Cisco ISE 3.5 dropped in late September 2025, and while 3.4 Patch 3 is still the suggested release for production environments, the new features in 3.5 are worth getting excited about. Before we dive in, a quick reminder: if you're still running ISE 3.2 or earlier, it's time to upgrade—those versions have reached end-of-life milestones.
Now let's break down the features that are going to make the biggest difference in your day-to-day operations. We'll go deep on the features we are most excited about in follow-up blog posts.
ISE has expanded TLS 1.3 support across more areas of the platform, strengthening the encrypted tunnels for traffic entering and leaving your deployment. But keep in mind that TLS 1.2 remains the default and cannot be disabled. Why? If your network devices haven't been updated to support TLS 1.3, they won't be able to communicate with ISE. So TLS 1.2 stays as the foundation, with 1.3 available when you're ready to enable it.
A few things to note when enabling TLS 1.3:
ISE 3.5 introduces the Cloud Multi-Factor Classification (MFC) Profiler, and this is a big deal.
Here's what makes it different:
You'll need a CCO account with MFA enabled, and obviously, this won't work for air-gapped networks. But for everyone else, this is a genuine improvement to profiling accuracy and ease of use.
ISE 3.5 adds SNMP-based endpoint profiling with support up to SNMPv3. This is perfect for IoT devices that can't do proper authentication—printers, cameras, building automation systems, and the like.
The workflow is straightforward:
For those who do create custom profiles, the certainty factor profiler interface has been completely redesigned. It now looks and works like your RADIUS policy sets—you can use AND/OR operators, match on different attributes, and assign MFC attributes directly.
In ISE 3.5 you can now set specific authoritative sources for device attributes from different integrations. Got Jamf MDM integrated? ServiceNow via pxGrid Direct? You can configure which system ISE should trust for specific MFC attributes. If Jamf says a device is a MacBook Pro, ISE will believe Jamf over its own certainty factor profiling. This eliminates conflicts and gives you confidence in your device classifications.
ISE 3.5 has doubled the supported network device count from 100,000 to 200,000 devices for both RADIUS and TACACS+.
ISE could already authorize users against Microsoft Entra (formerly Azure AD) attributes and groups. Starting in 3.5, you can now authorize devices connecting over EAP-TLS and TEAP-TLS based on Entra device attributes. (Note: this requires ISE Premier licenses and may require Entra Premier licenses depending on which attributes you're leveraging.)
There's also a monitoring feature that continuously polls Entra (configurable from 5 to 1,440 minutes) for attribute changes. When a user's group membership or device compliance status changes in Entra, ISE automatically issues a Change of Authorization (CoA) to re-evaluate the endpoint. But note that currently this monitoring feature only works for SAML-authenticated users, not EAP-TLS.
ISE 3.5 supports full IPv6 single-stack deployments (not just dual-stack like before). During the setup wizard, you can configure ISE with IPv6 addresses for the management interface, default gateway, DNS servers, and NTP servers. But note your entire infrastructure—network devices, syslog servers, Active Directory, DHCP, HTTP repositories—needs to support IPv6 for this to work.
The Active Directory lockout prevention feature has been around for RADIUS traffic. Now in ISE 3.5 it supports TACACS+ as well.
The concept is simple: configure ISE to stop sending authentication requests to AD before the failed attempt threshold is reached. If your AD is set to lock accounts after 6 failed attempts, configure ISE to stop at 5. ISE will deny access locally instead of passing the request to AD, preventing lockouts.
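To make the "stop one short of AD's threshold" idea concrete, here is a small model of the lockout-prevention logic. This is an added illustration, not Cisco's implementation; the AD threshold of 6, the `LockoutGuard` class and its `reset()` stand-in for the counter expiring are all assumptions made for the example.

```python
"""Model of the AD lockout-prevention idea (added illustration, not Cisco's
implementation). Assumption: AD locks an account after AD_LOCKOUT_THRESHOLD
consecutive failures, and ISE is configured to stop one attempt short of that."""
from collections import defaultdict

AD_LOCKOUT_THRESHOLD = 6   # assumed AD account-lockout policy


class LockoutGuard:
    """Tracks failed authentications per user and refuses to forward once the
    local limit is hit, so AD's own counter never reaches its lockout value."""

    def __init__(self, ise_stop_at: int):
        self.ise_stop_at = ise_stop_at
        self._failed = defaultdict(int)   # user -> failures already forwarded to AD

    def handle(self, user: str, ad_would_accept: bool) -> str:
        """Return ISE's action: 'forwarded-ok', 'forwarded-fail' or 'denied-locally'.
        ad_would_accept stands in for AD's verdict on a forwarded request."""
        if self._failed[user] >= self.ise_stop_at:
            return "denied-locally"          # AD never sees this attempt
        if ad_would_accept:
            self._failed[user] = 0           # a successful login clears the counter
            return "forwarded-ok"
        self._failed[user] += 1
        return "forwarded-fail"

    def reset(self, user: str) -> None:
        """Simplified stand-in for the counter expiring after AD's observation window."""
        self._failed[user] = 0

    def ad_failure_count(self, user: str) -> int:
        return self._failed[user]


def simulate_bad_passwords(guard: LockoutGuard, user: str, attempts: int) -> list:
    """Run a burst of wrong passwords (e.g. a stale credential in a TACACS+
    automation script) and return the per-attempt actions ISE took."""
    return [guard.handle(user, ad_would_accept=False) for _ in range(attempts)]


if __name__ == "__main__":
    guard = LockoutGuard(ise_stop_at=AD_LOCKOUT_THRESHOLD - 1)  # stop at 5 when AD locks at 6
    print(simulate_bad_passwords(guard, "svc-netops", 8))
    print("AD saw", guard.ad_failure_count("svc-netops"), "failures; locked:",
          guard.ad_failure_count("svc-netops") >= AD_LOCKOUT_THRESHOLD)
```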
If you're using Tenable for vulnerability assessments, ISE 3.5 brings significant improvements including new authentication methods and the ability to retrieve 20+ vulnerability attributes beyond CVSS base and temporal scores.
Additionally, instead of selecting scan policies and repositories separately, you can now choose Tenable configuration templates, which significantly reduces the number of scans appearing in Tenable.
Finally, ISE now checks if Tenable already has recent scan data for an endpoint before requesting a new scan, dramatically speeding up the authorization process—from minutes to 20-30 seconds in many cases.
All these attributes are available to use in authorization policies, giving you much more granular control over access based on vulnerability posture.
Previously, integrating ISE with CMDB systems via pxGrid Direct required basic username/password authentication. ISE 3.5 adds support for API keys and OAuth authentication. This opens the door to integrations with CrowdStrike, Microsoft Defender for Endpoint, and other platforms that don't support basic authentication for API access.
IP-to-SGT mapping has been around for a while. Now you can map FQDNs (fully qualified domain names) to SGTs.
Why does this matter? In multi-regional deployments, the same hostname might resolve to different IP addresses depending on which DNS server responds. By mapping the FQDN directly, you ensure consistent SGT enforcement regardless of which regional IP address gets resolved.
You select which PSN performs the DNS resolution, and ISE maintains the hostname-to-IP-to-SGT bindings automatically.
ISE 3.5 includes several features under the "resiliency" umbrella:
Noisy neighbor detection: ISE now generates alarms when network devices send excessive authentication requests or accounting updates—helping you identify misconfigurations before they impact performance.
Decoupled DNS logging: DNS resolution issues are now logged separately from other system logs, making troubleshooting faster.
Time-limited debug logging: When you enable debug logging to generate a TAC support bundle, you can now set it to automatically reset to default after a specified time (like 15 minutes). This prevents the all-too-common problem of leaving debug logging enabled indefinitely and consuming excessive resources.
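The noisy neighbor alarm above is a rate check per network device. As an added example (not ISE code, and not ISE's real syslog format), here is the same kind of sliding-window detection run over a few constructed log lines; the line format, the 60-second window and the threshold of 5 are all assumptions chosen for the illustration.

```python
"""Sliding-window detector for a "noisy" network device (added illustration,
not Cisco code). The log format and thresholds below are constructed for this
example; ISE's real syslog fields and alarm thresholds differ."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one NAD (10.1.1.5) retrying the same endpoint in a tight
# loop, another (10.1.1.6) sending accounting updates at a normal rate.
SAMPLE_LOG = """\
2025-10-01T10:00:00 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:04 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:08 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:12 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:16 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:20 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:24 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:28 Access-Request nas=10.1.1.5 user=printer-17
2025-10-01T10:00:05 Accounting-Request nas=10.1.1.6 user=alice
2025-10-01T10:00:35 Accounting-Request nas=10.1.1.6 user=bob
2025-10-01T10:01:05 Accounting-Request nas=10.1.1.6 user=carol
"""
LINE_RE = re.compile(r"^(\S+) (\S+) nas=(\S+) user=(\S+)$")


def detect_noisy_nads(lines, window_s=60, max_per_window=5):
    """Return {nas_ip: (event_type, peak_count)} for every NAD that sent more
    than max_per_window events of one type inside any window_s-second span.
    A per-(NAD, event) deque keeps only timestamps still inside the window."""
    recent = defaultdict(deque)
    alarms = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # unparseable line: skip, don't crash
        ts = datetime.fromisoformat(m.group(1))
        event, nas = m.group(2), m.group(3)
        window = recent[(nas, event)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()              # drop timestamps older than the window
        if len(window) > max_per_window:
            prev = alarms.get(nas, (event, 0))[1]
            alarms[nas] = (event, max(prev, len(window)))
    return alarms


if __name__ == "__main__":
    for nas, (event, count) in detect_noisy_nads(SAMPLE_LOG.splitlines()).items():
        print(f"ALARM: {nas} sent {count} {event} messages within 60s")
```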
ISE 3.5 makes license consumption more accurate and transparent with the following features:
The licensing page now updates every 30 minutes and provides clear visibility into Essential, Advantage, and Premier license consumption by endpoint and service.
ISE 3.5 delivers meaningful improvements across profiling, integration flexibility, scale, and operational visibility. While 3.4 Patch 3 remains the suggested release for now, 3.5 is available for those who want to start testing these features. The cloud profiler alone is worth investigating, and the Entra device authorization capabilities open up new Zero Trust architecture possibilities.
Need help planning your ISE upgrade or want to discuss how these features apply to your environment? Reach out to the ModernCyber team.