Cisco Identity Services Engine (ISE) 2.6 Release

Download

Existing customers may download the Cisco Identity Services Engine (ISE) 2.6 which was released on February 18, 2019.

For 90-day evaluations of ISE, please see How to Get ISE Evaluation Software & Licenses.

Features

From the New Features section of the ISE 2.6 Release Notes:

Feature | Description | Business Outcome

Base Licensing Features

IPv6 Phase 3 Support

ISE Management

You can now install and access ISE with either IPv4 or IPv6 addresses. The following ISE functionalities are supported over IPv6:

  • Setup: Configure IPv6 for eth0 along with IPv4.
  • Manage (modify/add/remove/bonding) IPv4 or IPv6 address via CLI for any interface.
  • SSH manageability.
  • ISE Admin UI access over IPv4 or IPv6.
  • Restrict Admin UI and CLI access by IP.
  • CLI CDP visibility.
  • ISE Node Management (registration, manual-sync, replication, etc).
  • CLI: Configure multiple IPv6 addresses on any interface.

Network Time Protocol Support

You can configure and access the NTP server with an IPv4 or an IPv6 address.

  • Primary PAN NTP configuration is not replicated to secondary nodes.
  • Each node in a deployment can be configured with different NTP servers.
  • An ISE node can be configured with IPv4, IPv6 or FQDN NTP servers, or a mix of these.
  • Administrators can configure NTP authentication keys and associate them with the primary/secondary/tertiary NTP servers by marking the keys as trusted.
  • When ISE isn’t able to sync with all configured NTP servers (either IPv4 or IPv6), ISE raises an alarm called NTP Sync Failure.
  • When NTP service on Cisco ISE does not work, Cisco ISE raises an alarm called NTP Service Failure.

The following ISE functionalities are supported over IPv6:

  • Setup: Configure NTP server with IPv4, IPv6 or FQDN.
  • CLI: Admin can manage primary/secondary/tertiary NTP servers via IPv4, IPv6 or FQDN.
  • NTP server configuration sync between CLI and UI.
  • NTP alarms are triggered if all NTP servers are not configured.
  • NTP alarms are triggered if service itself is affected.
  • NTP fallback mechanism from primary to secondary, and from secondary to tertiary NTP servers.
  • NTP authentication mechanism.

Domain Name System Support

You can configure a combination of IPv4 and IPv6 Domain Name System (DNS) servers. Failover between all combinations is also possible. For further details, see the Cisco Identity Services Engine CLI Reference Guide, Release 2.6.

The following ISE functionalities are supported over IPv6:

  • Setup: Allow IPv4 or IPv6-based DNS server during setup wizard.
  • CLI: Managing IPv4 or IPv6-based DNS servers.
  • Configuring a combination of IPv4 and IPv6-based DNS server.
  • Configure static hostnames with IPv6 addresses.
  • Failover between DNS servers.

External Repositories

You can now add an external repository with an IPv6 address on ISE. For further details, see the Cisco Identity Services Engine Administrator Guide, Release 2.6. Communication between an ISE node and an IPv6 external repository is only possible if the node has an IPv6 address configured on eth0.

Repositories configured with an FQDN communicate over IPv4 or IPv6 depending on:

  • Whether or not ISE is in dual stack.
  • Whether the external repository FQDN resolves to IPv4, IPv6, or both.

Audit Logs and Reports

You can now view logs of login/logout, password change, and operational changes by IPv6 users in the relevant audit reports generated.

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) servers can now be contacted via IPv6 addresses.

  • ISE supports NMS/SNMP servers.
  • Configuration is allowed only from the CLI.
  • Admin can configure IPv4 or IPv6-based SNMP servers.
  • Admin can also configure IPv4 or IPv6-based SNMP servers running SNMP v1/v2c/v3.
  • Admin can configure multiple SNMP servers.
  • Admin can send SNMP traps to SNMP servers over IPv4 or IPv6.
  • Admin can configure multiple SNMP servers (a mix of IPv4 and IPv6 SNMP servers is possible).
  • ISE can send traps or MIB information containing IPv6 details (for example, CDP IPv6 info) to IPv4 or IPv6 SNMP servers.

The following ISE functionalities are supported over IPv6:

  • CLI: Managing configuration of SNMP servers (IPv4 or IPv6) from CLI.
  • CLI: Configure SNMP server hosted on IPv4 or IPv6 with v1/v2c/v3 compatibility.
  • UI: Configure SNMP server from UI.
  • CLI: Support for SNMP queries (snmp-get, getmany, and getBulk) from IPv4 or IPv6 SNMP servers to an ISE node.
  • Traps can be sent to IPv4 or IPv6 SNMP servers.
  • Traps or MIB information containing IPv6 details can be sent to IPv4 or IPv6 SNMP servers.
  • Multiple SNMP servers are supported.

Access Control Lists

You can now define Access Control Lists (ACLs) and Airespace ACLs with IPv6 addresses.

Dynamic Access Control Lists

You can now define Dynamic Access Control Lists (DACLs) with IPv6 addresses.

Active Directory

You can now connect to IPv6 deployments of Active Directory from ISE.

External Restful Service Portal

You can now specify an IPv6 address or hostname to connect with External Restful Service (ERS).

Syslog Client or Logging Targets

You can connect to IPv6 syslog targets.

Posture

ISE can connect to RADIUS servers with an IPv6 address.

Allows you to migrate to an IPv6-based network for the above-mentioned ISE features.

REST Support for External Administrators

From Cisco ISE 2.6, External RESTful Services (ERS) users can be either internal users or members of an external Active Directory. The Active Directory group to which the external user belongs should be mapped to either the ERS Admin or ERS Operator group. With this enhancement, administrators no longer need to create an internal user counterpart for external users that need access to ERS services, making this feature easier to use. Simplified process of enabling external administrators to access RESTful services.

Japanese Version of the Administrator Portal

The Administration console currently supports two languages, Japanese and English. You can select either Japanese or English view under Account Settings. Suitable for Japanese administrators to configure and use Cisco ISE.

TrustSec Deployment Verification Report

You can use this report to verify whether the latest TrustSec policies are deployed on all network devices or if there are any discrepancies between the policies configured on Cisco ISE and the network devices. Can easily verify whether the latest TrustSec policies are deployed on the network devices or if there are any discrepancies.

CLI Access by External Identity Store

ISE supports authentication of CLI Administrators by external identity sources, such as Active Directory. Manage a single source for passwords without the need to manage multiple password policies and administer internal users within ISE, thereby reducing time and effort.

Support for MUD

Manufacturer Usage Descriptor (MUD) is an architecture for IoT devices. MUD is tracked by IETF, and the spec is available here: https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/.

For release 1.0, ISE supports identification of IoT devices, and automatic creation of profiling policies and Endpoint Identity Groups. ISE gets IoT attributes as a MUD-URL in DHCP and LLDP packets, which are delivered by Cisco network devices.

ISE performs unsigned classification of IoT devices, which is accessed through profiler policies. ISE does not store the MUD attributes; they are used only in the current session. In the Endpoints display under Context and Visibility, you can filter IoT devices by the Endpoint profile name.

The number of IoT devices that are connected to enterprise networks is increasing, and, until now, ISE could not classify those devices. With ISE 2.6, ISE can classify and display the IoT devices that are connected to your network, with an automated process.
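How a MUD-URL reaches a classifier, as an added example that is not Cisco ISE code: a Python parser that pulls the URL out of the DHCPv4 option and the LLDP TLV defined in RFC 8520 (the published form of the draft linked above) and applies the checks a defender would want before fetching it (https only, a real host, no embedded credentials). The option and TLV numbers come from the RFC; the sample frames and the mud.example.com URL are constructed.

```python
"""Extract and validate a MUD URL from DHCPv4 options and LLDP TLVs (RFC 8520:
DHCPv4 option 161; LLDP org-specific TLV type 127, IANA OUI 00-00-5E, subtype 1)."""
import struct
from urllib.parse import urlparse

DHCP_MAGIC, IANA_OUI = b"\x63\x82\x53\x63", b"\x00\x00\x5e"   # option-area cookie; IANA OUI
OPT_MUD_URL_V4, OPT_END, LLDP_ORG_TLV, MUD_LLDP_SUBTYPE = 161, 255, 127, 1

def parse_dhcpv4_options(payload: bytes) -> dict:   # {code: value} after the cookie
    opts, start = {}, payload.find(DHCP_MAGIC)
    i = start + 4 if start >= 0 else len(payload)   # no cookie: nothing to parse
    while i + 1 < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                               # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def mud_url_from_dhcpv4(payload: bytes):
    raw = parse_dhcpv4_options(payload).get(OPT_MUD_URL_V4)
    return raw.decode("utf-8", "replace") if raw is not None else None

def mud_url_from_lldp(frame: bytes):                 # 2-byte TLV header: 7-bit type, 9-bit length
    i = 0
    while i + 2 <= len(frame):
        t, ln = divmod(struct.unpack("!H", frame[i:i + 2])[0], 512)
        val = frame[i + 2:i + 2 + ln]
        if t == 0:                                  # End of LLDPDU
            break
        if t == LLDP_ORG_TLV and val[:3] == IANA_OUI and val[3:4] == bytes([MUD_LLDP_SUBTYPE]):
            return val[4:].decode("utf-8", "replace")
        i += 2 + ln
    return None

def mud_url_is_acceptable(url) -> bool:
    """RFC 8520 mandates https; also reject a missing host or embedded credentials."""
    p = urlparse(url or "")
    return p.scheme == "https" and bool(p.hostname) and "@" not in p.netloc

# Constructed samples: a DHCP option area and an LLDP frame carrying the same URL.
SAMPLE_URL = b"https://mud.example.com/sensor-v1.json"
SAMPLE_DHCP = bytes(236) + DHCP_MAGIC + bytes([53, 1, 1, OPT_MUD_URL_V4, len(SAMPLE_URL)]) + SAMPLE_URL + bytes([OPT_END])
_ORG = IANA_OUI + bytes([MUD_LLDP_SUBTYPE]) + SAMPLE_URL
SAMPLE_LLDP = struct.pack("!H", (LLDP_ORG_TLV << 9) | len(_ORG)) + _ORG + b"\x00\x00"
```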

Syslog over ISE Messaging

Cisco ISE 2.6 offers MnT WAN survivability for UDP syslog collection. System logs are recorded using ISE Messaging Services. Remote Logging Targets use TCP port 8671 and Secure Advanced Message Queuing Protocol (AMQPs) to send syslog to MnT.

By default, the ISE Messaging Service option is disabled.

Operational data will be retained for a finite duration even when MnT node is unreachable.

PSN Light Session Directory

The Light Session Directory can be used to store user session information and replicate it across the Policy Service Nodes (PSNs) in a deployment, thereby eliminating the need to be totally dependent on Primary Administration Node (PAN) or Monitoring and Troubleshooting (MnT) nodes for user session details. The Light Session Directory stores only the session attributes required for Change of Authorization (CoA). To enable the Light Session Directory feature, choose Administration > Settings > Light Session Directory and select the Enable Light Session Directory check box. Improved performance and scalability.

Plus Licensing Features

Apex Licensing Features

Identify Managed Devices with Dynamic MAC Addresses

AnyConnect 4.7 now provides a Unique Device ID (UDID) to identify a connected user. The UDID value can be mapped with information from Mobile Device Management (MDM) providers to help identify users who have the same MAC address. MAC address sharing is common in open offices, where more than one person shares a dock or USB dongle.

You can develop a solution that uses the UDID to uniquely identify a user, when device connections are shared.

Flexible Remediation Notification

Go to Policy > Posture > Delay Notification to delay the grace period prompt from being displayed to the user until a specific percentage of the grace period has elapsed. For example, if the Delay Notification field is set to 50 percent and the configured grace period is 10 minutes, Cisco ISE checks the posture status after 5 minutes and displays the grace period notification if the endpoint is found to be noncompliant. The grace period notification is not displayed if the endpoint status is compliant. If the notification delay period is set to 0 percent, the user is prompted immediately at the beginning of the grace period to remediate the problem. However, the endpoint is granted access until the grace period expires. Flexible start of grace period remediation prompts for endpoints. Prevents unnecessary remediation prompts for endpoints waiting for JAMF or Microsoft System Center Configuration Manager (SCCM) updates.

Generic or Custom Messaging through Cisco AnyConnect

More informative messages can now be displayed by Cisco AnyConnect, when it is used for ISE Posture. End users can now see messages about posture status and errors. You can also modify the content that is displayed in AnyConnect posture profiles. Note that this requires Cisco AnyConnect Version 4.7. Better communication with the end user.

Upgrades

You can directly upgrade to Release 2.6 from the following Cisco ISE releases:

  • 2.1
  • 2.2
  • 2.3
  • 2.4

If you are on a version earlier than Cisco ISE, Release 2.1, you must first upgrade to one of the releases listed above and then upgrade to Release 2.6.

It is recommended that you upgrade to the latest patch in the existing version before starting the upgrade.

Documents

Videos

See our CiscoISE YouTube Channel for our latest videos!

Resources

For Cisco Partners and Sales Engineers

Comments
VIP Engager

Is Table 1 correct on this page? It doesn't look right.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide_26/b_ise_InstallationGuide_26_chapter_00.html

and a 2-node standalone deployment scales to 2 million.

Hybrid scale with 7 nodes up to 2 million.
Dedicated deployment, 500k.

The SNS datasheet indicates 50k on standalone 3695, or 100k per PSN in dedicated.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-726524.pdf

Cisco Employee
Thank you, Damien! That definitely looks like a document error! I'll submit that to the doc team for correction.