In this long overdue post, I'm going to go over the newest version of ISE: 2.3. I planned to write this a month or two ago but got a bit busy with work and other stuff so I'm catching up a little now. I wanted to throw out a few blog posts on ISE 2.3 before the next version of ISE comes out.
If anyone has read through the release notes of ISE 2.3, they would notice there wasn't a TON of brand new features but I will get into the features momentarily. However, there were a lot of UI tweaks and fixes to various issues which has proven to make it pretty stable in my experience. The first patch hasn't even come out for it yet but I do have several clients running it in production and who are very happy with it so far.
So let's go ahead and break down what's new in ISE 2.3:
- Enhanced Policy Sets - I went over this quite a bit in my previous blog post here so I won't go over it again. I am very happy with the new policy sets now that I've had the chance to play around with them.
- Read-Only Admin Accounts - This seems like a very small change but it really is long overdue. This role gives the user the ability to look at everything in the ISE UI but make absolutely no changes at all.
In order to configure this role, you can either create a local account under Administration>System>Admin Access>Administrators>Admin Users and during the creation of the local account, you would check the box next to Read Only
Or you could associate an external user group such as an Active Directory group membership or internal user group to the new Read Only Admin Policy under Administration>System>Admin Access>Authorization>Permissions>Policy
- Exported Report Summary - This is a small feature but it grants the user the ability to see details of the recently exported reports which includes details about the name of the report, who exported it, if was a scheduled report or not, when it was triggered, what repository it was sent to, etc. Admins will have the ability to cancel any reports that are in progress or queued from here. To view the export summary, navigate to Operations>Reports>Export Summary
- Social Login - This is a new feature to allow social media credentials to be used to login for guest access. This speeds up the guest login and registration is optional. It also add some great marketing options. To configure social media login, you would navigate to Administration>Identity Management>External Identity Source>Social Login and start the configuration there.
Social media login uses OAuth which is an open standard for access delegation for internet users to grant websites or applications access to their information on other sites without sharing their passwords. In this version of ISE, it only is working with Facebook but OAuth is used with Google, Microsoft, Twitter, etc so I wouldn't be surprised if that's expanded in the next version.
Some of the different options you have with social media login for guest include:
- No Registration - This is where you click "Sign in with Facebook" and it allows the user to login with their Facebook credentials
- With Registration - Where they still sign in with their Facebook credentials but they have to complete a registration form for tracking with ISE. Details might include things like full name, company, phone number, who they are visiting, etc. Theyr'e still not going to have a regular username/password like with other guest types but it provides you the ability to gather a little more information about the guest than their social media information
- Registration and Sponsor Approval - Just like registration above but instead of allowing immediate access, it will need a sponsor to approve the access.
Reauthentication after the user is allowed access happens if the user is no longer part of the Guest Endpoints group which can happen if their guest account has expired or they've been manually removed from the group.
In order to configure social media login, you would need to do the following:
1. Create a Facebook application at Facebook. For instructions on how to do so, click here. Be sure to make your app public.
2. Create the Facebook Social Login in ISE under External Identity Source (pictured above) using your newly created App ID.
3. Under the guest portal configuration on Login Page Settings, check the box next to Allow social login and choose the newly created Facebook external identity source.
4. (Optional) Under Registration form settings on the portal, choose any details you want to require with registration if you choose to use registration. Be sure to keep username unchecked though.
5. Make sure to inport the Facebook CA into the Trusted Certificate store in ISE under Administration>System>Certificates>Certificate Management>Trusted Certificates
6. On the Facebook app site, update your URI list.
7. One the wireless controller, update your ACL for web redirect to allow Facebook's public IP range which is 188.8.131.52/16.
- ISE Upgrade Readiness Tool (URT) - In the earlier versions of ISE, the biggest pain that you could experience was database corruption and gremlin issues during an upgrade. The creators of ISE decided to take a page from the FTD guy's book and add an upgrade readiness tool to check for hidden database gremlins prior to upgrade so you can resolve them without hours of downtime. The URT tool can be downloaded from the ISE download page on Cisco.com here.
The URT can be run on the secondary admin node without any downtime. You would want to transfer it over to the ISE appliance and then run it using the following command:
application install <URT-bundle-name> disk
The URT tooll will run and tell you if there are any outstanding issues. Below you can see examples of a pass and fail with the URT tool:
- Posture - With ISE 2.3, there are some features and better viewing that has been added to posture.
Improved Application Visibility - One of the enhancements is a new screen under Context Visibility which shows the applications at a high level. If you remember in ISE 2.2, it was simply a pie chart under Compliance but now you can actually have a menu of all the applications on your network and drill into which endpoints have what applications
Hardware Visibility - ISE now will inventory the hardware on the endpoint including CPU usage (%), number of cores, number of processors, memory, memory usage (%), HD size, HD free space, HD usage (%), processor name, BIO manufacturer, BIO serial number, attached devices, etc. The inventory can be viewed at Context Visibility>Endpoints>Hardware as seen below and you can do filtered searches on any of the above.
Temporal Agent - This replaces the outdated NAC agent and is an alternative to AnyConnect for posture. It will run once during connection and then uninstalls. It does not require admin privileges to use and it provides the same rich posture checks that AnyConnect does but it only provides the information at initial connection instead of periodic checks. There are also a couple checks it cannot do that AnyConnect can:
- MAC: System Daemon check
- MAC: Daemon or user agent check
- Patch Management up-to-date check
- Patch Management enabled check
- Disk Encryption check
The creators of ISE also added some default Posture conditions that are disabled by default but make it easier to switch them on for common Posture conditions that most clients want:
- ACS Parity - With the latest update with ISE, you can now migrate your configurations from ACS 4.2 and later onto ISE using the ACS Migration Tool. Other added features include:
- IPv6 TACACS Support for:
- Network Devices
- TACACS Authentication
- TACACS Authorization
- TACACS Accounting
- Connection modes
- Live Logs and Reporting
- Proxy (AAA, Accounting- local, remote)
- MAR cache synchronization among PSN clusters
- Network Devices and Network Device Groups
- Network Devices - Support for IP ranges in all octects and exclusions
- Network Device Groups - Better scalability with support for 10,000 Network Device Groups and support for 6-level hierarchy with 32 characters
- Reporting - New reports include:
- Authentication Summary
- Active Sessions
- Top N Authentication report by Failure Reason
- Top N Authentication report by Network Device
- Top N Authentication report by User
- User Support
- Caching of internal username/user-specific attributes (authorization only)
- Password policy violation message
- Logging and Management
- Read-Only ERS API For ISE administrators
- Syslog message export
- Scheduling policy export
- Import/Export of Command set
- Endpoint attribute support: Date, IP, Enum
- Migration Tool
- With the tool, you can now migrate network devices with IPv6, external proxy with IPv6, policies with time and data and support of policy sets with conditions including AND and OR.
- IPv6 TACACS Support for:
So that's a quick runthrough of the changes in ISE 2.3. Compared to previous versions of ISE, it actually wasn't a large jump in features but it did add a lot of enhancements that people wanted to see in terms of usability and fixed a lot of little issues out there. Thanks for reading!