
Cisco Identity Services Engine (ISE) 2.0

High-Level Design (HLD)


An ISE HLD may be requested at any time by the Cisco TAC to troubleshoot an ISE
deployment. An HLD will be required for any assistance by the Policy and Access Team
for Technical Marketing or Escalation services. Inability to produce a current HLD upon
request covering the full scope of your ISE deployment will delay the resolution of your
problem. Even though ISE deployment does not require an HLD, it is still
recommended to complete one for records.

Required preliminary information (provide your answers next to each item):

Customer Company Name:
Partner Company Name:
Engineer's Name, Email and Phone (who created or reviewed this HLD):
Cisco Sales Order number(s), if the order has been placed:

ISE 2.0 HLD

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Page 1 of 28

Content

Introduction ... 3
  Retirement of ISE ATP Program ... 3
  Document Purpose ... 3
Business Objectives ... 4
  Customer's Business Goals ... 4
Estimated Timelines ... 5
Customer Environment Summary ... 6
Customer Network Overview ... 7
  Physical Network Topology ... 7
  Topology Specifics ... 8
Policy Details ... 13
Deployment Details ... 17
  Unknowns ... 17
  High Availability ... 17
  Migration ... 17
  ISE Node details ... 18
Bill of Materials (BOM) ... 19
Appendix ... 20
  Security Partner Community ... 20
  Migration SKUs ... 20
  Migration Guide ... 20
  Machine Access Restrictions (MAR) ... 20
  Note regarding Performance Specifications ... 22
  Platform Hardware Specs ... 22
  Platform Performance Specs for PSN when PAN and MnT are deployed as separate nodes: Max Concurrent EndPoints and Composite Authentications (authentication values are approximate) ... 22
  Platform Performance Specs: Authentications/Second with PSN-only persona (approximate values) ... 23
  System Performance Specs (per Identity Services Engine deployment) ... 23
  System Scale (per Identity Services Engine deployment) ... 23
  VM Disk Size Minimum Requirement ... 23
  MnT Persona Log Storage Requirement (days of retention, assuming collection filter is enabled) ... 24
  Latency and bandwidth requirement among ISE nodes ... 24
  Guest Server and ISE Guest Feature Comparison ... 24
  ACS and ISE Feature Comparison ... 26


Introduction
Retirement of ISE ATP Program
ISE is being phased out of the ATP program, so it is no longer required to submit an HLD as part of an ISE order. For partner resources,
please visit the Security Partner Community (https://www.cisco.com/go/securitychannels). The latest version of the HLD and the Bandwidth
Calculator are available there as well.

Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for the Cisco Identity Services
Engine (ISE) with the Secure Access solution. Because of the many product configurations and deployment options, we are
providing this document to assist with obtaining relevant design information from your customer. The Secure Access
solution using the Cisco Identity Services Engine is a system architecture comprising many components, including
endpoints, network access devices, identity stores, certificate authorities, and many APIs for third-party integrations, to
provide guest services, profiling, BYOD enrollment and AAA for all user and device access control needs. An
engineer must consider the Secure Access solution holistically, covering immediate as well as future requirements,
before deciding what equipment to purchase. This HLD template steps the engineer through what needs to be
considered. If the engineer is not intimately familiar with the proposed network, a network assessment may be necessary
before completing the HLD. This document can be used during the design phase of the ISE deployment to assist
engineers in collecting the key information relevant to a successful ISE deployment. The Cisco TAC or Secure Access and
Mobility Product Group representatives may request a copy of the HLD with any support or escalation case.


Business Objectives
Customer's Business Goals
Describe the customer's business goals. Consider the following example business goals:

Profiling for visibility or inventory management (differentiation of services based on device type)
Differentiation of service based on user identity
Regulatory compliance
Securing wireless network and providing guest access
Managing employee-provided devices (e.g., iPads)
Port lockdown
Ensuring endpoint health or posture
Network Device Administration
Other

The Policy Details provided in later sections of this HLD should reflect the business objectives stated here.
Customer's Business Goals:


Estimated Timelines

| Phase | Number of endpoints | Begin | End | Comments |
|---|---|---|---|---|
| Lab testing and qualification | N/A | | | |
| Final Design Review call with Cisco SME | N/A | Earliest target date for review call | Latest target date for review call | May also occur after initial pilot/POC phase |
| Production phase 1 (pilot) | | | | |
| Production phase 2 | | | | |
| Production phase 3 | | | | |


Customer Environment Summary

Deployment Summary

Use cases in scope for design (please check or add to the list):
  Wired
  Wireless
  VPN
  BYOD
  pxGrid
  MACSec
  Device Admin
  Profiling/Visibility
  Posture Assessment
  TrustSec
  Guest Access
  MDM Integration
  RADIUS Proxy
  Location Integration
  Other Use Cases:

Endpoint count

Total endpoint count for the entire deployment (endpoint count equals the sum of user and non-user devices):
  o Total user endpoints (i.e. Windows PCs, mobile devices, guest devices). User Endpoints:
  o Total non-user endpoints (including IP Phones, wireless APs, printers, etc.). Non-user Endpoints:

Concurrent endpoint count

Maximum number of concurrent endpoints expected:
  o Total concurrent user endpoints including guest devices. Concurrent User Endpoints:
  o Total mobile endpoints using 3rd party MDM with ISE. Concurrent endpoints with 3rd party MDM:
  o Total endpoints for posture assessment. Concurrent endpoints with posture assessment:
  o Total concurrent non-user endpoints (typically non-user endpoints are always connected). Concurrent non-user endpoints:


Customer Network Overview


Physical Network Topology
Insert a high-level network diagram showing the proposed Identity Services Engine solution. This should include any
branch networks and data centers. Include the approximate number and types of endpoints per location. Include WAN
bandwidth information and show the placement of network access devices and supporting infrastructure such as Active Directory/LDAP, DNS servers, NTP
servers, wireless controllers, switches, and VPN concentrators.
Note: The maximum latency between the admin node and any other ISE node, including the secondary admin, MnT, and PSN, is
200 ms. Here is a link to the WAN bandwidth calculator for ISE deployments (https://www.cisco.com/go/securitychannels). This
calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.
Customer's Physical Network Topology:


Topology Specifics

Network Access Devices
Question: Provide the general switch/controller model numbers/platforms deployed and the Cisco IOS and AireOS software versions to be deployed to support the ISE design. Please see the ISE Component Compatibility Document for the recommended IOS and AireOS versions, and please explain if you are not planning on deploying the versions listed in that document.
Response:

Identity Services Engine Software Version
Question: Which ISE software version will be deployed? Please see the CCO Download Software Page for the latest software release.
Response:

EndPoint Types
Questions:
  What are the general client types deployed (please provide service pack details for Windows and OS versions for Mac OS X)?
  Will 3rd party Mobile Device Management (MDM) be integrated with ISE?
  If already using or planning to use 3rd party MDM, please note the vendor and version as well as a brief description of how it will integrate with ISE. Please see the Cisco ISE MDM Partner Integration guide for supported MDM vendors and versions.
  Are mobile devices corporate- or employee-owned assets?
  Will user access policy be based on device type (for example, laptop versus iPad)? If so, will machine auth, profiling, or static MAC assignments be used to distinguish device types?
  Please note how many of the concurrent endpoints will utilize MDM information during authorization from ISE.
Note: For domain-joined Windows machines to function properly, machine authentication is recommended. Performing user-only authentication may break critical functions such as machine GPO and other background services such as backup and software push.
Note: State whether the customer is using machine or user authentication, or both. If both machine and user authentication are planned, are Machine Access Restrictions (MAR) planned? If so, review the Appendix information on MAR caveats.
For machine / user authentication details, please refer to 802.1X Authenticated Wired and Wireless Access.
Response:
  3rd party MDM Vendor:
  Windows Versions: Windows XP: / Windows Vista: / Windows 7: / Windows 8/8.1: / Windows 10: / Windows Other:
  Supplicant Type: Windows Native / AnyConnect NAM / 3rd Party supplicant:
  Other User EndPoint Types: Mac OSX: / iDevice: / Android: / Linux: / Other EndPoint Types:
  Non-User EndPoint Types: Wireless AP: / IP Phone: / Printer/Fax/Etc: / HVAC: / Medical: / SCADA: / Other:

Extensible Authentication Protocol (EAP) Types
Note: EAP-TTLS is not supported by ISE.
Note: Cisco ISE version 1.1 supports FIPS 140-2 Level 1 compliance; please see the FIPS 140-2 Level 1 Compliance page for more information.
Note: Cisco ISE 2.0 supports EAP chaining. When EAP chaining is turned off, Cisco ISE performs the usual EAP-FAST authentication.
Response:
  EAP Tunnel: PEAP / EAP-FAST / EAP-TTLS / EAP-TLS / EAP-Chaining
  Inner EAP: MSCHAPv2 / GTC
  Other EAP Types:

ID Stores
[EAP and ID Store Compatibility Reference]
List the internal and external ID stores the customer will use for different use cases.


Consider the following:
  802.1X: AD
  MAB: Internal EndPoints + AD
  Web Authentication: Internal Guest + AD
  VPN: SecurID
  Guest Sponsors: AD
  Oracle Access Manager
  ISE GUI Admin: Certificate
Note: For sponsored or self-service guests, the ID store is always the ISE guest users database.
Response:

MS Active Directory Environment
  How many AD forests are to be integrated with ISE with the multi-AD feature?
  ISE requires AD forest DNS to be consolidated into central DNS servers. What method is used to consolidate DNS information for the separate AD forests?
  What version of AD is in use?
  Are there any Read-Only domains in place?
Note: AD Sites & Services is recommended for ISE subnets for all forests. For more information regarding multi-AD support, please refer to the ISE 1.3 Multi-AD how-to guide.
Response:

Web Authentication
  Will WebAuth be used?
  Will WebAuth be used for wired, wireless, or both?
  Will Local Web Auth (LWA) or Central Web Auth (CWA) be used?
  Where will the web portal be hosted?
  Note: If deploying CWA, the portal must be hosted by ISE. If deploying LWA, the portal can be local to the access device or external (such as ISE).
  Will web auth be used for guest access? Will web auth be used for non-guests (for example, employees)?
Note: For more information on CWA and LWA support on different platforms, please refer to the ISE Component Compatibility Document.
Response:

Authorization
Describe the enforcement types used. Consider the following options:
  VLANs
  ACLs (dACL for wired / named ACL for wireless)
  Security group tags/ACLs (SGTs/SGACLs)
dACL considerations:
  Cisco Catalyst switches support wire-rate access control lists (ACLs) using ternary content addressable memory (TCAM). If the TCAM is exhausted, packets may be forwarded via the CPU path, which can decrease performance for those packets. It is recommended to limit the number of Access Control Entries (ACEs) to prevent potential TCAM exhaustion.
  Using the IP Source Guard feature or QoS features may also affect TCAM utilization.
VLAN considerations:
  Consider the use case for why VLAN enforcement is used and estimate the number of VLANs required.
  To authorize an endpoint using dynamic VLANs (dVLANs), the access device must have that VLAN locally defined or else authorization will fail.

  To reduce the number of unique authorization policy rules, access devices should use consistent VLAN numbering, or case-sensitive naming if assigning dVLANs by VLAN name or VLAN Group name.
  When using the monitor mode of a phased deployment, VLAN assignment may leave endpoints with the wrong IP address.
  Some endpoints, such as non-user devices, may not refresh their IP address after a VLAN change.
  If devices are statically addressed, they may not be able to communicate on the assigned VLAN.
Note: VLAN assignment is not supported with LWA (wired or wireless).
Note: Using dVLAN assignment to change VLANs between machine authentication and user authentication, or for remediation purposes, on the Windows platform may result in a delay in getting a new IP address.
Response:

Posture
  Which posture agents will be used? Consider: AnyConnect 4.0 posture agent for Windows or Mac, Web agent for Windows.
  If persistent posture agents are deployed, how will they be provisioned? (e.g. through ISE, through another desktop software/patch management solution, or via ASA)
  In the Posture Policy section below, explain the posture policy by OS type, including remediation policies.
Note: For the latest AV/AS posture requirements, review the list of currently supported packages for Windows and MacOSX.
Response:

Profiling
  Identify the primary device types to be profiled.
  What profile data is required to classify each device type?
  Which probes will be deployed to collect the required data?
  If SPAN/RSPAN is to be used, does the infrastructure support these technologies?
  Note: If SPAN/RSPAN is used, a dedicated interface should be used on the Policy Service Node for the DHCP SPAN or HTTP SPAN probe.
  If RSPAN or NetFlow is to be used, is there sufficient bandwidth between the source SPAN/NetFlow exporter and the ISE Policy Service Node used for profiling?
  Is profiling for visibility only or for use in authorization policy?
  In the Profiling Policy section below, explain the profiling policy in detail.
Response (Profiling Probes): NETFLOW / DHCP / DHCPSPAN / HTTP / RADIUS / Device Sensor / DNS / NMAP / SNMPTRAP / SNMPQUERY

ISE Nodes/Personas
  Number and type (3415/3495/VM) of each ISE appliance (node).
  Define the personas assigned to each node (e.g., Administration, Monitoring, Policy Service, pxGrid, Device Admin), including Primary and Secondary designations.
  In the Deployment Details section below, provide information on the nodes.
Note: The Inline Posture node is no longer supported starting with ISE 2.0.
Note: Each Policy Service Node (PSN) supports a limited number of endpoints. Please size the number of PSNs according to the number of required endpoints.
Note: EOS and EOL have been announced for the 33x5 appliances. For more information please refer to the EOL announcement.
Response:

Switch Identity Configuration
Describe the wired switch identity configuration:
  Multi-auth/multi-domain modes
  Flexible authentication sequencing and priority for 802.1X, MAB, and web auth
  Is Class-Based Policy Language (CPL) for the 3850 switch to be used?
  Are Failed-Auth or Guest VLANs to be used?
Note: These fallback mechanisms cannot be used with LWA/CWA.
Note: Please refer to the Cisco TrustSec 2.1 HowTo Guide in the Appendix for configuration reference. We would recommend inputting the detailed switch configurations here.
Response:

Wireless Configuration
Describe the wireless configuration:
  How many SSIDs does the deployment require?
  Please provide the SSID security settings.
  Is the wireless AP in FlexConnect mode or not?
  For guest wireless access, is the WLC configured as an anchor controller?
Note: Not all functionality of FlexConnect AP mode with ISE is officially supported.
Note: For the WLANs, please configure the idle-timer to be more than 3600 seconds (1 hour) and the session-timeout to be more than 7200 seconds (2 hours). Also, please increase the RADIUS Authentication & Accounting server timeout to 5 seconds.
Response:

Certificate Authority (CA) Integration
Describe the CA configuration:
  How will ISE integrate with a 3rd party CA?
  Will ISE be issuing certificates for BYOD?
  Utilize the web-based CA portal on ISE?
  Utilize the API for certificate management?
  Utilize AnyConnect/ASA for SCEP enrollment?
Response (CA Types): Standalone / Joined to existing PKI infrastructure / SCEP

Bring Your Own Devices (BYOD)
Describe the detailed BYOD configuration:
  Is it Single SSID or Dual SSID?
  Will Android be in the BYOD design? If so, please provide details of the provisioning authorization profile.
  What devices will be auto-provisioned?
  What supplicant will be used? Please provide detailed supplicant configuration information.
  What access will unsupported devices get? (i.e. Blackberry, Windows phones, Chromebooks)
  Will MDM be integrated with the BYOD design? If so, please provide details of the MDM policy below in the Authorization Policy section, and whether or not redirection will be used for MDM agent installation.
Note: Dual SSID and CWA are only supported with WLC AireOS 7.2 and up. Please plan to use LWA if there is no plan to upgrade to devices that support CWA and MAB.
Note: With AireOS 7.6 and up, DNS-based wireless ACLs are supported, which allow an admin to create an ACL that gives Android devices access to the Google Play Store.
Response:

Integration with 3rd party (excluding MDM)
Describe the detailed integration with SIEM & Threat Defense products:
  What product and vendor for SIEM? Please see the Cisco ISE SIEM & Threat Defense Ecosystem Integration guide for supported SIEM vendors and versions.
  What information will be forwarded to the SIEM?
  Will pxGrid be used? If so, which devices will subscribe to ISE?

  Will Adaptive Network Control (ANC) be used?
Response:


Policy Details
List all security policies that are needed to implement the business requirements described above.

Authentication: For each use case (wired, wireless, VPN), describe the authentication policies that will be implemented
for all users and endpoints, whether managed or unmanaged.

Authentication Policy Example:

| Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence |
|---|---|---|---|
| Device Access | Wired_MAB | Default Network Access | Internal EndPoints |
| 802.1X Access | Wired_802.1X | Default Network Access | AD_then_Local |
| VPN | NAS-Port-Type = Virtual | Default Network Access | AD |
| Default | - | Default Network Access | Internal Users |

Customer Authentication Policy:

| Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence |
|---|---|---|---|
| | | | |
Authorization: For each use case (wired, wireless, VPN), describe the authorization policies that will be implemented for
all users and endpoints, whether managed or unmanaged.

Authorization Policy Example:

| Rule Name | Identity Groups | Other Conditions | Permissions |
|---|---|---|---|
| BYOD Unknown | Mobile Devices Logical Group | EAP Tunnel = PEAP, EAP Type = MSCHAPv2 | NSP dACL, NSP Redirect |
| BYOD Registered | Registered | EAP Type = EAP-TLS, SAN = Calling-Station-ID | Registered dACL |
| IP_Phones | Cisco-IP-Phones | - | Voice VLAN, Authz VVID |
| Printers | Managed-Printers | - | Printer VLAN |
| Cameras | Managed-Cameras | - | Camera VLAN |
| Workstation_Access | Any | Domain PC | AD Access dACL |
| User_Role_1_Access | Any | Domain Member Role1 | Role1 dACL |
| User_Role_2_Access | Any | Domain Member Role2 | Role2 dACL |
| Guest_Access | Guest | - | Internet Only dACL |
| Default | - | - | Web Auth |
Customer Authorization Policy:

| Rule Name | Identity Groups | Other Conditions | Permissions |
|---|---|---|---|
| | | | |

Guest Access: For each use case (wired or wireless), describe the guest access policy. Provide information on how guests
will access the network, including information on guest provisioning, sponsors, and whether custom guest portal pages
need to be created. Please fill in the details in the forms below if the answer "yes" applies to you. Put "no" if the scenario does not
apply to you.

| Services | Wired (yes or no) | Wireless (yes or no) |
|---|---|---|
| Guest | | |

Profiling: For each use case (wired or wireless), describe how the profile data will be collected by each probe required to
classify each device type to be profiled. For example, will SPAN or RSPAN be used to carry data from the network to the
Identity Services Engine? If so, what is the SPAN design? Will dedicated ISE interfaces be used? If the HTTP probe is used,
will SPAN or redirection be used to capture user agent attributes?
Please note the number of events per second a platform can safely process, per the Platform Performance Spec table
below. For example, if iPad traffic is to be profiled by probing HTTP traffic for the User Agent attribute, then the design
must ensure the Policy Service node is not inspecting more than 1200 HTTP events per second (3395 spec). Consider
profiling strategies that reduce the overall load on the Policy Service node, such as the use of HTTP redirect at connect time to capture
the User Agent attribute, or the use of IP Helper statements for DHCP capture instead of SPAN.
Profiling Policy / Requirements Example:

| Device | Profile Unique Attributes | Probes Used | Collection Method |
|---|---|---|---|
| Cisco IP Phone | OUI; CDP | RADIUS; SNMP Query | RADIUS Authentication; Triggered by RADIUS Start |
| IP Camera | OUI; CDP | RADIUS; SNMP Query | RADIUS Authentication; Triggered by RADIUS Start |
| Printer | OUI; DHCP Class Identifier | RADIUS; DHCP | RADIUS Authentication; (not given) |
| POS Station | MAC Address (static IP); ARP Cache for MAC to IP mapping; DNS name | RADIUS (MAC Address discovery); SNMP Query; DNS | RADIUS Authentication; Triggered by RADIUS Start; Triggered by IP Discovery |
| Apple iPad/iPhone | OUI; Browser User Agent | RADIUS; HTTP | RADIUS Authentication; Authorization Policy posture redirect to central Policy Service node cluster |
| Device X | DHCP Class Identifier + MAC to IP mapping; NMAP Scan Result | DHCP; NMAP | IP Helper from local L3 switch SVI; Active Scanning |
| (device name missing in source) | MAC Address; Requested IP Address for MAC to IP mapping; Optional: acquire ARP Cache for MAC to IP mapping; Port # traffic to Destination IP | RADIUS (MAC Address discovery); DHCP; SNMP Query; Netflow | RADIUS Authentication; RSPAN of DHCP Server ports to local Policy Service node; Triggered by RADIUS Start; Netflow export from Distribution 6500 switch to central Policy Service node |

Customer Profiling Policy / Requirements:

| Device | Profile Unique Attributes | Probes Used | Collection Method |
|---|---|---|---|
| | | | |

Posture: Describe posture policy requirements for endpoint compliance. This may include many areas such as asset
checking, application and services checking, and antivirus and antispyware checks, as well as customized checks for
specific use cases. Describe remediation plans and include remediation servers that need to be integrated into the design.

Posture Policy Example:

| Rule Name | OS (Windows/MacOSX) | Conditions | Posture Agent | Checks | Remediation | Enforcement (Audit/Opt/Mandatory) | When Assessed (Login/PRA/Both) |
|---|---|---|---|---|---|---|---|
| Employee_AV | Windows XP/7 | AD group = Employee | NAC Agent for Windows | AV Rule: Microsoft Security Essentials 2.x | Live update (Automatic) | Mandatory | Both |
| Employee_Asset | Windows XP/7 | AD group = Employee | NAC Agent for Windows | Custom registry check | Link redirect to policy page (Manual) | Mandatory | Login |
| Contractor_AV | Windows ALL | ID Group = Contractor | Web Agent | AV_Rule: Any AV w/current signatures | Local message regarding AV policy | Mandatory | Login |

Customer Posture Policy:

| Rule Name | OS (Windows/MacOSX) | Conditions | Posture Agent | Checks | Remediation | Enforcement (Audit/Opt/Mandatory) | When Assessed (Login/PRA/Both) |
|---|---|---|---|---|---|---|---|
| | | | | | | | |

Client Provisioning: Describe Client Provisioning policy requirements for posture and native supplicant provisioning.

Client Provisioning Example:

| Rule Name | Identity Groups | Operating Systems | Other Conditions | Results |
|---|---|---|---|---|
| Apple | Any | MAC OSX or Apple iOS | | Native Supplicant: EAP-TLS, SSID |
| Windows | Any | Windows All | | Agent: NAC Agent; Native Supplicant: PEAP-MSCHAPv2, SSID |
| Android | Any | Android | | Native Supplicant: EAP-TLS, SSID |

Customer Client Provisioning Policy:

| Rule Name | Identity Groups | Operating Systems | Other Conditions | Results |
|---|---|---|---|---|
| | | | | |

Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For instance, list here any information that was required but not
received from the customer. (E.g. "My customer uses IE3000 series switches. Is this supported?", "The customer is using a
3rd party NAD", or "The customer is currently using IPv6".)

High Availability
Discuss high availability considerations.

High availability for each persona and node should be part of design to ensure that no single persona/appliance
failure results in total loss of a service. Please confirm persona/node redundancy design and explain reason if HA
not planned for any component.

How will network access devices and ISE Policy Service nodes be configured for redundancy? Note: For wireless
deployments using LWA, only one URL can be defined for web authentication.

Please provide the details regarding how Load Balancing will be used in this deployment, if it applies.

Migration
If migrating this deployment from ACS or ISE, provide details on the current deployment and how you're going to address
migration of licensing, existing policy, NAD configurations, etc.

Is this a migration for an existing Cisco Secure ACS, NAC Appliance, NAC Profiler, and/or NAC Guest Server
deployment? If so, please list the existing product SKUs purchased to determine full migration entitlement.
o For existing appliances supported by ISE, please indicate quantity and type of each appliance model (for
example, 1121, 3315, 3355, or 3395) to be migrated.
o For NAC Appliance license counts, please indicate the user license for each NAC Server (FO pairs count as one
license).
o For NAC Profiler endpoint counts, please provide the endpoint license for dedicated Profiler Collectors, or quantity
and type (331x or 335x) of each CLT license.
o If this is a NAC Guest Server (NGS) migration, please note the differences between the guest access features of
NGS and the Identity Services Engine Version 2.0 in the appendix section of this document.
o If this is an ACS migration, please note the differences between the features of ACS 5.8 and ISE 2.0 in the
appendix section of this document (ACS 4.2 information is shown for comparison purposes; currently there is no
direct migration path from ACS 4.2 to ISE 2.0).

Client Provisioning and 802.1X Phasing


Supplicant / Supplicant Configuration provisioning:
o For non-native supplicants (such as AnyConnect NAM), how are supplicants provisioned? (E.g. SMS/WSUS)
o For native supplicants, how is the supplicant configuration provisioned? (E.g. GPO)
Certificate provisioning and CA:
o Are certificates used?
o How are they deployed?
o What is the certificate strength, if known (key length, signature hash)?
o Does the customer use an in-house CA or a public CA?

o Describe customer PKI infrastructure and requirements


Note: Cisco strongly recommends that the ISE server certificate be signed by an in-house CA or another 3rd party root CA.
A self-signed server certificate should not be used in a production deployment: supplicants have no trusted root to validate
it against, and once server-certificate validation is turned off on the supplicant, a PEAP-MSCHAPv2 client will submit its
credentials to any rogue access point and RADIUS server that impersonate the SSID.
Deployment modes (Please refer to DIG in Appendix for Mode details):
o Will Monitor mode be enabled for a period of time on the 802.1X-enabled routers and switches?
o Will Authenticated or Enforcement mode (formerly known as Low Impact mode) be deployed?
o Will Closed Mode (formerly known as High Security mode) be deployed?
ISE Node details
For customers deploying VMs:
The VM host should be sized comparably to the ISE appliance. See the platform hardware specs below for the CPU
specification of the various appliances. For example, if the required performance characteristics are similar to a 3495
appliance, then per the platform performance specs the VM should contain 32 GB RAM and 8 CPUs equivalent to an Intel Xeon
CPU E5-2609 @ 2.4 GHz.
Note: Hard disks with 10K or higher RPM are required. Average IO Read performance for the disk should be higher than
300 MB/sec and IO Write performance higher than 50 MB/sec. vMotion is supported since ISE 1.3. Please make
sure to reserve the RAM and CPU cycles for an ISE node deployed as a VM.
Note: If the disk needs to be resized, the node will need to be re-imaged from the ISO.
Note: The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or other
guest VMs on the host.
Example:

Host Name (FQDN) | Persona   | IP Address | VM/HW | CPU                                  | RAM  | Storage
ise1.example.com | Admin/MnT | 1.1.1.1    | VM    | Intel Xeon E5-2609 @ 2.4 GHz, 8 Core | 32GB | 600GB
ise2.example.com | PSN       | 2.2.2.2    | VM    | Intel Xeon E5-2609 @ 2.4 GHz, 8 Core | 32GB | 300GB

Customer ISE node details:

Host Name (FQDN) | Persona | IP Address | VM/HW | CPU | RAM | Storage

Bill of Materials (BOM)


Insert as part of this document, or in a separate attachment, the list of equipment to be ordered for the Identity Services
Engine deployment that matches the design. If a Sales Order has already been placed, then be sure to include the order details here.
Please include SmartNet/SAU or explain its omission (for example, included as part of another order or support agreement,
or deliberate acknowledgement that support was declined).
If the HLD is part of an ACS/NAC migration, please include the appropriate migration SKUs. Use the information previously
entered regarding existing appliance, software, and license purchases on eligible products to determine migration
entitlement. For further details on migration entitlement and SKUs, please refer to the ISE Migration entitlement calculator
located in the partner portal page:
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html)
Note: Please only include the information of the products that are related to ISE.
Example BOM:

Line | Product           | Qty | List Price | Contract Discount | Unit Price | Extended Price
1    | L-ISE-BSE-3500=   | 1   |            |                   |            | 12345678
2    | L-ISE-ADV3Y-1500= | 1   |            |                   |            | 12345678
3    | SNS-3495-K9       | 2   |            |                   |            |
4    | CON-PSRT-SNS3495  | 2   |            |                   |            |
5    | SNS-3415-K9       | 2   |            |                   |            |
6    | CON-PSRT-SNS3415  | 2   |            |                   |            |
7    | L-ISE-ADV-S-1K=   | 1   |            |                   |            |
8    | ISE-ADV-3YR-1K    | 1   |            |                   |            |
Note: The ISE BoM Tool is available to assist with creating the BoM. Please refer to the ISE BoM Tool located in the partner portal
page: (https://sambt.cisco.com)
Note: Since ISE 1.2, the S/N of both Admin nodes can be added to the license to improve flexibility. For more
information please refer to the Cisco ISE License Application Note.
Customer BOM details:

Line | Product | Qty | List Price | Contract Discount | Unit Price | Extended Price

Appendix
Security Partner Community
Please visit Security Partner Community for additional ISE resources (Login required).
Migration SKUs
Please consult the ISE Packaging and Licensing Guide for migration SKUs.
Migration Guide
The Cisco Identity Services Engine Licensing Guide located in the partner portal page
(http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html ) explains packaging and
licensing under the Authorized Technology Provider program for wired and VPN.
Machine Access Restrictions (MAR)
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling
authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine
authentication of the computer used to access the Cisco ISE network. For every successful machine authentication,
Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of
a successful machine authentication. Cisco ISE retains each Calling-Station-ID value in the cache until the number of
hours configured in the Time to Live parameter on the Active Directory Settings page has elapsed, and then deletes it
from the cache. When a user authenticates from an end-user client, Cisco ISE searches the cache of successful machine
authentications for the Calling-Station-ID value received in the user authentication request. Whether a matching
Calling-Station-ID value is found determines which permissions Cisco ISE assigns to the user requesting
authentication:

o If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a
successful machine and user authentication is assigned.
o If the Calling-Station-ID value is not found in the Cisco ISE cache, then the authorization profile for a
successful user authentication without machine authentication is assigned.

Potential Issues with MAR:

o Ethernet/WiFi transitions: the Calling-Station-ID (MAC address) is used to link machine and user authentication; the MAC
address changes when a laptop moves from wired to wireless, breaking the MAR linkage.
o Machine state caching: the cache of previous machine authentications is neither persistent across ACS/ISE
reboots nor replicated amongst ACS/ISE instances.
o Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different
location, or comes back into the office the following day, where the machine auth cache is not present on the new RADIUS
server or has timed out.
o Spoofing: the linkage between user authentication and machine authentication is tied to the MAC address only. An
endpoint that passes user authentication only, while presenting the MAC address of a previously machine-authenticated
endpoint, is treated as machine-authenticated.
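The following Python model is added here as an illustration; it is not part of the original HLD and not ISE code. It reproduces the MAR cache logic described above (cache the Calling-Station-ID on machine authentication, look it up on user authentication, expire it after the TTL) and walks through each listed failure mode: a same-MAC lookup within the TTL, the wired-to-wireless MAC change, a second PSN with its own unreplicated cache, TTL expiry after hibernation, and a cloned MAC. The MAC normalisation, the 8-hour TTL, the timestamps and the endpoint MACs are assumptions of the example. EAP chaining with EAP-FASTv2 (listed in the ACS/ISE comparison in this appendix) avoids the MAC dependency by carrying the machine and the user credential inside one authentication.

```python
from dataclasses import dataclass, field

# The two authorization outcomes described in the MAR text above.
FULL_ACCESS = "machine-and-user authorization profile"
USER_ONLY = "user-without-machine authorization profile"


def normalize_mac(calling_station_id: str) -> str:
    """Canonical form of a RADIUS Calling-Station-ID (attribute 31).

    NADs send the MAC in different formats ('00-11-22-AA-BB-CC', '00:11:22:aa:bb:cc',
    '0011.22aa.bbcc'); keeping only the hex digits, upper-cased, makes them compare equal.
    This normalisation is an assumption of the example, not an ISE internal.
    """
    return "".join(ch for ch in calling_station_id.upper() if ch in "0123456789ABCDEF")


@dataclass
class MarCache:
    """In-memory MAR cache of one PSN: MAC -> epoch seconds at which the entry expires.

    A plain dict is deliberate: like the real cache it is neither persisted across a
    restart nor replicated to any other PSN.
    """
    ttl_hours: float                                   # 'Time to Live' from AD settings
    _expiry: dict = field(default_factory=dict)

    def machine_auth_succeeded(self, calling_station_id: str, now: float) -> None:
        # A successful machine authentication (re)arms the TTL for that MAC.
        self._expiry[normalize_mac(calling_station_id)] = now + self.ttl_hours * 3600

    def has_machine_auth(self, calling_station_id: str, now: float) -> bool:
        mac = normalize_mac(calling_station_id)
        expiry = self._expiry.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                              # TTL elapsed: drop the entry
            del self._expiry[mac]
            return False
        return True

    def authorize_user(self, calling_station_id: str, now: float) -> str:
        """Profile selection for a user authentication carrying this Calling-Station-ID."""
        return FULL_ACCESS if self.has_machine_auth(calling_station_id, now) else USER_ONLY


def run_scenarios(ttl_hours: float = 8.0) -> dict:
    """Walk through the MAR failure modes listed above; returns the outcome per scenario."""
    t0 = 1_700_000_000.0                 # constructed start time (epoch seconds)
    wired_mac = "00-11-22-AA-BB-CC"      # constructed laptop wired NIC
    wifi_mac = "66:77:88:99:AA:BB"       # constructed laptop wireless NIC
    psn1, psn2 = MarCache(ttl_hours), MarCache(ttl_hours)
    outcomes = {}

    # 1. Machine auth at boot on the wired NIC, then user logon on the same NIC
    #    (the NAD happens to format the MAC differently in the second request).
    psn1.machine_auth_succeeded(wired_mac, t0)
    outcomes["same_mac_within_ttl"] = psn1.authorize_user("00:11:22:aa:bb:cc", t0 + 60)

    # 2. Ethernet/WiFi transition: the user auth now arrives with the wireless MAC.
    outcomes["wired_to_wireless"] = psn1.authorize_user(wifi_mac, t0 + 60)

    # 3. The load balancer sends the user auth to another PSN: no cache replication.
    outcomes["other_psn_no_replication"] = psn2.authorize_user(wired_mac, t0 + 60)

    # 4. Laptop wakes from hibernation after the TTL has elapsed.
    outcomes["after_ttl_expiry"] = psn1.authorize_user(wired_mac, t0 + ttl_hours * 3600 + 1)

    # 5. Spoofing: the laptop machine-authenticates again the next day, then a different
    #    endpoint clones its MAC and performs only a user authentication.
    psn1.machine_auth_succeeded(wired_mac, t0 + 86400)
    outcomes["spoofed_mac"] = psn1.authorize_user(wired_mac, t0 + 86400 + 120)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

Scenario 5 is the one that matters for the threat model: the cloned MAC receives the machine-and-user profile even though the endpoint never performed a machine authentication, which is why MAR should be treated as a convenience for AD-joined fleets rather than as a device-identity control.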

Cisco TrustSec Design and TrustSec 2.1 HowTo Guide


http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
Cisco SNS-3400 Series Appliance Specifications
http://www.cisco.com/c/en/us/td/docs/security/ise/14/installation_guide/b_ise_InstallationGuide14/b_ise_InstallationGuide14_chapter_010.html


Cisco Secure Access and TrustSec Release 5.0


http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/c96-731479-00-secureaccess.pdf
Cisco TrustSec-Enabled Infrastructure
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Cisco ISE Configured Limited Deployment (ISE COLD) Program
https://communities.cisco.com/docs/DOC-32999


Note regarding Performance Specifications

EOL has been announced for the 33x5 appliances; their specifications are provided here as a reference for migration customers.
Deployments on VMs should follow the platform specifications of the 3415 or 3495 appliances. For more information please refer to
the EOL announcement.
Platform Hardware Specs

Platform                                               | Processor                                                      | RAM   | Hard disk                                           | RAID           | Ethernet NIC                | Power
Cisco Identity Services Engine Appliance 3315 (Small)  | 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz (4 total cores) | 4 GB  | 2 x 250-GB SATA HDD (250 GB total disk space)       | No             | 4 x Integrated Gigabit NICs |
Cisco Identity Services Engine Appliance 3355 (Medium) | 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (4 total cores)   | 4 GB  | 2 x 300-GB SAS drives (600 GB total disk space)     | Yes (RAID 0)   | 4 x Integrated Gigabit NICs | Redundant
Cisco Identity Services Engine Appliance 3395 (Large)  | 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (8 total cores)   | 4 GB  | 4 x 300-GB SFF SAS drives (600 GB total disk space) | Yes (RAID 0+1) | 4 x Integrated Gigabit NICs | Redundant
Cisco Secure Network Server 3415 (Small/Medium)        | 1 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (4 total cores) | 16 GB | 1 x 600-GB 10k SAS HDD (600 GB total disk space)    | No             | 4 x Integrated Gigabit NICs |
Cisco Secure Network Server 3495 (Large)               | 2 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (8 total cores) | 32 GB | 2 x 600-GB 10k SAS HDDs (600 GB total disk space)   | Yes (RAID 1)   | 4 x Integrated Gigabit NICs | Redundant

Platform Performance Specs for a PSN when PAN and MnT are deployed as separate nodes: Maximum Concurrent
Endpoints and Composite Authentications (authentication values are approximate)
When determining how many PSNs are needed for the deployment, please use Maximum Concurrent Endpoints as the main
guideline. Authentication performance for specific use cases is also provided in case it is required to size the
deployment.

Usage                                 | Cisco Secure Network Server 3415 Appliance | Cisco Secure Network Server 3495 Appliance
Maximum Concurrent Endpoints          | 5,000                                      | 20,000
Posture Authentications               | 25 per second                              | 45 per second
Guest Hotspot Authentications         | 50 per second                              | 68 per second
Guest Sponsored User Authentications  | 17 per second                              | 28 per second
TACACS+ Function: PAP                 | 1,400 per second                           | 2,800 per second
TACACS+ Function: CHAP                | 1,500 per second                           | 2,900 per second
TACACS+ Function: Enable              | 700 per second                             | 1,200 per second
TACACS+ Function: Session AuthZ       | 900 per second                             | 1,700 per second
TACACS+ Function: Command AuthZ       | 900 per second                             | 1,700 per second
TACACS+ Function: Accounting          | 2,900 per second                           | 4,900 per second
Maximum number of SXP peers           | 100                                        | 100

Platform Performance Specs: Authentications/Second with PSN-only persona (approximate values)

Protocol / identity store          | Cisco Secure Network Server 3415 Appliance | Cisco Secure Network Server 3495 Appliance
PAP, Internal                      | 764                                        | 1318
PAP, AD                            | 471                                        | 419
PAP, LDAP                          | 789                                        | 1328
PEAP (MSCHAPv2), Internal          | 185                                        | 324
PEAP (MSCHAPv2), AD                | 173                                        | 304
EAP-FAST (MSCHAPv2), Internal      | 376                                        | 512
EAP-FAST (MSCHAPv2), AD            | 339                                        | 502
EAP-FAST (GTC), Internal           | 382                                        | 628
EAP-FAST (GTC), AD                 | 323                                        | 513
EAP-FAST (GTC), LDAP               | 385                                        | 662
EAP-TLS, Internal                  | 153 (130)                                  | 165 (140)
MAB, Internal                      | 528                                        | 1115
MAB, LDAP                          | 597                                        | 1150
Note: EAP-TLS figures in brackets are for 2k-size certificates.

System Performance Specs (Per Identity Services Engine deployment)

Description                                                                                                    | Number
Maximum number of concurrent endpoints with separate Administration, Monitoring, and Policy Service nodes       | 250,000 for 3495 as PAN
Maximum number of concurrent endpoints with Administration and Monitoring on a single node                     | 5,000 for 3415 as PAN/MnT; 10,000 for 3495 as PAN/MnT
Maximum number of concurrent endpoints with Administration, Monitoring, and Policy Service all on a single node | 5,000 for 3415; 10,000 for 3495
Maximum number of Policy Service nodes with separate Administration, Monitoring, and Policy Service nodes       | 40 for 3495 as PAN
Maximum number of Policy Service nodes with Administration and Monitoring on a single node                     | 5

System Scale (Per Identity Services Engine deployment)

Description                                  | Number
Maximum number of NADs                       | 30,000
Maximum number of Network Device Groups      | 100
Maximum number of AD join points             | 50
Maximum number of Internal users             | 25,000
Maximum number of Internal guests            | 1,000,000 (expect latency for the admin GUI and user authentication beyond 500k)
Maximum number of Guest portals              | 100
Maximum number of EndPoints                  | 1,000,000
Maximum number of Authentication Rules       | 25 when Simple mode is used; 100 combined rules when Policy Set mode is used
Maximum number of Authorization Rules        | 600 (best practice is to keep it below 100; with 100+ rules, rendering of the GUI and user access will be negatively impacted)
TrustSec Security Group Tags (SGT)           | 4,000
TrustSec Security Group ACLs (SGACLs)        | 2,500
Maximum number of SXP bindings               | 40,000

VM Disk Size Minimum Requirement

Persona                                                                                                   | Disk (GB)
Standalone, Administration Only, Monitoring Only, Policy Service Only, Admin + MnT, Admin + MnT + PSN     | 200+ GB
Note: Thin provisioning is supported since 1.3; however, Thick/Eager provisioning will yield the best performance.
Note: 10k RPM+ HDD or equivalent speed required.
Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher.
Note: 600GB max for a non-MnT persona node, 2TB max for a MnT persona node.

MnT Persona Log Storage Requirement (Days of retention, assuming collection filter is enabled)

Concurrent Endpoints | MnT Disk Size 200 GB | 400 GB | 600 GB | 1024 GB | 2048 GB
10,000               | 126                  | 252    | 378    | 645     | 1,289
20,000               | 63                   | 126    | 189    | 323     | 645
30,000               | 42                   | 84     | 126    | 215     | 430
40,000               | 32                   | 63     | 95     | 162     | 323
50,000               | 26                   | 51     | 76     | 129     | 258
100,000              | 13                   | 26     | 38     | 65      | 129
150,000              | 9                    | 17     | 26     | 43      | 86
200,000              | 7                    | 13     | 19     | 33      | 65
250,000              | 6                    | 11     | 16     | 26      | 52
Note: The above values are based on controlled criteria including message size, re-authentication interval, etc.; results may vary
depending on the environment.
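As an added illustration (not part of the original HLD and not a Cisco tool), the Python below turns the retention table into a sizing check that can be run against a customer's own numbers: retention days for a given endpoint count and MnT disk, the inverse (smallest MnT disk for a required retention, which is the window available for incident investigation), and whether that disk fits under the 2TB MnT maximum from the VM disk notes above. The constant ENDPOINT_DAYS_PER_GB is fitted to the table (every cell equals the ceiling of constant x disk / endpoints) and is an assumption that encodes the controlled message size and re-authentication interval the table was measured under; it is not a published Cisco figure.

```python
# Fitted from the MnT retention table above: every cell equals
# ceil(ENDPOINT_DAYS_PER_GB * disk_GB / endpoints). The constant is an assumption
# of this example (it encodes the test conditions the table was measured under),
# not a figure published by Cisco.
ENDPOINT_DAYS_PER_GB = 6292
MNT_MAX_DISK_GB = 2048          # 2TB ceiling for the MnT persona (VM disk size notes)


def _ceil_div(numerator: int, denominator: int) -> int:
    """Integer ceiling division; avoids float rounding on large products."""
    return -(-numerator // denominator)


def retention_days(endpoints: int, mnt_disk_gb: int) -> int:
    """Days of logs a single MnT node keeps for `endpoints` concurrent endpoints."""
    if endpoints <= 0 or mnt_disk_gb <= 0:
        raise ValueError("endpoints and disk size must be positive")
    return _ceil_div(ENDPOINT_DAYS_PER_GB * mnt_disk_gb, endpoints)


def min_mnt_disk_gb(endpoints: int, required_days: int) -> int:
    """Smallest MnT disk (GB) that retains `required_days` of logs; inverse of retention_days."""
    if endpoints <= 0 or required_days <= 0:
        raise ValueError("endpoints and retention must be positive")
    return _ceil_div(required_days * endpoints, ENDPOINT_DAYS_PER_GB)


def mnt_sizing(endpoints: int, required_days: int) -> tuple:
    """(disk_gb, fits) where fits is False once the MnT 2TB limit is exceeded.

    When it does not fit, the retention target has to come down, the collection
    filter has to be tightened further, or logs have to be forwarded to an external
    syslog/SIEM store for long-term retention.
    """
    disk_gb = min_mnt_disk_gb(endpoints, required_days)
    return disk_gb, disk_gb <= MNT_MAX_DISK_GB


def retention_table(endpoint_counts, disk_sizes_gb) -> dict:
    """Regenerates the table above for arbitrary endpoint counts and disk sizes."""
    return {e: {d: retention_days(e, d) for d in disk_sizes_gb} for e in endpoint_counts}


if __name__ == "__main__":
    for e in (10_000, 50_000, 250_000):
        print(e, retention_table([e], [200, 400, 600, 1024, 2048])[e])
    print("50k endpoints, 90 days:", mnt_sizing(50_000, 90))
    print("250k endpoints, 365 days:", mnt_sizing(250_000, 365))
```

For 50,000 endpoints and a 90-day investigation window the calculator asks for 716 GB of MnT disk; for 250,000 endpoints and a year of retention it asks for roughly 14,500 GB, far over the 2TB MnT limit, so that requirement can only be met by exporting logs to an external store.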

Latency and bandwidth requirement among ISE nodes


The maximum latency between the Administration node and any other ISE node, including the secondary Administration node, MnT, and PSN,
is 200 ms. The WAN bandwidth calculator for ISE deployments is available at https://www.cisco.com/go/securitychannels (the 1.2 version
of the tool is still valid for the 2.0 release). This calculator can be used to find out how much bandwidth needs to be reserved for ISE
operation across WAN links.

Guest server and ISE Guest Feature Comparison

Features compared for NAC Guest Server (NGS) 2.0 and ISE 2.0, listed with the capability each one refers to.

Enforcement Device Support
Wireless LAN Controller: Can the WLC be used as a captive portal to authenticate the guest user?
NAC Appliance: Can NAC Appliance be used as a captive portal to authenticate the guest user?
Catalyst Web Authentication: Can Web Authentication in Catalyst switches be used as a captive portal to authenticate the guest user?
IOS Authentication Proxy: Can IOS Auth-Proxy in routers be used as a captive portal to authenticate the guest user?
ASA Authentication Proxy: Can Auth-Proxy in the ASA be used as a captive portal to authenticate the guest user?
Other RADIUS Devices: Can other devices that support a captive portal to authenticate the guest user against a RADIUS server be used? For example a proxy server.
Central Web Authentication: Can Central Web Authentication be used to authenticate guests?
Web-Auth Off-Box Credentials: Can web-auth entered credentials be authenticated against an external database via RADIUS?

Provisioning Interface
Local Sponsor Authentication: Can sponsor user accounts be defined locally on the device?
AD SSO Sponsor Authentication: Can the device automatically authenticate sponsors against Active Directory using Single Sign On from their web browser (Kerberos)?
SAML SSO Sponsor Authentication: Can the sponsors authenticate via SAML?
LDAP Sponsor Authentication: Can the device authenticate sponsors against external LDAP servers?
RADIUS Sponsor Authentication: Can the device authenticate sponsors against external RADIUS servers?
Number of Concurrent Sponsors: How many sponsors can be logged in concurrently? (NGS 2.0: Unlimited; ISE 2.0: Unlimited)
Sponsor Role Based Access Control: Can different sponsors be assigned different permission levels based upon the group assigned by Local Group, LDAP or RADIUS attribute?
Restrict Login: Can you stop sponsors from logging in based upon role?
Ability to create accounts: Can you grant permission to sponsors to create or not be able to create guest accounts?
Ability to edit accounts: Can you grant permission to sponsors to edit or not be able to edit guest accounts?
Ability to suspend accounts: Can you grant permission to sponsors to suspend or not be able to suspend guest accounts?
Ability to reinstate accounts: Can you grant permission to sponsors to reinstate suspended guest accounts?
Ability to purge accounts: Can the guest user accounts be purged from the database?
Bulk Creation by text: Does the system allow multiple accounts to be created at the same time by entering the details into a text form?
Bulk Creation by csv import: Does the system allow multiple accounts to be created at the same time by importing a csv file?
Bulk Create random accounts: Does the system allow multiple accounts to be created with no user details needing to be entered, and the username/password being randomly generated?

Guest Account Policies
Guest Username Policy: Can you control how the guest username is automatically created?
Guest Password Policy: Can you control how the password is configured, requiring a minimum number of alpha, numeric and special characters?
Guest Password Change: Can you allow/require guests to change their password after logging in?
Guest Details Policy: Specify which details about the guest must be recorded, including first name, last name, email, company, phone number.
Custom Guest Details: Request additional custom defined fields about the guest. (5 fields)
Guest Roles: Can you assign different roles to different guests?
Restrict Login by Location: Only allow accounts created with a guest role the ability to login from pre-defined locations.
Set QoS per role: Set QoS parameters by guest role.
Set ACL per role: Set a different ACL on each guest based upon the role they have been assigned.
Set VLAN per role: Set a different VLAN on each guest based upon the role they have been assigned.
Set SGT per role: Set a different SGT on each guest based upon the role they have been assigned.
CoA: Can guest access be changed based on contextual awareness and endpoint state?

Account Types
Start/End: Create accounts by specifying the time the account starts and ends.
Duration: Create accounts by specifying the time the account can last from now.
From First Login: Accounts which are valid for X minutes from the first time the guest logs in.
Usage Based: Accounts which are valid for X minutes within a Y minute period from first login.

Guest Portal
Self Registration: Does the system support self-registration by guests?
Device Registration: Does the system support registration of devices?
Device Self Registration: Does the system support self-registration of devices by guests?
Guest Password Change: Allow guests to change their password based upon policy?
Customizable guest portal: Can the guest web pages be fully customized?
Acceptable Use Policy: Can an Acceptable Use Policy be enforced so that guests must agree before being allowed access?

Notification
Print Out: Will the system create a printout of the guest details?
Email: Will the system email guest details to the guest's email address?
SMS: Will the system SMS guest details to the guest's mobile phone?
Details emailed to sponsor: Can the sponsor receive a copy of the account by email?

Interface Customization
Company Logo: Can the sponsor interface be customized with a company logo?
Multiple Languages: Can the sponsor interface support multiple languages?
Notification Customization: Can the email/SMS/print outs be customized?

Reporting
Sponsor Audit Trail: Keep a full audit trail of each operation made to an account by all sponsors.
Management Reports:
  Guest Accounting: Report on guest login/logout times, MAC address and IP address used.
  Guest Activity Reporting: Supports the ability to report on guests' network activity such as URLs visited, connections made etc. Needs an external device such as an ASA or proxy to send the information via syslog to the box.
CSV Export: Provide the ability for any report to be exported in CSV format.

Billing Support
Credit Card Billing Support: Supports guests purchasing accounts and billing against a Payment Gateway.
Pre-pay Support: Allows accounts to be randomly created upfront that become valid at first login.

Other
Application Programming Interface: Does the system have an API that can be used to perform all sponsor operations?
Posture Services for guest users: Can the guest user's host device be posture assessed and access policy granted based on compliance with security policy?
Profiling Services for guest users: Can the guest user's host device be profiled and access policy granted based on the type of device the guest uses to access the network?
ACS and ISE Feature Comparison

Features compared for ACS 4.2, ACS 5.8 and ISE 2.0 (ACS 4.2 is shown for comparison only; there is no direct migration
path from ACS 4.2 to ISE 2.0).

Authentication Protocol
PAP
CHAP
MS-CHAPv1
MS-CHAPv2
EAP-MD5
EAP-TLS
PEAP (with EAP-MSCHAPv2 inner method)
PEAP (with EAP-GTC inner method)
PEAP (with EAP-TLS inner method)
EAP-FAST (with EAP-MSCHAPv2 inner method)
EAP-FAST (with EAP-GTC inner method)
EAP-FAST (with EAP-TLS inner method)
EAP Chaining with EAP-FASTv2
EAP-TTLS
RADIUS Proxy
RADIUS VSAs
LEAP
LEAP Proxy

TACACS+
TACACS+ per-command authorization and accounting
TACACS+ support in IPv6 networks
TACACS+ change password
TACACS+ enable handling
TACACS+ custom services
TACACS+ proxy
TACACS+ optional attributes
TACACS+ additional auth types (CHAP / MSCHAP)
TACACS+ attribute substitution for Shell profiles
TACACS+ custom port

Identity Stores
Internal User & Host Database
Windows Active Directory
LDAP
RSA SecurID
RADIUS token server
ODBC
AD Server specification per ACS/ISE instance
SAML
LDAP Server specification per ACS/ISE instance
Ability to retrieve an internal user's password from an external ID store

Internal Users / Administrators
Users: Password complexity
Users: Static IP Address Assignment
Users: Password aging (warning and disable after a defined interval; a grace period is not supported)
Users: Password history
Users: Max failed attempts
Users: User expiration after a number of days
Users: Password inactivity
Users: User change password (UCP) utility (ISE 2.0: limited; if the internal users are authorized as sponsors, they may update their passwords at the sponsor portal)
Admin: Password complexity
Admin: Password aging
Admin: Password history
Admin: Max failed attempts
Admin: Password inactivity
Admin: entitlement report
Admin: session and access restrictions

Miscellaneous
Network Access Restrictions (NARs)
RDBMS sync
Command line / scripting interface (CSUtil) (ISE 2.0: a CLI interface is supported for bulk provisioning)
Integration with CiscoWorks for admin RBAC
Log Viewing and reports
Export logs via SYSLOG
Time based permissions
Configurable management HTTPS certificate
CRL: Multiple URL definition
CRL: LDAP based definition
Online Certificate Status Protocol (OCSP)
Comparison of any two attributes in authorization policies
Configurable RADIUS ports
Programmatic Interface for users, groups and end-point CRUD operations
Multiple NIC interfaces
Secure Syslogs
EAP-TLS Certificate lookup in LDAP
EAP-TLS Certificate lookup in Active Directory
Maximum concurrent sessions per user/group
Log to external DB (via ODBC) (ISE 2.0: data can be exported from M&T for reporting; not supported as a log target)
Programmatic Interface for network device CRUD operations
Wildcards for hosts (ISE 2.0: with an authorization policy condition or profiling)
Configure devices with IP CIDR format
Configure devices with IP address ranges
Lookup Network Device by IP address
Dial-in Attribute Support
Support comparison of any two attributes in policies
Display RSA de missing secret
Starts with / Ends with / Contains / Contains Any policy operators
Nested compound conditions with both AND or OR operators

Printed in USA  C07-676884-01  09/11