Cisco ISE Part 1: introduction

Cisco ISE is an identity management product from Cisco. In the upcoming weeks there will be more blog posts about the configuration and implementation of Cisco ISE. See the Cisco website for more information about the use of this awesome product. Also, watch this YouTube video for a great introduction to the functionality.
The blogpost Agenda:

  • Part 1: introduction
  • Part 2: installation
  • Part 3: Active Directory
  • Part 4: High Availability
  • Part 5: Configuring wired network devices
  • Part 6: Policy enforcement and MAB
  • Part 7: Configuring wireless network devices
  • Part 8: Inline posture and VPN
  • Part 9: Guest and web authentication
  • Part 10: Profiling and posture

This week, part 1: a basic product introduction to ISE.
This information could be outdated; Cisco has released new appliances!
There are 3 appliances available, plus a virtual machine based on VMware 4.x or 5.x.

  • Cisco ISE 3315
  • Cisco ISE 3355
  • Cisco ISE 3395
  • VM (specs based on physical hardware)

The ISE deployment is based on node roles. There are 4 node roles available:

  • Admin
  • Monitoring
  • Policy
  • Inline posture

The admin node is for central management of the ISE deployment. Most of the configuration is done on this node.
The monitoring node collects all monitoring events about all authentication and authorization attempts.
The policy node is the node that communicates with the endpoints and makes the decisions about authentication and authorization. This is your RADIUS server.
The inline posture role is used with devices that don’t have support for CoA (change of authority). Most recent Cisco switches do support CoA. The inline posture node can only be a physical appliance and can run in routed or bridged mode. The table below shows the device compatibility:

Access switch Minimum OS MAB 802.1X Web auth CoA VLAN dACL
Catalyst 2940 IOS v12.1(22)EA1 Y Y Y
Catalyst 2950 IOS v12.1(22)EA1 Y Y
Catalyst 2955 IOS v12.2(22)EA1 Y Y
Catalyst 2960 IOS v12.2(52)EA1 Y Y Y Y Y Y
Catalyst 2970 IOS v12.2(25)EA1 Y Y Y
Catalyst 2975 IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3550 IOS v12.2(44)SE Y Y Y Y
Catalyst 3560-E IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3560-X IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750 IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750-E IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750-Metro IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750-X IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 4500 IOS v12.2(54)SG Y Y Y Y Y Y
Catalyst 6500 IOS v12.2(33)SXJ Y Y Y Y Y Y
Catalyst 4900 IOS v12.1(54)SG Y Y Y Y Y Y
Nexus 7000 NX-OS 5.0(2) Y
WLAN Controller WLC 2100, 4400, 5500 Y Y Y Y Y
WLC for 3759 Y Y Y Y Y

Most features of Cisco ISE require CoA!
Cisco ISE node roles can be combined on a single appliance or split over several appliances; this depends on the ISE design. More policy nodes in your network means larger and more admin and monitoring nodes. See the chart: the left column gives the number of endpoints, the top row the number of policy nodes.
There is a maximum of 2 admin nodes (active/standby, not hot-standby).
There is a maximum of 2 monitoring nodes (active/standby or HA).
Licensing is based on concurrent endpoints and on features.
The wireless license contains base + advanced features, but for wireless only!
(Figure: ISE license overview)
Some considerations for an ISE design:

  • Only 1 Microsoft Active Directory membership per ISE deployment (at this point, version 1.1.x)
  • Licensing is based on the concurrent number of endpoints
  • An endpoint is an authenticated device, like a PC, phone, printer, iPad, etc.
  • Authentication against Microsoft AD, LDAP, EAP-TLS and web-based authentication can be mixed.
  • Profiling (detecting the device type) and posture (health of an endpoint) are advanced license only
  • Maximum of 2000 endpoints if you’re using 1 ISE appliance with all roles
  • Maximum of 4000 endpoints (non-redundant) if you’re using 2 ISE appliances with all roles

If you’re using separate nodes for the policy role, these are the maximum supported endpoints per appliance:

  • 3315: 3000 endpoints
  • 3355: 6000 endpoints
  • 3395: 10,000 endpoints

When co-locating the admin and monitoring roles on the same appliance, only 5 policy nodes in your deployment are supported!
When you’re using separate admin and monitoring roles, both redundant, a maximum of 40 policy nodes is supported with a maximum of 100,000 endpoints.
These are some more limitations:

  • 100,000 endpoints per ISE domain (deployment)
  • Max 5 or 40 policy nodes (see above)
  • Unlimited inline posture nodes
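The sizing rules above are easy to get wrong when roles are shuffled around, so here is a small design checker that encodes them. This is an added example, not code from the post or from Cisco; it assumes that the endpoint caps of dedicated policy nodes add up across nodes, and that a design with separate but non-redundant admin/monitoring falls under the 5-policy-node limit (the post only states the co-located and the separate-redundant cases).

```python
from dataclasses import dataclass
from typing import List

# Limits as quoted in the post (ISE 1.1.x era); caps are per dedicated policy node.
POLICY_NODE_CAP = {"3315": 3000, "3355": 6000, "3395": 10000}
MAX_ENDPOINTS_PER_DEPLOYMENT = 100_000


@dataclass
class Design:
    endpoints: int                    # concurrent endpoints (the licensing unit)
    admin_nodes: int
    monitoring_nodes: int
    policy_nodes: List[str]           # appliance model of each dedicated policy node
    admin_mon_colocated: bool         # admin and monitoring roles share an appliance
    all_roles_on_appliances: int = 0  # >0: small deployment, every role on this many boxes


def check_design(d: Design) -> List[str]:
    """Return the limits from the post that this design violates (empty list = OK)."""
    problems = []
    if not 1 <= d.admin_nodes <= 2:
        problems.append("admin nodes must be 1 or 2 (active/standby)")
    if not 1 <= d.monitoring_nodes <= 2:
        problems.append("monitoring nodes must be 1 or 2 (active/standby or HA)")
    if d.endpoints > MAX_ENDPOINTS_PER_DEPLOYMENT:
        problems.append("more than 100,000 endpoints in one deployment")
    if d.all_roles_on_appliances:
        # 1 box with all roles: 2000 endpoints; 2 boxes (non-redundant): 4000
        cap = 2000 if d.all_roles_on_appliances == 1 else 4000
        if d.endpoints > cap:
            problems.append(f"all-roles deployment is limited to {cap} endpoints")
        return problems
    # 40 policy nodes only with separate AND redundant admin/monitoring; anything else
    # is treated as the 5-node case (assumption: the post states only these two cases).
    redundant = d.admin_nodes == 2 and d.monitoring_nodes == 2
    max_policy = 40 if (not d.admin_mon_colocated and redundant) else 5
    if len(d.policy_nodes) > max_policy:
        problems.append(f"{len(d.policy_nodes)} policy nodes exceed the {max_policy} supported")
    unknown = sorted({m for m in d.policy_nodes if m not in POLICY_NODE_CAP})
    if unknown:
        problems.append(f"unknown appliance model(s): {unknown}")
    # Assumption: endpoints are spread over the policy nodes, so their caps add up.
    capacity = sum(POLICY_NODE_CAP.get(m, 0) for m in d.policy_nodes)
    if d.endpoints > capacity:
        problems.append(f"{d.endpoints} endpoints exceed the policy capacity of {capacity}")
    return problems


if __name__ == "__main__":
    # Constructed sample: admin+monitoring co-located, six 3355 policy nodes, 20,000 endpoints.
    for p in check_design(Design(20000, 2, 2, ["3355"] * 6, admin_mon_colocated=True)):
        print("violation:", p)
```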

Performance of the deployment according to Cisco, in authentications per second:

  • PAP: 1431
  • EAP-MD5: 600
  • EAP-TLS: 335 internal, 124 LDAP
  • LEAP: 455
  • MSCHAPv1: 1064 internal, 361 AD
  • MSCHAPv2: 1316 internal, 277 AD
  • PEAP-MSCHAPv2: 181
  • PEAP-GTC: 196 AD, 188 LDAP
  • FAST-MSCHAPv2: 192
  • FAST-GTC: 222
  • Guest (web auth): 17

Bandwidth requirements between node roles:

  • Policy services and monitoring: 1 Mb/s
  • Admin and monitoring: 256 Kb/s
  • Endpoints and policy: 125 Kb/s per endpoint
  • Redundant monitoring pair: 256 Kb/s
  • Admin and policy: 256 Kb/s

I’ll start with the basic installation of the ISE software in part 2 of this Cisco ISE blog series.


  • Can Cisco ISE handle vpn, wired and wireless authentication and authorization on one node?

    • It depends..
      First, a single node deployment only supports 2000 concurrent endpoints. But even more importantly:
      the devices the endpoints are connected to need to have support for CoA (Change of Authority). I’ve posted a picture of a table in this post, with a list of CoA-supported devices. As you can see in this picture, firewalls or other VPN devices are not listed; they don’t support CoA.
      So, if you want to authenticate and authorize VPN users you have to use an inline posture node. This node cannot be virtual; a physical appliance is required.
      Wired and wireless authentication and authorization on 1 node is of course possible.

  • Can you talk about physical 33×5 appliances and network cabling necessary, is NIC-teaming an option?
