Cisco ISE – NAC – ACS

By | 10/02/2015

Cisco has three different products for similar purposes, but with some differences: NAC, ACS and ISE.

NAC – Network Access Control

Features: AAA, Evaluate and Remediate for endpoints

Cisco NAC provides Network Access Control for the devices connecting to the network through 802.1x. It can put devices into Quarantine.

There are two additional modules: NAC Guest Server, which provides clientless web authentication for guests, and NAC Profiler, currently EOL.

Architecture:

  • Cisco NAC Server (stand-alone appliance)
  • Cisco NAC Manager – to manage the servers
  • Cisco NAC Agent – for the endpoints; supports Windows and Mac OS

Deployment

References:

Datasheet

Ordering information


ACS – Secure Access Control System

Features: NAC / AAA for endpoints and TACACS+ for network device access control

It can run on SNS servers or as a VMware application.

References:

Bulletin

Datasheet

User guide


ISE – Identity Services Engine

Features: NAC / AAA for endpoints, guest access, device profiler, TrustSec role-based classification, BYOD features, endpoint posture and auto-remediation, MACsec (L2 encryption)

Note: it doesn't provide a TACACS+ service for network device access control (it's not a replacement for ACS for that feature).

It can run on SNS servers or as a VMware application.

Architecture:

There are three different kinds of role, which can be distributed across separate application instances or run together in the same instance, depending on the deployment model.

  • PAN – Policy Administration Node
  • PSN – Policy Service Node
  • MNT – Monitoring and Troubleshooting Node

Deployment methods (not updated)

Deployment and licenses information

Licenses:

Model 1:

  • Base: permanent and included in the application. Includes basic RADIUS AAA, MAC auth, web auth and guest portal.
  • Advanced: subscription. Provides profiling, posture (endpoint compliance and remediation), BYOD and security group access.

Model 2:

  • Wireless: all the services provided by the Advanced license, but only for wireless devices.
  • Wireless upgrade: upgrade of the Wireless license to cover wired devices as well.


References:

Datasheet

Licensing

Product IDs


Secure Network Servers (SNS)

Hardware servers provided by Cisco to run any of the secure access applications.

  • Cisco Secure Network Server 3415 (Small) – 5,000 endpoints – supports ISE, ACS and NAC
  • Cisco Secure Network Server 3495 (Large) – 20,000 endpoints – supports ISE and NAC

Datasheet


References:

Summarizing Cisco Access Control / NAC Technologies