cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
23912
Views
256
Helpful
178
Comments
vnagarmu
Cisco Employee
Cisco Employee

vnagarmu_0-1664453802837.png

 

Cisco Identity Services Engine v3.x offers major usability benefits across many of its use cases. With better speed and agility, you are able to achieve security resilience with a fully mature zero trust solution while gaining pervasive visibility and dynamic control. 

I am Viraj Nagarmunoli, Solutions Architect with Customer Success and together with Security Customer Success Specialist @Yash Kejariwal, I put together the table below summarising some of the key features of ISE 3.x

Feel free to ask us any questions about Cisco ISE upgrades using the vnagarmu_0-1663924340405.pngbutton below the post. 

Start planning your upgrade here.

If you want to stay up to date with our Software Compliance and key feature articles make sure to subscribe to the label 'Software Upgrades'

 

Capability Feature ISE 2.x ISE 3.x
Cloud Support

Cloud native ISE

Previously, ISE could only be deployed on a physical or a virtual appliance.

Now, you can deploy ISE on public cloud infrastructure including AWS, Azure and Oracle cloud as a native cloud solution. This can help you reduce operational expenses and gives you the ability to scale your deployment on-demand while automating routine tasks.

Policies for Azure AD

Previously ISE supported Azure AD identity provider using SAML and Oauth authentication protocols but there was limited support for dot1x

Now, Cisco ISE 3.x supports EAP-TLS and TEAP authentication with Azure AD.  This means that you can now create policies using group and attribute information when performing dot1x authentication which allows for differentiated and secure access.

Automation and APIs

Open API for system and policy management

Previously, API only exposed basic ISE infrastructure and session related content

With Open API support, ISE 3.x brings you a lot more automation capabilities such as policy and system management (like backups) while still supporting the other types of APIs 

Zero Touch Provisioning

The traditional way of deploying ISE had several touch points and was a manual process. It took several hours setting up a large deployment

Now, the new Zero Touch Provisioning (ZTP) allows you to create a configuration file in which the ISE node can be configured (IP, hostname, DNS, etc.) Likewise, it can automatically install any hot fixes or patches immediately after it is set up. 

Posture and Compliance

Posture on Linux

Previously, ISE Posturing could be performed on Windows and OS X machines.

ISE Posture can now be performed for Linux devices too, along with Windows and OS X. That way, all endpoints on the network can be kept compliant and, if found non-compliant, they can be quarantined and remediated.

Agentless Posture

Previously you had to have an application installed on the endpoint to perform posture checks

By popular request, ISE can now be configured to assess the posture of an endpoint without having to roll out client applications across your entire install base. For you this means you gain all the visibility necessary without the need of an additional application. 

 

Promotion Alert: ISE 3.x offers a streamlined licensing scheme in line with Cisco DNA licensing tiers. Take advantage of the one year free licenses on Cisco limited-time promotion by upgrading your ISE deployment and licenses to version 3.x! 

Ask the Experts Recording: Please watch this VoD as our experts walk you through the steps to prepare, perform, and validate a successful ISE upgrade without headaches. Best practices, strategies to minimise downtime and different methods of upgrades for different types of ISE deployments are covered.

Ask the Experts Live: If you would like to ask the questions to one of our ISE experts live in during webinar, please register to one of the Upgrade Planning and Best Practices: Upgrading ISE Ask the Experts sessions.

Comments
lauvtoronto
Level 1
Level 1

Nice table of features, puts all of the information in a clear format for reference.  Thanks for this great resource.

ChandanVedavyas
Level 1
Level 1

Great Information. Thanks for sharing.

KalebKaleb7906
Level 1
Level 1

great information

ViralPatel7456
Level 1
Level 1

Thanks for sharing information.  its really very useful for me.

ccie29824
Level 1
Level 1

Thanks for sharing

Anil Patil
Level 8
Level 8

Thank you for sharing this info.

arpanp
Level 1
Level 1

Thanks for sharing information

Mariley Reinoso Olivera
Cisco Employee
Cisco Employee

Felipe Patino por favor vea esta pagina con mas informacion del producto: https://www.cisco.com/c/es_mx/products/security/identity-services-engine/index.html

Y esta en espanol  

 

 

 

Tommo80
Level 1
Level 1

Thanks for the info. Very useful.

Is the ISE One Year Free promotion still running? The link appears to be broken

Yash Kejariwal
Cisco Employee
Cisco Employee

@Tommo80 Thanks for the feedback. Yes ISE One year promotion is still running and valid until October 31,2023. Also, the link seems to be working for me. could you check again please?

Yash Kejariwal
Cisco Employee
Cisco Employee

@bearman97 First of all, thanks for your detailed and candid feedback, I really appreciate it. I'll definitely pass this feedback on to the dev team and keep you apprised. Our team is consistently working to make the new API set much more robust and you'll see continuous improvements in functionality and stability. 

Having said that, I have a few follow-up questions for you -:

1. "There are a number of configuration items that are not exposed via API". Could you please let me know what features you're looking for or would be of particular interest to you? Your response would help us prioritize new features that could be exposed via API in the future. 

2. You mentioned that the new service packs broke some functionality based on the patch level. could you please elaborate on which patch version you see the issue on?

Once again, thanks for your feedback.

Yash Kejariwal
Cisco Employee
Cisco Employee

@Dariusz Gora Thanks for your question. While there is no preference given to either method, it totally depends upon your requirement and environment. I would suggest deploying a new instance of ISE on the cloud and validating the use cases you have and then pushing it to production. You can also leverage our professional services team to assist you in this. 

This guide might come in handy for deploying ISE on cloud -: https://www.cisco.com/c/en/us/td/docs/security/ise/ISE_on_Cloud/b_ISEonCloud/m_ISEonCloudOverview.html

Yash Kejariwal
Cisco Employee
Cisco Employee

@fitzie I'm sorry to hear that you're running into trouble with the ISE messaging service. All the issues you mentioned do seem to be interrelated. Did you try working with Cisco TAC on these issues? I'm confident that they'll help you with these.

As a preliminary check -:

1. Check if the system and trusted certificates in ISE under Administration --> Certificates are valid. 

2. From the ISE PAN CLI, issue the command - "show application status ise", please verify if the ISE indexing engine is running or not. 

Also, share the result of the above two steps with cisco TAC to expedite the solution. 

Thanks.

 

Yash Kejariwal
Cisco Employee
Cisco Employee
@dkelcher There are some known limitations depending on which cloud infrastructure you deploy ISE on. Here is the document where you'll find all relevant information -: https://www.cisco.com/c/en/us/td/docs/security/ise/ISE_on_Cloud/b_ISEonCloud/m_ISEonCloudOverview.html
 

Thanks 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: