NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Cisco Identity Services Engine (ISE) V2.6

Certificate Date:  2019.12.17

Validation Report Number:  CCEVS-VR-VID10978-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.1
  Extended Package for Authentication Servers Version 1.0

CC Testing Lab:  Acumen Security

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Administrative Guide [PDF]

Product Description

This section provides an overview of the Cisco Identity Services Engine (ISE) v2.6 Target of Evaluation (TOE) and a brief description of the capabilities of the ISE product. ISE is a consolidated policy-based access control system that combines authentication, authorization, accounting (AAA), posture, profiler, and guest management in one appliance. ISE v2.6 software runs on the Cisco Application Deployment Engine (ADE) Release 3.0 operating system (ADE-OS). ADE-OS is a Cisco-proprietary Red Hat Enterprise Linux based Operating system [RHEL v7.5]

The TOE also includes an instance of the Embedded Services Router 5921 [ESR], running IOS 15.5(3)M8. The ESR is a software-only solution for routing capabilities. The ESR provides IPsec session capabilities for ISE v2.6 to secure the channel between the TOE and NAS. The IOS image runs as a process on the RHEL bundle included in the ADE-OS.

Network access has evolved beyond just simple user name and password verifications. Additional attributes related to users and their devices are used as decision criteria in determining authorized network access. Additionally, network service provisioning can be based on data such as the type of device accessing the network, including whether it is a corporate or personal device. Cisco ISE is a scalable solution that helps network administrators meet complex network access control demands by managing the many different operations that can place heavy loads on applications and servers, including:

·         Authorization and authentication requests

·         Queries to identity stores such as Active Directory and LDAP databases

·         Device profiling and posture checking

·         Enforcement actions to remove devices from the network

·         Reporting


ISE delivers secure access control across wired, wireless, and VPN connections. ISE can reach deep into the network to deliver visibility into who and what are accessing resources. Through the device profiler feed service, ISE delivers automatic updates of Cisco’s validated device profiles for various IP-enabled devices from multiple vendors which simplifies the task of keeping an up-to-date library of the newest IP enabled devices.

Evaluated Configuration

The Cisco Secure Network Server (SNS) is based on the Cisco UCS® C220 Rack Server and is configured specifically to support the Cisco Identity Services Engine (ISE) security application. The Secure Network Server supports these applications in five versions. The Cisco Secure Network Server 3515 and 3615 are designed for small deployments. The Secure Network Server 3595, 3655, and 3695 has several redundant components such as hard disks and power supplies, making it suitable for larger deployments that require highly reliable system configurations. The Secure Network Server 3615, 3655, and 3695 are recommended for new installations whereas the Secure Network Server 3515 and 3595 are recommended for existing installations.

Apart from the SNS models described above, ISE is also available as a Vitual Machine running on ESXi 6.7 on UCSC-C220-M5SX. Cisco ISE supports the following virtual environment platforms, but only the ESXi 6.7 environment is a part of the evaluated configuration:

  • ESXi 6.7
  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
  • KVM on RHEL 7.3

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Identity Services Engine (ISE) v2.6 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.  Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1.  The product, when delivered configured as identified in the AGD, satisfies all the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in TBD.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

  1. Security Audit
  2. Cryptographic Support
  3. Communications
  4. Identification and Authentication
  5. Security management
  6. Protection of the TSF
  7. TOE Access
  8. Trusted path/channels


1.1       Security Audit

The TOE’s Audit security function supports audit record generation and review. The TOE provides date and time information that is used in audit timestamps. The events generated by the TOE include indication of the logging starting and stopping, cryptographic operations, attempts to log onto the TOE, all commands/ web-based actions executed by the Security Administrator, and other system events.

The TOE can store the generated audit data on itself and it can be configured to send syslog events to other devices, including other iterations of ISE, using a TLS protected collection method.  Logs are classified into various predefined categories.  The TOE also provides the capability for the administrator to customize the logging output by editing the categories with respect to their targets, severity level, etc.   The logging categories help describe the content of the messages that they contain.  Access to the logs is restricted only to the Security Administrator, who has no access to edit them, only to copy or delete (clear) them. Audit records are protected from unauthorized modifications and deletions.

The logs can be viewed by using the Operations -> Reports page on the ISE administration interface, then select the log from the left side and individual record (message).  The log record includes the category name, the message class, the message code (type of event), the message text (including a date/time stamp, subject (user) associated with the event, outcome of the event, etc.) and the severity level associated with the message. The previous audit records are overwritten when the allocated space for these records reaches the threshold.


1.2       Cryptographic Support

The TOE provides cryptography support for secure communications and protection of information.    The cryptographic services provided by the TOE include: symmetric encryption and decryption using AES; asymmetric key generation; cryptographic key establishment using RSA-based and ECDSA key establishment schemes and DH key establishment; digital signature using RSA; cryptographic hashing using SHA1 (and other sizes); random bit generation using DRBG and keyed-hash message authentication using HMAC-SHA (multiple key sizes). ISE uses the Cisco FIPS Object Module (FOM) crypto library as its cryptographic module. The TOE implements the secure protocols - SSH and TLS/HTTPS on the server side and TLS on the client side. The TOE also provides cryptography in support of VPN connections. The TOE provides IPsec session capabilities for ISE v2.6 to secure the channel between the TOE and NAS. The algorithm certificate references are listed in the table below –


 Table 2: CAVP Certificate References



Mode Supported

CAVP Cert. #


Used for symmetric encryption/decryption


CBC (128 and 256 bits)

CTR (128 and 256 bits)

GCM (128, and 256 bits)


SHS (SHA-1, SHA-256, SHA-384, and SHA-512)

Cryptographic hashing services

Byte Oriented



Keyed hashing services and software integrity test

Byte Oriented




Deterministic random bit generation services in accordance with ISO/IEC 18031:2011





Signature Verification

FIPS PUB 186-4, “Digital Signature Standard (DSS)”



Signature Verification and key transport

FIPS PUB 186-4 Key Generation (2048-bit key, 4096-bit key)



Signature generation and Signature verification

FIPS PUB 186-4, “Digital Signature Standard (DSS)” (256 bits, 384 bits and 521 bits)

NIST curves- P-256, P-384 and P-512




Key Agreement

NIST Special Publication 800-56A



Key Agreement

NIST Special Publication 800-56A


1.3       Communications

The TOE has the ability to validate the NAS and prevent it from being spoofed. It receives the transmitted Access-Request and identifies where it’s sent from. The TOE is able to validate the authenticity of the NAS by verifying the Message Authenticator that is computed in part using a shared secret known to both the NAS and the TOE as defined in RFC 3579. It then returns a valid response to the NAS upon receipt of an Access-Request. The response contains the necessary information to the recipient of that message that identifies the TOE as the valid recipient of the original Access-Request and the Access-Request that elicited the response from the TOE.

1.4       Identification and Authentication

All users wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services other than the display of the warning banner. Once a user attempts to access the management functionality of the TOE, the TOE prompts the user for a user name and password for remote password-based authentication. The identification and authentication credentials are confirmed against a local user database or an optional remote authentication store (part of the IT Environment). Other authentication options include public key authentication. For remote X.509 certificate-based authentication to the administration application, an Active Directory or LDAP Server identity source (remote authentication store) is required to perform the association of the credentials to an ISE Role Based Access Control role. For the SSH public key authentication method, the public keys configured by the EXEC CLI command "crypto key import" command will be used for signature verification. The user information is from the local user database. In all cases only after the Administrator presents the correct identification and authentication credentials will access to the TOE functionality be granted. The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for TLS/HTTPS connections.

The TOE provides the capability to set password minimum length rules.  This is to ensure the use of strong passwords in attempts to protect against brute force attacks.  The TOE also accepts passwords composed of a variety of characters to support complex password composition. During authentication, no indication is given of the characters composing the password.

1.5       Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure session, a terminal server or a local console connection. The TOE provides the ability to perform the following actions:

·         Administer the TOE locally and remotely

·         Configure the access banner

·         Configure the cryptographic services

·         Update the TOE and verify the updates using digital signature capability prior to installing those updates

·         Specify the time limits of session inactivity 


All these management functions are restricted to the Security Administrator of the TOE, which covers all administrator roles (see table for FMT_SMR.2 in Section 6.1). The Security Administrators of the TOE are individuals who manage specific type of administrative tasks. The Security Administrators are dependent upon the admin role assigned to them, which limits the network access or tasks they can perform (a role-based access approach).

The primary management interface is the HTTPS Cisco ISE user interface. The Cisco ISE user interface provides an integrated network administration console from which you can manage various identity services. These services include authentication, authorization, posture, guest, profiler, as well as monitoring, troubleshooting, and reporting. All these services can be managed from a single console window called the Cisco ISE dashboard. The navigation tabs and menus at the top of the window provide point-and-click access to all other administration features. A Command Line Interface (CLI) is also supplied for additional administration functionality like system-level configuration in EXEC mode and other configuration tasks in configuration mode and to generate operational logs for troubleshooting. This interface can be used remotely over SSHv2.


1.6       Protection of the TSF

The TOE can terminate inactive sessions after a Security Administrator configurable time-period.  Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.  The TOE provides protection of TSF data (authentication data and cryptographic keys).  In addition, the TOE internally maintains the date and time. This date and time is used as the time stamp that is applied to TOE generated audit records.  This time can be set manually. The TOE is also capable of ensuring software updates are from a reliable source.  Finally, the TOE performs testing to verify correct operation.

For updates to be installed on the TOE, an administrator must use the digital signature mechanism to confirm the integrity of the product.


1.7       TOE Access

The TOE can terminate inactive sessions after a Security Administrator configurable time-period. The TOE also allows users to terminate their own interactive session. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session. 

The TOE can also display a Security Administrator specified banner on the CLI and the web-based management interface prior to allowing any administrative access to the TOE.


1.8       Trusted path/Channels

The TOE establishes a trusted path between the ISE and the administrative web-based UI using TLS/HTTPS, and between the ISE and the CLI using SSH.  The TOE also establishes a secure connection for sending syslog data to other IT devices using TLS and other external authentication stores using TLS-protected communications.



2         Excluded Functionality

The following functionality is excluded from the evaluation.

Table 3 Excluded Functionality (refer ST)

Excluded Functionality

Exclusion Rationale

Non-FIPS mode of operation

This mode of operation includes non-FIPS allowed operations.

Guest Management

Not within the scope of the evaluation

The device profiler feed service

Not within the scope of the evaluation


This version of TOE cannot provide secure NTP channel.

Virtual environment Microsoft Hyper-V on Microsoft Windows Server 2012 R2 for ISE-VM

Only ESXi 6.7 virtual environment will be tested

Virtual environment KVM on RHEL 7.3 for ISE-VM

Only ESXi 6.7 virtual environment will be tested


These services will be disabled by configuration. The exclusion of this functionality does not affect compliance to the collaborative Protection Profile for Network Devices Version 2.1.

Vendor Information

Cisco Systems, Inc.
Cert Team
Site Map              Contact Us              Home