Cisco has posted the next release of their flagship security solution Identity Services Engine ISE 1.1.1 or ISE 1.1MR. ISE 1.1.1 is coined a maintenance release however includes some important new features such as some themed around Bring Your Own Device (BYOD).
www.cisco.com/go/ise for more information and
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html for ISE 1.1.1 documentation
Here is a breakdown of what is new with ISE 1.1.1
- New Default Authorization Profile (“Blacklist”) – ISE 1.1.1 can now “blacklist” user devices that get “lost,” or otherwise become unusable or taken out of circulation, until the device can be reinstated or has been completely removed from the network. Cisco ISE 1.1.1 removes “blacklisted” devices from the network and thay are not allowed back on until the device is reinstated
- Dictionary Attribute-to-Attribute Authorization Policy Configuration – You now have the option, when constructing policy conditions in an Authorization Policy, to specify another Dictionary Attribute to which you can associate the source Attribute during policy configuration
- New Device Registration Task Manager – New visual path through the various Cisco ISE 1.1.1 administration and configuration processes necessary to enable administrators to set Cisco ISE 1.1.1 up to provide multiple, configurable device support for end users
- Native Supplicant Provisioning Profile Configuration – Configure native supplicant profiles for client provisioning in addition to the existing “ISE Posture Agent Profiles” currently available in Cisco ISE Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones/iPads and Android
- Enhanced Client Provisioning Policy Configuration – You can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones/iPads and Android. For the personal device support, specifically, you can configure the policy to upload the appropriate configuration wizard necessary to enable the user’s device to negotiate and register with Cisco ISE 1.1.1 (NOTE: In my example below, I’m using the IOS and Android native while I downloaded from Cisco wizards for MAC OX and Windows.)
- SCEP Authority Profile Configuration Page – Enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE 1.1.1 verifies maintains connectivity with the SCEP authority server(s) you specify, and even performs load-balancing among multiple servers to ensure optimal connectivity for users when they use their personal devices to access the network
- RADIUS Proxy Attribute – Enhance the RADIUS sequence flows and processing. When Access-Accept is received from an external RADIUS server, Cisco ISE 1.1.1 continues to the configured authorization policy for further decisions making based on additional attributes and groups queried from AD and LDAP.
- EAP Chaining – Allows authenticating both machine and user in the same EAP-FAST authentication in a configurable order. When EAP-FAST authentication result is determined, Cisco ISE 1.1.1 allows you to apply authorization policy depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE 1.1.1 performs usual EAP-FAST authentication.
- EAP-TLS as an Inner Method for EAP-FAST- Allows usage of EAP-TLS protocol as an inner method for EAP-FAST protocol. The implementation is equal to usage of EAP-TLS as inner method of PEAP
- Device Registration Portal – A standalone portal that can be completely customized to suite your organization. A network access user who is configured as an employee in an organization can access the portal that allows them to bring in their personal devices into an enterprise network through an employee authentication, and then a device registration process. An employee can manage their devices to add, edit, reinstate, and delete their devices through this portal. Cisco ISE 1.1.1 adds these devices to the endpoints database, and profile them like any other endpoint. The Cisco ISE 1.1.1 administrators can manage the registered endpoints from the administrator user interface, by using the identities list and reports
- New Reports in Cisco ISE 1.1.1
- Supplicant Provisioning Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time.
- Change of Authorization – Triggers a CoA when an endpoint is added or removed from an endpoint identity group that is used by authorization policy. Any change in an endpoint identity group assignment for an endpoint that occurs due to dynamically profiling or a static assignment to an endpoint identity group, a CoA is triggered in both the cases
Go download the latest ISE 1.1.1 release. The upgrade process will take you around 30 minutes to complete. Here what it will look like.
ISE-10MR2/admin# application upgrade ise-appbundle-22.214.171.1248.i386.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade…
Stopping ISE application before upgrade…
Running ISE Database upgrade…
Upgrading ISE Database schema…
Upgrading Session Directory… Completed.
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE…
Running ISE data upgrade for node specific data…
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.
The mode is licensed.
% This application Install or Upgrade requires reboot, rebooting now…
Broadcast message from root (pts/0) (Wed Jul 11 15:27:38 2012):
The system is going down for reboot NOW!