154-ise 1 3 whats new v3 cmh partners
DESCRIPTION
News about Cisco ISE version 1.3
TRANSCRIPT
-
Cisco ISE 1.3 What's New Preview
Christopher Heffner, CCIE #8211 SAMPG Technical Marketing Engineer
August 14, 2014
-
Cisco Confidential 2 2013-2014 Cisco and/or its affiliates. All rights reserved.
Forward-Looking Statements
Many of the products and features described herein remain in varying stages of development and will be
offered on a when-and-if-available basis.
This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for
delay in the delivery or failure to deliver any of the products or features set forth in this document.
-
How
What
Who
Where
When
Delivering the Visibility and Control for Secure Network Access
Network
Partner Context Data
Consistent Secure Access Policy
Cisco ISE
Cisco ISE is the Market Leader
-
Cisco ISE is Core to Cisco Security
ISE Provides Visibility, Context, and Control Across the Entire Continuum
BEFORE Control Enforce Harden
DURING AFTER Detect Block
Defend
Scope Contain
Remediate
Attack Continuum
Firewall
NGFW
NAC + Identity Services
VPN
UTM
NGIPS
Web + Email Security
Advanced Malware Protection
Network Behavior Analysis
pxGrid + ISE Ecosystem
-
Single Plane of Glass Management with Cisco Prime
ONE MANAGEMENT
ISE Provides ONE Policy for Unified Access
ONE NETWORK
Simplified, Unified Policy Management
with Cisco ISE
ONE POLICY
CISCO UNIFIED ACCESS
Integrated Wired and Wireless
in ONE Physical Infrastructure,
with ONE Operating System & Open APIs
-
Why Cisco ISE?
Visibility Driven Accurately Identify and Assess Network Users & Devices
Access Control Grant/Limit access to align with appropriate business policy
Threat Focused Minimize the spread of network threats & the impact of data breaches
Cisco ISE Provides Comprehensive, Unified Policy Management and Enforcement to Ensure Secure Wired, Wireless, and VPN Access
-
The Different Ways Customers Use ISE
Guest Access Management Easily provide guests limited-time, limited-resource Internet access
BYOD and Enterprise Mobility Seamlessly & securely onboard devices with the right levels of access
Secure Access across the Entire Network Simplify & unify enterprise network access policy across wired, wireless, & VPN
With Cisco TrustSec Identity-aware Network Segmentation and Access Policy Enforcement
-
ISE 1.3 Priorities
User Experience Simplified Integration
Context and Speed
All New Guest Experience Introducing Admin Work Centers BYOD & Certificate Management Made Easy
Multi-Forest Active Directory
Streamlined VPN
AnyConnect Unified Agent
Streamlined Threat Defense
Streamlined Operation with new REST APIs
Serviceability Enhancements
-
User Experience
All New Guest Experience Introducing Admin Work Centers BYOD & Certificate Management Made Easy
-
STREAMLINED PERSONAL DEVICE PORTAL: Gives end-users control over managing all of their devices from just one easy-to-use self-service portal
IMPROVED DEVICE RECOGNITION: Superior, market-leading profiling technology and feed service reduces unknown devices to less than 1%
BRANDED EXPERIENCES: For guests, employees, and administrators across your pages, including banners and advertising
OUT-OF-THE-BOX ONBOARDING: Accelerates user productivity through simplified device onboarding and easy, self-service device management
Simplifying Enterprise Mobility with ISE 1.3 Reducing the Complexity of Managing BYOD and Device Onboarding
Desktop & Mobile Ready!
-
Basic Supported Guest Flows
1. Hotspot
2. Self Service
3. Self Service Sponsor Approved
4. Sponsored
-
Hotspot Guest Flow #1
Goal: Get them on the Internet with AUP acceptance, no matter who they are, and remember who they are next time so you don't get in their way.
44:6D:77:B4:FD:01
I Agree
Acceptable Use Policy: I promise to be good.
Day Ends
44:6D:77:B4:FD:01
-
Acceptable Use Policy
The primary purpose of a website disclaimer is to limit or attempt to limit the liabilities that a website owner or publisher may suffer arising out of the website. Examples of the kinds of liability that we publishers must contend with include libel/defamation, copyright infringement and breach of privacy. Most legal systems strictly control the effects of limitations and exclusions of liability. For this reason you should take local legal advice if you believe you may have to rely upon the limits of liability in our free website disclaimer document.
AUP
-
Secret Code Controls Access to Guest Wi-Fi
Secret code: chemist
chemist
Registration code: require the user to enter a code before completing a self-service registration.
Access code: require the user to enter a code before accessing a hotspot or logging in using guest credentials.
-
Hotspot Example Portal
-
Fill In A Simple Form, Check Your Email, Connect to Wi-Fi
hansolo nerfherder
Self Service with Email Verification Guest Flow #2
-
Self Service with SMS Guest Flow #2
Goal: Get them on the Internet as long as you have a 3rd party identifier that proves who the user is.
optional
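The hotspot flow (#1) and the self-service flow (#2) above describe a small state machine: an optional access code, AUP acceptance that is remembered per MAC until the day ends, and a registration code plus email/SMS proof before a self-service account becomes usable. The following Python is an added example modelling that behaviour; it is not Cisco code, and the verification token is an assumption about how the "check your email" step is implemented. The MAC and the code value "chemist" come from the slides; everything else is constructed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, Optional, Tuple

# Constructed model of the guest portal settings on these slides (not Cisco
# code). The email/SMS verification token is an assumption made for the example.


@dataclass
class GuestPortal:
    access_code: Optional[str] = None        # "Access code" portal setting
    registration_code: Optional[str] = None  # "Registration code" portal setting
    remembered: Dict[str, date] = field(default_factory=dict)              # MAC -> day the AUP was accepted
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)      # token -> (username, email)
    accounts: Dict[str, str] = field(default_factory=dict)                 # active username -> email

    def hotspot(self, mac: str, now: datetime, agreed: bool = False,
                code: Optional[str] = None) -> str:
        """Hotspot flow #1: return the portal decision for one request."""
        accepted_on = self.remembered.get(mac)
        if accepted_on == now.date():
            return "internet"                # remembered device: no prompt today
        if accepted_on is not None:
            del self.remembered[mac]         # day ended: forget the device
        if self.access_code is not None and code != self.access_code:
            return "access code required"
        if not agreed:
            return "show AUP"                # the AUP must be accepted first
        self.remembered[mac] = now.date()    # remember for the rest of the day
        return "internet"

    def self_register(self, username: str, email: str,
                      code: Optional[str] = None) -> Optional[str]:
        """Self-service flow #2, step 1 (the simple form). Returns the
        verification token that would be sent by email/SMS, or None if refused."""
        if self.registration_code is not None and code != self.registration_code:
            return None
        if username in self.accounts or any(u == username for u, _ in self.pending.values()):
            return None                      # duplicate username
        token = secrets.token_urlsafe(16)    # unguessable and single use
        self.pending[token] = (username, email)
        return token

    def verify(self, token: str) -> Optional[str]:
        """Step 2: the guest presents the token from the email/SMS. Activates the
        account and returns the username; None for an unknown or used token."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None
        username, email = entry
        self.accounts[username] = email
        return username


if __name__ == "__main__":
    portal = GuestPortal(access_code="chemist")
    mac = "44:6D:77:B4:FD:01"
    morning = datetime(2014, 8, 14, 9, 0)
    print(portal.hotspot(mac, morning))                                  # access code required
    print(portal.hotspot(mac, morning, agreed=True, code="chemist"))     # internet
    print(portal.hotspot(mac, datetime(2014, 8, 15, 8, 0)))              # access code required (day ended)
```

The point worth checking in a real deployment is the second branch of `hotspot`: the device is only remembered for the day it accepted the AUP, so the next-day prompt is expected behaviour rather than a fault.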
-
Self Registration with Sponsored Approval Guest Flow #3
Approved! credentials
username: trex42 password: littlearms
Visiting email?
ISE sends email requesting approval
Logs into Sponsor Portal and approves or rejects
-
Approving Self Registration Requests
DESKTOP Mobile
-
Sponsored Flow Guest Flow #4
Hi! Can I get on your Wi-Fi?
Sure. I just need a little information.
Print, email & SMS credentials.
Cool!
-
Create a Guest Account Sponsor Desktop
-
Create a Guest Account Sponsor Desktop Once the sponsor clicks Create the account is created! They are then presented with the guest info and have the option to notify the guest. The sponsor can then click Notify and choose to deliver credentials via branded printout, email, and/or SMS.
-
Pre-Expiration Notification
You are about to expire! Go here. http://bit.ly/reup
DESKTOP Mobile
-
A Guest Button With our new navigation, getting to the Guest admin has never been easier.
Prepackaged Flows Ships with the default flows used by 90% of our customers: Hotspot, Self-Service (with or without approval), & Sponsored.
One Stop Setup Once you're there, all the pieces you need are accessed in one place.
The All New Guest Administration
-
Guest Flow Settings Made Easy
End User Visibility Ever wonder how changing a setting will affect your guests? ISE makes the end user experience crystal clear as it updates the guest flow diagram in real time with each settings change.
Admin Friendly Through extensive user research we've made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.
-
Simple Customization of Guest Pages
Themes! Themes give you complete control over the look and feel of your guest pages. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.
Live Preview See your pages as the guests will see them as you customize.
Full Page Control Use our defaults or customize every field in multiple languages.
-
Sponsoring Guests - Made Easy for Employees
Branding with Themes! Themes give you complete control over the look and feel of your sponsor Portal.
Mobile Sponsors You are free to move about the cabin! Create a guest account on the fly from your smartphone / tablet away from your desk.
Streamlined Guest Creation Set up your sponsor portal to show only the fields you need for your business.
Create Accounts Create Accounts
Print Email SMS
-
Where can I send Guests after the connect?
Custom ISE Success Page
Page they tried to reach.
Example: google.com
Predefined URL such as the
company page.
-
What happens when a Guest exceeds their device limit?
-
Walk Through BYOD Onboarding
Out of the box flow walks users through onboarding.
Fully customizable user experience with Themes.
My Devices gives end users control to add and manage their devices.
Mobile and desktop ready out of the box.
-
Java-Less Provisioning
-
Downloads as DMG Double-Click to Run
App
Java-Less Provisioning
-
ISE 1.3: Internal Certificate Authority
Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure.
The ISE Certificate Authority is designed to work in concert as a self contained solution or with your existing Enterprise PKI to simplify BYOD deployments.
Single Management Console Manage endpoints and their certs. Delete an endpoint ISE deletes the cert.
Simplified deployment Supports stand alone and subordinate deployments. Removes corporate PKI team from every BYOD interaction.
Simplifying certificate management for BYOD devices
*Designed for BYOD and MDM use-cases only, not a general purpose CA
Optional Enterprise Root
Self Contained or Optional Subordinate
Cisco ISE Certificate Authority
-
Simplified Integration
Multi-Forest Active Directory
Streamlined VPN
AnyConnect Unified Agent
-
Multi-Forest Active Directory Support
Support for 50 concurrent Active Directory join points
No need for a two-way trust relationship between domains
Advanced algorithms for dealing with identical usernames.
ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises.
example-1.com
example-2.com
example-n.com
ISE
-
Cisco ISE Posture Agents
Cisco NAC Agent Cisco AnyConnect 4.0
-
An ISE posture AnyConnect module Windows and OS X support
Integration with the AC end-user experience (single posture tile for ISE and ASA posture) Further strengthened by ISE 1.3 Posture Lease functionality
AC deployment from ISE Including an AC ISE posture module profile editor
Coexistence with NAC Agent for ease of migration This will help existing ISE and NAC Appliance customers
Monthly compliance module updates Same as today with the NAC Agent
AnyConnect 4.0 ISE Posture
-
Context and Speed
Streamlined Threat Defense
Streamlined Operation with new REST APIs
Serviceability Enhancements
-
Integrating One System to One Other System
I have NBAR info! I need identity
I have firewall logs! I need identity
I have sec events! I need reputation
I have NetFlow! I need entitlement
I have reputation info! I need threat data
I have MDM info! I need location
I have app inventory info! I need posture
I have identity & device-type! I need app inventory & vulnerability
I have application info! I need location & auth-group
I have threat data! I need reputation
I have location! I need identity
SIO
Proprietary APIs aren't the solution. We need to share data.
TRADITIONAL APIs: One Integration at a Time
Single-purpose function = need for many APIs/dev (and lots of testing)
Not configurable = too much/little info for interface systems (scale issues)
Pre-defined data exchange = wait until next release if you need a change
Polling architecture = can't scale beyond 1 or 2 system integrations
Security can be loose
-
Enabling the Potential of Network-Wide Context Sharing
INFRASTRUCTURE FOR A ROBUST ECOSYSTEM Single framework: develop once, instead of multiple APIs
Customize and secure what context gets shared and with which platforms
Bi-directional share and consume context
Enables any pxGrid partner to share with any other pxGrid partner
Integrating with Cisco ONE SDN for broad network control functions
SIO
Single, Scalable Framework
Direct, Secured Interfaces
pxGrid Context Sharing
-
Faster Remediation of Threats with SIEM
Extension of Access Policy & Compliance with MDM
Endpoint Vulnerability Remediation
Context-driven OT Policy and Segmentation for IoT
Simplified Network Troubleshooting and Forensics
SSO Secure Access to Sensitive Data on Mobile Devices
The Next Wave of Cisco pxGrid Partnerships Sharing Context with an Even Broader Ecosystem
-
SIEM/Threat Defense Integration Using pxGrid: With NetIQ and/or Lancope
Use Case: Identity and device aware threat management. Increase confidence around event severity levels in SIEMs and TD consoles; make events actionable in the network. SIEM/TD share worst offenders with ISE for user/device policy decisions.
SIEM/TD Platform
Policy: Detect sensitive data access on mobile devices; quarantine such users
Context: Share with SIEM USER : DEVICE TYPE : CONN STATUS
Data: Sensitive Data Type: Mobile Device
Cisco ISE: ISE Quarantines/Remediates User/Traffic
-
ISE REST APIs
Internal ISE User API: Create and manage ISE users programmatically.
Session Directory API: Access to all the details for a given MAC or IP address.
Endpoints API: Input new endpoints and assign them to groups. Ex. add corporate printers.
Guest API: Create and manage guest accounts.
NAD/NDG (Network access device & network device group) API: Add and manage access control network devices configured within ISE. Ex. teleworker devices.
Bulk Operation Support for Internal User, Endpoint, NAD and Guest APIs.
Extended EPS API: Manage Endpoint Protection.
pxGrid: Enabling the potential of network wide context sharing.
-
Serviceability Enhancements
Tree View Live Log / Live Session Filters
Debug Endpoint
Export Policy in XML
Bypass Suppression per Endpoint
Right-Click Copy / Bypass / Details
Filtered Support Bundle
Endpoint Purge
-
Tree View
AuthC Protocols
Identity Store
-
Live Log / Live Session Filters Regex in Filters
-
Right Click in Live Log & Live Sessions
-
Debug Endpoint
Creates debug file of all activity for all services related to that specific endpoint
Executed and stored per PSN
Can be downloaded as separate files per-PSN
Or Merged as a single file
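Two of the serviceability items above, regex filters on the Live Log and the per-PSN Debug Endpoint files that can be merged into one, come together in a common troubleshooting task: collect the per-node debug output for one MAC, interleave it in time order, and narrow it with a regex. The Python below is an added example of that merge; it is not Cisco code, the line layout (timestamp, service, message) is an assumption made for the example, and the two sample debug files are constructed.

```python
import re
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed per-PSN debug output for the example. The layout
# "<timestamp> <service> <message>" is an assumption, not the real ISE format.
PSN_DEBUG_FILES: Dict[str, str] = {
    "psn-1": """\
2014-08-14 09:15:02,110 runtime-AAA  RADIUS Access-Request from 44:6D:77:B4:FD:01
2014-08-14 09:15:02,340 profiler     endpoint 44:6D:77:B4:FD:01 matched policy Apple-Device
2014-08-14 09:15:05,002 guest        portal session created for 44:6D:77:B4:FD:01
""",
    "psn-2": """\
2014-08-14 09:15:02,220 runtime-AAA  RADIUS Access-Request from 00:11:22:33:44:55
2014-08-14 09:15:03,900 runtime-AAA  Access-Accept sent for 44:6D:77:B4:FD:01
2014-08-14 09:16:40,510 posture      compliance check passed for 44:6D:77:B4:FD:01
""",
}

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"   # %f accepts the 3-digit millisecond field
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<rest>.*)$")


def parse_lines(psn: str, text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, psn, message) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m.group("ts"), TS_FORMAT), psn, m.group("rest")


def merge_debug(files: Dict[str, str], mac: str, pattern: Optional[str] = None) -> List[str]:
    """Merge per-PSN debug files into one chronological list for a single
    endpoint, optionally keeping only lines that match a regex (the same idea
    as a regex filter in the Live Log). Each output line is tagged with the
    PSN it came from so the origin is not lost in the merge."""
    regex = re.compile(pattern) if pattern else None
    merged: List[Tuple[datetime, str, str]] = []
    for psn, text in files.items():
        for ts, node, rest in parse_lines(psn, text):
            if mac.lower() not in rest.lower():
                continue                         # activity for another endpoint
            if regex is not None and not regex.search(rest):
                continue
            merged.append((ts, node, rest))
    merged.sort(key=lambda r: r[0])              # stable sort keeps ties in file order
    return [f"{ts.strftime(TS_FORMAT)[:-3]} [{node}] {rest}" for ts, node, rest in merged]


if __name__ == "__main__":
    for line in merge_debug(PSN_DEBUG_FILES, "44:6D:77:B4:FD:01", pattern=r"runtime-AAA"):
        print(line)
```

Keeping the PSN tag on every merged line matters when the clocks of the nodes disagree: a merged file that looks out of order is then traceable to the node whose time is off rather than to the endpoint.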
-
Export Policy in XML
Quick Link Access
-
Export Policy in XML Example
-
Bypass Suppression per Endpoint
Disabling event suppression per identity context is added functionality of the Collection Filter, located under Administration > Logging > Collection Filter.
Duration is relevant only for a bypass suppression filter and will not appear under any other filter type. The duration range is 5 to 480 minutes (8 hours); the default value is 60 minutes.
-
A bypass suppression collection filter can also be created by right-clicking an identity in the M&T logs.
Modify collection filters: if a bypass suppression collection filter already exists with the selected user as its value, the page redirects to the edit page of that existing collection filter. If no such collection filter exists, the page redirects to the edit page of a new bypass suppression collection filter with the selected user as its value.
Bypass Suppression Filtering for 1 hour: creates a bypass suppression collection filter with the selected user as its value and a duration of 60 minutes (no redirection occurs).
Bypass Suppression Right click
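The two slides above spell out the bypass-suppression rules precisely enough to model: a duration of 5 to 480 minutes with a 60-minute default, "Modify collection filters" going to an existing filter when one is keyed on the selected user and to a new one otherwise, and the one-hour shortcut creating the filter directly. The following Python is an added example of that logic, not Cisco code; it assumes that an expired filter simply stops bypassing suppression, and which events ISE suppresses in the first place is outside the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Limits stated on the slide: duration 5-480 minutes, default 60.
MIN_MINUTES, MAX_MINUTES, DEFAULT_MINUTES = 5, 480, 60


@dataclass
class BypassSuppressionFilter:
    identity: str            # the user the filter is keyed on
    duration_minutes: int
    created: datetime

    @property
    def expires(self) -> datetime:
        return self.created + timedelta(minutes=self.duration_minutes)

    def is_active(self, now: datetime) -> bool:
        return now < self.expires


def valid_duration(minutes: int) -> bool:
    """Only a bypass suppression filter has a duration, and it must be 5-480 min."""
    return MIN_MINUTES <= minutes <= MAX_MINUTES


class CollectionFilters:
    """Constructed stand-in for Administration > Logging > Collection Filter
    (bypass suppression filters only)."""

    def __init__(self) -> None:
        self.bypass: Dict[str, BypassSuppressionFilter] = {}   # identity -> filter

    def create(self, identity: str, now: datetime,
               minutes: int = DEFAULT_MINUTES) -> BypassSuppressionFilter:
        if not valid_duration(minutes):
            raise ValueError(f"duration must be {MIN_MINUTES}-{MAX_MINUTES} minutes, got {minutes}")
        f = BypassSuppressionFilter(identity, minutes, now)
        self.bypass[identity] = f
        return f

    def modify(self, identity: str, now: datetime) -> Tuple[str, BypassSuppressionFilter]:
        """Right-click 'Modify collection filters': ('edit', existing filter)
        when one exists for this identity, else ('new', unsaved draft)."""
        existing = self.bypass.get(identity)
        if existing is not None:
            return "edit", existing
        return "new", BypassSuppressionFilter(identity, DEFAULT_MINUTES, now)  # draft, not stored

    def bypass_for_one_hour(self, identity: str, now: datetime) -> BypassSuppressionFilter:
        """Right-click 'Bypass Suppression Filtering for 1 hour': create the
        filter directly with the 60-minute default, no redirection."""
        return self.create(identity, now, DEFAULT_MINUTES)

    def suppression_bypassed(self, identity: str, now: datetime) -> bool:
        """True while an active bypass filter exists for the identity, i.e.
        every event for it should be logged instead of being de-duplicated.
        Assumption: an expired filter just stops having effect."""
        f = self.bypass.get(identity)
        return f is not None and f.is_active(now)


if __name__ == "__main__":
    cf = CollectionFilters()
    t0 = datetime(2014, 8, 14, 10, 0)
    print(cf.modify("hansolo", t0)[0])                                    # new
    cf.bypass_for_one_hour("hansolo", t0)
    print(cf.modify("hansolo", t0)[0])                                    # edit
    print(cf.suppression_bypassed("hansolo", t0 + timedelta(minutes=61)))  # False
```

The bounded duration is the operationally interesting part: bypassing suppression for one user turns every repeated event into a stored record, so an upper limit of eight hours keeps a forgotten filter from inflating the M&T database indefinitely.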
-
Filtered Support Bundle
Date Filter
Support Bundle Options
-
Endpoint Purging
Matching Conditions - Purge by: # Days After Creation, # Days Inactive, Specified Date
On Demand Purge
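The purge slide names three matching conditions (days after creation, days inactive, a specified date) and a separate on-demand purge. The Python below is an added example of how a purge policy built from those conditions evaluates against an endpoint inventory; it is not Cisco code. It assumes conditions inside one rule are ANDed and rules are ORed, and that a "specified date" condition fires once that date is reached; the endpoints and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Tuple, Union


@dataclass
class Endpoint:
    mac: str
    created: datetime    # when ISE first learned the endpoint
    last_seen: datetime  # last activity ISE recorded for it


@dataclass
class Condition:
    """One matching condition from the slide's 'Purge by' list."""
    kind: str                 # "days_after_creation" | "days_inactive" | "specified_date"
    value: Union[int, date]   # days for the first two, a date for the third

    def matches(self, ep: Endpoint, now: datetime) -> bool:
        if self.kind == "days_after_creation":
            return (now - ep.created).days >= self.value
        if self.kind == "days_inactive":
            return (now - ep.last_seen).days >= self.value
        if self.kind == "specified_date":
            # Assumption for this example: the condition holds once the date is reached.
            return now.date() >= self.value
        raise ValueError(f"unknown purge criterion: {self.kind}")


@dataclass
class PurgeRule:
    conditions: List[Condition]   # all must hold (AND) for the rule to apply

    def matches(self, ep: Endpoint, now: datetime) -> bool:
        return all(c.matches(ep, now) for c in self.conditions)


def scheduled_purge(endpoints: List[Endpoint], rules: List[PurgeRule],
                    now: datetime) -> Tuple[List[Endpoint], List[Endpoint]]:
    """Scheduled purge: an endpoint is removed if any rule matches (OR across rules).
    Returns (kept, purged) so the caller can log what was dropped."""
    purged = [ep for ep in endpoints if any(r.matches(ep, now) for r in rules)]
    gone = {ep.mac for ep in purged}
    kept = [ep for ep in endpoints if ep.mac not in gone]
    return kept, purged


def on_demand_purge(endpoints: List[Endpoint], macs: List[str]) -> Tuple[List[Endpoint], List[Endpoint]]:
    """On Demand Purge: remove the listed endpoints now, regardless of the rules."""
    wanted = {m.upper() for m in macs}
    purged = [ep for ep in endpoints if ep.mac.upper() in wanted]
    kept = [ep for ep in endpoints if ep.mac.upper() not in wanted]
    return kept, purged


# Constructed sample inventory; MACs and dates are made up for the example.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:55", datetime(2013, 1, 10), datetime(2014, 8, 13)),  # corporate printer
    Endpoint("44:6D:77:B4:FD:01", datetime(2014, 8, 1), datetime(2014, 8, 1)),    # one-day guest
    Endpoint("AA:BB:CC:DD:EE:FF", datetime(2014, 6, 1), datetime(2014, 8, 14)),   # employee laptop
]

if __name__ == "__main__":
    now = datetime(2014, 8, 14, 12, 0)
    rules = [PurgeRule([Condition("days_inactive", 10)]),
             PurgeRule([Condition("days_after_creation", 365), Condition("days_inactive", 1)])]
    kept, purged = scheduled_purge(SAMPLE_ENDPOINTS, rules, now)
    print("purged:", [ep.mac for ep in purged])   # guest (inactive) and printer (old and idle)
```

Returning the purged list rather than silently deleting is deliberate: a purge that removes a still-valid corporate device (the printer here, if only an age condition were used) shows up as a profiling or authorization change later, and the list is what lets that be traced back.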
-
Questions ?
-
Thank You !