Cisco ISE Resiliency
From Cisco ISE Release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE.
See Cisco ISE Alarms.
Configure Debug Log Settings
You can configure the maximum file size and the maximum number of files allowed for each debug log component. You can also
specify the date and time after which these values must be reset to default.
See Configure Debug Log Settings.
Create a URL Pusher pxGrid Direct Connector Type
You can create a pxGrid Direct connector using the Cisco ISE GUI. From Cisco ISE Release 3.4, there are two pxGrid Direct connector types to choose from: URL Fetcher and URL Pusher. With a URL Pusher connector, you can use the pxGrid Direct Push APIs to push endpoint data to Cisco ISE.
From Cisco ISE Release 3.4, you can also configure an authorization profile using connector attributes containing arrays.
See Create a URL Pusher Connector Type.
End of Support for Legacy IPsec (ESR)
From Cisco ISE Release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE are Native IPsec configurations. We
recommend that you migrate from legacy IPsec (ESR) to native IPsec before upgrading, to avoid losing tunnels and tunnel
configurations.
See Migrate from Legacy IPsec to Native IPsec on Cisco ISE.
Enforcing Domain Controller Selection with Priority
You can now choose to override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover.
When this option is enabled, Cisco ISE overrides the existing priority values and selects the next domain controller in the
preferred list in the order of input from left to right.
See Configure Preferred Domain Controllers.
Enhanced Password Security
Cisco ISE now improves password security through the following enhancements:
-
You can choose to hide the Show button for the following field values, to prevent them from being viewed in plaintext during
editing:
Under Network Devices,
Under Native IPsec,
See Configure Security Settings.
-
To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and
export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.
See Network Devices Import Template Format.
On-demand pxGrid Direct Data Synchronization using Sync Now
From Cisco ISE Release 3.4, you can use the Sync Now feature to perform on-demand synchronization of data from pxGrid Direct connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco
ISE GUI or using OpenAPI.
See On-demand pxGrid Direct Data Synchronization using Sync Now.
Option to Add Identity Sync After Creating Duo Connection
If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection,
click Skip in the Identity Sync page. You will be taken to the Summary page directly.
After you create a Duo connection, you can add identity sync configurations at any time.
See Integrate Cisco Duo With Cisco ISE for Multifactor Authentication.
Per-user Dynamic Access Control List Behavior Change
While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco
ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this
information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE Release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard.
See Downloadable ACLs.
Support for Multiple Cisco Application Centric Infrastructure Connectors
Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs
and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs),
endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco
ISE.
You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and
Cisco ACI connectors.
Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics
through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics.
See Connect Cisco Application Centric Infrastructure with Cisco ISE.
pxGrid Direct Support for Arrays in Dictionary Groups for Authorization Policy
From Cisco ISE Release 3.4, you can also use pxGrid Direct connector data with arrays as dictionary attributes to configure
an authorization policy. Use the “Contains” operator, or “Matches” for a REGEX, when configuring the policy.
The operators “Equals” and “In” do not work when the attribute value is an array. Multiple attributes can be nested using AND or OR
conditions.
See Configure Authorization Policies.
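As an added example (not Cisco ISE code), the following Python models the operator behaviour described above so you can see why a rule written with Equals or In against an array-valued connector attribute silently never matches, while Contains and Matches (applied per element) do, and how AND/OR nesting composes. The per-element semantics for Contains and Matches, the scalar-only semantics for Equals and In, the attribute names (Roles, Site, MACAddress) and the rule and profile names are all assumptions constructed for this example.

```python
import re
from typing import Any, Dict, List, Union

# Added example (not Cisco ISE code): a small model of how the ISE condition
# operators behave when a pxGrid Direct connector attribute is an array.
# Assumptions: "Contains" and "Matches" test each array element; "Equals" and
# "In" compare the attribute as a single scalar and therefore never match an
# array value. The connector attributes and rule names below are constructed.

Value = Union[str, List[str]]
Condition = Dict[str, Any]


def _elements(value: Value) -> List[str]:
    """Return the attribute value as a list, whether it is a scalar or an array."""
    return list(value) if isinstance(value, list) else [value]


def op_equals(value: Value, operand: str) -> bool:
    # Scalar comparison only: an array is never "equal" to a single string.
    return not isinstance(value, list) and value == operand


def op_in(value: Value, operand: List[str]) -> bool:
    # Scalar membership only: an array value is not a member of a string list.
    return not isinstance(value, list) and value in operand


def op_contains(value: Value, operand: str) -> bool:
    # True if the operand is a substring of the value or of any array element.
    return any(operand in element for element in _elements(value))


def op_matches(value: Value, pattern: str) -> bool:
    # REGEX test applied to the value or to each array element.
    regex = re.compile(pattern)
    return any(regex.search(element) is not None for element in _elements(value))


OPERATORS = {
    "Equals": op_equals,
    "In": op_in,
    "Contains": op_contains,
    "Matches": op_matches,
}


def evaluate(condition: Condition, attrs: Dict[str, Value]) -> bool:
    """Evaluate a (possibly nested) condition against one endpoint's attributes.

    A leaf condition is {"attr": name, "op": operator, "operand": value}.
    Compound conditions are {"and": [...]} or {"or": [...]}.
    A missing attribute never matches.
    """
    if "and" in condition:
        return all(evaluate(c, attrs) for c in condition["and"])
    if "or" in condition:
        return any(evaluate(c, attrs) for c in condition["or"])
    if condition["attr"] not in attrs:
        return False
    return OPERATORS[condition["op"]](attrs[condition["attr"]], condition["operand"])


def authorize(attrs: Dict[str, Value], rules: List[Dict[str, Any]]) -> str:
    """Return the profile of the first rule whose condition matches, else a default deny."""
    for rule in rules:
        if evaluate(rule["condition"], attrs):
            return rule["profile"]
    return "DenyAccess"


# Constructed endpoint record as a pxGrid Direct connector might supply it,
# with "Roles" as an array attribute (hypothetical attribute names).
ENDPOINT = {
    "MACAddress": "00:11:22:33:44:55",
    "Site": "HQ",
    "Roles": ["camera", "hvac"],
}

# Constructed rules. The first uses Equals on the array and therefore never
# matches; the second uses Matches/Contains-style per-element tests and does.
RULES = [
    {"profile": "Broken_Camera_Profile",
     "condition": {"attr": "Roles", "op": "Equals", "operand": "camera"}},
    {"profile": "IoT_Camera_HQ",
     "condition": {"and": [
         {"attr": "Roles", "op": "Matches", "operand": "^cam"},
         {"or": [
             {"attr": "Site", "op": "Equals", "operand": "HQ"},
             {"attr": "Site", "op": "In", "operand": ["DR", "Branch"]},
         ]},
     ]}},
]

if __name__ == "__main__":
    print(authorize(ENDPOINT, RULES))  # IoT_Camera_HQ
```

The practical point is the first rule: it looks correct when read, but because Roles is an array the Equals test never fires, so the endpoint falls through to whichever later rule happens to match. When converting a connector schema to array attributes, audit existing rules for Equals and In on those attributes rather than relying on live-log testing alone.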
RADIUS Suppression and Reports Enhancement
From Cisco ISE Release 3.4, RADIUS Suppression and Reports have been enhanced to facilitate easier RADIUS configuration.
See RADIUS Settings.
Support for Transport Gateway Removed
Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:
-
Cisco ISE Smart Licensing
If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before
you upgrade to Cisco ISE Release 3.4. You must choose a different connection method as Cisco ISE Release 3.4 does not support
Transport Gateway. If you update to Cisco ISE Release 3.4 without updating the connection method, your smart licensing configuration
is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection
method at any time after the upgrade.
-
Cisco ISE Telemetry
Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is
not impacted by this change.
TLS 1.3 Support for Cisco ISE Workflows
Cisco ISE Release 3.4 allows TLS 1.3 to communicate with peers for the following workflows:
-
Cisco ISE is configured as an EAP-TLS server
-
Cisco ISE is configured as a TEAP server
Attention: TLS 1.3 support for Cisco ISE configured as a TEAP server has been validated only under internal test conditions, because at the time
of Cisco ISE Release 3.4 no available client OS supports TEAP with TLS 1.3.
-
Cisco ISE is configured as a secure TCP syslog client
See Configure Security Settings.
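To verify the secure TCP syslog client workflow end to end, you need a collector that refuses anything older than TLS 1.3 and that reassembles the message stream correctly. The following Python collector is an added example, not Cisco ISE code or a Cisco tool. It assumes the collector listens on the conventional syslog-over-TLS port 6514, that the sender uses either RFC 5425 octet-counting framing ("<len> <msg>") or newline-terminated messages, and it uses placeholder certificate paths and constructed sample messages; the exact framing Cisco ISE emits is not stated on this page, so confirm it against a capture.

```python
import socket
import ssl
from typing import Callable, List, Optional, Tuple

# Added example (not Cisco ISE code): a minimal secure syslog collector that
# accepts only TLS 1.3 from a Cisco ISE node configured as a secure TCP syslog
# client. Assumptions: port 6514, RFC 5425 octet-counting or newline framing.
# Certificate paths and sample messages are placeholders constructed here.


def make_tls13_server_context(certfile: Optional[str] = None,
                              keyfile: Optional[str] = None,
                              cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a server context that refuses any peer unable to speak TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # TLS 1.2 and older are rejected
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        # Mutual TLS: require the ISE node to present a certificate chained to cafile.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile)
    return ctx


def context_minimum_version(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate (e.g. 'TLSv1_3')."""
    return ctx.minimum_version.name


def octet_frame(msg: bytes) -> bytes:
    """Wrap one syslog message in RFC 5425 octet-counting framing."""
    return str(len(msg)).encode() + b" " + msg


def parse_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split buffered bytes into complete syslog messages.

    A chunk that starts with a decimal length and a space is octet-counted;
    anything else is treated as newline-terminated. Returns the complete
    messages and the unconsumed tail to prepend to the next read.
    """
    messages: List[bytes] = []
    while buf:
        sep = buf.find(b" ")
        if buf[:1].isdigit() and sep != -1 and buf[:sep].isdigit():
            length = int(buf[:sep])
            start = sep + 1
            if len(buf) < start + length:
                break  # body not fully received yet
            messages.append(buf[start:start + length])
            buf = buf[start + length:]
        elif buf[:1].isdigit() and sep == -1:
            break  # length prefix still incomplete
        else:
            nl = buf.find(b"\n")
            if nl == -1:
                break  # partial newline-framed message
            messages.append(buf[:nl].rstrip(b"\r"))
            buf = buf[nl + 1:]
    return messages, buf


def serve(ctx: ssl.SSLContext, host: str = "0.0.0.0", port: int = 6514,
          handler: Callable[[str, str], None] = lambda peer, msg: print(peer, msg)) -> None:
    """Accept TLS connections and hand each complete message to handler."""
    with socket.create_server((host, port)) as listener:
        while True:
            conn, (peer_ip, _) = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    buf = b""
                    while True:
                        data = tls.recv(4096)
                        if not data:
                            break
                        messages, buf = parse_frames(buf + data)
                        for msg in messages:
                            handler(f"{peer_ip} ({tls.version()})", msg.decode("utf-8", "replace"))
            except ssl.SSLError as exc:
                # A sender that only offers TLS 1.2 fails the handshake and lands here.
                print(f"rejected {peer_ip}: {exc}")


# Constructed sample stream: two complete octet-counted messages in the shape
# of ISE authentication syslog, followed by the start of a third.
SAMPLE_MSG1 = b"<134>1 2024-05-01T10:00:00Z ise-pan1 CISE_Passed_Authentications 0 1 0 - constructed sample"
SAMPLE_MSG2 = b"<132>1 2024-05-01T10:00:01Z ise-pan1 CISE_Failed_Attempts 0 1 0 - constructed sample"
SAMPLE_STREAM = octet_frame(SAMPLE_MSG1) + octet_frame(SAMPLE_MSG2) + b"42 <134>1 partial"

if __name__ == "__main__":
    complete, leftover = parse_frames(SAMPLE_STREAM)
    print(len(complete), "messages;", len(leftover), "bytes buffered")
    # To run for real: serve(make_tls13_server_context("collector.crt", "collector.key", "ise-ca.pem"))
```

Point the ISE secure syslog target at this collector and confirm that each accepted connection reports TLSv1.3 in the handler output; a node that has not been switched to TLS 1.3 shows up as a rejected handshake rather than a silently downgraded session.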