10 cool things about ISE 2.0

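Now that Cisco has finally released Identity Services Engine (ISE) 2.0, it seems only fitting to call out some of the best things about it.

Sitting in my hotel room, after an evening of drinks and war stories with the guys - what better thing to do than write a blog entry for everyone to read and hopefully enjoy?

At the time of this writing, Cisco's ISE 2.0 has been in BETA and is soon to be released to the public. This may be the single most anticipated release ever, so why not go through some of the cool things that are in it? Here's my top 10 list. Some are big items, and some are just small little gems that I think everyone will love: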

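1. TACACS+ Support for Device Administration AAA

It's no secret that I have been publicly vocal against adding device administration AAA to an AAA product that was designed as a network access solution. If you have any doubts, just check out my RADIUS vs. TACACS blog entry from last year!

It doesn't seem to matter what my opinion is on the subject: the public demanded that T+ be added to ISE, and they got it. What makes this the #1 cool feature of ISE 2.0 is the absolutely amazing job Cisco has done fitting T+ into ISE. It is already rock solid, and for what some would expect to be a 1.0 feature, it is simply excellent.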

2. The new Endpoints Identity page

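At first glance this is a seemingly small thing, but it is one of the most frequently viewed pages in all of ISE. It was also one of the biggest pain points. It is one of the first pages to be reworked in ISE 2.0, and it was overhauled in a great way. Some very useful pie charts at the top also hold a little secret: click a pie slice, and it automatically filters the table below it. The table itself was completely rewritten and remembers where you were when you click into the details of an endpoint and then return to the table.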

[Image: Endpoint Identity Page. Credit: Aaron Woland]

3. New Navigation Framework

ISE is a complex system with tremendous power. A system like that cannot normally come with a User Interface that is contained within only a few pages. Most often a solution like this needs to have a menu system, and many levels of navigation. ISE is certainly afflicted with the need to have many menus with sub-levels and, simply put, a lot of navigation. That's all well and good, but the GUI framework in ISE 1.0 was pretty painful. Incremental updates to the GUI have taken steps to speed up the experience, but were still just not fast enough for a modern day application. ISE 2.0 rips out the entire navigational framework and replaces it with one that is modern and lightning fast. It's obviously the start of a complete UI overhaul - where some functional areas and their pages are also re-written, and I would expect that the entire UI refresh will be complete in the next release or two. The first time you log into ISE 2.0, you immediately see the difference with snappy "mega menus" and side navigation.

[Image: New Navigation. Credit: Aaron Woland]

4. Upgrade Wizard

It's no secret that upgrade is a complex procedure for any large distributed system. Many solutions do not even offer an upgrade - instead they require you to reinstall and restore the configuration from backup. However, ISE has always supported upgrade and has made significant improvements with each release. ISE 2.0 adds a new Wizard-based GUI to handle the upgrades. You can specify which repository each node in the deployment should use, pre-stage the upgrade files, and control the order in which each node is upgraded. All within the GUI.

[Image: Upgrade Wizard. Credit: Aaron Woland]

5. Support Tunnels

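Taken directly from the amazing serviceability of the Cisco IronPort appliances, Support Tunnels have been added to ISE. For those who are not familiar with this feature of the IronPort appliances, it allows the administrator to enable a secure tunnel through which Cisco TAC can remotely access the root operating system of the appliance. Well, that's the simple explanation. This is fantastic, because it means fewer WebEx sessions with Cisco TAC to remotely see the UI of a customer's ISE deployment - they can view it directly if, and only if, the customer has enabled the Support Tunnel and provided the unique key to the TAC engineer.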

6. Stacking of Command Sets

Along the lines of #1, which is the support of T+ for device administration AAA, ISE allows for multiple command sets to be sent in response to an authorization request. Brilliantly, the command sets will stack, where a permit statement shall always outweigh a deny statement - unless it's a "deny_always" statement.

[Image: Stacking of Command Sets. Credit: Aaron Woland]
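The stacking rule described above, modelled as an added example (this is not Cisco's code and not from the original post). The command set names, the rules in them and the glob-style matching are constructed for illustration; the first-match-within-a-set and default-deny behaviours are assumptions.

```python
from fnmatch import fnmatchcase

PERMIT, DENY, DENY_ALWAYS = "permit", "deny", "deny_always"

# Constructed command sets for illustration; names and rules are hypothetical.
HELPDESK = [(PERMIT, "show *"), (DENY, "configure *")]
NETOPS = [(PERMIT, "configure terminal"), (PERMIT, "interface *")]
GUARDRAIL = [(DENY_ALWAYS, "reload*"), (DENY_ALWAYS, "show running-config*")]


def verdict_for_set(command_set, command):
    """Verdict of a single command set, or None when no rule matches."""
    grants = [g for g, pattern in command_set if fnmatchcase(command, pattern)]
    if DENY_ALWAYS in grants:
        return DENY_ALWAYS
    # Assumption: within one set, the first matching rule decides.
    return grants[0] if grants else None


def authorize(command_sets, command):
    """Combine the stacked sets as the text describes."""
    verdicts = [verdict_for_set(cs, command) for cs in command_sets]
    if DENY_ALWAYS in verdicts:
        return False  # deny_always cannot be overridden by any permit
    # A permit from any set outweighs a plain deny from another set.
    # Assumption: a command matched by no set is denied.
    return PERMIT in verdicts


if __name__ == "__main__":
    stack = [HELPDESK, NETOPS, GUARDRAIL]
    for cmd in ("show version", "configure terminal",
                "show running-config", "reload"):
        print(f"{cmd!r}: {'permit' if authorize(stack, cmd) else 'deny'}")
```

When reviewing a stacked policy, the practical consequence is that a plain deny in one set is not a guardrail: any other set assigned to the same administrator can override it, so commands that must never run belong in a deny_always rule.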

7. Network Device Profiles

Network Device Profiles are completely brilliant and provide something that some of us have been asking for in ISE since the very beginning: the ability to customize the settings for network devices, including the way they handle Change of Authorization (CoA), URL redirection and more. The implementation of NAD profiles allows for them to be imported and exported so they can be shared. ISE 2.0 ships with a slew of pre-built profiles for many network devices, including Aruba, Alcatel, Brocade, and more.

[Image: NAD Profiles. Credit: Aaron Woland]

8. Native EAP-TTLS Support

EAP-TTLS is a tunneled EAP protocol that is fairly popular with universities that use eduroam. Prior to ISE version 2.0 it was one of the only popular EAP types that was missing support in ISE, even though there was support for it in Cisco's supplicant: the Cisco AnyConnect Network Access Module.

[Image: EAP-TTLS. Credit: Aaron Woland]

9. Certificate Provisioning Portal

ISE 1.3 added the built-in Certificate Authority for BYOD endpoint certificates. It would create endpoint certificates for devices that underwent the Cisco BYOD on-boarding process only. In ISE 1.4 an API was added to allow the creation of priv/pub certificate key-pairs that could be imported into devices that couldn't go through the BYOD flows. Now in ISE 2.0 there is a full-blown customizable portal that allows the creation of individual certificate key-pairs, submitting and signing Certificate Signing Requests (CSRs), or even the bulk creation of certificates.

[Image: Cert Portal. Credit: Aaron Woland]

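10. Kicking Endpoints Off the Network When Their Certificate Is Revoked

When ISE issues a certificate to a BYOD endpoint and that certificate is revoked, the endpoint will naturally be denied access at its next authentication. However, the endpoint would remain on the network until the next re-authentication. ISE 2.0 adds a CoA Terminate (disconnect) to any endpoint with an active session whose certificate has been revoked, thereby kicking it off the network immediately.

While this list of 10 is pretty cool, it certainly doesn't include all of the great additions in ISE 2.0. It is just a short list of some nuggets that I thought I would share.

Until next time.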

Aaron

Copyright © 2015