New and changed information

This table summarizes the new and changed features and tells you where they are documented.

Table 1. New and changed features in Cisco ISE release 3.5 and cumulative patches (columns: Feature, Description)

Cisco ISE release 3.5 patch 3

Workload Connector Endpoints dashboard

The Workload Connector Endpoints page in Context Visibility enables you to efficiently gather, analyze, and report data related to Workload connectors. This tab displays endpoint attribute information collected from the Workload Connectors page. By clicking on an endpoint's IP address, you can access or download detailed attribute information for endpoint analysis.

Refer to The Workload Connector Endpoints dashboard.

High availability and failover support for TC-NAC nodes in Cisco ISE

High availability and failover support for TC-NAC nodes is now available, ensuring continuous Cisco ISE service in the event of a primary TC-NAC node failure. You can configure up to two TC-NAC nodes per deployment: one primary and one secondary, with the primary node assuming the active TC-NAC role. If only one TC-NAC node is present, it automatically becomes primary and assumes the active role. All role changes are tracked in the Change Configuration Audit for compliance.

Refer to General node settings

Include Message-Authenticator in all Cisco ISE RADIUS response packets

Cisco ISE now allows including the Message-Authenticator RADIUS attribute in all response packets (Access-Accept, Access-Reject, and Access-Challenge). This setting can be enabled per-NAD or through Default Device settings.

Refer to Network device definition settings.
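The value of this setting is only realized if the receiving side checks the attribute, so here is an added example (not Cisco ISE code, and not from the ISE documentation) of how a RADIUS client or a packet-capture review tool verifies an Access-Accept that carries Message-Authenticator. Per RFC 2869 section 5.14 the attribute is HMAC-MD5 over Code, Identifier, Length, the Request Authenticator from the matching Access-Request, and the attributes with the Message-Authenticator value zeroed; the Response Authenticator (RFC 2865 section 3) is checked as well. The shared secret, identifier, Request Authenticator and Reply-Message value are constructed sample data. Because the HMAC is keyed with the shared secret, it gives the NAD an integrity check that is independent of the MD5-based Response Authenticator, and the verifier reports the attribute as absent (rather than silently passing) so a caller can reject responses that lack it.

```python
# Added example (not Cisco ISE code): verify the Message-Authenticator and the
# Response Authenticator on a RADIUS Access-Accept. Secret, identifier, Request
# Authenticator and attributes below are constructed sample values.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18            # attribute type (RFC 2865)
MESSAGE_AUTHENTICATOR = 80    # attribute type (RFC 2869)


def parse_attributes(payload: bytes) -> list:
    """Return [(offset, type, value)] for every TLV in the attribute section."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((i, atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def verify_response(packet: bytes, secret: bytes, request_auth: bytes) -> dict:
    """Check both integrity fields of a RADIUS response.

    Response Authenticator (RFC 2865 s.3):
        MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    Message-Authenticator (RFC 2869 s.5.14) in Access-Accept/Reject/Challenge:
        HMAC-MD5(Secret, Code + ID + Length + RequestAuth + Attributes),
        with the attribute's own 16-byte value zeroed while computing.
    message_authenticator is None when the attribute is absent, so a caller
    that requires it (as the ISE setting intends) can reject such responses.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    header, response_auth, payload = packet[:4], packet[4:20], packet[20:]
    attrs = parse_attributes(payload)

    expected_ra = hashlib.md5(header + request_auth + payload + secret).digest()
    result = {"code": code, "id": ident,
              "response_authenticator": hmac.compare_digest(expected_ra, response_auth),
              "message_authenticator": None}

    found = [(off, val) for off, atype, val in attrs if atype == MESSAGE_AUTHENTICATOR]
    if found:
        off, val = found[0]
        if len(val) != 16:
            raise ValueError("Message-Authenticator must be 16 bytes")
        zeroed = payload[:off + 2] + b"\x00" * 16 + payload[off + 18:]
        expected_ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
        result["message_authenticator"] = hmac.compare_digest(expected_ma, val)
    return result


def build_access_accept(ident: int, secret: bytes, request_auth: bytes,
                        attrs: list, include_ma: bool = True) -> bytes:
    """Build an Access-Accept the way a server that includes Message-Authenticator would."""
    payload = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if include_ma:
        ma_off = len(payload)
        payload += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(payload))
    if include_ma:
        ma = hmac.new(secret, header + request_auth + payload, hashlib.md5).digest()
        payload = payload[:ma_off + 2] + ma + payload[ma_off + 18:]
    response_auth = hashlib.md5(header + request_auth + payload + secret).digest()
    return header + response_auth + payload


# Constructed sample data (not from any real exchange).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))       # would be taken from the matching Access-Request
SAMPLE = build_access_accept(7, SECRET, REQUEST_AUTH, [(REPLY_MESSAGE, b"welcome")])


def tamper(packet: bytes) -> bytes:
    """Flip one bit in the first attribute value (offset 22) to simulate in-transit modification."""
    b = bytearray(packet)
    b[22] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    print("genuine: ", verify_response(SAMPLE, SECRET, REQUEST_AUTH))
    print("tampered:", verify_response(tamper(SAMPLE), SECRET, REQUEST_AUTH))
```

On the genuine packet both checks return True; after the single-bit change both return False, and a packet built without the attribute reports message_authenticator as None.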

OAuth support for MDM vendors

You can enhance security by using OAuth 2.0 to integrate with MDM vendors. When adding a server, you can choose from two new authentication types: OAuth - Client Credentials - Intune or OAuth - Client Credentials - Generic.

Refer to Configure MDM servers in Cisco ISE.

SGACL syntax validation check

You can use the syntax validation feature in Cisco ISE to check your SGACL commands for accurate policy configuration. SGACL syntax can be validated while creating or editing ACLs by clicking the Validate Syntax. You can verify commands against standard IPv4 and IPv6 formats.

Refer to Add security group access control lists.
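For readers who manage SGACL content outside the GUI (exports, templates, change review), here is an added example (not Cisco ISE code) of the kind of check the Validate Syntax button performs. The accepted grammar is an assumption made for illustration, a common subset of the SGACL ACE form ({permit | deny} protocol [src op port [port]] [dst op port [port]] [log]), not a statement of exactly what Cisco ISE accepts; the sample ACLs are constructed.

```python
# Added example (not Cisco ISE code): validate a subset of SGACL ACE syntax.
# Assumed grammar (illustration only, not the full ISE grammar):
#   {permit|deny} <proto> [src <op> <port> [<port>]] [dst <op> <port> [<port>]] [log]
#   <op> in eq|neq|gt|lt|range; ports numeric 0-65535; port clauses only for tcp/udp.
from typing import List, Tuple

ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp", "gre", "eigrp", "ospf", "pim"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
PORT_PROTOCOLS = {"tcp", "udp"}


def _port(tok: str) -> int:
    if not tok.isdigit() or not 0 <= int(tok) <= 65535:
        raise ValueError(f"invalid port {tok!r} (expected 0-65535)")
    return int(tok)


def validate_ace(line: str) -> None:
    """Raise ValueError describing the first problem in one ACE; return None if it is valid."""
    tokens = line.lower().split()
    if len(tokens) < 2:
        raise ValueError("expected '<permit|deny> <protocol> ...'")
    action, proto = tokens[0], tokens[1]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    i, seen = 2, set()
    while i < len(tokens) and tokens[i] in ("src", "dst"):
        side = tokens[i]
        if side in seen:
            raise ValueError(f"duplicate {side} clause")
        seen.add(side)
        if proto not in PORT_PROTOCOLS:
            raise ValueError(f"{side} port clause not allowed for protocol {proto!r}")
        if i + 2 >= len(tokens) or tokens[i + 1] not in PORT_OPS:
            raise ValueError(f"{side} must be followed by one of {sorted(PORT_OPS)} and a port")
        op = tokens[i + 1]
        lo = _port(tokens[i + 2])
        i += 3
        if op == "range":
            if i >= len(tokens):
                raise ValueError("range requires two ports")
            hi = _port(tokens[i])
            i += 1
            if lo >= hi:
                raise ValueError(f"range {lo}-{hi} must be ascending")
    if i < len(tokens) and tokens[i] == "log":
        i += 1
    if i != len(tokens):
        raise ValueError(f"unexpected token {tokens[i]!r}")


def validate_sgacl(text: str) -> List[Tuple[int, str, str]]:
    """Validate every non-empty line; return [(line_no, line, error)], empty when the ACL is valid."""
    errors = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):   # assumption: '!' starts a comment line
            continue
        try:
            validate_ace(line)
        except ValueError as e:
            errors.append((n, line, str(e)))
    return errors


# Constructed sample ACLs.
VALID = """permit tcp dst eq 443
permit tcp dst range 8080 8090 log
permit udp src eq 53 dst eq 53
permit icmp
deny ip log"""

INVALID = """permit tcp dst eq 70000
permit icmp dst eq 80
allow ip
permit tcp dst range 9000 8000
permit udp src eq 53 src eq 67
permit tcp dst eq 443 lg"""

if __name__ == "__main__":
    print("valid ACL errors:", validate_sgacl(VALID))
    for n, line, err in validate_sgacl(INVALID):
        print(f"line {n}: {line!r}: {err}")
```

The validator reports one error per line, which is what you want from a pre-commit hook: the valid sample returns an empty list, and each of the six lines in the invalid sample produces a specific message (out-of-range port, port clause on icmp, unknown action, descending range, duplicate src clause, stray token).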

Support for Windows Server 2025

You can use Windows Server 2025 Active Directory domains as an external identity source in Cisco ISE for your identity management needs. This support allows you to integrate with the latest Windows Server infrastructure to manage user and machine authentications. Due to enhanced security settings in Windows Server 2025, password changes done through EAP-MS-CHAPv2 and EAP-GTC are disabled by default.

Refer to Modify password changes, machine authentications, and machine access restriction settings and Allowed protocols.

Enhanced FQDN ACLs with post-auth ACLs

You can use IP and hostname SGT static mappings in Cisco ISE to deploy SGT information across your TrustSec environment. These mappings can be configured in Cisco ISE to ensure that all resolved IP addresses for a specific hostname are captured and mapped to the correct SGT. This feature is particularly useful for global deployments where a single hostname may resolve to different IP addresses depending on the location.

Refer to IP and hostname SGT static mapping.

Allow server EKU certificates for Cisco pxGrid and IMS

Cisco ISE now supports using server certificates with only the server authentication EKU for Cisco pxGrid and IMS. This update ensures your services remain compatible with new public CA standards.

Refer to Allow server EKU certificates for Cisco pxGrid and IMS

Support for HTTP 2.0

From Cisco ISE release 3.5 patch 3, the API gateway supports HTTP 2.0-based requests.

Refer to Set up the Cisco ISE API Gateway.

Continuous reassessment

Continuous reassessment helps you monitor endpoint health and posture in real time using Cisco Secure Client. When you enable this option, Cisco Secure Client performs continuous reassessment and detects posture changes as they occur for certain events and at regular intervals of 10 minutes for others. This capability helps you quickly identify dynamic posture changes and enhances visibility into endpoint behavior through continuous monitoring and reporting.

Refer to Continuous reassessment of endpoints.

IPv6 Support for TrustSec Policy download and servers list via RADIUS

Cisco ISE now supports IPv6 for TrustSec AAA Servers in addition to IPv4. This enhancement enables TrustSec devices to authenticate against Cisco ISE servers using IPv6 addresses, thereby improving network flexibility and deployment options.

Refer to Configure Cisco TrustSec AAA Servers.

IPv6 support for SXP

You can now enable the SXP service for IPv6 nodes by selecting the Enable SXP Service check box under Deployment Settings. The IPv6 Address field is automatically populated when you select the network interface, and a new field called Node ID has been added. The Node ID is an IPv4 address that uniquely identifies the SXP node within the network. If the interface has an IPv4 address or is configured as dual-stack, the Node ID is auto-populated. However, if the interface uses only an IPv6 address, you must manually enter an IPv4 address for the Node ID.

Refer to General node settings.

Cisco ISE release 3.5 patch 2

There are no new features in Cisco ISE release 3.5 patch 2.

Cisco ISE release 3.5 patch 1

USB disk encryption condition

You can use the All External USB Drives option (under Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition) to check if external disk drives are encrypted with the selected product.

When a USB drive is inserted, Cisco ISE dynamically detects the insertion, immediately evaluates the USB drive condition, and checks the compliance status of the endpoint. This process ensures continuous monitoring and enforcement of posture policies related to USB devices while the endpoint remains within the Cisco ISE-controlled network.

Refer to Disk Encryption Condition settings.

OAuth support for SMTP

You can enable or disable authentication settings for your Simple Mail Transfer Protocol (SMTP) servers in the Cisco ISE GUI. This release adds support for Microsoft OAuth authentication, in addition to basic password authentication.

Refer to Configure SMTP Server to Support Notifications.

Enhancements to user attribute monitoring for CoA

For CoA based on Microsoft Entra ID attribute updates, these enhancements are now available for user attribute monitoring:

  • New date and time attributes are added to the list of existing user attributes.

  • You can now select custom directory extension attributes in this format: extension_<GUID>_<attributeName> available in the User Attributes tab.

Refer to CoA based on Microsoft Entra ID attribute updates.

OpenID Connect authentication for self-registered guest portal

Cisco ISE supports OpenID Connect (OIDC) authentication for self-registered guest portals. You can configure Microsoft Entra ID or a generic OIDC identity provider, such as Okta, as the identity store for authenticating the endpoints in the guest flow.

If you have selected Microsoft Entra ID as the identity provider, you can fetch the groups and attributes from Microsoft Entra ID using the Microsoft Graph API. You can also use the ID token or the UserInfo Endpoint API to fetch the groups and attributes from Microsoft Entra ID.

Refer to OpenID Connect authentication for self-registered guest portal.

Cisco ISE release 3.5

Cloud Multi-Factor Classification Profiler

The Cloud Multi-Factor Classification (MFC) Profiler in Cisco ISE enhances endpoint classification by sharing observed attributes with the cloud for analysis. It improves endpoint labeling, grouping, and policy application, supporting both standalone and distributed deployments.

To register the Cisco ISE instance on the cloud, go to Administration > FeedService > Cloud Multi-Factor Classification Profiler, select the region, and click Enable. You will then be redirected to the Cisco authentication portal and prompted to enter Cisco login credentials.

Refer to Cloud Multi-Factor Classification Profiler.

DoDIN APL support

Cisco ISE release 3.5 is undergoing testing for Department of Defense Information Network Approved Products List (DoDIN APL) certification in the Network Access Controller (NAC) category. After testing completes and certification is received, Cisco posts the certification details on the DoDIN APL website.

Refer to Federal or Security Certifications.

Assign dedicated resources for join points

You can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points.

Refer to Assign dedicated resources for join points.

Addition of country code dropdown when resetting the guest password

From Cisco ISE release 3.5, the password reset process for self-registered guests includes a new country code drop-down. Now, when a self-registered guest selects the "Phone" option to reset their password, the system displays a country code drop-down. The guest user can select an appropriate country code before entering their phone number.

Refer to Login Page Settings for Credentialed Guest Portals

Federal or security certifications

Cisco ISE release 3.5 enhances its support for key federal and security certifications. This release aligns with the Network Device Collaborative Protection Profile (NDcPP) v3.0e for Common Criteria certification, with testing including Secure Shell (SSH) and authentication server PP-Modules.

Additionally, Cisco ISE release 3.5 is planned for:

  • DoDIN APL certification,

  • FIPS 140-3 compliance review, and

  • USGv6 certification and IPv6 Ready logo certification in the host category.

Refer to Federal or Security Certifications

FIPS 140-3 support

Cisco ISE now supports FIPS 140-3 mode. This mode enhances cryptographic security and compliance by enforcing FIPS-approved protocols, algorithms, and key sizes, and by disabling non-compliant cipher suites and protocol versions. The enforcement applies to components including IPsec, SSHv2, LDAPS, pxGrid, pxGrid Direct, TC-NAC Tenable, and pxGrid Cloud.

Refer to Federal Information Processing Standards Mode Support.

OAuth2 authentication support for pxGrid Direct

Cisco pxGrid Direct now supports three authentication methods (Basic, API Key, and OAuth2) when creating a URL Fetcher pxGrid Direct Connector through the Cisco ISE GUI.

Refer to Create a URL Fetcher Connector Type.

Monitor profiler traffic probes

New enhancements are introduced to improve the resiliency and stability of the Cisco ISE profiler under high traffic deployments.

  • A new mechanism for managing chatty endpoints pauses probe-related processing for a predefined cool-off period, reducing system strain.

  • Profiler queue utilization is managed based on defined thresholds (moderate, high, and maximum load).

    This ensures critical tasks are prioritized and system stability is maintained during peak loads.

Refer to Monitor profile traffic probes.

New alarms for slow external resources and excessive TACACS+ activity

Five new alarms are introduced to enhance system monitoring and troubleshooting in Cisco ISE.

These alarms help identify and address issues such as delays in external systems or excessive communication traffic from TACACS+ devices:

  • High ping latency between ISE nodes

  • Slow Active Directory detected

  • Slow LDAP connection detected

  • Slow ODBC connection detected

  • Excessive TACACS communication detected

Refer to Cisco ISE Alarms.

New profiling service for improved efficacy

You can create Multi-Factor Classification (MFC)-based profiling policies in Cisco ISE to categorize unidentified endpoints using rule-based classification. Labels are automatically assigned through custom or direct mapping rules, ensuring a consistent endpoint categorization process:

Custom Rules: Allow you to define profiling criteria tailored to your organization's needs, giving precise control over classification based on the attributes you choose.

Direct Mapping Rules: Allow you to use specific attributes or identifiers (e.g., mdmOSVersion or mdmManufacturer) to classify devices directly.

Additionally, Cisco ISE continues to support AI/ML and system rules from earlier releases for enhanced profiling capabilities.

Refer to Profiling policies.

Send CoA after Entra ID attribute is changed

Cisco ISE allows you to monitor changes in user or device attributes within your Microsoft Entra ID instance and dynamically enforce updated network access policies. By defining authorization policies with monitored attributes and using SAML to fetch them, Cisco ISE can detect attribute changes, trigger a CoA, and reapply updated access permissions after reauthentication. This ensures alignment between authorization decisions and the latest attribute changes.

Refer to Configure attribute monitoring rules for Microsoft Entra ID.

Time restricted debug enabling

The time restricted debug enabling feature allows you to select a log level from a drop-down list and set a reset timer to revert to default settings. The selected node reverts to the default state after the timer expires.

Refer to Configure debug log settings.

Dynamic reauthorization scheduler

You can enhance access control by setting a predetermined expiration date and time for each session, ensuring sessions remain active only until the specified expiration, thereby preventing unauthorized access.

Refer to Dynamic reauthorization scheduler.

Support ACI for Global Security Group

The naming convention for External EPGs (EEPGs) has changed in Cisco ISE release 3.5. In Cisco ISE release 3.4, EEPGs were named "ISE_SGT_<SGT_TAG>", with "ISE_SGT_" as a constant prefix followed by the Security Group Tag (SGT).

In Cisco ISE release 3.5, the format changes to "ISE_<SG_NAME>", using "ISE_" as the constant prefix followed by the Security Group (SG) name.

Note: This update lacks migration support, so EFT customers must disable outbound rules before installing Cisco ISE release 3.5 and re-enable them after completing the installation.

Probe Status dashboard

The Probe Status dashboard in Operations > System 360 > Log Analytics > Dashboards displays all the active profiling probes, network access device (NAD) probe status, and endpoint probe details received by Cisco ISE. Use the filters to choose a specific PSN, PSN group, or NAD for more granular results.

You can verify whether the NADs are configured properly by analyzing the probes generated for each PSN or NAD. You can analyze the probe packets generated and update the probe and NAD configurations accordingly.

Refer to Log Analytics.

Profile infrastructure endpoints using SNMP

The Simple Network Management Protocol (SNMP) scan classifies network endpoints and creates profiling policies. It uses probe data to perform scheduled or on-demand SNMP scans across specific subnets or IP address ranges. It collects detailed OS and hardware information using SNMP.

Refer to SNMP Scans for Endpoint Profiling.

Remote support authorization

The remote support authorization allows a Cisco ISE administrator to authorize a specific Cisco TAC specialist to remotely and securely access the Cisco ISE deployment through CLI, UI, or both to troubleshoot and gather information.

Refer to Remote Support Authorization.

TACACS+ support to prevent Active Directory user lockout

The Prevent Active Directory User Lockout option reduces the frequency of lockouts resulting from multiple incorrect password attempts. This option is supported by both RADIUS and TACACS+ protocols.

Refer to Configure Maximum Passwords Attempts for Active Directory.

User and device authorization using Entra ID EAP-TLS and TEAP-TLS

From Cisco ISE release 3.5, certificate-based authentication is supported for both user and device flows. You can create authorization policies to authorize both users and devices through EAP or TEAP chaining. Cisco ISE evaluates the certificate presented by the device or user during authentication, without directly accessing Microsoft Entra ID. REST ID store attribute condition or REST ID store group can be used in the authorization policies. Cisco ISE queries Microsoft Entra ID to retrieve groups and attributes of the user or device, and device-related information.

Refer to EAP-TLS and TEAP Authentication with Microsoft Entra ID.

Use enhanced Endpoint Topics Settings to share Cisco ISE data

You can enhance network visibility and security by sharing endpoint attribute data with Cisco AI Endpoint Analytics and Cisco pxGrid Cloud using the enhanced Endpoint Topics Settings feature.

Refer to Create Authorization Policies with Endpoint-Analytics Attributes.

Support for TACACS over TLS authentication

You can enable TACACS over TLS authentication for network devices to enforce additional security. Cisco ISE validates the certificate presented by the network device against these Subject Alternative Name (SAN) attributes:

  • IP address (iPAddress)

  • DNS name (dNSName)

  • directory name (directoryName)

Validation succeeds if any one of these attributes matches a configured value and fails otherwise. Multiple values are supported for each SAN attribute.

Refer to Network Device Definition Settings.
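The "any attribute matches, several values per attribute" rule above has a few edge cases a practitioner will hit in practice: IPv6 addresses in certificates are rarely written in the same textual form as in the configuration, DNS names differ in case or carry a trailing dot, and directory names must be compared RDN by RDN. Here is an added example (not Cisco ISE code, and not a description of how ISE implements the check internally) of SAN matching that handles those cases. The peer SAN uses the tuple layout that Python's ssl.getpeercert() returns for subjectAltName; the certificate entries and allowed values are constructed, and the short-to-long attribute-name map for directoryName is an assumption covering only common RDN types.

```python
# Added example (not Cisco ISE code): match a peer certificate's SAN entries
# against per-attribute allowed values (any one match succeeds, several values
# per attribute). Peer SAN is in ssl.getpeercert()['subjectAltName'] layout.
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# ssl.getpeercert() SAN kind -> GeneralName attribute name used in the text
KIND_TO_ATTR = {"IP Address": "iPAddress", "DNS": "dNSName", "DirName": "directoryName"}

# Assumption: map of common RDN short names to the long names ssl reports.
SHORT = {"c": "countryname", "o": "organizationname", "ou": "organizationalunitname",
         "cn": "commonname", "st": "stateorprovincename", "l": "localityname"}


def norm_ip(v: str) -> str:
    # Canonical textual form, so "2001:DB8:0:0::1" and "2001:db8::1" compare equal.
    return str(ipaddress.ip_address(v))


def norm_dns(v: str) -> str:
    return v.strip().rstrip(".").lower()


def _attr(k: str) -> str:
    k = k.strip().lower()
    return SHORT.get(k, k)


def norm_dirname(v) -> Tuple[Tuple[str, str], ...]:
    """Flatten a DN to ((attr, value), ...) keeping RDN order (order is significant in a DN).
    Accepts either ssl's nested tuples or a config string like "C=US, O=Example, CN=nad1"
    (limitation: escaped commas inside values are not handled)."""
    if isinstance(v, str):
        parts = [p.split("=", 1) for p in v.split(",")]
        return tuple((_attr(k), val.strip()) for k, val in parts)
    return tuple((_attr(k), val) for rdn in v for k, val in rdn)


NORMALIZERS = {"iPAddress": norm_ip, "dNSName": norm_dns, "directoryName": norm_dirname}


def san_matches(peer_san: Iterable[Tuple[str, object]],
                allowed: Dict[str, List[object]]) -> Optional[Tuple[str, object]]:
    """Return the first (attribute, certificate value) that matches a configured value,
    or None when nothing matches (validation fails)."""
    wanted = {attr: {NORMALIZERS[attr](v) for v in vals} for attr, vals in allowed.items()}
    for kind, value in peer_san:
        attr = KIND_TO_ATTR.get(kind)
        if attr is None or attr not in wanted:
            continue      # e.g. an email or URI SAN: not one of the validated attributes
        try:
            if NORMALIZERS[attr](value) in wanted[attr]:
                return attr, value
        except ValueError:
            continue      # malformed IP literal in the certificate: treat as no match
    return None


# Constructed sample data (no real certificate or device).
PEER_SAN = (
    ("DNS", "NAD1.Example.COM."),
    ("IP Address", "2001:DB8:0:0::1"),
    ("DirName", ((("countryName", "US"),), (("organizationName", "Example"),),
                 (("commonName", "nad1"),))),
    ("email", "noc@example.com"),
)
ALLOWED = {
    "iPAddress": ["10.0.0.1", "2001:db8::1"],
    "dNSName": ["nad1.example.com"],
    "directoryName": ["C=US, O=Example, CN=nad1"],
}

if __name__ == "__main__":
    print(san_matches(PEER_SAN, ALLOWED))
    print(san_matches(PEER_SAN, {"dNSName": ["nad2.example.com"]}))
```

With the sample data the DNS entry matches first despite the different case and trailing dot; restricting the allowed set to the IPv6 address still matches through canonicalization, and an allowed set that names only a different host yields None, which is the failure branch.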

TLS 1.3 support for additional Cisco ISE workflows

Cisco ISE release 3.5 supports TLS 1.3 for:

  • Portals (Self-Registered Guest portal, Sponsor portal, and Hotspot portal)

  • pxGrid

  • TACACS+

  • Cisco Catalyst Center integration

  • Cisco Meraki integration

  • Cisco Duo integration

  • PEAP workflows

  • posture feed service communication

Refer to Configure security settings.

Workload Connectors

Common Policy is a framework for building and enforcing consistent access and segmentation policies, regardless of the domain. Workload Connectors are used in this framework to build secure connections with on-premise and cloud data centers, import application workload context, normalize that context into SGTs, and share the context with other domains for building policies.

Refer to Workload Connectors.

Integrate pxGrid Cloud applications using Integration Catalog

You can use a native integration catalog interface on Cisco ISE to integrate with pxGrid cloud applications for a simplified integration experience. pxGrid Cloud apps can be integrated with Cisco ISE using the Integration Catalog (Administration > System > Deployment > Integration Catalog).

Refer to Integrate pxGrid Cloud apps with Integration Catalog.

Change of Authorization (CoA) for dictionary attributes using pxGrid Direct

You can enable Change of Authorization (CoA) for dictionary attributes using pxGrid Direct. When the value of a CoA-enabled dictionary attribute changes, a CoA Port Bounce or Reauthentication is performed on the impacted endpoint.

Refer to Change of Authorization (CoA) for dictionary attributes using pxGrid Direct.

Security service insertion

Security service insertion enhances network security by steering the traffic through firewalls based on predefined policies. This supports a zero-trust security solution. Security service insertion supports wired and wireless deployments and is compatible with Cisco and third-party firewalls, including on-premises and cloud-hosted solutions.

Cisco ISE APIs play a crucial role in security service insertion by facilitating policy creation and allowing network devices to retrieve and enforce policies based on the configured source security groups.

Refer to Security service insertion.

New TrustSec telemetry attributes

New TrustSec telemetry attributes have been added to enhance the monitoring of your deployment and collect data on how TrustSec and Cisco ISE are used.

Refer to Information that Telemetry Gathers.

Export all network devices to repository

While exporting network devices from Cisco ISE, you can choose Export All to Repository to export all the network devices to a remote repository. An email with instructions on how to access the exported data is sent to the registered email address.

Refer to Export Network Devices from Cisco ISE.

Changes in Cisco ISE licensing strategy

From Cisco ISE release 3.5, some features covered by the Cisco ISE Advantage license, such as pxGrid, pxGrid Direct, profiling services, and TrustSec, consume licenses according to the number of active endpoints using each feature. Note that enforcement for out-of-compliance licenses is not currently implemented.

Refer to Tier Licenses.

Support for osquery condition

You can create an osquery condition to check the posture compliance status of an endpoint or fetch the required attributes from an endpoint.

Note: For osquery condition support, you must use compliance module 4.3.3394 or later and Cisco Secure Client 5.1.7 or later.

Refer to Add an osquery condition.

API keys and certificate authentication support for Tenable Security Center

These authentication methods are additionally supported for Tenable Security Center:

  • API Keys: Enter the Access key and Secret key of the user account that has access privileges in Tenable Security Center.

    API keys authentication is supported for Tenable Security Center 5.13.x and later releases.

  • Certificate Authentication: From the Authentication Certificate drop-down list, choose the required certificate.

    After successful authentication, Cisco ISE will retrieve the customer configured template from Tenable Security Center.

Refer to API keys and certificate authentication support for Tenable Security Center.

Inbound and Outbound SGT Domain Rules

You can create inbound SGT domain rules to map incoming SGT bindings with specific SGT domains. If no rules are defined, bindings received from workload connectors are sent to the default SGT domain.

You can create outbound SGT domain rules to designate target destinations for specific SGT bindings.

Refer to Add inbound SGT domain rules and Add outbound SGT domain rules.

Workload Classification Rules

Workload classification rules can be used to classify the workloads and to assign primary and secondary SGTs to the workloads. The primary SGT is marked as “Security Group” in the pxGrid session topic and is used to publish IP-to-SGT mappings via SXP. Secondary SGTs are included in the pxGrid session topic as an ordered array named “Secondary Security Groups”.

Refer to Add workload classification rules.

Workloads Live Session

The Workloads Live Session page displays the details about the live workload sessions. To view this page, in the Cisco ISE GUI, click the Menu icon and choose Operations > Workloads > Workloads Live Session.

Refer to Workloads live session.