ISE 2.1 Just Released

I'm definitely going to go over this more in future posts after I'm done with my StealthWatch series. For now, I'll just post this high-level information about some of the additional features of ISE 2.1, which I'm pretty excited about.

Dashboards

 Better dashboards that make it very easy to see the different kinds of endpoints, users, devices, and OSes in your network and the ability to create customized dashboards. Here are some examples:

Summary Dashboard

Endpoints and Users Dashboard

Guests Dashboard

Vulnerability Dashboard

Threats Dashboard

Custom dashboard and dashlets

 

Easy Connect

Simplifies network authorization without implementing 802.1X on the endpoints, wired or wireless. Active Directory logins are used to map user information onto network connections, which is then used for authorizing users on the network even when ISE is not involved in the authentication process. Easy Connect can also be used as a backup authentication method to reduce help desk calls.

Example of an EasyConnect policy using Passive ID

 

 

TrustSec workflow enhancements

Introduces capabilities for change management and configuration rollback as well as gradual deployment of new policies to different parts of the network that allow simplified integration of TrustSec into current IT systems.

TrustSec Overview

 

Context visibility

Designed for easy initial installation or proof of concept: get ISE up and running with a few simple bits of information. From there, ISE discovers endpoints and network devices on the network. This provides a quick and easy way to understand the various users and endpoints on your network. Context Directory starts with an overview of the ISE deployment, providing administrators with selectable dashlets. Administrators can click on the dashlets to get detailed drill-downs with additional graphs and tabular data.

Context Visibility

 

Expanded profiling capabilities

ISE now supports a new Active Directory probe and SMB discovery, providing definitive operating system information and eliminating guesswork. Custom ports, service, and version information provide better information to shrink the pool of devices that stubbornly defy classification.

Active Directory profiler

 

ACS to ISE migration features

Delivers baseline features with Cisco Secure ACS and tools for customers to migrate from their existing ACS 4.x or later deployments to ISE. These features include SNMP MIB support for disk utilization, support for all SNMP traps, the ability to enable or disable activation/operation of the IPv6 protocol, the ability to have multiple administrators with each administrator controlling a group, Open Database Connectivity (ODBC) support, configurable TACACS+ ports, a persistent MAR cache, NIC teaming for increased high availability per node, and features to manage the internal user database.

ACS Migration Tool

 

Expanded workcenters

ISE continues the theme of task-oriented workcenters started in ISE 2.0, adding guest, BYOD, posture, profiling, and CA to the existing TrustSec and device administration workcenters. Workcenters ease the day-to-day configuration and management burden by centralizing the work associated with a given task in one area.

Expanded workflows

 

Threat-centric NAC

Allows threat-centric network access control via ISE policy for vulnerability and threat detection, utilizing Cisco Advanced Malware Protection to push high-fidelity Indications of Compromise (IoC) to ISE. This allows ISE to change the privilege and context of an endpoint dynamically, notifying the network and other applications of the change so that access to resources can be restricted.

Threat Centric NAC Configuration

Threat-based ISE Policy

 

TrustSec-ACI policy plane integration

Shares policy groups between TrustSec and ACI environments using common group identifiers that simplify policy management across TrustSec-enabled campus, branch and DC networks and ACI-enabled data centers.

ACI-TrustSec Integration

 

Enhanced third-party NAD support

Additional enhancements to provide a VLAN-based solution that restricts user access and sends user traffic directly to the ISE PSN to provide initial authentication, CWA, posture assessment, etc. Once the registration, posture, and captive portal process is completed, the user is authorized into an access VLAN.

ISE 3rd Party NAD Support

 

Guest enhancements

ISE Guest portals now support single-sign-on (SSO) against SAML-compliant identity providers. This functionality allows employees to authenticate against the organization's SAML identity provider when logging into the ISE portals.

 

Microsoft Intune & SCCM integration

ISE integrates with Intune and SCCM, enabling IT to gather information about endpoints that are trying to connect to the network in order to reduce the potential security risks to the network.

 

USB connectivity check on Windows

Includes an additional category for USB connectivity. You can check for USB mass storage connectivity on Windows OS, with the ability to remediate by disabling the connection (this requires the AnyConnect 4.3 ISE Posture module).

USB Condition Check

 

ODBC authorization support

Ability to retrieve Group and User Attributes from an ODBC database and use them in ISE authorization policies, including the ability to show groups of a specific user and attributes of a specific user and save them as a template, and add attributes and groups stored procedures.

ODBC Support

 

Chromebook support

Makes it even easier for organizations to select Chromebooks as their device of choice through ISE and Google Chrome Device Management: more manageable for IT, and more powerful for users.

Chromebook Support

 

SAML-SSO enhancements

Supports additional SAML-compliant identity providers (IdPs), fetching attributes and groups from Azure AD, SecureAuth, PingID, PingFederate, and Oracle IdPs.

ISE SAML Enhancements

 

Control enhancements

From the Context dashboard, it's very easy to quarantine an endpoint. 

Compromised Endpoints Dashboard and assigning a policy to an endpoint

Assigning a Quarantine policy

 

... and there are many other enhancements and features. Eventually I'll write more posts digging into this newest version of ISE in much more detail.