Cisco ISE 2.0 Support for TACACS+ & additional features


Cisco Identity Services Engine (ISE) 2.0 came with a lot of new features, the most popular being support for Device Administration via TACACS+. Here is a list of the new features that come bundled with ISE 2.0 according to the official release notes listed here.

ISE 2.0 Release Notes

Further details are listed below:

Device Administration via TACACS+:

ISE can now leverage the TACACS+ security protocol to control and audit the configuration of network devices. This requires an additional license (Device Administration license) to use the TACACS+ service. An ISE administrator can create policy sets that allow TACACS+ results, such as command sets and shell profiles, to be selected in authorization policy rules in a device administration access service.

Third-Party Device Support:

Many more third-party vendors have been added to the Device Support list, including wireless and wired devices. Examples are Aruba 7000, InstantAP, Brocade ICX 6610 and many more.

TrustSec Dashboard:

A centralized and dedicated dashboard for deploying and monitoring TrustSec configuration.

TrustSec Matrix Enhancements:

Cisco ISE 2.0 now allows you to create, name, and save custom views.

TrustSec Work Center:

All TrustSec-related options are consolidated under the TrustSec Work Center menu (Work Centers > TrustSec).

Automatic SGT Creation:

Cisco ISE allows you to create SGTs automatically while creating the authorization policy rules. The auto-created SGTs are named based on the rule attributes.

Support for SXP:

Source Group Tag (SGT) Exchange Protocol (SXP) is used to propagate the SGTs across network devices that do not have hardware support for TrustSec.

Location Based Authorization:

Cisco ISE integrates with Cisco Mobility Services Engine (MSE) to introduce physical location-based authorization. Cisco ISE uses information from MSE to provide differentiated network access based on the actual location of the user, as reported by MSE.

Support for Boolean Attributes:

Cisco ISE supports retrieving Boolean attributes from Active Directory and LDAP identity stores.

Support for EAP-TTLS Protocol:

EAP-TTLS is a two-phase protocol that extends the functionality of the EAP-TLS protocol. Phase 1 builds the secure tunnel and derives the session keys used in Phase 2 to securely tunnel attributes and inner-method data between the server and the client.

KVM Hypervisor Support:

Cisco ISE supports KVM hypervisor on Red Hat Enterprise Linux (RHEL) 7.0.

Cisco ISE Telemetry:

The Cisco ISE Telemetry banner appears as soon as you log in to the Admin portal.

Certificate Provisioning Portal:

The Certificate Provisioning portal allows employees to request certificates for devices that cannot go through the on-boarding flow.

Certificate Template Extension:

The Cisco ISE Internal CA includes an extension to represent the certificate template that was used to create the endpoint certificate.

Cisco ISE Internal CA Issues Certificates to ASA VPN Users:

The Internal ISE CA can issue certificates to client machines that connect over ASA VPN. Cisco ISE uses the Simple Certificate Enrollment Protocol (SCEP) for enrollment and to provision certificates to the client machines.

GUI-Based Upgrade:

Cisco ISE offers a GUI-based centralized upgrade from the Admin portal. The upgrade process is much simplified, and the progress of the upgrade and the status of the nodes are displayed on screen.

Technical Support Tunnel for Advanced Troubleshooting:

Cisco ISE uses the Cisco IronPort Tunnel infrastructure to create a secure tunnel for Cisco technical support engineers to connect to an ISE server in your deployment and troubleshoot issues with the system.

Mobile Device Management Enhancements:

Cisco ISE 2.0 allows endpoints that were enrolled on an active MDM server outside of an ISE network to connect to an ISE network without needing to re-enroll with the MDM server.

Support for Meraki Mobile Device Management:

Cisco ISE supports the Meraki MDM server.

pxGrid Enhancements:

ISE 2.0 allows a pxGrid client to create and set up a new capability without needing to update all of the other participants in the grid.

Guest Enhancements:

A sponsor can now change the guest type of an existing guest account in the Sponsor portal.

Profiler Enhancements:

IPv6 addressing is supported for some features.

Posture Enhancements:

Cisco ISE supports the following posture enhancements: Disk Encryption Check, SHA-256 File Check, Property List File Check, Daemon Check Enhancement, Additional Variables for File Check, etc.

Client Provisioning Enhancements:

You can configure multiple Wi-Fi SSIDs (NSP profiles) with a single run of the Supplicant Provisioning Wizard (SPW).

IPv6 Support:

Cisco ISE Release 2.0 supports the following IPv6 capabilities: support for IPv6-enabled endpoints, IPv6 support in reports, IPv6 support in the CLI, etc.

Check out the ISE 2.0 release notes here for further information.
