Agenda
§ ISE 2.0 - overview
§ UI Update with Work Centers
§ TACACS+ and Device Admin Work Center
§ Deployment / Operational Enhancements
§ pxGrid, ANC, Fire & ISE
§ TrustSec Enhancements & Work Center
§ BYOD / Certificate Enhancements and the New Portal
§ Posture / MDM Enhancements
§ Location / MSE Integration
§ EAP-TTLS
§ 3rd Party NAD Support
§ Easy Wired Access (EWA)
§ ISE Express
§ Q&A
Role-Based Secure Access with ISE
✔ Acquires important context and identity from the network
✔ Implements context-aware classification and policy
✔ Provides differentiated access to the network
Figure: three users reaching Patient Records, the Internal Employee Intranet and the Internet. Who: Guest, What: iPad, Where: Office. Who: Doctor, What: Laptop, Where: Office. Who: Doctor, What: iPad, Where: Office.
The Different Ways Customers Use ISE
• Guest Access Management: easily provide visitors secure guest Internet access
• BYOD and Enterprise Mobility: seamlessly classify and securely onboard devices with the right levels of access
• Secure Access Control across the Entire Network: streamline enterprise network access policy over wired, wireless and VPN
• Cisco TrustSec® Software-Defined Segmentation: simplify network segmentation and enforcement to contain network threats
• Context and Policy Architecture: improve security operations with deeper visibility and shared context through Cisco pxGrid
5 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Goals of the User Interface Update in ISE 2.0
• ISE 2.0 has begun a transition to a new UI to:
– Modernize the UI technologies for better browser and technology support
– Bring the UI into a more homogeneous design pattern
• The navigation framework was changed first
– Some of the pages remain the same; only the navigation has changed
– The old pages and “widgets” are being replaced systematically
• The revamped GUI will be a multi-release process
• Flash is being phased out
Example: Revamped the Endpoints Identity Page
Figure: screenshot of the revamped Endpoints identity page, showing the filter controls below the list.
TACACS+ Device Administration Support for ISE 2.0
What’s new for ISE 2.0? Customers can now use Terminal Access Controller Access Control System Plus (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Benefits
• Role-based access control: simplify security management with role-based access
• Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Figure: the Security Admin Team and the Network Admin Team each work in their own TACACS+ Work Center.
ISE T+ versus ACS T+
Feature                                    | Reason
IPv6 T+                                    | ---
Customizable ports                         | Fixed as 49 in 2.0; customization comes in 2.1
Max Sessions Per Node                      | Coming in 2.1
Command-Set Import/Export                  | Coming in 2.1
No Hit Counts & Policy Table Customization | Different UI
Device Admin Service is not Enabled by Default
Device Administration License
• Covers up to the maximum number of network devices
• One license, NTE $4500
• Requires 1+ Base license to enable the ISE product
Migration Tool
• Download from the Overview page for Device Administration
New Upgrade (For Your Reference)
Pre-Defined Policy Elements, Rules and Flows
Pre-Configured Default Rules
• In 1.3 and 1.4 we added some pre-built defaults; we continued that mission within 2.0
• Goal: to speed up time to deployment. The most common things are now created for the customer/partner/CSE out of the box
• Goal: to show customers what is possible
• Rules for: BYOD, Guest, MDM
Other Serviceability Enhancements
Test Repository from GUI
Rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
What’s new for ISE 2.0? Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions, per policy, with Cisco FireSIGHT and ISE integration
• Admit or deny access to the contractor portal
Benefits
• Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Automatically defend against threats with FMC and ISE (flow):
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects the suspicious file and alerts ISE using pxGrid, changing the endpoint’s Security Group Tag (SGT) to “suspicious”
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
Cisco Rapid Threat Containment Solution: FMC and ISE
Advanced Threat Sensors
§ Cisco ASA with Firepower Services
§ Firepower NGIPS Appliances
§ Cisco AMP for Networks
§ Firepower on Cisco ISR
Threat Visibility: FMC
§ Cisco FireSIGHT Management Center
§ Automated Contextual Analysis and Threat Qualification
§ Continuous Threat Intelligence Updates to Threat Sensors
Automated Enforcement: ISE
§ Cisco FireSIGHT and Cisco ISE Automate Containment
§ Policy Enforcement from Cisco TrustSec, Downloadable ACL, or VLAN
What versions are required?
• FMC: 5.4.x is supported; 6.0 does not support RTC; 6.1 (summer 2016) will support RTC
• ISE: version 1.3 and later
TrustSec Work Center: intuitive work center and access policy matrix
What’s new for ISE 2.0? The updated TrustSec user experience, based on a new work center, allows simplified and streamlined deployment, troubleshooting and monitoring.
Capabilities
• New TrustSec administrator console and services
– TrustSec dashboard
– Matrix overhaul
– Automatic SGT creation
– ISE as SXP speaker / listener
• Revised UX
– Improved menu structure for ease of navigation
– Search capability within the GUI
• Enhanced reporting
– PDF print and local save reintroduced
– Improved filtering for live log and reports
Benefits
• Streamline management using a single workspace: simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• With TrustSec’s new user interface: enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules
Figure: access policy matrix. Source SGTs: Guest, Contractor, Employee, Infected. Destination SGTs: Internet, Contractor Resources, HR Server, Employee Resources, Remediation. Each cell holds Permit IP or Deny IP.
New TrustSec Dashboard & WorkCenter
Improved Matrix, Color Coded + Condensed
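The matrix above and the FMC-to-ISE containment flow earlier in the deck, as an added example that is not Cisco’s code: a source-SGT by destination-SGT lookup with a default of Deny IP, and the step where an endpoint’s tag is swapped to a containment SGT and it loses what it could previously reach. The SGT names are the deck’s; the cell contents, the sessions and the use of the "Infected" SGT for the "suspicious" tag are constructed assumptions.

```python
# Added example (not Cisco's code): TrustSec matrix lookup plus the SGT swap
# ISE performs after an FMC "suspicious file" event arrives over pxGrid.
# SGT names come from the slides; cells, sessions and the choice of
# "Infected" as the containment tag are constructed.
from dataclasses import dataclass

SOURCES = ("Guest", "Contractor", "Employee", "Infected")
DESTINATIONS = ("Internet", "Contractor Resources", "HR Server",
                "Employee Resources", "Remediation")


class SgtMatrix:
    """(source SGT, destination SGT) -> 'Permit IP' or 'Deny IP'."""

    def __init__(self, default="Deny IP"):
        self.default = default   # an unconfigured cell denies
        self.cells = {}

    def set(self, src, dst, action):
        if src not in SOURCES or dst not in DESTINATIONS:
            raise ValueError(f"unknown SGT pair {src!r} -> {dst!r}")
        self.cells[(src, dst)] = action

    def lookup(self, src, dst):
        return self.cells.get((src, dst), self.default)


def build_matrix():
    """Constructed policy: everyone reaches the Internet, each role reaches
    its own resources, and Infected endpoints only reach Remediation."""
    m = SgtMatrix()
    for src in SOURCES:
        m.set(src, "Internet", "Permit IP")
    m.set("Contractor", "Contractor Resources", "Permit IP")
    m.set("Employee", "Employee Resources", "Permit IP")
    m.set("Employee", "HR Server", "Permit IP")
    for dst in DESTINATIONS:
        m.set("Infected", dst, "Deny IP")
    m.set("Infected", "Remediation", "Permit IP")
    return m


@dataclass
class Session:
    mac: str
    user: str
    sgt: str


def reachable(m, session):
    """Destinations the session's current SGT is permitted to reach."""
    return {d for d in DESTINATIONS if m.lookup(session.sgt, d) == "Permit IP"}


def contain_endpoint(m, sessions, mac, new_sgt="Infected"):
    """Model of ISE acting on the FMC alert: the endpoint's SGT is changed to
    the containment tag (in ISE this happens through an ANC policy and a
    RADIUS CoA) and the matrix decides what it keeps and what it loses."""
    s = sessions[mac]
    before = reachable(m, s)
    s.sgt = new_sgt
    after = reachable(m, s)
    return {"mac": mac, "sgt": new_sgt,
            "lost": sorted(before - after), "keeps": sorted(after)}
```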
Certificate Provisioning Portal
• In ISE 1.4 we added the certificate provisioning API; now, in 2.0, we have a customizable portal
• Customize it to look like the guest portals
• Configure which templates may be used, just as you would assign sponsor groups to a portal page
• Signing CSRs
• Generating full key pairs
• Multiple choices for download
Admin UI
CoA-Terminate after Certificate revocation
ISE 1.3/1.4: device is using a cert issued by ISE
Figure: ISE cube (PAN, MnT, PSN-1, PSN-2), ISE Admin, an NGFW towards the Internet, and an endpoint authenticated with an ISE-issued certificate. The admin revokes the certificate, but traffic is still flowing until the next re-auth.
ISE 2.0: device is using a cert issued by ISE
Figure: same topology. 1. Admin revokes the certificate. 2. If the cert has an active session, ISE sends a CoA and the session is terminated.
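The two behaviours shown above, as an added example that is not Cisco’s code: the same revocation is processed once the way ISE 1.3/1.4 does it (the cert is marked revoked and the session lives until the next re-auth) and once the way ISE 2.0 does it (an active session using the cert receives a CoA-Terminate immediately). Session identifiers, MAC addresses, serial numbers and NAD names are constructed.

```python
# Added example (not Cisco's code): what changes when an admin revokes a
# certificate ISE issued to an endpoint. Sessions, serials and NADs are
# constructed; "1.3/1.4" and "2.0" select the release behaviour.
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    mac: str
    cert_serial: str   # serial of the client cert used in the EAP exchange
    nad: str           # switch / WLC holding the session (the CoA target)
    active: bool = True


@dataclass
class CoaRequest:
    nad: str
    session_id: str
    action: str = "Terminate"


class InternalCA:
    def __init__(self, behaviour):
        self.behaviour = behaviour      # "1.3/1.4" or "2.0"
        self.revoked = set()
        self.sessions = {}
        self.sent_coa = []

    def add_session(self, s):
        self.sessions[s.session_id] = s

    def revoke(self, serial):
        """Revoke a certificate. On 2.0 every active session that
        authenticated with it is terminated by CoA right away; on
        1.3/1.4 nothing happens until that session re-authenticates."""
        self.revoked.add(serial)
        if self.behaviour != "2.0":
            return []
        coas = []
        for s in self.sessions.values():
            if s.active and s.cert_serial == serial:
                coa = CoaRequest(s.nad, s.session_id)
                self.sent_coa.append(coa)
                s.active = False          # NAD tears the session down
                coas.append(coa)
        return coas

    def reauthenticate(self, session_id):
        """Next periodic re-auth: a revoked cert fails on every release."""
        s = self.sessions[session_id]
        s.active = s.cert_serial not in self.revoked
        return s.active

    def traffic_allowed(self, session_id):
        return self.sessions[session_id].active
```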
What is Posture? Are my Endpoints Compliant with the Company Security Policy ?
Posture for all Devices: Desktop Posture vs Mobile Posture
Desktop Posture
• Desktop compliance checks for Windows and OS X
• Variety of checks ranging from OS, hotfix, AV/AS, patch management and more
• ISE can enforce network access based on compliance
Mobile Posture (solution: ISE + MDM together)
• Focused on mobile device posture only
• Requires devices to comply with MDM policy
• PIN lock, jailbroken, app check and more
• ISE can enforce network access based on MDM compliance
MDM Enhancements: Are My Mobile Endpoints Compliant?
ISE 2.0 Highlights                                       | Description
Better flows for on-boarding in brownfield environments  | Devices are pre-enrolled into MDM before ISE authentication
Meraki integration                                       | Enhanced on-boarding experience
Differentiated portal for MDM X                          | Vendor-based logo display on MDM pages
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights      | Description
File Check Enhancements | Enhanced OS X file checks, SHA-256, plist on OS X, Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check       | User agent check, user-based process check
Disk Encryption Check   | Checks can be based on installation, location and disk encryption state
Reporting               | Report based on condition name and condition state
Location-based authorization with the integration of Cisco Mobility Services Engine (MSE)
What’s new for ISE 2.0? The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorize network access based on user location.
Enhance control with location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes in authorization policy
• Checks MSE periodically for location changes (every 5 minutes); one-way communication from ISE to MSE
• Reauthorizes access based on the new location (i.e. if the location changes, apply CoA)
• Requires a PLUS license in ISE
Benefits
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users
Figure: a doctor’s access to patient data by location: Lobby, no access; Patient room, access; Lab, no access; ER, access. The “patient data access locations” list shows Patient room, ER, Lab and Lobby.
Location Based Authorization: authorize user access to the network based on their location
Figure: ISE 2.0 talks to MSE 8.0 (configured through the MSE UI); MSE answers “I have location data” in the form Campus:Building:Floor:Zone.
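The location hierarchy, the 5-minute MSE check and the CoA on a changed result, as an added example that is not Cisco’s code. It uses the Campus:Building:Floor:Zone form from the slide and matches a session against any prefix of the hierarchy; the hospital names, the Doctors rule, the profile names and the MSE answers are constructed, and the MSE lookup is passed in as a plain function because the real API is not on the page.

```python
# Added example (not Cisco's code): location-based authorization with a
# periodic MSE poll. Location strings follow Campus:Building:Floor:Zone;
# all names, rules and MSE responses are constructed.
from dataclasses import dataclass, field

POLL_INTERVAL_SECONDS = 5 * 60   # slide: ISE checks MSE every 5 minutes


def in_location(actual, allowed):
    """True if 'actual' is at or below 'allowed' in the hierarchy,
    e.g. Hosp:Main:2:ER is inside Hosp:Main:2 and inside Hosp:Main."""
    a, b = actual.split(":"), allowed.split(":")
    return a[:len(b)] == b


@dataclass
class Rule:
    name: str
    group: str          # identity group the rule applies to
    locations: tuple    # allowed location prefixes (MSE attribute values)
    profile: str        # authorization profile when the rule matches


@dataclass
class Session:
    user: str
    group: str
    mac: str
    location: str
    profile: str = "NoPatientData"


# Constructed rule matching the slide: doctors get patient data only in
# the ER and the patient rooms; anywhere else (lobby, lab) the default applies.
RULES = [
    Rule("Doctors_PatientData", "Doctors",
         ("Hosp:Main:2:ER", "Hosp:Main:3:PatientRooms"), "PatientData"),
]


def authorize(rules, session, default="NoPatientData"):
    """First matching rule wins, as in an ISE authorization policy."""
    for r in rules:
        if r.group == session.group and any(
                in_location(session.location, loc) for loc in r.locations):
            return r.profile
    return default


@dataclass
class LocationMonitor:
    rules: list
    sessions: dict                                   # mac -> Session
    coa_log: list = field(default_factory=list)      # (mac, new profile)

    def poll(self, mse_lookup):
        """One poll cycle: ask MSE for each endpoint's location (ISE -> MSE
        only). If the authorization result changes, record the CoA that
        ISE would send so the NAD applies the new profile. Returns the
        users whose access changed."""
        changed = []
        for s in self.sessions.values():
            new_loc = mse_lookup(s.mac)
            if new_loc is None or new_loc == s.location:
                continue
            s.location = new_loc
            new_profile = authorize(self.rules, s)
            if new_profile != s.profile:
                s.profile = new_profile
                self.coa_log.append((s.mac, new_profile))
                changed.append(s.user)
        return changed
```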
On a Topic Related to TLS Support…
TLS Version Support
• ISE 1.3/1.4 support TLS 1.0 only
• ISE 2.0 adds support for TLS 1.1 and 1.2
• ISE 2.0 negotiates TLS 1.2 as the preferred TLS version
• Downgrade to TLS 1.0 / 1.1 is still supported during version negotiation between client and ISE, for compatibility with legacy clients
• Lower versions of the protocol (SSL 3 and below) are not supported
• Clients not capable of TLS 1.0 or higher will be rejected
EAP-TTLS: What Is It? Why Would I Use It?
• EAP-TTLS = “Tunneled” TLS
• Developed by Funk (now Juniper) and Certicom (now RIM)
• An EAP type that uses a TLS tunnel to securely pass AV pairs such as client credentials (the inner identity)
• Supports virtually any EAP type as the inner method (including clear text) while not exposing the client identity
• The client authenticates the server using TLS. Client authentication with a certificate to secure the TLS tunnel is optional, so no certificate is required on the client
• Most popular usage is eduroam, but the prevalence of PEAP support across broader client platforms has reduced general usage. Specific eduroam participants may still use EAP-TTLS to authenticate their local user base, but support is not required by the RADIUS proxies
• Native support for EAP-TTLS in Windows 8 and ISE will likely result in uptake of its deployment
• Whitepaper on PEAP vs EAP-TTLS: http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf
EAP-TTLS: Native Supplicant Support
• Microsoft
– Windows v8+
– Microsoft Windows Phone v8.1+
– Note: Windows Mobile does not support EAP-TTLS
• Apple
– Mac OS
– iOS version 3.1.3+ (default EAP type = MSCHAPv2)
• Android v2.1 and higher
• Google Chrome OS (for Chromebooks)
• BlackBerry 6A+
ISE services now available for non-Cisco network access devices (with non-Cisco device integration)
What’s new for ISE 2.0? Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits (get the same great security across more devices)
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure
Compatible device vendors*: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
Figure: ISE 1.0 already supported 802.1X on these devices; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
*For additional information, refer to the Cisco Compatibility Matrix
“Smart” Conditions: match flow conditions for multiple vendors in a single rule
• No need to create a separate policy rule for each vendor’s implementation of MAB, 802.1X, or WebAuth
• ISE matches the request based on the NAD profile configuration
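One way to picture the “smart” condition above, as an added example that is not Cisco’s code: each network device points at a NAD profile, the profile says which RADIUS attributes identify a MAB or 802.1X request from that vendor, and the policy rule names only the flow type, so one rule covers every vendor. The attribute names are standard RADIUS attributes, but the per-vendor detection conditions, the device list and the vendor names are constructed for illustration and are not taken from a real ISE NAD profile.

```python
# Added example (not Cisco's code): a flow condition evaluated through
# per-vendor NAD profiles so one rule matches MAB from several vendors.
# Detection conditions, devices and vendor names are constructed.

# NAD profile: for each flow type, the RADIUS attributes that identify it.
NAD_PROFILES = {
    "Cisco": {
        "Wired_MAB":    {"Service-Type": "Call-Check", "NAS-Port-Type": "Ethernet"},
        "Wired_802.1X": {"Service-Type": "Framed",     "NAS-Port-Type": "Ethernet"},
    },
    "VendorA": {   # constructed: signals MAB with a different Service-Type
        "Wired_MAB":    {"Service-Type": "Login",  "NAS-Port-Type": "Ethernet"},
        "Wired_802.1X": {"Service-Type": "Framed", "NAS-Port-Type": "Ethernet"},
    },
    "VendorB": {   # constructed: a vendor-specific attribute marks the mode
        "Wired_MAB":    {"VendorB-Auth-Mode": "mac"},
        "Wired_802.1X": {"VendorB-Auth-Mode": "dot1x"},
    },
}

# Network device list: NAS-IP-Address -> NAD profile assigned to the device.
NETWORK_DEVICES = {
    "10.0.0.1": "Cisco",
    "10.0.0.2": "VendorA",
    "10.0.0.3": "VendorB",
}


def detect_flow(request):
    """Return 'Wired_MAB', 'Wired_802.1X' or None for a RADIUS request,
    using the NAD profile of the device that sent it."""
    vendor = NETWORK_DEVICES.get(request.get("NAS-IP-Address"))
    if vendor is None:
        return None
    for flow, cond in NAD_PROFILES[vendor].items():
        if all(request.get(attr) == value for attr, value in cond.items()):
            return flow
    return None


# One vendor-neutral policy: rules name the flow, never the vendor.
POLICY = [
    ("Wired_802.1X", "PermitAccess"),
    ("Wired_MAB",    "Guest_Portal_Redirect"),
]


def authorize(request, default="DenyAccess"):
    flow = detect_flow(request)
    for rule_flow, profile in POLICY:
        if flow == rule_flow:
            return profile
    return default


# Constructed requests: the same MAB flow as three vendors express it.
MAB_REQUESTS = [
    {"NAS-IP-Address": "10.0.0.1", "Service-Type": "Call-Check", "NAS-Port-Type": "Ethernet"},
    {"NAS-IP-Address": "10.0.0.2", "Service-Type": "Login", "NAS-Port-Type": "Ethernet"},
    {"NAS-IP-Address": "10.0.0.3", "VendorB-Auth-Mode": "mac"},
]
```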
Current Vendor Test Results
Vendor            | Verified Series                  | Tested Model / Firmware                      | CoA | Profiler | Posture | Guest/BYOD
Aruba Wireless    | 7000, InstantAP                  | 7005-US/6.4.1.0                              | ✔   | ✔        | ✔       | ✔
Motorola Wireless | RFS 4000                         | Wing v5.5                                    | ✔   | ✔        | ✔       | ✔
HP Wireless       | 830 (H3C)                        | 8P/3507P35                                   | ✔   | ✔        | ✔       | ✔
HP Wired          | HP 5500 HI Switch Series (H3C)   | A5500-24G-4SFP HI/5.20.99                    | ✔   | ✖        | ✖       | ✖
HP Wired          | HP 3800 Switch Series (ProCurve) | 3800-24G-POE-2SFP (J9573A) KA.15.16.0006     | ✖   | ✖        | ✖       | ✖
Brocade Wired     | ICX 6610                         | 24/08.0.20aT7f3                              | ✔   | ✔        | ✖       | ✖
Ruckus Wireless   | ZD1200                           | 9.9.0.0 build 205                            | ✔   | ✔        | ✖       | ✖
Supported / validated use cases: Profiler requires CoA support; Posture and Guest/BYOD require CoA and URL-redirect support.
Additional 3rd party NAD support requires identification of the device’s properties/capabilities and creation of a custom NAD profile in ISE. A more detailed guide is to be published.
With ISE Easy Wired Access (EWA): simplify access management while staying secure
What’s new for ISE 2.0? The addition of Easy Wired Access (EWA) offers customers enhanced attachment of ISE security to wired ports and deployments.
Capabilities
• Active-session monitoring across both AD and network log-ins
• Session maintenance from wired MAB clients to NADs
• Directory notification publication via pxGrid
• Appointment of VLANs, dACLs, SGTs and more for users authorized via EWA
Benefits
• Increased visibility into active network sessions authenticated against AD
• Enhanced control with options for Monitoring-only Mode or Enforcement Mode
• Flexible deployment that doesn’t require a supplicant or PKI, allowing ISE to issue CoA for added security
Figure: access, security and complexity compared for three approaches: basic with whitelisting; better and flexible with ISE Easy Wired Access (identity mapping, monitor-only mode or enforcement mode); most secure with integrated 802.1X, supplicants and certificates. Flow shown: User 1 Active Directory login, User 1 network login, ISE publishes to pxGrid, Admin 1.
EWA, a secure alternative to whitelisting
What’s Easy About EWA?
• NO Supplicant required to implement this technology!
• NO PKI/cert requirements!
• Leverages existing AD logins to provide identity to network connections
• Visibility mode only needs RADIUS Accounting or Device Sensor on switch
• Enforcement mode requires only basic MAB config on switch
• AD lookups and authorization based on the AD login identity, without RADIUS authentication (802.1X, MAB, etc.), so it is more seamless and transparent to the client
• Simple integration with pxGrid for publishing session info related to Identity Mapping and EWA
• Seamless integration with TrustSec via ISE SXP for AD-authenticated sessions
What’s Not So Easy About EWA?
• Configuring AD domain controllers
– Each DC that services logins must be configured to allow WMI from ISE
– Patches, registry changes, DCOM updates and firewall rules must be verified
• Non-Windows/headless endpoints
– EWA is for Microsoft AD-joined computers, primarily Windows only
– EWA identity is based on the AD user login, not the AD machine login
– EWA and MAB authentication are mutually exclusive
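The identity mapping behind the two EWA slides above, as an added example that is not Cisco’s code: AD user-login events (what ISE learns from the domain controllers over WMI) are correlated by IP address with wired sessions learned from RADIUS accounting or MAB, machine logins are ignored as the slide states, and in monitor-only mode the mapping is only published while in enforcement mode the VLAN/dACL/SGT authorization is also returned as the CoA ISE would push. Events, addresses, group names and the group-to-profile table are constructed.

```python
# Added example (not Cisco's code): Easy Wired Access identity mapping in
# monitor-only and enforcement mode. All events and tables are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AdLogin:
    user: str
    ip: str
    kind: str          # "user" or "machine": EWA only uses user logins
    groups: tuple = ()


@dataclass
class WiredSession:
    mac: str
    ip: str
    nad: str
    identity: Optional[str] = None


AUTHZ_BY_GROUP = {   # constructed authorization profiles per AD group
    "Finance": {"VLAN": 20, "SGT": "Employee", "dACL": "PERMIT_ALL"},
    "Staff":   {"VLAN": 10, "SGT": "Employee", "dACL": "PERMIT_ALL"},
}


@dataclass
class Ewa:
    mode: str = "monitor"                           # "monitor" or "enforce"
    sessions: dict = field(default_factory=dict)    # ip -> WiredSession
    published: list = field(default_factory=list)   # mappings sent to pxGrid
    coa: list = field(default_factory=list)         # authorizations sent to NADs

    def accounting_start(self, mac, ip, nad):
        """Wired session learned from RADIUS accounting (or MAB)."""
        self.sessions[ip] = WiredSession(mac, ip, nad)

    def ad_login(self, ev):
        """Handle one domain-controller login event; returns the session
        that received an identity, or None when nothing could be mapped."""
        if ev.kind != "user":          # machine logins carry no EWA identity
            return None
        s = self.sessions.get(ev.ip)
        if s is None:                  # no wired session for this IP yet
            return None
        s.identity = ev.user
        self.published.append({"mac": s.mac, "ip": s.ip, "user": ev.user})
        if self.mode == "enforce":
            authz = next((AUTHZ_BY_GROUP[g] for g in ev.groups
                          if g in AUTHZ_BY_GROUP), None)
            if authz:                  # CoA carrying VLAN / dACL / SGT
                self.coa.append({"nad": s.nad, "mac": s.mac, **authz})
        return s
```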
Easy Wired Access Differentiator
Differentiator    | Major Technical Outcome                 | Major Business Outcome
Easy Wired Access | Deploying ISE w/o configuring endpoints | Shorter time to PoV; streamlined enterprise rollouts
Further points from the slide: passive login, FULL control (no 802.1X); non-intrusive; uses what’s already there (AD); full visibility/control w/o touching endpoints; faster, simpler deployments for software-defined segmentation.
Figure: Identity Services Engine receives AD logins from the Microsoft Active Directory domain controllers, derives user mappings from the AD logins, and distributes them via SXP to network access devices w/o 802.1X and the rest of the network.
Cisco ISE Base vs. Cisco ISE Express
                                  | Cisco ISE Base                                              | Cisco ISE Express
Features/Capabilities?            | Guest Access; RADIUS/AAA                                    | Same
High availability                 | YES                                                         | NO
Platform included with licensing? | NO: purchase HW or VM and licensing                         | YES: bundle includes one (1) ISE VM + 150 licenses
List price?                       | $6,990 US (ISE VM: $5,990 + Base: $1,000, for 200 licenses) | $2,500 US
Cisco ISE Express: Enterprise Guest for Less
Easy, affordable guest services now available: an entry-level bundle for the market-leading Cisco ISE.
The Offer: one (1) ISE VM (5,000 active licensed endpoints) with ISE Base licenses for 150 endpoints* for a single-site deployment (non-distributed, no high availability)
The Features: Guest, RADIUS/AAA, unlimited custom portals with ISE Portal Builder; easy installation guide
The Price: $2,500 US
*SKU upgrade planned so the VM can be used for up to 10,000 endpoints and in high-availability and distributed deployments.
What’s New: ISE Express Installation Wizard
• Free, downloadable application
• Simplifies ISE and wireless controller installation
• Provisions Hotspot, Self-Registered or Sponsor services
• Modifies guest portals with logo and colors
• Go to ISE Cisco Software Download on CCO
Tech updates and Webinar - DK
http://www.cisco.com/web/DK/learn_events/seminarkalender2016.html