Cisco Identity Services Engine (ISE) is a security product that enables the creation and enforcement of security and access policies for endpoint devices on a corporate network.

In my previous article (Identity Services Engine) I provided a brief overview of the technology and shared the design of my test lab. This article will focus on the output of the testing, delivered through seven videos, covering the key capabilities.

Please note: Although the videos include some terminology and branding from my work, the test lab is generic, with no use of production hardware, software or data.

Access Triggered by Device

Access Triggered by User

iPad Provisioning

Guest Access (Wired and Wireless)

Visibility and Reporting

Test Lab Overview

ISE Configuration

Overall, I have been impressed with the capabilities of ISE and believe the product will likely become a core part of the Cisco security suite, focused on access control and policy enforcement.

The product itself includes an impressive number of features, however this should not be a surprise, as ISE is really a consolidation of existing products and services. Unfortunately, one by-product of this consolidation is complexity, specifically during the initial setup, which can be very painful. Considering my test lab was very small, I think it is safe to assume that this complexity could become a significant barrier on a large corporate network.

With this in mind, I am not convinced I would recommend ISE for production, instead I would suggest waiting for the product to mature, hopefully resulting in a more intuitive setup process.

If you do plan to deploy ISE on a production network today, I would urge you to start in “monitor-only” mode, prior to activating any policies. The advantage to this approach is that ISE can still provide end-point visibility and reporting, as well as simulate policy enforcement, but it won’t impact any users. Knowing that ISE could disable every end-point on your network, this approach feels like the safest way to ensure success.