Cisco ISE: Where We Came From and Where We're Going

Back in the old days, when Cisco Secure ACS was still running on Solaris, the solution was mostly about device admin (TACACS) and authentication/accounting for access solutions such as ISDN. At that time Cisco also had a confidential solution called URT, which would control a switch port through SNMP to provide access to authenticated users.

Then came 802.1X. It was initially introduced in ACS 4.x but considered too complex and deprecated. Cisco then acquired Perfigo, whose product CleanAccess became the “Cisco NAC Appliance” — and, perhaps unsurprisingly, it was also mostly based on SNMP to control switch ports. It also introduced a profiler and a guest server. A few years later the NAC Appliance got killed, but those last two components survived. Combined with ACS 5.x — where 802.1X had been reintroduced — they became ISE v1.0. That was 2011.

Since then, many features have been added to turn it into the solution it is today. If I had to pick two milestones: posture assessment in combination with what was still called AnyConnect (now Cisco Secure Client), and the — admittedly bumpy — introduction of TrustSec, one of the cornerstones of micro-segmentation and Zero Trust.


What this blog is not

I’m not planning to cover well-known topics or start from scratch. I’ll assume you already have a solid understanding of the product.

If you don’t, these resources will get you up to speed:

What this blog is

Deep dives into the topics that don’t get enough coverage — the edge cases, the underdocumented behaviours, the things you only figure out after hitting a production issue at 2am.

A few topics I have in mind:

  • Dedicated PSN for wired guest — not wireless, which is well covered, but the wired use case, which is a different beast entirely
  • ISE with multiple interfaces — a topic that is almost entirely undocumented
  • IP fragmentation — how it bites ISE deployments and what to do about it

More to come.