Zero Trust with Cisco ISE: identity-based access, explained

Zero trust is less a product than a principle: never trust, always verify. On a network, that means access decisions based on identity and posture rather than where a device happens to plug in. Cisco Identity Services Engine (ISE) is how that principle becomes enforceable policy.

From IP addresses to identity

Traditional access control keys on IP addresses and VLANs, which break down the moment users and devices move. ISE authenticates with 802.1X and assigns Security Group Tags (SGT) — so policy can say 'contractors cannot reach finance systems' without anyone maintaining IP access lists.

Why it underpins segmentation

Segmentation limits how far an attacker can move. With SGTs, segmentation policy is written once in identity terms and enforced across switches, wireless, and firewalls — rather than rebuilt as VLAN and ACL sprawl in every closet.

• 802.1X / MAB authentication for wired and wireless.
• Posture checks before granting access.
• Security Group Tags carried across the fabric.
• Integration with Secure Firewall for identity-aware rules.

“When policy follows identity, moving a device no longer means rewriting the network.”

— Uniqcli security practice