Repositories configured with an FQDN will communicate over IPv4 or IPv6 based on:
Whether or not ISE is in dual stack.
Whether FQDN external repository is getting resolved to IPv4 or IPv6 or both.
Audit Logs and Reports
You can now view logs of login/logout, password change, and operational changes by IPv6 users in the relevant audit reports generated.
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) servers can now be contacted via IPv6 addresses.
ISE supports NMS/SNMP server.
Configuration is allowed only from CLI.
Admin can configure IPv4 or IPv6-based SNMP server.
Admin can also configure IPv4 or IPv6 based SNMP server hosted with v1/v2c/v3.
Admin can configure multiple SNMP servers.
Admin can send SNMP traps to SNMP server over IPv4 or IPv6.
Admin can configure multiple SNMP servers (a mix of IPv4 and IPv6 SNMP servers is possible).
ISE can send traps or MIB information containing IPv6 details (for example, CDP IPv6 info) to IPv4 or IPv6 SNMP servers.
The following ISE functionalities are supported over IPv6:
CLI: Managing configuration of SNMP servers (IPv4 or IPv6) from CLI.
CLI: Configure SNMP server hosted on IPv4 or IPv6 with v1/v2c/v3 compatibility.
UI: Configure SNMP server from UI.
CLI: Support for SNMP queries snmp-get, getmany, and getBulk from IPv4 or IPv6 SNMP servers to an ISE node.
Traps can be sent to IPv4 or IPv6 SNMP servers.
Traps or MIB information containing IPv6 details can be sent to IPv4 or IPv6 SNMP servers.
Multiple SNMP servers support.
Access Control Lists
You can now define Access Control Lists (ACLs) and Airespace ACLs with IPv6 addresses.
Dynamic Access Control Lists
You can now define Dynamic Access Control Lists (DACLs) with IPv6 addresses.
You can now connect to IPv6 deployments of Active Directory from ISE.
External Restful Service Portal
You can now specify an IPv6 address or hostname to connect with External Restful Service (ERS).
Syslog Client or Logging Targets
You can connect to IPv6 syslog targets.
ISE can connect to RADIUS servers with an IPv6 address.
Allows you to migrate to an IPv6-based network for the above-mentioned ISE features.
REST Support for External Administrators
From Cisco ISE 2.6, External RESTful Services (ERS) users can be either internal users or belong to an external Active Directory. The Active Directory group to which the external user belongs should be mapped to either the ERS Admin or the ERS Operator group. With this enhancement, administrators no longer need to create an internal user counterpart for external users that need access to ERS services, making this feature easier to use.
Simplified process of enabling external administrators to access RESTful services.
Japanese Version of the Administrator Portal
The Administration console currently supports two languages, Japanese and English. You can select either Japanese or English view under Account Settings.
Suitable for Japanese administrators to configure and use Cisco ISE.
TrustSec Deployment Verification Report
You can use this report to verify whether the latest TrustSec policies are deployed on all network devices or if there are any discrepancies between the policies configured on Cisco ISE and the network devices.
Can easily verify whether the latest TrustSec policies are deployed on the network devices or if there are any discrepancies.
CLI Access by External Identity Store
ISE supports authentication of CLI Administrators by external identity sources, such as Active Directory.
Manage a single source for passwords without the need to manage multiple password policies and administer internal users within ISE, thereby reducing time and effort.
For release 1.0, ISE supports identification of IoT devices, and automatic creation of profiling policies and Endpoint Identity Groups. ISE gets IoT attributes as a MUD-URL in DHCP and LLDP packets, which are delivered by Cisco network devices.
ISE performs unsigned classification of IoT devices, and the classification is accessed through profiler policies. ISE does not store the MUD attributes; they are used only in the current session. In the Endpoints display under Context and Visibility, you can filter IoT devices by the Endpoint profile name.
The number of IoT devices that are connected to enterprise networks is increasing, and, until now, ISE could not classify those devices. With ISE 2.6, ISE can classify and display the IoT devices that are connected to your network, with an automated process.
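As an added illustration (not Cisco code and not part of these release notes), the following Python example shows how a MUD-URL can be extracted from the options field of a DHCPv4 packet and sanity-checked before it is used for classification. It assumes the DHCPv4 MUD URL option code 161 and the https-only rule from RFC 8520; the helper names and the sample option bytes are constructed for the example.

```python
from urllib.parse import urlsplit

OPTION_MUD_URL_V4 = 161  # DHCPv4 MUD URL option code (RFC 8520)
PAD, END = 0, 255        # single-byte options with no length field

def iter_dhcp_options(options: bytes):
    """Yield (code, value) pairs from a DHCPv4 options field (after the magic cookie)."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == END:
            return
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns the buffer")
        yield code, value
        i += 2 + length

def extract_mud_url(options: bytes):
    """Return the MUD URL from option 161 if it is well formed, else None."""
    for code, value in iter_dhcp_options(options):
        if code != OPTION_MUD_URL_V4:
            continue
        try:
            url = value.decode("ascii")
            parts = urlsplit(url)
        except ValueError:  # also covers UnicodeDecodeError
            return None
        # The URL is an unsigned claim made by the device itself, so accept
        # only a clean https URL with a host and never trust it beyond that.
        if not url.isprintable() or " " in url:
            return None
        if parts.scheme != "https" or not parts.hostname:
            return None
        return url
    return None

def make_option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample options: message type, hostname, MUD URL, end marker.
SAMPLE = (make_option(53, b"\x03") + make_option(12, b"lightbulb-01")
          + make_option(161, b"https://mud.example.com/lightbulb2000.json") + bytes([END]))
```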
Syslog over ISE Messaging
Cisco ISE 2.6 offers MnT WAN Survivability for UDP syslog collection. System logs are recorded using ISE Messaging Services. Remote Logging Targets use TCP port 8671 and Secure Advanced Message Queuing Protocol (AMQPs) to send syslog to MnT.
By default, the ISE Messaging Service option is disabled.
Operational data will be retained for a finite duration even when MnT node is unreachable.
PSN Light Session Directory
The Light Session Directory can be used to store user session information and replicate it across the Policy Service Nodes (PSNs) in a deployment, thereby eliminating the need to be totally dependent on Primary Administration Node (PAN) or Monitoring and Troubleshooting (MnT) nodes for user session details. The Light Session Directory stores only the session attributes required for Change of Authorization (CoA). To enable the Light Session Directory feature, choose Administration > Settings > Light Session Directory and select the Enable Light Session Directory check box.
Improved performance and scalability.
Plus Licensing Features
Apex Licensing Features
Identify Managed Devices with Dynamic MAC Addresses
AnyConnect 4.7 now provides a Unique Device ID (UDID) to identify a connected user. The UDID value can be mapped with information from Mobile Device Management (MDM) providers to help identify users who have the same MAC address. MAC address sharing is common in open offices, where more than one person shares a dock or USB dongle.
You can develop a solution that uses the UDID to uniquely identify a user, when device connections are shared.
Flexible Remediation Notification
Go to Policy > Posture > Delay Notification to delay the grace period prompt from being displayed to the user until a specific percentage of grace period has elapsed. For example, if the Delay Notification field is set to 50 percent and the configured grace period is 10 minutes, Cisco ISE checks the posture status after 5 minutes and displays the grace period notification if the endpoint is found to be noncompliant. Grace period notification is not displayed if the endpoint status is compliant. If the notification delay period is set to 0 percent, the user is prompted immediately at the beginning of the grace period to remediate the problem. However, the endpoint is granted access until the grace period expires.
Flexible start of grace period remediation prompts for endpoints. Prevents unnecessary remediation prompts for endpoints waiting for JAMF or Microsoft System Center Configuration Manager (SCCM) updates.
Generic or Custom Messaging through Cisco AnyConnect
More informative messages can now be displayed by Cisco AnyConnect, when it is used for ISE Posture. End users can now see messages about posture status and errors. You can also modify the content that is displayed in AnyConnect posture profiles. Note that this requires Cisco AnyConnect Version 4.7.
Better communication with the end user.
You can directly upgrade to Release 2.6 from the following Cisco ISE releases:
If you are on a version earlier than Cisco ISE, Release 2.1, you must first upgrade to one of the releases listed above and then upgrade to Release 2.6.
It is recommended that you upgrade to the latest patch in the existing version before starting the upgrade.