154-ise 1 3 whats new v3 cmh partners

Upload: joao-victor

Post on 29-Feb-2016


DESCRIPTION

News about Cisco ISE version 1.3

TRANSCRIPT

  • Cisco ISE 1.3 What's New Preview

    Christopher Heffner, CCIE #8211 SAMPG Technical Marketing Engineer

    August 14, 2014

  • Cisco Confidential 2 2013-2014 Cisco and/or its affiliates. All rights reserved.

    Forward-Looking Statements

    Many of the products and features described herein remain in varying stages of development and will be

    offered on a when-and-if-available basis.

    This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for

    delay in the delivery or failure to deliver any of the products or features set forth in this document.

  • How

    What

    Who

    Where

    When

    Delivering the Visibility and Control for Secure Network Access

    Network

    Partner Context Data

    Consistent Secure Access Policy

    Cisco ISE

    Cisco ISE is the Market Leader

  • Cisco ISE is Core to Cisco Security

    ISE Provides Visibility, Context, and Control Across the Entire Continuum

    Attack Continuum:

    BEFORE: Control, Enforce, Harden

    DURING: Detect, Block, Defend

    AFTER: Scope, Contain, Remediate

    Firewall

    NGFW

    NAC + Identity Services

    VPN

    UTM

    NGIPS

    Web + Email Security

    Advanced Malware Protection

    Network Behavior Analysis

    pxGrid + ISE Ecosystem

  • Single Plane of Glass Management with Cisco Prime

    ONE MANAGEMENT

    ISE Provides ONE Policy for Unified Access

    ONE NETWORK

    Simplified, Unified Policy Management

    with Cisco ISE

    ONE POLICY

    CISCO UNIFIED ACCESS

    Integrated Wired and Wireless

    in ONE Physical Infrastructure,

    with ONE Operating System & Open APIs

  • Why Cisco ISE?

    Visibility Driven: Accurately identify and assess network users & devices

    Access Control: Grant/limit access to align with appropriate business policy

    Threat Focused: Minimize the spread of network threats & the impact of data breaches

    Cisco ISE Provides Comprehensive, Unified Policy Management and Enforcement to Ensure Secure Wired, Wireless, and VPN Access

  • The Different Ways Customers Use ISE

    Guest Access Management: Easily provide guests limited-time, limited-resource Internet access

    BYOD and Enterprise Mobility: Seamlessly & securely onboard devices with the right levels of access

    Secure Access across the Entire Network: Simplify & unify enterprise network access policy across wired, wireless, & VPN

    With Cisco TrustSec: Identity-aware network segmentation and access policy enforcement

  • ISE 1.3 Priorities

    User Experience Simplified Integration

    Context and Speed

    All New Guest Experience Introducing Admin Work Centers BYOD & Certificate Management Made Easy

    Multi-Forest Active Directory

    Streamlined VPN

    AnyConnect Unified Agent

    Streamlined Threat Defense

    Streamlined Operation with new REST APIs

    Serviceability Enhancements

  • User Experience

    All New Guest Experience Introducing Admin Work Centers BYOD & Certificate Management Made Easy

  • Simplifying Enterprise Mobility with ISE 1.3: Reducing the Complexity of Managing BYOD and Device Onboarding

    STREAMLINED PERSONAL DEVICE PORTAL: Gives end-users control over managing all of their devices from just one easy-to-use self-service portal

    IMPROVED DEVICE RECOGNITION: Superior, market-leading profiling technology and feed service reduces unknown devices to less than 1%

    BRANDED EXPERIENCES: For guests, employees, and administrators across your pages, including banners and advertising

    OUT-OF-THE-BOX ONBOARDING: Accelerates user productivity through simplified device onboarding and easy, self-service device management

    Desktop & Mobile Ready!

  • Basic Supported Guest Flows

    1. Hotspot

    2. Self Service

    3. Self Service, Sponsor Approved

    4. Sponsored

  • Hotspot Guest Flow #1

    Goal: Get them on the Internet with AUP acceptance no matter who they are, and remember who they are next time so you don't get in their way.

    44:6D:77:B4:FD:01

    Acceptable Use Policy: "I promise to be good." -> I Agree

    Day Ends

    44:6D:77:B4:FD:01

  • Acceptable Use Policy

    The primary purpose of a website disclaimer is to limit or attempt to limit the liabilities that a website owner or publisher may suffer arising out of the website. Examples of the kinds of liability that we publishers must contend with include libel/defamation, copyright infringement and breach of privacy. Most legal systems strictly control the effects of limitations and exclusions of liability. For this reason you should take local legal advice if you believe you may have to rely upon the limits of liability in our free website disclaimer document.

  • Secret Code Controls Access to Guest Wi-Fi

    Secret code: chemist

    Registration code: require the user to enter a code before completing a self-service registration.

    Access code: require the user to enter a code before accessing a hotspot or logging in using guest credentials.

  • Hotspot Example Portal

  • Self Service with Email Verification Guest Flow #2

    Fill In A Simple Form -> Check Your Email -> Connect to Wi-Fi

    hansolo nerfherder

  • Self Service with SMS Guest Flow #2

    Goal: Get them on the Internet as long as you have a 3rd-party identifier that proves who the user is.

  • Self Registration with Sponsored Approval Guest Flow #3

    Visiting email?

    ISE sends email requesting approval.

    Sponsor logs into Sponsor Portal and approves or rejects.

    Approved! Credentials: username: trex42 password: littlearms

  • Approving Self Registration Requests

    DESKTOP / Mobile

  • Sponsored Flow Guest Flow #4

    "Hi! Can I get on your Wi-Fi?"

    "Sure. I just need a little information." Print, email & SMS credentials.

    "Cool!"

  • Create a Guest Account Sponsor Desktop

  • Create a Guest Account Sponsor Desktop

    Once the sponsor clicks Create, the account is created. They are then presented with the guest info and have the option to notify the guest. The sponsor can then click Notify and choose to deliver credentials via branded printout, email, and/or SMS.

  • Pre-Expiration Notification

    You are about to expire! Go here. http://bit.ly/reup

    DESKTOP / Mobile

  • The All New Guest Administration

    A Guest Button: With our new navigation, getting to the Guest admin has never been easier.

    Prepackaged Flows: Ships with the default flows used by 90% of our customers: Hotspot, Self-Service (with or without approval), & Sponsored.

    One Stop Setup: Once you're there, all the pieces you need are accessed in one place.

  • Guest Flow Settings Made Easy

    End User Visibility: Ever wonder how changing a setting will affect your guests? ISE makes the end-user experience crystal clear as it updates the guest flow diagram in real time with each settings change.

    Admin Friendly: Through extensive user research we've made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.

  • Simple Customization of Guest Pages

    Themes: Themes give you complete control over the look and feel of your guest pages. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.

    Live Preview: See your pages as the guests will see them as you customize.

    Full Page Control: Use our defaults or customize every field in multiple languages.

  • Sponsoring Guests - Made Easy for Employees

    Branding with Themes: Themes give you complete control over the look and feel of your sponsor portal.

    Mobile Sponsors: You are free to move about the cabin! Create a guest account on the fly from your smartphone / tablet away from your desk.

    Streamlined Guest Creation: Set up your sponsor portal to show only the fields you need for your business.

    Create Accounts -> Print / Email / SMS


  • Where can I send Guests after they connect?

    Custom ISE Success Page

    Page they tried to reach (example: google.com)

    Predefined URL such as the company page

  • What happens when a Guest exceeds their device limit?


  • Walk Through BYOD Onboarding

    Out-of-the-box flow walks users through onboarding.

    Fully customizable user experience with Themes.

    My Devices gives end users control to add and manage their devices.

    Mobile and desktop ready out of the box.

  • Java-Less Provisioning

  • Java-Less Provisioning

    Downloads as DMG; double-click to run the app.

  • ISE 1.3: Internal Certificate Authority

    Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure.

    The ISE Certificate Authority is designed to work in concert as a self-contained solution or with your existing Enterprise PKI to simplify BYOD deployments.

    Single Management Console: Manage endpoints and their certs. Delete an endpoint and ISE deletes the cert.

    Simplified Deployment: Supports stand-alone and subordinate deployments. Removes the corporate PKI team from every BYOD interaction.

    Simplifying certificate management for BYOD devices

    *Designed for BYOD and MDM use-cases only, not a general-purpose CA

    Optional Enterprise Root

    Self Contained or Optional Subordinate

    Cisco ISE Certificate Authority

  • Simplified Integration

    Multi-Forest Active Directory

    Streamlined VPN

    AnyConnect Unified Agent


  • Multi-Forest Active Directory Support

    Support for 50 concurrent Active Directory join points

    No need for 2-way trust relationship between domains

    Advanced algorithms for dealing with identical usernames.

    ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises.

    example-1.com

    example-2.com

    example-n.com

    ISE


  • Cisco ISE Posture Agents

    Cisco NAC Agent / Cisco AnyConnect 4.0

  • AnyConnect 4.0 ISE Posture

    An ISE posture AnyConnect module: Windows and OS X support

    Integration with the AC end-user experience (single posture tile for ISE and ASA posture), further strengthened by ISE 1.3 Posture Lease functionality

    AC deployment from ISE, including an AC ISE posture module profile editor

    Coexistence with NAC Agent for ease of migration; this will help existing ISE and NAC Appliance customers

    Monthly compliance module updates, same as today with the NAC Agent

  • Context and Speed

    Streamlined Threat Defense

    Streamlined Operation with new REST APIs

    Serviceability Enhancements

  • Integrating One System to One Other System

    I have NBAR info! I need identity

    I have firewall logs! I need identity

    I have sec events! I need reputation

    I have NetFlow! I need entitlement

    I have reputation info! I need threat data

    I have MDM info! I need location

    I have app inventory info! I need posture

    I have identity & device-type! I need app inventory & vulnerability

    I have application info! I need location & auth-group

    I have threat data! I need reputation

    I have location! I need identity

    SIO

    Proprietary APIs aren't the solution. We need to share data.

    TRADITIONAL APIs: One Integration at a Time

    Single-purpose function = need for many APIs/dev (and lots of testing)

    Not configurable = too much/little info for interface systems (scale issues)

    Pre-defined data exchange = wait until next release if you need a change

    Polling architecture = can't scale beyond 1 or 2 system integrations

    Security can be loose

  • Enabling the Potential of Network-Wide Context Sharing

    INFRASTRUCTURE FOR A ROBUST ECOSYSTEM

    Single framework: develop once, instead of multiple APIs

    Customize and secure what context gets shared and with which platforms

    Bi-directional share and consume context

    Enables any pxGrid partner to share with any other pxGrid partner

    Integrating with Cisco ONE SDN for broad network control functions

    SIO

    Single, Scalable Framework

    Direct, Secured Interfaces

    pxGrid Context Sharing

  • The Next Wave of Cisco pxGrid Partnerships: Sharing Context with an Even Broader Ecosystem

    Faster Remediation of Threats with SIEM

    Extension of Access Policy & Compliance with MDM

    Endpoint Vulnerability Remediation

    Context-driven OT Policy and Segmentation for IoT

    Simplified Network Troubleshooting and Forensics

    SSO Secure Access to Sensitive Data on Mobile Devices

  • SIEM/Threat Defense Integration Using pxGrid: With NetIQ and/or Lancope

    Use Case: Identity and device aware threat management. Increase confidence around event severity levels in SIEMs and TD consoles; make events actionable in the network. SIEM/TD share worst offenders with ISE for user/device policy decisions.

    SIEM/TD Platform

    Policy: Detect sensitive data access on mobile devices; quarantine such users

    Context: Share with SIEM USER : DEVICE TYPE : CONN STATUS

    Data: Sensitive Data Type: Mobile Device

    Cisco ISE: ISE Quarantines/Remediates User/Traffic

  • ISE REST APIs

    Internal ISE User API: Create and manage ISE users programmatically.

    Session Directory API: Access to all the details for a given MAC or IP address.

    Endpoints API: Input new endpoints and assign them to groups. Ex. add corporate printers.

    Guest API: Create and manage Guest accounts.

    NAD/NDG (Network access device & network device group) API: Add and manage access control network devices configured within ISE. Ex. teleworker devices.

    Bulk Operation Support for Internal User, Endpoint, NAD and Guest APIs

    Extended EPS API: Manage Endpoint Protection

    pxGrid: Enabling the potential of network-wide context sharing.
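The Endpoints API bullet above ("add corporate printers") is the kind of bulk job that goes wrong on bad input rather than on the call itself. The following is an added example, not code from the deck or from Cisco: it validates and normalizes a constructed printer inventory, builds the JSON bodies, and only then would POST them. The resource path (`https://<ise-pan>:9060/ers/config/endpoint`), basic auth with an ERS admin account, and the `ERSEndPoint` field names are taken from the ISE ERS API as I know it and should be checked against the ERS SDK page of your own ISE version; the group ID is a placeholder, and the `requests` library is only needed for the live call.

```python
"""Build and validate Cisco ISE ERS endpoint-creation requests for bulk-adding
corporate printers to an endpoint identity group.

Added example, not from the slide deck or from Cisco. Assumptions: ERS listens
on TCP 9060, the resource is POST /ers/config/endpoint with an
{"ERSEndPoint": {...}} body, the account is an ERS admin using HTTP basic
auth, and both Accept and Content-Type are application/json. Verify against
https://<ise-pan>:9060/ers/sdk for your version before relying on field names.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed inventory as it might come from an asset system. MAC addresses
# deliberately arrive in mixed notations to exercise normalization.
PRINTER_INVENTORY = [
    {"name": "prn-hq-3f-01", "mac": "00:11:22:aa:bb:01"},
    {"name": "prn-hq-3f-02", "mac": "0011.22aa.bb02"},      # Cisco dotted form
    {"name": "prn-branch-01", "mac": "00-11-22-AA-BB-03"},  # Windows dashed form
    {"name": "prn-bad-record", "mac": "00:11:22:aa:bb"},    # truncated: must be rejected
]

# Placeholder for the "Corporate Printers" endpoint identity group ID; in a
# real run it is looked up first (GET /ers/config/endpointgroup, assumed path).
PRINTER_GROUP_ID = "<endpoint-group-uuid>"

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC in canonical AA:BB:CC:DD:EE:FF form, or raise ValueError."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_payload(name: str, mac: str, group_id: str) -> Dict:
    """Build the ERSEndPoint body for a statically group-assigned endpoint.

    staticGroupAssignment=True pins the endpoint to the group so a later
    profiler re-classification cannot silently move it out of printer policy.
    """
    return {
        "ERSEndPoint": {
            "name": name,
            "description": "corporate printer (bulk import)",
            "mac": normalize_mac(mac),
            "groupId": group_id,
            "staticGroupAssignment": True,
            "staticProfileAssignment": False,
        }
    }


def prepare_bulk_import(inventory: List[Dict], group_id: str) -> Tuple[List[Dict], List[str]]:
    """Validate every record; return (payloads_to_post, rejected_names).

    Bad records are reported instead of aborting the whole import, and a
    duplicate MAC is dropped so the second POST does not fail with HTTP 400.
    """
    payloads, rejected, seen = [], [], set()
    for rec in inventory:
        try:
            payload = build_endpoint_payload(rec["name"], rec["mac"], group_id)
        except (KeyError, ValueError):
            rejected.append(rec.get("name", "<unnamed>"))
            continue
        mac = payload["ERSEndPoint"]["mac"]
        if mac in seen:
            rejected.append(rec["name"])
            continue
        seen.add(mac)
        payloads.append(payload)
    return payloads, rejected


def post_endpoints(payloads: List[Dict], ise_host: str, user: str, password: str) -> List[int]:
    """POST each payload to the ERS endpoint resource; return HTTP status codes.

    Not executed in this example (no ISE is reachable); shown for the call
    shape. A 201 Created response carries the new endpoint's URL in Location.
    """
    import requests  # third-party; only needed for the live call

    url = f"https://{ise_host}:9060/ers/config/endpoint"
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    codes = []
    for body in payloads:
        r = requests.post(url, auth=(user, password), headers=headers,
                          data=json.dumps(body), verify=True, timeout=15)
        codes.append(r.status_code)
    return codes


if __name__ == "__main__":
    ready, bad = prepare_bulk_import(PRINTER_INVENTORY, PRINTER_GROUP_ID)
    print(f"{len(ready)} endpoints ready, rejected: {bad}")
    for p in ready:
        print(json.dumps(p))
```

Running it offline prints three ready payloads and rejects `prn-bad-record`; the static group assignment is the part worth keeping, since an endpoint that the profiler can re-home is an endpoint whose policy can drift without anyone changing a rule.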


  • Serviceability Enhancements

    Tree View Live Log / Live Session Filters

    Debug Endpoint

    Export Policy in XML

    Bypass Suppression per Endpoint

    Right-Click Copy / Bypass / Details

    Filtered Support Bundle

    Endpoint Purge

  • Tree View

    AuthC Protocols

    Identity Store

  • Live Log / Live Session Filters: Regex in Filters

  • Right Click in Live Log & Live Sessions

  • Debug Endpoint

    Creates a debug file of all activity for all services related to that specific endpoint

    Executed and stored per PSN

    Can be downloaded as separate files per PSN, or merged as a single file

  • Export Policy in XML

    Quick Link Access

  • Export Policy in XML Example

  • Bypass Suppression per Endpoint

    Disabling event suppression per identity context is added functionality of the Collection Filter, located under Administration > Logging > Collection Filter.

    Duration is only relevant for a bypass-suppression filter and will not appear under any other filter type. The duration range is between 5 and 480 minutes (8 hours); the default value is 60 minutes.

  • Bypass Suppression Right Click

    A bypass-suppression collection filter can also be created by right-clicking an identity in the M&T logs.

    Modify collection filters: If a bypass-suppression collection filter already exists with the selected user as its value, the page redirects to the edit page of the existing collection filter. If no such collection filter exists, the page redirects to the edit page of a new bypass-suppression collection filter with the selected user as its value.

    Bypass Suppression Filtering for 1 hour: creates a bypass-suppression collection filter with the selected user as its value and a duration of 60 minutes (no redirection occurs).

  • Filtered Support Bundle

    Date Filter

    Support Bundle Options

  • Endpoint Purging

    Matching Conditions, purge by:

    # Days After Creation

    # Days Inactive

    Specified Date

    On Demand Purge
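A purge rule that is scoped too widely removes the endpoint records (and, per the internal-CA slide, the certificates tied to them) that policy depends on, so the three matching conditions above are worth previewing before a rule is scheduled. The block below is an added example, not ISE code: it models the three conditions as a plain function over a constructed endpoint inventory and reports, per identity group, what a set of rules would remove. The `Endpoint` record, its field names and the sample data are constructed; "specified date" is modelled as "the rule fires on or after that calendar date", which is this example's interpretation rather than a statement about how ISE evaluates it.

```python
"""Preview which endpoints an ISE-style purge rule would remove.

Added example, not ISE code. It reproduces the three matching conditions the
slide lists (# days after creation, # days inactive, specified date) over a
constructed inventory so the effect of a rule can be checked before it is
scheduled. Record layout and sample data are constructed; "specified date" is
interpreted here as "purge the scoped endpoints once that date is reached".
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Endpoint:
    mac: str
    group: str            # endpoint identity group
    created: datetime     # first time the endpoint was learned
    last_seen: datetime   # last authentication or profiling activity


# Constructed inventory: two guest devices, one printer, one stale unknown device.
NOW = datetime(2014, 9, 1, 9, 0)
ENDPOINTS = [
    Endpoint("44:6D:77:B4:FD:01", "GuestEndpoints", NOW - timedelta(days=40), NOW - timedelta(days=35)),
    Endpoint("44:6D:77:B4:FD:02", "GuestEndpoints", NOW - timedelta(days=3), NOW - timedelta(hours=2)),
    Endpoint("00:11:22:AA:BB:01", "Printers", NOW - timedelta(days=400), NOW - timedelta(minutes=10)),
    Endpoint("DE:AD:BE:EF:00:01", "Unknown", NOW - timedelta(days=120), NOW - timedelta(days=119)),
]


@dataclass
class PurgeRule:
    """One rule: an optional group scope plus exactly one of the three conditions."""
    group: Optional[str] = None
    days_after_creation: Optional[int] = None
    days_inactive: Optional[int] = None
    specified_date: Optional[Union[date, str]] = None   # date or ISO string "YYYY-MM-DD"

    def __post_init__(self) -> None:
        if isinstance(self.specified_date, str):
            self.specified_date = date.fromisoformat(self.specified_date)
        conditions = [c for c in (self.days_after_creation, self.days_inactive, self.specified_date)
                      if c is not None]
        if len(conditions) != 1:
            raise ValueError("a purge rule needs exactly one matching condition")


def matches(ep: Endpoint, rule: PurgeRule, now: datetime) -> bool:
    """True if the endpoint is inside the rule's scope and meets its condition."""
    if rule.group is not None and ep.group != rule.group:
        return False
    if rule.days_after_creation is not None:
        return now - ep.created >= timedelta(days=rule.days_after_creation)
    if rule.days_inactive is not None:
        return now - ep.last_seen >= timedelta(days=rule.days_inactive)
    # specified_date: everything in scope goes once that calendar date is reached
    return now.date() >= rule.specified_date


def select_for_purge(endpoints: List[Endpoint], rule: PurgeRule, now: datetime = NOW) -> List[str]:
    """Return the MACs the rule would purge, in inventory order."""
    return [ep.mac for ep in endpoints if matches(ep, rule, now)]


def purge_preview(endpoints: List[Endpoint], rules: List[PurgeRule], now: datetime = NOW) -> Dict[str, int]:
    """Count, per identity group, how many endpoints any of the rules would remove.

    An endpoint matched by several rules is counted once. This is the number to
    sanity-check before scheduling: a rule that would empty "Printers" is a
    mis-scoped rule, not a cleanup.
    """
    doomed = {mac for r in rules for mac in select_for_purge(endpoints, r, now)}
    counts: Dict[str, int] = {}
    for ep in endpoints:
        if ep.mac in doomed:
            counts[ep.group] = counts.get(ep.group, 0) + 1
    return counts


if __name__ == "__main__":
    rules = [
        PurgeRule(group="GuestEndpoints", days_after_creation=30),  # guests are short-lived
        PurgeRule(days_inactive=90),                                # anything silent for a quarter
    ]
    print(purge_preview(ENDPOINTS, rules))  # {'GuestEndpoints': 1, 'Unknown': 1}
```

The scope-then-condition order in `matches` is deliberate: an inactivity rule with no group scope would also catch a printer that was simply powered off over a long shutdown, so the preview shows the printer group explicitly rather than burying it in a total.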

  • Questions?

  • Thank You!