ISE – Apronets

Simplified Operations

New Split Update: Upgrading Cisco ISE has never been easier. With the new Split Upgrade feature, customers now have complete control over the upgrade process from the UI, allowing them to upgrade specific ISE nodes in parallel, with multiple iterations, at their convenience without experiencing any downtime. Say goodbye to complex and time-consuming upgrades.

Control Application Restart: Minimize Downtime, Maximize Efficiency. Downtime during certification renewals can be disruptive. Cisco ISE 3.3 introduces Controlled Application Restart, which allows customers to plan the renewals of the ISE administrative certificate, eliminating the need to reboot the entire ISE deployment at once without control. Schedule updates during low network usage periods, ensuring a smoother security update process without impacting operations.

Navigation improvement: ISE admins use the ISE UI in order to perform their job. ISE 3.3 introduces a new and improved navigation, allowing ISE admin to faster perform their tasks, with fewer clicks and without hiding their screen while navigating throughout ISE pages. Each ISE admin can now save the pages he or she is using most frequently on ISE and reduce the time it takes them to access those pages.

IPv6 Support: in addition to the RADIUS, TACACS+, and ISE management over IPv6, customers can now enable additional services over IPv6: the ISE guest portal can now be accessed over IPv6 address and serve guests on the IPv6 network. profiling of IPv6-enabled endpoints and doing posture checks is also available for IPv6-enabled endpoints.

Enhanced Platform Security

TPM Chip: Strengthen Security with the TPM Chip Security is paramount. Cisco ISE 3.3 with SNS-3700 (or virtual machines supporting VTPM) introduces the TPM Chip, a dedicated and secure storage location for sensitive information. With true random number generation for key generation, the TPM Chip enhances the security of stored data, providing you with peace of mind.

ISE Cipher Control: By allowing ISE admins to disable unwanted and weak ciphers manually, ISE 3.3 helps customers to meet compliance and regulations without the need to wait for the next release or a patch.

TLS 1.3 for ISE admins: ISE admins can now connect to ISE UI over TLS 1.3. TLS 1.3 provides enhanced security and improved performance by reducing latency and eliminating outdated cryptographic algorithms, ensuring stronger encryption and more efficient communication between clients and servers.

Certificate-Based Authentication for API calls: ISE 3.3 supports Certificate-based authentication for API calls. Certificate-based authentication offers stronger security by eliminating the vulnerabilities associated with traditional username and password authentication methods. It provides robust protection against credential theft, unauthorized access, and phishing attacks, ensuring a higher level of trust and authentication for users accessing sensitive systems or resources.

Visibility and Compliance

AI/ML based Profiling: Effortlessly Identify Unknown Endpoints with AI/ML Profiling Unidentified endpoints on the network can be a challenge. Cisco ISE 3.3 employs AI/ML Profiling and multi-factor classification (MFC) to swiftly identify clusters of similar unknown endpoints. This cloud-based ML engine helps customers categorize these devices accurately, making it easier to determine their nature and apply appropriate policies.

Unlock Valuable Insights with Wi-Fi Edge Analytics

Our exclusive Wi-Fi Edge Analytics feature enables customers, who use the Cisco Catalyst 9800 wireless controllers, to exchange data between ISE 3.3 and the controller and get profiling information from Apple, Intel, and Samsung devices, enhancing endpoint profiling.

This information includes endpoint-specific attributes such as model, operating system version, and firmware.

Multi Factor Classification: ISE 3.3 introduces a new way to profile endpoints on the network. The profile is no longer a descriptive string of the endpoint. Instead of that ISE uses MFC – Multi Factor Classification which breaks the profile into 4 categories: Manufacturer, Device Type, Model and OS. This allows our customers to build more granular policies, based on the different MFCs.

Posture for ARM based Windows: for customers who move to computers based on ARM processor, ISE 3.3 can now perform posture checks in order to check compliance status before letting those endpoints access to the network.

Cloud Availability

ISE 3.3 is going to be available on all the supported platforms: AWS, Azure, and Oracle Cloud. Release dates depend on the different cloud vendors:

ISE 3.3 on Azure – Already available

ISE 3.3 on OCI – Already Available

ISE 3.3 on AWS – Already Available

ISE 3.3 Resources:

ISE 3.3 download page

ISE 3.3 release notes

Below is the prep work for migrating from ISE2.4 to ISE3.1+ for AWS, and the migration steps are here, but I have summarize them below.

Cisco ISE is available as an infrastructure-as-code solution leveraging AWS CloudFormation making the deployment of ISE a very light lift. I’ll be walking you through how to deploy ISE on AWS in a later post.

Step 1 – Base, Plus, Apex, and Device Admin licenses need to be migrated to Smart Licenses
Step 2 – VM licenses need to be converted
Step 3 – Migration can occur. Once licenses are prepped and converted, you go to the AWS Marketplace ISE BYOL listing and choose your deployment size.

Cisco ISE on AWS Marketplace

ISE Licensing

AWS ISE requires ISE 3.1+
1. If upgrading to 3.1 from an existing 2.X release, it is required that a customer migrate their existing licenses to the new licenses and then upgrade to the 3.0 release. I.e. These are the Base, Plus, and Apex license that need to be upgraded. Device Admin licenses are grandfathered and need to be upgraded to a Smart License as well.
This requires a Cisco Smart License Account.
Please refer to the Migration Guide for instructions.

ISE VM – You need to register the VM Common license for ISE 3.1 and later.

Customers need to migrate their ISE License to the new “Common License.”
1. To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade Product ID (PID), “L-ISE-VMC-UPG=, from Cisco. This is the same PID regardless of what current size of VM license you have today.
2. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-migration-guide-og.html

2. To obtain a VM Common License for a net new deployment you’ll need the new VM PID, “R-ISE-VMC-K9=” Refer to the table below for a 1:1 mapping.

These VM licenses are valid in Cisco ISE 3.0 and earlier releases. Again, when you upgrade your Cisco ISE to Release 3.1, you will need to have VM Common license.

Upgrade From	Upgrade To	Ratio
R-ISE-VML-K9=	R-ISE-VMC-K9=	1:1
R-ISE-VMM-K9=	R-ISE-VMC-K9=	1:1
R-ISE-VMS-K9=	R-ISE-VMC-K9=	1:1

How to migrate license

To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade PID, “L-ISE-VMC-UPG=,” in CCW. See ISE Licensing Migration Guide for the detailed process.

Support for VM and License

Q. What support do customers receive with the new ISE licenses?

A. The same as with current subscription licenses. With the new ISE software licenses, customers receive embedded SWSS—which covers 24x7x365 Cisco Technical Assistance Center (TAC) support and software updates. However, now Essentials will also have this support.

More Question and Answers here

Support associated with the legacy VM licenses

When customers upgrade the version of their legacy VM to VM Common license, they can continue to receive support based on the support contract purchased on legacy VM license PID. They can renew the support until the legacy VM license PID is EOL and reaches the last service renewal date per the EOL bulletin. There is no support for migration. For seamless support, the customer should request the legacy VM PID to be replaced with the desired VM PID in order to renew and receive support.

Mike