Skip to content
Reference

Introduction to Endpoint Manager for Cisco ISE

Looking for scope, requirements, roles, and licensing in one place? See the formal Endpoint Manager service description.

Endpoint Manager for ISE is a cloud-based extension to Cisco Identity Services Engine (ISE) developed by Netgraph. It enables an organisation that already operates Cisco ISE to delegate the day-to-day administration of endpoints — adding, updating, batch-importing, retiring — to the teams or vendors that own the equipment, without giving any of them an ISE login.

The service sits next to Cisco ISE, not in front of it. All authentication and authorization (802.1X, MAB, iPSK, profiling, authorization policies) continue to be performed by your Cisco ISE deployment using its existing identity sources, certificate authorities, and policy sets. Endpoint Manager covers only the per-endpoint, per-group administrative work you choose to delegate.

The core idea — distributed administration of ISE Endpoint Identity Groups

Section titled “The core idea — distributed administration of ISE Endpoint Identity Groups”

A Cisco ISE Context in Endpoint Manager connects to one Cisco ISE deployment and surfaces its Endpoint Identity Groups. Each group can be opted in to managed administration, and one or more Self-Service Users can be invited per group. Common deployment shapes:

  • IP_Phones administered by the telephony vendor.
  • Cameras administered by the security contractor.
  • Conference_Room_Displays administered by the AV integrator.
  • Digital_Signage administered by the marketing agency.

Each Group Administrator sees only the group they belong to, manages MACs and per-endpoint attributes there, and never accesses Cisco ISE directly. The Organization administrator retains a single, audited view of every managed group, owner, and endpoint.

Endpoint Manager for ISE is positioned for organisations that:

  • Operate Cisco ISE as their on-premises authentication and authorization platform.
  • Authorise non-802.1X endpoints (IP phones, IP cameras, IoT, BYOD, lab equipment) via MAB or iPSK — where the per-endpoint record matters more than the credential.
  • Need to delegate the maintenance of those records to internal owners, vendors, contractors or agencies — without granting Cisco ISE access.
  • Require a transparent audit trail of who added, moved or removed what endpoint.
  • Not a RADIUS service. Cisco ISE continues to authenticate and authorise every endpoint on the wire.
  • Not a replacement for the Cisco ISE admin UI. Policy work, identity sources, certificates and profiling rules remain in ISE.
  • Not a Netgraph RADIUSaaS. If you need a cloud-hosted RADIUS for 802.1X or iPSK rather than delegated administration of an existing on-premises ISE, see EntryPoint.
  • Not a per-unit Wi-Fi PSK tool. For single-SSID, per-unit PSK on Cisco Meraki or Catalyst 9800, see EasyPSK.

Next