Cisco Technologies Comparision

1. From cisco ACS To ISE
Comparison of two technologies
M.Zahedi
2015

2. In The Name Of God2
Contents
ACS Introduction
Policy terminology
Access Service /Examples
Why ISE
New features Of ISE

3. Cisco secure Access Control
 Network security officers and administrators need solutions that support flexible
authentication and authorization policies that are tied not only to a user’s identity
but also to context such as the network access type, time of day the access is
requested, and the security of the machine used to access the network.
 Cisco Secure ACS, a core component of the Cisco TrustSec® solution, is a highly
sophisticated policy platform providing RADIUS and TACACS+ services.
 Cisco Secure ACS provides central management of access policies for device
administration and for wireless, wired IEEE 802.1x, and remote (VPN) network access
scenarios.
3

4. Features
 Unique, flexible, and detailed device administration in IPv4 and IPv6 networks, with full
auditing and rules-based policy model that flexibly addresses complex policy needs
 A lightweight, web-based GUI with intuitive navigation and workflow accessible from
both IPv4 and IPv6 clients
 Integrated advanced monitoring, reporting, and troubleshooting capabilities for
excellent control and visibility
 Integration with external identity and policy databases, including Microsoft Active
Directory and Lightweight Directory Access Protocol (LDAP)-accessible databases,
simplifying policy configuration and maintenance
 A distributed deployment model that enables large-scale deployments and provides a
highly available solution
4

5. Main Features and Benefits of Cisco Secure
ACS 5.8
Features Benefit
Complete access control and
confidentiality solution
It can be deployed with other Cisco TrustSec components, including
policy components, infrastructure enforcement components, endpoint
components, and professional services.
Authentication, authorization, and
accounting (AAA) protocols
supporting two distinct AAA protocols: RADIUS and TACACS+
Database options
integration with existing external identity repositories such as Microsoft
AD servers, LDAP servers, and RSA token servers.
Authentication
protocols
PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5,
Protected EAP (PEAP), EAP-Flexible Authentication through Secure
Tunneling (FAST), EAP-Transport Layer Security (TLS), and PEAP-TLS. It
also supports TACACS+ authentication with CHAP/MSCHAP protocols
and PAP-based password change when using TACACS+ and EAP-GTC
with LDAP servers.
5

6. Cont. Main Features and Benefits of Cisco
Secure ACS 5.8
Features Benefit
Access policies
a rules-based, attribute-guided policy model that provides greatly increased power
and flexibility for access control policies, which can include authentication protocol
requirements, device restrictions, time-of- day restrictions, and other access
requirements. Cisco Secure ACS can apply downloadable access control lists
(dACLs), VLAN assignments, and other authorization parameters. Furthermore, it
allows comparison between the values of any two attributes that are available to
Cisco Secure ACS to be used in identity, group-mapping, and authorization policy
rules.
Centralized
management
Cisco Secure ACS 5.8 supports a completely redesigned lightweight, web-based
GUI that is easy to use. An efficient, incremental replication scheme quickly
propagates changes from primary to secondary systems, providing centralized
control over distributed deployments. Software upgrades are also managed
through the GUI and can be distributed by the primary system to secondary
instances.
Support for high
availability in larger
Cisco Secure ACS
deployments
Cisco Secure ACS 5.8 supports up to 22 instances in a single Cisco ACS cluster: 1
primary and 21 secondary. One of these instances can function as a hot (active)
standby system, which can be manually promoted to the primary system in the
event that the original primary system fails.
If <identity-condition, restriction-condition> then <authorization-profile>
6

7. Cont. Main Features and Benefits of Cisco
Secure ACS 5.8
Feature Benefit
Programmatic
interface
cisco Secure ACS 5.8 supports a programmatic interface for create, read,
update, and delete operations on users and identity groups, network devices,
and hosts (endpoints) within the internal database. It also adds the capability
to export the list of Cisco Secure ACS administrators and their roles through
the same web services API.
Monitoring, reporting,
and troubleshooting
Cisco Secure ACS 5.8 includes an integrated monitoring, reporting, and
troubleshooting component that is accessible through the web-based GUI.
This tool provides excellent visibility into configured policies and
authentication and authorization activities across the network.
7

8. Policy terminology
 Access service : A sequential set of policies used to process access request
 Policy element : Global, shared object that defines policy conditions and
permission
 Shell profile: permissions container for TACACS+ based device administration
policy
 Authorize profile: permissions container for RADIUS based network
 Command set: contains the set of permitted commands
 Policy: A set of rules that are used to reach a specific policy decision
 Identity policy: policy for choosing how to authenticate and acquire identity
attributes for a given request.
8

9. Access Services
 Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for
users and devices that connect to the network and for network administrators who administer
network devices
 In ACS 5.x, authentication and authorization requests are processed by access services.
 An access service consists of the following elements:
 Identity Policy—Specifies how the user should be authenticated and includes the allowed
authentication protocols and the user repository to use for password validation.
 Group Mapping Policy—Specifies if the user's ACS identity group should be dynamically
established based on user attributes or group membership in external identity stores. The user's
identity group can be used as part of their authorization.
 Authorization Policy—Specifies the authorization rules for the user.
9

10. Cont. Access Services : A Sample
 Access Service List
 Service selection Policy
10

11. WHY Cisco identity services Engine?
 The Evolving Workplace Landscape
 Device proliferation
15 billion Devices by 2015
that Will Be
Connecting to Your
Network
40% of staff Are
Bringing Their
Devices to Work
On Average Every Person Has 3-
4 Devices On them that
Connects to the Network
Gartner:
until 2020  26 billion Devices in IOE
(Internet of Everything)
11

12. Key Functions
 Combines authentication, authorization, accounting (AAA), posture, and profiler into one
appliance
 Provides for comprehensive guest access management for Cisco ISE administrators
 Enforces endpoint compliance by providing comprehensive client provisioning measures and
assessing the device posture for all endpoints that access the network, including 802.1X
environments
 Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint
devices on the network
 Employs advanced enforcement capabilities including Trustsec through the use of Security Group
Tags (SGTs) and Security Group Access Control Lists (SGACLs)
 Supports scalability to support a number of deployment scenarios from small office to large
enterprise environments
12

13. Features of ISE
Features Benefit
Highly secure
supplicant-
less network access
Provides organizations with the ability to swiftly roll out highly
secure network access without configuring endpoints for
authentication and authorization. Authentication and
authorization are derived from login information across
application layers and used to allow user access without
requiring a 802.1X supplicant to exist on the endpoint
Guest lifecycle
management
Time limits, account expirations, and SMS verification offer
additional security controls, and full guest
auditing can track access across your network for security and
compliance demands.
Source-Group
Tagging
Easier access controls
13

14. Cont. Features of ISE
Feature Benefit
AAA protocols RADIUS /TACACS+ protocols
Authentication
protocols
wide range of authentication protocols, including, but not
limited to, PAP, MS-CHAP, Extensible Authentication Protocol
(EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication
via Secure Tunneling (FAST), EAP-Transport Layer Security (TLS)
and EAP-Tunneled Transport Layer Security (TTLS).
Device profiling
Ships with predefined device templates for many types of
endpoints, such as IP phones, printers, IP cameras, smartphones,
and tablets. Administrators can also create their own device
templates. These templates can be used to automatically detect,
classify, and associate administration-defined identities when
endpoints connect to the network
14

15. Cont. Features of ISE15
Feature Benefit
Internal certificate
authority
Offers organizations an easy-to-deploy internal certificate
authority to simplify certificate management for personal
devices without adding the significant complexity of an
external certificate authority application.
Endpoint posture
Verifies endpoint posture assessment for PCs and mobile
devices connecting to the network.
Ecosystem with pxGrid
integrating through pxGrid with SIEM and threat defense
solutions, web security
solutions, and operational technology control
Monitoring and
troubleshooting
Includes a built-in web console for monitoring, reporting, and
troubleshooting.
Extensive multiforest
AD support
Provides comprehensive authentication and authorization
against multiforest Microsoft Active Directory domains.

16. Comprehensive Visibility Identity and
Context Awareness
Context
Identity
16

17. Identity Awareness
IEEE 802.1x Mac Auth Bypass web Authentication
Consistent identity feature supported on all Catalyst switch models
Authentication Features
17

18. Device identification/Device Profiling
 Automated Device Classification using Cisco Infrastructure
Cisco
Innovation
Profiling operations:
 Determining The Manufacture of
endpoint
Function of endpoint (IP phone, IP
camera, net printer)
Other network level assessments of
endpoint
18

19. Context Awareness: Posture Assessment
 ISE Posture Ensures Endpoint Health before network access
Posturing:
 Using NAC agent, Posturing will
ensure that endpoint is adhering to
security policies.
 If security policy is matched
additional network access can be
allowed via authorization policy.
 Depth of posturing ->3party software
such as MDMs
19

20. Context Awareness: Guest Management
 ISE Guest Service for Managing guests
20

21. SGT Exchange Protocol support
Cisco
Innovation
Flexible Enforcement mechanisms in your infrastructure
21

22. Cont. Security Group Tagging support
:Traditional ACL rules
22

23. Cont. S security Group Tagging support
 Enforcement is based on the Security Group Tag, can control communication in
same VLAN
23

24. Cont. Security Group Tagging support:
Example
Source/Des PCI HR
PCI
HR
 PCI User attempting to talk to HR user on same switch same VLAN is denied.
 HR User on Switch 1 is able to communicate with HR User on Switch 2.
 HR User is denied access to the PCI Server.
 PCI User is granted access to the PCI Server.
24

25. Platform Exchange Grid (pxGrid )
context sharing
 pxGrid is a robust context-sharing platform that takes the deep level of contextual
data collected by ISE and delivers it to external and internal ecosystem partner
solutions
 ISE can integrate through pxGrid with SIEM and threat defense solutions, web
security solutions, and operational technology control (including supervisory
control and data acquisition, or SCADA, operational and security policy
integration).
 The list of ecosystem partners who are taking advantage of this simple unified
framework continues to expand ( The Page: partner security ecosystem page)
25

26. Conclusion26
Features ACS ISE
AAA protocol
(TACACS+/RADUISE)
* *
External DB (AD,LDAP) * *
Auth protocols * * + TTLS
Auth features 802.1x 802.1x,MAB,webAuth
Endpoint posture *
Device profiling *
Guest management *
Access policies Vlan , ACL +SGT
Internal CA *
Complete access
control
With other TrustSec
solutions
With SIEM and security
solutions using pxGrid
Monitoring, reporting,
and troubleshooting
Using columns view Using real-time
dashboard metrics

27. Thank You