August 20, 2019
Exploring Key Features of Cisco ISE Release 2.6
The latest version of this cybersecurity tool offers unique device identification and an IoT protocol.
In February 2019, Cisco released version 2.6 of Identity Services Engine (ISE). Although v.2.6 supports a direct upgrade from ISE releases 2.1 to 2.4, organizations should ensure their ISE deployment is on the latest patch level for its version number before upgrading.
First, What Happened to ISE v.2.5?
You might have noticed that Cisco skipped over v.2.5 and went directly to v.2.6. Cisco plans for v.2.6 to be a long-term release (LTR) of the ISE software. LTRs are usually indicated by even numbers in Cisco’s numbering scheme. An advantage of an LTR is that it has an extended support period, typically four years. Learn more about ISE version numbers in the Cisco Identity Services Engine Software Release Lifecycle Product Bulletin, or keep reading to explore key features found in v.2.6.
Unique Device Identification for Open Seating Environments
Today, many offices have shared Ethernet devices such as dongles and docking stations. These devices make it harder to identify individual users through traditional methods, such as by MAC address alone. Cisco has added a feature that lets the workstation itself be assigned a unique device ID (UDID). The UDID feature allows the user and device to be identified even when using shared Ethernet connectors. Taking advantage of this feature requires that the workstation have the AnyConnect 4.7 client deployed and that ISE be licensed at the Apex level.
Increased Identification of IoT Devices
In ISE v.2.6, Cisco added support for Manufacturer Usage Description (MUD), an open protocol documented in RFC 8520 that enables devices to describe more about themselves. The MUD protocol is designed to be used with Internet of Things devices, allowing for more visibility into the function of a device. This functionality will improve ISE’s ability to profile IoT devices connected to the network and is included in the Basic license level. The following devices support sending MUD data to Cisco ISE:
- Cisco Catalyst 3850 Series switches running Cisco IOS XE version 16.9.1 and 16.9.2
- Cisco Catalyst Digital Building Series switches running Cisco IOS version 15.2(6)E2
- Cisco Industrial Ethernet 4000 Series switches running Cisco IOS version 15.2(6)E2
- IoT devices with embedded MUD functionality
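To make "devices describe more about themselves" concrete, the following added example (not code from Cisco or from this post) parses a MUD file in the JSON layout defined by RFC 8520, checks a few of the RFC's constraints, and lists the flows the manufacturer declares. The sample file, its hostnames and the function name summarize_mud are constructed for illustration and do not represent how ISE processes MUD data.

```python
import json
from urllib.parse import urlparse

# Constructed sample MUD file (layout follows RFC 8520; all values are made up).
# The "to-v4" ACL is deliberately left undefined to exercise the reference check.
SAMPLE_MUD = json.loads("""
{"ietf-mud:mud": {
   "mud-version": 1, "mud-url": "https://iot.example.com/sensor1.json",
   "last-update": "2019-02-01T10:00:00+00:00",
   "cache-validity": 48, "is-supported": true,
   "systeminfo": "Example temperature sensor",
   "from-device-policy": {"access-lists": {"access-list": [{"name": "from-v4"}]}},
   "to-device-policy": {"access-lists": {"access-list": [{"name": "to-v4"}]}}},
 "ietf-access-control-list:acls": {"acl": [
   {"name": "from-v4", "type": "ipv4-acl-type", "aces": {"ace": [
     {"name": "cloud-out",
      "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.example.com", "protocol": 6},
                  "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
      "actions": {"forwarding": "accept"}}]}}]}}
""")

def summarize_mud(doc):
    """Return (summary, problems) for a parsed MUD file (hypothetical helper)."""
    mud = doc.get("ietf-mud:mud", {})
    acls = {a["name"]: a for a in doc.get("ietf-access-control-list:acls", {}).get("acl", [])}
    problems = []
    if mud.get("mud-version") != 1:
        problems.append("unsupported mud-version")
    if urlparse(mud.get("mud-url", "")).scheme != "https":
        problems.append("mud-url is not https")          # RFC 8520 requires https
    if not 1 <= mud.get("cache-validity", 48) <= 168:    # hours, default 48
        problems.append("cache-validity outside 1..168 hours")
    flows = []
    for direction in ("from-device-policy", "to-device-policy"):
        refs = mud.get(direction, {}).get("access-lists", {}).get("access-list", [])
        for ref in refs:
            acl = acls.get(ref["name"])
            if acl is None:  # policy points at an ACL the file never defines
                problems.append(f"{direction} references missing ACL {ref['name']}")
                continue
            for ace in acl["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                l4 = m.get("tcp") or m.get("udp") or {}
                port = (l4.get("destination-port") or l4.get("source-port") or {}).get("port")
                flows.append((direction, peer, port, ace["actions"]["forwarding"]))
    return {"systeminfo": mud.get("systeminfo"), "flows": flows}, problems
```

For the constructed sample, the summary shows one declared flow (TCP 443 to api.example.com) and the problems list flags the to-device policy that references an ACL missing from the file.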
New High-Performance SNS 3600 Series Appliances
In conjunction with the v.2.6 release, Cisco announced a new revision of the Secure Network Server (SNS) appliance, which is the set of hardware that ISE can be deployed on. The new 3600 series appliances move to the newer revision of the Cisco UCS C220 platform and replace the 3500 series appliances for new installations. The scaling numbers for the appliances have not changed with the new hardware. At the time of release, the new hardware was supported only in v.2.6 of the ISE software. Detailed hardware specifications can be found in the Cisco Secure Network Server Data Sheet, and end-of-life dates for the 3500 series revision are also available.
Preparing for an Upgrade
There are a lot of other great features in v.2.6 on top of what I have discussed here. For more information, visit the following links:
As with any new version of software, there are many considerations to sort through before upgrading. CDW offers many services to assist our customers in moving to the best version of the software for their environments. And if you are looking for some insights into ISE deployment, check out my colleague Paul Haferman’s blog post, What to Consider When Implementing a Cisco ISE Solution.