We are very proud to announce Cisco ISE 3.4 Patch 1, a much-awaited General Availability release for Common Policy.
The following features and enhancements are part of this patch release.
Common Policy:
Common Policy can be your universal translator, connecting your entire network through one consistent language using Security Group Tags (SGTs). It addresses the network and security administrators' pain point of maintaining a consistent security policy across network and security domains.
Introduction:
Typically, context information is created closer to the domain where it resides: the access layer for users and devices and in the data center or cloud for application workloads. This context is received and normalized to a group construct, namely a Security Group Tag (SGT), providing a unified mechanism to facilitate creating a consistent security policy in multiple domains. The normalized user, device, and app workload context is sent to each domain using Cisco ISE as the exchange hub. This enables security administrators to create consistent access and segmentation policies regardless of which domain they choose to enforce policy.
For Common Policy, ISE 3.4 Patch 1 introduces Workload Connectors and support for multiple SGTs in workload classification rules.
Workload Connector:
This allows you to automatically classify cloud workloads and dynamically assign security group tags (SGTs) to be used in creating and enforcing access and segmentation policies. Initial providers will be Amazon Web Services (AWS), Azure, VMware vCenter and Google Cloud Platform (GCP).
Figure: Common Policy at a glance
pxGrid Direct enhancements:
Building on the pxGrid Direct framework introduced in Cisco ISE 3.2, which simplified integration with Configuration Management Database (CMDB) servers lacking native pxGrid support, Cisco ISE 3.4 Patch 1 brings several key enhancements:
- Trigger Change of Authorization (CoA) upon attribute change: CoA can now be triggered whenever an endpoint attribute that Cisco ISE learned through pxGrid Direct is modified. Administrators have the flexibility to specify which attributes should initiate a CoA when their values change.
- Tags support: Moving beyond simple key-value pairs, pxGrid Direct in Cisco ISE 3.4 Patch 1 supports tags, which are arrays of values. This lets administrators create more complex conditions for refined policy enforcement; for instance, they can easily define conditions based on a user belonging to one or more groups.
- Calculate reauthentication timers: Administrators can now establish dynamic reauthentication timers from the CMDB using a timestamp learned through pxGrid Direct when an endpoint connects to the network. This enables the simultaneous disconnection of a group and its associated endpoints, providing a convenient way to enforce disconnections during weekends or at the end of the workday.
Use the Integration Catalog to integrate Cisco pxGrid Cloud applications:
This feature simplifies the user experience of provisioning the pxGrid Cloud configuration through a guided workflow in the Cisco ISE Integration Catalog. The Cisco ISE Integration Catalog is a portal that facilitates easy integration with external systems and applications using pxGrid Cloud, with other mechanisms to follow in the future.
Please use the references below to plan your upgrade.
References:
Software download
Release Notes
Administration Guide
Upgrade Guide