Cisco ISE 3.4 – Here and Now!
If you were at Cisco Live US in June, and even if you weren't, you heard the good news: Cisco Identity Services Engine (ISE) 3.4 was announced.
For many network and security administrators, hearing about the new capabilities of the latest Cisco ISE version is a bit of a tease: you want to get your hands on it and see how it strengthens your network. The wait is over. Cisco ISE 3.4 is now available to download and deploy on your network.
If you haven't yet heard what the latest iteration of Cisco ISE brings, let this be your primer. The biggest takeaway is Common Policy, which addresses one of our customers' biggest problems: fragmented and inconsistent policies across disparate domains.
Common Policy is designed to streamline and unify security policy enforcement across an organization's entire network. It lets administrators apply consistent access and segmentation controls to all devices, users, and applications, with those policies built on the context that the participating systems exchange about the endpoints they see.
Using Cisco ISE as a central exchange hub, the solution integrates network and security domains, normalizes contextual information, and provides secure communication between the participating components. This strengthens zero-trust enforcement across diverse access patterns and locations while simplifying the management of complex network environments. Common Policy is currently in beta and is anticipated for general release this fall.
As part of the Common Policy solution, we rewrote our integration with Cisco Application Centric Infrastructure (ACI). You can now set up a bi-directional connection to multiple APIC-managed data centers, including single-pod and multi-pod fabrics, directly from Cisco ISE and start exchanging Security Group Tag (SGT), Endpoint Group (EPG), and Endpoint Security Group (ESG) context.
In addition to Common Policy, the Cisco ISE 3.4 release is jam-packed with many other features too.
Active Directory preferred DC selection
Starting with Cisco ISE 3.4, administrators can manually prioritize Domain Controllers (DCs), giving them control over which DC is used for authentication and authorization. If the preferred DC becomes unreachable, Cisco ISE automatically fails over to the next DC on the list, so users can still be authenticated and reach their resources. Once the preferred DC is available again, Cisco ISE fails back and restores the original priority order. Order the list deliberately: a manual preference governs every authentication and authorization lookup from that node, so put the DCs closest to each ISE node first.
Faster restart times
Great news for those who hate waiting: with Cisco ISE 3.4, system restart times have been reduced to minutes, varying slightly with the role of each node. No more long coffee breaks between reboots.
pxGrid Direct enhancements
Building on the pxGrid Direct framework introduced in Cisco ISE 3.2, which simplified integration with Configuration Management Database (CMDB) servers lacking native pxGrid support, Cisco ISE 3.4 brings several key enhancements:
- Sync now: When significant changes occur in the CMDB, administrators no longer need to wait for the scheduled update. Cisco ISE 3.4 lets admins trigger an on-demand synchronization so that ISE is working from the most up-to-date endpoint information.
- URL pusher and persistent database: Customers can now push a JSON file containing endpoint data directly into Cisco ISE's persistent database. This opens pxGrid Direct to those without a CMDB, since they can still feed endpoint context to ISE by pushing the data themselves. Unlike the internal endpoint database, this database is persistent and is not purged, which also means stale entries are not aged out automatically.
Retention of user settings
In previous versions of Cisco ISE, any customization of table displays, such as column selection, order, or width, was reset upon leaving the page. With Cisco ISE 3.4, preferred table settings are saved and retained, even when switching browsers or devices. No more repetitive adjustments; the personalized view is here to stay.
Localized ISE Installation
This enhancement lets administrators reinstall ISE directly from an ISO file stored locally on the ISE server, cutting installation time from the traditional 5-7 hours to 1-2 hours. It is particularly useful when a reinstall is unavoidable, such as system recovery or an upgrade path that requires a fresh install, because a shorter install means less downtime and quicker recovery for IT teams. As with any reinstall, take and verify a configuration backup before you start; a faster install from ISO still does not preserve the node's configuration.
FQDN to SGT Mapping
Cisco ISE 3.4 tackles a challenge TrustSec administrators face in geo-distributed or cloud deployments: the same Fully Qualified Domain Name (FQDN) can resolve to different IP addresses depending on which DNS server answers, which makes it difficult to apply the same SGT consistently to every instance of the FQDN.
Cisco ISE 3.4 therefore enhances FQDN-to-SGT mapping. Administrators can now select multiple ISE nodes to resolve the FQDN, and every resulting IP address is associated with the corresponding SGT, so policy enforcement stays consistent across diverse network environments regardless of variations in DNS resolution. Keep in mind that the mapping is only as trustworthy as the DNS the selected nodes query: a poisoned or misconfigured answer on any one of them lands in the SGT mapping like any other.
PAC-less communication between Cisco ISE and TrustSec NADs
Cisco ISE 3.4 introduces PAC-less communication, a simplified way for Cisco ISE and TrustSec network access devices (NADs) to talk to each other. It eliminates the need for administrators to manage Protected Access Credential (PAC) files, reducing overhead and streamlining the process. PAC-less communication requires Cisco IOS XE 17.5.1 or later on the network devices, but no configuration change is needed on the Cisco ISE side: the network devices themselves inform Cisco ISE of the capabilities they support, which further simplifies deployment and management.
Log file management
We have heard from you that troubleshooting Cisco ISE under heavy load can be a challenge, especially when log files fill up rapidly and critical information gets rotated away before anyone reads it. Cisco ISE 3.4 addresses this with enhanced log management: administrators now have granular control over both the maximum file size and the number of log files to keep, per component. Raise those limits for the components you are investigating before reproducing a problem, so the evidence is still there during peak times.
Lua scripting
Recognizing the need for greater customization, Cisco ISE 3.4 introduces a powerful feature for advanced users: Lua scripting for RADIUS attribute manipulation. A Lua script runs after the authorization profile has been processed and can modify or add RADIUS attributes as needed, letting Cisco ISE admins tailor ISE to use cases the standard policy engine cannot express. The script has access to all RADIUS attributes and therefore full control over the authorization result; treat these scripts as privileged policy code and put them under the same review and change control as your authorization policy.
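To make the mechanism concrete, here is an added example of the kind of post-authorization script this feature is meant for. It is not Cisco's code and is not taken from the ISE documentation: the hook name `manipulate`, the convention that ISE passes the profile's attributes as a Lua table keyed by attribute name (a string for single-valued attributes, an array for multi-valued ones such as `cisco-av-pair`) and takes the returned table as the final result, the 8-hour timeout ceiling, and the ACL name `ACL-WEBAUTH-REDIRECT` are all assumptions for illustration. Check the ISE 3.4 administrator guide for the real script interface before adapting it.

```lua
-- Added example of RADIUS attribute manipulation after authorization.
-- ASSUMPTION: the engine calls manipulate(attrs) with a table keyed by
-- attribute name and uses the returned table as the final Access-Accept.
-- The hook name and calling convention are illustrative, not ISE's
-- documented interface.

local MAX_SESSION_TIMEOUT = 28800  -- assumed ceiling: 8 h, then reauthenticate

-- Return a fresh array for a multi-valued attribute so the caller's table
-- is never mutated in place.
local function copy_list(v)
  local out = {}
  if type(v) == "table" then
    for i, item in ipairs(v) do out[i] = item end
  elseif v ~= nil then
    out[1] = v
  end
  return out
end

local function has_prefix(s, prefix)
  return string.sub(s, 1, #prefix) == prefix
end

function manipulate(attrs)
  local out = {}
  for k, v in pairs(attrs) do out[k] = v end

  -- 1. Clamp Session-Timeout. A missing or oversized timeout lets a host
  --    keep a stale authorization long after its posture or group changed.
  local raw = out["Session-Timeout"]
  local st = raw and tonumber(raw)
  if st == nil or st <= 0 or st > MAX_SESSION_TIMEOUT then
    out["Session-Timeout"] = tostring(MAX_SESSION_TIMEOUT)
  end
  -- Ask the NAD to reauthenticate rather than drop the session on expiry.
  if out["Termination-Action"] == nil then
    out["Termination-Action"] = "RADIUS-Request"
  end

  -- 2. Derive a Filter-Id from the assigned VLAN when the profile set none,
  --    so every VLAN assignment carries a matching ACL name.
  local vlan = out["Tunnel-Private-Group-ID"]
  if vlan ~= nil and out["Filter-Id"] == nil then
    out["Filter-Id"] = string.format("VLAN%s-ACL.in", vlan)
  end

  -- 3. Never send a url-redirect without its redirect ACL; depending on the
  --    NAD, a bare redirect either does nothing or catches all traffic.
  local avpairs = copy_list(out["cisco-av-pair"])
  local has_redirect, has_redirect_acl = false, false
  for _, p in ipairs(avpairs) do
    if has_prefix(p, "url-redirect=") then has_redirect = true end
    if has_prefix(p, "url-redirect-acl=") then has_redirect_acl = true end
  end
  if has_redirect and not has_redirect_acl then
    -- ACL name is an assumed example value; use the one defined on your NADs.
    table.insert(avpairs, "url-redirect-acl=ACL-WEBAUTH-REDIRECT")
  end
  if #avpairs > 0 then out["cisco-av-pair"] = avpairs end

  return out
end

-- Constructed sample: roughly what an authorization profile might produce.
local sample = {
  ["User-Name"] = "alice",
  ["Tunnel-Type"] = "VLAN",
  ["Tunnel-Medium-Type"] = "802",
  ["Tunnel-Private-Group-ID"] = "120",
  ["Session-Timeout"] = "604800",
  ["cisco-av-pair"] = { "url-redirect=https://ise.example.com:8443/portal/gateway" },
}
local result = manipulate(sample)
assert(result["Session-Timeout"] == "28800")
assert(result["Termination-Action"] == "RADIUS-Request")
assert(result["Filter-Id"] == "VLAN120-ACL.in")
assert(#result["cisco-av-pair"] == 2)
assert(#sample["cisco-av-pair"] == 1)  -- input left untouched
print("ok")
```

The file runs as-is under any standard Lua 5.x interpreter (`lua script.lua`); the assertions at the bottom exercise the three rules against the constructed sample. The design point is that each rule only tightens or completes what the authorization profile already decided, so a reviewer can reason about the script as a bounded post-processor rather than a second policy engine.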
As you can tell, there is a lot packed into the latest version of Cisco ISE that is going to make your job easier.