History for ISE/ISE-PIC

Feature

Minimum Management Center

Minimum Threat Defense

Details

Quick configuration

2024MMDD

7.6.0

You can optionally configure ISE using only the user name and password of a user in the External RESTful Services (ERS) Operator group. (This feature is available for ISE only, not ISE-PIC.)

Upgrade impact. Any ISE or ISE-PIC identity source you created before upgrade is still available on the Advanced Configuration (Old) tab page. Quick configuration affects only new ISE identity sources created after the upgrade.

New/modified screens: Integration > Other Integrations > Identity Sources > Identity Services Engine. There are two tab pages: Quick Configuration (New) and Advanced Configuration (Old).

New/modified CLI commands: none

Proxy

Any

7.2.0

One or more managed devices that can communicate with Cisco Security Cloud Control in the event Cisco Security Cloud Control cannot communicate with the ISE/ISE-PIC server.

New/updated screen: Integration > Other Integrations > Realms > Proxy Sequence

pxGrid 2.0 is the default for supported ISE/ISE-PIC versions

Any

6.7.0

Note the following:

  • Supported ISE/ISE-PIC versions: 2.6 patch 6 or later, 2.7 patch 2 or later

  • Adaptive Network Control (ANC) policies replace Endpoint Protection Service (EPS) remediations. If you have EPS policies configured in the management center, you must migrate them to use ANC.

Optionally exclude subnets from receiving user-to-IP and Security Group Tag (SGT)-to-IP mappings from ISE. You should typically do this for lower-memory managed devices to prevent Snort identity health monitor memory errors.

Any

6.7.0

New command: configure identity-subnet-filter { add | remove}

Destination Security Group Tag matching (SGT)

Any

6.5.0

Feature introduced. Enables you to use ISE SGT tags for both source and destination matching criteria in access control rules.

SGT tags are tag-to-host/network mappings obtained by ISE.

New/modified screens:

  • New options to configure Destination SGT matching:

    System > Integration > Identity Sources > ISE/ISE-PIC

    • Session Directory Topic: Subscribe to ISE user session information.

    • SXP Topic: Subscribe to SGT tag updates on the ISE server.

  • New and renamed columns in Analysis > Connections > Events

    • Renamed: Security Groups Tags renamed to Source SGT

    • New: Destination SGT

Integration with ISE-PIC

Any

6.2.1

You can now use data from ISE-PIC.

SGT tags for user control.

Any

6.2.0

You no longer need to create a realm or identity policy to perform user control based on ISE Security Group Tag (SGT) data.

Integration with ISE.

Any

6.0

Feature introduced. By subscribing to Cisco’s Platform Exchange Grid (PxGrid), the Firepower Management Center can download additional user data, device type data, device location data, and Security Group Tags (SGTs) —a method used by ISE to provide network access control).