The time is NOW to Migrate from Cisco Identity Services Engine 2.X to 3.X
Cisco Identity Services Engine (ISE) version 3.X brings enhanced visibility, improved simplicity and enables journey to ...
Cisco Identity Services Engine (ISE) version 3.X brings enhanced visibility, improved simplicity and enables journey to the cloud. ISE is the Policy Decision Point (PDP) for Cisco's Zero Trust for the workplace, allowing organization to deploy zero trust to wired, wireless, remote access VPN and even device administration. Authentication, Authorization and Accounting (AAA) is performed using RADIUS and TACACS+ in the control plane to remove implicit trust and enforce least privilege. ISE 3.0, at the time writing, is the suggested release, meaning you will see that the download link has a blue-on-yellow star next to it, marking 3.0 as the release Cisco's product team recommends customers to download and deploy. Check out a quick overview ISE featuring some of the new 3.0 features from the ISE Homepage: cisco.com/go/ise
Video 1: ISE Overview
The following represents the top reasons, organizations are/should migrate to ISE 3.X:
- Simplified Management with a new UI & APIs
- Enhanced Posture capabilities including Agentless Posture & Endpoint Scripts
- Cloud Ready using AWS ISE Instances, VMware Cloud Support, & Azure AD Integration
Simplified Management
New Administrative User Interface (ISE 3.0)
Simplified configuration & management via a new User Interface that includes new Walk-throughs, troubleshooting via Debug Wizard, and many more new features.
SAML-Based Admin Login (ISE 3.1)
Most organizations are using SAML for authentication and SSO for many applications. Now ISE is one of those applications too. Admins can use their enterprise credentials and SAML to sign on to ISE. A full configuration example:
Configure ISE 3.1 ISE GUI Admin Login Flow via SAML SSO Integration with Azure ADGlobally Unique Identification (GUID) to track endpoints (ISE 3.0)
This ISE feature helps solve random & changing MAC address challenges caused by vendors introducing privacy features for consumers. This feature is leveraged in multiple services in ISE, e.g. Authentication, Posture, MDM Integration, SCCM Integration, etc. This also helps with devices that have multiple interfaces and the usage of dongles on laptops to connect to the network. HINT: Don't forget about endpoint purge policies to keep ISE endpoints clear of random MAC addresses.
Enhanced Posture
Agentless Posture & Endpoint Scripts (ISE 3.0)
This new posture type delivers a smaller footprint, and the temporary posture agent is not visible to the customer. AnyConnect is not required. Check out a demo of Agentless Posture below.
The Endpoint Scripts Wizard allows you to run scripts on connected endpoints to carry out administrative tasks that comply with your organization’s requirements. This includes tasks such as uninstalling obsolete software, starting or terminating processes or applications, and enabling or disabling specific services. Easily carry out administrative tasks on connected endpoints to comply with your organization’s requirements.
Linux Systems Posture (ISE 3.1)
Posture is a service in Cisco ISE that allows you to check the state of all the endpoints that are connecting to a network for compliance with corporate security policies. Cisco ISE 3.1 supports the following Linux operating system versions, in addition to Windows and Mac operating systems:
- Ubuntu: 18.04, 20.04
- Red Hat: 7.5, 7.9, 8.1, 8.2, 8.3, 8.5(ISE 3.1)
- SUSE: 12.3, 12.4, 12.5, 15.0, 15.1, 15.2
`Only custom remediation script is supported for Linux
Custom Remediation Scripts (ISE 3.1)
Endpoint scripts are also useful for posture remediation. Anything that can be performed in shell or PowerShell can be used to automate the remediation process of devices.
- Endpoint connects to the network
- Once trust has been established the script will be downloaded
- The script is triggered after verifying the hash
Scripts supported:
- Windows - Power shell - "".ps1""
- macOS - Shell Script - "".sh""
- Linux - Shell Script - "".sh""
Cloud Ready
Not only can you now run ISE in multiple clouds via VMware Cloud, but you can now deploy ISE on AWS natively starting in ISE 3.1. ISE has also added Zero Touch Provisioning utilizing orchestration and automation tools, such as AWS CloudFormation, HashiCorp's Terraform and RedHat's Ansible. If organizations have developers on their network or security operations teams, new openAPI support and software development kits(SDK) have been released allowing easy code integration using Python, go, or the developer's favorite language.
Also, starting in ISE 3.0, ISE can authenticate network access users with Azure Active Directory Support. 802.1X requires authentication for authorized network access but SAML/OAuth assumes connectivity for brokering between the user, SP, and IdP. ISE 3.0 allows you to authenticate users with 802.1X directly to Azure AD using OAuth Resource Owner Password Credentials (ROPC). ChallengePassword is sent unencrypted in EAP-TTLS tunnel.
Check out more info on cloud support in Cisco's overview video of ISE 3.1!
TIP ModernCyber's NAC as a Service (NACaaS) utilizes the capabilities in ISE 3.1 to gives organizations the freedom to adopt NAC and ISE without the hassles of managing ISE Infrastructure components, spending your weekends upgrading or patching ISE, or finding ISE experts for your organization. |
Full ISE 3.X List of Features
ISE 3.X brings a ton of new features laid out in the release notes. Release Notes for Cisco Identity Services Engine, Release 3.0
- Debug Wizard by Function
- SAML SSO for Multi-Factor Authentication
- Support for Cisco ISE on VMware Cloud on Amazon Web Services and Azure VMware Solution
- Multiple Attributes Lookup for ODBC Identity Store
- Cisco ISE API Gateway
- Certificate Fingerprinting
- MSRPC Protocol for Passive ID Service
- Health Check
- Telemetry Updates
- TCP Dump Enhancements
- Resource Owner Password Credentials Flow to Authenticate Users with Azure Active Directory
- Interactive Help
- New pxGrid Pages
- Configuration of Baseline Policies from Desktop Device Manager
- Cisco ISE ACI-SDA Integration with VN Awareness
- Minimum Version of Antivirus and Antimalware
- Posture Session Sharing
- Agentless Posture
- Multi-DNAC Support
- Endpoint Scripts Wizard
- Android Settings for Native Supplicant Profile
- Enhancements in Audit Logs
- Bidirectional Posture Flow
- Obtain Configuration Backup Using Cisco Support Diagnostics Connector
- Configuration of Authorization Result Alarm
- Configuration of Preferred Domain Controllers
- Context Visibility Enhancements
- Full Upgrade and Split Upgrade Options Added to Cisco ISE GUI
- Cisco ISE on Amazon Web Services
- Virtual Appliance Licenses
- Download or Upload Files from Local Disk
- MacOS Versions in Posture Policy Configurations
- OpenAPI Service
- Posture Support for Linux Operating System
- ERS Service Auto Enabled on VMware Cloud Environment
- pxGrid Client Auto Approval API
- Configuration of Maximum Password Attempts for Active Directory Account
- Handle Random and Changing MAC Addresses with Mobile Device Management Servers
- MAC Randomization for BYOD
- Endpoint API Enhancement
- Posture Script Remediation
- RHEL 8.2 Support
- SAML-Based Admin Login
- Specific License Reservation
- Upgrade to pxGrid 2.0
- Zero Touch Provisioning
You can also check out the great videos where each of the new features are explored by the ISE technical marketing engineers:
- What's new in ISE 3.0 Webinar
- What's new in ISE 3.1 Webinar
- What's new in ISE 3.2 Webinar - Part 1
- What's new in ISE 3.2 Webinar - Part 2
Summary
Whether you are running ISE 2.4, 2.6, 2.7 or aren't running ISE/NAC yet, it is time to start evaluating ISE 3.X. It is also the time to start exploring using Infrastructure as Code (IaC), Security Policy as Code (SPoC) and configuration automation to lower operating costs and delivering a more secure and scalable Network Access Control (NAC) architecture.