Author: Fatih Ermis | Senior Solution Consultant
With ISE 3.0, a simpler interface has been created, more user-friendly and easier on the eyes than the old interface.
In the new interface, the top row of menu items has been removed and a hamburger button has been added to the upper left corner, giving ISE 3.0 a completely new look that was not in previous versions. It is worth mentioning that all configurations can be made under this menu.
Dark mode is a different touch that gives a new image to the ISE interface: previous versions were all blue tones on a white background, whereas dark colors are included with ISE 3.0. The “Make a Wish” feedback option that we know from Meraki has also not been forgotten in the menu. I think this feature, which I think Cisco will integrate into all its products from now on, is really very important for both parties, especially for user/administrator feedback.
At the same time, thanks to the search tab added to this menu, ISE 3.0 is one step ahead: it is user-friendly and gives very fast access to the desired configuration. Shortcuts have been added to the lower left corner of the Dark Mode, so it is very easy to open or close the menu.
In addition, it is noticeable that the switching speed between tabs in ISE 3.0 is much faster than before.
We mentioned that the Make a Wish section was added to the bottom section for both user/admin experience and easy feedback (complaints, requests or suggestions). With this tradition, which we are used to from Meraki, Cisco is in effect telling users, ‘We listen to you, we improve our systems with your suggestions’, and this gives users/admins the opportunity to be a part of these developments. I think it is a fast feedback feature that brings the producer and the users together from the same perspective.
One of the user-friendly features that comes with ISE 3.0 is the “interactive help” feature, which can be accessed both from the Help Menu in the upper right corner and from the tab in the lower right corner.
This feature, which is not available in older versions of Cisco ISE, makes the product faster and easier to use in many ways. For example, if we want to configure Posture, clicking on the Posture section brings up all the tabs we need regarding Posture.
When we click on the Agentless Posture feature, a wizard appears that shows all the steps necessary for configuration, one by one. Everything that needs to be done to set up Agentless Posture is therefore provided very easily: when we complete each step and click on the (Next) option, we move on to the next step, and the wizard also makes it possible to start the configuration from any desired step.
All components needed throughout the configuration process are presented to you by these wizards and you are asked to complete the relevant configurations.
It is important to remember that you must have the correct licenses for the relevant configurations.
- Agentless Posture Feature for Windows and macOS
With ISE 3.0, agentless posture can be used for “Microsoft and Apple” devices without installing AnyConnect agents on endpoints.
- End User Visibility and Custom Script Feature
Thanks to this feature, special scripts can be written for Windows and Mac end users. Points to consider:
o Only admins with SuperAdmin authority can run these scripts,
o You must have Domain Admin information and/or Local admin user information,
o PowerShell for Windows machines,
o SSH access for Mac,
o CURL 34+ for both Mac and Windows
- ODBC Multiple Attributes Lookup Feature
Instead of specifying attributes manually, the authorization profile can be conveniently configured to use the VLAN returned from the ODBC database based on specified entry attributes (such as MAC address, username, called-station-ID, or device location).
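A model of the multi-attribute lookup described above, as an added example that is not Cisco's code or schema: the table `endpoint_vlan`, its columns, the sample rows and the fallback VLAN 999 are all constructed, and an in-memory SQLite database stands in for the ODBC source. It shows two properties worth verifying in any such lookup: attributes received from the RADIUS request are bound as parameters, and a missing or ambiguous match falls back to a restricted VLAN.

```python
import re
import sqlite3

QUARANTINE_VLAN = 999  # assumption: restricted VLAN used when no unique row matches


def normalize_mac(mac):
    """Reduce aa:bb.., aa-bb.. or aabb.ccdd.eeff notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def build_db():
    """Constructed sample data standing in for the external ODBC database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE endpoint_vlan (mac TEXT, username TEXT, location TEXT, vlan INTEGER)"
    )
    db.executemany("INSERT INTO endpoint_vlan VALUES (?, ?, ?, ?)", [
        ("0050569a1b2c", "alice", "HQ-Floor2", 110),
        ("0050569a1b2c", "alice", "Branch-01", 210),
        ("a483e7000001", "bob", "Branch-01", 220),
        ("a483e7000001", "bob", "Branch-01", 230),  # conflicting duplicate entry
    ])
    return db


def lookup_vlan(db, mac, username, location):
    """Return the VLAN for this attribute combination, or the quarantine VLAN."""
    norm = normalize_mac(mac)
    if norm is None:
        return QUARANTINE_VLAN
    # Username and location come from the network request, so they are bound
    # as parameters and never concatenated into the SQL text.
    rows = db.execute(
        "SELECT vlan FROM endpoint_vlan WHERE mac = ? AND username = ? AND location = ?",
        (norm, username, location),
    ).fetchall()
    # Exactly one match is required; zero or several rows are treated as untrusted.
    return rows[0][0] if len(rows) == 1 else QUARANTINE_VLAN


if __name__ == "__main__":
    db = build_db()
    print(lookup_vlan(db, "00:50:56:9A:1B:2C", "alice", "HQ-Floor2"))
    print(lookup_vlan(db, "00-50-56-9A-1B-2C", "alice' OR '1'='1", "HQ-Floor2"))
```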
- Certificate Fingerprinting for Multiple CAs Feature
This feature, which comes with ISE 3.0, provides a secure mechanism for multiple certificates to support different domains, so the reliability of many domains will be increased by multiple certificates.
- PassiveID and Windows Event API Feature
With Cisco ISE Version 3.0, the MS-Eventing API or the Microsoft Remote Procedure Call (MSRPC) protocol can be used for Passive Identity. Cisco ISE uses the MSRPC protocol to establish node communication and monitor heartbeats between nodes. This option is in addition to the WMI protocol for the Passive Identity service. With this feature in ISE 3.0, Passive Identity significantly improves overall performance by using MSRPC APIs instead of WMI.
- API Gateway Feature
The Cisco ISE API Gateway is a new feature in ISE 3.0: an API management solution that acts as a single entry point to multiple Cisco ISE service APIs to provide better security and traffic management. API requests from external clients are routed to the API gateway in Cisco ISE, which in turn routes them to the Cisco ISE nodes that run the relevant APIs, according to the rules configured in the API Gateway.
- Device Identifier Change Feature for Windows Devices
A new device identifier based on CN/SAN certificate attributes used between ISE and MDM is used to query compliance independent of the MAC address on end-user devices. (UDID: Unique Device Identifier)
- Baseline Policies Feature with Microsoft SCCM
With ISE 3.0, ISE Admins can select specific base policies and have only those policies checked for compliance.
- Posture AV/AM Minimum Version Control Feature
There are many different anti-virus and anti-malware products, and the policies created for them used to be either very general or very specific. With ISE 3.0, a minimum version can be specified for AV/AM products, and endpoints running that version are treated as compliant. It should not be overlooked that OPSWAT support is mandatory here.
- Health Check Feature
One of the features that admins will use most frequently in ISE 3.0 will undoubtedly be the Health Check feature. ISE 3.0 offers an optional system health check to diagnose all nodes in your deployment. Running a health check on all nodes before any operation helps identify critical issues, if any, that may cause an outage. Health Check shows the operating status and health status of all dependent components. In the event of a component failure, it offers troubleshooting suggestions to resolve the issue so that the operation is carried out smoothly. Another innovation in ISE 3.0 is that
It is worth mentioning that it is an excellent solution for detecting and solving many problems before upgrades and for performing upgrades without any problems.
- Debugging Feature in Profiles by Function
The Debug Wizard contains predefined debug templates that you can use to troubleshoot issues on ISE Nodes. You can easily configure Debug Profiles and Debug Logs from here. Another plus of this feature is that Cisco TAC can now easily enable debug logs across multiple Nodes in a Cisco ISE deployment. This feature will help in faster troubleshooting. Also, the created debug profiles can be used across multiple Nodes.
- More functional TCP Dump Feature
With ISE 3.0, you can control the collected data by specifying the file size, the number of files, the processing time, and the interfaces on which the dump file should be created (always in raw format / TCP dump format), including connected interfaces.
· ISE 3.0 Supported Platforms (SNS 35XX series EOL)
- Platform Support – Cloud
o Amazon VMware Cloud
o SAML SSO Support with Azure Active Directory
With ISE 3.0, the Azure AD SAML 2.0 MFA feature can now be used via the ISE web portals (Guest, BYOD and My Devices Portal).
o ROPC using 802.1X Azure AD (Resource Owner Password Credentials)
With ISE 3.0 802.1X, users can be authenticated directly to Azure AD using OAuth ROPC.