New and changed information


Note


Cisco ISE release 3.6 and the corresponding guides are available in a phased rollout. Until the software becomes generally available, contact your Cisco account manager to request this release. Upon completion of the phased rollout, Cisco ISE release 3.6 and the corresponding guides will be made generally available to all customers.


This table summarizes the new and changed features and tells you where they are documented.

Table 1. New and changed features in Cisco ISE release 3.6

Feature

Description

Cisco ISE release 3.6 Beta

Support for Network Time Security for NTP server configuration

Network Time Security (NTS) is supported for NTP server configurations. NTS provides authentication for NTP servers and clients, increasing the security of time synchronization.

You can enable the Trust for Network Time Security (NTS) option in the Trust Store in the Cisco ISE GUI for certificates to authenticate NTP servers or clients that use NTS.

You can also enable NTS support through the Cisco ISE CLI by using these configuration options added to the ntp server command:

  • nts: Enables NTS for the NTP server.

  • port: Specifies the NTS port number. The range is 1 through 65535, with a default value of 4460. This option is applicable only when NTS is enabled.

Refer to Specify System Time and Network Time Protocol Server Settings.

SGACL syntax validation check

You can use the syntax validation feature in Cisco ISE to check your SGACL commands for accurate policy configuration. SGACL syntax can be validated while creating or editing ACLs by clicking Validate Syntax. You can verify commands against standard IPv4 and IPv6 formats.

Refer to Add security group access control lists.

Support for SSH key-based passwordless authentication

SSH key-based authentication is supported for Active Directory, REST ID Store, and Internal Users, providing a secure alternative to traditional password-based methods. This feature utilizes cryptographic key pairs, allowing Cisco ISE to securely store public keys and eliminating the need for password transmission over the network. By reducing the risk of interception and brute-force attacks, this enhancement supports automated workflows and scalable, unattended logins through strong encryption and improved access management.

Refer to Enable SSH key-based passwordless authentication in Active Directory, To Add Users, and Configure SSH key-based passwordless authentication in REST ID store, respectively.

Support for SMB version 3.x

From Cisco ISE release 3.6, SMB version 3.x is used by default.

If Active Directory does not permit SMB version 3.x, Cisco ISE automatically falls back to SMB version 2.x.

Refer to SMB protocol usage and fallback behavior in Cisco ISE.

Continuous reassessment

Continuous reassessment helps you monitor endpoint health and posture in real time using Cisco Secure Client. When you enable this option, Cisco Secure Client performs continuous reassessment and detects posture changes as they occur for certain events and at regular intervals of 10 minutes for others.

This capability helps you quickly identify dynamic posture changes and enhances visibility into endpoint behavior through continuous monitoring and reporting.

Refer to Continuous reassessment.

Export and import posture policies

You can now efficiently manage posture policies and maintain compliance across multiple environments with the export and import feature in Cisco ISE. This capability facilitates the seamless transfer of posture policy definitions between Cisco ISE instances, simplifying migrations and ensuring consistent configurations. The import process includes guided conflict resolution for rules and conditions, while exported files are secured with AES-GCM-256 encryption to maintain data integrity during transit.

Refer to Export the posture policies and Import the posture policies.

TrustSec policy download status

TrustSec policy downloads are optimized to reduce unnecessary data transfers in large deployments. When a device returns with a different generation ID (gen ID) than the one it was previously recognized with, the system automatically returns only the difference in the policy data rather than the entire policy set. If no changes have occurred, Cisco ISE responds with an HTTP 304 status code, indicating no changes.

Refer to Available Reports.

Policy refresh optimization

You can now monitor deployment status using the new tracker. Accessing this tracker allows you to view the list of devices included in the configuration push. For each push, the system tracks the specific changes sent to each device. Once a device sends an acknowledgment (ack), it automatically provides a detailed report back to Cisco ISE. This report confirms the changes applied and the current policy status, enabling you to verify successful deployment and troubleshoot if necessary.

Refer to Security Groups Configuration.

Enhanced alarm management and webhook integration

You can integrate webhooks with Cisco ISE to automatically send real-time data to other applications when alarms are triggered in Cisco ISE. Webhook integration uses web requests to deliver information in real time to configured endpoints.

Alarm management and notification workflows have been enhanced to provide greater visibility and control across your deployment. The streamlined Alarm Configuration page simplifies the management of dashboard, email, and webhook notification channels.

The updated Alarms tab features new Details and Summary views, enabling you to search, acknowledge, and mute alarms based on severity, node, or time range. These enhancements ensure you receive timely, actionable alerts for critical system events.

Refer to Alarm monitoring and configuration options and Add a Webhook receiver.