What is the big difference between the ACS and the ISE? We just purchased an ACS server to start locking down ports on our switches and use the Radius functions to better secure our wireless environment. It has been ordered but not yet arrived. I had a discussion with management today about preventing the IPads / IPhones / Smartphones / etc. of the world from accessing the network. If the user knows the credentials for getting their laptop onto the network then they can use these same credentials to get their IPad on the network. How do we detect and prevent is the current question.
In discussing with others the ISE comes up. The questions now become what is the big difference between this and the ACS. Do they work together or independently since they both seem to have "radius on steroids". Can I configure the ACS to do the same functions? I figure this will have to be something on a MAC address level anyway. Oh and one other thing. My wireless infrastructure is not Cisco.
To put it simply I usually say ACS = RADIUS, ISE = NAC.
ISE will do RADIUS functions as well as NAC functions. Eventually you'll probably see ACS go away and be simply replaced by ISE.
ISE will do posturizing and profiling of a device to see if it truly meets requirements to be on a certain VLAN. For your example if you were to my credentials on my own smart device I would have access. ISE could profile this device to see if it truly is a corporate owned device or not. If it wasn't ISE can switch the network that the device connects to, say a guest network.
ISE can also do captive web portals for wired/wireless guest access.
I wouldn't rely on any type of MAC address authentication as I can easily spoof that.