
Cisco ISE 1.3 What's New Preview


Christopher Heffner, CCIE #8211
SAMPG Technical Marketing Engineer
August 14, 2014

Forward-Looking Statements
Many of the products and features described herein
remain in varying stages of development and will be
offered on a when-and-if-available basis.
This roadmap is subject to change at the sole
discretion of Cisco, and Cisco will have no liability for
delay in the delivery or failure to deliver any of the
products or features set forth in this document.

2013-2014 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Delivering the Visibility and Control for Secure Network Access

Diagram: network and partner context data (who, what, where, when, how) feed Cisco ISE, which applies a consistent secure access policy.

Cisco ISE is the Market Leader

Cisco ISE is Core to Cisco Security


Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Product families placed across the continuum: Firewall, VPN, NGIPS, NGFW, UTM, Web + Email Security, NAC + Identity Services, Advanced Malware Protection, Network Behavior Analysis, pxGrid + ISE Ecosystem

ISE Provides Visibility, Context, and Control Across the Entire Continuum

ISE Provides ONE Policy for Unified Access

CISCO UNIFIED ACCESS
ONE NETWORK: Integrated Wired and Wireless in ONE Physical Infrastructure, with ONE Operating System & Open APIs
ONE MANAGEMENT: Single Pane of Glass Management with Cisco Prime
ONE POLICY: Simplified, Unified Policy Management with Cisco ISE

Why Cisco ISE?

Cisco ISE Provides Comprehensive, Unified Policy Management and Enforcement to Ensure Secure Wired, Wireless, and VPN Access

Visibility Driven: Accurately identify and assess network users & devices
Access Control: Grant/limit access to align with appropriate business policy
Threat Focused: Minimize the spread of network threats & the impact of data breaches

The Different Ways Customers Use ISE


Guest Access Management

Easily provide guests limited-time, limited-resource Internet access

BYOD and Enterprise Mobility

Seamlessly & securely onboard devices with the right levels of access

Secure Access across the Entire Network

Simplify & unify enterprise network access policy across wired, wireless, & VPN

With Cisco TrustSec

Identity-aware Network Segmentation and Access Policy Enforcement

ISE 1.3 Priorities

User Experience
All New Guest Experience
Introducing Admin Work Centers
BYOD & Certificate Management Made Easy

Simplified Integration
Multi-Forest Active Directory
Streamlined VPN
AnyConnect Unified Agent

Context and Speed
Streamlined Threat Defense
Streamlined Operation with new REST APIs
Serviceability Enhancements


User Experience
All New Guest Experience
Introducing Admin Work Centers
BYOD & Certificate Management
Made Easy


Simplifying Enterprise Mobility with ISE 1.3

Reducing the Complexity of Managing BYOD and Device Onboarding


IMPROVED DEVICE RECOGNITION:
Superior, market-leading profiling technology and feed service reduces unknown devices to less than 1%

BRANDED EXPERIENCES:
For guests, employees, and administrators across your pages, including banners and advertising

OUT-OF-THE-BOX ONBOARDING:
Accelerates user productivity through simplified device onboarding and easy, self-service device management

STREAMLINED PERSONAL DEVICE PORTAL:
Gives end-users control over managing all of their devices from just one easy-to-use self-service portal

Desktop & Mobile Ready!

Basic Supported Guest Flows

1. Hotspot
2. Self Service
3. Self Service Sponsor Approved
4. Sponsored

Hotspot
Guest Flow #1

Diagram: the guest is shown the Acceptable Use Policy ("I promise to be good."), clicks I Agree, and the endpoint is recorded by MAC address (44:6D:77:B4:FD:01) so it is recognized again after the day ends.

Goal: Get them on the Internet with AUP acceptance no matter who they are and remember who they are next time so you don't get in their way.

Acceptable Use Policy

AUP (placeholder text shown on the slide's AUP page):

The primary purpose of a website disclaimer is to limit or attempt to limit the liabilities that a website owner or publisher may suffer arising out of the website. Examples of the kinds of liability that we publishers must contend with include libel/defamation, copyright infringement and breach of privacy. Most legal systems strictly control the effects of limitations and exclusions of liability. For this reason you should take local legal advice if you believe you may have to rely upon the limits of liability in our free website disclaimer document.

Secret Code Controls Access to Guest Wi-Fi

Registration code: require the user to enter a code before completing a self service registration.
Access code: require the user to enter a code before accessing a hotspot or logging in using guest credentials.

Secret code used in the slide's example: chemist

Hotspot Example Portal


Self Service with Email Verification
Guest Flow #2

Fill In A Simple Form, Check Your Email, Connect to Wi-Fi

Example credentials shown in the slide: hansolo / nerfherder

Self Service with SMS
Guest Flow #2

Diagram: self-service flow with the SMS-related steps marked optional.

Goal: Get them on the Internet as long as you have a 3rd party identifier that proves who the user is.

Self Registration with Sponsored Approval
Guest Flow #3

1. The guest self-registers ("Visiting email?") and ISE sends an email to the sponsor requesting approval.
2. The sponsor logs into the Sponsor Portal and approves or rejects the request.
3. Approved! The guest receives credentials (example in the slide: username trex42, password littlearms).

Approving Self Registration Requests

Screenshots: desktop and mobile views of the sponsor approval page.

Sponsored Flow
Guest Flow #4

Guest: "Hi! Can I get on your Wi-Fi?"
Sponsor: "Sure. I just need a little information."
Sponsor: "Print, email & SMS credentials."
Guest: "Cool!"

Create a Guest Account Sponsor Desktop


Create a Guest Account Sponsor Desktop

Once the sponsor clicks Create the account is created! They are then presented with the guest info and have the option to notify the guest. The sponsor can then click Notify and choose to deliver credentials via branded printout, email, and/or SMS.

Pre-Expiration Notification

Notification text in the slide: "You are about to expire! Go here. http://bit.ly/reup"

Screenshots: desktop and mobile.

The All New Guest Administration

A Guest Button
With our new navigation, getting to the Guest admin has never been easier.

One Stop Setup
Once you're there, all the pieces you need are accessed in one place.

Prepackaged Flows
Ships with the default flows used by 90% of our customers: Hotspot, Self-Service (with or without approval), & Sponsored.

Guest Flow Settings Made Easy

Admin Friendly
Through extensive user research we've made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.

End User Visibility
Ever wonder how changing a setting will affect your guests? ISE makes the end user experience crystal clear as it updates the guest flow diagram in real time with each settings change.

Simple Customization of Guest Pages

Themes!
Themes give you complete control over the look and feel of your guest pages. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.

Full Page Control
Use our defaults or customize every field in multiple languages.

Live Preview
See your pages as the guests will see them as you customize.

Sponsoring Guests - Made Easy for Employees

Branding with Themes!
Themes give you complete control over the look and feel of your sponsor Portal.

Streamlined Guest Creation
Set up your sponsor portal to show only the fields you need for your business.

Mobile Sponsors
You are free to move about the cabin! Create a guest account on the fly from your smartphone / tablet away from your desk.

Create Accounts: Print, Email, SMS

Where can I send Guests after they connect?

1. The page they tried to reach. Example: google.com
2. A predefined URL such as the company page.
3. A custom ISE Success Page.

What happens when a Guest exceeds their device limit?

Screenshot: the portal page shown when the device limit is exceeded.

Walk Through BYOD Onboarding

Out of the box flow walks users through onboarding.
Fully customizable user experience with Themes.
My Devices gives end users control to add and manage their devices.
Mobile and desktop ready out of the box.

Java-Less Provisioning

Downloads as DMG
Double-Click to Run App

ISE 1.3: Internal Certificate Authority
Simplifying certificate management for BYOD devices

Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure. The ISE Certificate Authority is designed to work in concert as a self contained solution or with your existing Enterprise PKI to simplify BYOD deployments.

Diagram: optional Enterprise Root above the Cisco ISE Certificate Authority, which runs self contained or as an optional subordinate.

Single Management Console: Manage endpoints and their certs. Delete an endpoint and ISE deletes the cert.
Simplified deployment: Supports stand alone and subordinate deployments. Removes the corporate PKI team from every BYOD interaction.

*Designed for BYOD and MDM use-cases only, not a general purpose CA

Simplified Integration
Multi-Forest Active Directory
Streamlined VPN
AnyConnect Unified Agent


MultiForest Active Directory Support

ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises.

Support for 50 concurrent Active Directory join points
No need for 2-way trust relationship between domains
Advanced algorithms for dealing with identical usernames.

Diagram: ISE joined to example-1.com, example-2.com through example-n.com.

Cisco ISE Posture Agents

Cisco NAC Agent
Cisco AnyConnect 4.0

AnyConnect 4.0 ISE Posture

An ISE posture AnyConnect module
Integration with the AC end-user experience (single posture tile for ISE and ASA posture)
Including an AC ISE posture module profile editor
Coexistence with NAC Agent for ease of migration
Further strengthened by ISE 1.3 Posture Lease functionality
AC deployment from ISE
Windows and OS X support
This will help existing ISE and NAC Appliance customers
Monthly compliance module updates
Same as today with the NAC Agent

Context and Speed


Streamlined Threat Defense
Streamlined Operation
with new REST APIs
Serviceability Enhancements


Integrating One System to One Other System

TRADITIONAL APIs: One Integration at a Time. Not the solution.

Diagram: many systems (SIO, MDM, NetFlow, NBAR, firewall logs, app inventory, location, identity & device-type) each announce what they have ("I have reputation info!", "I have sec events!", "I have NetFlow!", "I have threat data!", "I have MDM info!", "I have application info!") and what they need ("I need identity", "I need reputation", "I need location & auth-group", "I need posture", "I need app inventory & vulnerability"). We need to interface systems and share data.

Single-purpose function = need for many APIs/dev (and lots of testing)
Proprietary APIs aren't configurable for entitlement = too much/little info
Pre-defined data exchange = wait until next release if you need a change
Polling architecture = can't scale beyond 1 or 2 system integrations
Security can be loose

Enabling the Potential of Network-Wide Context Sharing

Diagram: SIO and partner platforms connect through pxGrid Context Sharing, a single, scalable framework with direct, secured interfaces: infrastructure for a robust ecosystem.

Single framework: develop once, instead of multiple APIs
Customize and secure what context gets shared and with which platforms
Bi-directional: share and consume context
Enables any pxGrid partner to share with any other pxGrid partner
Integrating with Cisco ONE SDN for broad network control functions

The Next Wave of Cisco pxGrid Partnerships
Sharing Context with an Even Broader Ecosystem

Faster Remediation of Threats with SIEM
Extension of Access Policy & Compliance with MDM
Context-driven OT Policy and Segmentation for IoT
Endpoint Vulnerability Remediation
Simplified Network Troubleshooting and Forensics
SSO Secure Access to Sensitive Data on Mobile Devices

SIEM/Threat Defense Integration Using pxGrid: With NetIQ and/or Lancope

Use Case: Identity and device aware threat management

Increase confidence around event severity levels in SIEMs and TD consoles; make events actionable in the network. SIEM/TD share worst offenders with ISE for user/device policy decisions.

Diagram:
SIEM/TD Platform policy: Detect sensitive data access on mobile devices; quarantine such users (Data: Sensitive Data; Type: Mobile Device)
Cisco ISE shares context with the SIEM: USER : DEVICE TYPE : CONN STATUS
ISE quarantines/remediates the user/traffic

ISE REST APIs

Internal ISE User API: Create and manage ISE users programmatically.
Session Directory API: Access to all the details for a given MAC or IP address.
Endpoints API: Input new endpoints and assign them to groups. Ex. add corporate printers
Guest API: Create and manage Guest accounts.
NAD/NDG (Network access device & network device group) API: Add and manage access control network devices configured within ISE. Ex. teleworker devices
Bulk Operation Support for Internal User, Endpoint, NAD and Guest APIs
Extended EPS API: manage Endpoint Protection
pxGrid: Enabling the potential of network wide context sharing.

Serviceability Enhancements

Tree View
Live Log / Live Session Filters
Debug Endpoint
Export Policy in XML
Bypass Suppression per Endpoint
Right-Click Copy / Bypass / Details
Filtered Support Bundle
Endpoint Purge

Tree View

Screenshot: policy tree view with AuthC Protocols and Identity Store columns.

Live Log / Live Session Filters

Regex in Filters

Right Click in Live Log & Live Sessions

Debug Endpoint

Creates a debug file of all activity for all services related to that specific endpoint.
Executed and stored per PSN.
Can be downloaded as separate files per PSN, or merged as a single file.

Export Policy in XML

Quick Link Access

Example (screenshot of an exported policy in XML)

Bypass Suppression per Endpoint

Disabling event suppression per identity context is added functionality of the Collection Filter, located under Administration > Logging > Collection Filter.

Duration is only relevant for a bypass suppression filter and will not appear under any other filter type. The duration range is between 5 and 480 minutes (8 hours); the default value is 60 minutes.

Bypass Suppression Right Click

A bypass suppression collection filter can also be created by right clicking an identity in the M&T logs.

Modify collection filters: If a bypass suppression collection filter already exists with the selected user as its value, the page is redirected to the edit page of the existing collection filter. If such a collection filter does not exist, the page is redirected to an edit page of a new bypass suppression collection filter with the selected user as its value.

Bypass Suppression Filtering for 1 hour: creates a bypass suppression collection filter with the selected user as its value with a duration of 60 minutes (no redirection will occur).
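The suppression and bypass behaviour described on the last two slides, plus the regex Live Log filter, as an added example (a constructed model, not ISE code): repeated identical outcomes for one identity and MAC are dropped from the log, a bypass suppression filter keyed on an identity disables that for a bounded 5 to 480 minute window, and a regex can then be run over the identity column. The suppression rule (first of a run kept) and the sample events are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Duration limits for a bypass suppression collection filter (from the slide).
BYPASS_MIN_MINUTES, BYPASS_MAX_MINUTES, BYPASS_DEFAULT_MINUTES = 5, 480, 60
MAC = "44:6D:77:B4:FD:01"   # endpoint MAC reused from the hotspot slide

@dataclass
class AuthEvent:
    ts: datetime
    identity: str
    mac: str
    result: str      # "PASSED" or "FAILED"
    message: str     # failure reason or success detail

@dataclass
class CollectionFilters:
    bypass: dict = field(default_factory=dict)   # identity -> bypass expiry time

    def add_bypass(self, identity, now, minutes=BYPASS_DEFAULT_MINUTES):
        # Bypass filters are bounded in time so suppression comes back on by itself.
        if not BYPASS_MIN_MINUTES <= minutes <= BYPASS_MAX_MINUTES:
            raise ValueError("bypass duration must be between 5 and 480 minutes")
        self.bypass[identity] = now + timedelta(minutes=minutes)

    def bypass_active(self, identity, at):
        expiry = self.bypass.get(identity)
        return expiry is not None and at < expiry

def collect(events, filters):
    """Events that reach the live log: a repeat of the previous outcome for the same
    identity and MAC is suppressed unless that identity has an active bypass filter."""
    kept, last = [], {}
    for ev in events:
        key, outcome = (ev.identity, ev.mac), (ev.result, ev.message)
        if last.get(key) == outcome and not filters.bypass_active(ev.identity, ev.ts):
            continue
        last[key] = outcome
        kept.append(ev)
    return kept

def live_log_filter(events, pattern):
    """Regex over the identity column, as the Live Log filter permits."""
    return [ev for ev in events if re.search(pattern, ev.identity)]

# Constructed sample: three identical failures for jsmith, a success, then two
# identical successes for adoe. Without a bypass only the first of each run is kept.
T0 = datetime(2014, 8, 14, 9, 0)
SAMPLE_EVENTS = [AuthEvent(T0 + timedelta(minutes=m), who, mac, res, msg) for m, who, mac, res, msg in [
    (0, "jsmith", MAC, "FAILED", "wrong password"), (1, "jsmith", MAC, "FAILED", "wrong password"),
    (2, "jsmith", MAC, "FAILED", "wrong password"), (3, "jsmith", MAC, "PASSED", "auth ok"),
    (4, "adoe", "00:00:5E:00:53:10", "PASSED", "auth ok"), (5, "adoe", "00:00:5E:00:53:10", "PASSED", "auth ok")]]

def run_example(bypass_identity=None, minutes=BYPASS_DEFAULT_MINUTES):
    """Collect the sample, optionally after creating a bypass filter for one identity at T0."""
    filters = CollectionFilters()
    if bypass_identity:
        filters.add_bypass(bypass_identity, T0, minutes)
    return collect(SAMPLE_EVENTS, filters)
```

A 5 minute bypass for adoe created at T0 has already expired when the repeat arrives at T0 + 5 minutes, so that event is still suppressed; this is the case to check when an investigation seems to be missing events.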


Filtered Support Bundle

Support Bundle Options: Date Filter

Endpoint Purging

Matching Conditions
Purge by:
  # Days After Creation
  # Days Inactive
  Specified Date

On Demand Purge
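The three purge criteria above, worked as an added example (a constructed model, not ISE code): rules combine a matching condition with one purge-by criterion and are evaluated against endpoint records on a given day, which is also what an on-demand purge would act on. The use of endpoint identity group as the matching condition, the reading of "specified date" as "purge once that date is reached", and the sample endpoints are assumptions.

```python
from dataclasses import dataclass
from datetime import date

DAYS_AFTER_CREATION, DAYS_INACTIVE, SPECIFIED_DATE = "days_after_creation", "days_inactive", "specified_date"

@dataclass(frozen=True)
class Endpoint:
    mac: str
    group: str          # endpoint identity group, e.g. GuestEndpoints
    created: date
    last_seen: date

@dataclass(frozen=True)
class PurgeRule:
    group: str          # matching condition (assumed here: endpoint identity group)
    purge_by: str       # one of the three criteria on the slide
    value: object       # number of days, or a date for SPECIFIED_DATE

    def matches(self, ep, today):
        if ep.group != self.group:
            return False
        if self.purge_by == DAYS_AFTER_CREATION:
            return (today - ep.created).days >= self.value
        if self.purge_by == DAYS_INACTIVE:
            return (today - ep.last_seen).days >= self.value
        if self.purge_by == SPECIFIED_DATE:
            return today >= self.value   # assumed: purge once the date is reached
        raise ValueError("unknown purge criterion: %r" % self.purge_by)

def select_for_purge(endpoints, rules, today):
    """MACs matched by any rule: what a scheduled or on-demand purge would delete."""
    return sorted(ep.mac for ep in endpoints if any(r.matches(ep, today) for r in rules))

# Constructed sample: documentation MAC range 00:00:5E:00:53:xx, dates relative to
# the presentation date.
TODAY = date(2014, 8, 14)
ENDPOINTS = [
    Endpoint("00:00:5E:00:53:01", "GuestEndpoints", date(2014, 7, 1), date(2014, 7, 3)),
    Endpoint("00:00:5E:00:53:02", "GuestEndpoints", date(2014, 8, 10), date(2014, 8, 13)),
    Endpoint("00:00:5E:00:53:03", "Printers", date(2014, 1, 1), date(2014, 5, 1)),
    Endpoint("00:00:5E:00:53:04", "Printers", date(2014, 1, 1), date(2014, 8, 14)),
    Endpoint("00:00:5E:00:53:05", "Contractors", date(2014, 6, 1), date(2014, 8, 14)),
]
RULES = [
    PurgeRule("GuestEndpoints", DAYS_AFTER_CREATION, 30),        # guests: 30 days after creation
    PurgeRule("Printers", DAYS_INACTIVE, 90),                    # printers: only if silent 90 days
    PurgeRule("Contractors", SPECIFIED_DATE, date(2014, 8, 1)),  # contract end date
]

def run_example(today=TODAY):
    return select_for_purge(ENDPOINTS, RULES, today)
```

Running the same rules on an earlier date selects nothing, which is the point of checking a purge policy against a calendar before scheduling it.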

Questions?

Thank You!