Cisco Identity Services Engine (ISE) v2.4

Cisco Identity Services Engine v2.4 was released last week, bringing a number of changes to the platform.  The biggest changes to be aware of are:

VM Hosts are now licensed.

Previously the number of VM hosts deployed within a cluster wasn’t controlled.  Sure, Cisco asked you to buy a SKU for each VM ISE, but it wasn’t enforced by the application until now.  With ISE v2.4, each ISE VM requires its own licenses and the licenses are specific to the size of the VM(s) you have deployed:

Small (<=16GB RAM, <=6 Cores)
Medium (16-64GB RAM, 7-8 Cores)
Large (>64GB RAM, >8 Cores)

If you’re planning an upgrade to v2.4 from an earlier release and you bought the proper VM SKUs, e-mail ise-vm-license@cisco.com with your order numbers and they’ll send you the licenses you need.  If you didn’t buy the correct VM SKUs, you’ll need to buy them from your Cisco partner first.

TACACS+ licensing change

Prior to v2.4, TACACS+ was a cluster-wide, on/off feature… you either had TACACS+ enabled or you didn’t.  From ISE v2.4 onwards, TACACS+ is licensed per PSN that you enable TACACS+ on.

Larger VM MNT

A new ‘Large’ (huge!) VM appliance is available, specifically for the MNT role, significantly improving performance when it comes to the Live Log and Reporting.

Other enhancements

ISE v2.4 also brings a number of small enhancements:

  • Enhanced IPv6 support – Network Devices can now be defined with IPv4 and/or IPv6 addresses
  • Posture enhancements – Addition of a Grace Period and various enhancements to AnyConnect Posture module behaviour
  • Various TrustSec & pxGrid enhancements
  • ISE can now pull data from Cisco Industrial Network Director (Cisco IND)
  • Improvements to the profiler database

Personal view

There are some nice new features added in v2.4, particularly for those using Posture Assessment and those with larger estates, but I’d wait until the first Maintenance Patch or two have been released before deploying it into a production environment.  If you can’t wait that long, do at least run it in a lab first and check it’s all fine, and make sure you have a rollback plan in case there are any issues with it.

Further reading

Cisco ISE v2.4 Release Notes
Cisco ISE v2.4 Order Guide
