Cisco Identity Services Engine (ISE)
Cisco·AE_HSc_CiscoISEConnectorGuide
Overview
The Cisco ISE connector integrates AlertEnterprise Guardian with Cisco Identity Services Engine — Cisco's enterprise NAC (Network Access Control) / network-side IAM platform. ISE is unusual in the IAM connector catalog because its scope is network access rather than application access — ISE governs which network users (wired, wireless, VPN, BYOD) can authenticate onto the customer's network and what segmentation policies apply. Cisco ISE is one of the most commonly deployed NAC platforms in the Fortune 500.
The connector supports both Internal Users (the local-database identity store ISE maintains for guest/contractor/contingent populations) and Guest Users (the sponsored-guest model used for visitor Wi-Fi and time-bounded access). Per the connector guide, "Modify User Roles" only applies to Internal Users — Guest user roles are managed differently in ISE.
Architecture: AE Guardian → ACF → Cisco ISE Connector → Cisco ISE REST API → Cisco ISE Access Control Manager. Standard HTTPS REST. The connector ships as ALNTCiscoISEConnector-5.0-SNAPSHOT.jar.
Architecture
[Diagram: composed from this connector's actors and edges. Trust zones are color-coded; trust crossings render as thicker lines.]
Authentication
1 method supported
Cisco ISE authentication uses basic auth — username + password for an ISE administrator or ERS Admin account. SSL/TLS is required; the connector guide documents the standard keytool -importcert procedure for importing the ISE certificate into the AE host's JVM cacerts keystore.
Prerequisites
Everything that must be in place for this connector to work, with the owner who's responsible.
Cisco ISE deployment with ERS (External RESTful Services) enabled
Owner: customer. An operational Cisco ISE deployment (2.2 through 3.4) with the ERS API enabled. ERS is disabled by default — the ISE admin must enable it under Administration → System → Settings → ERS Settings. The REST URLs are provided as part of the Cisco ISE subscription.
ISE ERS Admin account with API privileges
Owner: customer. A dedicated ISE administrator account in the ERS Admin role with privileges to manage Internal Users + Guest Users.
SSL certificate trust
Owner: AE. ISE certificate imported into the AE host's JVM cacerts keystore via keytool -importcert; restart Job and API services.
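A preflight check for the three prerequisites above, added here as an example and not taken from the connector guide or the connector's code. It sends one basic-auth GET over verified TLS, trusting the same PEM file that is handed to keytool, so it validates the ISE certificate and the ERS account rather than the JVM keystore itself. The resource path /ers/config/internaluser comes from Cisco's ERS API, not from this page; the host name and port used when calling it are constructed placeholders.

```python
import base64
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Assumption: ERS resource path from Cisco's ERS API, not stated on this page.
INTERNAL_USER_PATH = "/ers/config/internaluser"

def tls_context(ca_file=None):
    """Verified TLS only; ca_file is the same ISE/CA PEM given to keytool."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx  # check_hostname=True and CERT_REQUIRED are the defaults

def ers_request(base_url, user, password, path=INTERNAL_USER_PATH):
    """Build the basic-auth GET; refuse cleartext so the password is never exposed."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("ERS basic auth must only be sent over https")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )

def classify(status):
    """Map an HTTP status to the prerequisite it points at."""
    if status == 200:
        return "ok"
    if status == 401:
        return "credentials rejected"
    if status == 403:
        return "account authenticated but lacks privileges for this resource"
    return f"unexpected HTTP {status}"

def preflight(base_url, user, password, ca_file=None, timeout=10):
    """Return a one-line diagnosis; the password is never printed or returned."""
    req = ers_request(base_url, user, password)
    try:
        with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=timeout) as r:
            return classify(r.status)
    except urllib.error.HTTPError as e:
        return classify(e.code)
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return "certificate not trusted: import it, do not disable verification"
        return f"connection failed: {e.reason}"
```

Call preflight("https://ise.example.internal:9060", user, password, ca_file="ise.pem") with the deployment's real ERS URL in place of the constructed one.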
Known limitations
Documented constraints to set customer expectations before deployment.
Modify User Roles supported for Internal Users only
Informational: The Modify User Roles provisioning capability applies only to Internal Users. Guest user identity groups are managed through ISE's Sponsor Portal workflow rather than the ERS API, so AE cannot directly modify Guest user role assignments.
IAM specifics
- OIDC: no
- SAML: yes
- SCIM: no
- JIT provisioning: unknown
- Group sync mode: flat
- Source of record: No
ISE supports MFA enforcement at the network-access policy layer (e.g., requiring DUO + 802.1X for VPN). MFA configuration is owned by the ISE admin; AE does not configure ISE policies.
Standard ISE Internal User attributes (UserName, FirstName, LastName, Email, Description) + Guest User attributes (similar plus sponsor info).
- src/connectors/cisco-ise/source.pdf — Full connector guide — 27 pages, updated 2024-12-03
- src/connectors/cisco-ise/source.pdf — p5 — Supported Version
- src/connectors/cisco-ise/source.pdf — p5 — Provisioning Capabilities