Security · Identity & access

Cisco ISE: Identity Services Engine for Secure Network Access

Cisco Identity Services Engine (ISE) is the network access control and identity policy engine that decides who and what gets on your network, then enforces zero-trust access across wired, wireless, VPN, and 5G. Uniqcli sizes the appliances or VMs, scopes the license tiers, and returns a TAA-compliant quote.

Authorized Cisco Partner · TAA compliant · DoDIN APL-ready · GPC accepted · Ships from US warehouses

Sized from real inputs

Access-point, port, and rack counts are derived from your facility, not guesswork or a generic template.

Validated Cisco BOM

We confirm the exact SKUs, licensing tier and term, services, and availability before you sign.

Procurement-ready

TAA-compliant posture, contract vehicle, and CLIN structure, so the quote clears your buyer the first time.

Who and what gets on the network.

Enough detail for IT, procurement, and facilities to move together, then we validate the final BOM.

802.1X / RADIUS authentication

A full RADIUS AAA server with EAP-TLS, TEAP, PEAP, and EAP chaining, plus MAB for devices that cannot run a supplicant.

Profiling & posture

AI/ML endpoint profiling fingerprints IoT, medical, and OT devices; posture checks verify patch level, antivirus, and encryption before access.

TrustSec segmentation

Security Group Tags define policy by role instead of IP address, propagating micro- and macro-segmentation to limit lateral movement.

Guest, BYOD & device admin

Self-service guest and BYOD portals with certificate enrollment, plus TACACS+ command-level device administration and full audit.

At a glance

Role: Network access control + identity
Authentication: 802.1X / RADIUS + TACACS+
Editions: Essentials / Advantage / Premier
Deployment: Appliance, VM, or cloud

What Cisco ISE delivers.

Network access control (NAC)

802.1X, MAB, and identity-based authorization across wired, wireless, VPN, and 5G, the foundation of zero-trust access.

Endpoint profiling

Cloud-based Multi-Factor Classification machine learning fingerprints unknown IoT, medical, and OT devices by manufacturer, model, and OS.

TrustSec segmentation

ISE acts as the segmentation controller, propagating Security Group Tags across switches, routers, wireless, and firewalls.

Guest & BYOD onboarding

Branded hotspot, sponsored, and self-service portals with SAML 2.0 and automated supplicant provisioning cut help-desk tickets.

Threat containment

Rapid Threat Containment and Threat-Centric NAC quarantine or restrict compromised endpoints automatically by CVSS and threat score.

Catalyst Center & SD-Access

ISE drives group-based segmentation across Catalyst and Meraki infrastructure through Catalyst Center and pxGrid.

Licensing

Cisco ISE license tiers

ISE uses an endpoint-count subscription model with three nested tiers. Each higher tier includes everything below it.

Essentials

Core NAC and AAA

  • 802.1X / RADIUS authentication (AAA)
  • Guest access: hotspot, self-registration, sponsored
  • Easy Connect / PassiveID
  • Base endpoint visibility

Advantage

Segmentation, profiling, BYOD

  • Everything in Essentials
  • Endpoint profiling and AI Endpoint Analytics
  • TrustSec / Security Group Tag segmentation
  • BYOD onboarding and pxGrid context sharing
  • Rapid Threat Containment (ANC)

Premier

Posture, MDM, Threat-Centric NAC

  • Everything in Advantage
  • Posture visibility and enforcement
  • MDM/EMM integration (Intune, Jamf)
  • Threat-Centric NAC (CVSS-based)

Device Admin

TACACS+ device administration

  • Command-level control of network devices
  • Full configuration audit trail

Perpetual, licensed per deployment, separate from the endpoint tiers.

A separate, perpetual Device Administration (TACACS+) license is required for network-device administration. Cisco does not publish flat list pricing; Uniqcli quotes the exact tier mix and endpoint counts.

How it compares

Cisco ISE vs other NAC platforms

All four authenticate users, but the depth of profiling, segmentation, and Cisco-fabric integration differs. See our alternatives guide in Resources for the full breakdown.

Capability                         | Cisco ISE         | Aruba ClearPass | FortiNAC        | Microsoft NPS
802.1X / RADIUS                    | Yes               | Yes             | Yes             | Yes (basic)
Profiling and posture              | Yes (AI/ML)       | Yes             | IoT-focused     | No
Native SGT segmentation (TrustSec) | Yes               | No              | No              | No
SD-Access / Catalyst Center        | Native            | No              | No              | No
Ecosystem (pxGrid)                 | 100+ integrations | Partner set     | Fortinet fabric | Minimal
On-prem, VM, and cloud             | Yes               | Yes             | Yes             | Windows Server

ClearPass, FortiNAC, and NPS are capable platforms. ISE tends to win in Cisco-heavy, segmentation-heavy, and federal stacks.

Services included with every security · identity & access quote.


Design & assessment

Architecture, readiness review, and right-sized BOMs from real facility inputs, not a generic template.

RF & site survey

On-site survey for SCIF, multi-floor, outdoor, and datacenter risk before install, so the count holds at turn-up.

Procurement & TAA

TAA-compliant sourcing, contract vehicle, CLIN structure, and a procurement-ready package that clears review.

Staging & configuration

Pre-staging, golden configs, labeling, and validation in our lab before anything ships to the site.

Cabling, install & cutover

Structured cabling, rack-and-stack, optics, and a low-risk cutover with full documentation and handoff.

Managed operations & support

Monitoring, firmware lifecycle, change windows, Smartnet, and quarterly health reviews after turn-up.

Built for federal & public-sector delivery.

19h: average inquiry to TAA-compliant Cisco BOM in the buyer's inbox.

±15%: first-pass estimate accuracy versus the validated post-survey BOM.

30d: from approved purchase order to live, supported Cisco network.

From scope to operating network.

Packaged as a Cisco services motion: assess, design, price, deploy, and operate with one validated quote path.

01 · Use cases

Confirm users, sites, compliance needs, support term, and the business reason for the refresh.

02 · Cisco stack

Map the right Catalyst, Nexus, controller, security, and licensing components to the scope.

03 · Service package

Staging, cabling, cutover, validation, documentation, and managed handoff.

04 · Quote package

Generate a planning estimate, then we validate the final Cisco quote.

Knowledge base

Cisco ISE, explained in depth

A deeper reference for teams scoping a Cisco Identity Services Engine deployment.

What Cisco ISE does

Cisco Identity Services Engine (ISE) is a centralized network access control and identity policy platform. It authenticates and authorizes every user and device before granting network access, then continuously enforces policy based on identity, posture, and context. It is the policy decision point for zero-trust access at the network layer.

Authentication, profiling, and posture

ISE is a full RADIUS AAA server supporting PAP, MS-CHAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, and TEAP, with EAP chaining to validate machine and user in one session. It profiles every connected endpoint using predefined templates and a cloud-based Multi-Factor Classification engine, and checks posture (OS patch level, antivirus, disk encryption) before access.

  • 802.1X and MAC Authentication Bypass (MAB) for non-supplicant devices
  • AI/ML profiling for IoT, medical, and OT endpoints
  • Agent and agentless posture options via Cisco Secure Client
  • Internal certificate authority with OCSP revocation
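One way the 802.1X, MAB, and RADIUS AAA flow described above lands on an access switch, as an added example that is neither this page's nor Cisco's configuration: an IOS-XE access port using an ISE Policy Service Node as its RADIUS server, trying 802.1X first and falling back to MAB for endpoints without a supplicant. The ISE node address, the shared secret, and the VLAN numbers are placeholders.

```text
! Added example, not from this page or from Cisco: a minimal IOS-XE access-switch
! configuration using ISE as the RADIUS server with 802.1X first and MAB fallback.
! Placeholders: 10.0.0.10 = ISE Policy Service Node, <shared-secret>, VLAN 10 = user
! VLAN, VLAN 100 = critical-auth VLAN used only while every ISE node is unreachable.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE
 server name ISE-PSN1
!
! Authentication, authorization results (dACL, VLAN, SGT) and accounting all use ISE
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Accept RADIUS Change of Authorization from ISE (reauth, quarantine via ANC)
aaa server radius dynamic-author
 client 10.0.0.10 server-key <shared-secret>
!
! Send Service-Type (attr 6), Framed-IP-Address (attr 8) and Cisco VSAs that
! ISE uses for policy matching and profiling
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
radius-server vsa send accounting
! Declare a PSN dead after 3 missed retries within 5 s so ports can fail to VLAN 100
radius-server dead-criteria time 5 tries 3
!
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! 802.1X is tried first; MAB catches printers and IoT that cannot run a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

The critical-auth VLAN only applies when every configured ISE node is marked dead, so confirm the dead-criteria values against your PSN redundancy before relying on it.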

TrustSec segmentation with Security Group Tags

ISE assigns Security Group Tags (SGTs) to users and devices and defines access policy by business role instead of IP address. As the segmentation controller, it propagates SGTs across switches, routers, wireless, and firewalls to limit lateral movement. TrustSec requires the Advantage tier or higher.

Deployment and federal posture

ISE runs on Cisco Secure Network Server (SNS) appliances, as a virtual appliance on VMware, KVM, Hyper-V, Nutanix AHV, and Red Hat OpenShift, and in public cloud on AWS, Azure, and OCI. Recent releases align with Common Criteria (NDcPP), pursue DoDIN APL listing, undergo FIPS 140 review, support USGv6/IPv6, and allow administrator CAC/smart-card login. ISE itself is not a FedRAMP-authorized cloud service, so cloud-hosted posture should be confirmed per release.

Frequently asked questions

Common security · identity & access questions, answered by the Uniqcli Team.

What is Cisco ISE used for?

Cisco ISE is a Network Access Control (NAC) and identity policy engine that authenticates and authorizes users and devices before they connect, then enforces zero-trust access policy across wired, wireless, VPN, and 5G networks. It also handles guest access, BYOD onboarding, endpoint profiling, posture compliance, TrustSec segmentation, and TACACS+ device administration. Uniqcli, an authorized Cisco partner, can scope the right design for your environment.

What are the Cisco ISE license tiers?

ISE uses an endpoint-count-based subscription model with three tiers: Essentials (core 802.1X/AAA), Advantage (segmentation, profiling, BYOD, TrustSec, ecosystem integration), and Premier (MDM posture and Threat-Centric NAC). These replaced the older Base, Plus, and Apex licenses, and each higher tier includes everything in the tiers below it. A separate, perpetual Device Administration license is required for TACACS+ device admin. Uniqcli can quote the exact tier mix and endpoint counts you need.

Is the Cisco ISE Device Admin license the same as the tier licenses?

No. The Essentials, Advantage, and Premier tier licenses are subscriptions tied to active endpoint counts, while the Device Administration license used for TACACS+ network-device management is licensed separately and perpetually. You enable it on Policy Service nodes that run the TACACS+ persona. Uniqcli can confirm how many device-admin licenses your deployment requires.

Does Cisco ISE run on a physical appliance, a VM, or in the cloud?

All three. ISE runs on the Cisco Secure Network Server (SNS) physical appliances, as a virtual appliance on VMware, KVM, Hyper-V, Nutanix AHV, and Red Hat OpenShift, and as a cloud workload on AWS, Azure, OCI, and VMware Cloud. Physical and virtual nodes can be mixed into clusters for scale and redundancy. Uniqcli can size and source the right SNS appliances or VM footprint.

Which SNS appliance do I need for Cisco ISE?

Cisco offers small, mid-size, and large Secure Network Server models that differ by concurrent active-endpoint capacity and redundancy (disks and power supplies). The right model depends on your active endpoint scale, the number of Policy Service nodes, and redundancy requirements. Uniqcli can recommend a model and source TAA-compliant units for public-sector buyers.

What is TrustSec and how does ISE use Security Group Tags?

TrustSec is Cisco's software-defined segmentation technology in which ISE assigns Security Group Tags (SGTs) to users and devices and defines access policy based on business roles rather than IP addresses. ISE acts as the segmentation controller, propagating SGTs across switches, routers, wireless, and firewalls via inline tagging or SXP. This reduces operational complexity and limits lateral movement of threats. The Advantage tier or higher is required for TrustSec.

How does Cisco ISE fit into a zero-trust architecture?

In a zero-trust model ISE is the policy decision point for the workplace (network access). It gathers context from across the stack to authenticate users and endpoints, verify device posture, and enforce least-privilege access, automatically containing threats by changing or revoking access. It complements application-level ZTNA solutions like Cisco Secure Access and Duo rather than replacing them. This aligns with the network and device pillars of the CISA Zero Trust Maturity Model.

What products does Cisco ISE integrate with?

ISE integrates with Cisco Catalyst Center/SD-Access, Catalyst and Meraki infrastructure, Duo, Cisco Secure Client, and the broader Cisco XDR/Secure ecosystem, plus 100+ third-party integrations via pxGrid. It connects to Active Directory and Microsoft Entra ID, MDM platforms like Intune and Jamf, ServiceNow for asset context, and Tenable for vulnerability-driven Threat-Centric NAC. Uniqcli can help plan integrations into your existing stack.

How is Cisco ISE licensed and how do I buy it?

ISE licensing is subscription-based by active endpoint count across the Essentials, Advantage, and Premier tiers, plus a perpetual Device Admin license for TACACS+, managed through Cisco Smart Licensing. Hardware (SNS appliances) is purchased separately. As an authorized Cisco partner, Uniqcli scopes the deployment, sizes endpoint counts, and provides a formal quote, with GPC-payable, TAA-compliant options for government buyers.

Is Cisco ISE TAA compliant and available for government and DoD buyers?

Yes. ISE is widely deployed across US federal, state, local, and education networks as the enforcement point for network-level zero trust, and recent releases align with Common Criteria (NDcPP), pursue DoDIN APL listing, undergo FIPS 140 review, support IPv6/USGv6, and allow administrator CAC/smart-card login. Note that ISE itself is not a FedRAMP-authorized cloud service, so cloud-hosted posture should be confirmed per release. Uniqcli sources TAA-compliant SNS appliances and licensing through GPC-eligible and contract-vehicle channels.

Start with an estimate, then validate the final BOM.
