Cisco ISE Release 3.4 Patch 2

Use enhanced Endpoint Topics Settings to share Cisco ISE data

You can enhance network visibility and security by sharing endpoint attribute data with Cisco AI Endpoint Analytics and Cisco pxGrid Cloud using the enhanced Endpoint Topics Settings feature.

See Create Authorization Policies with Endpoint-Analytics Attributes.

Support for TACACS over TLS authentication

You can enable TACACS over TLS authentication for the network devices to enforce additional security. Cisco ISE supports validating the IP address (iPAddress), DNS name (dNSName), and directory name (directoryname) attributes of the certificate.

If any of these attributes match, validation is successful, otherwise, validation fails. For each SAN attribute, multiple values are supported.

See Network Device Definition Settings.

API keys and certificate authentication support for Tenable Security Center

From Cisco ISE 3.4 patch 2 onwards, the following authentication methods are additionally supported for Tenable Security Center:

• API Keys: Enter the Access key and Secret key of the user account that has access privileges in Tenable Security Center.

  API keys authentication is supported for Tenable Security Center 5.13.x and later releases.

• Certificate Authentication: From the Authentication Certificate drop-down list, choose the required certificate.

  After successful authentication, Cisco ISE will retrieve the customer configured template from Tenable Security Center.

See API keys and certificate authentication support for Tenable Security Center.

Remote support authorization

The remote support authorization allows a Cisco ISE administrator to authorize a specific Cisco TAC specialist to remotely and securely access the Cisco ISE deployment through CLI, UI, or both to troubleshoot and gather information.

See Remote Support Authorization.

Time restricted debug enabling

The time restricted debug enabling feature allows you to select a log level from a drop-down list and set a reset timer to revert to default settings. The selected node reverts to the default state after the timer expires.

See Configure debug log settings.

Support for osquery condition

From Cisco ISE 3.4 patch 2, you can create an osquery condition to check the posture compliance status of an endpoint or fetch the required attributes from an endpoint.

See Add an osquery condition.

Cisco ISE Release 3.4 Patch 1

Assign dedicated resources for join points

From Cisco ISE Release 3.4 Patch 1, you can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points.

See Assign dedicated resources for join points.

Change of Authorization (CoA) for dictionary attributes using pxGrid Direct

From Cisco ISE Release 3.4 Patch 1, you can enable Change of Authorization (CoA) for dictionary attributes using pxGrid Direct. When the value of a CoA-enabled dictionary attribute changes, a CoA Port Bounce or Reauthentication is performed on the impacted endpoint.

See Change of Authorization (CoA) for dictionary attributes using pxGrid Direct.

Dynamic Reauthorization Scheduler

Starting with Cisco ISE Release 3.4 Patch 1 release, you can enhance access control by setting a predetermined expiration date and time for each session, ensuring sessions remain active only until the specified expiration, thereby preventing unauthorized access.

See Dynamic Reauthorization Scheduler.

Enable PAP/ASCII in FIPS Mode

From Cisco ISE Release 3.4 Patch 1, Cisco ISE allows configuration of the PAP/ASCII protocol in FIPS mode. You can enable RADIUS DTLS settings when configuring network devices to support the PAP/ASCII protocol in FIPS mode.

Integrate pxGrid Cloud applications using Integration Catalog

From Cisco ISE Release 3.4 Patch 1, you can use a native integration catalog interface on Cisco ISE to integrate with pxGrid cloud applications for a simplified integration experience. pxGrid Cloud apps can be integrated with Cisco ISE using the Integration Catalog (Administration > System > Deployment > Integration Catalog).

See Integration Catalog.

Inbound and Outbound SGT Domain Rules

You can create inbound SGT domain rules to map incoming SGT bindings with specific SGT domains. If no rules are defined, bindings received from workload connectors are sent to the default SGT domain.

You can create outbound SGT domain rules to designate target destinations for specific SGT bindings.

See Add inbound SGT domain rules and Add outbound SGT domain rules.

Preview Portal Customization

After making the changes in the Portal Page Customization page, you must click Render Preview to preview your content. You must click Refresh Preview every time to view the updated content.

See Preview Portal Customization.

Support ACI for Global Security Group

The naming convention for External EPGs (EEPGs) has changed from Cisco ISE Release 3.4 to Cisco ISE Release 3.4 Patch 1. In Cisco ISE Release 3.4, EEPGs are named "ISE_SGT_<SGT_TAG>", with "ISE_SGT_" as a constant prefix followed by the Security Group Tag (SGT). In Cisco ISE Release 3.4 Patch 1, the format changes to "ISE_<SG_NAME>", using "ISE_" as the constant prefix followed by the Security Group (SG) name.

Workload Classification Rules

Workload classification rules can be used to classify the workloads and to assign primary and secondary SGTs to the workloads. The primary SGT is marked as “Security Group” in the pxGrid session topic and is used to publish IP-to-SGT mappings via SXP. Secondary SGTs are included in the pxGrid session topic as an ordered array named “Secondary Security Groups”.

See Add workload classification rules.

Workload Connectors

Common Policy is a framework for building and enforcing consistent access and segmentation policies, regardless of the domain. Workload Connectors are used in this framework to build secure connections with on-premise and cloud data centers, import application workload context, normalize that context into SGTs, and share the context with other domains for building policies.

See Workload Connectors.

Workloads Live Session

The Workloads Live Session page displays the details about the live workload sessions. To view this page, in the Cisco ISE GUI, click the Menu icon and choose Operations > Workloads > Workloads Live Session.

See Workloads live session.

Cisco ISE Release 3.4

Cisco ISE Resiliency

From Cisco ISE Release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE.

See Cisco ISE Alarms.

Configure Debug Log Settings

You can configure the maximum file size and the maximum number of files allowed for each debug log component. You can also specify the date and time after which these values must be reset to default.

See Configure Debug Log Settings.

Create a URL Pusher pxGrid Direct Connector Type

You can create a pxGrid Direct connector using the Cisco ISE GUI. There are two types of pxGrid Direct connector types: URL Fetcher and URL Pusher. From Cisco ISE Release 3.4, you can choose between a URL Fetcher pxGrid Direct connector type or a URL Pusher pxGrid Direct connector type. You can use the pxGrid Direct Push APIs to push endpoint data to Cisco ISE.

From Cisco ISE Release 3.4, you can also configure an authorization profile using connector attributes containing arrays.

See Create a URL Pusher Connector Type.

From Cisco ISE Release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate to native IPsec from legacy IPsec (ESR) before upgrading to Cisco ISE Release to avoid any loss of tunnel and tunnel configurations.

See Migrate from Legacy IPsec to Native IPsec on Cisco ISE.

Enforcing Domain Controller Selection with Priority

You can now choose to override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover. When this option is enabled, Cisco ISE overrides the existing priority values and selects the next domain controller in the preferred list in the order of input from left to right.

See Configure Preferred Domain Controllers.

Enhanced Password Security

Cisco ISE now improves password security through the following enhancements:

• You can choose to hide the Show button for the following field values, to prevent them from being viewed in plaintext during editing:

  Under Network Devices,

  • RADIUS Shared Secret

  • Radius Second Shared Secret

  Under Native IPsec,

  • Pre-shared Key

  See Configure security settings.

• To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.

  See Network Devices Import Template Format.

On-demand pxGrid Direct Data Synchronization using Sync Now

From Cisco ISE Release 3.4, you can use the Sync Now feature to perform on-demand synchronization of data from pxGrid Direct connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.

See On-demand pxGrid Direct Data Synchronization using Sync Now.

Option to Add Identity Sync After Creating Duo Connection

If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly.

After you create a Duo connection, you can add identity sync configurations at any time.

See Integrate Cisco Duo With Cisco ISE for Multifactor Authentication.

Per-user Dynamic Access Control List Behavior Change

While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE Release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard.

See Downloadable ACLs.

Support for Multiple Cisco Application Centric Infrastructure Connectors

Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs), endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco ISE.

You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and Cisco ACI connectors.

Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics.

See Connect Cisco Application Centric Infrastructure with Cisco ISE.

pxGrid Direct Support for Arrays in Dictionary Groups for Authorization Policy

From Cisco ISE Release 3.4, you can also use pxGrid Direct Connector data with arrays as dictionary attributes to configure an authorization policy. The operators “Contains” or “Matches” (in case of REGEX) must be used while configuring the policy. The operators ”Equals” and “In” will not work when there are arrays. Multiple attributes can be nested using "AND" or "OR" conditions.

See Configure Authorization Policies.

RADIUS Suppression and Reports Enhancement

From Cisco ISE Release 3.4, the RADIUS Suppression and Reports have been enhanced to facilitate easier RADIUS (Administration > System > Settings > Protocols > RADIUS > RADIUS Settings) configurations.

See RADIUS Settings.

Support for Transport Gateway Removed

Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:

• Cisco ISE Smart Licensing

  If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE Release 3.4. You must choose a different connection method as Cisco ISE Release 3.4 does not support Transport Gateway. If you update to Cisco ISE Release 3.4 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.

• Cisco ISE Telemetry

  Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.

TLS 1.3 Support for Cisco ISE Workflows

Cisco ISE Release 3.4 allows TLS 1.3 to communicate with peers for the following workflows:

• Cisco ISE is configured as an EAP-TLS server

• Cisco ISE is configured as a TEAP server

  Attention

  TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested under internal test conditions because at the time of Cisco ISE Release 3.4, TEAP TLS 1.3 is not supported by any available client OS.

• Cisco ISE is configured as a secure TCP syslog client

See Configure security settings.