03-29-2018 01:51 PM - edited 12-17-2018 10:23 AM
Existing customers may download Cisco Identity Services Engine (ISE) 2.4, which was released on March 29, 2018.
For 90-day evaluations of ISE, please see How to Get ISE Evaluation Software & Licenses.
From the New Features section of the ISE 2.4 Release Notes:
| Feature | Description | Business Outcome |
|---|---|---|
| Base Licensing Features | | |
| Active Directory Domain Controller Failover Mechanism | The Domain Controller (DC) failover mechanism is managed based on the DC priority list, which determines the order in which the DCs are selected in case of failover. If a DC is offline or not reachable due to some error, its priority is decreased in the priority list. When the DC comes back online, its priority is adjusted accordingly (increased) in the priority list. | Results in higher serviceability as a Network Access Control solution and increases reliability of the Cisco ISE connection to Active Directory deployments. |
| Kerberos Authentication for the Sponsor Portal | Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE. | You can use Kerberos to authenticate a sponsor for access to the sponsor portal. |
| Some Dashlets Removed to Resolve Performance Issues | The following dashlets have been decommissioned to prevent performance issues when displaying large datasets: | A large number of endpoints caused performance problems with some dashlets. |
| IPv6 Support Expanded | IPv6 addresses are now supported for RADIUS configurations. The IP Address field in the Administration > Network Resources > Network Devices page and the Host IP field in the Administration > Network Resources > External RADIUS Server page now support both IPv4 and IPv6 addresses for RADIUS configurations. | Additional support for IPv6 addressing: |
| Large Virtual Machine for Monitoring Persona | Cisco ISE introduces a large VM for Monitoring nodes. Starting from Release 2.4, the large VM is required for any deployment that handles more than 500,000 sessions. Note: This form factor is available only as a VM in Release 2.4 and above, and requires a large VM license. | Deploying the Monitoring persona on a large VM offers the following advantages: |
| TrustSec Enhancements | You can select the ISE node from which the configuration changes must be sent to the network device while adding the network device (under the Advanced TrustSec Settings section). You can select the PAN or PSN node. If the PSN node that you selected is down, the configuration changes are sent to this device using the PAN. While deploying the IP SGT static mappings, you can select the devices or the device groups to which the selected mappings must be deployed. You can select all the devices if required. You can use the filter option to search for the devices that you want. If you do not select any device, the selected mappings are deployed on all TrustSec devices. You can use the Check Status option to check if different SGTs are assigned to the same IP address for a specific device. You can use this option to find the devices that have conflicting mappings, the IP addresses that are mapped to multiple SGTs, and the SGTs that are assigned to the same IP address. This option can be used even if device groups, FQDNs, hostnames, or IPv6 addresses are used in the deployment. You must remove the conflicting mappings or modify the scope of deployment before deploying these mappings. The Verify TrustSec Deployment option in the General TrustSec Settings page helps you verify whether the latest TrustSec policies are deployed on all the network devices. Alarms are displayed in the Alarms dashlet (under Work Centers > TrustSec > Dashboard) if there are any discrepancies between the policies configured on Cisco ISE and the network device. The following alarms are displayed in the TrustSec dashboard: The Verify Deployment option is also available on the following pages: Check the Automatic Verification After Every Deploy check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process is started after the time that you specify in the Time after Deploy Process field. The current verification process is cancelled if a new deployment request is received during the waiting period or while the verification is in progress. Click Verify Now to start the verification process immediately. IPv6 addresses can be used in IP SGT static mappings. These mappings can be propagated using SSH or SXP to specific network devices or network device groups. If FQDNs and hostnames are used, Cisco ISE looks for the corresponding IP addresses in the PAN and PSN nodes while deploying the mappings and checking the deployment status. You can use the IP SGT Static Mapping of Hostnames option in the General TrustSec Settings window to specify the number of mappings created for the IP addresses returned by the DNS query. You can select one of the following options: | Enhanced IP SGT workflow: |
| Support for Two Shared Secrets Per IP for RADIUS NAD Clients | You can specify two shared secrets (keys) to be used by the network device and Cisco ISE. You can configure the shared secrets in the RADIUS authentication settings section for a NAD in the Administration > Network Resources > Network Devices page in Cisco ISE. | Replace shared secrets on network devices: you can now replace shared secrets on network devices independently of Cisco ISE. Changing a RADIUS secret is now simplified and allows you to enter a new shared secret. |
| Support for Sending Separate SNMP CoA Packets | You can check the Send SNMP COA Separate Request check box in the Administration > Network Resources > Network Device Profiles > Change of Authorization (CoA) page to send the SNMP CoA packets to the NAD as two packets. | Increased compatibility with devices: provides support for older Cisco and third-party NADs that mandate the sending of SNMP CoA packets as two packets (for the shutdown and no shutdown interface configuration commands). |
| Plus Licensing Features | | |
| Profiler Enhancements | | Effective classification of devices: |
| Cisco ISE Can Pull IoT Device Context and Session Data from Cisco IND | Cisco ISE can profile and display the status of devices attached to a Cisco Industrial Network Director (IND). Cisco Platform Exchange Grid (pxGrid) is used to communicate the endpoint (Internet of Things [IoT]) data between Cisco ISE and Cisco IND. pxGrid is used to receive the context from Cisco IND and to query Cisco IND to update the endpoint type. | Effective network monitoring and full visibility and control of industrial networks offer: |
| Control Permissions for pxGrid Clients | You can create pxGrid authorization rules for controlling the permissions for the pxGrid clients (under Administration > pxGrid Services > Permissions). Use these rules to control the services that are provided to the clients. You can create different types of groups and map the services provided to clients to these groups. Use the Manage Groups option in the Permissions window to add new groups. You can view the predefined authorization rules that use predefined groups (such as EPS, ANC) on the Permissions window. You can update only the Operations field in the predefined rules. | Better pxGrid backward compatibility: |
| Apex Licensing Features | | |
| Posture Enhancements | | Improved security alerts and enforcement: |
| Endpoint API Enhancements for Mobile Device Management (MDM) Attributes | MDM attributes are made available through the endpoints API to enable additional synchronization capability between Cisco ISE and a third-party MDM server. | Helps customers better integrate third-party systems with ISE and provides a better user experience for end users whose mobile devices are managed by an MDM server. |
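The two-shared-secrets row only says that a NAD can have two keys configured. As an added example (not Cisco's code, and assuming the server validates the RADIUS Message-Authenticator attribute, which the page does not state), this shows how a RADIUS server can accept a request under either the new or the old secret during rotation, so a NAD can be re-keyed without a window in which its requests are rejected; the packet builder and secrets are constructed for the demonstration.

```python
"""Validate a RADIUS request against two candidate NAD shared secrets (secret rotation)."""
import hashlib
import hmac
import struct
from typing import List, Optional

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 3579: HMAC-MD5 over the packet, keyed with the shared secret

def build_access_request(ident: int, authenticator: bytes, user: bytes, secret: bytes) -> bytes:
    """Constructed Access-Request carrying User-Name and a valid Message-Authenticator."""
    attrs = struct.pack("!BB", USER_NAME, 2 + len(user)) + user
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed while hashing
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute, so its value is the tail

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """True only if the Message-Authenticator attribute validates under `secret`."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False  # truncated packet or inconsistent Length field
    off = 20
    while off + 2 <= len(pkt):
        typ, ln = pkt[off], pkt[off + 1]
        if ln < 2 or off + ln > len(pkt):
            return False  # malformed attribute
        if typ == MESSAGE_AUTHENTICATOR and ln == 18:
            zeroed = pkt[: off + 2] + bytes(16) + pkt[off + 18 :]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2 : off + 18])
        off += ln
    return False  # no Message-Authenticator present: treat as not validated

def matching_secret(pkt: bytes, secrets: List[bytes]) -> Optional[int]:
    """Index of the first secret (list the new one first) that validates the packet, or None.
    Recording which index matched tells you when no NAD still uses the old secret."""
    for i, s in enumerate(secrets):
        if verify_message_authenticator(pkt, s):
            return i
    return None
```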
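The TrustSec row describes a Check Status option that finds IP addresses mapped to more than one SGT on a device, even when the mappings use device groups, hostnames or IPv6. As an added example (not Cisco's code), this reproduces that pre-deployment check over a constructed inventory, DNS table and mapping set; the `max_per_host` parameter is an assumption standing in for the page's option that limits how many DNS answers receive mappings.

```python
"""Pre-deployment check for IP-SGT static mappings: report addresses that would
carry more than one SGT on the same device, after expanding groups and hostnames."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Constructed inventory: TrustSec device -> device groups it belongs to
DEVICES = {
    "sw-access-1": {"Access", "Campus"},
    "sw-access-2": {"Access", "Campus"},
    "rtr-edge-1": {"Edge"},
}
# Constructed stand-in for DNS: hostname -> addresses the query returns (A and AAAA)
DNS = {
    "printer.corp.example": ["10.1.2.50", "2001:db8:1::50"],
    "db01.corp.example": ["10.1.9.10"],
}
# Constructed mappings: (IP or hostname, SGT, scope of device names/groups);
# an empty scope means every TrustSec device.
MAPPINGS = [
    ("10.1.2.50", "Printers", {"Access"}),
    ("printer.corp.example", "IoT", {"Campus"}),      # also resolves to 10.1.2.50
    ("2001:DB8:1::50", "Printers", {"sw-access-2"}),  # same IPv6 host, other spelling
    ("db01.corp.example", "DB_Servers", set()),
]

def expand_scope(scope: Set[str], devices: Dict[str, Set[str]]) -> Set[str]:
    """Devices the mapping is pushed to: named devices plus members of named groups."""
    if not scope:
        return set(devices)
    return {d for d, groups in devices.items() if d in scope or groups & scope}

def resolve(target: str, dns: Dict[str, List[str]], max_per_host: int) -> List[str]:
    """Canonical address strings for a literal IP or for a hostname's DNS answers;
    max_per_host models the option limiting how many answers get mappings."""
    try:
        return [str(ipaddress.ip_address(target))]  # normalises case and ::-compression
    except ValueError:
        return [str(ipaddress.ip_address(a)) for a in dns.get(target, [])[:max_per_host]]

def find_conflicts(mappings, devices, dns, max_per_host=1) -> Dict[str, Dict[str, List[str]]]:
    """device -> {address: sorted SGTs} for each address given more than one SGT."""
    seen = defaultdict(lambda: defaultdict(set))  # device -> address -> SGTs
    for target, sgt, scope in mappings:
        for dev in expand_scope(scope, devices):
            for addr in resolve(target, dns, max_per_host):
                seen[dev][addr].add(sgt)
    return {dev: {a: sorted(s) for a, s in addrs.items() if len(s) > 1}
            for dev, addrs in seen.items() if any(len(s) > 1 for s in addrs.values())}
```

Raising `max_per_host` to 2 lets the AAAA answer for the printer receive a mapping too, which collides with the literal IPv6 mapping on sw-access-2 only.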
See our CiscoISE YouTube Channel for our latest videos!