cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Cisco Identity Services Engine (ISE) 2.4 Release

13004
Views
10
Helpful
0
Comments

 

 

Download

 

Existing customers may download the Cisco Identity Services Engine (ISE) 2.4 which was released on March 29, 2018.

For 90-day evaluations of ISE, please see How to Get ISE Evaluation Software & Licenses.

 

 

Features

 

From the New Features section of the ISE 2.4 Release Notes :

 

Feature

Description

Business Outcome

Base Licensing Features

Active Directory Domain Controller Failover Mechanism

The Domain Controller (DC) failover mechanism is managed based on the DC priority list, which determines the order in which the DCs are selected in case of failover. If a DC is offline or not reachable due to some error, its priority is decreased in the priority list. When the DC comes back online, its priority is adjusted accordingly (increased) in the priority list.

Results in higher serviceability as a Network Access Control solution and increases reliability of the Cisco ISE connection to Active Directory deployments.

Kerberos Authentication for the Sponsor Portal

Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.
Note: Kerberos authentication is NOT supported for the Guest portal.

You can use Kerberos to authenticate a sponsor for access to the sponsor portal.

Some Dashlets Removed to Resolve Performance Issues

The following dashlets have been decommissioned to prevent performance issues when displaying large datasets:

  • Context Visibility > Endpoint > Compliance: Status Trend
  • Home > Endpoints > Endpoint
A large number of endpoints caused performance problems with some dashlets.

IPv6 Support Expanded

IPv6 addresses are now supported for RADIUS configurations. The IP Address field in the Administration > Network Resources > Network Devices page and the Host IP field in the Administration > Network Resources > External RADIUS Server page now support both IPv4 and IPv6 addresses for RADIUS configurations.

Additional support for IPv6 addressing:
  • Allows you to migrate your network to IPv6-based networks. You can migrate to IPv6 addressing if you have fragmented networks or have exhausted IPv4 addresses.
  • Facilitates more efficient routing, packet processing, security, and simplified network configuration.

Large Virtual Machine for Monitoring Persona

Cisco ISE introduces a large VM for Monitoring nodes. Starting from Release 2.4, the large VM is required for any deployment that handles greater than 500,000 sessions.

Note: This form factor is available only as a VM in Release 2.4 and above, and requires a large VM license.

Deploying Monitoring persona on a large VM offers the following advantages:
  • Supports greater than 500,000 sessions and is scalable
  • Improved performance in terms of faster response to live log queries and report completion

TrustSec Enhancements

You can select the ISE node from which the configuration changes must be sent to the network device while adding the network device (under Advanced TrustSec Settingssection). You can select the PAN or PSN node. If the PSN node that you selected is down, the configuration changes are sent to this device using the PAN.

While deploying the IP SGT static mappings, you can select the devices or the device groups to which the selected mappings must be deployed. You can select all the devices if required. You can use the filter option to search for the devices that you want. If you do not select any device, the selected mappings are deployed on all TrustSec devices.

You can use the Check Status option to check if different SGTs are assigned to the same IP address for a specific device. You can use this option to find the devices that have conflicting mappings, IP address that is mapped to multiple SGTs, and the SGTs that are assigned to the same IP address. This option can be used even if device groups, FQDN, hostname, or IPv6 addresses are used in the deployment. You must remove the conflicting mappings or modify the scope of deployment before deploying these mappings.

Verify TrustSec deployment option in the General TrustSec Settings page helps you to verify whether the latest TrustSec policies are deployed on all the network devices. Alarms are displayed in the Alarms dashlet (under Work Centers > TrustSec > Dashboard), if there are any discrepancies between the policies configured on Cisco ISE and the network device. The following alarms are displayed in the TrustSec dashboard:

  • An alarm with an Info icon is displayed whenever the verification process is started or completed.
  • An alarm with an Info icon is displayed if the verification process is cancelled due to a new deployment request.
  • If the verification process resulted in an error (for instance, failed to open SSH connection with the network device, or the network device is unavailable), or if there is any discrepancy between the policies configured on Cisco ISE and the network device, an alarm with a Warning icon is displayed for each of these network devices.

The Verify Deployment option is also available on the following pages:

  • Work Centers > TrustSec > Components > Security Groups
  • Work Centers > TrustSec > Components > Security Group ACLs
  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix
  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree
  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree

Check the Automatic Verification After Every Deploy check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process is started after the time that you specify in the Time after Deploy Process field. The current verification process is cancelled if a new deployment request is received during the waiting period or when the verification is in progress. Click Verify Now to start the verification process immediately.

IPv6 addresses can be used in IP SGT static mappings. These mappings can be propagated using SSH or SXP to specific network devices or network device groups.

If FQDN and hostnames are used, Cisco ISE looks for the corresponding IP addresses in the PAN and PSN nodes while deploying the mappings and checking the deployment status. You can use the IP SGT Static Mapping of Hostnames option in the General TrustSec Settings window to specify the number of mappings created for the IP addresses returned by the DNS query. You can select one of the following options:
  • Create mappings for all IP addresses returned by DNS query
  • Create mappings only for the first IPv4 address and the first IPv6 address returned by DNS query
Enhanced IP SGT workflow:
  • Improves network device misconfiguration error handling and operational efficiency through Check Status option.
  • Verifies TrustSec configuration on Network Devices.
  • Selectively deploy the IP SGT static mappings.
  • Create IP static mappings with IPv6 addresses.
  • Create mappings for first or all known IP addresses based on DNS FQDN query.

Support for Two Shared Secrets Per IP for RADIUS NAD Clients

You can specify two shared secrets (keys) to be used by the network device and Cisco ISE. You can configure the shared secrets in the RADIUS authentication settings section for a NAD in the Administration > Network Resources > Network Devices page in Cisco ISE. Replace Shared Secrets on network devices:

You can now replace shared secrets on network devices independently without Cisco ISE. Changing a RADIUS secret is now simplified and allows you to enter a new shared secret.

Support for Sending Separate SNMP CoA Packets

You can check the Send SNMP COA Separate Request check box in the Administration > Network Resources > Network Device Profiles > Change of Authorization (CoA) page to send the SNMP CoA packets to the NAD as two packets.

Increased compatibility with devices:

Provides support for older Cisco and third party NADs that mandate the sending of SNMP CoA packets as two packets (for the shutdown and no shutdown interface configuration commands).

Plus Licensing Features

Profiler Enhancements

  • Added 512 new profile policies from vendors, including ADtranz, AudioCode, Barracuda, BlackBerry, Brother, Hewlett Packard, Lexmark, NetApp, Samsung, and Xerox.
  • Added additional conditions to 189 profile policies to support additional probes. For example, DHCP conditions are added to Xerox devices such that customers who do not want to profile Xerox devices based on SNMP, can profile Xerox devices using DHCP.
  • Reorganized profiles into families for better identification of new devices. For example, HP-LaserJet-4350 was previously profiled directly under HP-Device. It is now profiled under HP-LaserJet, which in turn is profiled under HP-Device. When Hewlett Packard introduces a new Hewlett Packard LaserJet printer model, Cisco ISE will classify the new model as HP-LaserJet, and not as HP-Device until a new profile policy for that exact LaserJet printer model is added.
Effective classification of devices:
  • Helps you gain visibility of previously unknown devices, such as Xerox printers or Vista link printers with improved profiler efficacy.

Cisco ISE Can Pull IoT Device Context and Session Data from Cisco IND

Cisco ISE can profile and display the status of devices attached to a Cisco Industrial Network Director (IND). Cisco Platform Exchange Grid (pxGrid) is used to communicate the endpoint (Internet of Things [IoT]) data between Cisco ISE and Cisco IND. pxGrid is used to receive the context from Cisco IND and query Cisco IND to update endpoint type. Effective network monitoring and full visibility and control of industrial networks offer:
  • Full visibility and control of automation endpoints, such as controllers, IO devices, and human machine interfaces (HMIs).
  • Lowered asset management cost and improved operator productivity with Cisco IND and Cisco ISE integration.

Control Permissions for pxGrid Clients

You can create pxGrid authorization rules for controlling the permissions for the pxGrid clients (under Administration > pxGrid Services > Permissions).

Use these rules to control the services that are provided to the clients. You can create different types of groups and map the services provided to clients to these groups. Use the Manage Groups option in the Permissions window to add new groups.

You can view the predefined authorization rules that use predefined groups (such as EPS, ANC) on the Permissions window. You can update only the Operations field in the predefined rules.

Better pxGrid backward compatibility:
  • Significantly shortens the integration time with Cisco ISE to collect context information and initiate Adaptive Network Control (ANC) actions through Cisco ISE.
  • Helps control the services that are provided to the clients.

Apex Licensing Features

Posture Enhancements

  • Grace Period for Noncompliant Devices — Cisco ISE provides an option to configure grace time for devices that become noncompliant.

    Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace time for the device, during which the device is granted access to the network. You can configure the grace time period in minutes, hours, or days (up to a maximum of 30 days).

    The Posture Assessment by Endpoint report is updated and displays a Grace Compliant status for an endpoint that is currently not compliant, but is under the grace period.

  • Posture Rescan —AnyConnect users now have the option to manually restart posture at any point of time.
  • AnyConnect Stealth Mode Notifications —Several new failure notifications are added for AnyConnect stealth mode deployment to help users identify issues with their VPN connection.
  • Disabling UAC Prompt on Windows —You can choose to disable the User Access Control (UAC) prompts on Windows endpoints from the AnyConnect posture profile.
    Note: By default, this value is set to No while configuring the Anyconnect Profile. When you change it to Yes, the UAC prompts are disabled and the Windows users no longer receive these prompts. If you want to enable the UAC prompt again, you should change this setting to No in the Anyconnect Profile. This setting takes effect only when the Windows endpoint is restarted.
  • New URL for Downloading Client Provisioning and Posture Updates—The client provisioning and posture feed URL has changed. The new URL for Posture Updates is https://www.cisco.com/web/secure/spa/posture-update.xml and for Client Provisioning is https://www.cisco.com/web/secure/spa/provisioning-update.xml
  • File Condition Enhancements —A new operator, within, is introduced under File Condition to check for the changes in a file within a certain period of time.
  • Certificate Attributes in Client Provisioning and Posture Policies —Certificate attributes are now available in the client provisioning and posture policy pages.
Improved security alerts and enforcement:
  • Provides admin users with more flexible options for educating end users about posture condition failures including grace-period-specific messaging scenarios.
  • Helps effective management of some posture checks and remediations that require additional privileges and prompts the user for such privileges.

Endpoint API Enhancements for Mobile Device Management (MDM) Attributes

MDM attributes are made available through the endpoints API to enable additional synchronization capability between Cisco ISE and a third-party MDM server.

Helps customers to better integrate third party systems with ISE and provide better user experience for end users using mobile devices that are managed by an MDM server.

 

 

 

  Documents

 

 

 

 

Videos

 

See our CiscoISE YouTube Channel for our latest videos!

 

 

 

Resources

 

For Cisco Partners and Sales Engineers