Cisco ISE release 3.4 patch 5

There are no new features in Cisco ISE release 3.4 patch 5.

Workload Connector Endpoints dashboard

The Workload Connector Endpoints page in Context Visibility enables you to efficiently gather, analyze, and report data related to Workload connectors. This tab displays endpoint attribute information collected from the Workload Connectors page. By clicking on an endpoint's IP address, you can access or download detailed attribute information for endpoint analysis.

See The Workload Connector Endpoints dashboard.

OAuth support for SMTP

You can enable or disable authentication settings for your Simple Mail Transfer Protocol (SMTP) servers in the Cisco ISE GUI. This release adds support for Microsoft OAuth authentication, in addition to basic password authentication.

See Configure SMTP Server to Support Notifications.

USB disk encryption condition

You can use the All External USB Drives option (under Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition) to check if external disk drives are encrypted with the selected product.

When a USB drive is inserted, Cisco ISE dynamically detects the insertion, immediately evaluates the USB drive condition, and checks the compliance status of the endpoint. This process ensures continuous monitoring and enforcement of posture policies related to USB devices while the endpoint remains within the Cisco ISE-controlled network.

See Disk Encryption Condition settings.

New alarm for excessive TACACS+ activity

A new alarm is introduced to enhance system monitoring and troubleshooting in Cisco ISE.

The Excessive TACACS communication detected alarm identifies excessive communication traffic from TACACS+ devices and helps users address these issues.

See Cisco ISE Alarms.

TACACS+ support to prevent Active Directory user lockout

The Prevent Active Directory User Lockout option reduces the frequency of lockouts resulting from multiple incorrect password attempts. This option is supported by both RADIUS and TACACS+ protocols.

See Configure Maximum Password Attempts for Active Directory Account.

Monitor profiler traffic probes

New enhancements are introduced to improve the resiliency and stability of the Cisco ISE profiler under high traffic deployments.

• A new mechanism for managing chatty endpoints pauses probe-related processing for a predefined cool-off period, reducing system strain.

• Profiler queue utilization is managed based on defined thresholds (moderate, high, and maximum load).

  This ensures critical tasks are prioritized and system stability is maintained during peak loads.

See Monitor profile traffic probes.

User and device authorization using Entra ID EAP-TLS and TEAP-TLS

Certificate-based authentication is now supported for both user and device flows. You can create authorization policies to authorize both users and devices through EAP or TEAP chaining. Cisco ISE evaluates the certificate presented by the device or user during authentication, without directly accessing Microsoft Entra ID. REST ID store attribute condition or REST ID store group can be used in the authorization policies. Cisco ISE queries Microsoft Entra ID to retrieve groups and attributes of the user or device, and device-related information.

See EAP-TLS and TEAP Authentication with Microsoft Entra ID.

Security service insertion

Security service insertion enhances network security by steering the traffic through firewalls based on predefined policies. This supports a zero-trust security solution. Security service insertion supports wired and wireless deployments and is compatible with Cisco and third-party firewalls, including on-premises and cloud-hosted solutions.

Cisco ISE APIs play a crucial role in security service insertion by facilitating policy creation and allowing network devices to retrieve and enforce policies based on the configured source security groups.

Use enhanced Endpoint Topics Settings to share Cisco ISE data

You can enhance network visibility and security by sharing endpoint attribute data with Cisco AI Endpoint Analytics and Cisco pxGrid Cloud using the enhanced Endpoint Topics Settings feature.

See Create Authorization Policies with Endpoint-Analytics Attributes.

Support for TACACS over TLS authentication

You can enable TACACS over TLS authentication for the network devices to enforce additional security. Cisco ISE supports validating the IP address (iPAddress), DNS name (dNSName), and directory name (directoryname) attributes of the certificate.

If any of these attributes match, validation is successful, otherwise, validation fails. For each SAN attribute, multiple values are supported.

See Network Device Definition Settings.

API keys and certificate authentication support for Tenable Security Center

From Cisco ISE 3.4 patch 2 onwards, the following authentication methods are additionally supported for Tenable Security Center:

• API Keys: Enter the Access key and Secret key of the user account that has access privileges in Tenable Security Center.

  API keys authentication is supported for Tenable Security Center 5.13.x and later releases.

• Certificate Authentication: From the Authentication Certificate drop-down list, choose the required certificate.

  After successful authentication, Cisco ISE will retrieve the customer configured template from Tenable Security Center.

See API keys and certificate authentication support for Tenable Security Center.

Remote support authorization

The remote support authorization allows a Cisco ISE administrator to authorize a specific Cisco TAC specialist to remotely and securely access the Cisco ISE deployment through CLI, UI, or both to troubleshoot and gather information.

See Remote Support Authorization.

Time restricted debug enabling

The time restricted debug enabling feature allows you to select a log level from a drop-down list and set a reset timer to revert to default settings. The selected node reverts to the default state after the timer expires.

See Configure debug log settings.

Support for osquery condition

From Cisco ISE 3.4 patch 2, you can create an osquery condition to check the posture compliance status of an endpoint or fetch the required attributes from an endpoint.

See Add an osquery condition.

Cisco ISE release 3.4 patch 1

Assign dedicated resources for join points

From Cisco ISE release 3.4 patch 1, you can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points.

See Assign dedicated resources for join points.

Change of Authorization (CoA) for dictionary attributes using pxGrid Direct

From Cisco ISE release 3.4 patch 1, you can enable Change of Authorization (CoA) for dictionary attributes using pxGrid Direct. When the value of a CoA-enabled dictionary attribute changes, a CoA Port Bounce or Reauthentication is performed on the impacted endpoint.

See Change of Authorization (CoA) for dictionary attributes using pxGrid Direct.

Dynamic Reauthorization Scheduler

Starting with Cisco ISE release 3.4 patch 1 release, you can enhance access control by setting a predetermined expiration date and time for each session, ensuring sessions remain active only until the specified expiration, thereby preventing unauthorized access.

See Dynamic Reauthorization Scheduler.

Enable PAP/ASCII in FIPS Mode

From Cisco ISE release 3.4 patch 1, Cisco ISE allows configuration of the PAP/ASCII protocol in FIPS mode. You can enable RADIUS DTLS settings when configuring network devices to support the PAP/ASCII protocol in FIPS mode.

Integrate pxGrid Cloud applications using Integration Catalog

From Cisco ISE release 3.4 patch 1, you can use a native integration catalog interface on Cisco ISE to integrate with pxGrid cloud applications for a simplified integration experience. pxGrid Cloud apps can be integrated with Cisco ISE using the Integration Catalog (Administration > System > Deployment > Integration Catalog).

See Integrate pxGrid Cloud apps with Integration Catalog.

Inbound and Outbound SGT Domain Rules

You can create inbound SGT domain rules to map incoming SGT bindings with specific SGT domains. If no rules are defined, bindings received from workload connectors are sent to the default SGT domain.

You can create outbound SGT domain rules to designate target destinations for specific SGT bindings.

See Add inbound SGT domain rules and Add outbound SGT domain rules.

Preview Portal Customization

After making the changes in the Portal Page Customization page, you must click Render Preview to preview your content. You must click Refresh Preview every time to view the updated content.

See Preview Portal Customization.

Support ACI for Global Security Group

The naming convention for External EPGs (EEPGs) has changed from Cisco ISE release 3.4 to Cisco ISE release 3.4 patch 1. In Cisco ISE release 3.4, EEPGs are named "ISE_SGT_<SGT_TAG>", with "ISE_SGT_" as a constant prefix followed by the Security Group Tag (SGT). In Cisco ISE release 3.4 patch 1, the format changes to "ISE_<SG_NAME>", using "ISE_" as the constant prefix followed by the Security Group (SG) name.

Workload Classification Rules

Workload classification rules can be used to classify the workloads and to assign primary and secondary SGTs to the workloads. The primary SGT is marked as “Security Group” in the pxGrid session topic and is used to publish IP-to-SGT mappings via SXP. Secondary SGTs are included in the pxGrid session topic as an ordered array named “Secondary Security Groups”.

See Add workload classification rules.

Workload Connectors

Common Policy is a framework for building and enforcing consistent access and segmentation policies, regardless of the domain. Workload Connectors are used in this framework to build secure connections with on-premise and cloud data centers, import application workload context, normalize that context into SGTs, and share the context with other domains for building policies.

See Workload Connectors.

Workloads Live Session

The Workloads Live Session page displays the details about the live workload sessions. To view this page, in the Cisco ISE GUI, click the Menu icon and choose Operations > Workloads > Workloads Live Session.

See Workloads live session.

Cisco ISE release 3.4

Cisco ISE Resiliency

From Cisco ISE release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE.

See Cisco ISE Alarms.

Configure Debug Log Settings

You can configure the maximum file size and the maximum number of files allowed for each debug log component. You can also specify the date and time after which these values must be reset to default.

See Configure debug log settings.

Create a URL Pusher pxGrid Direct Connector Type

You can create a pxGrid Direct connector using the Cisco ISE GUI. There are two types of pxGrid Direct connector types: URL Fetcher and URL Pusher. From Cisco ISE release 3.4, you can choose between a URL Fetcher pxGrid Direct connector type or a URL Pusher pxGrid Direct connector type. You can use the pxGrid Direct Push APIs to push endpoint data to Cisco ISE.

From Cisco ISE release 3.4, you can also configure an authorization profile using connector attributes containing arrays.

See Create a URL Pusher Connector Type.

From Cisco ISE release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate to native IPsec from legacy IPsec (ESR) before upgrading to Cisco ISE release to avoid any loss of tunnel and tunnel configurations.

See Migrate from Legacy IPsec to Native IPsec on Cisco ISE.

Enforcing Domain Controller Selection with Priority

You can now choose to override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover. When this option is enabled, Cisco ISE overrides the existing priority values and selects the next domain controller in the preferred list in the order of input from left to right.

See Configure Preferred Domain Controllers.

Enhanced Password Security

Cisco ISE now improves password security through the following enhancements:

• You can choose to hide the Show button for the following field values, to prevent them from being viewed in plaintext during editing:

  Under Network Devices,

  • RADIUS Shared Secret

  • Radius Second Shared Secret

  Under Native IPsec,

  • Pre-shared Key

  See Configure security settings.

• To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.

  See Network Devices Import Template Format.

On-demand pxGrid Direct Data Synchronization using Sync Now

From Cisco ISE release 3.4, you can use the Sync Now feature to perform on-demand synchronization of data from pxGrid Direct connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.

See On-demand pxGrid Direct Data Synchronization using Sync Now.

Option to Add Identity Sync After Creating Duo Connection

If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly.

After you create a Duo connection, you can add identity sync configurations at any time.

See Integrate Cisco Duo with Cisco ISE for multifactor authentication.

Per-user Dynamic Access Control List Behavior Change

While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard.

See Downloadable ACLs.

Support for Multiple Cisco Application Centric Infrastructure Connectors

Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs), endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco ISE.

You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and Cisco ACI connectors.

Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics.

See Connect Cisco Application Centric Infrastructure with Cisco ISE.

pxGrid Direct Support for Arrays in Dictionary Groups for Authorization Policy

From Cisco ISE release 3.4, you can also use pxGrid Direct Connector data with arrays as dictionary attributes to configure an authorization policy. The operators “Contains” or “Matches” (in case of REGEX) must be used while configuring the policy. The operators ”Equals” and “In” will not work when there are arrays. Multiple attributes can be nested using "AND" or "OR" conditions.

See Configure Authorization Policies.

RADIUS Suppression and Reports Enhancement

From Cisco ISE release 3.4, the RADIUS Suppression and Reports have been enhanced to facilitate easier RADIUS (Administration > System > Settings > Protocols > RADIUS > RADIUS Settings) configurations.

See RADIUS Settings.

Support for Transport Gateway Removed

Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:

• Cisco ISE Smart Licensing

  If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE release 3.4. You must choose a different connection method as Cisco ISE release 3.4 does not support Transport Gateway. If you update to Cisco ISE release 3.4 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.

• Cisco ISE Telemetry

  Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.

TLS 1.3 Support for Cisco ISE Workflows

Cisco ISE release 3.4 allows TLS 1.3 to communicate with peers for the following workflows:

• Cisco ISE is configured as an EAP-TLS server

• Cisco ISE is configured as a TEAP server

  Attention

  TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested under internal test conditions because at the time of Cisco ISE release 3.4, TEAP TLS 1.3 is not supported by any available client OS.

• Cisco ISE is configured as a secure TCP syslog client

See Configure security settings.