07-24-2013 03:59 PM - edited 03-10-2019 08:41 PM
Hello All,
I've read quite a bit about ISE features, but would like to know the following:
1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
2. Can it provide details of how much data was transferred from a particular server to a specific client?
3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?
4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?
5. I see ISE as being marketed primarily for wireless devices (BYOD), but how would it help for wired devices (or does it become an unnecessary authentication level apart from AD, switch based 802.1x, etc.)?
Thank you.
Regards,
Adnan
07-24-2013 07:15 PM
Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions:
•Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
•Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both
•Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments
•Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
•Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed
•Employs advanced enforcement capabilities including security group access (SGA) through the use of security group tags (SGTs) and security group access control lists (SGACLs)
•Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
The following key functions of Cisco ISE enable you to manage your entire access network.
Provide Identity-Based Network Access
The Cisco ISE solution provides context-aware identity management in the following areas:
•Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
•Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
•Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location, device type, and so on).
•Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.
ISE 3315 can support 1500 users with appropriate license.
07-25-2013 04:01 AM
Thanks for your response Ravi. I've checked out the overview of ISE earlier from
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_overview.html
However I would like to know if we can achieve what I stated in my query, especially points 1 & 2. If yes how do we get the info from ISE?
07-25-2013 08:53 AM
1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
A: If it is an iPEP setup, you can enable the corresponding syslog on the ASA for your VPN user, and the ASA will send the logs to your MnT node for the websites the user accessed. If it is a general setup and you have IronPort/WSA, you can also get the log from this device, but not from ISE.
2. Can it provide details of how much data was transferred from a particular server to a specific client?
A: ISE is not a network monitoring tool, so it does not get info for client traffic. This is typical network monitoring tool functionality.
Sent from Cisco Technical Support iPad App
07-25-2013 10:59 AM
Thanks Shaoqin, I guess you're right about point 2, I was expecting a different capability altogether.
Actually I've a requirement where I need to ensure not only authentication, access, etc., but also to track user activity: which IP addresses (servers) the client machine connected with and for how much time.
I'm also wondering if additional authentication like ISE, apart from AD and 802.1x, really has an adv.?
07-25-2013 01:14 PM
Adnan,
Every time a new user connects to ISE, his MAC address shows up in the session. To retrieve more inputs about the session, you can check the ADE logs in ISE and see the duration of the session, what resources it tried to access, and what it tried to download.
Wired or wireless are just the ways to connect to the network. Even with wired clients you can actually use all the functionality of ISE, like Profiling, Posture, etc.
For dot1x switch authentication, ISE generally acts as a RADIUS server in typical scenarios.
HTH !
Regards,
Gaurav Sharma
07-26-2013 09:53 AM
I don't think ISE can get user traffic information anyway...
But yes, basic auth/authz should work as you referred to dot1x or against AD.
Sent from Cisco Technical Support iPad App
07-28-2013 11:22 PM
Yeah, thanks for the correction. Just checked... not from ISE, but we can get information like what websites the user tried to access through the logs from the NAD.
Thoughts?
GS
09-25-2013 01:57 AM
Hello Adnan,
With reference to your question 1, the Guest Activity report provides details about the websites that guest users are visiting.
You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
This report is available at: Operations > Reports > Endpoints and Users >
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1470680
09-25-2013 01:00 PM
1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
Note that the HTTP URL logs are supposed to be generated on a firewall that sends the logs to ISE for analysis, thus providing the guest web activity report. A switch, WLC and ISE alone are not enough.