New and Changed Information

The following table summarizes the new and changed features and tells you where they are documented.

Table 1. New and Changed Features in Cisco ISE Release 3.3

Feature

Description

Cisco ISE Release 3.3 Patch 4

API keys and certificate authentication support for Tenable Security Center

From Cisco ISE 3.3 Patch 4 onwards, the following authentication methods are additionally supported for Tenable Security Center:

  • API Keys: Enter the Access key and Secret key of the user account that has access privileges in Tenable Security Center.

    API keys authentication is supported for Tenable Security Center 5.13.x and later releases.

  • Certificate Authentication: From the Authentication Certificate drop-down list, choose the required certificate.

    After successful authentication, Cisco ISE will retrieve the customer configured template from Tenable Security Center.

See API keys and certificate authentication support for Tenable Security Center.

Assign dedicated resources for join points

From Cisco ISE Release 3.3 Patch 4, you can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points.

See Assign dedicated resources for join points.

Support for osquery condition

From Cisco ISE 3.3 Patch 4, you can create an osquery condition to check the posture compliance status of an endpoint or fetch the required attributes from an endpoint.

See Add an osquery condition.

Locking identities with repeated authentication failures

From Cisco ISE Release 3.3 Patch 4, Identity Lock Settings are not supported in the RADIUS Settings page (Administration > System > Settings > Protocols > RADIUS).

Cisco ISE Release 3.3 Patch 2

Configure Virtual Tunnel Interfaces (VTI) with Native IPSec

From Cisco ISE Release 3.3 Patch 2, you can configure VTIs using the native IPSec configuration. You can use native IPSec to establish security associations between Cisco ISE PSNs and NADs across an IPSec tunnel using IKEv1 and IKEv2 protocols. The native IPSec configuration ensures that Cisco ISE is FIPS 140-3 compliant.

See Configure Native IPsec on Cisco ISE.

End of Support for Legacy IPSec (ESR)

From Cisco ISE Release 3.3 Patch 2, Legacy IPSec (ESR) is not supported on Cisco ISE. All IPSec configurations on Cisco ISE will be Native IPSec configurations.

Enhanced Password Security

Cisco ISE now improves password security through the following enhancements:

  • You can choose to hide the Show button for the following field values, to prevent them from being viewed in plaintext during editing:

    Under Network Devices,

    • RADIUS Shared Secret

    • RADIUS Second Shared Secret

    Under Native IPSec,

    • Pre-shared Key

    See Configure Security Settings.

  • To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.

See Network Devices Import Template Format.

Locking Identities with Repeated Authentication Failures

You can now limit the maximum number of unsuccessful authentication attempts an identity (username or hostname) can make while authenticating through the EAP-TLS protocol, by specifying the number of authentication failures after which the identity must be locked. Identities can be locked permanently or for a specific time period. Successful authentications by a locked identity will also be rejected until the identity is unlocked again.

See RADIUS Settings.
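The lockout rule described above, as an added illustration that is not Cisco ISE's own code: a minimal lock table that counts failed EAP-TLS attempts per identity (username or hostname), locks the identity at the configured threshold (permanently when lock_seconds is None, otherwise for a fixed period), and rejects even a valid credential while the lock holds. Class names, parameter names and the injectable clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class IdentityLockPolicy:
    """Assumed settings: lock after max_failures failed EAP-TLS attempts;
    lock_seconds=None models a permanent lock (cleared only by an admin unlock)."""
    max_failures: int = 5
    lock_seconds: Optional[float] = 600.0


@dataclass
class IdentityLockTable:
    policy: IdentityLockPolicy
    clock: Callable[[], float] = time.monotonic   # injectable so tests can advance time
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, Optional[float]] = field(default_factory=dict)  # None = permanent

    def is_locked(self, identity: str) -> bool:
        if identity not in self.locked_until:
            return False
        until = self.locked_until[identity]
        if until is None or self.clock() < until:
            return True
        self.unlock(identity)          # timed lock expired: reset the identity's state
        return False

    def unlock(self, identity: str) -> None:
        """Administrative unlock; also clears the failure counter."""
        self.locked_until.pop(identity, None)
        self.failures.pop(identity, None)

    def authenticate(self, identity: str, credentials_valid: bool) -> Tuple[bool, str]:
        """Apply the lock rule to one EAP-TLS attempt.
        A locked identity is rejected even when its credential would validate."""
        if self.is_locked(identity):
            return False, "identity locked"
        if credentials_valid:
            self.failures.pop(identity, None)   # a success resets the counter
            return True, "accepted"
        count = self.failures.get(identity, 0) + 1
        self.failures[identity] = count
        if count >= self.policy.max_failures:
            expiry = None if self.policy.lock_seconds is None \
                else self.clock() + self.policy.lock_seconds
            self.locked_until[identity] = expiry
            return False, f"locked after {count} failures"
        return False, "rejected"
```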

On-demand pxGrid Direct Data Synchronization using Sync Now

From Cisco ISE Release 3.3 Patch 2, you can use the Sync Now feature to perform on-demand synchronization of data from pxGrid Direct connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.

See On-demand pxGrid Direct Data Synchronization using Sync Now.

Opening TAC Support Cases in Cisco ISE

From Cisco ISE Release 3.3 Patch 2, you can open TAC Support Cases for Cisco ISE directly from the Cisco ISE GUI.

See Open TAC Support Cases.

Support for Transport Gateway Removed

Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:

  • Cisco ISE Smart Licensing

    If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE Release 3.3 Patch 2. You must choose a different connection method as Cisco ISE Release 3.3 Patch 2 does not support Transport Gateway. If you update to Cisco ISE Release 3.3 Patch 2 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.

  • Cisco ISE Telemetry

    Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.

TLS 1.3 Support for Cisco ISE Workflows

Cisco ISE Release 3.3 Patch 2 and later releases allow TLS 1.3 to communicate with peers for the following workflows:

  • Cisco ISE is configured as an EAP-TLS server

  • Cisco ISE is configured as a TEAP server

    Attention: TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested only under internal test conditions, because at the time of Cisco ISE Release 3.3 Patch 2, TEAP with TLS 1.3 is not supported by any available client OS.

  • Cisco ISE is configured as a secure TCP syslog client

See Configure Security Settings.

Cisco ISE Release 3.3 Patch 1

Cisco Duo Integration for Multifactor Authentication

From Cisco ISE Release 3.3 Patch 1, you can directly integrate Cisco Duo as an external identity source for multifactor authentication (MFA) workflows. In earlier releases of Cisco ISE, Cisco Duo was supported as an external RADIUS proxy server and this configuration continues to be supported.

This Cisco Duo integration supports the following multifactor authentication use cases:

  1. VPN user authentication

  2. TACACS+ admin access authentication

See Integrate Cisco Duo With Cisco ISE for Multifactor Authentication.

Customer Experience Surveys

Cisco ISE now presents customer satisfaction surveys to its users within the administration portal. The periodic administration of customer satisfaction surveys helps us better understand your Cisco ISE experiences, track what is working well, and identify areas of improvement. After you submit a survey, you are not presented with another survey for the next 90 days.

The surveys are enabled by default in all Cisco ISE deployments. You can disable the surveys at a user level or for a Cisco ISE deployment.

See Customer Experience Surveys.

Cisco ISE Release 3.3

IPv6 Support for Agentless Posture

Cisco ISE Release 3.3 adds IPv6 support for Agentless Posture. Windows and Mac clients are currently supported.

See Agentless Posture.

Option to Disable Specific Ciphers

Check the Manually Configure Ciphers List check box in the Security Settings window if you want to manually configure ciphers for communication with the following Cisco ISE components: admin UI, ERS, OpenAPI, secure ODBC, portals, and pxGrid.

A list of ciphers is displayed with allowed ciphers already selected. For example, if the Allow SHA1 Ciphers option is enabled, SHA1 ciphers are enabled in this list. If the Allow Only TLS_RSA_With_AES_128_CBC_SHA option is selected, only this SHA1 cipher is enabled in this list. If the Allow SHA1 Ciphers option is disabled, none of the SHA1 ciphers are enabled in this list. You can select and unselect ciphers as required.

See Configure Security Settings.
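The pre-selection rule described above, as an added example that is not Cisco ISE's code: it derives which suites of a cipher list start out enabled for each state of the Allow SHA1 Ciphers options, and adds a review check that lists SHA-1 suites a manual selection enables beyond that setting. The mode names, the sample cipher list and the assumption that non-SHA-1 suites are unaffected by these options are constructed for the example.

```python
import re
from typing import Iterable, List

# Constructed sample cipher list (standard IANA suite names); not the list ISE displays.
SAMPLE_CIPHERS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]

# Assumed modes for the Allow SHA1 Ciphers options:
#   disabled        -> Allow SHA1 Ciphers is off
#   all             -> Allow SHA1 Ciphers is on
#   only_rsa_aes128 -> Allow Only TLS_RSA_WITH_AES_128_CBC_SHA is selected
SHA1_MODES = ("disabled", "all", "only_rsa_aes128")
RSA_AES128_CBC_SHA = "TLS_RSA_WITH_AES_128_CBC_SHA"


def is_sha1_cipher(name: str) -> bool:
    """IANA names ending in '_SHA' use SHA-1; '_SHA256' / '_SHA384' do not."""
    return re.search(r"_SHA$", name) is not None


def sha1_allowed(name: str, sha1_mode: str) -> bool:
    """Whether one suite is allowed under the given SHA1 setting."""
    if sha1_mode not in SHA1_MODES:
        raise ValueError(f"unknown SHA1 mode: {sha1_mode}")
    if not is_sha1_cipher(name):
        return True   # assumption: non-SHA-1 suites are not governed by this option
    if sha1_mode == "all":
        return True
    if sha1_mode == "only_rsa_aes128":
        return name == RSA_AES128_CBC_SHA
    return False


def default_enabled(ciphers: Iterable[str], sha1_mode: str) -> List[str]:
    """Suites pre-selected when the Manually Configure Ciphers List box is checked."""
    return [c for c in ciphers if sha1_allowed(c, sha1_mode)]


def sha1_suites_outside_policy(selected: Iterable[str], sha1_mode: str) -> List[str]:
    """Review check: SHA-1 suites that a manual selection enables beyond the setting."""
    return [c for c in selected if not sha1_allowed(c, sha1_mode)]
```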

Navigation Improvement

The Cisco ISE home page GUI has been modified for a better user experience. When you click the menu icon at the left-hand corner of the home page, a pane is displayed. Hovering your cursor over each of the options on the pane displays the following submenus to choose from.

  • Context Visibility

  • Operations

  • Policy

  • Administration

  • Work Centers

Click Dashboard for the home page.

The left pane also contains a Bookmarks tab where you can save your recently viewed pages. Click the menu icon again to hide the pane.

If you log out when the left pane is displayed, and log in again, the pane continues to be displayed. However, if you log out after the pane is hidden, and log in again, you must click the menu icon for the pane to be displayed again.

You can now use the icon on the homepage to access the Search Pages option to search for a new page or visit recently searched pages.

See Basic Setup.

Multi-Factor Classification for Enhanced Endpoint Visibility

You can now create nuanced authorization policies using four specific attributes from the endpoints connecting to your network. The Multi-Factor Classification (MFC) profiler uses various profiling probes to fetch four new endpoint attributes to the Cisco ISE authorization policy creation workflows: MFC Endpoint Type, MFC Hardware Manufacturer, MFC Hardware Model, and MFC Operating System.

See Multi-Factor Classification for Enhanced Endpoint Visibility.

Cisco AI-ML Rule Proposals for Endpoint Profiling

Cisco ISE now provides profiling suggestions based on continuous learning from your network, helping you to enhance endpoint profiling and management. You can use these suggestions to reduce the number of unknown or unprofiled endpoints in your network.

See Cisco AI-ML Rule Proposals for Endpoint Profiling.

Posture and Client Provisioning Support for ARM64 Version of Agent

From Cisco ISE Release 3.3, posture policies and client-provisioning policies are supported for ARM64 endpoints. You can upload the ARM64 version of the agent for ARM64 endpoints.

See Configure Client-Provisioning Policy for ARM64 Version of Agent.

RADIUS Step Latency Dashboard

The RADIUS Step Latency dashboard (Analytics > Dashboard) displays the maximum and average latencies for the RADIUS authentication flow steps for the specified time period. You can also view the maximum and average latencies for the Active Directory authentication flow steps (if Active Directory is configured on that node) and the Top N RADIUS authentication steps with maximum or average latencies.

See Log Analytics.

Schedule Application Restart After Admin Certificate Renewal

After you renew an admin certificate on the primary PAN, all the nodes in your deployment must be restarted. You can either restart each node immediately or schedule the restarts later. This feature allows you to ensure that no running processes are disrupted by the automatic restarts, giving you greater control over the process. You must schedule node restarts within 15 days of certificate renewal.

See Schedule Application Restart After Admin Certificate Renewal.

pxGrid Direct Enhancements

pxGrid Direct is no longer a controlled introduction feature. Before you upgrade to Cisco ISE Release 3.3 from Cisco ISE Releases 3.2 or 3.2 Patch 1, we recommend that you delete all configured pxGrid Direct connectors and any authorization profiles and policies that use data from pxGrid Direct connectors. After you upgrade to Cisco ISE Release 3.3, reconfigure pxGrid Direct connectors.

If you do not delete the configured pxGrid Direct connectors, the connectors are automatically deleted during the upgrade. This deletion results in uneditable and unusable authorization profiles and policies that you must delete and replace with new ones.

See Cisco pxGrid Direct.

Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller

You can create profiling policies, authorization conditions, and authentication conditions and policies for Apple, Intel, and Samsung endpoints, using device analytics data from the Cisco Wireless LAN Controllers integrated with your Cisco ISE.

See Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller.

Access the Cisco ISE Admin GUI using TLS 1.3

From Cisco ISE Release 3.3, you can access the Cisco ISE Admin GUI using the TLS 1.3 version.

See Configure Security Settings.

Configure Native IPSec in Cisco ISE

From Cisco ISE Release 3.3, you can configure IPSec using the native IPSec configuration. You can use native IPSec to establish security associations between Cisco ISE PSNs and NADs across an IPSec tunnel using IKEv1 and IKEv2 protocols. The native IPSec configuration ensures that Cisco ISE is FIPS 140-3 compliant.

See Configure Native IPsec on Cisco ISE.

Disable Endpoint Replication to all the nodes in a Cisco ISE Deployment

From Cisco ISE Release 3.3, dynamically discovered endpoints are no longer replicated automatically to all the nodes in the Cisco ISE deployment. You can choose to enable or disable the replication of dynamically discovered endpoints across all nodes in your Cisco ISE deployment.

See Data Replication from Primary to Secondary Cisco ISE Nodes.

Link External LDAP Users to Cisco ISE Endpoint Groups

From Cisco ISE Release 3.3, you can assign external LDAP user groups to Endpoint Identity Groups for guest devices using the Dynamic option.

See Create or Edit Guest Types.

Managing Passwords of Cisco ISE Users

From Cisco ISE Release 3.3, as an internal user of Cisco ISE, you can choose to add the Date Created and Date Modified columns to the Network Access User table in the Network Access Users window.

See Cisco ISE Users.

Meraki Connector for Cisco ISE

Cisco ISE and cloud-based Cisco Meraki are TrustSec-enabled systems that are policy administration points for TrustSec policies. If you use both Cisco and Meraki network devices, you can connect one or more Cisco Meraki dashboards to Cisco ISE to replicate TrustSec policies and elements from Cisco ISE to the Cisco Meraki networks belonging to each organization.

See Connect Cisco Meraki Dashboards with Cisco ISE.

Data Connect

From Cisco ISE Release 3.3, the Data Connect feature uses the admin certificate to provide database access to Cisco ISE using an Open Database Connectivity (ODBC) or Java Database Connectivity (JDBC) driver, so that you can directly query the database server to generate reports of your choice.

See Data Connect.