I'm definitely going to go over this more in future posts after I'm done with my StealthWatch series. I'll just post this high level information about some of the additional features of ISE 2.1 which I'm pretty excited about.
Better dashboards that make it very easy to see the different kinds of endpoints, users, devices, and OSes in your network and the ability to create customized dashboards. Here are some examples:
Simplifies network authorization without implementing 802.1x on the endpoints, wired or wireless. Active Directory logins are used to map user information onto network connections, which is then used for authorizing users on the network even when ISE is not involved in the authentication process. Easy Connect can also be used as backup authentication method to reduce help desk calls.
TrustSec workflow enhancements
Introduces capabilities for change management and configuration rollback as well as gradual deployment of new policies to different parts of the network that allow simplified integration of TrustSec into current IT systems.
Designed for easy initial installation or proof of concept - get ISE up and running with a few simple bits of information. From there, ISE discovers endpoints and network devices on the network. Provides a quick and easy way to understand the various users and endpoints on your network. Context Directory starts with overview of ISE deployment providing administrators with selectable dashlets. Administrators can click on the dashlets to get detailed drill downs with additional graphs and tabular data.
expanded profiling capabilities
ISE now supports a new Active Directory probe and SMB discovery providing definitive operating system information eliminating guesswork. Custom ports, service and version information provide better information to shrink the pool of devices that stubbornly defy classification.
acs to ise migration features
Delivers baseline features with Cisco Secure ACS and tools for customers to migrate from their existing ACS 4.x or later deployments to ISE. These features include support SNMP MIB for disk utilization, support all SNMP traps, support ability to enable or disable activation/operation of IPv6 protocol, ability to have multiple administrators with each administrator controlling a group, Open Database Connectivity (ODBC) support, Configurable TACACS+ ports, Persistent MAR cache, NIC teaming for increased high availability per node, and features to manage internal user database.
ISE continues the theme of task-oriented workcenters started in ISE 2.0 adding guest, BYOD, posture, profiling, and CA to the existing Trustsec and device administration. Work-centers ease day-to-day configuration and management burden centralizing work associated with a given task in one area called a work-center.
Allows threat-centric network access control via ISE policy for vulnerability and threat detection utilizing Cisco Advanced Malware Protection pushing high fidelity Indications of Compromise (IoC) to ISE. This allows ISE to change the privilege and context of an endpoint dynamically, notifying the network and other applications of the change so that access to resources can be restricted.
trustsec-aci policy plane integration
Shares policy groups between TrustSec and ACI environments using common group identifiers that simplify policy management across TrustSec-enabled campus, branch and DC networks and ACI-enabled data centers.
enhanced third-party nad support
Additional enhancements to provide a VLAN-based solution that restricts user access and sends user traffic directly to the ISE PSN to provide initial authentication, CWA, Posture assessment, etc. Once registration, posture, and captive portal process is completed, then user is authorized into an Access VLAN.
ISE Guest portals now support single-sign-on (SSO) against SAML-compliant identity providers. This functionality allows employees to authenticate against the organization's SAML identity provider when logging into the ISE portals.
microsoft intune & sccm integration
ISE integrates with Intune and SCCM enabling IT to gather information about endpoints that are trying to connect into the network to reduce the potential security risks into the network.
usb connectivity check on windows
Includes an additional category for USB connectivity. You can check for USB mass storage connectivity on Windows OS with ability to remediate by disabling the connection (will require AnyConnect 4.3 ISE Posture module).
odbc authorization support
Ability to retrieve Group and User Attributes from an ODBC database and use them in ISE authorization policies, including the ability to show groups of a specific user and attributes of a specific user and save them as a template, and add attributes and groups stored procedures.
Making it even easier for organizations to select Chromebooks as their device of choice through ISE and Google Chrome Device Management., more manageable for IT, and more powerful for users.
Support additional SAML-compliant identity providers (IdP), fetching attributes and groups from Azure AD, SecureAuth, PingID, PingFederate, and Oracle IdPs.
From the Context dashboard, it's very easy to quarantine an endpoint.
.... and there are many other enhancements and features. Eventually I'll write more posts digging into this newest version of ISE in much more detail.