
Data Sheet

Cisco Identity Services Engine

Today’s enterprise is becoming more dynamic, with increasing numbers of users, devices, and methods
of access. The compute platform is no longer tied to its applications and data, creating unprecedented
opportunities for differentiated services in the network. While these developments offer enterprises more
flexibility, they introduce new possibilities for security breaches and uncontrolled user and endpoint
access. Network security officers and administrators require solutions that enable access for users and
endpoints based not only on a user’s or endpoint’s identity, but also on a range of other attributes such as
location, time of day, endpoint type, and the endpoint’s posture state. Because this contextually rich
information is often lacking, administrators struggle to build the appropriate authentication and
authorization policies across the enterprise. Moreover, these administrators also now need to effectively
audit network use, monitor corporate compliance, and get broad visibility into policies and activities across
the network, making their jobs that much more challenging.

Cisco has a solution to assist network security officers and administrators with these obstacles: the Cisco Identity
Services Engine.

Product Overview
The Cisco Identity Services Engine is a next-generation identity and access control policy platform that enables
enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. Its unique
architecture allows enterprises to gather real-time contextual information from networks, users, and devices to make
proactive governance decisions by enforcing policy across the network infrastructure. The Cisco Identity Services
Engine is an integral component of the Cisco TrustSec solution that helps secure and govern borderless networks.

The Cisco Identity Services Engine provides a highly powerful and flexible attribute-based access control solution
that combines authentication, authorization, and accounting (AAA); posture; profiling; and guest management
services on a single platform. Administrators can centrally create and manage access control policies for users and
endpoints in a consistent fashion, and gain end-to-end visibility into everything that is connected to the network. The
Cisco Identity Services Engine automatically discovers and classifies endpoints, provides the right level of access
based on identity, and provides the ability to enforce endpoint compliance by checking a device’s posture. The Cisco
Identity Services Engine also provides advanced enforcement capabilities, including Security Group Access (SGA)
through the use of security group tags (SGTs) and security group access control lists (ACLs).

Features and Benefits


An integral component of the Cisco TrustSec solution, the Cisco Identity Services Engine:

● Allows enterprises to authenticate and authorize users and endpoints via wired, wireless, and VPN with
consistent policy throughout the enterprise
● Prevents unauthorized network access to protect corporate assets
● Provides complete guest lifecycle management by empowering sponsors to on-board guests, thus reducing
IT workload
● Discovers, classifies, and controls endpoints connecting to the network to enable the appropriate services per
endpoint type

● Addresses vulnerabilities on user machines through periodic evaluation and remediation to help proactively
mitigate network threats such as viruses, worms, and spyware
● Enforces security policies by blocking, isolating, and repairing noncompliant machines in a quarantine area
without needing administrator attention
● Offers a built-in monitoring, reporting, and troubleshooting console to help helpdesk operators and
administrators streamline operations
The Cisco Identity Services Engine provides several additional key features, described in Table 1.

Table 1. Key Cisco Identity Services Engine Features

| Feature | Details |
| --- | --- |
| AAA protocols | Utilizes the standard RADIUS protocol for authentication, authorization, and accounting (AAA). |
| Authentication protocols | Supports a wide range of authentication protocols, including PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), and EAP-Transport Layer Security (TLS). |
| Policy model | Offers a rules-based, attribute-driven policy model for creating flexible and business-relevant access control policies. Attributes are pulled from predefined dictionaries that include information about user and endpoint identity, posture validation, authentication protocols, profiling identity, or other external attribute sources. Attributes can also be created dynamically and saved for later use. |
| Access control | Provides a wide range of access control mechanisms, including downloadable access control lists (dACLs), VLAN assignments, URL redirect, and SGA tagging, leveraging the advanced capabilities of Cisco network devices. |
| Profiling | Ships with predefined device templates for a wide range of endpoints such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administrative-defined identities when endpoints connect to the network. Administrators can also associate endpoint-specific authorization policies based on device type. |
| Guest lifecycle management | Enables full guest lifecycle management whereby guest users can access the network for a limited time either through administrator sponsorship or by self-signing via a guest portal. Allows an administrator to customize portals and policies based on specific needs of the enterprise. |
| Posture | Verifies endpoint posture assessment for all types of users connecting to the network. Works via either a persistent client-based agent or temporal web agent to validate that an endpoint is conforming to the company’s posture policies, such as having the latest operating system patches and running an antivirus software package with current definition files. Powerful assessment rule logic can check endpoints for such things as file variables (version, date, etc.), registry checks (key, value, etc.), application and state, and antivirus/antispyware software status while allowing for simple or complex compound conditions. Also supports auto-remediation of the client as well as periodic reassessment to make sure the endpoint is not in violation of company policies. |
| Centralized management | Enables administrators to centrally configure and manage profiler, posture, guest, authentication, and authorization services in a single web-based GUI console, greatly simplifying administration by providing consistency in managing all these services. |
| Monitoring and troubleshooting | Includes an integrated monitoring, reporting, and troubleshooting component accessible through a web-based GUI to assist helpdesk and network operators. Offers comprehensive reporting for all services, logging of all activities, and real-time dashboard metrics of all users and endpoints connecting to the network. |
| Platform options | Available as a physical or virtual appliance. There are three physical appliance models as well as a VMware ESX or ESXi based appliance. |

Product Specifications
There are three hardware options for the Cisco Identity Services Engine (see Table 2).

Table 2. Cisco Identity Services Engine Hardware Specifications

| | Cisco Identity Services Engine Appliance 3315 (Small) | Cisco Identity Services Engine Appliance 3355 (Medium) | Cisco Identity Services Engine Appliance 3395 (Large) |
| --- | --- | --- | --- |
| Processor | 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz | 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz | 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz |
| Memory | 4 GB | 4 GB | 4 GB |
| Hard disk | 2 x 250-GB SATA HDD | 2 x 300-GB SAS drives | 4 x 300-GB SFF SAS drives |
| RAID | No | Yes (RAID 0) | Yes (RAID 0+1) |
| Removable media | CD/DVD-ROM drive | CD/DVD-ROM drive | CD/DVD-ROM drive |
| Network Connectivity | | | |
| Ethernet NICs | x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs |
| 10BASE-T cable support | Cat 3, 4, or 5 unshielded twisted pair (UTP) up to 328 ft (100 m) | Cat 3, 4, or 5 UTP up to 328 ft (100 m) | Cat 3, 4, or 5 UTP up to 328 ft (100 m) |
| 10/100/1000BASE-TX cable support | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m) |
| Secure Sockets Layer (SSL) accelerator card | None | Cavium CN1620-400-NHB-G | Cavium CN1620-400-NHB-G |
| Interfaces | | | |
| Serial ports | 1 | 1 | 1 |
| USB 2.0 ports | 4 (two front, two rear) | 4 (one front, one internal, two rear) | 4 (one front, one internal, two rear) |
| Video ports | 1 | 1 | 1 |
| External SCSI ports | None | None | None |
| System Unit | | | |
| Form factor | Rack-mount 1 RU | Rack-mount 1 RU | Rack-mount 1 RU |
| Weight | 28 lb (12.7 kg) fully configured | 35 lb (15.87 kg) fully configured | 35 lb (15.87 kg) fully configured |
| Dimensions | 1.69 x 17.32 x 22 in. (43 x 440 x 55.9 mm) | 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) | 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) |
| Power supply | 350W | Dual 675W (redundant) | Dual 675W (redundant) |
| Cooling fans | 6; non-hot plug, nonredundant | 9; redundant | 9; redundant |
| BTU rating | 1024 BTU/hr (at 300W) | 2661 BTU/hr (at 120V) | 2661 BTU/hr (at 120V) |

Cisco Identity Services Engine virtual appliances are supported on VMware ESX/ESXi 4.x and should be run on
hardware that equals or exceeds the characteristics of the physical appliances listed in Table 2. At minimum, Cisco
Identity Services Engines require the virtual target to have allocated at least 4 GB of memory and at least 200 GB of
hard drive space.

System Requirements
The optional Cisco NAC Agent works on a range of different systems (see Table 3).

Table 3. Cisco NAC Agent System Requirements

| Feature | Minimum Requirement |
| --- | --- |
| Supported OS | Microsoft Windows Vista Business, Windows Vista Ultimate, Windows Vista Enterprise, Windows Vista Home, Windows 7, Windows XP Professional, Windows XP Home, Windows XP Media Center Edition, Windows XP Tablet PC, Windows 2000, Windows 98, Windows SE, and Windows ME; Mac OS X (v10.5.x, v10.6.x) |
| Hard drive space | Minimum of 10 MB free hard drive space |
| Hardware | No minimum hardware requirements (works on various client machines) |

Service and Support


Cisco offers a wide range of services programs to accelerate your success. These innovative programs are delivered
through a combination of people, processes, tools, and partners that results in high levels of customer satisfaction.
Cisco services help you to protect your network investment, optimize network operations, and prepare your network
for new applications to extend network intelligence and the power of your business. For more information about
Cisco services, see Cisco Technical Support Services or Cisco Advanced Services.

Warranty information is available at http://www.cisco.com/go/warranty. Licensing information is available at
http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html.


For More Information


For more information about Cisco Identity Services Engine products and the Cisco TrustSec solution, visit
http://www.cisco.com/go/ise or contact your local Cisco account representative.

Printed in USA C78-656174-01 08/11

© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 4
