Saturday, June 25, 2011

Cisco Releases Idenity Services Engine (AKA ISE)


After years of innovation around Network Access Control, Cisco has released its next generation NAC solution: Identity Services Engine. ISE is combines existing loosely coupled devices AAA, profiling, posture and guest management - in single, scalability appliance. As part of the Cisco TrustSec solution and Cisco’s SecureX architecture for Borderless Networks, the Cisco Identity Service Engine provides a centralized policy engine for business relevant policy definition and enforcement. This policy work horse enables centralized, coordinated policy creation and consistent policy enforcement across the entire corporate infrastructure, from head office to branch office.

The best intro i have seen to date has been from the Rob from TechWiseTV:

ISE Features & Benefits

  • Visibility: Single Platform & Pane of Glass - Let IT see who and what is on the network for advanced discovery and troubleshooting
    • Dynamically collects & consolidates endpoint information to make adaptive policy decisions based on ‘context’
    • Integrates functions previously delivered in separate, loosely couples applications to deliver higher levels of policy enforcement 
    • Inherent benefits include simplified administration, monitoring, and troubleshooting for all these functions
  • Policy Architecture
    • Context-aware enforcement: Gathers information from users, devices, infrastructure, and network services to enable organizations to enforce contextual-based business policies across the network
    • Business-relevant policies: Create and enforce consistent policy from the head office to the branch office 
    • Coordinated Profiling: Allows for profiling data to be tightly integrated in to access policies. E.g. LDAP user with personal iPad gets a different privilege than the same LDAP user with Organization Owned iPad 
    • Mobile Device Security: Dynamically identify and provision the proper policies for tablets, smartphones, GFE, etc   
  • Compliance: Create consistent policy across the infrastructure for corporate governance. 
    • Addresses vulnerabilities on user machines through periodic evaluation and remediation to help proactively mitigate network threats such as viruses, worms, and spyware 
    • Ensure configuration baselines are met
    • Ensure patches and AV/AS definitions are up to date
  • Efficiency: Increase IT staff productivity by automating labor-intensive tasks and simplifying service delivery
    • Allows enterprises to authenticate and authorize users and endpoints via wired, wireless, and VPN with consistent policy throughout the enterprise
    • Dramatically reduces cost of ownership with world-class monitoring and troubleshooting features designed to streamline operations for your helpdesk and support teams
  • Compatibility: Cisco Infrastructure Integration AND a standards based platform 
    • ISE integration is thoroughly tested systematically across all cisco switches 
    • Because 802.1X is a standard, 3rd party device support is inherit
    • A Few of the Cisco Switch Features that help with deployment:
      • Open Mode – Allow customers to deploy day 1 without causing any outages and ease with deployment and rollout of 802.1X
      • Multi Authentication – Allows for hubs, desktop VMs, etc to use a single port to authenticate and apply differentiating policies
      • Security Group Access (SGA) 

Packaging and Licensing

Cisco Identity Services Engine is available as either a physical or virtual appliance. The type of license is based on functionality.
  • The Base license is intended for organizations that want to authenticate and authorize users and devices on their network. It includes AAA services, guest lifecycle management, compliance reporting, and end-to-end monitoring and troubleshooting.
  • The Advanced license expands upon the BASE and enables organizations to make policy decisions based on user and device compliance. Advanced license features include device profiling, posture services, and security group access enforcement capabilities.


ISE will be the platform that enables organizations to finally utilize port security, deal with the ever evolving enterprise and ensure they are able to deploy in days/weeks vs. months/years. Check back for some detailed technical write-ups on configuration, best practices and use cases.

ISE Documentation

Thursday, July 2, 2009

NAC Version 4.6.1 - Now Available

NAC Appliance Version 4.6.1 was release yesterday.

Some of the new features:

Posture Assessment Support for 64-Bit Windows Operating Systems

The new NAC Agent can be installed and launched on 64-bit versions of Windows XP and Windows Vista, and can perform posture assessment and remediation on client machines. Earlier releases of Cisco NAC Appliance provided only authentication support for 64-bit client operating systems.

Agent Configuration XML File Upload Enhancement

This XML configuration file method of setting up Agents on client machines replaces the previous Clean Access Agent configuration schema requiring Windows registry setting manipulation for custom parameters. No more registry changes, hooray!

If you previously employed Windows registry settings to adjust Clean Access Agent behavior on client machines, you must specify the same settings in the XML Agent configuration file to preserve Agent behavior using the Cisco NAC Agent.

This upgrade has a ton of new agent features, as you can see in the above images, so make sure to check out the release notes and read for yourself.

4.6.1 Release Notes

And to configure these features, please reference the configuration guides:

NAC Manager Config Guide
NAC Server Config Guide

Thursday, March 19, 2009

Cisco NAC Guest Server 2.0

NAC Guest Server has changed significantly with the latest 2.0 release. From External Portal Support to AD SSO, this revision has added some key enterprise features.

The features that have hit home the most for myself and my customers have been:

Active Directory Single Sign On

Cisco NAC Guest Server 2.0 can be joined to an Active Directory Domain and then automatically authenticate Internet Explorer browsers using Integrated Windows Authentication. This removes the need for sponsors to enter their username and password.

For details on configuration of ADSSO, see the Configuration of Active Directory Single Sign-On for NAC Guest Server Configuration Example

Credit Card Billing Support

Cisco NAC Guest Server 2.0 provides the ability for guests to purchase accounts via credit card support.

This means that you can now use NGS to provide ROI for guest internet access.

Management Reports

Management reports are enhanced to provide the following guest network usage information:

•Total Guest Accounts Created
•Total Authenticated Guests
•Total Cumulative Connect Time
•Sponsor Usage Reporting
•Access Summaries by Device

To See a list of all the new features in NAC Guest Server 2.0, please read the the release notes:

And to configure these features, please reference the configuration guide:

Thursday, January 22, 2009


The following is a list of new things out there in the Cisco NAC World. The NAC Market is continuing to grow in 2009 and with the growth the products will continue to evolve, get better and have more options.

Security Options Abound: New NAC Release

My friends over at TechWiseTV are a huge multi-media machine, producing video, audio and podcasts. Well this PodCast is on NAC 4.5, Alok Agrawal of the NAC Business Unit and Myself dive into some of the cool features of 4.5. All of the podcasts can be subscribed to through iTunes.

To access the NAC podcast go to:

And to get more information on all the great stuff coming from Techwise TV visit:

NAC Layer 3 Out of Band Design Guide That Uses VRF-Lite for Traffic Isolation

Cisco wrote a new configuration guide on using VRF-Lite for traffic isolation. This is a great configuration option for NAC, but with that said never re-design your network just for NAC. VRFs can become very complex and introducing new technology into the network should be carefully planned. Using VRFs in a enterprise network does make sense, but the reasons for moving to the new network design should be a combination of the added features/benefits for Security(NAC, Guest Access, Wireless, etc.) and Network managebility, throughput, and scalability.

New NAC Profiler Release

Last month a new maintenance release of Cisco NAC Profiler came out. 2.1.8-38 brings a good list of BugFixes and minor enhancements.

One Minor Enhancement that made it was Endpoint and Directory Timeout Unified Into Endpoint Timeout, which gives us more control on how to age out endpoints out of the database.

Find all the Fixes and information in the Release Notes.

The Release Notes can be found:

The new software can be download at: (Requires Valid Smartnet Contract)

Tuesday, November 18, 2008

NAC Support Logs in 4.5

Many people might be wondering what happen to the handy dandy support logs that used to be located in the "/perfigo/logs/" directory in previous NAC versions. Well in version 4.5 there were some enhancements to the logging and with those enhancements came new placement of the logs.

These logs are most commonly used to troubleshoot NAC during deployments. Please do not turn on advanced logging without reading the documentation fully or with the assistance of Cisco TAC.

The CAM log can be found at:


The CAS log can be found at:


For those of you not familiar with what the logs contain, please feel free to reference the CAM and CAS Configuration Guides:

CAM Admin Guide - Support Logs
CAS Admin Guide - Support Logs

Thursday, November 13, 2008

NAC Version Matrix

In June of 2006, NAC Version 4.0.0 was released. Since then, Cisco has released numerous updates and features to the NAC Appliance line! Recently a member of the NAC Mailing List posted the following request:

Is there a feature matrix to compare the various versions/tracks of
Cisco NAC?

So that is exactly what this posts answers. It is long, but I know at least one person appreciates it!

I will explore 3 major lines of code.. 4.0.X, 4.1.X and 4.5.X. Realistically all new deployments should be using 4.1.X or 4.5.X, but I wanted to give a good overview for everyone on older codes.


  • Support for Active Directory (Windows Domain) Single Sign-On (SSO)
  • Corporate Asset Authentication and Posture Assessment by MAC Address
  • Support for Layer 3 Out-of-Band (OOB) Deployment
  • New Windows Update Requirement Type
  • SMP Kernel Support for Super CAM
  • Support for Assigning VLANs by VLAN Name in OOB Deployments
  • Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
  • Ability to Change Priority of Wildcard/Range Global Device Filters
  • Ability to View or Search Active L2 Devices in Device Filter List
  • Ability to Test MAC Addresses Against Device Filters
  • Support for Relay IP Class Restrictions on DHCP Server
  • Support for DHCP Global Actions
  • New "service perfigo maintenance" CLI Command for CAS
  • Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
  • Support for Stub Installation/Update of the Clean Access Agent
  • OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
  • SNMP Enhancements for CAM
  • CAS Host-Based Traffic Policy Enhancements for Proxy Servers
  • Enhancements for DHCP Option Configuration Forms
  • Authentication Cache Timeout
  • Enable L3 Strict Mode
  • OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
  • Link-Failure Based Failover in CAS HA
  • Upgrade Enhancements
  • CAM Disable Serial Login
  • CAM Admin Console Login Enhancements
  • Client OS Detection Signature Lookup
  • Start Timer Specification for Cisco Updates
  • API Enhancements
  • Enhancements for Windows XP Media Center Edition/Tablet PC
  • Restricted Network Access Option for Clean Access Agent Users
  • Daylight Savings Time Support
  • Support for Windows Vista Operating System
  • License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
  • Improved Memory Footprint for Clean Access Agent Reports
  • Broadcast ARP Server Management Option Removed
  • Kernel Upgrade
  • Debug Log Download Enhancement
  • Syslog Configuration Enhancement


  • CAS Policy Fallback
  • Clean Access Agent/ActiveX/Applet DHCP Release/Renew
  • Support for GPO Update Trigger
  • Online Update to Retrieve Switch OIDs
  • Qualified Remediation Program Launch
  • Clean Access Agent for Mac OS X Authentication
  • Clean Access Agent Installation Options
  • Clean Access Agent Language Template Support
  • Clean Access Agent Silent Auditing
  • Searchable Clean Access Agent Reports
  • Certified Devices Timer Enhancements for Periodic Assessment
  • DHCP Renewal Enhancements
  • DHCP Subnet List Enhancements
  • DHCP Global Option Enhancements
  • IE 7.0 Support
  • Clean Access Agent Enhancements (
  • Port Profile Management for OOB Users
  • Enhancements to Check Parameters
  • Daylight Savings Time Support
  • Supported AV/AS Product List Enhancements (Version 42)
  • Deprecated IPsec/L2TP/PPTP/PPP Features
  • Deprecated Roaming Features

  • Support for Windows Vista Operating System
  • RADIUS Challenge-Response Support
  • Layer 2 Traffic Policy Support
  • Multiple Active Directory Server Support in AD SSO
  • Restricted Administrator Web Console Options Hidden from View
  • Proxy Server Basic/Digest/NTLM Authentication Support
  • VLAN Profiles
  • VLAN Pruning
  • Event Logs Enhancement
  • Agent Report Retrieval API Operation
  • Out-of-Band IP Refresh Enhancement
  • Switch Port Configuration Enhancements
  • SNMP Receiver Settings Enhancement
  • Support for Windows Vista Operating System
  • Windows Update Upon Agent Login
  • Agent Reports Show System and User Information
  • Agent IP Address Refresh/Renew Enhancement
  • CAS-Agent Discovery (SWISS) Enhancements
  • 4.1.0.x Agent Support on Release 4.1(1)
  • MAC OS RADIUS Challenge-Response Support
  • MAC OS Automatically Close Message Dialog After Successful Login
  • MAC OS IP Refresh Support for Out-of-Band Deployments
  • MAC OS Allow Only One Mac OS Agent to Run on the Client at a Time
  • Cisco NAC Appliance Integration with Cisco NAC Profiler/Collector Solution
  • New Cisco NAC Network Module (NME-NAC-K9) Support
  • NAC Appliance Platform Type Display
  • Debug Log Download Enhancement
  • Active VPN Client Status Page Enhancement
  • WSUS Requirement Configuration Display Enhancement
  • New "service perfigo platform" CLI Command
  • Web Login Support Using Safari Browser for Mac OS
  • Windows Clean Access Agent Language Template Support Enhancement
  • Cisco NAC Web Agent
  • Support for Clients with Multiple Active NICs
  • Clean Access Server HA Heartbeat Link Enhancement
  • Clean Access Manager HA Configuration and Heartbeat Link Enhancements
  • Guest User Login and Registration Enhancements
  • LDAP Authentication Enhancement
  • Clean Access Server and WSUS Interaction Enhancement
  • Agent Restricted User Access Enhancement
  • Device Filter List Display and Import/Export Enhancement
  • Agent Report Information Display and Export Enhancement
  • VPN SSO Login Enhancement
  • VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
  • Syslog Configuration Enhancement
  • Debug Log Download Enhancement
  • cisco_api.jsp Enhancement
  • CSRF Protection
  • Proxy Support Enhancements
  • ARP Broadcast Packet Handling Improvement
  • Clean Access Server HA ARP Broadcast Enhancement
  • Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
  • Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
  • Clean Access Agent Auto Remediation
  • Delay Agent Logoff on CAM/CAS
  • 64-bit Windows Operating System Agent Support
  • Access to Authentication VLAN Change Detection Enhancement
  • SNMP Inform Notification Enhancement
  • SNMP "MAC Move Notification" Switch Port Configuration Support
  • Trusted Certificate Authority Enhancement for Production Environments
  • Enhanced CAM/CAS Web Console Features Certificate Warning Messages
  • Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
  • Enhanced Security with Server Identity Based Authorization
  • JMX Over SSL Secured with Mutual Authentication
  • HTTPS Connections Enhanced with Mutual Authentication
  • Features Optimized/Removed


  • Policy Import/Export
  • CAM/CAS SSL Certificate Management Enhancement
  • CAM/CAS Software Upload Page Enhancements
  • Database Snapshot Upgrade Enhancement
  • Clean Access Manager High Availability User Interface Enhancement
  • CAM/CAS Support Log Level Settings Enhancement
  • CAM/CAS High Availability Configuration Able to Detect Hard-Drive Failure
  • Support for Wireless Out-of-Band Deployments
  • Assign Restricted VLAN for OOB Client Machines When Disconnected
  • Certified Device List/Online User List Enhancements
  • Out-of-Band Shield Enhancement
  • Out-of-Band Discovered Clients Cleanup
  • Pre-Login Banner
  • Strong Password Support for Root Admin Users
  • External Authentication Server Support for Web Administrator Login
  • Support for Cisco NAC Appliance/NME-NAC Platforms Only
  • Web Upgrade Support Removed
  • Default CAM Web Console Password Removed
  • Windows ME/98/NT OS Support Removed

Bottom Line, I recommend 4.1.6 for any new deployment that does require any of the features of 4.5.X

Tuesday, October 21, 2008

Cisco NAC Appliance 4.5 Released

The time has come.... 4.5 is here

It can be downloaded here! (Require Valid Smartnet Contract)

As with all NAC releases, be sure to read the RELEASE NOTES before upgrading!

CAM/CAS Configuration Guides:
Bottom line is that 4.5 brings way too many features to list. That is why the release notes will help!

Looks for future posts on new features and benefits!

Monday, October 20, 2008

Configuration Example - Wireless Out Of Band - New NAC 4.5 Feature

The following is a configuration guide that was posted to explain how to configure NAC 4.5 with Wireless LAN Controller 5.1 for NAC Wireless OOB support.

NAC Out-Of-Band (OOB) Wireless Configuration Example

Wireless OOB is a feature we all have been waiting for. Some of the great benefits that I see are:

- No need for a second Clean Access Server(CAS) just for wireless. If you are a smaller organization wireless and wired can be performed on a single CAS.
- Bandwidth benefits for larger wireless infrastructures. With 10Gbps network backbones and large central wireless deployments(lots of clients), having a OOB wireless deployment is a no brainer.

This is one of a few great features coming out with NAC release 4.5.

Sunday, October 19, 2008

Coming Soon - Cisco NAC Release 4.5

Cisco is preparing for NAC Release 4.5 which will include great features like Wireless OOB, Mac Posture Assessment Support and CAM import/export of policies.

The first piece of documentation has been published:

Cisco NAC Appliance Release 4.5 - Video Data Sheet

Keep a lookout for posting on all the new features and when the download becomes available.

Tuesday, September 30, 2008

NAC Updates

Windows Clean Access Agent Version 4.1.7 Released - Sept 30th

In this release their are a few minor resolved caveats:

- Symantec AntiVirus 10.x not fully compatible with CCA Agent
- V
ista Agent does not detect MAC Address of Wireless NIC
AVG Anti-Virus Free 8.x support for Virus Definition check

As with all upgrades, it is highly recommended to read the release notes before upgrading. Also, on a side note, remember that upgrades should be done for a purpose, either to fix a caveat or to gain new features.

Download 4.1.7 Windows Agent

Release Notes

3 NEW Configuration Examples posted to CCO

- NAC Appliance (CCA): Configure High Availability (HA) for the Clean Access Manager (CAM)

- Deploy NAC Profiler in an Existing Out-of-Band NAC

- Importing SSL Certificates to NAC Profiler

To see all the previous Configuration Examples and TechNotes

How to Block Operating Systems with CCA

A friend of mine, Rob Chee, writes a blog on network security and had a great post on how to block operating systems using User Pages with CCA.

Make sure you check out his Post.

Thursday, July 31, 2008

New Configuration Example: Configure Guest Access

Cisco posted a new Configuration Guide:

NAC: Configure Guest Access
This example will walk you through how to configure the various types of guest access on the Cisco Clean Access or NAC appliance.

To see all the previous
Configuration Examples and TechNotes

NEW NAC Version 4.1(6)

4.1.6 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download

4.1(6) Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1(6) CAM Installation & Configuration Guide

4.1(6) CAS Installation & Configuration Guide