What’s new in ISE 3.4

Discover the latest features and updates in ISE 3.4 that are revolutionizing the industry.

Discover the latest features and updates in ISE 3.4 that are revolutionizing the industry.

Cisco ISE is a powerful tool for managing and securing network access in a wide range of environments. By providing centralized policy enforcement, robust device profiling, and integration with other security tools, ISE helps organizations maintain a secure, compliant, and efficient network.

ISE 3.4 is slated to be released this summer, most likely at the end of July/beginning of August. This new version of ISE will come with several new features and enhancements aimed at improving performance, scalability, and user experience.

The ISE team recently uploaded a Webinar detailing what’s new in ISE 3.4. This blog post serves as a concise write up of their announcement.

Improved Restart Time


Restarting Cisco Identity Services Engine (ISE) should be done with caution, as it can disrupt network access and services. However, there are several circumstances under which a restart might be necessary or beneficial, such as applying updates and patches, or certain configuration changes. One of the issues with ISE is that a restart can take anywhere from 15 to 20 minutes. However, with the ISE 3.4 build, restart times have been reduced to between 5-7 minutes.

Making UI Changes Persistent per User

ISE 3.4 makes UI changes persistent per user. This means, in particular, that any personalization you make to a table in ISE, e.g., change column width or location, will be permanent.

PAC-less Communication for TrustSec


ISE uses Protected Access Credentials (PACs) as part of its TrustSec architecture to establish secure communications and enforce network access policies. PACs are used to establish a secure TLS (Transport Layer Security) tunnel. All subsequent communication, including policy updates and SGT assignments, occurs over this encrypted tunnel. One of the problems with this architecture is that it uses TLS 1.0, which is less secure.

ISE 3.4 introduces the option of using PAC-less RADIUS communication between ISE and NADs running the soon to be released IOS-XE 17.15.1.

TLS 1.3 Support


As touched on above, a problem with PAC-based communication is that it does not use the latest version of TLS, which is version 1.3. With ISE 3.4, support for TLS 1.3 has been extended to EAP-TLS, TEAP-TLS, and Secure TCP Syslog.

pxGrid Direct Enhancements

ISE 3.4 introduces several enhancements to pxGrid Direct, which allows ISE integration with Configuration Management Databases (CMDB) to fetch asset attributes using APIs.

Sync Now


Previously, the minimum interval for synchronization was 12 hours. ISE 3.4 introduces the option to manually sync databases on demand.

Scale Updates


pxGrid in ISE 3.4 has significantly improved scalability. Notably, there is no longer an upper limit on the number of supported connectors, which used to be 10. In addition, previously, ISE could only support a maximum of 500,000 endpoints per connector; in ISE 3.4 the maximum number of endpoints has been expanded to 2,000,000 per connector. Last but not least, pxGrid can now process 15-20 attributes per connector, whereas previously it could only process 15-20 attributes in total.

URL Pusher


ISE 3.4 introduces a new way besides URL Fetcher to facilitate a pxGrid Direct Connector. This is URL Pusher. URL Pusher eliminates the need to issue a GET request to the database; instead the external server sends the API request to ISE in JSON format. The other notable architectural difference is that attributes are stored in ISE’s persistent database, not the endpoint database, which is often purged.

Common Policy


One of the challenges for customers who use different Cisco Security solutions in their deployments is that each solution does policy in its own (different) way. A consistent, unified policy experience across multiple domains does not exist. For security architects, this makes Implementing consistent policies for users and device access to applications a cumbersome process. Common Policy is the envisioned solution to this, with ISE at its center.

The Common Policy rollout will take some time. ISE 3.4 introduces integrations with Application Centric Infrastructure (ACI), Catalyst Center (DNAC), and SD-WAN.


Generally speaking, the way that a Common Policy integration works is by using a common language of SGTs. The Context Exchange hub in ISE will be used to ‘translate’ different policies - for example, as embodied in EPGs/ESGs used in ACIs - into the idiom of SGT.

Debug Log File Management


ISE 3.4 introduces better control of debug logs. You can now configure the maximum file size and the number of files for each debug log component. These settings can then be restored to more manageable (less resource intensive) default settings after debugging is complete.


Active Directory Preferred Domain Controller


ISE selects the preferred Active Directory Domain Controller algorithmically. But customers with large deployments may require better control of the DC selection process. ISE 3.4 now allows administrators to override ISE’s selection algorithm and set priorities for each AD per PSN.


Cisco ISE 3.4 brings a host of new features and enhancements designed to meet the evolving needs of modern networks. As networks continue to grow and become more complex, the updates in ISE 3.4 provide the tools needed to manage these challenges effectively. Please get in touch if you have any comments or questions about using these enhancements in your deployments.

Similar posts