4193 Views, 10 Helpful, 2 Replies

ASA vs ISE

douglaswhitwill
Level 1

Hi guys,

I'm a noob when it comes to ASA and almost no experience with ISE other than what I can find online. It seems like they both do the same sort of things for us. Security for VPNs. What other differences or similarities are there between these products? Even the most basic differences would be helpful since I'm just starting with ISE.

Thanks!

Accepted Solution

Marvin Rhoads
Hall of Fame

Welcome and best wishes on your learning.

ASA vs. ISE ... there's only about 5% overlap in those products.

The ASA does control network access for endpoints if they are, say, remote access VPN clients. It can do a little bit of posture checking to make sure the host is compliant with policy. It does a whole lot of other things - stateful firewalling, network address translation, site-to-site VPN, protocol inspection, etc.

ISE gives you context-based network access control via classic AAA features (Authentication, Authorization and Accounting) combined with rich features such as endpoint profiling, posture assessment, extremely rich rule set creation and processing, etc. ISE integrates with many external identity stores such as AD, LDAP, RADIUS, etc. and can itself act as a RADIUS server. In fact, a lot of what it does in the context of 802.1X network access control is via Change of Authorization (CoA) using RADIUS Attribute-Value (A-V) pairs. CoA can do things like dynamically change the end user's VLAN assignment, push down a port-specific dynamic access-list, assign a Security Group Tag (SGT), redirect to a web portal for authentication, remediation, device registration, etc.

That's just a quick compare and contrast. You can literally spend years learning both and still not know all of either one.

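To make the CoA mechanism in the accepted solution concrete, here is an added example (not code from this thread, from Cisco, or from ISE) that builds, authenticates and parses a RADIUS CoA-Request of the kind a policy server pushes to a switch when posture fails: the RFC 2868 tunnel attributes that move a session to another VLAN, a Filter-Id naming a port ACL, and a Cisco vendor-specific "cisco-avpair" telling the switch to re-run authorization. Packet layout and authenticators follow RFC 2865 and RFC 5176. The shared secret, session ID, MAC address, VLAN number and the ACL name "REMEDIATION-ACL.in" are constructed for the example, and the avpair string "subscriber:command=reauthenticate" is written from memory of Cisco's documented syntax, so treat it as an assumption to check against your platform's documentation.

```python
"""Build, sign, verify and parse RADIUS Change-of-Authorization packets (RFC 5176)."""
import hashlib
import hmac
import struct

# RADIUS codes from RFC 5176 (Dynamic Authorization Extensions).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types (RFC 2865 / RFC 2868) and Cisco vendor constants.
ATTR_FILTER_ID, ATTR_VENDOR_SPECIFIC = 11, 26
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 31, 44
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
VENDOR_CISCO, CISCO_AVPAIR = 9, 1   # IANA enterprise number 9; vendor-type 1 = cisco-avpair
ATTR_NAMES = {11: "Filter-Id", 31: "Calling-Station-Id", 44: "Acct-Session-Id",
              64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type(1) Length(1, counts the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_integer(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag byte followed by a 24-bit value."""
    return attribute(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(atype: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: tag byte (0x01-0x1F) followed by the string."""
    return attribute(atype, bytes([tag]) + text.encode())


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) = Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + String."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vsa)


def vlan_assignment(vlan: int, tag: int = 1) -> bytes:
    """The three tunnel attributes a switch needs to move a session to a VLAN."""
    return (tagged_integer(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def build_coa_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """What the switch must do before acting on a CoA: check code, length, authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(secret: bytes, request: bytes, code: int = COA_ACK) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_coa_response(secret: bytes, request: bytes, response: bytes) -> bool:
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> list:
    """Decode the TLVs after the 20-byte header into (name, value) pairs."""
    out, pos, data = [], 0, packet[20:]
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]            # vendor-length includes its 2-byte header
            out.append(("Vendor-Specific(%d/%d)" % (vendor, vtype), value[6:4 + vlen].decode()))
        elif atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            out.append((ATTR_NAMES[atype], "%d:%d" % (value[0], int.from_bytes(value[1:], "big"))))
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out.append((ATTR_NAMES[atype], "%d:%s" % (value[0], value[1:].decode())))
        else:
            out.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), value.decode(errors="replace")))
    return out


def quarantine_coa(secret: bytes, session_id: str, mac: str, vlan: int, ident: int = 1) -> bytes:
    """Constructed CoA for a failed posture check: identify the session, move it to a
    remediation VLAN, apply a named port ACL, and make the switch re-run authorization."""
    attrs = (attribute(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attribute(ATTR_CALLING_STATION_ID, mac.encode())
             + vlan_assignment(vlan)
             + attribute(ATTR_FILTER_ID, b"REMEDIATION-ACL.in")      # hypothetical ACL name
             + cisco_avpair("subscriber:command=reauthenticate"))   # assumed Cisco avpair syntax
    return build_coa_request(secret, ident, attrs)


if __name__ == "__main__":
    pkt = quarantine_coa(b"s3cr3t", "0000001A", "00-11-22-33-44-55", 999)
    for name, value in parse_attributes(pkt):
        print("%-26s %s" % (name, value))
```

The verification functions are the security-relevant part: a switch that accepts a CoA without checking the Request Authenticator under the shared secret would let anyone who can reach UDP/1700 (or 3799) re-VLAN or disconnect sessions, which is why the shared secret and source-address restriction on the `aaa server radius dynamic-author` client matter as much as the policy itself.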

2 Replies

Marvin Rhoads
Hall of Fame

(Same reply as the accepted solution above.)

Thanks Marvin for the explanation!