Base Licensing Features

Active Directory Domain Controller Failover Mechanism

The Domain Controller (DC) failover mechanism is managed based on the DC priority list, which determines the order in which the DCs are selected in case of failover. If a DC is offline or not reachable due to some error, its priority is decreased in the priority list. When the DC comes back online, its priority is adjusted accordingly (increased) in the priority list.

Results in higher serviceability as a Network Access Control solution and increases reliability of the Cisco ISE connection to Active Directory deployments.

Kerberos Authentication for the Sponsor Portal

Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.
Note: Kerberos authentication is NOT supported for the Guest portal.

You can use Kerberos to authenticate a sponsor for access to the sponsor portal.

Some Dashlets Removed to Resolve Performance Issues

The following dashlets have been decommissioned to prevent performance issues when displaying large datasets:

• Context Visibility > Endpoint > Compliance: Status Trend
• Home > Endpoints > Endpoint

IPv6 Support Expanded

IPv6 addresses are now supported for RADIUS configurations. The IP Address field in the Administration > Network Resources > Network Devices page and the Host IP field in the Administration > Network Resources > External RADIUS Server page now support both IPv4 and IPv6 addresses for RADIUS configurations.

• Allows you to migrate your network to IPv6-based networks. You can migrate to IPv6 addressing if you have fragmented networks or have exhausted IPv4 addresses.
• Facilitates more efficient routing, packet processing, security, and simplified network configuration.

Large Virtual Machine for Monitoring Persona

Cisco ISE introduces a large VM for Monitoring nodes. Starting from Release 2.4, the large VM is required for any deployment that handles greater than 500,000 sessions.

Note: This form factor is available only as a VM in Release 2.4 and above, and requires a large VM license.

• Supports greater than 500,000 sessions and is scalable
• Improved performance in terms of faster response to live log queries and report completion

TrustSec Enhancements

While deploying the IP SGT static mappings, you can select the devices or the device groups to which the selected mappings must be deployed. You can select all the devices if required. You can use the filter option to search for the devices that you want. If you do not select any device, the selected mappings are deployed on all TrustSec devices.

You can use the Check Status option to check if different SGTs are assigned to the same IP address for a specific device. You can use this option to find the devices that have conflicting mappings, IP address that is mapped to multiple SGTs, and the SGTs that are assigned to the same IP address. This option can be used even if device groups, FQDN, hostname, or IPv6 addresses are used in the deployment. You must remove the conflicting mappings or modify the scope of deployment before deploying these mappings.

Verify TrustSec deployment option in the General TrustSec Settings page helps you to verify whether the latest TrustSec policies are deployed on all the network devices. Alarms are displayed in the Alarms dashlet (under Work Centers > TrustSec > Dashboard), if there are any discrepancies between the policies configured on Cisco ISE and the network device. The following alarms are displayed in the TrustSec dashboard:

• An alarm with an Info icon is displayed whenever the verification process is started or completed.
• An alarm with an Info icon is displayed if the verification process is cancelled due to a new deployment request.
• If the verification process resulted in an error (for instance, failed to open SSH connection with the network device, or the network device is unavailable), or if there is any discrepancy between the policies configured on Cisco ISE and the network device, an alarm with a Warning icon is displayed for each of these network devices.

The Verify Deployment option is also available on the following pages:

• Work Centers > TrustSec > Components > Security Groups
• Work Centers > TrustSec > Components > Security Group ACLs
• Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix
• Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree
• Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree

Check the Automatic Verification After Every Deploy check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process is started after the time that you specify in the Time after Deploy Process field. The current verification process is cancelled if a new deployment request is received during the waiting period or when the verification is in progress. Click Verify Now to start the verification process immediately.

IPv6 addresses can be used in IP SGT static mappings. These mappings can be propagated using SSH or SXP to specific network devices or network device groups.

• Create mappings for all IP addresses returned by DNS query
• Create mappings only for the first IPv4 address and the first IPv6 address returned by DNS query

• Improves network device misconfiguration error handling and operational efficiency through Check Status option.
• Verifies TrustSec configuration on Network Devices.
• Selectively deploy the IP SGT static mappings.
• Create IP static mappings with IPv6 addresses.
• Create mappings for first or all known IP addresses based on DNS FQDN query.

Support for Two Shared Secrets Per IP for RADIUS NAD Clients

You can now replace shared secrets on network devices independently without Cisco ISE. Changing a RADIUS secret is now simplified and allows you to enter a new shared secret.

Support for Sending Separate SNMP CoA Packets

You can check the Send SNMP COA Separate Request check box in the Administration > Network Resources > Network Device Profiles > Change of Authorization (CoA) page to send the SNMP CoA packets to the NAD as two packets.

Provides support for older Cisco and third party NADs that mandate the sending of SNMP CoA packets as two packets (for the shutdown and no shutdown interface configuration commands).

Plus Licensing Features

Profiler Enhancements

• Added 512 new profile policies from vendors, including ADtranz, AudioCode, Barracuda, BlackBerry, Brother, Hewlett Packard, Lexmark, NetApp, Samsung, and Xerox.
• Added additional conditions to 189 profile policies to support additional probes. For example, DHCP conditions are added to Xerox devices such that customers who do not want to profile Xerox devices based on SNMP, can profile Xerox devices using DHCP.
• Reorganized profiles into families for better identification of new devices. For example, HP-LaserJet-4350 was previously profiled directly under HP-Device. It is now profiled under HP-LaserJet, which in turn is profiled under HP-Device. When Hewlett Packard introduces a new Hewlett Packard LaserJet printer model, Cisco ISE will classify the new model as HP-LaserJet, and not as HP-Device until a new profile policy for that exact LaserJet printer model is added.

• Helps you gain visibility of previously unknown devices, such as Xerox printers or Vista link printers with improved profiler efficacy.

Cisco ISE Can Pull IoT Device Context and Session Data from Cisco IND

• Full visibility and control of automation endpoints, such as controllers, IO devices, and human machine interfaces (HMIs).
• Lowered asset management cost and improved operator productivity with Cisco IND and Cisco ISE integration.

Control Permissions for pxGrid Clients

Use these rules to control the services that are provided to the clients. You can create different types of groups and map the services provided to clients to these groups. Use the Manage Groups option in the Permissions window to add new groups.

You can view the predefined authorization rules that use predefined groups (such as EPS, ANC) on the Permissions window. You can update only the Operations field in the predefined rules.

• Significantly shortens the integration time with Cisco ISE to collect context information and initiate Adaptive Network Control (ANC) actions through Cisco ISE.
• Helps control the services that are provided to the clients.

Apex Licensing Features

Posture Enhancements

• Grace Period for Noncompliant Devices — Cisco ISE provides an option to configure grace time for devices that become noncompliant.
  

  Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace time for the device, during which the device is granted access to the network. You can configure the grace time period in minutes, hours, or days (up to a maximum of 30 days).

  The Posture Assessment by Endpoint report is updated and displays a Grace Compliant status for an endpoint that is currently not compliant, but is under the grace period.

• Posture Rescan —AnyConnect users now have the option to manually restart posture at any point of time.
• AnyConnect Stealth Mode Notifications —Several new failure notifications are added for AnyConnect stealth mode deployment to help users identify issues with their VPN connection.
• Disabling UAC Prompt on Windows —You can choose to disable the User Access Control (UAC) prompts on Windows endpoints from the AnyConnect posture profile.
  Note: By default, this value is set to No while configuring the Anyconnect Profile. When you change it to Yes, the UAC prompts are disabled and the Windows users no longer receive these prompts. If you want to enable the UAC prompt again, you should change this setting to No in the Anyconnect Profile. This setting takes effect only when the Windows endpoint is restarted.
• New URL for Downloading Client Provisioning and Posture Updates—The client provisioning and posture feed URL has changed. The new URL for Posture Updates is https://www.cisco.com/web/secure/spa/posture-update.xml and for Client Provisioning is https://www.cisco.com/web/secure/spa/provisioning-update.xml
• File Condition Enhancements —A new operator, within, is introduced under File Condition to check for the changes in a file within a certain period of time.
• Certificate Attributes in Client Provisioning and Posture Policies —Certificate attributes are now available in the client provisioning and posture policy pages.

• Provides admin users with more flexible options for educating end users about posture condition failures including grace-period-specific messaging scenarios.
• Helps effective management of some posture checks and remediations that require additional privileges and prompts the user for such privileges.

Endpoint API Enhancements for Mobile Device Management (MDM) Attributes

MDM attributes are made available through the endpoints API to enable additional synchronization capability between Cisco ISE and a third-party MDM server.

Helps customers to better integrate third party systems with ISE and provide better user experience for end users using mobile devices that are managed by an MDM server.