We’ve been waiting patiently for Cisco ISE 1.2 to be released, and it’s finally here! This is a major ISE update from Cisco, and there are significant changes in this release that you’re going to want to know about. Let’s discuss a few.
New Simplified Upgrade Process
Prior to ISE 1.2, upgrading from ISE 1.1 was a little slow and time-consuming. In the latest release, this process has been eased a bit. The database on each PSN is no longer upgraded as part of the process, and we no longer need to deregister each PSN as part of the upgrade.
New and Improved Replication Model
In ISE 1.1, incremental replication between ISE nodes, particularly over a WAN, took a long time. In fact, some really bad things could happen if a replication connection was broken in the middle of a full sync – like crossing-the-streams bad. This is in addition to a whole slew of inefficiencies in 1.1 related to replication, such as debugging requiring root access, high CPU usage with large databases, and purging of data when replication stopped (which took a freakishly long time). And the biggie: the replication model simply was not flexible enough for many distributed customer environments.
In 1.1, we had all kinds of back-and-forth checking of state and changes between the administration and services nodes. Think ping pong at a protocol level. In a high-latency environment, this replication model didn’t work well.
With ISE 1.2 replication, Cisco has introduced a Message-Based Publisher/Subscriber Model, which is not affected by latency. It’s essentially similar to an RSS feed, where the services nodes join an administration subscription to receive state and change information. The other really cool thing about this is that changes can be processed in parallel – this is a very big deal.
In ISE 1.1, ISE would push each change out through a queuing system. Each change had to complete before the next change could be processed. Hence, changes would start stacking up in the queue, which in turn drove up CPU usage on the node and ultimately caused all kinds of interesting things to happen. This is a serial replication model. Couple this with constant state and change checking between the nodes, and it’s a recipe for approaching distributed deployments with a high degree of caution.
Moving to a parallel replication model will likely remove the barrier to distributed ISE deployments and significantly increase the performance of existing ISE implementations.
Mobile Device Management (MDM) Integration
For folks that have an existing MDM solution and want to leverage the value of the MDM and ISE solutions together, you’re in luck. Cisco has introduced the capability to integrate directly with MobileIron, AirWatch, and others.
The integration is bi-directional. ISE can check the MDM solution to see if the device is managed, compliant, and/or has the right apps running on it. This is essentially a form of posturing for mobile devices: ISE is simply checking the MDM system for the information and using it as part of its decision-making process.
Want to stop jailbroken devices from jumping on the network? No problem. Want only managed devices to access the Data Center? Piece of cake. Need to deploy a certificate as part of the on-boarding process with MDM? Get it done. Want to limit Angry Birds from taking over the company? Good luck.
ISE 1.2 can also initiate actions on the supported MDM solution, albeit in a limited way. When you inevitably need to issue a full or limited wipe, or a PIN lock, for a specific device, the capability is there.
Supported MDM vendors in the ISE 1.2 release are MobileIron, AirWatch, Good, MaaS 360, SAP Afaria, and Zenprise. See here for more information.
Search and Session Trace Tool
For whatever reason, ISE 1.1 really didn’t have a search function, and it seemed mildly difficult to find some really interesting information. It had magnifying glasses everywhere, but they didn’t do much. Now they do.
Want to find an iPad? Maybe a Droid? Wondering who has what, where, and using what policy? Type it in. Simply searching for ‘ipad’ will list all known iPads, the user, the MAC, and every other tidbit of information ISE has learned (connection status, policy, group membership, etc.). It’s very valuable and very helpful.
New Hardware (UCS Based Appliance)
Cisco has also recently introduced ISE on UCS appliances. Prior to this release, ISE could be purchased on three different-sized (non-UCS) appliance platforms. These were the same appliances used to host Cisco NAC and ACS. Now, there are only two platforms available: SNS-3415-K9 and SNS-3495-K9.
It’s probably no surprise to see Cisco move to their own compute platform to run Cisco ISE. The UCS platforms offer a huge performance increase over the previous generation’s appliances and fit squarely into Cisco’s Data Center strategy. However, it may be a bit surprising to see that Cisco has already issued EoL/EoS notices for the 33×5 series platforms. Cisco will continue to support the 33×5 platforms for the lifecycle of the product and will continue to develop ISE images that support this appliance. For all new customers, or customers that are upgrading, the UCS platforms are the right choice.
External RESTful Services (ERS) API
Like to get creative with scripting? With ISE 1.2 you’ll have mostly full API support to solve more interesting problems. For example, as part of a desktop imaging process, the script used to kick off the image could also call the ISE API to add the MAC address to the identity group that is allowed to reach the imaging server, essentially automating the whitelisting of a device during the imaging process.
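As an added illustration of that imaging use case (this is not code from the post or from Cisco), here is a Python script that places a workstation’s MAC into an endpoint identity group through ERS. It assumes the ERS conventions documented for later ISE releases (TCP port 9060, the /ers/config/endpoint resource, and an ERSEndPoint JSON body); the host, account and group id are placeholders to replace.

```python
"""Added example: put a workstation's MAC into an ISE endpoint identity group over ERS
so it can reach the imaging server. Assumptions (from later ERS docs, not this post):
ERS listens on TCP 9060, the resource is /ers/config/endpoint, and the body is an
ERSEndPoint object. Host, credentials and group id below are placeholders."""
import base64
import json
import re
import ssl
import urllib.request


def normalize_mac(mac: str) -> str:
    """Accept 00-1a-2b-3c-4d-5e / 001a.2b3c.4d5e / 00:1a:..., return AA:BB:CC:DD:EE:FF."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    hexs = re.sub(r"[:.\-]", "", mac).upper()
    if len(hexs) != 12:
        raise ValueError(f"MAC must have 12 hex digits: {mac!r}")
    return ":".join(hexs[i:i + 2] for i in range(0, 12, 2))


def endpoint_payload(mac: str, group_id: str) -> dict:
    """ERSEndPoint body; staticGroupAssignment pins the group so profiling cannot move it."""
    clean = normalize_mac(mac)
    return {"ERSEndPoint": {"name": clean, "mac": clean,
                            "description": "imaging in progress",
                            "groupId": group_id, "staticGroupAssignment": True}}


def _https_send(req):
    ctx = ssl.create_default_context()  # verify the ISE admin certificate, never disable
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status, resp.read()


def whitelist_for_imaging(host, user, password, mac, group_id, transport=_https_send):
    """POST the endpoint and return the HTTP status (201 on success). `transport` is
    injectable so the request can be inspected without a live ISE node."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:9060/ers/config/endpoint",
        data=json.dumps(endpoint_payload(mac, group_id)).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST")
    status, _body = transport(req)
    if status != 201:
        raise RuntimeError(f"ERS returned HTTP {status} while adding {mac}")
    return status


if __name__ == "__main__":  # placeholders: replace with the real node, account and group id
    print(whitelist_for_imaging("ise-admin.example.internal", "ers-admin", "CHANGE_ME",
                                "00-1a-2b-3c-4d-5e", "IMAGING-GROUP-ID-PLACEHOLDER"))
```

Because a MAC is trivially spoofable, the imaging group should grant reachability to the imaging server only, and the same script should move the endpoint back out of that group once imaging completes.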
Other really cool stuff includes a dACL Checker, mobile support for the Guest Portal, and a Live Session Log. Much of this is covered in the release notes.
So are you excited for this new Cisco ISE 1.2 release? Leave a comment below on what new feature you’re most excited about.