Cisco ISE 3.4 starts June with a bang


June has always been one of my favorite times of the year. When I was younger, it always meant that school was finally ending. Now that I’m a little older, the latter reason doesn’t matter as much, but I still love the season. Plus, there’s a yearly June occurrence that has taken the place of the last days of school.

That’s Cisco Live, and the launching of the next version of Identity Services Engine (ISE)!

Every year there’s a host of new features and functionalities that I’m very excited to talk about, and 2024 is no exception, as we are announcing a strategy called Common Policy that is going to be a true game changer.

Common Policy = Common language

It’s still in Beta release now, but the first iteration of Common Policy is expected to be available to the general public in the Fall. So now you know when you’ll be able to get it, but what is Common Policy?

It’s important to set the scene first before we get into exactly what Common Policy does. Access patterns have changed, and users are logging in from different locations every day, accessing application that are running in the cloud or the local data center. For an organization that is serious about a strong zero trust solution, an administrator must make sure that the security policies for all devices, users and application workloads are consistent over the entirety of the network and other products such as Application Centric Infrastructure (ACI). The issue is that depending on where the administrator enforces policy, each domain has its own structure for implementing access and segmentation policy and not all of them are speaking the same language.

This is where Common Policy steps in as it provides administrators with the ability to send each domain the same user, endpoint, and application workload context so that they have the flexibility to enforce policies on the domain of their choice. Common Policy makes sure that everything is speaking the same language.

Cisco ISE as Exchange Hub

Make no mistake, Common Policy is not a new pane of glass solution. Cisco ISE sits in the middle of the strategy as an exchange hub that integrates with both the network and the security domains. As you know, identity—it’s the first word in the ISE acronym—is what’s used to enforce policies across domains and that’s because identifiers such as location, posture, amongst others are embedded inside context.

Context information is created closer to the domain where it resides, in the access layer for users and devices, and in the data center or cloud for application workloads. We normalize this context to a group construct—such as a security group tag (SGT)—that is understood across the domains. The normalized user, device, and app workload context is sent to each domain using Cisco ISE as the exchange hub. This enables security administrators to create consistent access and segmentation policy irrespective of which domain they choose to enforce policy.

It’s a snap for ISE to get that information because it already has pxGrid—one of the industry’s largest ecosystems for context sharing—ISE can raise visibility by sharing the data with other products it gathers from end devices on the network. Not to mention that pxGrid consumes information learned from other products. All of that data allows for more detailed, targeted policies to be built.

With Common Policy the network becomes more modern and more holistic. An administrator can provide certain users with access to certain workloads as well as enterprise and corporate assets on their sites. Not only that but sending context and enforcing polices on ACI has improved too. Security group tags (SGT) can be translated into External Endpoint Groups (EEPG) and be assigned contracts all from within Cisco ISE.

Common Policy is allowing the ecosystem to expand so that application workloads can be brought in from external on premises and cloud providers with VMware, AWS, Azure and application workload identity information. Within Cisco ISE customers can assign these workloads to SGTs and then send them out to other domains—including ACI, Cisco Secure Access, SD-WAN and more—to use in segmentation building and access policies.

Cisco ISE 3.4 Enhancements

But while Common Policy certainly takes the headline for this year’s release, there’s plenty of other great features that will be beneficial to all our customers. Another benefit is that finally everyone is speaking the same language. Oftentimes—especially in large organizations—there are multiple administrators working on different areas of the network. Each administrator, through no fault of their own, is often in charge of their fiefdom and are creating policies with different languages. Common Policy helps these administrators all speak the same language.

Cisco ISE Reboot reduction time

It doesn’t happen very frequently but when Cisco ISE reboots, it can take a little bit of time. Now that time has been reduced by up to 40%. On the one hand, it’s great that your network is up and running lickety-split. But on the other hand, your coffee break may need to shorten too.

Dynamic Reauthentication

If you work in an organization where it’s common for guests to stay an extended amount of time, providing them with full access to your network might not be the best idea. But at the same time, they need more than the guest network. With Dynamic Reauthentication, your problem is solved. This is a temporary policy where a group of devices are placed in a bucket where parameters are defined, and access is provided for a determined amount of time. Once that time is complete, the devices are automatically dumped from the bucket.

For example, if a retail store has to disconnect all of the endpoints, or a specific endpoint, at the end of the day. So once the store is closed and the devices are not needed, they automatically disconnect from the network. The next day as the owner returns to their store to get ready for their day, the devices all automatically connect. Aside from the initial parameter definition, the administrator does not have to worry about this day-to-day task again.

pxGrid Direct enhancements

The already-strong synergy between Cisco ISE and pxGrid grows even stronger thanks to these new features.

The first enhancement, called pxGrid Direct Sync Now, will allow customers to immediately synchronize data from pxGrid Direct Connectors. Currently Cisco ISE can synchronize a full data base update once a week or less (minimum once every 12 hours), with incremental updates every day (incremental updates minimum once every hour). With immediate synchronization, there is no longer a need to wait for large changes in the network to be made.

The second enhancement grants the ability to push updates immediately to Cisco ISE. This new feature is called pxGrid Direct URL Pusher and will allow ISE to directly integrate with Configuration Management Data Base (CMDB) servers that support JSON format. This will allow customers to skip the CMDB server, especially if they don’t have one, and push the JSON file directly to Cisco ISE.

Protected Access Credentials (PAC)-less communication

Cisco ISE uses a PAC file during the EAP-FAST authentication between ISE and a TrustSec Network Device. During the initial authentication process, a PAC file is generated. In some cases, some TrustSec devices may have issues with processing the PAC file. For these cases, starting Cisco ISE 3.4 it is now possible to use PAC-less communication between ISE and the TrustSec devices and this results in a reduction of management overhead.

In all, there are 15 new features that Cisco ISE 3.4 premiered this month, but these are just a couple of the highlights.  So while school’s out for some, Cisco ISE 3.4 is in for all!

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Share:



Leave a Reply

Your email address will not be published. Required fields are marked *