/iPhone | OUI, Browser User Agent | RADIUS, HTTP, DHCP | RADIUS Authentication; Authorization Policy posture redirect to central Policy Service node cluster; RSPAN of DHCP Server ports to local Policy Service node
Device X | mapping; Port # traffic to Destination IP | Netflow |

Customer profiling policy (fill in):
Device | Profile Unique Attributes | Probes Used | Collection Method
Posture: Describe posture policy requirements for endpoint compliance. This may include many areas such as asset
checking, application and services checking, and antivirus and antispyware checks, as well as customized checks for
specific use cases. Describe remediation plans and include remediation servers that need to be integrated into the design.
Posture Policy Example:
Rule Name | OS (Windows/MacOSX) | Conditions | Posture Agent | Checks
Employee_AV | Windows XP/7 | AD group=Employee | NAC Agent for Windows | AV Rule: Microsoft Security Essentials 2.x
| | AD group=Employee | NAC Agent for Windows | Custom registry check | Login
| | ID Group=Contractor | Web Agent | AV_Rule: Any AV w/current signatures | Login

Customer posture policy (fill in):
Rule Name | OS (Windows/MacOSX) | Conditions | Posture Agent | Checks
Client Provisioning: Describe Client Provisioning policy requirements for posture and native supplicant provisioning.
Client Provisioning Example:
Rule Name | Identity Groups | Operating Systems | Other Conditions | Results
Apple | Any | | | Native Supplicant: EAP-TLS, SSID
Windows | Any | Windows All | | Agent: NAC Agent; Native Supplicant: PEAP-MSCHAPv2, SSID
Android | Any | Android | | Native Supplicant: EAP-TLS, SSID

Customer client provisioning policy (fill in):
Rule Name | Identity Groups | Operating Systems | Other Conditions | Results
Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For instance, list here any information that was required
but not received from the customer. (E.g. "My customer uses IE3000 series switches. Is this supported?", "The customer is
using a 3rd-party NAD", or "The customer is currently using IPv6".)
High Availability
Discuss high availability considerations.
High availability for each persona and node should be part of the design, to ensure that no single persona/appliance
failure results in the total loss of a service. Please confirm the persona/node redundancy design and explain the reason if
HA is not planned for any component.
How will network access devices and ISE Policy Service nodes be configured for redundancy? Note: For wireless
deployments using LWA, only one URL can be defined for web authentication.
Please provide details on how load balancing will be used in this deployment, if it applies.
Migration
If migrating this deployment from ACS or ISE, provide details on the current deployment and how you are going to address
the migration of licensing, existing policy, NAD configurations, etc.
Is this a migration from an existing Cisco Secure ACS, NAC Appliance, NAC Profiler, and/or NAC Guest Server
deployment? If so, please list the existing product SKUs purchased to determine full migration entitlement.
o For existing appliances supported by ISE, please indicate the quantity and type of each appliance model (for
example, 1121, 3315, 3355, or 3395) to be migrated.
o For NAC Appliance license counts, please indicate the user license for each NAC Server (FO pairs count as one
license).
o For NAC Profiler endpoint counts, please provide the endpoint license for dedicated Profiler Collectors, or the quantity
and type (331x or 335x) of each CLT license.
o If this is a NAC Guest Server (NGS) migration, please note the differences between the guest access features of
NGS and the Identity Services Engine Version 2.0 in the appendix section of this document.
o If this is an ACS migration, please note the differences between the features of ACS 5.8 and ISE 2.0 in the
appendix section of this document (ACS 4.2 information is shown for comparison purposes; currently there is no
direct migration path from ACS 4.2 to ISE 2.0).
ISE Node Details
Persona | Hostname | IP Address | VM/HW | CPU | RAM | Storage
Admin/MnT | ise1.example.com | 1.1.1.1 | VM | | | 600GB
PSN | ise2.example.com | 2.2.2.2 | VM | | | 300GB

Customer node details (fill in):
Persona | Hostname | IP Address | VM/HW | CPU | RAM | Storage
Bill of Materials (BOM)
Product | Qty | List Price | Extended Price
L-ISE-BSE-3500= | 1 | |
L-ISE-ADV3Y-1500= | 1 | |
SNS-3495-K9 | 2 | |
CON-PSRT-SNS3495 | 2 | |
SNS-3415-K9 | 2 | |
CON-PSRT-SNS3415 | 2 | |
L-ISE-ADV-S-1K= | 1 | |
ISE-ADV-3YR-1K | 1 | |
(Price placeholders in the template: List Price 12345678, Extended Price 12345678)
Note: The ISE BoM Tool is available to assist with creating the BoM. Please refer to the ISE BoM Tool located on the partner
portal page (https://sambt.cisco.com).
Note: Since ISE 1.2, the S/N from both Admin nodes can be added to the license to improve flexibility. For more
information please refer to the Cisco ISE License Application Note.
Customer BOM details:
Line | Product | Qty | List Price | Extended Price
Appendix
Security Partner Community
Please visit Security Partner Community for additional ISE resources (Login required).
Migration SKUs
Please consult the ISE Packaging and Licensing Guide for migration SKUs.
Migration Guide
The Cisco Identity Services Engine Licensing Guide located on the partner portal page
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html) explains packaging and
licensing under the Authorized Technology Provider program for wired and VPN.
Machine Access Restrictions (MAR)
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling
authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine
authentication of the computer used to access the Cisco ISE network. For every successful machine authentication,
Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of
a successful machine authentication. Cisco ISE retains each Calling-Station-ID attribute value in its cache until the
number of hours configured in the Time to Live parameter on the Active Directory Settings page expires, at which point
Cisco ISE deletes it from the cache. When a user authenticates from an end-user client, Cisco ISE searches the cache
of Calling-Station-ID values from successful machine authentications for the Calling-Station-ID value that was received
in the user authentication request. Whether a matching value is found determines how Cisco ISE assigns permissions
for the user that requests authentication:
If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a
successful authorization is assigned.
If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a
successful user authentication without machine authentication is assigned.
Ethernet/WiFi transitions: the Calling-Station-ID (MAC address) is used to link machine and user authentication; the MAC
address changes when a laptop moves from wired to wireless, breaking the MAR linkage.
Machine state caching: the cache of previous machine authentications is neither persistent across ACS/ISE
reboots nor replicated amongst ACS/ISE instances.
Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different
location, or comes back into the office the following day, where the machine auth cache is not present on the new RADIUS
server or has timed out.
Spoofing: the linkage between user authentication and machine authentication is tied to the MAC address only. It is
possible for an endpoint to pass user authentication using only the MAC address of a previously machine-authenticated
endpoint.
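The following is an added example, not part of the Cisco HLD template: a small Python model of the MAR cache described above, used to show why the Ethernet/WiFi transition, the missing replication between nodes, and TTL expiry each turn a user login into the "user authentication without machine authentication" outcome. The class and function names, the accepted Calling-Station-ID formats and the MAC values are this example's own assumptions.

```python
"""Model of the Machine Access Restriction (MAR) cache described in the
appendix: a successful machine authentication is recorded under the RADIUS
Calling-Station-ID (attribute 31, the endpoint MAC), the entry expires after
the configured Time to Live, and a later user authentication is authorized
by looking up the Calling-Station-ID of that request.
Added example, not ISE code; names are this example's own."""
from dataclasses import dataclass, field

# The two outcomes named in the MAR description above.
MACHINE_AND_USER = "authorization profile for successful authorization (machine + user)"
USER_ONLY = "authorization profile for user authentication without machine authentication"


def normalize_csid(calling_station_id: str) -> str:
    """Reduce a Calling-Station-ID to 12 uppercase hex digits so that
    '00:11:22:AA:BB:CC', '00-11-22-aa-bb-cc' and '0011.22aa.bbcc' compare
    equal. Which separators are accepted is an assumption of this example."""
    hexdigits = "".join(c for c in calling_station_id if c.isalnum()).upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC-style Calling-Station-ID: {calling_station_id!r}")
    return hexdigits


@dataclass
class MarCache:
    """One node's MAR cache. It lives in memory only: it is neither persistent
    across reboots nor replicated to other nodes, so a second node starts
    with its own, empty, instance."""
    ttl_hours: float
    _expiry: dict = field(default_factory=dict)   # csid -> expiry time (hours)

    def record_machine_auth(self, calling_station_id: str, now_hours: float) -> None:
        # Evidence of a successful machine authentication, kept for TTL hours.
        self._expiry[normalize_csid(calling_station_id)] = now_hours + self.ttl_hours

    def purge_expired(self, now_hours: float) -> None:
        for csid, expires_at in list(self._expiry.items()):
            if now_hours >= expires_at:
                del self._expiry[csid]

    def authorize_user(self, calling_station_id: str, now_hours: float) -> str:
        """Outcome for a user authentication arriving with this Calling-Station-ID."""
        self.purge_expired(now_hours)
        if normalize_csid(calling_station_id) in self._expiry:
            return MACHINE_AND_USER
        return USER_ONLY


def mar_walkthrough(ttl_hours: float = 8.0) -> dict:
    """Replay the caveats listed above with constructed MAC addresses and
    return the outcome of each user authentication, keyed by scenario."""
    wired_mac = "00:11:22:AA:BB:01"      # constructed: the laptop's Ethernet NIC
    wifi_mac = "00:11:22:AA:BB:02"       # constructed: the same laptop's Wi-Fi NIC
    psn1, psn2 = MarCache(ttl_hours), MarCache(ttl_hours)

    # The machine boots on a wired port at t=0h and machine-authenticates via psn1.
    psn1.record_machine_auth(wired_mac, now_hours=0.0)
    return {
        # Same MAC, same node, inside the TTL: the cached entry is found.
        "wired_login_same_node": psn1.authorize_user("00-11-22-aa-bb-01", 0.5),
        # Ethernet/WiFi transition: the Wi-Fi NIC has a different MAC, so the
        # link to the machine authentication is lost.
        "moved_to_wireless": psn1.authorize_user(wifi_mac, 0.6),
        # No replication between nodes: psn2 never saw the machine authentication.
        "wired_login_other_node": psn2.authorize_user(wired_mac, 0.7),
        # Hibernation / next day: the TTL has elapsed and the entry was purged.
        "wired_login_after_ttl": psn1.authorize_user(wired_mac, ttl_hours + 1.0),
    }


if __name__ == "__main__":
    for scenario, outcome in mar_walkthrough().items():
        print(f"{scenario:24s} -> {outcome}")
```

Only the first scenario yields the machine-plus-user profile; a design that relies on MAR therefore needs to account for the other three paths (wireless NICs, PSN redundancy, and the TTL) in the authorization policy.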
Platform Hardware Specs
Processor | RAM | Hard disk | RAID | Ethernet NIC | Power
1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz (4 total cores) | 4 GB | | No | 4 x Integrated Gigabit NICs |
1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (4 total cores) | 4 GB | | Yes (RAID 0) | 4 x Integrated Gigabit NICs | Redundant
2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (8 total cores) | 4 GB | | Yes (RAID 0+1) | 4 x Integrated Gigabit NICs | Redundant
1 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (4 total cores) | 16 GB | | No | 4 x Integrated Gigabit NICs |
2 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (8 total cores) | 32 GB | | Yes (RAID 1) | 4 x Integrated Gigabit NICs | Redundant
(Hard disk values are not present in this copy of the table.)
Platform Performance Specs for PSN when PAN and MnT are deployed as separate nodes: Max Concurrent
Endpoints and Composite Authentications (authentication values are approximate)
When determining how many PSNs are needed for the deployment, use Maximum Concurrent Endpoints as the main
guideline. Authentication performance for specific use cases is also provided in case it is required to size the
deployment.
Usage | 5,000-endpoint platform | 20,000-endpoint platform
Max concurrent endpoints | 5,000 | 20,000
(usage labels for the rows below are not present in this copy of the table)
| 25 per second | 45 per second
| 50 per second | 68 per second
| 17 per second | 28 per second
| 1,400 per second | 2,800 per second
| 1,500 per second | 2,900 per second
| 700 per second | 1,200 per second
| 900 per second | 1,700 per second
| 900 per second | 1,700 per second
| 2,900 per second | 4,900 per second
| 100 | 100
Platform Performance Specs: Authentications/Second with PSN-only persona (approximate values)
Column headers as extracted (platform names are not present in this copy): Platform | PAP: Int., AD, LDAP | PEAP (MSCHAPv2): Int., AD | EAP-FAST (MSCHAPv2): Int., AD | AD, LDAP | MAB: Int. | Int. LDAP
Values, first block: 173, 376, 339, 382, 323, 385, 304, 512, 502, 628, 513, 662
Values, second block: 153, 528, 597 (130), 165, 1115, 1150 (140)
System Performance Specs and System Scale (per Identity Services Engine deployment)
Item | Number
Maximum number of concurrent endpoints with separate Administration, Monitoring, and Policy Service nodes |
Maximum number of concurrent endpoints with Administration and Monitoring on a single node |
Remaining values as extracted (row labels are not present in this copy): 30,000; 100; 50; 25,000; 1,000,000 (expect latency for the admin GUI and user auth beyond 500k); 100; 1,000,000; 25 when Simple mode is used; 100 combined rules when Policy Set mode is used; 600 (best practice is to keep it below 100; with 100+ rules, rendering of the GUI and user access will be negatively impacted); 4,000; 2,500; 40,000
VM Disk Size Minimum Requirement
Persona | Disk (GB)
Standalone |
Administration Only | 200+ GB
Monitoring Only |
Policy Service Only |
Admin + MnT |
Admin + MnT + PSN |
Note: Thin Provisioning is supported since 1.3; however, Thick/Eager Provisioning will yield the best performance.
Note: 10k RPM+ HDD or equivalent speed required.
Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher.
Note: 600GB max for a non-MnT persona node, 2TB max for an MnT persona node.
MnT Persona Log Storage Requirement (days of retention, assuming collection filter is enabled)
Concurrent Endpoints | Days of retention (five MnT disk-size columns, smallest to largest)
10,000 | 126 | 252 | 378 | 645 | 1,289
20,000 | 63 | 126 | 189 | 323 | 645
30,000 | 42 | 84 | 126 | 215 | 430
40,000 | 32 | 63 | 95 | 162 | 323
50,000 | 26 | 51 | 76 | 129 | 258
100,000 | 13 | 26 | 38 | 65 | 129
150,000 | 9 | 17 | 26 | 43 | 86
200,000 | 7 | 13 | 19 | 33 | 65
250,000 | 6 | 11 | 16 | 26 | 52
Note: The above values are based on controlled criteria including message size, re-authentication interval, etc.; results may vary
depending on the environment.
Guest Server and ISE Guest Feature Comparison (NGS 2.0 vs ISE 2.0)
Feature rows and textual cell values as extracted; the plain support marks ("X") could not be mapped to columns:
Provisioning Interface: X (2.0.3)
Restrict Login: Unlimited; Unlimited
Can you allow/require guests to change their password after logging in?
Specify which details about the guest must be recorded, including first name, last name, email, company, phone number: 5 fields
Guest Roles: Removed since 1.3
Start/End: create accounts by specifying the time the account starts and ends
Duration: create accounts by specifying the time the account can last from now
Accounts which are valid for X minutes from the first time the guest logs in
Accounts which are valid for X minutes within a Y-minute period from first login
Self Registration
Device Registration
Will the system email guest details to the guest's email address?
SMS: will the system SMS guest details to the guest's mobile phone?
Interface Customization: Company Logo; Multiple Languages; Notification Customization
Reporting: Management Reports; CSV Export
Guest Accounting: Billing Support; Pre-pay Support
Other: Application Programming Interface: does the system have an API that can be used to perform all sponsor operations?
Posture Services for guest users: can the guest user's host device be posture assessed and access policy granted based on compliance with security policy?
Can the guest user's host device be profiled and access policy granted based on the type of device the guest uses to access the network?
ACS and ISE Feature Comparison (ACS 4.2 / ACS 5.8 / ISE 2.0)
Only the TACACS+ feature rows and the annotated cells survived extraction; the plain support marks ("X") could not be mapped to rows and columns.
TACACS+ feature rows:
TACACS+
TACACS+ per-command authorization and accounting
TACACS+ support in IPv6 networks
TACACS+ change password
TACACS+ enable handling
TACACS+ custom services
TACACS+ proxy
TACACS+ optional attributes
Annotated cells:
ACS 5.8: X (Warning and disable after defined interval. Grace period is not supported)
ISE 2.0: X (CLI interface is supported for bulk provisioning)
ACS 5.8: X (Data can be exported from M&T for reporting. Not supported as log target)
ACS 5.8: X (With Authorization policy condition or profiling)
ISE 2.0: X (Not in combination with other fields)
Printed in USA  C07-676884-01  09/11