I design and install a lot of ISEs. I know you're supposed to provide feature requests via TAC, but as a Partner engineer this isn't always as easy as it sounds. When customers buy SmartNET we seldom get added to the contract and when customers buy PSS, partners seem to be discouraged from raising TAC cases... can't win! Hopefully this forum will get visibility of the in to the right part of Cisco and encourage others in a similar boat to also speak up.
Here's my current wish list - feel free to add your own.
Make providing feedback easier
Since the demise of the ATP and TIP, and since changing employers, it has got harder to provide general feedback in to Cisco about how ISE is behaving. Can we have more 'I wish this page would' or 'provide feedback' features please.
SMTP
1. Add support for authenticated SMTP - nobody likes giving out none-authenticated SMTP access these days.
2. Improve support for sending test emails - having to do it via the test facility inside a portal isn't great. Why can't you sen a test mail from the SMTP Server Settings page where you configure the SMTP Server FQDN?
3. Improve granularity of SMTP testing - ISE only sends SMTP from whatever node you're currently logged in to. When you have a whole bunch of nodes in an ISE deployment, all of which may need to send e-mails for one reason or another, makes testing convulted at best. Why, on the page where the SMTP Server hostname is configured, can't you have a test facility that lets you specify which node you want to send a test e-mail from? This would make testing a LOT easier.
4. Why isn't there an SMTP E-mail failed to send alarm / alert? This would help day to day operations people, and it would help during installs / testing. In one recent case, failing to send an e-mail to a Guest when a Sponsor approved an access request produced a very unhelpful error on the Sponsor's browser and it took a lot of log hunting to work out what was going on.
ISE Upgrade Readiness Assessment Tool
1. Why, when it hits an error, doesn't it tell you what it was doing when the error was produced?
In a recent case, it errored and didn't show anything useful about why. I then had to crank up the debugging level, repeat the process and await the error, then spend ages trawling through the (undocumented!) logs to find out that it knew exactly what was wrong - there was a particular Authentication Condition it didn't like. The debug log contained the condition name so once I'd found it, I could delete it, do the upgrade then re-create it. If the tool showed the name of the thing that failed directly, insted of hiding it in a debug log, people would be able to fix their own problems much easier and quicker. This would also reduce the number of TAC cases people raise.
Device Administration
Why can't you reboot an ISE from the GUI? Sure you can force a sync which ultimately forces a reload, but what about when you only have one node in the deployment? Or when it's the Primary Admin that you want to reload?
PI integration with ISE
<rant>This is broken AGAIN. Why is it so hard to get two Cisco products to talk to each other after all the chat we've had about how you're improving product quality? Sorry - slightly ranty - but it's a great idea, ruined by poor implementation.</rant>
Proxy RADIUS
Improve logging - Proxy RADIUS always feels like it could contain more info than it does... particularly when weird errors are happening. Detail is needed because services like eduroam and GovWifi rely exclusively on proxy RADIUS. A lack of info makes troubleshooting hard.
No Certs in Backups
1. I understand that this is probably a security thing, but as many customers don't do much with Certs once it's all installed and running, they are seldom able to efficiently re-install the certs and their Portal Tags when doing a restore. It would be nice if there was an option to include Certs in the backup file.
CRLs
It'd be useful if you could review the current CRL used by ISE for a given issuing CA.
It'd also be useful if it gave a more insightful error message when a CRL fails to download.
Import/Export Specific Policy Set Conditions
Every time anybody in the UK creates a new ISE and integrates it with eduroam, they have to build this rather long authentication condition - URL below. It's the same at every customer, yet I have to type it out manually every time. It'd be nice if you could export/import individual conditions to provide consitency and to speed up installs.
https://community.jisc.ac.uk/library/janet-services-documentation/filtering-invalid-realms
Update default RADIUS dictionary
On a similar note to the previous, every eduroam install in the UK (so basically every University and most colleges) requires you to insert an Operator-Name attribute in to the request before you Proxy it. This attribute isn't included in the default dictionary so everytime anybody installs an ISE to support eduroam, they have to faff around updating the Dictionary before they can insert the attribute in to the outbound Proxied request.
Details here;
https://community.jisc.ac.uk/library/janet-services-documentation/advisory-injection-operator-name-attribute
