Now that Cisco has finally released the Identity Services Engine 2.0 (ISE), it seems only appropriate to call out some of the best things about it. Sitting in my hotel room after an evening of sake and war stories with the guys, what better thing to do than write a blog entry for you all to read and hopefully enjoy? At the time of this writing, Cisco's ISE 2.0 has been in beta and is soon to be released to the public. This may be the single most anticipated release ever, so why not go through some of the cool things that are in it? Here's my top 10 list. Some are big items, and some are just small gems that I think everyone will love.

1. TACACS+ support for Device Administration AAA

It's no secret that I have been publicly vocal against adding device administration AAA to a product that is designed to be a network access AAA solution. If you had any doubts, just check out my RADIUS vs. TACACS blog entry from last year! It doesn't seem to matter what my opinion was on the subject: the public demanded the addition of T+ to ISE, and they got it. What makes this the #1 cool feature of ISE 2.0 is the absolutely phenomenal job that Cisco has done fitting T+ into ISE. It's been rock solid and is simply terrific for what some would expect to be a "1 dot oh" feature.

2. The new Endpoints Identity page

At first glance this is a seemingly small thing, but this is the single most frequently viewed page in all of ISE. It was also one of the biggest pains to use. It was one of the first pages to be revamped in ISE 2.0, and it was revamped in a great way. Some very usable pie charts at the top also hold a small secret: click on a pie slice and it automatically filters the table below it. The table itself is completely rewritten and remembers where you were when you click into an endpoint for details and then go back to the table.

[Image: Endpoint Identity Page]

3. New Navigation Framework

ISE is a complex system with tremendous power.
A system like that cannot normally come with a user interface that is contained within only a few pages. Most often a solution like this needs a menu system and many levels of navigation. ISE is certainly afflicted with the need for many menus with sub-levels and, simply put, a lot of navigation. That's all well and good, but the GUI framework in ISE 1.0 was pretty painful. Incremental updates to the GUI have taken steps to speed up the experience, but it was still just not fast enough for a modern application. ISE 2.0 rips out the entire navigational framework and replaces it with one that is modern and lightning fast. It's obviously the start of a complete UI overhaul, in which some functional areas and their pages are also rewritten, and I would expect the entire UI refresh to be complete in the next release or two. The first time you log into ISE 2.0, you immediately see the difference with snappy "mega menus" and side navigation.

[Image: New Navigation]

4. Upgrade Wizard

It's no secret that upgrade is a complex procedure for any large distributed system. Many solutions do not even offer an upgrade; instead they require you to reinstall and restore the configuration from backup. However, ISE has always supported upgrade and has made significant improvements with each release. ISE 2.0 adds a new wizard-based GUI to handle upgrades. You can specify which repository each node in the deployment should use, pre-stage the upgrade files, and control the order in which each node is upgraded, all within the GUI.

[Image: Upgrade Wizard]

5. Support Tunnels

Taken directly from the amazingly serviceable Cisco IronPort appliances, support tunnels have been added to ISE. For those who aren't familiar with this feature on the IronPort appliances, it allows the admin to enable a secure tunnel through which Cisco TAC can remotely access the appliance's root operating system. Well, that's the simple explanation.
This is fantastic, because it means fewer WebEx sessions with Cisco TAC remotely watching the UI of a customer's ISE deployment: they can view it directly, if and only if the customer has enabled the support tunnel and provided the TAC engineer with the unique key.

6. Stacking of Command Sets

Along the lines of #1, the support of T+ for device administration AAA, ISE 2.0 allows multiple command sets to be returned in response to a single authorization request. Brilliantly, the command sets stack: a permit statement always outweighs a deny statement, unless it is a "deny_always" statement.

[Image: Stack Command Sets]

7. Network Device Profiles

Network Device Profiles are completely brilliant and provide something that some of us have been asking for in ISE since the very beginning: the ability to customize the settings for network devices, including the way ISE handles Change of Authorization (CoA), URL redirection and more. NAD profiles can be imported and exported so they can be shared. ISE 2.0 ships with a slew of pre-built profiles for many network devices, including Aruba, Alcatel, Brocade and more.

[Image: NAD Profiles]

8. Native EAP-TTLS Support

EAP-TTLS is a tunneled EAP method that is fairly popular with universities that use eduroam. Prior to ISE 2.0 it was one of the only popular EAP types missing support in ISE, even though it was supported in Cisco's supplicant, the Cisco AnyConnect Network Access Module.

[Image: EAP-TTLS]

9. Certificate Provisioning Portal

ISE 1.3 added a built-in Certificate Authority for BYOD endpoint certificates. It would create endpoint certificates only for devices that went through the Cisco BYOD on-boarding process. ISE 1.4 added an API that allowed the creation of private/public key pairs and certificates that could be imported into devices that couldn't go through the BYOD flows.
Now in ISE 2.0 there is a full-blown, customizable portal that allows the creation of individual certificate key pairs, the submission and signing of Certificate Signing Requests (CSRs), and even the bulk creation of certificates.

[Image: Cert Portal]

10. Kick Endpoints off the Network when a Certificate is Revoked

Previously, when a certificate that ISE had issued to a BYOD endpoint was revoked, the endpoint would naturally be denied access at its next authentication. However, the endpoint remained on the network until that next re-authentication. ISE 2.0 sends a CoA-Terminate (a disconnect) to any endpoint with an active session whose certificate has been revoked, thereby immediately kicking it off the network.

While this list of 10 is pretty cool, it is certainly not inclusive of all the great additions in ISE 2.0. It's simply a small list of some nuggets that I thought I'd share. See you next time.

Aaron
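As an added illustration of the command-set stacking rule in item 6 (my own example here, not Cisco's code or anything from the original post), the following model evaluates a TACACS+ command line against several stacked command sets. It assumes each set is a list of rules with a grant of permit, deny or deny_always, a command keyword and a shell-style glob over the arguments, and that a command matching no rule in any set is denied; the two sample sets are constructed.

```python
"""Model of ISE 2.0 command-set stacking (added example, not Cisco code).
Assumption: rules carry PERMIT / DENY / DENY_ALWAYS, a command keyword and
a glob over the argument string; an unmatched command is denied."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch


class Grant(Enum):
    PERMIT = "permit"
    DENY = "deny"
    DENY_ALWAYS = "deny_always"


@dataclass(frozen=True)
class Rule:
    grant: Grant
    command: str       # exact command keyword, e.g. "show"
    args: str = "*"    # glob over the argument string, e.g. "running-config*"

    def matches(self, command: str, args: str) -> bool:
        return command == self.command and fnmatch(args, self.args)


def evaluate(command_sets: list[list[Rule]], line: str) -> Grant:
    """Evaluate one command line against every command set returned for the
    authorization. Stacking rule from the post: a PERMIT in any set outweighs
    a DENY in another, but a DENY_ALWAYS wins over everything."""
    command, _, args = line.strip().partition(" ")
    grants = {r.grant for cs in command_sets for r in cs if r.matches(command, args)}
    if Grant.DENY_ALWAYS in grants:
        return Grant.DENY_ALWAYS
    if Grant.PERMIT in grants:
        return Grant.PERMIT
    return Grant.DENY   # explicit DENY, or no matching rule at all


# Constructed sample sets: a read-only set and a config-capable set, as two
# different authorization results might contribute them for one admin.
READ_ONLY = [
    Rule(Grant.PERMIT, "show", "*"),
    Rule(Grant.DENY_ALWAYS, "show", "running-config*"),
    Rule(Grant.DENY, "configure", "*"),
]
NET_OPS = [
    Rule(Grant.PERMIT, "configure", "terminal"),
    Rule(Grant.PERMIT, "show", "running-config*"),
]

if __name__ == "__main__":
    for cmd in ("show version", "configure terminal", "show running-config", "reload"):
        print(f"{cmd!r:24} -> {evaluate([READ_ONLY, NET_OPS], cmd).value}")
```

Note that "show running-config" stays denied even though NET_OPS permits it, because READ_ONLY's deny_always cannot be overridden by a permit in another set.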