
New Features in ISE 1.3
Technical Update
Security
2014 Partner VT
Imran Bashir, SAMPG TME
Paul Forbes Bigbee, Product Manager
June 24, 2014
Cisco Confidential 3 2013-2014 Cisco and/or its affiliates. All rights reserved.
ISE 1.3 Mobile UX Experience
Guest Revamped
Internal Certificate Authority
Simplified Client Provisioning
Endpoint Management
Authorization Enhancements
Simplified Integration
Multi-AD Forests/Domains
Streamlined VPN*
AnyConnect Unified Agent*
Serviceability Enhancements
Context and Speed
pxGrid
AD Identity Mapping
New REST APIs
Miscellaneous
New Partner Tools
Roadmap
Summary / Additional Resources
At the end of the session, participants should be able to:
Identify key User Experience enhancements in ISE 1.3
Define the key features that deliver Streamlined Integration
Describe how ISE 1.3 delivers Context and Speed
ISE 1.3 Priorities
User Experience: From our new Guest Administration to our built-in Certificate Authority, ISE 1.3 has been designed to make turning your business goals into functioning network policy easy.
Simplified Integration: Streamlined VPN delivers compliance policies without additional boxes; support for multiple Active Directory domains provides support for the most complex AD environments.
Context and Speed: Managing large networks requires coordination between services and teams. From pxGrid for context sharing and threat defense integration to REST APIs for streamlined Ops, ISE is more open and programmable than ever.
Mobility User Experience
All New Guest Experience
(Introducing Admin WorkCenters)
Certificate Management and BYOD
Made Easy
Internal CA
Simplified Provisioning
Client Provisioning Updates
Endpoint Management Features
Authorization Enhancements
ISE Guest Reloaded
ISE 1.3 Guest Enhancements
Complete Makeover and UX Update
Workcenters consolidate all tasks in one place
Simple Customization and Themes for all user-facing portals using CSS / jQuery ThemeRoller
WYSIWYG Portal Pages w/ realtime flow display
Web Portal Test option; Notification Test options
Simplified Language Support inc. custom portals
Selectable interface(s), port, and cert per portal
Per portal Simplified URL for Sponsor/MDP
Out-of-box Guest Portals/Flows, Guest Types, and Sponsor Roles with Smart Defaults
Guest API for Create/Update/Delete/Suspend
Login Passcode Access & Registration Codes
Granular AUP options including same-page AUP, up to 50k characters.
Up to 1M concurrent guest accounts
Auto-Device Registration and Purge
Approver for Self-Registration Flow
Email, SMS, or Print Notification for all Guest Types inc. Self-Reg and Imported + Bulk Print
Customizable Notifications and Messages inc. free-form HTML and variable data substitution.
Post Redirect to original URL or landing page
Locations to auto-map time zones
Sponsor can supply guest with SSID info
Sponsor Group Tags to provide optional grouping for search and report
SMS support for SMTP and HTTP APIs with preconfigured list of major gateway providers
Limit # Guest logins by number (not just 1/)
Limit sponsor guest creation via import/random
Max guest login attempts with rate limiting
Optional BYOD Bypass for Employees
Popup Help & direct page links to related setup
Account Expiry Notification via SMS/email
Simplifying Guest Access: ISE 1.2 vs. ISE 1.3 (screenshot comparison)
The All New Guest Administration
Setup a Guest experience in 5 minutes!
A Guest Button: With our new navigation, getting to the Guest admin has never been easier.
Prepackaged Flows: Guest now ships with default flows and settings used by 90% of our customers.
One Stop Setup: Once you're there, all the pieces you need are accessed in one place.
Built-in Templates for Sponsor and Guest
Built in Guest Types; Built in Sponsor Templates
Create/Edit/Duplicate existing templates
No more Time Profiles: Day/Time restrictions now defined under Guest Type
Guest Flow Settings Made Easy
End User Visibility: Ever wonder how changing a setting will affect your guests? ISE makes the end user experience crystal clear as it updates the guest flow diagram in real time with each settings change.
Admin Friendly: Through extensive user research we've made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.
Customizable Guest Pages
Themes! Gives you complete control over look & feel of your guest pages. Use out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.
Live Preview: See your pages as the guests will see them as you customize.
Full Page Control: Use our defaults or customize every field in multiple languages.
Preconfigured Guest Portals for Major Use Cases
Hotspot
- No Auth Required
- Optional AUP, Access Code, or Device Registration
- Replaces DRW
Sponsored Only
- Authenticated Access
- Feature rich portal options including BYOD & Posture
Sponsored + Self Registration
- Similar to Sponsored Only plus Self-Registration and Sponsor Approver flow
Hotspot Portal Example
No more Language Templates: Import New or Export/Edit/Reimport language property files
Each portal can be run on unique HTTPS port, interface, and SSL certificate
Hotspot Authorization Profile: New URL Redirect Option
Hotspot Redirect replaces DRW
Streamlined Sponsor Portals
Branding with Themes!
Mobile Sponsors: You are free to move about the cabin! Create and manage guest accounts from your mobile phone or tablet.
Streamlined Guest Creation: Quickly create single or multiple accounts (Create Accounts; Print, Email, SMS)
Branded Guest Receipts & Notifications, inc. Self-Service
Guest Receipts with Your Brand: Whether you're delivering guest credentials on the printed page, over email or SMS, ISE makes it easy to deliver your complete branded experience.
SMS Notifications: Send credentials directly to a guest's mobile phone.
Email Notifications: Do you have Guests visiting? Send them login credentials before they even arrive!
Sample receipt:
Your credentials
username: trex42
password: littlearms
Built-In Support for Major SMS Gateway Providers
SMTP Gateway - Original method
New HTTP API method supports other popular providers
Registration and Access Code (example code: 125478)
Registration code: Require user to enter a code before completing a self-service registration.
Access code: Require user to enter a code before accessing a hotspot or logging in using guest credentials.
Guest Self-Service with SMS
Self-service Verified guest is a flow in which the user attempting to get on the Internet completes the flow of getting on the Internet without interaction from any outside person.
Goal: Get the user on the Internet as long as you have a 3rd-party identifier to prove the user is valid (they are who they say they are).
1 Self Service Sign-up: The first step asks the user to provide personal information including an email address or phone number; this information is usable for verifying the identity of the person and for reporting purposes at a future date.
2 Verified Credentials: The user receives their credentials by SMS at the phone number provided, proving they have provided a real phone number that reaches them.
3 Logging In: The user is asked to provide these credentials either at a web login page or in the device's supplicant. (Working on support to skip this step with a link that jumps the user from #2 to #4.)
4 Success & Redirect: The user is successfully logged in and now has Internet access. In many cases it is desirable to redirect the user to the URL they initially attempted to visit.
AUP Optional Step: The user could have been presented with an AUP in step #1 or step #3.
Approved Self-Service Guest
Approved self service provides a mechanism for a user to request a guest account. The request is emailed to a sponsor who is responsible for approving or rejecting the request. Only after the sponsor has approved the request does the guest receive their credentials.
Flow Mechanics
1) The guest user requests an account. The guest may provide a specific employee (sponsor) email address.
2) The sponsor receives an email containing links to approve or reject the request.
3) If approved, the guest receives access credentials.
New Guest Reports
Additional fields available for reporting including: First Name, Last Name, MAC/IP address, Email, Phone Number, Company, AUP Acceptance
Internal CA Details
ISE 1.3: Internal Certificate Authority
Simplifying certificate management for BYOD devices
Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure. The ISE Certificate Authority is designed to work in concert with your existing PKI to simplify BYOD deployments.
Single Management Console: Manage endpoints and their certs. Delete an endpoint and ISE deletes the cert.
Simplified deployment: Supports stand-alone and subordinate deployments. Removes the corporate PKI team from every BYOD interaction.
(Diagram: Enterprise CA, with the Cisco ISE CA as an optional subordinate)
*Designed for BYOD & MDM use-cases only, not a general purpose CA
PKI Hierarchy and Roles
(Diagram: Enterprise Root (optional) above the Primary PAN / Primary ISE CA; the Standby PAN and each PSN is a Subordinate CA and SCEP RA)
Primary PAN is Root CA for ISE deployment
All PSNs are Subordinate CAs to PAN
PSNs are SCEP Registration Authorities (RAs)
ISE PAN may be Subordinate to an existing Root CA or may be Standalone Root.
Promotion of Standby PAN: Will not have any effect on operation of the subordinate CAs. For Standby to become Root CA, must manually install the Private/Public keys from Primary PAN.
Native Supplicant Profile
Certificate Template(s)
Define Internal or External CA
Set the Key Sizes
SAN Field Options: UUID, DNS Name, MAC Address, Serial # (No Free-Form Input)
Set length of validity
Revoke Certificates from ISE
Automatically Revoked when an Endpoint is marked as Lost
Certificates may be Manually Revoked
Simplified Client Provisioning
Walk Through BYOD Onboarding
Out of the box flow walks users through onboarding.
Fully customizable user experience with Themes.
My Devices gives end users control to add and manage their devices.
Mobile and desktop ready out of the box.
Java-Less Provisioning
Certificate Renewals (1.2.1)
               Works   Comments
Before Expiry
  iOS
  Android
  Windows
  MAC-OSX
After Expiry
  iOS
  Android
  Windows                Supplicant will not use an expired cert
  MAC-OSX                Not tested yet
Allowing Expired Certificates (1.2.1)
Option to allow expired certs for:
Pure EAP-TLS
EAP-TLS as an Inner Method
Redirect Expired Certs (1.2.1): Windows; Everything Else
Certificate Renewal: Optional Message (1.2.1)
Portal Customization for Other User Facing Pages
Guest/Sponsor Portals configured under Guest Workcenter
Other Portals configured here: Blacklist, BYOD, Client Provisioning (Posture), MDM, My Devices
Endpoint Management
Endpoints for Administrators
Full endpoint detail in one page.
Take action on the endpoint.
Description field for admin notes NEW!
Portal User Attribute Exposed to Authorization Policy
Validate authenticating device belongs to same user that registered it!
Endpoint Purging
Matching Conditions, Purge by: # Days After Creation; # Days Inactive; Specified Date
Endpoint Purging Examples: On Demand Purge
Posture Lease: Once postured compliant, user may disconnect/reconnect multiple times before re-posture
Authorization Enhancements
802.1X + CWA Chaining
Enhanced Certificate Attribute Matching
Mobile Device w/ Certificate: What Identifies the Actual User?
Dual-Authentication: Why Bother?
There are many needs to determine Machine AND the User
Windows is the only current OS that can run EAP-Chaining (with AnyConnect)
What about Mac, iOS or Android based tablets?
Chain together 802.1X with Centralized Web Authentication (CWA)
Validate the Device Using Standard 802.1X. Choose Your Weapon: EAP-TLS or EAP-PEAP, etc.
After Device is Authenticated, Prompt ACTUAL USER to Authenticate Using Captive Portal
Authorize Based on BOTH Authentications:
Use Attributes from the 802.1X Session
Use Windows AD / LDAP Groups from the CWA Session
Authorization Rule can Refer to 802.1X, CWA, or Both
802.1X and CWA Chaining
Authorization policy:
Rule Name     Conditions                                               Permissions
IP Phones     if Cisco-IP-Phone                                        then Cisco_IP_Phone
Employee_CWA  if CWA:CWA_ExternalGroup = Employees                     then Employee & SGT
Employee_1X   if Employee & Network Access:EAPAuthentication = EAP-TLS then CWAchain
Default       if no matches                                            then WEBAUTH
Flow between supplicant, NAD switchport and PSN:
1. EAP-TLS Authentication: RADIUS Access-Request [EAP-Protocol=TLS] with EAP-ID Response; CN=employee1 || Cert is Valid; 802.1X User Identity = employee1
2. ISE Sends Access-Accept w/ URL-Redirect: RADIUS Access-Accept [AVP: url-redirect, dacl]
802.1X and CWA Chaining (continued)
3. User Enters Uname/PWD (employee1); CWA User Identity = employee1
4. ISE Sends CoA-reauth: RADIUS CoA [AVP: reauth]; the NAD sends an EAP-ID Req to the supplicant
802.1X and CWA Chaining (continued)
5. Supplicant Responds with Cert: RADIUS Access-Request [EAP-Protocol=TLS] with EAP-ID Response; CN=employee1 || Cert is Valid; 802.1X User Identity = employee1; CWA User Identity = employee1
6. ISE sends Accept, dACL & SGT: RADIUS Access-Accept [AVP: dacl + SGT]; Access-Granted
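The six-step chaining flow and the rule table above, simulated as an added example (not ISE code): the Session attributes, the identity-group condition standing in for the "Employee" term of the Employee_1X rule, and the AVP lists per profile are assumptions made for this example.

```python
"""Simulation of the 802.1X + CWA chaining authorization policy on the slides.

Added illustration, not ISE code. The rule table and the step names are the
ones on the slides; the Session model, its attribute names and the AVPs per
profile are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Session:
    """Attributes ISE holds for one RADIUS session (constructed model)."""
    endpoint_profile: Optional[str] = None    # profiler result, e.g. "Cisco-IP-Phone"
    eap_authentication: Optional[str] = None  # Network Access:EapAuthentication
    dot1x_identity: Optional[str] = None      # identity from the certificate CN
    identity_group: Optional[str] = None      # group of that identity, e.g. "Employee"
    cwa_identity: Optional[str] = None        # identity typed into the CWA portal
    cwa_external_group: Optional[str] = None  # CWA:CWA_ExternalGroup (AD/LDAP group)


Rule = Tuple[str, Callable[[Session], bool], str]

# Rules as on the slide; ISE evaluates them top-down and the first match wins.
RULES: List[Rule] = [
    ("IP Phones", lambda s: s.endpoint_profile == "Cisco-IP-Phone", "Cisco_IP_Phone"),
    ("Employee_CWA", lambda s: s.cwa_external_group == "Employees", "Employee & SGT"),
    ("Employee_1X",
     lambda s: s.identity_group == "Employee" and s.eap_authentication == "EAP-TLS",
     "CWAchain"),
]
DEFAULT_RESULT = "WEBAUTH"

# RADIUS AVPs of the two profiles shown on the slides.
PROFILE_AVPS = {
    "CWAchain": ["url-redirect", "dacl"],  # step 2: push the user to the CWA portal
    "Employee & SGT": ["dacl", "SGT"],     # step 6: final access with dACL and SGT
}


def authorize(session: Session) -> Tuple[str, str]:
    """Return (rule name, authorization profile) for the session's current attributes."""
    for name, condition, profile in RULES:
        if condition(session):
            return name, profile
    return "Default", DEFAULT_RESULT


def chained_flow(cert_cn: str, cert_valid: bool, identity_group: Optional[str],
                 portal_user: str, portal_group: Optional[str]) -> List[Tuple[str, str, str]]:
    """Walk the six-step flow; each entry is (step, matched rule, result)."""
    trace: List[Tuple[str, str, str]] = []
    if not cert_valid:
        # Step 1 fails: EAP-TLS rejects the session before authorization runs.
        return [("1 EAP-TLS", "-", "Access-Reject")]
    # Step 1 succeeds: only 802.1X attributes exist on the session so far.
    session = Session(eap_authentication="EAP-TLS", dot1x_identity=cert_cn,
                      identity_group=identity_group)
    rule, profile = authorize(session)
    # Step 2: the Access-Accept carries the AVPs of the matched profile.
    trace.append(("1-2 EAP-TLS -> Access-Accept", rule, profile))
    if profile != "CWAchain":
        return trace  # no url-redirect, so no portal and no second authentication
    # Step 3: the user logs in on the CWA portal; ISE attaches the CWA identity and
    # its external group to the same session (matched on the NAD session id).
    session.cwa_identity = portal_user
    session.cwa_external_group = portal_group
    # Steps 4-5: CoA-reauth; the supplicant presents its certificate again, so the
    # 802.1X attributes are refreshed while the CWA attributes stay on the session.
    rule, profile = authorize(session)
    # Step 6: the second Access-Accept is built from both sets of attributes.
    trace.append(("4-6 CoA-reauth -> Access-Accept", rule, profile))
    return trace


if __name__ == "__main__":
    for step, rule, result in chained_flow("employee1", True, "Employee", "employee1", "Employees"):
        print(f"{step:32} rule={rule:13} result={result} avps={PROFILE_AVPS.get(result)}")
```

A portal user who is not in the Employees group matches Employee_1X again after the CoA and is redirected once more, which is the behaviour the rule order implies.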
Enhanced Certificate Attribute Matching
Enhanced Certificate Matching in AuthZ Policy:
Key Usage (KU)
Extended Key Usage (EKU)
Microsoft-CA Certificate Template
Use Case #1: Different Profiles for Specific Certificates
Use Case #2: Only Allow BYOD Certificates
Simplified Integration & Operation
Multi Forest Active Directory
Streamlined VPN
AnyConnect Unified Agent
Serviceability Enhancements
Multi-Forest Active Directory Support
Join up to 50 Forests or Domains without mutual trusts
No need for 2-way trust relationship between domains
Advanced algorithms for dealing with identical usernames
SID-Based Group Mapping
PAP via MS-RPC
Support for disjointed DNS namespace
Scales AD Integration through Multiple Join Points and Optimized Lookups
(Diagram: ISE joined to domain-1.com, domain-2.com, ... domain-n.com)
AD Authentication Flow
AuthC Policy to AD -> Scope (Optional) -> AD Join Point -> Domain List (Optional) -> Identity Rewrite (Optional) -> Target AD
Test Authentication
Can run from scope level
Can run from AD Join Point
Different authentication types
ISE node can be selected to run the test auth
Can provide group & attribute details if options are selected
Streamlining VPN and AnyConnect Unified Agent Updates
AnyConnect ISE Posture Agent Agenda
ASA 9.2.1 CoA with ISE 1.2
AnyConnect with ISE Posture Agent
ASA 9.2.1 adds Change of Authorization (CoA)
AnyConnect ISE Posture Agent Agenda
Remove the need for the Inline Posture Node (IPN)
Facilitate posture assessment between ISE and ASA for AnyConnect VPN users
Support policy push as opposed to requiring the user to re-authenticate or reconnect
Support periodic interim accounting updates (notifies ISE server of active sessions)
Change of Authorization
CoA allows ASA to dynamically apply ISE policies based on new endpoint identity context, e.g. a posture status change
(Diagram: VPN client with Posture Agent connects through the ASA to the ISE Policy Server; a CoA from ISE moves the endpoint from Limited Access (Non-Compliant) to Full Access (Compliant))
AnyConnect ISE Posture Agent Agenda
ASA 5500-X series, 5505 and Virtual ASA with ASA code 9.2.1
ISE 1.2 Patch 5
AnyConnect Recommend 3.1 MR 5 (Desktop) for VPN
AnyConnect Current Releases (Mobile) for VPN
Any NAC Agent which supports ISE - (future) AnyConnect ISE
CoA Flow (VPN User / ASA / ISE)
1. VPN Initiated From AnyConnect to ASA
2. RADIUS Authentication: AuthC OK, Posture Unknown
3. Access-Accept: dACL & URL-Redirection
4. Accounting Start (Client Identity Information)
5. Limited Access to the Enterprise Network
6. NAC Agent ISE Posture Assessment: Posture Compliant
7. CoA Policy Push (new dACL)
8. Full Network Access
AnyConnect 3.1 adds Identity Extension to Core VPN (VPN ACIDex)
platform = win, win-mobile, mac, apple-ios, android
platformversion = Operating System Version, e.g. 6.1.7601 Service Pack 1
devicetype = e.g. iPAD, Lenovo
deviceuniqueid = Unique ID; for mobile it is OS provided, for desktop it is derived
macaddress[0] = adapter XX-XX-XX-XX-XX-XX
macaddress[1] = adapter XX-XX-XX-XX-XX-XX
Example:
<device-id platform-version="6.2" device-type="Intel x86" unique-id="f6c0a54ed7ac2527e91cc53a232ed65b291ea437">win</device-id>
<mac-address-list>
  <mac-address>40-6C-8F-3A-42-79</mac-address>
  <mac-address>CA-FE-C0-FF-EE-00</mac-address>
</mac-address-list>
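Parsing the ACIDex payload above into the attribute names the slide lists, as an added example that is not Cisco's code; the validation rules (the known platform values, the dash-separated MAC format, a non-empty unique-id) are assumptions made here.

```python
"""Parser for the AnyConnect ACIDex device-id payload shown on the slide.

Added illustration, not Cisco code: the sample XML and the attribute names
are from the slide; the validation rules (known platform values, MAC format,
non-empty unique-id) are assumptions made here.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Sample ACIDex payload from the slide: two sibling elements, no enclosing root.
SAMPLE_ACIDEX = (
    '<device-id platform-version="6.2" device-type="Intel x86" '
    'unique-id="f6c0a54ed7ac2527e91cc53a232ed65b291ea437">win</device-id>\n'
    "<mac-address-list>\n"
    "<mac-address>40-6C-8F-3A-42-79</mac-address>\n"
    "<mac-address>CA-FE-C0-FF-EE-00</mac-address>\n"
    "</mac-address-list>"
)

KNOWN_PLATFORMS = {"win", "win-mobile", "mac", "apple-ios", "android"}  # values on the slide
MAC_RE = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")  # dash-separated form on the slide


@dataclass
class AcidexAttributes:
    platform: str
    platform_version: str
    device_type: str
    device_unique_id: str
    mac_addresses: List[str]


def parse_acidex(payload: str) -> AcidexAttributes:
    """Parse the payload; raise ValueError for anything a policy should not trust."""
    try:
        # Wrap in a synthetic root so ElementTree accepts the two top-level elements.
        root = ET.fromstring(f"<acidex>{payload}</acidex>")
    except ET.ParseError as exc:
        raise ValueError(f"malformed ACIDex XML: {exc}") from exc
    device = root.find("device-id")
    if device is None:
        raise ValueError("device-id element missing")
    platform = (device.text or "").strip()
    if platform not in KNOWN_PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    unique_id = device.get("unique-id", "").strip()
    if not unique_id:
        raise ValueError("unique-id attribute missing or empty")
    macs: List[str] = []
    for elem in root.iterfind("mac-address-list/mac-address"):
        mac = (elem.text or "").strip().upper()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address {mac!r}")
        macs.append(mac)
    return AcidexAttributes(
        platform=platform,
        platform_version=device.get("platform-version", "").strip(),
        device_type=device.get("device-type", "").strip(),
        device_unique_id=unique_id,
        mac_addresses=macs,
    )


def to_ise_attributes(attrs: AcidexAttributes) -> Dict[str, str]:
    """Flatten to the attribute names the slide lists (platform, platformversion, ...)."""
    result = {
        "platform": attrs.platform,
        "platformversion": attrs.platform_version,
        "devicetype": attrs.device_type,
        "deviceuniqueid": attrs.device_unique_id,
    }
    for index, mac in enumerate(attrs.mac_addresses):
        result[f"macaddress[{index}]"] = mac
    return result


def is_valid_acidex(payload: str) -> bool:
    """True when the payload parses and passes every check above."""
    try:
        parse_acidex(payload)
    except ValueError:
        return False
    return True
```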
Sample ACIDEX Attributes Received by ISE (screenshots: Android, iOS, Windows)
Serviceability
Serviceability User-Stories
To make ISE easier to troubleshoot
To make ISE easier to deploy
To make ISE easier to use
Serviceability User Stories
Tree View
Live Log / Live Session Filters
Per-Endpoint Debugs
Export Policy in XML
Bypass Suppression per Endpoint
Right-Click Copy / Bypass / Details
Filtered Support Bundle
Centralized Certificate Management
Increase Speed to PoC (Probes & Default Settings Changed)
Other Deployment Enhancements
Policy Set Rule Copy
Node Groups: No Multicast
Filters in Live Log & Live Sessions
At Long Last! Regex in Filters
Right Click in Live Log & Live Sessions
CSCul48352 Adds Right-Click > Copy for the End Point ID & Identity Fields in Live Log
Debug Endpoint
Creates debug file of all activity for all services related to that specific endpoint
Executed and stored per PSN
Can be downloaded as separate files per-PSN, or merged as a single file
Per-Endpoint Time-Constrained Suppression (Right Click)
Exportable Policy
Off-Line Examination of Customer Configuration
Quick Link to Export Page from Auth Policy Page
Export Auth Policy as XML
Miscellaneous Serviceability
VMware OVA Templates!
Finally! We have supported OVA Templates
Ensures customers will not misconfigure their VMware settings
Preset: Reservations, vCPUs, Storage
Based on following Specs:
ISE-1.3.x.x-Eval-100-endpoint.ova: 2 CPU cores, 4 GB RAM, 200 GB disk, 4 NICs
ISE-1.3.x.x-Virtual-SNS-3415.ova: 4 CPU cores, 16 GB RAM, 600 GB disk, 4 NICs
ISE-1.3.x.x-Virtual-SNS-3495.ova: 8 CPU cores, 32 GB RAM, 600 GB disk, 4 NICs
Web Proxy Authentication and Proxy Bypass (ISE 1.2 vs. ISE 1.3)
Authentication
Hosts/Domains to Bypass
PSN Node Group Communication Change
TLS (TCP/7800 and TCP/7802) used for node group communications
Multicast config no longer required
Secures inter-node communications from tampering
Context and Speed
Streamlined Threat Defense
Identity Based Firewall & Web Security
Streamlined Operation with new REST APIs
Context Sharing with pxGrid
Platform Exchange Grid pxGrid
Enabling the Potential of Network-Wide Context Sharing
That Didn't Work So Well!
I have firewall logs! I need identity
I have threat data! I need reputation
I have sec events! I need reputation
I have NetFlow! I need entitlement
I have reputation info! I need threat data
I have NBAR info! I need identity
SIO
I have location! I need identity
I have MDM info! I need location
I have app inventory info! I need posture
I have identity & device-type! I need app inventory & vulnerability
I have application info! I need location & auth-group
Announced Platform Exchange Grid (pxGrid)
Enabling the Potential of Network-Wide Context Sharing
pxGrid Context Sharing: Single Framework; Direct, Secured Interfaces
pxGrid Components
pxGrid Controller, pxGrid Publisher, pxGrid Subscriber
(Diagram: subscribers such as IPS, WWW, Cisco WSA, ASA-CX, IPAM, Threat Defense)
pxGrid Architecture
Grid Publish: ISE
Grid Subscribe: SF-IPS, WSA, StealthWatch, IDS, Firewalls, Threat Defense, etc.
In 1.0 of pxGrid:
ISE is the only Publisher
Session Directory is only Topic
Certificate Based Auth
Future versions will allow Pub & Sub
pxGrid: Configuration
Enable pxGrid on Primary node
pxGrid: Manage and Monitor Subscribers
IP Address & DNS Management
User, Group and Device Based Monitoring & Reporting
Use Case: Simplify IPAM and DNS reporting
Supplement IP and MAC address-based DHCP and DNS monitoring and reporting with who, what and where. This reduces manual reporting or in-house development by IT orgs.
(Diagram: pxGrid-enabled Cisco PAN/PSN publish the Session Topic; the IPAM & DNS pxGrid client subscribes for USER : DEVICE TYPE : GROUP context and reports "Who is accessing XYZ domain?" and "What devices and OSs are on the network?"; User & Device Control)
SIEM/Threat Defense Integration
Use Case: Identity and device aware threat management
Increase confidence around event severity levels in SIEMs and TD consoles; make events actionable in the network. SIEM/TD share worst offenders with ISE for user/device policy decisions.
(Diagram: Cisco ISE shares USER : DEVICE TYPE : CONN STATUS context with the SIEM/TD platform; SIEM/TD policy: detect sensitive data access on mobile devices (Data: Sensitive Data, Type: Mobile Device) and quarantine such users; ISE quarantines/remediates user/traffic)
Identity Mapping (or CDA on ISE)
Part of pxGrid
Provides ability to enrich the Session Directory (SD) for non-RADIUS Microsoft AD user auths
Uses WMI to retrieve login events from Microsoft AD domain controllers
AD user login will generate a pseudo session entry in the SD
Allows subscriber devices (WSA, ISR, ...) to use pxGrid (not RADIUS) to retrieve both RADIUS and non-RADIUS User:IP mappings from a single source.
Configuration: Add Domain Controller
Exempt (Blacklist) Mapping of Specific Users / IPs
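The identity mapping behaviour described above (AD logon events becoming pseudo session entries, with exempt users and IPs left out of the mapping), modelled as an added example that is not ISE code; the event shape, the exempt entries, the precedence of RADIUS sessions over AD logons and the ageing of pseudo sessions are assumptions made here.

```python
"""Model of the pxGrid Identity Mapping slides: AD logon events retrieved from
domain controllers become pseudo sessions in the Session Directory; an exempt
(blacklist) set of users and IPs is never mapped. Added illustration, not ISE
code: the event shape, the exempt entries, the rule that a RADIUS session is
never overwritten by an AD logon, and the ageing rule are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class LogonEvent:
    """One logon record as a WMI poll of a domain controller might return it."""
    when: datetime
    domain: str
    user: str
    ip: str


@dataclass
class SessionEntry:
    user: str           # DOMAIN\user
    ip: str
    source: str         # "RADIUS" or "AD-IdentityMapping"
    last_seen: datetime


class SessionDirectory:
    """Session Directory keyed by IP: the topic that pxGrid subscribers read."""

    def __init__(self, exempt_users: Iterable[str], exempt_networks: Iterable[str]):
        self._by_ip: Dict[str, SessionEntry] = {}
        self._exempt_users = {u.lower() for u in exempt_users}
        self._exempt_networks = [ipaddress.ip_network(n) for n in exempt_networks]

    def is_exempt(self, event: LogonEvent) -> bool:
        if event.user.lower() in self._exempt_users:
            return True
        return any(ipaddress.ip_address(event.ip) in net for net in self._exempt_networks)

    def add_radius_session(self, user: str, ip: str, when: datetime) -> None:
        # Normal ISE session learned from RADIUS accounting.
        self._by_ip[ip] = SessionEntry(user, ip, "RADIUS", when)

    def apply_logon(self, event: LogonEvent) -> bool:
        """Create or refresh a pseudo session; return True if the directory changed."""
        if self.is_exempt(event):
            return False
        current = self._by_ip.get(event.ip)
        if current is not None:
            if current.source == "RADIUS":
                return False    # RADIUS is authoritative for that IP (assumption)
            if event.when <= current.last_seen:
                return False    # stale or out-of-order event
        self._by_ip[event.ip] = SessionEntry(
            f"{event.domain}\\{event.user}", event.ip, "AD-IdentityMapping", event.when)
        return True

    def lookup(self, ip: str) -> Optional[str]:
        """What a subscriber such as WSA asks: which user is behind this IP?"""
        entry = self._by_ip.get(ip)
        return entry.user if entry else None

    def expire(self, now: datetime, max_age: timedelta) -> int:
        """Drop pseudo sessions not refreshed within max_age; RADIUS entries end
        with accounting and are left alone. Returns the number removed."""
        stale = [ip for ip, e in self._by_ip.items()
                 if e.source == "AD-IdentityMapping" and now - e.last_seen > max_age]
        for ip in stale:
            del self._by_ip[ip]
        return len(stale)


T0 = datetime(2014, 6, 24, 9, 0)  # constructed reference time


def build_demo_directory() -> SessionDirectory:
    """Feed a constructed stream of logon events through the directory."""
    sd = SessionDirectory(exempt_users=["svc_backup"], exempt_networks=["10.0.0.0/24"])
    sd.add_radius_session("CORP\\eve", "10.1.1.70", T0)
    events = [
        LogonEvent(T0, "CORP", "alice", "10.1.1.50"),
        LogonEvent(T0 + timedelta(minutes=5), "CORP", "svc_backup", "10.1.1.60"),  # exempt user
        LogonEvent(T0 + timedelta(minutes=10), "CORP", "bob", "10.0.0.5"),          # exempt subnet
        LogonEvent(T0 - timedelta(minutes=5), "CORP", "carol", "10.1.1.50"),        # older, arrives late
        LogonEvent(T0 + timedelta(minutes=20), "CORP", "dave", "10.1.1.50"),        # workstation reused
        LogonEvent(T0 + timedelta(minutes=30), "CORP", "frank", "10.1.1.70"),       # IP has RADIUS session
    ]
    for event in events:
        sd.apply_logon(event)
    return sd


def demo_expiry_count() -> int:
    """Age the demo directory by eight hours with a one-hour pseudo-session lifetime."""
    return build_demo_directory().expire(T0 + timedelta(hours=8), timedelta(hours=1))
```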
ERS API Updates
Configurable from Admin UI
No longer requires CLI to Enable/Disable
Monitor APIs run against MnT, but ERS APIs run against PPAN (r/w) or other nodes (PSNs r/o)
Must first create/edit admin accounts with ERS API permissions
ISE 1.3 All New ERS Guest API
Sponsor functions available via API including Create, Retrieve, Update, and Delete guest users
Uses the credential of the sponsor
API permissions based on sponsor group assignment of sponsor
Licensing Enhancements
Final Pricing, SKUs, Migration, Feature Info Forthcoming
ISE 1.3 Licensing
New Admin page tracking license usage
The screen shot is an example of an admin page showing the status for Wired, Wireless and VPN.
Eval License shown before connections
Actual Licensing Page
Cisco Employee and ATP Partner Tools (Not For Customer Use)
Available Now! @ isegpb.cisco.com
Create and Share Custom Portals
Choose from 4 Pre-Built Portal Layouts
For Use with ISE 1.2 Only!
File Upload Add-on Tool for Firefox
Drag and drop exported portal files from Template Builder here.
All portal files are automatically uploaded and appear here.
Navigate to the new portal (match the name exactly).
Coming Soon!
Endpoint Analysis Tool (EAT)
Multiple Report Templates for various use cases
Collect Once, Report Many
Use the simple report Viewer, or export to Excel
ISE Roadmap
Forward-Looking Statements
Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
Cisco Identity Services Engine (ISE) Roadmap
Cisco Confidential NDA Only - PARTNERS
Delivered Planning Committed
CY2013: ISE 1.2 / AnyConnect 3.0.x
September 2014: ISE 1.3 / AnyConnect 4.0
1HCY15: ISE 1.4
Stability and Reliability
All New, Revamped Guest Experience
TrustSec WorkCenter
MDM Integration with Leading Vendors
BYOD + Native Certificate Authority with Easy Management
ISE + MSE for zone-based policy
Device Profile Feed Service
pxGrid: 8 ecosystems including SIEM / Threat Defense
Deployment Tooling
SIEM Vendor Integration; pxGrid Announced
Streamlined VPN with off-premise device onboarding
ISE Cube & UCS Hardware - Scale up to 250K concurrent endpoints
AnyConnect Desktop Unified Agent
Multi-vendor MAB Support
Updated Licensing
AnyConnect: Windows 8.1, iOS 7 and iPhone 5S
Context Share with WSA
Multi-Forest Active Directory
USGv6
Per-App VPN for Mobile [ASA / AC] +1Q
Summary
The Key Takeaways of this presentation were:
ISE 1.3 delivers an all-new User Experience for Guest Services, from customized portals and personal branding to streamlined workflows.
Internal Certificate Authority simplifies and expedites BYOD deployments.
Numerous Endpoint Management features, such as Java-less programming and auto-registration and purge, improve end user experience and control.
Multi-AD Forests and Domains allow greater flexibility and scalability in AD deployments.
VPN access is truly integrated through ASA enhancements and the unified agent.
pxGrid offers next generation integration and context sharing across the network.
Serviceability enhancements make ISE easier to manage and support.
The new Licensing model helps accelerate adoption of advanced ISE services.
ISE Product - http://www.cisco.com/go/ise
TrustSec - http://www.cisco.com/go/trustsec
TrustSec Design and How-To Guides:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
ISE 1.2 Demos - https://communities.cisco.com/community/partner/security/content
dCloud BYOD Hosted Demos http://www.cisco.com/go/byoddemo
Free NFR Lab Software for Partners (1.2 Available)
Cisco Marketplace - $35 VMware image, perpetual license, 20 endpoints http://cisco.mediuscorp.com/ise
PDI Helpdesk - Webpage: http://www.cisco.com/go/pdihelpdesk
Program-related questions: pdihd-bn@cisco.com
Your Cisco PDM and CSE
dCloud: http://dcloud.cisco.com/
ISE / NFR POC Kit on MarketPlace: http://cisco.mediuscorp.com/ise
ISE Configured Limited Deployment (COLD) Program: https://communities.cisco.com/docs/DOC-32999
QuickStart Demo Series on YouTube CiscoISE channel: https://www.youtube.com/user/CiscoISE
Public Scheduled and On-Demand Demos:
http://www.cisco.com/c/en/us/products/security/identity-services-engine/ise_demos.html
POC / NFR Kit files https://communities.cisco.com/docs/DOC-36078
TrustSec / NFR Kit Files: https://communities.cisco.com/docs/DOC-52753
Partners: you will need to request access to the download site above by sending your company name and CCO credentials to ise_nfr_partner_bundle@cisco.com
ISE Configured Limited Deployment Guides (COLD): https://communities.cisco.com/docs/DOC-32999
ISE Portal builder http://isegpb.cisco.com
Where To Go for Interactive Help
Your local Security SE or Regional Security CSE (AT Security Team)
Find the trained ATP SE in your region; if there is no one, someone needs to be trained in that role.
Sales Assistance Center (SAC) -- 24 x 7, all countries, all timezones
Email: sac-support@cisco.com
Phone: +1-408-902-4872 (International); 800-225-0905 (US Toll Free); 8-902-4872 (within Cisco)
Live Chat: http://tinyurl.com/sacise
Website: sac.cisco.com (Cisco Internal)
Cisco Support Communities: supportforums.cisco.com
Questions?
Thank you.