Cisco Identity Solutions Engine 1.1 Update Is Now Available ISE
Cisco recently released the latest update for Identity Solutions Engine (ISE). Below are some features and findings. My team has been running this in the lab for a while and so far it’s been rock solid. For those who have seen Cisco Prime Network Control System (NCS), the ISE GUI now has the same theme (see the pictures above and below).
- Common Criteria Certification – This release will be submitted for Common Criteria Certification, which is a requirement for many federal agencies.
- FIPS – ISE 802.1x services with Common Access Card (CAC) including NAC & AnyConnect Agent
- IOS Sensor on 15.0(1) SE1 for Cat 3000 and IOS 15.1(1) SG for CAT 4000. This is a huge for Profiling since it’s the first time Cisco is leveraging the switches for profiling data rather than probing from the ISE server down (like all other profiling type solutions). It makes sense to do this since typical information being probed is already available on switches.* Catalyst 2000 support and DHCP data for IOS Sensor will come later.
- Active Endpoint Scanning – Manual scan and specific scan action per profile template
- Endpoint protection services aka (Blacklisting devices) – Enable administrators to quarantine devices by IP or MAC address.
- Multiple language support for guest, sponsor and client provisioning portals.
- NAC agent, AnyConnect NAM client, ISE user input fields and reports.
- Guest without Logon (Device registration WebAuth). Simple URL for Sponsor Portal Access (A simple, short link). Custom Portal Theme
- OCSP Support
- NTP Server authentication
- External Authentication for Administrators (including CAC)
- ISE VM Appliance will include VMWare Tools
- SGA Out Of Band PAC Provisioning
- SGACL Monitor Mode
- NMAP added to profiling
SOME OTHER THINGS TO NOTE ABOUT THE ISE 1.1 RELEASE:
- There are some Internet Explorer 8 problems that are performance related. The current release notes claim “be patient” and “click several times”.
- There are some disk space and performance issues on the UCS SATA-2 storage systems.
- We have been running it on vshpare 5.0 without a problem even though 4 is the supported platform. Same goes for ISE 1.04
- ISE IPEP will need to be disconnect and use Certificate Based Authetnication to connect to a PAP prior to upgrade http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html#wp248769 - IPEP Bug CSCtu39612
ISE 1.1 release notes can be found HERE