Benjamin Zimbleman | November 9, 2020
Cisco released its third version of Identity Services Engine (ISE) back in September. If you are not familiar with Cisco ISE, it is an industry-leading Network Access Control (NAC) system that manages security policy and controls access to your network infrastructure. Cisco ISE enables you to gather real-time contextual information from the users and devices that connect to your network. Having this information allows you to create granular, proactive policies governing how and when users and devices connect to your network and which parts of the network they may access. In other words, it gives network administrators visibility of who, what, where, when and how users and devices connect to the network, and allows them to create network access policies based on those attributes.
Feature changes or updates with Cisco ISE 3.0
There are too many updates to list, but here are a few to highlight in detail and a few more to just call out:
The ISE dashboard has gotten a makeover
- It looks similar to Cisco’s Digital Network Architecture Center (DNAC) dashboard
- A new search bar has been added to look up features
- Most features have moved to the hamburger menu
- The help menu has moved. You can type in a feature and it will provide all related documentation
- There is a new Make a Wish feature button which enables you to make requests to add new features
The licensing structure for ISE 3.0 is changing from ISE 2.0
- ISE 2.0 used Base, Plus and Apex licenses. 3.0 is transitioning to Essentials, Advantage and Premier licenses
- ISE 3.0 is 100% term-based licensing. The bottom tier license, Essentials, is NOT perpetual
- There are some changes when it comes to supported features per license tier. So when migrating from 2.0 to 3.0, you need to make sure you have comparable features
- ISE 2.0 used a consumption model where licenses were consumed in a Lego model. This meant as you consumed a feature, you consumed the licenses tied to that feature. For example, if a user used AAA to authenticate, it consumed a Base license. If that user used Profiling as well, it would also consume a Plus license. With 3.0, licenses are consumed by each licensing tier. So if you use Profiling and AAA features, you will consume only one Advantage license
- TACACS+ (Network Device Administration) licenses do not require 100 Base licenses in 3.0
- There is a migration process to migrate existing 2.0 licenses to 3.0 licenses
Note: Some of these licensing changes can be a little confusing. Please reach out if you need a deeper understanding of the licenses.
ISE nodes supported with 3.0
- You can still use Cisco SNS appliances, but be aware that the SNS 3515 and 3595 are end-of-life
- Virtual appliances are supported on VMware, KVM and Hyper-V
- You can also deploy to the cloud using VMware Cloud on AWS. Other clouds will be supported in the near future.
Agentless Posturing is now supported on Windows & macOS
- You can enforce endpoint compliance without an agent on the endpoint
- There are caveats with this – you need admin credentials, and there is no support for remediation, grace periods, or re-assessments
- It is still recommended to use an agent, like AnyConnect, to perform posturing on a device. Agentless deployments do not have full feature parity with agent-based ones.
Here are a few other new features I wanted to bring to your attention:
- 802.1X with Azure AD using OAuth-ROPC (Resource Owner Password Credentials)
- Cisco’s new ISE API Gateway provides a new single point to interface and manage API calls
- Certificate Fingerprinting using SHA-256 to evaluate certificates. This allows you to trust multiple certificates.
- Health Checks – run an on-demand health check to diagnose all the nodes in your deployment, helping you to identify critical issues and avoid downtime
- Interactive Help that provides tips and step-by-step guidance to complete tasks
- pxGrid has a new interface
- SAML SSO for Multi-Factor Authentication
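The certificate fingerprinting item above identifies a certificate by the SHA-256 hash of its DER encoding rather than by its subject name, which is what lets several certificates with the same subject (for example an old and a renewed one) sit side by side in a trust list. The following is an added example, not Cisco ISE code, showing the mechanism: PEM-to-DER decoding, fingerprint formatting, and a trust lookup keyed on the fingerprint. The "certificate" bytes, labels and hostnames are constructed placeholders, not real X.509 structures.

```python
import base64
import hashlib
import hmac
import re

# Added example (not Cisco's code): how SHA-256 certificate fingerprinting
# lets a trust store hold several certificates that share the same subject.
# The hash is computed over the DER bytes, never over the PEM text, so PEM
# line wrapping or whitespace differences do not change the fingerprint.

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and whitespace, returning the raw DER bytes."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as GUIs usually show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FingerprintTrustStore:
    """Trust decisions keyed on fingerprint rather than on subject name."""

    def __init__(self) -> None:
        self._trusted = {}  # fingerprint -> label

    def trust(self, label: str, pem: str) -> str:
        fp = sha256_fingerprint(pem_to_der(pem))
        self._trusted[fp] = label
        return fp

    def lookup(self, pem: str):
        """Return the label of a trusted certificate, or None if unknown."""
        fp = sha256_fingerprint(pem_to_der(pem))
        for trusted_fp, label in self._trusted.items():
            # Constant-time comparison avoids leaking how many bytes matched.
            if hmac.compare_digest(trusted_fp, fp):
                return label
        return None


def pem_wrap(der: bytes, width: int = 64) -> str:
    """Constructed PEM armor around arbitrary bytes (fixture helper)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed fixtures: placeholder bytes standing in for two certificates
# issued to the same subject (an ISE admin certificate and its renewal) and
# one unrelated certificate. They are not real X.509 structures.
OLD_CERT_PEM = pem_wrap(b"CN=ise.example.internal serial=1 " * 4)
NEW_CERT_PEM = pem_wrap(b"CN=ise.example.internal serial=2 " * 4)
ROGUE_CERT_PEM = pem_wrap(b"CN=ise.example.internal serial=X " * 4)


def build_store() -> FingerprintTrustStore:
    """Trust both the old and the renewed certificate for the same subject."""
    store = FingerprintTrustStore()
    store.trust("ise-admin-2019", OLD_CERT_PEM)
    store.trust("ise-admin-2020", NEW_CERT_PEM)
    return store


if __name__ == "__main__":
    store = build_store()
    print(store.lookup(OLD_CERT_PEM))    # ise-admin-2019
    print(store.lookup(NEW_CERT_PEM))    # ise-admin-2020
    print(store.lookup(ROGUE_CERT_PEM))  # None
```

Because the lookup is keyed on the hash of the DER encoding, a third certificate that claims the same subject but has different contents is rejected, while the same certificate re-wrapped at a different PEM line width is still recognized.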
I hope you found some of these new features beneficial. Before upgrading to ISE 3.0, make sure you convert your existing licenses to the new 3.0 licenses. If you need a hand or would like to learn more, reach out to me and the Arraya team today.