New and Changed Information
The following table summarizes the new and changed features and tells you where they are documented.
| Feature | Description |
|---|---|
| Cisco ISE Release 3.3 Patch 4 | |
| API keys and certificate authentication support for Tenable Security Center | From Cisco ISE 3.3 Patch 4 onwards, the following authentication methods are additionally supported for Tenable Security Center: See API keys and certificate authentication support for Tenable Security Center. |
| Assign dedicated resources for join points | From Cisco ISE Release 3.3 Patch 4, you can reserve resources for the join points in each PSN. This resource segmentation reduces the performance impact caused by resource sharing among the join points. |
| Support for osquery condition | From Cisco ISE 3.3 Patch 4, you can create an osquery condition to check the posture compliance status of an endpoint or to fetch the required attributes from an endpoint. |
| Locking identities with repeated authentication failures | From Cisco ISE Release 3.3 Patch 4, Identity Lock Settings are not supported in the RADIUS Settings page ( ). |
| Cisco ISE Release 3.3 Patch 2 | |
| Configure Virtual Tunnel Interfaces (VTI) with Native IPSec | From Cisco ISE Release 3.3 Patch 2, you can configure VTIs using the native IPSec configuration. You can use native IPSec to establish security associations between Cisco ISE PSNs and NADs across an IPSec tunnel using the IKEv1 or IKEv2 protocol. The native IPSec configuration ensures that Cisco ISE is FIPS 140-3 compliant. |
| End of Support for Legacy IPSec (ESR) | From Cisco ISE Release 3.3 Patch 2, Legacy IPSec (ESR) is not supported on Cisco ISE. All IPSec configurations on Cisco ISE are Native IPSec configurations. |
| Enhanced Password Security | Cisco ISE now improves password security through the following enhancements: |
| Locking Identities with Repeated Authentication Failures | You can now limit the number of unsuccessful authentication attempts that an identity (username or hostname) can make when authenticating through the EAP-TLS protocol, by specifying the number of authentication failures after which the identity is locked. Identities can be locked permanently or for a specific time period. Successful authentications by a locked identity are also rejected until the identity is unlocked. See RADIUS Settings. |
| On-demand pxGrid Direct Data Synchronization using Sync Now | From Cisco ISE Release 3.3 Patch 2, you can use the Sync Now feature to perform on-demand synchronization of data from pxGrid Direct connectors. Both full and incremental syncs can be run on demand, either from the Cisco ISE GUI or through OpenAPI. See On-demand pxGrid Direct Data Synchronization using Sync Now. |
| Opening TAC Support Cases in Cisco ISE | From Cisco ISE Release 3.3 Patch 2, you can open TAC support cases for Cisco ISE directly from the Cisco ISE GUI. |
| Support for Transport Gateway Removed | Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method: |
| TLS 1.3 Support for Cisco ISE Workflows | Cisco ISE Release 3.3 Patch 2 and later releases can use TLS 1.3 to communicate with peers for the following workflows: |
| Cisco ISE Release 3.3 Patch 1 | |
| Cisco Duo Integration for Multifactor Authentication | From Cisco ISE Release 3.3 Patch 1, you can directly integrate Cisco Duo as an external identity source for multifactor authentication (MFA) workflows. In earlier releases of Cisco ISE, Cisco Duo was supported as an external RADIUS proxy server, and that configuration continues to be supported. This Cisco Duo integration supports the following multifactor authentication use cases: See Integrate Cisco Duo With Cisco ISE for Multifactor Authentication. |
| Customer Experience Surveys | Cisco ISE now presents customer satisfaction surveys to its users within the administration portal. The periodic surveys help Cisco understand how you use Cisco ISE, track what is working well, and identify areas for improvement. After you submit a survey, you are not presented with another survey for the next 90 days. The surveys are enabled by default in all Cisco ISE deployments. You can disable the surveys for a single user or for a whole Cisco ISE deployment. |
| Cisco ISE Release 3.3 | |
| IPv6 Support for Agentless Posture | Cisco ISE Release 3.3 adds IPv6 support for Agentless Posture. Windows and Mac clients are currently supported. See Agentless Posture. |
| Option to Disable Specific Ciphers | Check the Manually Configure Ciphers List check box in the Security Settings window to manually configure the ciphers used for communication with the following Cisco ISE components: admin UI, ERS, OpenAPI, secure ODBC, portals, and pxGrid. A list of ciphers is displayed with the currently allowed ciphers already selected. For example, if the Allow SHA1 Ciphers option is enabled, all SHA1 ciphers are selected in this list. If the Allow Only TLS_RSA_With_AES_128_CBC_SHA option is selected, only that SHA1 cipher is selected. If the Allow SHA1 Ciphers option is disabled, none of the SHA1 ciphers are selected. You can select and unselect ciphers as required. |
| Navigation Improvement | The Cisco ISE home page GUI has been modified for a better user experience. When you click the menu icon in the left-hand corner of the home page, a pane is displayed. Hovering your cursor over each of the options on the pane displays the following submenus to choose from. Click Dashboard for the home page. The left pane also contains a Bookmarks tab where you can save your recently viewed pages. Click the menu icon again to hide the pane. If you log out while the left pane is displayed and log in again, the pane is still displayed. If you log out after hiding the pane and log in again, you must click the menu icon to display the pane again. You can now use the icon on the home page to open the Search Pages option, which searches for a page or revisits recently searched pages. See Basic Setup. |
| Multi-Factor Classification for Enhanced Endpoint Visibility | You can now create more granular authorization policies using four new attributes from the endpoints connecting to your network. The Multi-Factor Classification (MFC) profiler uses the profiling probes to derive four new endpoint attributes for the Cisco ISE authorization policy workflows: MFC Endpoint Type, MFC Hardware Manufacturer, MFC Hardware Model, and MFC Operating System. See Multi-Factor Classification for Enhanced Endpoint Visibility. |
| Cisco AI-ML Rule Proposals for Endpoint Profiling | Cisco ISE now provides profiling suggestions based on continuous learning from your network, helping you to improve endpoint profiling and management. You can use these suggestions to reduce the number of unknown or unprofiled endpoints in your network. |
| Posture and Client Provisioning Support for ARM64 Version of Agent | From Cisco ISE Release 3.3, posture policies and client-provisioning policies are supported for ARM64 endpoints. You can upload the ARM64 version of the agent for ARM64 endpoints. See Configure Client-Provisioning Policy for ARM64 Version of Agent. |
| RADIUS Step Latency Dashboard | The RADIUS Step Latency dashboard (Analytics > Dashboard) displays the maximum and average latencies of the RADIUS authentication flow steps for the specified time period. You can also view the maximum and average latencies of the Active Directory authentication flow steps (if Active Directory is configured on that node) and the Top N RADIUS authentication steps by maximum or average latency. See Log Analytics. |
| Schedule Application Restart After Admin Certificate Renewal | After you renew an admin certificate on the primary PAN, all the nodes in your deployment must be restarted. You can restart each node immediately or schedule the restarts for later, so that running processes are not disrupted by an automatic restart. You must schedule the node restarts within 15 days of the certificate renewal. See Schedule Application Restart After Admin Certificate Renewal. |
| pxGrid Direct Enhancements | pxGrid Direct is no longer a controlled introduction feature. Before you upgrade to Cisco ISE Release 3.3 from Cisco ISE Release 3.2 or 3.2 Patch 1, we recommend that you delete all configured pxGrid Direct connectors and any authorization profiles and policies that use data from pxGrid Direct connectors. After you upgrade to Cisco ISE Release 3.3, reconfigure the pxGrid Direct connectors. If you do not delete the configured pxGrid Direct connectors, they are deleted automatically during the upgrade, which leaves authorization profiles and policies that can no longer be edited or used; you must delete those and replace them with new ones. See Cisco pxGrid Direct. |
| Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller | You can create profiling policies, authorization conditions, and authentication conditions and policies for Apple, Intel, and Samsung endpoints, using device analytics data from the Cisco Wireless LAN Controllers integrated with your Cisco ISE. See Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller. |
| Access the Cisco ISE Admin GUI using TLS 1.3 | From Cisco ISE Release 3.3, you can access the Cisco ISE Admin GUI using TLS 1.3. |
| Configure Native IPSec in Cisco ISE | From Cisco ISE Release 3.3, you can configure IPSec using the native IPSec configuration. You can use native IPSec to establish security associations between Cisco ISE PSNs and NADs across an IPSec tunnel using the IKEv1 or IKEv2 protocol. The native IPSec configuration ensures that Cisco ISE is FIPS 140-3 compliant. |
| Disable Endpoint Replication to all the nodes in a Cisco ISE Deployment | From Cisco ISE Release 3.3, dynamically discovered endpoints are no longer replicated automatically to all the nodes in the Cisco ISE deployment. You can enable or disable the replication of dynamically discovered endpoints across all nodes in your Cisco ISE deployment. See Data Replication from Primary to Secondary Cisco ISE Nodes. |
| Link External LDAP Users to Cisco ISE Endpoint Groups | From Cisco ISE Release 3.3, you can assign external LDAP user groups to Endpoint Identity Groups for guest devices using the Dynamic option. |
| Managing Passwords of Cisco ISE Users | From Cisco ISE Release 3.3, you can add the Date Created and Date Modified columns to the Network Access Users table in the Network Access Users window for the internal users of Cisco ISE. See Cisco ISE Users. |
| Meraki Connector for Cisco ISE | Cisco ISE and cloud-based Cisco Meraki are TrustSec-enabled systems that act as policy administration points for TrustSec policies. If you use both Cisco and Meraki network devices, you can connect one or more Cisco Meraki dashboards to Cisco ISE to replicate TrustSec policies and elements from Cisco ISE to the Cisco Meraki networks belonging to each organization. |
| Data Connect | From Cisco ISE Release 3.3, the Data Connect feature uses the admin certificate to provide database access to Cisco ISE through an Open Database Connectivity (ODBC) or Java Database Connectivity (JDBC) driver, so that you can query the database server directly to generate reports of your choice. See Data Connect. |
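The identity-lock behaviour introduced in Cisco ISE Release 3.3 Patch 2 (lock an identity after a set number of EAP-TLS failures, permanently or for a period, and reject even successful authentications while the lock holds) is easiest to reason about as a small state machine. The following Python model is an added example written for this page, not Cisco ISE code; the class and method names, the device identity, and the scenario timestamps are constructed.

```python
"""Model of a lock-on-repeated-failure control for EAP-TLS identities.

Added example for this page, not Cisco ISE code. It reproduces the behaviour
described in the table above so the lock and unlock semantics can be exercised
offline. Names and timestamps are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

PERMANENT = float("inf")  # locked_until value for a lock that never expires


@dataclass
class _IdentityState:
    failures: int = 0
    locked_until: Optional[float] = None  # None: not locked


@dataclass
class IdentityLockPolicy:
    """Lock an identity (username or hostname) after max_failures failed attempts.

    lock_seconds=None models a permanent lock that only an administrator clears.
    """
    max_failures: int
    lock_seconds: Optional[float] = None
    _state: Dict[str, _IdentityState] = field(default_factory=dict)

    def _get(self, identity: str) -> _IdentityState:
        return self._state.setdefault(identity, _IdentityState())

    def is_locked(self, identity: str, now: float) -> bool:
        st = self._get(identity)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:  # timed lock has expired: clear it and the counter
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def unlock(self, identity: str) -> None:
        """Administrative unlock; also resets the failure counter."""
        self._state[identity] = _IdentityState()

    def authenticate(self, identity: str, credential_ok: bool, now: float) -> str:
        """Return 'accept', 'reject' or 'locked' for one authentication attempt."""
        st = self._get(identity)
        if self.is_locked(identity, now):
            return "locked"  # a valid credential is rejected too while the lock holds
        if credential_ok:
            st.failures = 0
            return "accept"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = PERMANENT if self.lock_seconds is None else now + self.lock_seconds
        return "reject"


def simulate() -> list:
    """Constructed scenario: three failed attempts for a device identity, a valid
    attempt during the lock, and a valid attempt after a 600 s lock has expired."""
    policy = IdentityLockPolicy(max_failures=3, lock_seconds=600)
    ident = "host/lab-printer-01"  # assumed hostname identity
    events = [(0, False), (1, False), (2, False), (3, True), (700, True)]
    return [policy.authenticate(ident, ok, t) for t, ok in events]
# simulate() returns ['reject', 'reject', 'reject', 'locked', 'accept']
```

The fourth result in simulate() is the point to keep in mind when choosing the lock type: the failures that trip the lock need not come from the legitimate holder of the identity, and while the lock is in force the legitimate client is refused as well. For device identities a timed lock combined with an alert on the lock event is usually a better fit than a permanent lock, which stays in place until an administrator clears it.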
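The SHA1 cipher options in the Security Settings window (Allow SHA1 Ciphers, Allow Only TLS_RSA_With_AES_128_CBC_SHA, or neither) and the TLS 1.3 support for the Admin GUI and the Patch 2 workflows are both things you can verify from outside the deployment instead of trusting the check boxes. The following Python script is an added example for this page, not Cisco code: it performs constrained TLS handshakes against one listener and compares what the server actually negotiates with the option you intended to set. The host, the port numbers and the intent strings are assumptions; AES128-SHA is the OpenSSL name of TLS_RSA_WITH_AES_128_CBC_SHA.

```python
"""Check which TLS versions and SHA1 cipher suites a listener still accepts.

Added example for this page, not Cisco code. Host, ports and intent names are
assumptions. Run: python probe.py ise-pan.example.net 443 none
"""
import json
import socket
import ssl
import sys
from typing import Dict, List, Optional

RSA_AES128_SHA = "AES128-SHA"  # OpenSSL name of TLS_RSA_WITH_AES_128_CBC_SHA
INTENTS = ("none", "rsa_aes128_sha_only", "all")


def handshake(host: str, port: int, *, min_version=ssl.TLSVersion.TLSv1_2,
              max_version=ssl.TLSVersion.TLSv1_3, ciphers: Optional[str] = None,
              timeout: float = 5.0) -> Dict[str, object]:
    """One TLS handshake under the given constraints; reports what was negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing the listener, not trusting it
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    if ciphers:
        try:
            ctx.set_ciphers(ciphers)
        except ssl.SSLError as exc:  # the local OpenSSL cannot offer these suites
            return {"ok": False, "error": f"client cannot offer {ciphers}: {exc}"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


def sha1_suite_names() -> List[str]:
    """OpenSSL names of the pre-TLS-1.3 suites with a SHA1 MAC this client can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("SHA1")  # OpenSSL keyword: suites using SHA1 as MAC
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def enumerate_sha1(host: str, port: int) -> Dict[str, bool]:
    """Offer each SHA1 suite on its own, so the server's preferred suite cannot hide others."""
    return {name: bool(handshake(host, port, max_version=ssl.TLSVersion.TLSv1_2,
                                 ciphers=name)["ok"])
            for name in sha1_suite_names()}


def evaluate(intent: str, tls13_ok: bool, accepted_sha1: Dict[str, bool]) -> List[str]:
    """Compare observed behaviour with the Security Settings option you chose.

    intent: "none" (Allow SHA1 Ciphers off), "rsa_aes128_sha_only"
            (Allow Only TLS_RSA_With_AES_128_CBC_SHA) or "all" (Allow SHA1 Ciphers on).
    """
    if intent not in INTENTS:
        raise ValueError(f"unknown intent {intent!r}")
    findings: List[str] = []
    if not tls13_ok:
        findings.append("TLS 1.3 handshake failed")
    accepted = sorted(name for name, ok in accepted_sha1.items() if ok)
    if intent == "none" and accepted:
        findings.append("SHA1 suites still accepted: " + ", ".join(accepted))
    elif intent == "rsa_aes128_sha_only":
        extra = [name for name in accepted if name != RSA_AES128_SHA]
        if extra:
            findings.append("SHA1 suites other than AES128-SHA accepted: " + ", ".join(extra))
        if RSA_AES128_SHA not in accepted:
            findings.append("AES128-SHA not accepted although allowed")
    return findings


if __name__ == "__main__":
    host, port, intent = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    tls13 = handshake(host, port, min_version=ssl.TLSVersion.TLSv1_3)
    report = {"tls13": tls13, "sha1": enumerate_sha1(host, port)}
    report["findings"] = evaluate(intent, bool(tls13["ok"]), report["sha1"])
    print(json.dumps(report, indent=2))
```

Run it once per listener you changed: the admin GUI and OpenAPI on 443, ERS on 9060, the portals on 8443 and pxGrid on 8910 are the usual defaults and should be confirmed in your deployment. Certificate verification is switched off deliberately, because the question is which suites the listener accepts, not whether it should be trusted; and if administrative access is restricted by source IP address, probe from a permitted host, otherwise the connection is refused before TLS starts. Offering one SHA1 suite per handshake matters: a single handshake that offers all of them reveals only the server's preferred suite, not which others remain enabled.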