ModernCyber Blog

What’s new in ISE 3.4

Written by Uzi Ahmed | Jul 1, 2024 2:00:00 PM

Discover the latest features and updates in ISE 3.4 that are revolutionizing the industry.

Cisco ISE is a powerful tool for managing and securing network access in a wide range of environments. By providing centralized policy enforcement, robust device profiling, and integration with other security tools, ISE helps organizations maintain a secure, compliant, and efficient network.

ISE 3.4 is slated to be released this summer, most likely at the end of July/beginning of August. This new version of ISE will come with several new features and enhancements aimed at improving performance, scalability, and user experience.

The ISE team recently uploaded a webinar detailing what’s new in ISE 3.4. This blog post serves as a concise write-up of their announcement.

Improved Restart Time

Restarting Cisco Identity Services Engine (ISE) should be done with caution, as it can disrupt network access and services. There are, however, several circumstances in which a restart is necessary or beneficial, such as applying updates and patches or making certain configuration changes. One long-standing issue with ISE is that a restart can take anywhere from 15 to 20 minutes. With the ISE 3.4 build, restart times have been reduced to between 5 and 7 minutes.

Making UI Changes Persistent per User

ISE 3.4 makes UI changes persistent per user. This means, in particular, that any personalization you make to a table in ISE, e.g., change column width or location, will be permanent.

PAC-less Communication for TrustSec

ISE uses Protected Access Credentials (PACs) as part of its TrustSec architecture to establish secure communications and enforce network access policies. PACs are used to establish a secure TLS (Transport Layer Security) tunnel, and all subsequent communication, including policy updates and SGT assignments, takes place over this encrypted tunnel. One problem with this architecture is that the tunnel uses TLS 1.0, a deprecated and less secure protocol version.

ISE 3.4 introduces the option of using PAC-less RADIUS communication between ISE and NADs running the soon-to-be-released IOS-XE 17.15.1.

TLS 1.3 Support

As touched on above, a problem with PAC-based communication is that it does not use the latest version of TLS, version 1.3. With ISE 3.4, support for TLS 1.3 has been extended to EAP-TLS, TEAP-TLS, and Secure TCP Syslog.
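After the upgrade, the practical question for a defender is whether the TLS endpoints in the deployment (for example the secure syslog collector ISE sends to, or ISE’s own HTTPS and pxGrid listeners) actually negotiate TLS 1.3 and no longer accept the TLS 1.0 that the PAC-based flow relied on. The probe below is an added example written for this post, not Cisco code or anything from the webinar; the host, port and finding texts are assumptions.

```python
"""Pin a client to one TLS version at a time and record what the peer negotiates.
Hypothetical post-upgrade check, not part of Cisco ISE."""
import socket
import ssl

# Result labels paired with the protocol version pinned for each probe.
PROBE_VERSIONS = (
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1_2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1_3", ssl.TLSVersion.TLSv1_3),
)


def build_probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.
    Certificate checks are off on purpose: the probe measures which versions
    the peer negotiates, not whether its certificate chain validates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
        # so a rejection of the legacy probe comes from the server, not our side.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # library without @SECLEVEL support; probe as-is
    return ctx


def negotiated_version(host: str, port: int, version: ssl.TLSVersion, timeout=5.0):
    """Version string the peer agreed to ('TLSv1.3'), or None if the handshake
    was refused. Plain network errors (unreachable host) propagate."""
    ctx = build_probe_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError:
        return None


def probe(host: str, port: int) -> dict:
    return {label: negotiated_version(host, port, v) for label, v in PROBE_VERSIONS}


def assess(results: dict) -> list:
    """Translate probe results into findings; an empty list means the endpoint
    behaves as expected after the upgrade (1.3 negotiated, 1.0 refused)."""
    findings = []
    if results.get("TLSv1") is not None:
        findings.append("TLS 1.0 still accepted (the deprecated version PAC-based communication used)")
    if results.get("TLSv1_3") is None:
        findings.append("TLS 1.3 not negotiated; endpoint is not yet on the version ISE 3.4 supports")
    return findings
```

Run it as `probe("syslog-collector.example", 6514)` (assumed host and port) and pass the result to `assess`; an empty findings list is the pass condition.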

pxGrid Direct Enhancements

ISE 3.4 introduces several enhancements to pxGrid Direct, which allows ISE to integrate with Configuration Management Databases (CMDBs) and fetch asset attributes using APIs.

Sync Now

Previously, the minimum interval for synchronization was 12 hours. ISE 3.4 introduces the option to manually sync databases on demand.

Scale Updates

pxGrid Direct in ISE 3.4 has significantly improved scalability. Notably, the upper limit on the number of supported connectors, previously 10, has been removed. In addition, ISE previously supported a maximum of 500,000 endpoints per connector; in ISE 3.4 the maximum has been raised to 2,000,000 endpoints per connector. Last but not least, pxGrid can now process 15-20 attributes per connector, whereas previously it could only process 15-20 attributes in total.

URL Pusher

ISE 3.4 introduces URL Pusher, a second way, alongside URL Fetcher, to feed a pxGrid Direct connector. URL Pusher eliminates the need for ISE to issue a GET request to the database; instead, the external server sends the API request to ISE in JSON format. The other notable architectural difference is that attributes are stored in ISE’s persistent database rather than in the endpoint database, which is often purged.

Common Policy

One challenge for customers who use several different Cisco Security solutions in their deployments is that each solution handles policy in its own way; there is no consistent, unified policy experience across the different domains. For security architects, this makes implementing consistent policies for user and device access to applications a cumbersome process. Common Policy is the envisioned solution, with ISE at its center.

The Common Policy rollout will take some time. ISE 3.4 introduces integrations with Application Centric Infrastructure (ACI), Catalyst Center (DNAC), and SD-WAN.

Generally speaking, a Common Policy integration works by using SGTs as a common language. The Context Exchange hub in ISE is used to ‘translate’ policies expressed in other idioms - for example, the EPGs/ESGs used in ACI - into SGTs.

Debug Log File Management

ISE 3.4 introduces better control of debug logs. You can now configure the maximum file size and the number of files for each debug log component. These settings can then be restored to more manageable (less resource intensive) default settings after debugging is complete.

Active Directory Preferred Domain Controller

ISE selects the preferred Active Directory Domain Controller algorithmically, but customers with large deployments may need finer control over DC selection. ISE 3.4 allows administrators to override ISE’s selection algorithm and set priorities for each AD per PSN.

Conclusion

Cisco ISE 3.4 brings a host of new features and enhancements designed to meet the evolving needs of modern networks. As networks continue to grow and become more complex, the updates in ISE 3.4 provide the tools needed to manage these challenges effectively. Please get in touch if you have any comments or questions about using these enhancements in your deployments.