What's New in ISE 3.0 Webinar

Captions
Rigo: Hello everyone, good morning and good afternoon. Thank you so much for joining us today. My name is Rigo Villa, community manager on the Cisco Learning Network, and I'll be your host for this webinar. In today's session we will be covering What's New in ISE 3.0 with our presenter, Thomas Howard. But before we get this presentation underway, I wanted to share a couple of quick housekeeping notes. First, I do want to let our attendees know that our presenters are currently working from home, so if you run into any technical issues during the live webinar, we'll do our very best to resolve it as soon as possible, so we just want to thank you in advance for your patience and understanding. Next, if you have any questions during the session, we ask you to please post them in the question and answer panel, as that will help our panelists keep track of all of your questions and will also allow them to provide you with a much more timely response. Also, if you experience any audio issues during the live presentation, I do recommend using the call-in telephone number that I will be posting in the chat window here shortly. Also, at the end of this webinar you will get a pop-up survey with a couple of questions about today's presentation, and we would really appreciate it if you could just take a moment to fill it out and share with us any thoughts or feedback that you may have. I also want to let our attendees know that this session will be recorded and will be available for on-demand viewing within about five business days after today, and I'll be sure to post some more information on that in the chat window a little bit later on. And last but not least, we will be launching some poll questions throughout this presentation. When we are ready to launch one of these polls we'll announce it live, and then you will see it pop up on your webinar event screen, and that's when you'll have an opportunity to submit your answers. So we hope that you all can participate, and now I'm going to go
ahead and turn it over to our presenter to get us started. So Thomas, if you're ready, please take it away.

Thomas: Thank you, Rigo. Ah, my mouse is so sensitive. Thanks all for joining today. I'm hoping to give you a great overview of what is new in ISE 3.0. The idea here is we have done a major release, so I think that's why it's such a popular topic today. We want to show you how we've made ISE more simple, giving you more visibility, and are starting to enable ISE for the cloud. I'm Thomas Howard, one of the technical marketing engineers here with ISE, and let's get started.

So, boy, the list of features that we have is quite large. This is just kind of an overview; I just want to give you all a sense of all the things we're going to talk about today, and we'll touch on each of these as we go through. The first one is the new ISE interface. We can't have a major new release without a new GUI, so real quick I want to show you what that looks like. This is the new ISE interface. It looks pretty much the same in terms of all the dashboard elements and things; those are all the same. What's different is obviously the menus across the top are gone. What we've done is we tried to make this look like Cisco DNA Center, and we put all the menus under this hamburger menu over here. All the menus that you know and love in ISE are still there, they're all the same, the URLs to each of the pages are the same; it's just been relocated under the hamburger menu. Now what's really nice is we've added a search bar, so if there's something you're searching for you can simply type it in and, rather than having to go figure out where in all those menus it is, you can hopefully have a shorter list to go through, and when you find what you're looking for you can click on it and it'll take you right there. The other thing is, as you're working in ISE, we have this recent pages list, so if you're flipping between, say, your policy sets and you're trying out a new policy, and then you want to go back and look at your live logs, you can do that very, very quickly. Also we've added the ability to use keyboard shortcuts, so if you don't want to use your mouse to get into this, initially you can actually hit Escape and then I'll just hit Ctrl and forward slash, and it puts me right at the top at the menu. If I want to type something it'll be right there, and I can click on the menu I want and go. Finally, in the GUI we've also added this Make a Wish feature down here. If I click on Make a Wish, you now have the ability to tell us about something you really like in the product, or if you want to tell us about something you really don't like in the product, and hopefully one or more of you will get your wishes granted and we'll implement it in the product. So this is a way for you to directly provide feedback to us.

Another thing I want to show you is that in ISE 2.7 we implemented this interactive help, and it was this little tab that popped out from the side. We actually added it to this help icon in the upper right now, and you can see that we have all these different categories of help for you. One of the things I'm going to be showing you today is actually with posture and compliance, and we've implemented this nice little agentless posture wizard. I'm going to show you that agentless posture capability a little bit later today, and if you want to play with it, we have this wizard that will actually take you through all the configuration steps necessary that you would want to play with. If you have already done some of these things, right, if you've already added Active Directory, you already have a network device configured, you can actually just start at one of these and go right to that point, and it will show you exactly what fields you need to add in ISE to get this working. So that's a really nice little wizard that's available for you. I encourage you to explore the interactive help capabilities in ISE; again, we have that in ISE 2.6, 2.7 and also in 3.0. So with that I'm actually going to get back to our presentation, and we'll come back to that in our demo.

The first thing to know about ISE 3.0 is the platform support. Everything is the same, with the addition of ISE on VMware Cloud on AWS. This is our first foray into cloud-enabled support with ISE. It's still running on VMware Cloud on AWS; we're working towards giving you native support in AWS and other cloud providers, but we didn't do it in 3.0 quite yet. We're hoping to do it by the next release, so that will be coming. One other thing to remind you: you can install 3.0 on the 3500 series platforms, but they are end of life, so if you are installing 3.0 from the beginning, starting out fresh, we encourage you to use the 3600 series platforms when you build it up.

ISE has been able to do SAML single sign-on for most of the 2.x releases. What we weren't able to do is multi-factor authentication. We were able to add that in ISE 3.0, basically because in 2.x we were a little bit over-specific in how we told the identity providers, such as Azure Active Directory, exactly how we wanted to authenticate the request, using something called the authentication context class reference. What we did in 3.0 is we simply removed that requirement. It freed up the identity provider so that they could in fact provide multi-factor authentication, so now you are able to do MFA with Azure Active Directory in 3.0.

One of the things I want to ask everybody is what identity stores you use, specifically around Active Directory. Are you using AD only? Are you looking at doing Azure Active Directory? Are you doing both, or do you not use AD at all? I would love to hear what you're doing for your identity stores with ISE. There's a poll question that Rigo has just popped up on your screen; that'll run for the next 45 seconds or so, and then we'll hear what the answers are from you. Another thing we've added with
respect to Azure Active Directory is the ability to do 802.1X-based authentications directly into the cloud using something called OAuth Resource Owner Password Credentials, or ROPC. As people are now starting to work from home more, they're not in their offices, and this idea of using the cloud for doing this is becoming more and more popular, so we've enabled this capability in ISE 3.0. The way this works is we have a user, and normally on the internet you would use something called SAML or OAuth. These protocols basically do the exact same thing; the only difference is one is XML-based and the other is JSON-based. But the idea is you've got a user, a resource owner, that's using their client (basically it's a web browser), and they have a network connection, so they're able to request access to a particular site or resource, in this case ISE, and they also have an identity provider that they need to go authenticate with. Now, we use an identity provider separately because in a lot of cases you don't want to give your username and password directly to the authorization server. It doesn't need to know who you are, for privacy reasons; sometimes they just need to know that you are allowed to access it. So you authenticate with the identity provider, and then you take a token back to the authorization server, and then it can also verify that token with the identity provider and then provide you access. This three-legged stool is basically how these protocols work on the internet when you're trying to log into different websites. Now, this won't necessarily work when you're trying to get network access because of this thing called 802.1X. You don't have an IP address until you authenticate with 802.1X, so you can't talk to all these websites and provide your identity and get a token and pass it along, things like that. So the idea here is we want to figure out a way to get around this and still let you use Azure AD in the cloud as your identity provider.

The way we do this is we use TTLS with PAP. Because we need to pass along your credentials in clear text, we use the PAP protocol, but it is secured inside of a TTLS tunnel. Your credentials will get passed through to ISE; we can then proxy those credentials using OAuth ROPC out to Azure Active Directory and authenticate your user identity, and then do a second request to find out what groups you are a member of. We can then use that to determine your level of access in your policy and your authorization result, and then apply that to give you network access. This is something that isn't super easy to do out of the box. You will need to manually configure these things in basically all the major operating systems. Windows 10, if you're doing it on wireless, for example: this is not obvious, you can't just double-click and choose some properties, so it does take some effort. And in the case of Apple products, Apple OSes, you must use an MDM; it's not even available to you in any of the settings, so you need to use an MDM or somehow provision a mobile config to these devices. If this is something you're interested in, we actually have set up a website for you as part of the Customer Connection Program, or CCP, in our communities. Hopefully you all know about our communities and you go visit there regularly. We set up this community, and the idea is we would love to hear about your experiences, answer your questions about this, see how you're using it, and hopefully help you over some of these challenges. I've put some of the things to be aware of here so far. One of the things I'll also tell you about is, if you are trying to do this, you will need to add the DigiCert Global Root G2 certificate. Basically, Microsoft updated their Graph API with a new certificate authority just before ISE 3.0 went out the door, and so if you don't have that cert in there you're not going to be able to retrieve the groups from Microsoft Azure Active Directory. So if this is something that interests you, I encourage you to go out to the community, sign up, and hopefully we'll have some more information out there for you.

With that, I'd like to show you what this looks like. First I'm going to go check out settings here for REST ID store. I enabled this REST ID; basically it's like a REST call we're making out for the OAuth ROPC call. Then I added the Azure AD as an external identity store, and when you provide the credentials, basically ISE has to tell Azure Active Directory what its client ID is, what its secret is, its tenant ID, things like that. We provide a nice little button to test your connection; if everything's good, that's great, and you can actually load the groups, and then you have the ability here to choose what groups you want to check for. I will tell you that if you didn't load that DigiCert certificate that I just told you about, the load groups will not work, because it doesn't have a certificate to trust that connection, so be aware of that. And then I've added my Azure Active Directory domain, you know, ISE out here, so now we can do an authentication against that domain and Active Directory. The other thing I will show you real quick is our policy. In my policy set I just added a simple rule for Azure AD ROPC right here, and basically what I'm checking for is, I'm being very specific, saying that the EAP tunnel must be TTLS, and I'm looking for a group in that identity store that matches the group Employees, and if that's good I will permit access and also apply an Employees group tag. So very straightforward, very simple. You don't even need to be specific and specify the TTLS tunnel; I just did that for the example and to show you that we are using that tunneling method. I'm going to switch over, and I've got my Windows computer here. What I'm going to do is, let me hide this screen, I want to show this for the next demo we're going to be doing, and I'm going to switch over. I'm going to do a 'no shut' on my interface, and do it virtually as well here. There we go. So now on my Windows computer, okay, attempting to authenticate, and Windows has this fun little bug where I actually need to... there it is, there we go. I've got to hide this and actually show you the authentication screen. There we go, that's what I'm looking for, and I'm going to log in as local admin. All right, hopefully that works. Let's go back to ISE, let's see how we did in the live logs. All right, there we are. What happened is we authenticated as local admin; you can see a profile of the Microsoft workstation, we authenticated with 802.1X, we matched that Azure authentication policy, and permitted access for that endpoint. Right, so that's how we were able to do it with an authentication to Azure Active Directory using OAuth ROPC.

All right, the other big feature, and we believe the biggest feature we've added in this release, is agentless posture. This is something people have wanted for a very long time, and we provided it because it does provide you great visibility, so you can see what is on the endpoints of your employees coming into your network. I say employees because it does require this to be a managed device, because ultimately what we're doing is connecting to that device using a master username and password to that device. So we have to have a domain administrator kind of account on that device, or we need to have a local administrative account that we can use to log into that device using PowerShell, or SSH in the case of macOS, and we're able to then log into that device, provision our agentless plugin that we're going to run on that device, to determine the compliance against the ISE policy. We don't have support yet for Linux; we're working on that, hopefully you'll see that in the next release of ISE. But one of the things I wanted to walk you through and kind of show you is what the different options are now, because we have quite a few options now that we
have agentless. If you look at this chart, we have AnyConnect, which is our standard agent for doing a posture module when you connect with your VPN or our wired and wireless. We also have AnyConnect Stealth, so if you don't want to bother your users with pop-ups or managing the connections, AnyConnect Stealth will just do that in the background for them. Temporal is also agentless, but it requires a redirection of the user to a particular website to get the Temporal Agent; they have to download it, so it involves the user, whereas with agentless the user doesn't really know what's happening, it's all in the background, they don't see anything. So those are your different options today, and if you look above that line, you pretty much get all the same capabilities. Where agentless is great is for getting visibility. You don't have to deploy AnyConnect if you don't have it, you don't have to deploy the posture on top of AnyConnect, so it saves you, the administrator, a lot of effort. As long as you've got that master password to log in and connect agentlessly, and you have to have some exceptions in the firewall of course on the computers, but if you've got that, hopefully that's a lot easier for you to administer to get that initial visibility. So that's a great feature. What you're going to find, though, is if you use this to enforce compliance, I wouldn't necessarily recommend it. I'm going to show you why here in a little bit. The experience that your users have if you lock them out, quarantine them while you're checking to see if they are compliant: they're going to be out there for probably 30 to 60 seconds or maybe more, waiting for that compliance determination, and in that time they're waiting to join their Webex, waiting to join a call, and 60 seconds can be a very long time when you're trying to join a call first thing in the morning, right? You're kind of anxious, you just want to get on and get it going, so that can be a bit of a problem. And then finally, if you're really looking to ensure that your devices are compliant and secure, you are going to want an agent on there, because that gives you the remediation capabilities that you want. Notice all those red X's over there, right? You can't do remediation with the Temporal Agent or the agentless option; you need that agent on there to do those kinds of things, and even to do continual reassessment you need those. So when you look at this in its totality, I just want to remind everybody: I think if you want to get visibility on your endpoints, you authenticate them and then push that agent out there and see what's going on, but don't block their access. If you do block their access, keep in mind your users are going to be sitting out there for a bit of time waiting for that to happen, and of course you are going to want to have an agent for remediation purposes. So keep this in mind when you're looking at deploying agentless posture.

With that, let's do a demo. Back over here on ISE, I want to go back to my policy set. What I did is I configured some rules for agentless posture, and I am going to simply disable this Azure AD ROPC policy. I'm disabling that because this is one I use just to check for employees first. Now we're going to pass through this one and we're going to check for compliance with that same Employees group in Azure AD. So we're going to be using Azure AD with posture now, and we're going to see if they're compliant. If so, we'll permit access and assign them to the Employees group. If they are non-compliant, then we'll check that and we will put them in the posture non-compliant authorization state. If we don't know yet, because they don't have a posture agent that can report to us whether it's compliant or not, we're actually going to say, oh, it's just an employee, we don't know what the posture is, it's unknown, and so we're going to deploy this agentless posture unknown profile to them. Let me save this and I'll show you what that looks like. Okay, then let's go take a look at our authorization profiles. Here's our agentless posture unknown. What we did in 3.0 is we added this agentless posture option; when you check this box, that says: go try and log into that box that you just authorized on the network, ISE, and let's try and get the posture compliance from it using the agentless posture method. Okay, so notice that I'm not enforcing anything here. If you did want to enforce compliance, you would push an ACL or assign an ACL, you would assign a VLAN, assign an SGT, whatever you need to do there. I'm not going to block access based on the compliance result; I just want to get visibility of that endpoint. So I'm just going to say, give me some visibility with agentless posture and then accept them into the network, because I know it's a trusted employee, I authenticated them as an employee, right? So that's the plan. Real quick, I also want to show you what we did for the posture rules. If I go look at client provisioning and posture, what I did is we have this Windows agentless option, and it will deploy the agentless Windows agent. So yes, there is a piece of software that we have to push to that device when they log in; you can't just remotely poke at it and figure out what the compliance is, you actually have to get on the box and figure this out. So we use this agent, or plugin, to agentlessly do this. Same thing with macOS; I've also done it for macOS, but I'll just be showing you Windows today. Then if we look at the posture policy, I've enabled a couple of rules for application visibility, so if I scroll down, there we go: we're going to get application visibility for our Windows device using the agentless option. The other thing I want to show you real quick is that I told you in order to log in we need a master password, right? So if I go into the administration settings
and we look over here at endpoint scripts and look at login configuration, you will notice that we have an option if you want to log in as a Windows domain user. So maybe there's a master domain account on your Windows devices that you use to log into this, or if you don't have that, maybe you can have your Windows administrator provision you a local user account on those devices specifically for ISE to be able to log in and get that compliance information. And if you have Macs, then you can go ahead and provision one there. We're only going to do it with our Windows local user; you saw I did it with the local admin account earlier, authenticated; we're going to do it again with this today. So with that, let's go see if we can re-authenticate and get some compliance information, application visibility, over here. All right, there's our computer. I'm going to just disable this network adapter, shut down the port to clear the RADIUS session, and then let's enable it again. All right, let's go back to our Windows machine and hopefully he's going to... yeah, there it is. Okay, local admin and the password. Okay, while that's going on, because it's going to take some time there to do that compliance thing, I just want to show you that ahead of time I came in here and I also had to open up the Windows Firewall and create a rule that allowed me to connect into PowerShell on this device using TCP port 5985; that's the port for PowerShell. So I need to allow connectivity from ISE into this box on that port; that's something to keep in mind. And then something I didn't do earlier was show you the adapter configuration, if you care about that. If I go into the adapter config and I look at this, I just want to show you that we have the authentication tab; we have provisioned 802.1X; we provision the supplicant to talk TTLS, again because we're talking to Azure Active Directory; and if I look at the settings in there, you should see that we're using that PAP inner method. Okay, I just wanted to show you that detail, because that's how we were doing the authentication with the Active Directory.

All right, so with that let me go back over to ISE, just close all this out, and we should have authenticated; we should see the results in the live log. All right, so here we go. Look what happened: we authenticated as local admin, Microsoft workstation, and this time we matched posture unknown, and so we authorized them with the posture unknown profile. That kicked off that agentless process, and then at some point later it came back and it did, basically, a change of authorization and re-authenticated again, and now we authenticated with local admin and we are now compliant. So first I said you're unknown, we're going to trigger that agentless posture, and then once it got the result back it re-authenticated them and said they were compliant. One thing to note here is the time it took. Remember how I said it takes some time, and if you were to enforce this on your users they'd be sitting waiting for a little bit of time? Check this out: it looks like it was at 4:27:26 and 4:27:59, so this one happened within 30 seconds. That's actually pretty quick; that's one of the fastest ones I've seen. I've had it take as long as two minutes doing the demo; I thought my demo failed, but it just took two minutes to complete the effort. So that's something to be aware of when you're doing this. The other thing I want to show you is, if we go look at context visibility for the endpoints and we look at compliance, I told you we're going to get some application visibility, right? That's the rule we configured for posture. Look at the installed applications: you can see for this endpoint we have 29 installed applications, and if I go look at that list, there's the inventory, the application inventory for this device, and everything looks pretty normal, nothing too crazy, other than he's got this Adobe Flash Player you should probably get rid of, because that's just waiting to happen, right? Otherwise, it looks like we're able to understand what's on our users' computers, what kind of applications they're running, and if there's anything crazy we can try and flag that, maybe write some other posture rules to deal with those. Okay, so there you go: there's agentless posture with ISE, and even using Azure Active Directory.

All right, the next thing, very similar to agentless posture, is this custom scripts capability. Since we now have this mechanism to have ISE log in to these endpoints as they come into the network and run agentless posture, we've also given you this capability to run custom scripts of your own. The way this works is there's a little wizard you can select; you run that and it will pop up here, and then you can choose what type of device, which endpoints, whether it's Mac or Windows, and then what scripts you want to run on them. Just like with agentless posture, you need to have some kind of domain administrator credentials or local credentials that you can use to log in, make sure that you open the port for SSH or PowerShell, and it does need to have curl, because that's how we're able to transfer the results of the assessments from the endpoint back to ISE. So this is a capability where I'm really curious how people are going to use it. You do need to write your own scripts, provide your own scripts for this, so it's really up to you and what you want to do with it. It's a way to check for things, or if you want to turn on certain features you could provision a script and go do that on certain endpoints. It's really up to you how you want to use this, so we're going to see what people do with it.

Another new feature: we've done ODBC forever in ISE, being able to connect to an external database using ODBC. What's new in 3.0 is we've added this advanced settings button, and that lets you provide some input query parameters and get some output data back from the ODBC query, and you can use this basically to map into your authorization rules. Where this is really handy is if you find yourself writing a whole bunch of different authorization rules because you have a bunch of different employees and a bunch of different scenarios; you might be able to use ODBC to query the database and have it provide the different combinations of authorization rules for ACLs, SGTs, VLANs, URL redirection, things like that, using the ODBC database, if that's easier for you. We find this happening with contracting companies: they've got a lot of employees working with a lot of different customers, they need to make sure each one is secure and segmented from the other, and rather than writing, you know, 300 rules on ISE, we can use the database to do this, and they can map it internally with their different projects. So this is an option for you if you find yourself having to write a bunch of rules with different authorization results.

Certificate fingerprinting is something people have been asking for, because they want to identify and authorize certain end users or endpoints with one certificate authority and then another group of users or endpoints with a different certificate authority. You can now do that in ISE using certificate fingerprints. If we go look in the trusted store, we'll take an example CA here, we'll look at Baltimore, and we look inside, you can see we have these different fingerprints that uniquely identify these certificate authority certificates. If we take that, we can now use it in a condition in our authorization rule to see if the certificate being used matches or not. Of course you wouldn't use it standalone; you would probably use it in combination with other endpoint profiles or group memberships or things like that, but once you did that you would be able to authorize them with that certificate match. And if you wanted to see what a particular fingerprint was, in the ISE authentication details we have it entered there for you as well. Another new thing... you
know what, Rigo, we didn't get the results from the last time; I just kept talking. So what's the result with Active Directory?

Rigo: Yeah, thank you, Thomas. So before we move on to the next poll question, for the result of poll number one, and just as a reminder, the previous question was 'Do you use Azure Active Directory?', and I can see here that an overwhelming number of participants are using Active Directory only, and then this was followed by those who said they are using AD plus Azure AD.

Thomas: All right, yeah, very typical. I would say probably 98 or 99 percent of our customers use Active Directory, so that's not surprising to see it's overwhelming, but we are starting to see people beginning to use Azure Active Directory, and we want to be at the beginning of that wave of people moving to the cloud. We're enabling ISE to use the cloud, and so that's the beginning of it; we've got more coming, hopefully you can see, by installing ISE in the cloud as well. So the next question, where's the last... the next question we have for you is passive identity. Is anybody using passive identity? Go ahead and answer in the new poll question that Rigo is going to pop up there for you. Let us know if you're using it; are you using ISE-PIC or not?

What we've done with respect to passive identity in ISE 3.0 is we've added a new eventing API. This is a new agent that you install onto your Active Directory domain controller, and it will report login events to ISE. The idea here is, if you're using 802.1X, you get an authentication event directly from the network device and ISE will authenticate it. But when we do it passively, we're able to get an Active Directory login: basically, when you do that Ctrl-Alt-Delete and you log into your computer, we're able to get that login event via AD, and we treat that as basically a trusted event from AD. That's how we know that a user at a particular IP address just logged in, and we're able to use that and share it out over pxGrid to other security services. So that's how passive ID works within ISE, and we're using this new Microsoft eventing API because it's basically more reliable, allows us to do high availability, and works better than the old WMI does. So there you go.

Along the lines of being able to do more things out in the cloud, we're trying to simplify how you access ISE and use APIs. Today we have many different APIs using many different ports on many different nodes in ISE. Rather than have all that, we want to simplify it as much as possible using an API gateway. Now you'll be able to connect into ISE using simply port 443, pick a node, and depending on what you're trying to access, it will magically get routed to the appropriate node. This is only working with the user interface and the MnT APIs today, but we're going to improve this with all the other REST APIs and things going forward. And then, Rigo, what do people say about passive identity?

Rigo: Hey, Thomas. For passive identity, I can see based on the results that our top answer shows that our participants are not using passive identity, and then coming in at number two, and not so far behind, we have those that would still like a little bit more clarification as to what passive identity is.

Thomas: Okay, so they need clarification about what it is?

Rigo: Yeah, number two was 'What is passive identity? What is that?'

Thomas: Okay, exactly. So hopefully I explained that to you sufficiently. The idea is we are passively obtaining a login event from Active Directory rather than performing an active authentication with ISE 802.1X. Some people like to do this when they're just trying to get visibility; they deploy what's called the Passive Identity Connector. It's a version of ISE that's basically licensed to only do passive identity, and it cannot do active identity. If you did want to upgrade from PIC to the regular ISE, it's just adding a license to it, nothing fancy; it's basically the same software, just license-restricted to do passive identity only. For some customers this is a great way for them to get visibility without doing 802.1X, just to understand who's logging into their network and pass the information on to other security devices and services. So there you go.

One of the things we're seeing is a lot of randomized MAC addresses, either because you have MAC addresses tied to your dongles for your workstations, or we're starting to see mobile devices that are doing randomized MAC addresses due to user privacy concerns. So we started working with Microsoft on this to come up with a unique device identifier when talking to them and their SCCM server for managing workstations. This is a problem that goes beyond just Microsoft SCCM, to all enterprise management or mobile device management use cases where we've been using a MAC address as a primary key when communicating with them. This is something where we're starting with Microsoft; we're going to get that UDID solved. We've got some proposals out to MDM vendors on how to solve it with them, to come up with a unique identifier. That's not in 3.0; hopefully we're going to see that in 3.1, but that's what we're trying to do to solve this problem, and we've done it with SCCM for now. Also with SCCM baseline policies: obviously you can check for a lot of different things with SCCM to make sure the box is compliant with whatever configuration rules or policies you have, and what we try to do is roll all those up into these different baselines. Now with ISE you can simply check which of these baseline policies is compliant, and then that's all you need to check in your rule: what's the baseline policy? If they're complying with that, they can come on in, and leave the rest to SCCM. Along the same lines, checking for antivirus, anti-malware: just checking for a minimal version, keep it simple for you, if all you care is they're using this version or above and they're compliant
fantastic you don't have that option to keep it simple posture status sharing is something we've added on to our lightweight session directory that we implemented in ice 2.6 so in 2.6 we basically transformed the way the ice nodes communicate with each other in a much more efficient way that communication bus on keeping things synchronized especially with things like profiling that worked out really really well and so we added the ability to synchronize the posture session state so we've got these different posture compliance statuses so now we have are propagating that information as well as as part of the the session state we've found this so useful we've even back ported it in a couple of patches to ice 2.6 and 2.7 so if you're running two six pass patch six or two seven patch two you'll also benefit from this capability if you're doing posture one of the things we wanted to do is to make upgrade easier for you in 3.0 we didn't quite get the whole upgrade process completed but what we were able to do is to get the health checks built into ice 3.0 so before we had something called the upgrade readiness tool or urt what this did was it would check each node you'd run against a single node and it would tell you if there were problems or not in ico we've actually done this for the entire deployment it's built in you don't have to run a separate tool it will check all the nodes not each node individually and it will warn you if there's you know expired certs or license problems or um maybe disk problems anything like that so you once you detect any issues you can then file attack case get that resolved so that you won't spend um a lot of time when you're actually going through the your your upgrade window you won't burn time that way hopefully you've got everything fixed ahead of time so we are looking to improve the upgrade process um hopefully that's going to come again in the next release of 3.x we'll see if it makes it in there but we are working on making your 
life simpler and easier with the ice upgrades so when you are doing uh debugging it's really nice to be able to create these different debug profiles because you don't need all the logs all the time at debug level so you can turn them off or turn them on depending on what you need and you create these profiles and you can apply them to different ice nodes so when you're doing debugging you only collect the essential nodes you need so that's a great feature hopefully again save you time and simplify things and then in terms of helping you with troubleshooting we've made some improvements to the tcp dump so the number of files the file size how long you want to collect it for we've got all those things in there now it will tell you when it's completed and you can go ahead and just download right away and look at the packet capture in something like wireshark right there on your box very nice so we're not only doing all these features in ice in the gui but we're also continuing to improve the rest apis again as we're moving towards the cloud we're going to be making a lot more improvements to the apis and so in 3.0 we've added some new things there in terms of aci and also the rest identity store i showed you earlier for azure active directory that now has its own object so you can provision it through an api as well so if you are interested in playing with the apis go to the links above either on your box or we've got it out there in devnet for you you can take a look and see what's possible with apis so um along with the major release we've also got some new licensing so um what licensing are you all using right now go ahead and answer the poll question rega is going to pop up and we'll talk about ice 3.0 licensing there it is there's the poll tell us what you're using for licenses today and with that we have a new licensing model in 3.0 so first and most important thing is 3.0 and beyond uses smart licensing only so if you upgrade or migrate from 2.x to 3.x there 
will be a license migration that happens from the pack based licenses to smart licensing if you're already using smart licensing fantastic that's great um that much less work to be done but the big thing i think people are gonna notice is the model is a little bit different in terms of the lego model that we had before where you had to have base licenses for everything and then you had the ability to add plus or apex licenses depending upon the additional capabilities instead we're now moving to this nested doll model again this maps to our our subscription model similar to what uh cisco's dnac does so we have the essential licenses basically same functionality as the base is just now called essentials advantage used to be called plus now it's called advantage um so everything you you knew before it just got remapped in terms of its name and then in terms of apex to premiere same thing there so the difference is that when you buy these subscriptions in 3.0 you have premier licenses encompassing all the features of the others so if you buy a premier license you get everything an advantage and you get everything in essentials so that's the the most important thing to know and we're going to go through some examples in the next slide all of these licenses are term-based or subscription right so when you migrate or move to 3.0 your existing base licenses in ice2.x will be converted to a term based essentials license that set of licenses that get converted to turn based for essentials those will all expire in october of 2023 so when you move to 3.x by october 2023 you will need to purchase a new subscription or term for even your base licenses okay that's something to keep in mind the the plus and apex your terms that you already have so some people say what if i just bought a five-year license that five-year term still applies as you move to the to the new um advantage and premier licenses so you'll keep those the other thing to note is that device administration is 
still node based as are the vm licenses vm licenses are also node based so real quick some examples if you just have base licenses basically they're going to kind of translate from base to essentials and again that term will expire in october 2023 they'll need to purchase a new subscription for them then if you've got base and some plus licenses first we're going to translate the plus licenses you're going to get 50 advantage which includes 50 essentials and then you'll also have the other 50 essentials licenses some people actually just have the premiere and the base so if that's the case you're going to get your 50 premieres which also would include the advantage and the essentials and then you'll get the remainder as just essentials and then if you have a little bit of everything first we're going to move the premiere so you get all the capabilities then you get advantage and the essentials and then finally just the essentials so that's how it's all going to get moved over uh so again i mentioned that you are going to need to migrate so if you want to do that if you want to go from pack based to smart based licensing file support case they'll do the conversion for you you'll get a virtual account if you don't already have it you can then perform your upgrade and you've got all your licenses that you can provision to your ice deployment in smart licensing uh so i want to remind you all you know we've got um all the resources out there in the community for you um we are making some some updates and look and feel of that page so um i actually did that the other day so it doesn't quite look like that anymore so if you go to the ice resources page the same resources are there just that top part looks a little bit different with all the icons and then please make use of our licensing guide also known as the ordering guide we also have an additional licensing faq and a license migration guide for you that you can take advantage of so the youtube channel continues to be 
extremely popular we just surpassed 11 000 subscribers so we encourage you to go take a look there and we also post the recordings of these webinars in the youtube channel so if you subscribe there you'll also get to see the webinar recordings there when they're posted um one more thing i wanted to share with you before we go today is we have a new icon so it's not just that we released ice 3.0 but it's also that cisco secure has rebranded all of the security products within cisco and so if you start to see these new names um using cisco secures let's go secure emails and specific firewall um and also ice for network access ice is still going to be called ice we haven't changed the name uh but i just wanted you to be aware of that new icon so when you start to see that you'll know that it is in fact ice out there so uh with that i think let's head into some questions rico oh rigo we didn't find out the the base and the essential licenses and all that what's going on with licensing yep i got those available right here thomas thank you what's up so uh for the previous question uh just as a reminder to our attendees we had which ice licenses do you use and uh based on these results i can see that our clear winner here is base and plus and apex licenses and then for our second place winner we got bass and plus licenses all right good so i'm glad you hear that we have people using the more advanced features they're trying to do more with ice than just basic authentication that's great to see so good so are there any questions that i can potentially answer or has the panel already taken care of all those yeah well uh our panelists always does a great job in answering all these questions so so thank you to all of our panelists uh and just you know for our attendees if you do have any questions for our speaker thomas that you would like to have answered maybe something you need some more clarification on uh please do post your questions in the q a panel and we'll go ahead 
and take them from there but for right now let me see what we have thomas okay so i do see a question here uh this one's from daniel and he's wondering is 2.0 to 3.0 upgrades supported so 2.0 to 3.0 not directly no you would not be able to do that without doing an interim upgrade to i want to say 2.4 is the cut off 2 4 2 6 and 2 7 is the versions that you can go directly from into 3.0 if you're on an earlier version you would need to either upgrade to those and then to 3.0 or you might want you you might be able to do a backup and restore i don't know if doing on that old of a version would work um but you could try it and see if that worked for you um otherwise no you need to do an interim upgrade awesome thank you very much um we do have another question here uh does ice 2.6 and 2.7 works fine with new licenses um so the thing to keep in mind is basically smart licensing so yes you can do smart licensing with 2.6 and 2.7 so if you wanted to convert now to smart licensing you could absolutely do that and save yourself the the hassle in the future so yeah you can use smart licensing today the thing to note is you will i don't know when the exact cut off date is but at some point in the future you will no longer be able to buy face plus and apex licenses you will only be able to buy essentials advanced and premier licenses and those can be basically back ported in licensing to the older older model so that's those kinds of questions should be covered in the migration guide and the faq hey thomas uh this is a meteor shot a little more color there yes please yeah so um the 2.x releases require you to use the base plus and apex licenses as you are currently using 3.0 is where you have to move to the new essentials advantage and premiere licenses you cannot use the new licenses on the 2.x releases or you cannot use the old licenses on the 3.0 releases so that that's the thing that i do want to call out thomas did mention this absolutely accurately 2.4 2.2 and above i 
believe you can actually use smart licenses as well with the base plus apex 3.0 goes all smart only thanks thank you amin that's great all right thank you so much so let me see what else we have here from our audience i i just saw a question pop up from brent asking when is the 2.x train going to be end of life um i we don't have a specific date for that uh brent at least i don't i don't know for me if you got any insight on that um but what i would look at is if you think about that october 2023 date it's probably going to be somewhere around there so you've got a couple more years still for 2.x yeah i mean all our releases so there's actually another question so let me try and answer that one as well there's a question on whether we should do the odd and even releases uh when is 3.0 going to be suggested release and so on so forth so let me try and answer all of them um 2.7 is our suggested release uh currently we do not have the long-term short-term approach anymore um all releases um i think from products six or 2.7 on what i forget when are all four year releases that means they're supported for four years um the life cycle is actually posted um the july cycle is posted online as well so you can take a look at that 2.7 will have a four year lifespan so as thomas mentioned october 2023ish i think is the timeline for four years it really released it in uh this november of 2019 if i'm not mistaken so you know november 2023 at least is definitely where it will continue uh we haven't had any discussions on that at this point so i would not necessarily say that that's the date but i would expect somewhere around that time 3.0 is not the suggested release for today it's still 2.7 we generally see approximately six month-ish um timeline from the time a release is fcs to the time it becomes a suggested release it all depends on various metrics that we actually track but approximately six months is what we anticipate this one we don't know 3.0 might be a little longer 
especially because of code because one of the things that we do track our deployment numbers and what we are hearing is that you know not many customers are probably upgrading because you know there are other things to worry about at this point but i would expect about six months out there about i hope that answered you know there's multiple questions on on that topic yeah no doubt thank you i mean yeah thank you very much um so it looks like we are near the top of the hour we might have uh just time for one last question uh and let me see what else we have here from our audience uh so there's a question here um when approximately will the version 3.0 become the recommended version so amin just talked about that it typically takes about six months from release before that happens we look for a lot of different things you know we want to make sure the that there aren't a lot of new bugs coming in for a particular release you want to make sure that it's had some soap time with customers so that there are no major issues found we want to make sure that it's you know we we know from actual deployment that it is stable and those are some of the things that we look for but also we want to make sure we've got one or two patches under our belt so that there are any major things those are taken care of so we don't have a specific date on it but those are the kinds of things that we look for to make sure it is stable enough excellent thank you so much all right so um it looks like that's uh all the time we have for our live q a i want to thank uh you uh thomas for speaking about this important topic with our audience i hope that everyone found great value in the information and resources that were shared here today i would also like to extend a big thank you to each and every one of our panelists for lending us a hand with all of the questions throughout this webinar we really appreciate it and just a quick reminder to our attendees that you will receive a short pop-up 
survey as soon as you exit the webinar and we would be so grateful if you can just take a few minutes to complete it and let us know how you like today's presentation we always look forward to receiving your valuable and again for those of you who are interested in revisiting this session again we will have the recording available for on-demand viewing within about five business day center today uh i'm going to go ahead and post the link to the chat window in the chat window in just a moment or you'll be able to find that recording uh and but if not then you will also be receiving a follow-up email within about 15 to 20 minutes that will contain that very same link so please do keep an eye on your email inbox for that uh thanks again to our presenter and to our panelists and to all of the attendees who joined us here today um i hope that you all have a great rest of your day thank you and sorry and just one last note um in our uh post-webinar survey uh you do have an opportunity to vote for our next deep dive session for next month's webinar so actually this will be chosen directly by our audience so we really really do encourage you to participate in that service or help us select the topics that we'll discuss in december's webinar so please please do share your feedback with us and we look forward to it all right everybody uh thank you again and please enjoy the rest of your day thank you you
Info
Channel: Cisco ISE - Identity Services Engine
Views: 14,124
Keywords: ise, security, azure, agentless, posture, licensing, ropc, saml, aws, demo, gui, wish, features, odbc, certificates, udid, sccm, icon
Id: 92ncCo3_M84
Length: 61min 31sec (3691 seconds)
Published: Mon Nov 16 2020