
Cisco ISE - General Info. & capabilities

Adnan Fakruddin
Level 1

Hello All,

I've read quite a bit about ISE features, but would like to know the following:

1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?

2. Can it provide details of how much data was transferred from a particular server to a specific client?

3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?

4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?

5. I see ISE as being marketed primarily for wireless devices (BYOD), but how would it help for wired devices (or does it become an unnecessary authentication level apart from AD, switch-based 802.1x, etc.)?

Thank you.

Regards,

Adnan

9 Replies

Ravi Singh
Level 7

Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions:

Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance

Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both

Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments

Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network

Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed

Employs advanced enforcement capabilities including security group access (SGA) through the use of security group tags (SGTs) and security group access control lists (SGACLs)

Supports scalability to support a number of deployment scenarios from small office to large enterprise environments

The following key functions of Cisco ISE enable you to manage your entire access network.

Provide Identity-Based Network Access

The Cisco ISE solution provides context-aware identity management in the following areas:

Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.

Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.

Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location, device type, and so on).

Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.

ISE 3315 can support 1500 users with the appropriate license.

Thanks for your response Ravi. I've checked out the overview of ISE earlier from

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_overview.html

However, I would like to know if we can achieve what I stated in my query, especially points 1 & 2. If yes, how do we get the info from ISE?

Shaoqin Li
Level 3

1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
A: If it is an iPEP setup, you can enable the corresponding syslog on the ASA for your VPN user, and the ASA will send the logs to your MnT node for the websites the user accessed. In a general setup, if you have an IronPort/WSA, you can also get the log from that device, but not from ISE.

2. Can it provide details of how much data was transferred from a particular server to a specific client?
A: ISE is not a network monitoring tool, so it does not get info about client traffic. This is typical network monitoring tool functionality.


Thanks Shaoqin, I guess you're right about point 2. I was expecting a different capability altogether.

Actually, I have a requirement where I need to ensure not only authentication, access, etc., but also to track user activity: which IP addresses (servers) the client machine connected with and for how much time.

I'm also wondering if additional authentication like ISE, apart from AD and 802.1x, really has an adv.?

Adnan,

Every time a new user connects to ISE, his MAC address shows up in the session. To retrieve more inputs about the session, you can check the ADE logs in ISE and see the duration of the session, what resources it tried to access, and what it tried to download.

Wired or wireless are just the ways to connect to the network. Even with wired clients you can actually use all the functionality of ISE, like Profiling, Posture, etc.

For dot1x switch authentication, ISE generally acts as a RADIUS server in typical scenarios.

HTH !

Regards,

Gaurav Sharma

I don't think ISE can get user traffic information anyway...

But yes, basic auth/authz should work as you referred to dot1x or against AD.


Yeah, thanks for the correction. Just checked... not from ISE, but we can get information like what websites users tried to access through the logs from the NAD.

Thoughts?

GS

Anas Naqvi
Level 1

Hello Adnan,

With reference to your question 1, the Guest Activity report provides details about the websites that guest users are visiting.

You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.

This report is available at: Operations > Reports > Endpoints and Users >

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1470680

1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?

Note that the HTTP URL logs are supposed to be generated on a firewall that sends the logs to ISE for analysis, thus providing the guest web activity report. A switch, WLC and ISE alone are not enough.