New and Changed Information

The following table summarizes the new and changed features and tells you where they are documented.

Table 1. New and Changed Features in Cisco ISE Release 3.4

Feature

Description

Cisco ISE Resiliency

From Cisco ISE Release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE.

See Cisco ISE Alarms.

Configure Debug Log Settings

You can configure the maximum file size and the maximum number of files allowed for each debug log component. You can also specify the date and time after which these values must be reset to default.

See Configure Debug Log Settings.

Create a URL Pusher pxGrid Direct Connector Type

You can create a pxGrid Direct connector using the Cisco ISE GUI. There are two types of pxGrid Direct connector types: URL Fetcher and URL Pusher. From Cisco ISE Release 3.4, you can choose between a URL Fetcher pxGrid Direct connector type or a URL Pusher pxGrid Direct connector type. You can use the pxGrid Direct Push APIs to push endpoint data to Cisco ISE.

From Cisco ISE Release 3.4, you can also configure an authorization profile using connector attributes containing arrays.

See Create a URL Pusher Connector Type.

End of Support for Legacy IPsec (ESR)

From Cisco ISE Release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate to native IPsec from legacy IPsec (ESR) before upgrading to Cisco ISE Release to avoid any loss of tunnel and tunnel configurations.

See Migrate from Legacy IPsec to Native IPsec on Cisco ISE.

Enforcing Domain Controller Selection with Priority

You can now choose to override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover. When this option is enabled, Cisco ISE overrides the existing priority values and selects the next domain controller in the preferred list in the order of input from left to right.

See Configure Preferred Domain Controllers.

Enhanced Password Security

Cisco ISE now improves password security through the following enhancements:

  • You can choose to hide the Show button for the following field values, to prevent them from being viewed in plaintext during editing:

    Under Network Devices,

    • RADIUS Shared Secret

    • Radius Second Shared Secret

    Under Native IPsec,

    • Pre-shared Key

    See Configure Security Settings.

  • To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.

    See Network Devices Import Template Format.

On-demand pxGrid Direct Data Synchronization using Sync Now

From Cisco ISE Release 3.4, you can use the Sync Now feature to perform on-demand synchronization of data from pxGrid Direct connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.

See On-demand pxGrid Direct Data Synchronization using Sync Now.

Option to Add Identity Sync After Creating Duo Connection

If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly.

After you create a Duo connection, you can add identity sync configurations at any time.

See Integrate Cisco Duo With Cisco ISE for Multifactor Authentication.

Per-user Dynamic Access Control List Behavior Change

While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE Release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard.

See Downloadable ACLs.

Support for Multiple Cisco Application Centric Infrastructure Connectors

Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs), endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco ISE.

You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and Cisco ACI connectors.

Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics.

See Connect Cisco Application Centric Infrastructure with Cisco ISE.

pxGrid Direct Support for Arrays in Dictionary Groups for Authorization Policy

From Cisco ISE Release 3.4, you can also use pxGrid Direct Connector data with arrays as dictonary attributes to configure an authorization policy. The operators “Contains” or “Matches” (in case of REGEX) must be used while configuring the policy. The operators ”Equals” and “In” will not work when there are arrays. Multiple attributes can be nested using "AND" or "OR" conditions.

See Configure Authorization Policies.

RADIUS Suppression and Reports Enhancement

From Cisco ISE Release 3.4, the RADIUS Suppression and Reports have been enhanced to faciliatite easier RADIUS (Administration > System > Settings > Protocols > RADIUS > RADIUS Settings) configurations.

See RADIUS Settings.

Support for Transport Gateway Removed

Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:

  • Cisco ISE Smart Licensing

    If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE Release 3.4. You must choose a different connection method as Cisco ISE Release 3.4 does not support Transport Gateway. If you update to Cisco ISE Release 3.4 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.

  • Cisco ISE Telemetry

    Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.

TLS 1.3 Support for Cisco ISE Workflows

Cisco ISE Release 3.4 allows TLS 1.3 to communicate with peers for the following workflows:

  • Cisco ISE is configured as an EAP-TLS server

  • Cisco ISE is configured as a TEAP server

    Attention

     

    TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested under internal test conditions because at the time of Cisco ISE Release 3.4, TEAP TLS 1.3 is not supported by any available client OS.

  • Cisco ISE is configured as a secure TCP syslog client

See Configure Security Settings.