Agenda
§  ISE 2.0 - overview
§  Posture / MDM Enhancements
§  UI Update with Work Centers
§  Location / MSE Integration
§  TACACS+ and Device Admin Work Center
§  EAP-TTLS
§  3rd Party NAD Support
§  Easy Wired Access (EWA)
§  Deployment / Operational Enhancements
§  pxGrid, ANC, Fire & ISE
§  ISE Express
§  TrustSec Enhancements & Work Center
§  Q&A
§  BYOD / Certificate Enhancements and the New Portal
Role-Based Secure Access with ISE
Confidential Patient Records (Who: Doctor, What: Laptop, Where: Office)
Internal Employee Intranet (Who: Doctor, What: iPad, Where: Office)
Internet (Who: Guest, What: iPad, Where: Office)
✔  Acquires Important Context & Identity from the Network
✔  Implements Context-Aware Classification & Policy
✔  Provides Differentiated Access to the Network
The Different Ways Customers Use ISE
Guest Access Management
Easily provide visitors secure guest Internet access
BYOD and Enterprise Mobility
Seamlessly classify & securely onboard devices with the right levels of access
Secure Access Control across the Entire Network
Streamline enterprise network access policy over wired, wireless, & VPN
Cisco TrustSec® Software-Defined Segmentation
Simplify Network Segmentation and Enforcement to Contain Network Threats
Context and Policy Architecture
Improve Security Operations with Deeper Visibility and Shared Context through Cisco pxGrid
Goals of the User Interface Update in ISE 2.0
•  ISE 2.0 has begun a transition to a new UI to:
   •  Modernize the UI Technologies for better Browser & Technology Support
   •  Bring the UI into a more homogeneous design pattern
•  The Navigation framework was changed first
   •  Some of the pages remain the same, and just the navigation has changed
   •  Systematically replacing the old pages and “widgets”
•  The re-vamped GUI will be a multi-release process
•  Flash is being phased out. :)
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Example: Revamped the Endpoints Identity Page
Clicking Filters Below
Simplify security management with role-based access
TACACS+ Device Administration Support for ISE 2.0
What’s new for ISE 2.0?
TACACS+ Device Administration
Customers can now use Terminal Access Controller Access Control System Plus (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Role-based access control (diagram): Security Admin Team / TACACS+ Work Center; Network Admin Team / TACACS+ Work Center
Benefits
•  Simplified, centralized device administration: Increase security, compliance, auditing for a full range of administration use cases
•  Flexible, granular control: Control and audit the configuration of network devices
•  Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
•  Role-based access control
•  Flow-based user experience
•  Command level authorization with detailed logs for auditing
•  Dedicated TACACS+ work center for network administrators
•  Support for core ACS5 features
ISE T+ versus ACS T+
Feature | Reason
IPv6 T+ | --
Customizable ports | It’s fixed as 49 in 2.0, customization comes in 2.1
Max Sessions Per Node | Coming in 2.1
Command-Set Import/Export | Coming in 2.1
No Hit Counts & Policy Table Customization | Different UI
Device Admin Service is not Enabled by Default
Device Administration License
Up to Max # of Network Devices
One License. NTE $4500
Requires 1+ Base To Enable ISE Product
Migration Tool
•  Download from the Overview page for Device Administration
New Upgrade (For Your Reference)
Pre-Defined Policy Elements, Rules and Flows
Pre-Configured Default Rules
•  In 1.3 & 1.4 we added some pre-built defaults
•  We continued that mission within 2.0
•  Goal: To speed up time to deployment
   •  The most common things are created FOR the customer/partner/CSE out of the box now
•  Goal: To show customers what is possible
   •  Rules for: BYOD, Guest, MDM
Other Serviceability Enhancements
Test Repository from GUI
Rapid threat containment
With Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
What’s new for ISE 2.0?
Automatically defend against threats with FMC and ISE
Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.
1. Corporate user downloads file
2. FMC scans the user activity and downloaded file
3. FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
Benefits
•  Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
•  Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy
•  Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Capabilities
•  Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
•  Trigger quarantine actions, per policy with Cisco FireSIGHT and ISE integration
•  Admit or deny access to contractor portal
Cisco Rapid Threat Containment Solution: FMC and ISE
Advanced Threat Sensors
§  Cisco ASA with Firepower Services
§  Firepower NGIPS Appliances
§  Cisco AMP for Networks
§  Firepower on Cisco ISR
Threat Visibility: FMC
§  Cisco FireSIGHT Management Center
§  Automated Contextual Analysis and Threat Qualification
§  Continuous Threat Intelligence Updates to Threat Sensors
Automated Enforcement: ISE
§  Cisco FireSIGHT and Cisco ISE Automate Containment
§  Policy Enforcement from Cisco TrustSec, Downloadable ACL, or VLAN
What versions are Required?
ISE: Version 1.3 and later
FMC: 5.4.x supported; 6.0 does not support RTC; 6.1 (summer 2016) will support RTC
Streamline management using a single workspace
With TrustSec’s new user interface
What’s new for ISE 2.0?
TrustSec updated user experience, based on a new work center, allows simplified and streamlined deployment, troubleshooting and monitoring.
Intuitive work center and access policy matrix
TrustSec Work Center: Access policy matrix
Source \ Destination | Internet | Contractor Resources | Employee Resources | HR Server | Remediation
Guest | Permit IP | Deny IP | Deny IP | Deny IP | Permit IP
Contractor | Permit IP | Permit IP | Deny IP | Deny IP | Permit IP
Employee | Permit IP | Permit IP | Permit IP | Deny IP | Permit IP
Infected | Deny IP | Deny IP | Deny IP | Deny IP | Permit IP
Benefits
•  Simplify management with dedicated work centers, allowing you to visualize, comprehend and manage policy in a single place
•  Automate configuration of new SGT policies and authorization rules
•  Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Capabilities
•  New TrustSec administrator console and services
–  TrustSec dashboard
–  Matrix overhaul
–  Automatic SGT creation
–  ISE as SXP speaker / listener
•  Revised UX
–  Improved menu structure for ease of navigation
–  Search capability within the GUI
•  Enhanced reporting
–  PDF print and local save reintroduced
–  Improved filtering for live log and reports
New TrustSec Dashboard & WorkCenter
Improved Matrix, Color Coded + Condensed
Certificate Provisioning Portal
•  In ISE 1.4, added the Certificate provisioning API.
•  Now, in 2.0, we have a customizable portal.
   •  Customize it to look like the guest portals
   •  Configure which templates may be used like you would sponsor groups to a portal page.
•  Signing CSRs
•  Generating Full Key-Pairs
•  Multiple choices for download
Admin UI
CoA-Terminate after Certificate revocation
ISE 1.3/1.4: Device is Using a Cert Issued By ISE
Diagram: ISE Cube (PSN-1, MnT, PSN-2, PAN), NGFW, i-Net, ISE Admin
•  Admin Revokes Certificate
•  Traffic is Still Flowing Until Next Re-Auth
ISE 2.0: Device is Using a Cert Issued By ISE
Diagram: ISE Cube (PSN-1, MnT, PSN-2, PAN), NGFW, i-Net, ISE Admin
1. Admin Revokes Certificate
2. If Cert has Active Session, Send CoA
X (marker added in the final build of the diagram)
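The revocation flow on these slides, as an added example (not from the original deck and not ISE's own code): it assumes CoA-Terminate is carried as a RADIUS Disconnect-Request (RFC 5176), builds one for each active session that uses the revoked certificate, and validates it the way a NAD would. The session table, shared secrets, addresses and the choice of Calling-Station-Id and Acct-Session-Id to identify the session are constructed assumptions.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 packet code
CALLING_STATION_ID = 31   # endpoint MAC address
ACCT_SESSION_ID = 44      # session id known to the NAD

# Constructed sample data: active sessions and per-NAD shared secrets.
SESSIONS = [
    {"cert_serial": "1A2B", "nad": "192.0.2.10", "mac": "00-11-22-33-44-55",
     "session_id": "0A00000B0000001C"},
    {"cert_serial": "3C4D", "nad": "192.0.2.20", "mac": "00-11-22-33-44-66",
     "session_id": "0A00000B0000002D"},
]
SECRETS = {"192.0.2.10": b"constructed-secret-1",
           "192.0.2.20": b"constructed-secret-2"}


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    data = value.encode("ascii")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def build_disconnect(identifier, secret, mac, session_id):
    """Build a Disconnect-Request. The request authenticator is
    MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    attrs = attribute(CALLING_STATION_ID, mac) + attribute(ACCT_SESSION_ID, session_id)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def nad_accepts(packet, secret):
    """NAD-side validation: packet code, length and request authenticator."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def revoke(serial, revoked, sessions, secrets, coa_on_revoke=True):
    """Revoke a certificate serial and return the (nad, packet) pairs to send.

    coa_on_revoke=False models ISE 1.3/1.4 as the slides describe it: the
    serial is revoked, but the session stays up until the next re-auth.
    """
    revoked.add(serial)
    if not coa_on_revoke:
        return []
    active = [s for s in sessions if s["cert_serial"] == serial]
    return [(s["nad"],
             build_disconnect(i % 256, secrets[s["nad"]], s["mac"], s["session_id"]))
            for i, s in enumerate(active)]


if __name__ == "__main__":
    for nad, packet in revoke("1A2B", set(), SESSIONS, SECRETS):
        print(nad, packet.hex(), nad_accepts(packet, SECRETS[nad]))
```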
What is Posture?
Are my Endpoints Compliant with the Company Security Policy?
Posture for all Devices
Desktop Posture vs Mobile Posture
Desktop Posture
•  Desktop Compliance checks for Windows and OS X
•  Variety of Checks ranging from OS, Hotfix, AV / AS, Patch Management and More…
•  ISE can enforce Network Access based on Compliance
Mobile Posture
•  Focused on Mobile Devices Posture ONLY
•  Requires devices to comply with MDM policy
•  PINLock, JailBroken, APP check and More…
•  ISE can enforce Network Access based on MDM Compliance
SOLUTION: ISE + MDM Together
MDM Enhancements
Are My Mobile Endpoints Compliant?
ISE 2.0 Highlights | Description
Better flows for onboarding in Brown Field Environments | Devices are Pre-Enrolled in to MDM before ISE Authentication
Meraki Integration | Enhanced on-boarding experience
Differentiated portal for MDM X | Vendor based logo display on MDM pages
Desktop Posture Enhancements
Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights | Description
File Check Enhancements | Enhanced OS X File Checks, SHA 256, plist on OS X, Windows User directories such as “Desktop” and “User Profile”
OS X Daemon Check | User Agent Check, User based process check
Disk Encryption Check | Checks can be based on Installation, location and Disk Encryption State
Reporting | Report based on Condition name and Condition State
Enhance control with location-based authorization
With the integration of Cisco Mobility Services Engine (MSE)
What’s new for ISE 2.0?
The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorize network access based on user location.
Location-based authorization
Admin defines location hierarchy and grants users specific access rights based on their location.
Diagram: Patient data access locations for a Doctor (Lobby, Patient room, ER, Lab), each marked either “No access to patient data” or “Access to patient data”
Benefits
•  Granular control of network access with location-based authorization for individual users
•  Enhanced policy enforcement with automated location check and reauthorization
•  Simplified management by configuring authorization with ISE management tools
Capabilities
•  Enables configuration of location hierarchy across all location entities
•  Applies MSE location attributes in authorization policy
•  Checks MSE periodically for location changes (5 mins), one way communication from ISE to MSE.
•  Reauthorizes access based on new location (i.e. if the location changes apply COA)
•  Requires a PLUS license in ISE
Location Based Authorization
Authorize user access to the Network based on their location
ISE 2.0: UI to Configure MSE
MSE 8.0: I have Location Data (Campus:Building:Floor:Zone)
TLS Version Support
On a Topic Related to TLS Support…
•  ISE 1.3/1.4 support TLS 1.0 only
•  ISE 2.0 adds support for TLS 1.1 and 1.2
•  ISE 2.0 negotiates TLS 1.2 as the preferred TLS version.
•  Downgrade to TLS 1.0 / 1.1 is still supported during version negotiation between client and ISE for compatibility with legacy clients.
•  The lower versions of the protocol (SSL 3 and below) are not supported.
•  Clients not capable of TLS 1.0 or higher will be rejected.
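One way to see which endpoints still depend on the TLS 1.0 / 1.1 downgrade described above, as an added example that is not part of the original deck: it reads the first record a server returns (a ServerHello or a fatal alert) and classifies the outcome. The client names and records are constructed samples, and it assumes the TLS records have already been extracted from a capture.

```python
import struct

HANDSHAKE, ALERT, SERVER_HELLO = 0x16, 0x15, 0x02
TLS12 = 0x0303
LEGACY = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}


def make_server_hello(version):
    """Constructed sample: minimal ServerHello record (TLS 1.2 and earlier layout)."""
    # server_version, 32-byte random, empty session id, cipher suite, compression
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def make_alert(record_version, description):
    """Constructed sample: fatal alert record (level 2) with the given description."""
    return struct.pack("!BHHBB", ALERT, record_version, 2, 2, description)


def classify(record):
    """Classify the first record the server sends back to a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record payload")
    if content_type == ALERT:
        return "rejected"
    if content_type != HANDSHAKE or length < 6 or payload[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello or alert record")
    # Handshake header is 1 byte type + 3 bytes length; server_version follows.
    (version,) = struct.unpack("!H", payload[4:6])
    if version == TLS12:
        return "TLS 1.2 (preferred)"
    if version in LEGACY:
        return LEGACY[version] + " (legacy downgrade)"
    raise ValueError("server_version 0x%04x is outside the listed range" % version)


# Constructed observations: hypothetical client name -> first server record.
SAMPLE = {
    "laptop-1": make_server_hello(0x0303),
    "printer-3": make_server_hello(0x0301),
    "kiosk-7": make_server_hello(0x0302),
    "scanner-9": make_alert(0x0300, 70),  # 70 = protocol_version alert
}


def legacy_clients(observations):
    """Clients that only reached TLS 1.0 / 1.1 and rely on the downgrade path."""
    return sorted(name for name, record in observations.items()
                  if classify(record).endswith("(legacy downgrade)"))


if __name__ == "__main__":
    for name, record in SAMPLE.items():
        print(name, classify(record))
    print("still on legacy TLS:", legacy_clients(SAMPLE))
```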
EAP-TTLS
What Is It? Why Would I Use It?
•  EAP-TTLS = “Tunneled” TLS
•  Developed by Funk (now Juniper) and Certicom (now RIM)
•  EAP type that uses TLS to securely pass AV pairs such as client credentials (inner identity) over a secure tunnel established using TLS.
•  Supports virtually any EAP type for inner method (inc. clear text) while not exposing client identity.
•  Client authenticates server using TLS. Client auth using certs to secure TLS tunnel optional, so no cert required on client.
•  Most popular usage is EduRoam, but prevalence of PEAP support across broader client platforms has reduced general usage. Specific EduRoam participants may still use EAP-TTLS to authenticate local user base, but support not required by RADIUS proxies.
•  Native support for EAP-TTLS in Windows 8 and ISE will likely result in uptake of its deployment.
•  Whitepaper on PEAP vs EAP-TTLS: http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf
EAP-TTLS
Native Supplicant Support
•  Microsoft
   •  Windows v8+
   •  Microsoft Windows Phone v8.1+
   •  Note: Windows Mobile does not support EAP-TTLS
•  Apple
   •  Mac OS
   •  iOS version 3.1.3+ (default EAP type = MSCHAPv2)
•  Android v2.1 and higher
•  Google Chrome OS (for Chromebooks)
•  Blackberry 6A+
Get the same great security across more devices
With non-Cisco device integration
What’s new for ISE 2.0?
ISE services now available for non-Cisco network access devices
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
ISE 1.0: 802.1x
New with ISE 2.0: Profiling, Posture, Guest, BYOD
Benefits
•  Maximize value: Realize additional value from your existing infrastructure
•  Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
•  Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Compatible device vendors*
Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, Ruckus Wireless, HP Wired
Capabilities
•  Templatized MAB configuration for select non-Cisco vendor devices
•  CoA and URL re-direction to work with ISE
•  Non-Cisco NADs enabled to drive regular 802.1x operations
*For additional information, refer to the Cisco Compatibility Matrix
“Smart” Conditions
Match Flow Conditions for Multiple Vendors in Single Rule!
•  No need to create separate Policy Rule for each vendor’s implementation for MAB, 802.1X, or WebAuth
•  ISE matches request based on NAD profile configuration.
Current Vendor Test Results
Supported / Validated use cases
Vendor | Verified Series | Tested Model / Firmware | CoA | Profiler | Posture | Guest/BYOD
Aruba Wireless | 7000, InstantAP | 7005-US/6.4.1.0 | ✔ | ✔ | ✔ | ✔
Motorola Wireless | RFS 4000 | Wing v5.5 | ✔ | ✔ | ✔ | ✔
HP Wireless | 830 (H3C) | 8P/3507P35 | ✔ | ✔ | ✔ | ✔
HP Wired | HP 5500 HI Switch Series (H3C) | A5500-24G-4SFP HI/5.20.99 | ✔ | ✖ | ✖ | ✖
HP Wired | HP 3800 Switch Series (ProCurve) | 3800-24G-POE-2SFP (J9573A) KA.15.16.000. 6 | ✖ | ✖ | ✖ | ✖
Brocade Wired | ICX 6610 | 24/08.0.20aT7f3 | ✔ | ✔ | ✖ | ✖
Ruckus Wireless | ZD1200 | 9.9.0.0 build 205 | ✔ | ✔ | ✖ | ✖
Requirement | | | ✔ | Requires CoA support | Requires CoA & url-redirect support | Requires CoA & url-redirect support
Additional 3rd party NAD Support:
•  Requires identification of device properties/capabilities and creation of a custom NAD profile in ISE. More detailed guide to be published.
Simplify access management while staying secure
With ISE Easy Wired Access (EWA)
What’s new for ISE 2.0?
The addition of Easy Wired Access (EWA) offers customers enhanced attachment of ISE security to wired ports and deployments.
Diagram labels: Identity mapping; Admin 1; User 1; Enforcement-Mode; Monitor-only mode; ISE; Active Directory Login; Network Login; Publish to pxGrid
Benefits
•  Flexible deployment that doesn’t require a supplicant or PKI, allowing ISE to issue COA for added security
•  Increased visibility into active network sessions authenticated against AD
•  Enhanced control with options for Monitoring-only Mode or Enforcement-Mode
Capabilities
•  Active-session monitoring across both AD and Network log-ins
•  Session maintenance from Wired MAB clients to NADs
•  Directory notification publication via PxGrid
•  Appointment of VLANs, dACLs, SGTs and more for users authorized via EWA
EWA, a secure alternative to whitelisting
•  Basic: with whitelisting
•  Better and flexible: with ISE Easy Wired Access
•  Most secure: with integrated 802.1x, supplicants and certificates
Each option is charted against Security, Access and Complexity.
What’s Easy About EWA?
•  NO Supplicant required to implement this technology!
•  NO PKI/cert requirements!
•  Leverages existing AD logins to provide identity to network connections
•  Visibility mode only needs RADIUS Accounting or Device Sensor on switch
•  Enforcement mode requires only basic MAB config on switch
•  AD lookups and authorization based on AD login identity without RADIUS authentication (802.1X, MAB, etc) so more seamless and transparent to client
•  Simple integration with pxGrid for publishing session info related to Identity Mapping and EWA
•  Seamless integration with TrustSec via ISE SXP for AD-authenticated sessions
What’s Not So Easy About EWA?
•  Configuring AD domain controllers
   •  Each DC that services logins must be configured to allow WMI from ISE
   •  Patches/Registry changes/DCOM updates/FW rules verified
•  Non-Windows/headless endpoints
   •  EWA is for Microsoft AD joined computers, primarily Windows only
   •  EWA identity based on AD User login, not AD Machine login
•  EWA and MAB Authentication are mutually exclusive
Easy Wired Access
Differentiator: Easy Wired Access
Major Technical Outcome: Deploying ISE w/o Configuring Endpoints
Major Business Outcome: Shorter time to PoV; Streamlined Enterprise Rollouts
•  Uses What’s Already There (AD)
•  Full Visibility/Control w/o Touching Endpoints
•  Faster, Simpler Deployments for software-defined segmentation
Diagram labels: Identity Services Engine; Non-intrusive Passive Login, FULL Control (No 802.1X); SXP; User Mappings Derived from AD Logins; Rest of Network; Network Access Devices w/o 802.1X; AD Logins; Microsoft Active Directory Domain Controllers
Cisco ISE Base vs. Cisco ISE Express
 | Cisco ISE Base | Cisco ISE Express
Features/Capabilities? | Guest Access; RADIUS/AAA | Same
High availability | YES | NO
Platform Included with Licensing? | NO: Purchase HW or VM and Licensing | YES: Bundle Includes One (1) ISE VM + 150 Licenses
List Price? | $6,990 US (ISE VM: $5,990 + Base: $1,000, for 200 Licenses) | $2,500 US
Cisco ISE Express
Enterprise Guest for Less
Easy, Affordable Guest Services
Now Available: Entry-Level Bundle for the Market-Leading Cisco ISE
The Offer: One (1) ISE VM (5,000 Active Licensed Endpoints) with ISE Base Licenses for 150 Endpoints* for Single Site Deployment (Non-Distributed, No High-Availability)
The Features: Guest, RADIUS/AAA, Unlimited Custom Portals with ISE Portal Builder; Easy Installation Guide
The Price: $2,500 US
*SKU upgrade planned so the VM can be used for up to 10,000 endpoints and in high availability and distribution.
What’s New
ISE Express Installation Wizard
•  Free, downloadable application
•  Simplifies ISE and wireless controller installation
•  Provisions Hotspot, Self-Registered or Sponsor services
•  Modifies guest portals with logo and colors
•  Go to ISE Cisco Software Download on CCO
Tech updates and Webinar - DK
http://www.cisco.com/web/DK/learn_events/seminarkalender2016.html