
Announcing ISE 2.6

Cisco Employee

It gives me great pleasure to announce the availability of Cisco Identity Services Engine (ISE) 2.6. This release is all about solving more for customers – better features and scale to deal with the Enterprise IoT era, better security and better ability to understand how your network access services and policy are deployed. Among other capabilities, being part of the Cisco DNA offer, ISE 2.6 is yet another big stride towards a better Software Defined Access.

 

What’s new in ISE 2.6:

 

  • Two million concurrent authentications - Our customers deal with the proliferation of IoT devices in their Enterprise networks, and ISE 2.6 allows them to understand what’s on the network and securely connect all of these devices – up to 2 million of these endpoints in a single ISE deployment, or “ISE cube” as we fondly call it

 

  • Faster, more powerful, fault-tolerant appliances - Managing and controlling all your user and device sessions requires some serious processing power. That’s why ISE 2.6 introduces new Cisco Secure Network Server (SNS) 36xx-Series appliances. These all-new, high-performance models are ideal for the largest deployments. While the 3615 is the 3515’s replacement and provides the same horsepower and concurrent endpoint count, the SNS-3655 handles medium-sized deployments (up to 50,000 concurrent sessions in a single PSN) and replaces the 3595. The new SNS-3695 is fully packed with 256GB memory, to be able to both act as a Policy Administration Node (PAN) and/or Monitoring and Troubleshooting Node (MnT) and can at the same time handle large-sized deployments (up to 100,000 concurrent sessions)

 

  • New ISE management support on IPv6 networks - More and more organizations are adopting IPv6 to uniquely address the massive number of new devices on their networks. With ISE 2.6, you can now manage ISE itself on a native IPv6 network, including connecting to the ISE management interface (both web and command-line) and to Active Directory and other management protocols

  

  • Identify managed devices with dynamic MAC address - Open seating environments with shared docking stations and ethernet dongles pose a challenge as the same MAC address is now linked to many different users and devices each day. That’s why ISE 2.6 with AnyConnect 4.7 now uses a Unique Device Identifier in order to uniquely identify the device, no matter what MAC address it uses

 

  • More flexible grace periods and custom user notifications - While customers try to ensure that all connected endpoints are compliant, there are situations where organizations would allow endpoints to connect while they improve their posture to meet corporate compliance requirements. ISE 2.6 and AnyConnect 4.7 now offer extended grace periods to allow users to connect and update their systems while presenting a customizable message to the end user explaining their compliance status

 

  • TrustSec deployment reports. ISE 2.6 reports show the propagation of TrustSec deployment after a change was made in the TrustSec matrix, and allow administrators to verify that all their TrustSec-enabled network devices are up to date with the latest policy

 

  •  Active Directory Authentication for CLI & REST API calls - AD authentication is now available for both our REST APIs and command-line product administration

 

  • MUD Support. Manufacturer Usage Descriptor (MUD) is an architecture for IoT devices. Based on information derived from MUD, ISE 2.6 supports increased identification of IoT devices, and automatic creation of profiling policies and Endpoint Identity Groups

 

  • Quality Improvements – as part of our ongoing quality improvement process, ISE 2.6 includes a host of quality improvements, from fixing customer-found defects, through rewriting areas of code that were found to be too squeaky, to improving the architecture and infrastructure of the product. All of them reinforce our commitment to providing the best in class product while ensuring best quality, resiliency and stability

 

Where is ISE 2.5?

As we are announcing a new generation of appliances (SNS-36XX) together with ISE 2.6, we wanted to ensure that the ISE release that goes with it is a Long Term Release (LTR) as described in “Cisco Identity Services Engine Software Release Lifecycle”. As our LTR releases are typically even-numbered, we decided to just renumber the ISE 2.5 release to be called ISE 2.6. There is no difference in the release’s content – what was supposed to be part of ISE 2.5 is still there, just called ISE 2.6.

EOL Announcement for legacy ISE PIDs

With the release of ISE 2.6, the Mobility Upgrade PIDs, ISE Advanced PIDs, ISE Express PIDs, Legacy Plus and Apex PIDs, Legacy Base and Device Admin PIDs and Legacy Virtual Machine PIDs all reach their actual End of Sales milestone. The End of Sales announcement for these PIDs can be found here. Furthermore, please note the End of Sales that was announced for ISE releases 2.0, 2.0.1, 2.1 and 2.3, available at the same location.

 

Resources:

ISE 2.6 Release Notes
ISE 2.6 Download

 

Are you as excited as we are about the new stuff in ISE 2.6? Want to learn more? Check out our ISE page at www.cisco.com/go/ise

17 Comments
VIP Advocate

@yshchory : Great news! Is there a date when the 36xx series becomes orderable? CCW shows that the new SKUs are not available for purchase through commerce workspace.

 


Cisco Employee

@Rahul Govindan - thank you for your question. We expect the new appliances to be order-able around end of this month or so.

Contributor

Thanks for the update!

VIP Advisor

This is a great thing. I did see it on CCO and downloaded it right away to update a lab.

Unfortunately, the 1st upgrade went bad 😂 for our lab ise with all features enabled.

 

Beginner

Hi there

 

During first install on VMWare we saw this error message.

It could be normal, but I want to note it)

 

Initiating application install...
No rules
enabled 1
failure 1
pid 723
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
enabled 1
failure 1
pid 723
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
chmod: cannot access /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt (No such file or directory)
Adding elastic search fields to elasticsearch.yml file...

 

 

Regards,

Artem Zhukov

Cisco Employee

Artem, Francesco,

Sorry to hear that and thank you for the heads up. I suggest opening a TAC case to get this resolved.


Yuval

Cisco Employee

Artem, I filed defect CSCvo48356 for the behavior.  Please do call in to TAC so that we can gather your logs to correct the issue for you, and the rest of the community, as soon as possible.

 

Francesco, we'd also like to hear more about what happened via a TAC case.

 

-Eric A. Nygren

Beginner

Does C9200L support TrustSec?

 

It seems it is not supported according to the document below. I feel confused!

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/compatibility/b_ise_sdt_26.html

Cisco Employee

servicepro.ian,

 

Yes, the Cat9200 and 9200L are fully TrustSec capable and supported by TAC.

That document/matrix shows all of the features that have been tested and verified against ISE 2.6, not just if the switch is capable.  If you try it and run into issues, we are there for you.

 

-Eric A. Nygren

 

VIP Advocate

@servicepro.ian Adding to Eric's response, I asked the same question to one of my contacts, they are currently testing/validating the Cat 9200 TrustSec scale.  It will eventually get added to the matrix and guides. Similar to the 9300 support, but expect lower SGT, SGACE entries, and ip-sgt mappings. 

You can watch for it here. 
https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html

Beginner

So, finally TAC confirmed that the installation error is not known to cause any issues and hence it can be safely ignored.

 

Artem

Cisco Employee

Hello, will SNS 36xx support also 2.4 version?


VIP Advocate

@mhabrcet 
2.4 is not supported on the SNS 36xx platforms.  The common messaging right now is to provide the feedback via http://cs.co/ise-feedback . Maybe if enough interest is there then 2.4 will be certified on the 3600's; no one has come out yet and point blank said that it won't work, just that it's not supported. Here's hoping that there is a strong enough business case to assign resources to look at it for us. 

Cisco Employee

@Damien Miller @mhabrcet 

 

It will not work (and if it does, it's a bug, I kid you not, and you DO NOT want it to work currently).

 

As Damien pointed out - it is unsupported currently. I believe Product Management has enough feedback around the requirement. 

 

 

Yuval

Beginner

@Damien Miller Thanks for your answer to my question.

 

After checking the link you provided, I have a further question on the latest document below.

Cisco Group Based Policy - TrustSec 6.4 System Bulletin

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-6-4-system-bulletin.pdf

 

Does C9300 Support SGT over MACsec ?

Does C9500 Support SGT over MACsec ?

 

I wonder if I could enable both TrustSec and MACsec simultaneously on C9K ?

SGT over MACsec is supported on C3K/C4K/C6K,

but I didn't see that it is supported for C9K in this document.

 

@Eric A Nygren 

Thanks for your answer, and I am very happy to know that you will support me if I run into issues.

Thanks again.