May 20 2019

4 Tips to Get the Most from Cisco’s Identity Service Engine

A powerful Cisco tool for identity management requires careful consideration during deployment.

No security program is complete without an effective means of identifying would-be network users and authenticating their credentials. Cisco Systems’ Identity Services Engine does just that. Here’s how government agencies can efficiently and effectively implement the solution across wired networks, wireless networks and VPNs.


1. Understand What ISE Can (and Can’t) Do

ISE is powerful, but it’s not magic. Agencies must understand its capabilities before they make the financial and time commitment to deploy the product. For example, ISE is capable of probing systems across the network and identifying those that respond to its polling requests, but it does not monitor network traffic for signs of activity.

2. Turn to User Authentication to Get More Value

ISE can be used to authenticate either devices or users. Many organizations benefit from integrating ISE with other components of their security infrastructure, such as Cisco Stealthwatch and Firepower. Those integrations are much more powerful when they have access to user data, so pursue user authentication whenever possible.

3. Check Hardware Compatibility in Advance

Older network equipment may not be compatible with ISE. Perform hardware compatibility checks early in the process to identify switches that require firmware upgrades or hardware replacement. Upgrading in advance speeds up ISE deployment, especially in environments where it’s difficult to schedule downtime.

4. Tune Alarms to Limit False Positives

Out of the box, ISE sends alerts for almost every event that takes place, and that’s simply too much information for most security teams. Make sure only the most important incidents cause alerts: CPU usage spikes, increases in authentication latency, failed backups, certificate expiration warnings and loss of contact with Active Directory domain controllers.
