Agenda
§ ISE 2.0 - overview
§ Posture / MDM Enhancements
§ UI Update with Work Centers
§ Location / MSE Integration
§ TACACS+ and Device Admin Work Center
§ EAP-TTLS
§ 3rd Party NAD Support
§ Easy Wired Access (EWA)
§ Deployment / Operational Enhancements
§ pxGrid, ANC, Fire & ISE
§ ISE Express
§ TrustSec Enhancements & Work Center
§ Q&A
§ BYOD / Certificate Enhancements and the New Portal

Role-Based Secure Access with ISE
• Confidential Patient Records: Who: Doctor; What: Laptop; Where: Office
• Internal Employee Intranet: Who: Doctor; What: iPad; Where: Office
• Internet: Who: Guest; What: iPad; Where: Office
✔ Acquires Important Context & Identity from the Network
✔ Implements Context-Aware Classification & Policy
✔ Provides Differentiated Access to the Network

The Different Ways Customers Use ISE
• Guest Access Management: Easily provide visitors secure guest Internet access
• BYOD and Enterprise Mobility: Seamlessly classify & securely onboard devices with the right levels of access
• Secure Access Control across the Entire Network: Streamline enterprise network access policy over wired, wireless, & VPN
• Cisco TrustSec® Software-Defined Segmentation: Simplify Network Segmentation and Enforcement to Contain Network Threats
• Context and Policy Architecture: Improve Security Operations with Deeper Visibility and Shared Context through Cisco pxGrid

Goals of the User Interface Update in ISE 2.0
• ISE 2.0 has begun a transition to a new UI to:
  • Modernize the UI Technologies for better Browser & Technology Support
  • Bring the UI into a more homogeneous design pattern
• The Navigation framework was changed first
• Some of the pages remain the same, and just the navigation has changed
• Systematically replacing the old pages and “widgets”
• The re-vamped GUI will be a multi-release process
• Flash is being phased out. :)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Example: Revamped the Endpoints Identity Page
Clicking Filters Below

Simplify security management with role-based access
TACACS+ Device Administration Support for ISE 2.0

What’s new for ISE 2.0? TACACS+ Device Administration
Customers can now use Terminal Access Controller Access Control System Plus (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

[Diagram: Role-based access control. Security Admin Team and Network Admin Team, each using the TACACS+ Work Center]

Benefits
• Simplified, centralized device administration: Increase security, compliance, auditing for a full range of administration use cases
• Flexible, granular control: Control and audit the configuration of network devices
• Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center

Capabilities
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ workcenter for network administrators
• Support for core ACS5 features
ISE T+ versus ACS T+
Feature | Reason
IPv6 | --
T+ Customizable ports | It’s fixed as 49 in 2.0, customization comes in 2.1
Max Sessions Per Node | Coming in 2.1
Command-Set Import/Export | Coming in 2.1
No Hit Counts & Policy Table Different UI Customization

Device Admin Service is not Enabled by Default

Device Administration License
• Up to Max # of Network Devices
• One License. NTE $4500
• Requires 1+ Base To Enable ISE Product

Migration Tool
• Download from the Overview page for Device Administration

New Upgrade (For Your Reference)

Pre-Defined Policy Elements, Rules and Flows
Pre-Configured Default Rules
• In 1.3 & 1.4 we added some pre-built defaults
• We continued that mission within 2.0
• Goal: To speed up time to deployment
• The most common things are created FOR the customer/partner/CSE out of the box now
• Goal: To show customers what is possible
• Rules for: BYOD, Guest, MDM

Other Serviceability Enhancements

Test Repository from GUI

Rapid threat containment
With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)

What’s new for ISE 2.0? Automatically defend against threats with FMC and ISE
Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.

Flow
• Corporate user downloads file
• FMC scans the user activity and downloaded file
• FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
• Based on the new tag, ISE automatically enforces policy on the network
• Device is contained for remediation or mitigation—access is denied per security policy

Benefits
• Detect threats early: FireSight scans activity and publishes events to pxGrid
• Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions, per policy with Cisco FireSight and ISE integration
• Admit or deny access to contractor portal

Cisco Rapid Threat Containment Solution: FMC and ISE
Advanced Threat Sensors
§ Cisco ASA with Firepower Services
§ Firepower NGIPS Appliances
§ Cisco AMP for Networks
§ Firepower on Cisco ISR
Threat Visibility: FMC
§ Cisco FireSIGHT Management Center
§ Automated Contextual Analysis and Threat Qualification
§ Continuous Threat Intelligence Updates to Threat Sensors
Automated Enforcement: ISE
§ Cisco FireSIGHT and Cisco ISE Automate Containment
§ Policy Enforcement from Cisco TrustSec, Downloadable ACL, or VLAN

What versions are Required?
Product | Version
ISE | 1.3 and later
FMC | 5.4.x supported; 6.0 does not support RTC; 6.1 (summer 2016) will support RTC
Streamline management using a single workspace
With TrustSec’s new user interface

What’s new for ISE 2.0?
TrustSec updated user experience, based on a new work center, allows simplified and streamlined deployment, troubleshooting and monitoring.

Intuitive work center and access policy matrix
TrustSec Work Center: Access policy matrix
Source \ Destination | Internet | Contractor Resources | Employee Resources | HR Server | Remediation
Guest | Permit IP | Deny IP | Deny IP | Deny IP | Permit IP
Contractor | Permit IP | Permit IP | Deny IP | Deny IP | Permit IP
Employee | Permit IP | Permit IP | Permit IP | Deny IP | Permit IP
Infected | Deny IP | Deny IP | Deny IP | Deny IP | Permit IP

Benefits
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Automate configuration of new SGT policies and authorization rules
• Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation

Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker / listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports

New TrustSec Dashboard & WorkCenter
Improved Matrix, Color Coded + Condensed

Certificate Provisioning Portal
• In ISE 1.4, added the Certificate provisioning API.
• Now, in 2.0 – we have a customizable portal.
  • Customize it to look like the guest portals
  • Configure which templates may be used like you would sponsor groups to a portal page.
• Signing CSRs
• Generating Full Key-Pairs
• Multiple choices for download

Admin UI

CoA-Terminate after Certificate revocation

ISE 1.3/1.4
• Device is Using a Cert Issued By ISE
• Admin Revokes Certificate
• Traffic is Still Flowing Until Next Re-Auth
[Diagram: ISE Cube (PSN-1, PSN-2, MnT, PAN), NGFW, i-Net, ISE Admin]

ISE 2.0
• Device is Using a Cert Issued By ISE
1. Admin Revokes Certificate
2. If Cert has Active Session, Send CoA
[Diagram: ISE Cube (PSN-1, PSN-2, MnT, PAN), NGFW, i-Net, ISE Admin; the diagram is repeated on a second slide with an X marked after step 2]
What is Posture?
Are my Endpoints Compliant with the Company Security Policy?

Posture for all Devices: Desktop Posture vs Mobile Posture
Desktop Posture
• Desktop Compliance checks for Windows and OS X
• Variety of Checks ranging from OS, Hotfix, AV / AS, Patch Management and More…
• ISE can enforce Network Access based on Compliance
Mobile Posture
• Focused on Mobile Devices Posture ONLY
• Requires devices to comply with MDM policy
• PINLock, JailBroken, APP check and More…
• ISE can enforce Network Access based on MDM Compliance
SOLUTION: ISE + MDM Together

MDM Enhancements: Are My Mobile Endpoints Compliant?
ISE 2.0 Highlights / Description
• Better flows for onboarding in Brown Field Environments
• Devices are Pre-Enrolled in to MDM before ISE Authentication
• Meraki Integration
• Enhanced on-boarding experience
• Differentiated portal for MDM
• Vendor based logo display on MDM pages

Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights | Description
File Check Enhancements | Enhanced OS X File Checks, SHA 256, plist on OS X, Windows User directories such as “Desktop” and “User Profile”
OS X Daemon Check | User Agent Check, User based process check
Disk Encryption Check | Checks can be based on Installation, location and Disk Encryption State
Reporting | Report based on Condition name and Condition State

Enhance control with location-based authorization
With the integration of Cisco Mobility Services Engine (MSE)

What’s new for ISE 2.0?
The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorize network access based on user location.

Location-based authorization
Admin defines location hierarchy and grants users specific access rights based on their location.
[Figure: Patient data access locations. A doctor has access to patient data in some locations and no access in others; locations shown are Lobby, Patient room, ER and Lab]

Benefits
• Granular control of network access with location-based authorization for individual users
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools

Capabilities
• Enables configuration of location hierarchy across all location entities
• Applies MSE location attributes in authorization policy
• Checks MSE periodically for location changes (5 mins), one way communication from ISE to MSE.
• Reauthorizes access based on new location (i.e. if the location changes apply COA)
• Requires a PLUS license in ISE

Location Based Authorization
Authorize user access to the Network based on their location
[Diagram: ISE 2.0 (UI to Configure MSE) and MSE 8.0 (“I have Location Data”); location format Campus:Building:Floor:Zone]

TLS Version Support
On a Topic Related to TLS Support…
• ISE 1.3/1.4 support TLS 1.0 Only
• ISE 2.0 adds support for TLS 1.1 and 1.2
• ISE 2.0 negotiates TLS 1.2 as preferred TLS version.
• Downgrade to TLS 1.0 / 1.1 is still supported during version negotiation between client and ISE for compatibility with legacy clients.
• The lower versions of the protocol (SSL 3 and below) are not supported.
• Clients not capable of TLS 1.0 or higher will be rejected.

EAP-TTLS
What Is It? Why Would I Use It?
• EAP-TTLS = “Tunneled” TLS
• Developed by Funk (now Juniper) and Certicom (now RIM)
• EAP type that uses TLS to securely pass AV pairs such as client credentials (inner identity) over a secure tunnel established using TLS.
• Supports virtually any EAP type for inner method (inc. clear text) while not exposing client identity.
• Client authenticates server using TLS. Client auth using certs to secure TLS tunnel optional, so no cert required on client.
• Most popular usage is EduRoam, but prevalence of PEAP support across broader client platforms has reduced general usage. Specific EduRoam participants may still use EAP-TTLS to authenticate local user base, but support not required by RADIUS proxies.
• Native support for EAP-TTLS in Windows 8 and ISE will likely result in uptake of its deployment.
• Whitepaper on PEAP vs EAP-TTLS: http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf

EAP-TTLS Native Supplicant Support
• Microsoft
  • Windows v8+
  • Microsoft Windows Phone v8.1+
  • Note: Windows Mobile does not support EAP-TTLS
• Apple
  • Mac OS
  • iOS version 3.1.3+ (default EAP type = MSCHAPv2)
• Android v2.1 and higher
• Google Chrome OS (for Chromebooks)
• Blackberry 6A+

Get the same great security across more devices
With non-Cisco device integration

What’s new for ISE 2.0? ISE services now available for non-Cisco network access devices
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits
• Maximize value: Realize additional value from your existing infrastructure
• Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access

ISE 1.0: 802.1x
New with ISE 2.0: Profiling, Posture, Guest, BYOD

Compatible device vendors*
• Aruba Wireless
• HP Wireless
• Motorola Wireless
• Brocade Wired
• Ruckus Wireless
• HP Wired
*For additional information, refer to the Cisco Compatibility Matrix

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL re-direction to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1x operations

“Smart” Conditions
Match Flow Conditions for Multiple Vendors in Single Rule
• No need to create separate Policy Rule for each vendor’s implementation for MAB, 802.1X, or WebAuth
• ISE matches request based on NAD profile configuration.

Current Vendor Test Results
Supported / Validated use cases
Vendor | Verified Series | Tested Model / Firmware | CoA | Profiler | Posture | Guest / BYOD
Aruba Wireless | 7000, InstantAP | 7005-US/6.4.1.0 | ✔ | ✔ | ✔ | ✔
Motorola Wireless | RFS 4000 | Wing v5.5 | ✔ | ✔ | ✔ | ✔
HP Wireless | 830 (H3C) | 8P/3507P35 | ✔ | ✔ | ✔ | ✔
HP Wired | HP 5500 HI Switch Series (H3C) | A5500-24G-4SFP HI/ 5.20.99 | ✔ | ✖ | ✖ | ✖
HP Wired | HP 3800 Switch Series (ProCurve) | 3800-24G-POE-2SFP (J9573A) KA.15.16.000. 6 | ✖ | ✖ | ✖ | ✖
Brocade Wired | ICX 6610 | 24/08.0.20aT7f3 | ✔ | ✔ | ✖ | ✖
Ruckus Wireless | ZD1200 | 9.9.0.0 build 205 | ✔ | ✔ | ✖ | ✖
Use-case requirements: Profiler requires CoA support; Posture requires CoA & urlredirect support; Guest / BYOD requires CoA & urlredirect support.

Additional 3rd party NAD Support:
• Requires identification of device properties/capabilities and creation of a custom NAD profile in ISE. More detailed guide to be published.
Simplify access management while staying secure
With ISE Easy Wired Access (EWA)

What’s new for ISE 2.0?
The addition of Easy Wired Access (EWA) offers customers enhanced attachment of ISE security to wired ports and deployments.

Benefits
• Flexible deployment that doesn’t require a supplicant or PKI, allowing ISE to issue COA for added security
• Increased visibility into active network sessions authenticated against AD
• Enhanced control with options for Monitoring-only Mode or Enforcement-Mode

Capabilities
• Active-session monitoring across both AD and Network log-ins
• Session maintenance from Wired MAB clients to NADs
• Directory notification publication via PxGrid
• Appointment of VLANs, dACLs, SGTs and more for users authorized via EWA

[Diagram: Identity mapping. Admin 1 and User 1; Active Directory Login and Network Login; ISE; Enforcement-Mode and Monitor-only mode; Publish to pxGrid]

EWA, a secure alternative to whitelisting
• Basic with whitelisting
• Better and flexible with ISE Easy Wired Access
• Most secure with integrated 802.1x, supplicants and certificates
[Figure: each option is rated on Security, Access and Complexity]

What’s Easy About EWA?
• NO Supplicant required to implement this technology!
• NO PKI/cert requirements!
• Leverages existing AD logins to provide identity to network connections
• Visibility mode only needs RADIUS Accounting or Device Sensor on switch
• Enforcement mode requires only basic MAB config on switch
• AD lookups and authorization based on AD login identity without RADIUS authentication (802.1X, MAB, etc) so more seamless and transparent to client
• Simple integration with pxGrid for publishing session info related to Identity Mapping and EWA
• Seamless integration with TrustSec via ISE SXP for AD-authenticated sessions

What’s Not So Easy About EWA?
• Configuring AD domain controllers
  • Each DC that services logins must be configured to allow WMI from ISE
  • Patches/Registry changes/DCOM updates/FW rules verified
• Non-Windows/headless endpoints
  • EWA is for Microsoft AD joined computers – primarily Windows only
• EWA identity based on AD User login, not AD Machine login
• EWA and MAB Authentication are mutually exclusive

Easy Wired Access
Differentiator / Major Technical Outcome / Major Business Outcome
• Easy Wired Access
• Deploying ISE w/o Configuring Endpoints
• Shorter time to PoV
• Streamlined Enterprise Rollouts
• Non-intrusive
• Passive Login, FULL Control (No 802.1X)
• SXP User Mappings Derived from AD Logins
• Uses What’s Already There (AD)
• Full Visibility/Control w/o Touching Endpoints
• Faster, Simpler Deployments for software-defined segmentation
[Diagram: Identity Services Engine; Rest of Network; Network Access Devices w/o 802.1X; AD Logins; Microsoft Active Directory Domain Controllers]
Cisco ISE Base vs. Cisco ISE Express
 | Cisco ISE Base | Cisco ISE Express
Features/Capabilities? | Guest Access; RADIUS/AAA | Same
High availability | YES | NO
Platform Included with Licensing? | NO—Purchase HW or VM and Licensing | YES—Bundle Includes One (1) ISE VM + 150 Licenses
List Price? | $6,990 US (ISE VM: $5,990 + Base: $1,000, for 200 Licenses) | $2,500 US

Cisco ISE Express
Enterprise Guest for Less: Easy, Affordable Guest Services
Now Available: Entry-Level Bundle for the Market-Leading Cisco ISE
• The Offer: One (1) ISE VM (5,000 Active Licensed Endpoints) with ISE Base Licenses for 150 Endpoints* for Single Site Deployment (Non-Distributed, No High-Availability)
• The Features: Guest, RADIUS/AAA, Unlimited Custom Portals with ISE Portal Builder; Easy Installation Guide
• The Price: $2,500 US
*SKU upgrade planned so the VM can be used for up to 10,000 endpoints and in high availability and distribution.

What’s New: ISE Express Installation Wizard
• Free, downloadable application
• Simplifies ISE and wireless controller installation
• Provisions Hotspot, Self-Registered or Sponsor services
• Modifies guest portals with logo and colors
• Go to ISE Cisco Software Download on CCO
Tech updates and Webinar - DK
http://www.cisco.com/web/DK/learn_events/seminarkalender2016.html