- New and Changed Information
- Overview of Cisco ISE
- Licensing
- Deployment of Cisco ISE
- Basic Setup
- Maintain and Monitor
- Device Administration
- Guest and Secure WiFi
- Asset Visibility
- Bring Your Own Device (BYOD)
- Secure Access
- Segmentation
- Compliance
- Threat Containment
- Cisco pxGrid
- Integration
- Troubleshoot
New and Changed Information
The following table summarizes the new and changed features and tells you where they are documented.
Feature |
Description |
||
---|---|---|---|
Cisco ISE Release 3.4 Patch 2 |
|||
Use enhanced Endpoint Topics Settings to share Cisco ISE data |
You can enhance network visibility and security by sharing endpoint attribute data with Cisco AI Endpoint Analytics and Cisco pxGrid Cloud using the enhanced Endpoint Topics Settings feature. See Create Authorization Policies with Endpoint-Analytics Attributes. |
||
Support for TACACS over TLS authentication |
You can enable TACACS over TLS authentication for the network devices to enforce additional security. Cisco ISE supports validating the IP address (iPAddress), DNS name (dNSName), and directory name (directoryname) attributes of the certificate. If any of these attributes match, validation is successful, otherwise, validation fails. For each SAN attribute, multiple values are supported. |
||
API keys and certificate authentication support for Tenable Security Center |
From Cisco ISE 3.4 patch 2 onwards, the following authentication methods are additionally supported for Tenable Security Center:
See API keys and certificate authentication support for Tenable Security Center. |
||
Remote support authorization |
The remote support authorization allows a Cisco ISE administrator to authorize a specific Cisco TAC specialist to remotely and securely access the Cisco ISE deployment through CLI, UI, or both to troubleshoot and gather information. |
||
Time restricted debug enabling |
The time restricted debug enabling feature allows you to select a log level from a drop-down list and set a reset timer to revert to default settings. The selected node reverts to the default state after the timer expires. |
||
Support for osquery condition |
From Cisco ISE 3.4 patch 2, you can create an osquery condition to check the posture compliance status of an endpoint or fetch the required attributes from an endpoint.
|
||
Cisco ISE Release 3.4 Patch 1 |
|||
Assign dedicated resources for join points |
From Cisco ISE Release 3.4 Patch 1, you can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points. |
||
Change of Authorization (CoA) for dictionary attributes using pxGrid Direct |
From Cisco ISE Release 3.4 Patch 1, you can enable Change of Authorization (CoA) for dictionary attributes using pxGrid Direct. When the value of a CoA-enabled dictionary attribute changes, a CoA Port Bounce or Reauthentication is performed on the impacted endpoint. See Change of Authorization (CoA) for dictionary attributes using pxGrid Direct. |
||
Dynamic Reauthorization Scheduler |
Starting with Cisco ISE Release 3.4 Patch 1 release, you can enhance access control by setting a predetermined expiration date and time for each session, ensuring sessions remain active only until the specified expiration, thereby preventing unauthorized access. |
||
Enable PAP/ASCII in FIPS Mode |
From Cisco ISE Release 3.4 Patch 1, Cisco ISE allows configuration of the PAP/ASCII protocol in FIPS mode. You can enable RADIUS DTLS settings when configuring network devices to support the PAP/ASCII protocol in FIPS mode. |
||
Integrate pxGrid Cloud applications using Integration Catalog |
From Cisco ISE Release 3.4 Patch 1, you can use a native integration catalog interface on Cisco ISE to integrate with pxGrid cloud applications for a simplified integration experience. pxGrid Cloud apps can be integrated with Cisco ISE using the Integration Catalog ( ). See Integration Catalog. |
||
Inbound and Outbound SGT Domain Rules |
You can create inbound SGT domain rules to map incoming SGT bindings with specific SGT domains. If no rules are defined, bindings received from workload connectors are sent to the default SGT domain. You can create outbound SGT domain rules to designate target destinations for specific SGT bindings. See Add inbound SGT domain rules and Add outbound SGT domain rules. |
||
Preview Portal Customization |
After making the changes in the Portal Page Customization page, you must click Render Preview to preview your content. You must click Refresh Preview every time to view the updated content. |
||
Support ACI for Global Security Group |
The naming convention for External EPGs (EEPGs) has changed from Cisco ISE Release 3.4 to Cisco ISE Release 3.4 Patch 1. In Cisco ISE Release 3.4, EEPGs are named "ISE_SGT_<SGT_TAG>", with "ISE_SGT_" as a constant prefix followed by the Security Group Tag (SGT). In Cisco ISE Release 3.4 Patch 1, the format changes to "ISE_<SG_NAME>", using "ISE_" as the constant prefix followed by the Security Group (SG) name.
|
||
Workload Classification Rules |
Workload classification rules can be used to classify the workloads and to assign primary and secondary SGTs to the workloads. The primary SGT is marked as “Security Group” in the pxGrid session topic and is used to publish IP-to-SGT mappings via SXP. Secondary SGTs are included in the pxGrid session topic as an ordered array named “Secondary Security Groups”. |
||
Workload Connectors |
Common Policy is a framework for building and enforcing consistent access and segmentation policies, regardless of the domain. Workload Connectors are used in this framework to build secure connections with on-premise and cloud data centers, import application workload context, normalize that context into SGTs, and share the context with other domains for building policies. See Workload Connectors. |
||
Workloads Live Session |
The Workloads Live Session page displays the details about the live workload sessions. To view this page, in the Cisco ISE GUI, click the Menu icon and choose Operations > Workloads > Workloads Live Session. |
||
Cisco ISE Release 3.4 |
|||
Cisco ISE Resiliency |
From Cisco ISE Release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE. See Cisco ISE Alarms. |
||
Configure Debug Log Settings |
You can configure the maximum file size and the maximum number of files allowed for each debug log component. You can also specify the date and time after which these values must be reset to default. |
||
Create a URL Pusher pxGrid Direct Connector Type |
You can create a pxGrid Direct connector using the Cisco ISE GUI. There are two types of pxGrid Direct connector types: URL Fetcher and URL Pusher. From Cisco ISE Release 3.4, you can choose between a URL Fetcher pxGrid Direct connector type or a URL Pusher pxGrid Direct connector type. You can use the pxGrid Direct Push APIs to push endpoint data to Cisco ISE. From Cisco ISE Release 3.4, you can also configure an authorization profile using connector attributes containing arrays. |
||
End of Support for Legacy IPsec (ESR) |
From Cisco ISE Release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate to native IPsec from legacy IPsec (ESR) before upgrading to Cisco ISE Release to avoid any loss of tunnel and tunnel configurations. |
||
Enforcing Domain Controller Selection with Priority |
You can now choose to override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover. When this option is enabled, Cisco ISE overrides the existing priority values and selects the next domain controller in the preferred list in the order of input from left to right. |
||
Enhanced Password Security |
Cisco ISE now improves password security through the following enhancements:
|
||
On-demand pxGrid Direct Data Synchronization using Sync Now |
From Cisco ISE Release 3.4, you can use the Sync Now feature to perform on-demand synchronization of data from pxGrid Direct connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI. See On-demand pxGrid Direct Data Synchronization using Sync Now. |
||
Option to Add Identity Sync After Creating Duo Connection |
If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly. After you create a Duo connection, you can add identity sync configurations at any time. See Integrate Cisco Duo With Cisco ISE for Multifactor Authentication. |
||
Per-user Dynamic Access Control List Behavior Change |
While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE Release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard. See Downloadable ACLs. |
||
Support for Multiple Cisco Application Centric Infrastructure Connectors |
Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs), endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco ISE. You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and Cisco ACI connectors. Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics. See Connect Cisco Application Centric Infrastructure with Cisco ISE. |
||
pxGrid Direct Support for Arrays in Dictionary Groups for Authorization Policy |
From Cisco ISE Release 3.4, you can also use pxGrid Direct Connector data with arrays as dictionary attributes to configure an authorization policy. The operators “Contains” or “Matches” (in case of REGEX) must be used while configuring the policy. The operators ”Equals” and “In” will not work when there are arrays. Multiple attributes can be nested using "AND" or "OR" conditions. |
||
RADIUS Suppression and Reports Enhancement |
From Cisco ISE Release 3.4, the RADIUS Suppression and Reports have been enhanced to facilitate easier RADIUS ( ) configurations.See RADIUS Settings. |
||
Support for Transport Gateway Removed |
Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:
|
||
TLS 1.3 Support for Cisco ISE Workflows |
Cisco ISE Release 3.4 allows TLS 1.3 to communicate with peers for the following workflows:
|