Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now – Update Reviewed

Cisco has posted the next release of its Identity Services Engine, ISE 1.1.1, also referred to as ISE 1.1MR. Although it is billed as a maintenance release, it includes some important new features, several of them themed around Bring Your Own Device (BYOD).

You can find the ISE 1.1.1 release and the latest ISE 1.1.1 documents at www.cisco.com/go/ise, and the ISE 1.1.1 installation documentation at http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html.

Here is a breakdown of what is new in ISE 1.1.1:

  • New Default Authorization Profile ("Blacklist") - ISE 1.1.1 can now "blacklist" user devices that get lost, otherwise become unusable, or are taken out of circulation, until the device is reinstated or has been completely removed from the network. Cisco ISE 1.1.1 removes "blacklisted" devices from the network, and they are not allowed back on until the device is reinstated.
  • Dictionary Attribute-to-Attribute Authorization Policy Configuration - When constructing policy conditions in an Authorization Policy, you now have the option to compare the source attribute against another dictionary attribute rather than only a literal value.
  • New Device Registration Task Manager - A new visual path through the Cisco ISE 1.1.1 administration and configuration tasks an administrator must complete to set up support for multiple, configurable end-user device types.
  • Native Supplicant Provisioning Profile Configuration - Native supplicant profiles can now be configured for client provisioning, in addition to the "ISE Posture Agent Profiles" available in Cisco ISE 1.0.4 and 1.1. This profile type specifies the settings used when users register personal devices such as iPhones/iPads and Android devices.
  • Enhanced Client Provisioning Policy Configuration - Client provisioning policies can now be created or edited for expanded personal device support, including iPhones/iPads and Android. For personal devices specifically, the policy can be configured to upload the configuration wizard the user's device needs in order to negotiate and register with Cisco ISE 1.1.1. (NOTE: In my setup I use the native iOS and Android supplicants, and the wizards downloaded from Cisco for Mac OS X and Windows.)
  • SCEP Authority Profile Configuration Page - Lets you configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE 1.1.1 verifies and maintains connectivity with the SCEP authority server(s) you specify, and load-balances among multiple servers so that users enrolling personal devices can reliably obtain certificates.
  • RADIUS Proxy Attribute - Enhances the RADIUS sequence flows and processing. When an Access-Accept is received from an external RADIUS server, Cisco ISE 1.1.1 continues to the configured authorization policy for further decision making, based on additional attributes and groups queried from AD and LDAP.
  • EAP Chaining - Authenticates both the machine and the user within the same EAP-FAST authentication, in a configurable order. Once the EAP-FAST result is determined, Cisco ISE 1.1.1 lets you apply authorization policy based on the result of both authentications. When EAP chaining is turned off, Cisco ISE 1.1.1 performs a normal EAP-FAST authentication.
  • EAP-TLS as an Inner Method for EAP-FAST - Allows EAP-TLS to be used as the inner method of EAP-FAST. The implementation is equivalent to using EAP-TLS as the inner method of PEAP.
  • Device Registration Portal - A standalone portal that can be fully customized to suit your organization. A network access user configured as an employee can use the portal to bring personal devices onto the enterprise network through employee authentication followed by a device registration process. Employees can add, edit, reinstate, and delete their devices through this portal. Cisco ISE 1.1.1 adds these devices to the endpoints database and profiles them like any other endpoint; administrators can manage the registered endpoints from the admin user interface using the identities list and reports.
  • New Reports in Cisco ISE 1.1.1
    • Supplicant Provisioning Report - Lists the endpoints registered through the Asset Registration Portal (ARP) during a specified period.
    • Registered Endpoint Report - Lists the endpoints registered through the Asset Registration Portal (ARP) by a specific user during a selected period.
  • Change of Authorization - A CoA is triggered whenever an endpoint is added to or removed from an endpoint identity group that is used by an authorization policy. This applies whether the identity group assignment changes because of dynamic profiling or because of a static assignment.
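The CoA item above relies on RADIUS dynamic authorization (RFC 5176), which is also how a RADIUS server removes an endpoint that is already connected, for example a device moved into the Blacklist group, without waiting for it to re-authenticate: the server sends a CoA-Request or Disconnect-Request to the network access device (NAD), and the NAD must validate the packet's authenticator against the shared secret before acting on it. The following is an added example, not Cisco ISE code and not from the original post, that builds and checks those packets in Python. The NAD address, shared secret and session identifiers are constructed sample values, and identifying the session by Calling-Station-Id, Acct-Session-Id and NAS-IP-Address is a common choice rather than anything ISE-specific.

```python
# Added example (not Cisco ISE code and not from the original post): building and
# validating RFC 5176 RADIUS dynamic-authorization packets, the mechanism behind a
# "Change of Authorization" sent from a RADIUS server to a network access device.
# All addresses, secrets and session values below are constructed sample data.
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used here to identify the session (RFC 2865 / 2866 / 5176)
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44
ERROR_CAUSE = 101  # RFC 5176 section 3.5; value 503 = "Session Context Not Found"


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS AVPs: type, length (incl. header), value."""
    out = bytearray()
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def parse_attrs(packet):
    """Decode the AVPs after the 20-octet header into {type: value}; rejects bad lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_request(code, identifier, attrs, secret):
    """CoA-Request / Disconnect-Request. Per RFC 5176 section 3 the Request Authenticator
    is MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def build_response(code, request, attrs, secret):
    """ACK/NAK from the NAD. The Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """What a NAD must do before honouring a CoA/Disconnect: check length and authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(received, expected)


def verify_response(response, request, secret):
    """What the sender does with the reply: match the Identifier and check the authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, received, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(received, expected)


def disconnect_request(mac, session_id, nas_ip, identifier, secret):
    """Disconnect-Request identifying the session by MAC, accounting session and NAD address."""
    attrs = [
        (CALLING_STATION_ID, mac.encode()),
        (ACCT_SESSION_ID, session_id.encode()),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ]
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = disconnect_request("00:11:22:33:44:55", "0A0A0A0A00000001", "10.10.10.10", 7, secret)
    print("NAD accepts request:", verify_request(req, secret))
    # A NAD that has no such session answers with a Disconnect-NAK and Error-Cause 503.
    nak = build_response(DISCONNECT_NAK, req, [(ERROR_CAUSE, struct.pack("!I", 503))], secret)
    print("reply authentic:", verify_response(nak, req, secret),
          "error cause:", struct.unpack("!I", parse_attrs(nak)[ERROR_CAUSE])[0])
```

The authenticator check is the whole point: a Disconnect-Request is a plain UDP datagram (port 3799 per RFC 5176; Cisco devices commonly listen on 1700), so a NAD that does not verify it would let anyone who can reach that port tear sessions off the network. RFC 5176 fixes the MD5 construction, so it cannot be swapped for something stronger, which is why NADs should also restrict which source addresses are allowed to send CoA at all.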

Go download the latest ISE 1.1.1 release. The upgrade takes around 30 minutes (readers report up to an hour on some appliances), and it must be run on a standalone node: a node that is part of a distributed deployment has to be made standalone first or the upgrade aborts (see the comments below). Here is what it looks like:

ISE-10MR2/admin# application upgrade ise-appbundle-1.1.1.268.i386.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade…
Stopping ISE application before upgrade…
Running ISE Database upgrade…
Upgrading ISE Database schema…
Upgrading Session Directory… Completed.
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE…
Running ISE data upgrade for node specific data…
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.
The mode is licensed.
 % This application Install or Upgrade requires reboot, rebooting now…
 Broadcast message from root (pts/0) (Wed Jul 11 15:27:38 2012):
 The system is going down for reboot NOW!
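If the upgrade is run over SSH rather than from the console, the session has to survive long stretches with no output while the database and schema upgrades run; as the comments below describe, a dropped or interrupted session leaves the upgrade failed and the node needing a reset. The following client-side keep-alive settings are an added example, not part of the original post and not Cisco guidance; the host alias, address and user name are assumed:

```sshconfig
# Added example: OpenSSH ssh_config entry for the ISE admin CLI.
# Host alias, HostName and User are assumed values.
Host ise-admin
    HostName 192.0.2.10
    User admin
    # Ask the server to answer a keep-alive every two minutes ...
    ServerAliveInterval 120
    # ... and tolerate 30 unanswered keep-alives (about an hour) before disconnecting.
    ServerAliveCountMax 30
```

Connect with `ssh ise-admin`, run `application upgrade <bundle> <repository>` and leave the session alone until the reboot notice appears; do not press CTRL-C. Keep-alives only stop the client and any NAT or firewall in the path from dropping the idle connection; running the upgrade from the console avoids the problem entirely.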


23 thoughts on "Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now - Update Reviewed"

  1. Hi Joey, have you tried to upgrade ISE from 1.1 to 1.1.1 when your ISE deployment is not standalone? There aren't any installation guides and the common process doesn't work:
    This node is part of an ISE deployment. Please make it a standalone first, then retry upgrade.
    error: %post(CSCOcpm-upgrade-1.1.1-268.i386) scriptlet failed, exit status 1
    % Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
    Thanks, Jan

    • Hi Jan. Yep, I asked some field engineers and confirmed you have to break the HA via standalone mode before doing the upgrade. It won't delete the configs or anything. Hope this helps

      • Thank you, Cisco released upgrade guide today:
        http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upg_dis_dep.html

  2. Hi Joey, have you tried that BYOD portal for cert deployment?

    A few months ago, I found this Cisco video on YouTube,

    http://www.youtube.com/watch?v=lgJCJNgFjEM

    It is using these new features in this ISE 1.1.1.

    Have you more info on how to make it happen? I failed to find any doc for it.

    • Hi Ning,

      Yes, it was a little confusing using the beta documents; however, I found a few internal sources that got me through the process. I need to see what I can publish and what will be publicly available before I can share anything. I'm planning to do a blog post on this shortly, so stand by. It will cover multiple use cases for ISE 1.1.1 on-boarding.

      To summarize the process, ISE needs an identity certificate that is signed by a CA server so that it can be trusted by endpoints, gateways, and servers (I had to build a CA server for my lab). You need to configure a certificate authentication profile, link that to a new identity source sequence, set up a SCEP profile so endpoints can obtain digital certificates from the CA server, update your authentication flow to leverage the identity sequence, and make sure you set up the client provisioning with the appropriate native profiles or wizards (I have a Windows and Mac OS wizard; however, I use native for mobile devices). The wireless configuration can vary depending on how many SSIDs you want to use and broadcast for your mission. I'll have more in my on-boarding posting. Cisco should have some new docs out shortly as well (I've seen some good beta docs).

      • Thank you Joey, looking forward to your more sharing!

  3. Hi and thanks for your nice blog :)

    I am really interested in EAP Chaining. For me, to secure access to the network, we only have to give access to authorized computers. However, if we want to use dynamic VLANs by user, we have to authenticate the user... The problem is, if the user can authenticate with their AD credentials or certificate, they could use them on a non-controlled computer (personal computer/smartphone...). So EAP Chaining is perfect, authenticating both...

    Can you recommend this new feature for a big new deployment? Is it based on ISE 1.1.1 and AnyConnect v3 only for the moment?

    Thanks for your help.

  4. Dear Joe,

    I am running through a PoC on BYOD. In this part we are testing the wireless scenario for mobile devices. We are planning to have Mobile Device Management (MDM) in our solution as well; I understand from the Cisco site that they support a few MDM vendors like AirWatch etc.

    In my setup I have ISE VM version 1.1MR and ISE Inline Posture as a NAC 3315. I am starting the wireless setup now, and I couldn't find any document on ISE integration with MDM. It would be a great help if the following questions were answered, in addition to any documents.
     Can MDM be integrated with ISE?
     How can MDM be integrated with Cisco ISE? Is there a configuration or guide to show this?
     What is the demarcation between MDM and ISE (i.e. what is the role of ISE and MDM on mobile devices)?
     If MDM is available, then where does the control of ISE end? Does MDM manage the devices, or will ISE do it?
     Will MDM do the client provisioning, or should ISE?
     Does MDM send or update patches on mobile devices?

    As of now these are the scenarios, kindly revert if any good documents to show this or share your expertise on the Integration Part.

    Regards,
    Arun

    • Hi Arun,

      Cisco just announced BYOD as part of their trusted security architecture, meaning one TAC case can cover Cisco Wireless, ISE and an MDM that is part of their MDM ecosystem (that's right, a Cisco guy will support a non-Cisco product, aka the MDM vendor, during a TAC case. It stops the finger pointing between vendors when troubleshooting issues). Currently the trusted MDM vendors are AirWatch, Zenprise, MobileIron and Good Technology. Most likely there will be more added to this group, and the assumption is most MDM vendors can work with ISE; however, TAC will only support the previously listed vendors.

      Today there is some limited MDM integration with ISE. For example, we have Zenprise set up and a policy check to verify the Zenprise agent is installed. ISE can't verify or react to the status of the MDM agent. Basically the assumption is, if the user is in Active Directory, the device is approved and an MDM agent is installed, the device SHOULD be secure since the MDM agent must be doing its job. If there is an MDM policy violation, ISE can't identify it today (it's the MDM's job).

      Word from the Cisco developers is ISE 1.2 will have a lot more remediation options / integration with leading MDM vendors. I'm being told to expect ISE 1.2 to be capable of verifying things like whether a device is jailbroken by leveraging the MDM agent, and able to kick those devices off the network. Other features from MDM agents, such as verifying if passwords are enabled, apps are / are not installed, etc., can also be verified by ISE 1.2. I haven't seen the alpha code yet, but so far it sounds pretty sweet.

      Regarding your management question, ISE controls access to the network and monitors the device status from a network viewpoint. MDM manages mobile devices while they are on and off the network. This is why MDM is around today. Most mobile vendors (BlackBerry is the exception) give power to the end user, meaning users can opt out of security. MDM is one way to deal with locking down mobile devices. Today ISE verifies the agent; however, the future is leveraging the MDM agent for posture checks.

      Regarding client provisioning, that is handled by the MDM agent; however, certificates can be provisioned by either ISE or MDM. MDM also handles patches today. The future may have ISE launching the MDM agent to handle patches based on posture checks; however, that's not available for mobile devices today (only PC and Mac laptops and desktops).

      Hope this helps!

  5. I was updating my ISE from 1.1 to 1.1.1. As it took a long time and I was SSH'ed into it, I thought it was stuck (there was nothing indicating that the update was still processing), so I hit CTRL-C and it showed me that it failed... I tried to re-do it many times without success. So do not press CTRL-C; it takes 30 min or 1 hr depending on what you are using (I am using the 3300 appliance).
    Anyway, if you did press CTRL-C or for any reason it didn't go through, recreate your repository and reset the ISE application from the command line.

    Hopefully somebody finds it helpful.

    • Hi Ed. Interesting... I'm using the VMware version; however, I'm going to forward this to my field members to see if they have seen this. We have a handful of active upgrades happening right now, so yes, this is helpful to know.

      Thank you!

      Joey

      • Hi Ed.

        One of our engineers had a similar issue with the upgrade using SSH. You need to set a keep-alive (SecureCRT will do it) for about every 10 minutes. Or just set a stopwatch and hit enter. It does take a LONG time. Avoid CTRL-C.

  6. Hi,
    I have just upgraded to 1.1.1 and the Guest Portal does not appear to be in the same location, or it is not functioning. If I go to https://server:port/guestportal I get an error, and https://server:port/guestportal/gateway yields a different error. I was told by TAC that /guestportal/gateway was the new URL. Has anyone run into this issue?

    • Hi Kyle,

      Check out the latest config guide on http://www.cisco.com/go/ise and look for Multi-Portal Configurations. It states

      A predefined DefaultGuestPortal is available under Multi-Portal Configurations. This portal has the default Cisco look-and-feel that you can choose to customize it through the Cisco ISE Admin user interface, or you can upload HTML pages to create a customized portal. To create a personalized portal with custom HTML pages, you must first add a new portal.

      Guest Portal URL
      The following procedure utilizes the Guest portal URL. For reference, the Guest portal URL for the wired and wireless local web authentication is as follows:
      https://ip:8443/guestportal/portals/PortalName/portal.jsp

      Where the PortalName is the name of the portal as it is created during the upload.

      The Guest portal redirect URL for CWA is:
      https://ip:port/guestportal/gateway?sessionId=SessionIdValue&portal=PortalName&action=cwa

      The `ip’ and `port’ values are updated by the RADIUS server as the URL-redirect is returned to the NAD. These values are the IP address and port number for the Cisco ISE guest portal server

      Hope this helps

  7. Thanks for having a look at my earlier post.

    I would like to avail myself of your valuable inputs to understand the client provisioning part for mobile devices / laptops. I understand from your reply that MDM integration is not available in the current release, ISE 1.1.

    Kindly let me know your views or any documents on the following scenarios, with the current release in mind.

    Users with mobile devices connecting to wireless (both employee and guest): how does the flow differ for the employee and the guest? How is the client provisioning done (i.e. posturing or compliance check)?

    Users with laptops connecting to wireless (both employee and guest): how is the client provisioning done (i.e. posturing or compliance check)?
    What are the advantages of also having ISE in place for mobile devices, since most of the mobile-related tasks (like authentication, authorization, profiling and posture) are carried out by MDM? I am checking for the significant advantage of having ISE for a client network having only mobile devices. Kindly clarify.

    Do you recommend 802.1X authentication for the employee and contractor, and open authentication for the guest user?

    How can we ensure the encryption of traffic from the guest user to the NAD (network access devices)?

    We are also looking at a VDI (Citrix, VMware) solution for the clients (both employee and guest); how can ISE play a role in securing the VDI environment?
    Is any integration required with Citrix or VMware? How can the VDI be offered based on the user role (i.e. employee, contractor or guest), since the guest database is available only with ISE? How are the checks made from the VDI environment?

    Our solution demands MDM in the integrated solution, but as of today ISE can't be integrated with MDM, so what kind of solution can we propose to have MDM and Cisco ISE? Should the clients entering the network have already installed the MDM agent, or is there any other way of pushing it to the client?

    • Hi Arun,

      First off, let me clarify that today with ISE 1.1MR, you CAN check to see if an MDM agent is installed and do something about it if it is/isn't installed. What you CAN'T do today is use ISE to view what the MDM agent is looking for. For example, you CAN check to see if Zenprise is installed and, based on that with other things, provision specific access. You CAN'T have ISE kick somebody off the network if they fail an MDM policy such as having an iPad jailbroken. The assumption is, if there is an MDM agent, it's probably secure. A future release of ISE is supposed to be able to leverage the MDM agent so you can kick people off the network who fail an MDM policy.

      Regarding your questions, the flows can be designed many different ways. Employee policies can range from checking how people authenticate, what types of devices they have, searching for things like certificates to verify they have issued devices, etc. Enforcement can be through combinations of VLANs, ACLs, SGAs, dACLs, etc. Guest can be the same way; however, common practice is to leverage the built-in advanced guest services such as web redirection (like a hotel), self-provisioning (i.e. filling out a form and having a password generated), on-boarding (self-approving the MAC of the guest device), etc. I'll be posting more about certificates and on-boarding shortly.

      Posture can be enforced through an agent or agentless. The idea is the agent only pops up when it sees somebody is connecting and quickly provides the user's posture status. This is also key for single sign-on with posture. Without an agent, a system can be assessed with a Java or ActiveX web scanner; however, it takes a short time to scan and auto-remediation is not possible (i.e. it will tell you to click a link or something similar to get a patch rather than auto-patching). Remediation options can also vary depending on how you configure the system.

      I do recommend using 802.1X, MAB if 802.1X is not available, and defaulting to guest access.

      When you ask about encryption, are you concerned about man-in-the-middle attacks while guest users authenticate? Please elaborate on what you are looking for.

      VDI, aka sandbox, is an approach for provisioning access to specific applications from untrusted networks. For the internal network, ISE makes complete sense for locking down who and what is on the network (i.e. printers, card readers, laptops, etc). For remote access, you may want to control which devices connect to the sandbox (i.e. only issued devices). Also, you may want to verify there is AV, patches, etc. to avoid things like keyloggers that can capture sensitive data during a sandbox session. Some VPN solutions offer these features as well (e.g. Cisco ASA can do posture and look for keyloggers). The only downside is now you have to manage two systems to identify who and what is coming onto the network. The last comment I'll make on sandboxes is that in many cases, people tend to work around them to get work done (i.e. email internal docs to personal email, screenshots, etc). Sandboxes are good, but having some access control around who can connect to the sandbox is better.

      Regarding pushing out MDM agents, there are different ways depending on the vendor. Most offer methods to email, push SMS, send users to a specific link, etc. ISE can redirect a device without an MDM to a link to download it if it sees the MDM is not present. Pushing MDM can be done many ways.

      Hope this helps

      Joey

  8. Pingback: Configuring On-Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1 | Joey Muniz - The Security Blogger

  9. Dear Joey,
    Thanks very much. I have been running on a busy schedule and am back to the post today.
    We are also now planning to extend BYOD to IPv6; kindly let us know about ISE's support for IPv6, or what else can be showcased for BYOD with IPv6.

    • Hi Arun,

      Currently ISE 1.1.1 doesn't support IPv6. It's a roadmap item for next year.

  10. Hi Joey,
    Appreciate your efforts to help out engineers with new ISE deployments. I am running a POC in the lab. Can we use ISE 1.1.1 for machine authentication based on a certificate instead of AD?
    In my use case, we have to check if there is a company-issued cert on a Windows laptop, Apple laptop, iPad or Android. If the cert is confirmed and the user has a valid ID as an employee, then the machine will be connected to the company's network. Thanks for your reply in advance. Adil.

    • Hi Adil,

      Yes you can, and it's a common use case. I've seen people validate that machines are company owned, what version of "ghost" image is running (via checking the dates of the cert to verify if a machine has been out in the field too long), and other use cases. It's done via a posture check. You can see the workflow of this via the Task Navigator on the top right-hand part of the ISE GUI (scroll to CP and Posture). Look under "create policy conditions" and you will see a registry condition section. That's where you can look for specific certs. That, or you can use MAB to verify approved devices and check for policies via authorization policies once they pass the internal MAB list (i.e. create a MAB authentication policy for issued devices and specific authorization policies if they fall in that bucket).

      Hope this helps!

  11. Greetings from Colorado! I’m bored at work so I decided to browse your blog on my iphone during lunch break. I enjoy the info you provide here and can’t wait to take a look when I get home.
    I’m surprised at how quick your blog loaded on my mobile .. I’m not even using WIFI, just 3G .
    . Anyways, excellent blog!

