Updated: May 29, 2026
Most Indian enterprise networks still grant access by what is plugged into the network jack, not by who or what is trying to connect. That one assumption underlies most of the problems now landing on the same desk: the lateral-movement breaches hitting BPO floors, the compliance gaps surfacing under DPDP and CERT-In, the inability to put an OT engineer's laptop on the plant network without disabling controls, the unmanaged BYOD and contractor sprawl that no audit team can defend, and the cyber-insurance underwriting questions that keep coming back without good answers. Cisco Identity Services Engine (ISE) is the platform that retires the assumption.
Cisco Identity Services Engine (ISE) is a Network Access Control (NAC) and policy engine. It authenticates every user and device joining the enterprise network, authorises what they can reach, profiles what they are, posture-checks their compliance state, and segments access using identity tags instead of IP addresses.
Zero Trust in network terms is the doctrine that no user or device gets implicit trust because of where it is plugged in. Every session is authenticated, every flow is authorised, and trust is re-evaluated continuously. ISE is the component that turns that doctrine into RADIUS conversations and switch ACLs.
ISE sits at the centre of Cisco's Zero Trust for the workplace architecture, working in concert with Cisco Duo (user identity and MFA), Cisco Secure Access (cloud-side SSE and ZTNA), Cisco Catalyst and Meraki (the enforcement layer in the network), Cisco Catalyst Center (the campus controller that pushes policy), Cisco Cyber Vision (OT visibility) and Cisco XDR (cross-domain detection).
Five forces converging on the same desk.
DPDP and CERT-In. Rule 6 of the DPDP Rules 2025 (reasonable security safeguards) requires that access to personal data be limited to authorised persons and that logs be retained for at least one year. CERT-In's 2022 directions require reporting of specified incidents within six hours of noticing them. An identity-led network is what makes both obligations operational: named-user authentication supplies the access limit, and the MnT audit trail supplies the retained logs.
The BPO phishing wave. UNC6783, ShinyHunters and the MFA-bypassing phishing kits all rely on lateral movement after a single agent's credentials fall. Identity-led segmentation is the control that contains the blast radius.
OT and IT convergence. Industry 4.0 has eroded the air gap in most Indian plants, with PLCs, HMIs and SCADA increasingly sharing the corporate network. ISE plus Cisco Cyber Vision is the pair that enforces zone segmentation in the plant.
Contractor and BYOD sprawl. A typical Indian enterprise now has more contractor laptops, vendor engineer devices and personal phones on the network than corporate-owned endpoints. Access without identity is no longer defensible.
Insurance and audit pressure. Cyber insurers underwriting Indian risk now expect MFA on privileged access, segmentation between user systems and crown jewels, and named-user logging.
For context, India's security services market is forecast to reach US$4.8 billion by 2027 at a 14.9% CAGR (IDC), with NAC and Zero Trust segments rising as Indian enterprises align with DPDP and CERT-In obligations.
What Does ISE Actually Do? Six Things in One Platform
| Capability | What It Does | Why It Matters |
|---|---|---|
| Authentication | IEEE 802.1X (EAP carried over RADIUS) for users and devices, MAC Authentication Bypass (MAB) for endpoints without a supplicant, certificate-based EAP-TLS for managed endpoints | No anonymous connections. Every session has a named identity. MAB authenticates nothing but a MAC address, so pair it with profiling and a restrictive authorisation result. |
| Authorisation | Maps the authenticated identity to a policy and returns it to the switch or controller as RADIUS attributes: VLAN assignment, downloadable ACL (dACL), or a Security Group Tag (SGT) | Access decisions follow the user across wired, wireless and VPN. |
| Profiling | Recognises what kind of device is connecting (Windows laptop, PLC, IP camera, printer, BYOD phone) using DHCP, CDP, LLDP, SNMP, HTTP and active scans. ISE 3.4 added AI-assisted device classification, which materially reduces the profiling-policy tuning effort that historically slowed NAC rollouts. | Catches unauthorised devices and applies device-appropriate policy. |
| Posture assessment | Checks endpoint state at connection time and on periodic reassessment: patch level, EDR running, disk encryption, firewall enabled | Compliance-gated access. A session that turns non-compliant is moved by a RADIUS Change of Authorization (CoA) into a remediation VLAN or ACL. |
| Segmentation (TrustSec / SGT) | Tag-based microsegmentation independent of IP and VLAN structure, enforced across the Cisco network | One identity-led policy instead of thousands of static ACL lines. See our ISE Posture for DPDP and CERT-In piece for the compliance-control mapping. |
| Device administration (TACACS+) | AAA for switch, router and firewall administrative access, with command authorisation and full audit | Consolidates network access and infrastructure admin on one platform, retiring legacy standalone TACACS servers. |
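The authorisation and posture rows above come down to RADIUS packets between a PSN and a switch. The following Python is an added example (not Cisco code and not part of the original page): it builds the Access-Accept a PSN would return for a contractor session carrying all three authorisation results (VLAN via the RFC 2868 tunnel attributes, a downloadable ACL and an SGT via Cisco AV-pair vendor attributes), verifies the Response Authenticator the way a switch must before trusting the reply, and builds the CoA-Request ISE uses to force a re-authentication when posture turns non-compliant. The shared secret, Request Authenticator, VLAN name, SGT value, ACL lines, MAC and session ID are constructed; the AV-pair key names follow Cisco's documented forms. In a real deployment ISE returns the dACL by name and the switch fetches its lines in a second RADIUS exchange; the lines are inlined here to keep the example to one packet.

```python
"""Added example: ISE-style RADIUS authorisation results and CoA on the wire.
Not Cisco code. Standard library only; secret, authenticator and policy values
are constructed for the example."""
import hashlib
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 5176).
ACCESS_ACCEPT, COA_REQUEST = 2, 43
CALLING_STATION_ID, ACCT_SESSION_ID, VENDOR_SPECIFIC = 31, 44, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
HEADER = struct.Struct("!BBH")          # code, identifier, length
SECRET = b"ise-radius-secret"           # constructed shared secret
REQUEST_AUTH = bytes(range(16))         # constructed Request Authenticator from the switch

def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco (vendor 9) cisco-avpair (type 1)."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)

def tagged_int(attr_type: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag byte (0 = untagged) + 3 value bytes."""
    return avp(attr_type, b"\x00" + struct.pack("!I", value)[1:])

def tagged_str(attr_type: int, text: str) -> bytes:
    return avp(attr_type, b"\x00" + text.encode())

def seal(code: int, ident: int, attrs: bytes, seed: bytes, secret: bytes) -> bytes:
    """Packet whose Authenticator is MD5(header + seed + attrs + secret): seed is
    the Request Authenticator for a reply (RFC 2865) and 16 zero bytes for a
    CoA-Request (RFC 5176)."""
    header = HEADER.pack(code, ident, HEADER.size + 16 + len(attrs))
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs

def authentic(packet: bytes, seed: bytes, secret: bytes) -> bool:
    """Recompute the Authenticator, as the switch must before acting on a reply."""
    if len(packet) < 20:
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if HEADER.unpack(header)[2] != len(packet):
        return False
    return hashlib.md5(header + seed + attrs + secret).digest() == auth

def parse_attrs(packet: bytes):
    """Yield (type, value) pairs; Cisco VSAs are unwrapped to ('cisco-avpair', str)."""
    body, pos = packet[20:], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, value = body[pos], body[pos + 2:pos + body[pos + 1]]
        if (atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID)
                and len(value) > 5 and value[4] == CISCO_AVPAIR):
            yield "cisco-avpair", value[6:4 + value[5]].decode()
        else:
            yield atype, value
        pos += body[pos + 1]

def authorisation(packet: bytes) -> dict:
    """Translate an Access-Accept into what the switch will enforce."""
    result = {"vlan": None, "sgt": None, "dacl": []}
    for atype, value in parse_attrs(packet):
        if atype == TUNNEL_PRIVATE_GROUP_ID:       # a first byte > 0x1F is part of the string
            result["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif atype == "cisco-avpair":
            key, _, val = value.partition("=")
            if key == "cts:security-group-tag":   # "000a-01": hex SGT, then generation id
                result["sgt"] = int(val.split("-")[0], 16)
            elif key.startswith("ip:inacl#"):
                result["dacl"].append(val)
    return result

def contractor_accept(ident: int = 7) -> bytes:
    """Access-Accept for a contractor: VLAN + dACL + SGT (all values assumed)."""
    attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
             + tagged_str(TUNNEL_PRIVATE_GROUP_ID, "CONTRACTORS")
             + cisco_avpair("cts:security-group-tag=000a-01")
             + cisco_avpair("ip:inacl#1=permit tcp any host 10.20.0.15 eq 443")
             + cisco_avpair("ip:inacl#2=deny ip any any"))
    return seal(ACCESS_ACCEPT, ident, attrs, REQUEST_AUTH, SECRET)

def quarantine_coa(mac: str, session_id: str, ident: int = 8) -> bytes:
    """CoA-Request ISE sends when posture turns non-compliant: re-authenticate
    that one session so the next Access-Accept carries the remediation policy."""
    attrs = (avp(CALLING_STATION_ID, mac.encode())
             + avp(ACCT_SESSION_ID, session_id.encode())
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("subscriber:reauthenticate-type=last"))
    return seal(COA_REQUEST, ident, attrs, bytes(16), SECRET)

if __name__ == "__main__":
    pkt = contractor_accept()
    print("accept authentic:", authentic(pkt, REQUEST_AUTH, SECRET), authorisation(pkt))
    coa = quarantine_coa("00-11-22-33-44-55", "0000001F")
    print("coa authentic:", authentic(coa, bytes(16), SECRET), list(parse_attrs(coa)))
```

The point of `authentic` is the one practitioners most often skip when troubleshooting: a switch that accepts a reply without checking the Authenticator against the shared secret is trusting any host that can reach UDP/1812, which is why the RADIUS secret between ISE and every NAD is a credential to be rotated and kept out of configuration backups in clear text.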
HPE Aruba ClearPass and the legacy Microsoft Network Policy Server (NPS) are the named alternatives in this category. Microsoft has effectively retired NPS as a strategic NAC platform, with Entra ID handling user identity and partner-driven NAC handling network enforcement. ClearPass remains a serious competitor in multi-vendor estates with heavy non-Cisco switching.
ISE is a distributed system. A production deployment uses four node personas.
PAN (Policy Administration Node). The single management console where administrators write and publish policy. Up to two PANs (primary and secondary) for redundancy.
PSN (Policy Service Node). Talks RADIUS to switches and wireless controllers, makes authentication and authorisation decisions in real time. Distributed PSNs sit close to the network they serve. Up to 50 PSNs in a single deployment.
MnT (Monitoring and Troubleshooting Node). Aggregates audit logs across the deployment. Up to two MnTs.
pxGrid (Platform Exchange Grid). Exchanges identity context with SIEM, EDR, vulnerability scanners and Cisco XDR. Up to four pxGrid controllers.
| Deployment Size | PANs | PSNs | MnTs | pxGrid | Typical Use |
|---|---|---|---|---|---|
| Small (under 5,000 endpoints) | Standalone or two-node | Co-located on PAN | Co-located on PAN | Co-located | Single-site mid-enterprise |
| Medium (5,000 to 25,000 endpoints) | Two dedicated PANs | 2 to 4 dedicated PSNs | Two dedicated MnTs | Two pxGrid | Multi-site enterprise |
| Large (25,000 to 500,000 endpoints) | Two dedicated PANs | 4 to 50 dedicated PSNs, regionally placed | Two dedicated MnTs | Four pxGrid | National enterprise, large BPO, BFSI |
ISE runs on Cisco Secure Network Server hardware (3700 and 3800 series) or as a virtual appliance on VMware ESXi, Microsoft Hyper-V, KVM and the major cloud providers, with Nutanix AHV support on selected releases.
ISE Inside the Wider Cisco Zero Trust Stack
| Layer | Cisco Product | What ISE Adds |
|---|---|---|
| User identity and MFA | Cisco Duo | Duo verifies who the user is; ISE decides what they can reach |
| Endpoint posture | EDR vendors via pxGrid | ISE consumes posture state and gates network access |
| Cloud-side SSE and ZTNA | Cisco Secure Access | Secure Access handles cloud-app access; ISE handles on-network access |
| Switching and wireless | Cisco Catalyst, Meraki | ISE pushes SGT policy that the network enforces |
| Campus controller plane | Cisco Catalyst Center | Pushes ISE-defined TrustSec policy to the campus fabric and provides client-health telemetry back to ISE |
| OT visibility | Cisco Cyber Vision | Cyber Vision discovers OT devices; ISE applies policy to them |
| Cross-domain detection | Cisco XDR | ISE provides identity context that turns generic alerts into named-user investigations |
A network without ISE is a network where Duo, Secure Access and XDR each see the user differently. A network with ISE is a network where every layer speaks one identity language.
A 5,000-endpoint Indian enterprise, two cities, BFSI or large ITeS profile, looks like this.
Two PANs, one in each city, with HA replication.
Two PSNs per city, sized for the campus authentication load (refer to Cisco's ISE scalability guide for the specific SNS-3700 or SNS-3800 tier; a mid-platform PSN typically supports tens of thousands of concurrent sessions with sustained authentication rates in the low hundreds per second).
Two MnTs, geographically split.
Two pxGrid controllers integrated with the SIEM and the EDR.
Wired access via Cisco Catalyst 9300 with 802.1X and MAB.
Wireless via Catalyst 9800 controllers with EAP-TLS for managed endpoints.
Remote-access VPN via Cisco Secure Client with ISE as the RADIUS authority.
TrustSec SGTs defined for employees, contractors, IoT, OT, guests and quarantined endpoints, enforced across the campus fabric.
Posture policy gating Windows endpoints on patch level, EDR running and disk encryption.
Cisco Cyber Vision feeding OT device context to ISE through pxGrid.
The same architecture scales up by adding PSNs and out by adding regions. The pattern does not change.
Ninety-Day Deployment Outline
| Phase | Days | Activity |
|---|---|---|
| Foundation | 1 to 20 | Endpoint and device inventory. Identity source integration (AD, Entra ID, Okta). Certificate authority preparation for EAP-TLS. Hardware or VM provisioning. |
| Pilot | 21 to 45 | Put the access ports of one campus VLAN into monitor mode (authentication open on the switch: ISE authenticates and logs every session, but the port forwards traffic regardless of the result). Profile every device. Tune profiling policies. No enforcement yet. |
| Authorisation rollout | 46 to 70 | Move the pilot VLAN to low-impact mode (a pre-authentication ACL on the port that the ISE authorisation result opens up). Validate every device class. Roll to the wider campus in waves of 500 endpoints. Enable posture checks for managed Windows endpoints. |
| Segmentation | 71 to 85 | Define and roll out SGTs for the priority identity classes. Apply on the campus fabric. Validate east-west enforcement. |
| Steady state | 86 to 90 | Hand over to operations. Document break-glass procedures. Establish review cadence for new device classes and policy drift. |
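The step between the pilot and the authorisation rollout is where field deployments stall, because every endpoint that was silently failing in monitor mode is denied the moment enforcement is turned on. The following Python is an added example (not an ISE feature and not Cisco tooling) of the pre-check to run at the end of the pilot: it replays monitor-mode authentication records, keeps the latest result per endpoint and method, applies the usual port order (802.1X first, MAB as the next method on failure or timeout, assumed switch configuration) and reports which endpoints would be denied in closed mode and what to fix first. The record lines are constructed in a simplified key=value form for the example, not ISE's actual syslog schema, and the MACs, identities and profile names are made up.

```python
"""Added example: closed-mode readiness check over monitor-mode records.
Not Cisco tooling. Record format below is a simplified key=value shape
constructed for the example, not ISE's syslog schema."""
from collections import defaultdict

# Constructed sample: one VLAN's monitor-mode authentications over the pilot.
RECORDS = """\
ts=1 mac=00:11:22:aa:bb:01 method=dot1x result=pass identity=asha.r@corp.example profile=Windows11-Workstation
ts=2 mac=00:11:22:aa:bb:02 method=dot1x result=fail identity=anonymous profile=Windows11-Workstation
ts=3 mac=00:11:22:aa:bb:02 method=mab result=pass identity=00:11:22:aa:bb:02 profile=Windows11-Workstation
ts=4 mac=00:11:22:aa:bb:03 method=mab result=fail identity=00:11:22:aa:bb:03 profile=Unknown
ts=5 mac=00:11:22:aa:bb:04 method=mab result=pass identity=00:11:22:aa:bb:04 profile=Axis-IP-Camera
ts=6 mac=00:11:22:aa:bb:05 method=dot1x result=fail identity=contractor7 profile=Windows11-Workstation
ts=7 mac=00:11:22:aa:bb:05 method=mab result=fail identity=00:11:22:aa:bb:05 profile=Windows11-Workstation
ts=8 mac=00:11:22:aa:bb:02 method=dot1x result=pass identity=host/LT-0412.corp.example profile=Windows11-Workstation
ts=9 mac=00:11:22:aa:bb:06 method=mab result=fail identity=00:11:22:aa:bb:06 profile=Siemens-S7-PLC
"""


def parse_records(text: str):
    """One dict per non-empty line; fields are whitespace-separated key=value."""
    for line in text.splitlines():
        if line.strip():
            yield dict(field.split("=", 1) for field in line.split())


def latest_state(records):
    """Collapse repeated attempts to the latest result per endpoint and method."""
    state = defaultdict(dict)
    for rec in sorted(records, key=lambda r: int(r["ts"])):
        endpoint = state[rec["mac"]]
        endpoint[rec["method"]] = rec["result"]
        endpoint["profile"] = rec["profile"]
    return state


def closed_mode_outcome(endpoint: dict):
    """What the port would do with enforcement on. Assumed switch order:
    802.1X first, MAB as next method when 802.1X fails or times out."""
    dot1x, mab = endpoint.get("dot1x"), endpoint.get("mab")
    profile = endpoint.get("profile")
    if dot1x == "pass":
        return "authorised", None
    if mab == "pass":
        # MAB rescues the session, but a failing supplicant is still a defect.
        return "authorised", ("fix supplicant" if dot1x == "fail" else None)
    if dot1x == "fail":
        return "denied", "fix credentials or supplicant before closed mode"
    if profile == "Unknown":
        return "denied", "profile the device or add it to an endpoint group"
    return "denied", f"add an authorisation rule for profile {profile}"


def readiness(text: str, max_denied_ratio: float = 0.01) -> dict:
    """Go/no-go report: endpoints by outcome, remediation actions, denied ratio."""
    state = latest_state(parse_records(text))
    report = {"authorised": [], "denied": [], "actions": {}}
    for mac, endpoint in sorted(state.items()):
        outcome, action = closed_mode_outcome(endpoint)
        report[outcome].append(mac)
        if action:
            report["actions"][mac] = action
    report["denied_ratio"] = len(report["denied"]) / max(len(state), 1)
    report["go"] = report["denied_ratio"] <= max_denied_ratio
    return report


if __name__ == "__main__":
    for key, value in readiness(RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample the check returns no-go: three of six endpoints would be denied, and the actions list separates the three different fixes (an unprofiled device, a laptop whose supplicant and MAB both fail, and a PLC with a known profile but no authorisation rule). The 1% threshold is a starting point to adjust per wave; the useful output is the per-endpoint action list, which becomes the pilot exit checklist.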
Ninety days is the realistic target for a single-region rollout. Multi-region or BFSI deployments with strict change-control add 30 to 60 days. The biggest accelerator we see in field rollouts is having a complete endpoint inventory on day one. The biggest delayer is discovering, in week six, that the certificate authority is missing or that Active Directory has duplicate identities.
Proactive Data Systems is a Preferred Partner under the Cisco 360 Partner Program across Networking, Security, Collaboration, Cloud & AI, and Services. We have run ISE pilots and full rollouts for Indian enterprises in BFSI, manufacturing and ITeS, paired with Duo for MFA, Catalyst Center for campus policy, Cyber Vision for OT and XDR for detection.
Book an ISE Readiness Workshop. Two days on site at one of your campuses. Endpoint inventory, identity-source assessment, sizing calculation, certificate-authority readiness and a costed ninety-day rollout plan, in your hands within ten working days.