Guest

Cisco Identity Services Engine

Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4

  • Viewing Options

  • PDF (145.4 KB)
  • Feedback

Table of Contents

Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4

Supported Network Access Devices

Supported External Identity Sources

Supported Administrative User Interface Browsers

Supported Client Machine Operating Systems, Supplicants, and Agents

Supported Operating Systems and Browsers for Cisco ISE Guest Services

Documentation Updates

Related Documentation

Release-Specific Documents

Platform-Specific Documents

Obtaining Documentation and Submitting a Service Request

Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4

Revised: October 17, 2014, OL-25483-01

This document describes Cisco Identity Services Engine (ISE) compatibility with switches, wireless LAN controllers, and other policy enforcement devices, as well as client machine operating systems with which Cisco ISE interoperates in the network. This document covers the following topics:

Supported Network Access Devices

Cisco ISE supports interoperability with any (Cisco or non-Cisco) RADIUS client NAD that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication. For a list of supported authentication methods, see the “Configuring Authentication Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 .

Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices. In addition, certain other advanced functions like central web authentication (CWA), Change of Authorization (CoA), Security Group Access, and downloadable ACLs, are only supported on Cisco devices. For a full list of supported Cisco devices, see Table 1 .

The NADs that are not explicitly listed in Table 1 and that do not support RADIUS Change of Authorization (CoA) must use inline posture.

For information on enabling specific functions of Cisco ISE in your network switches, see the Switch Configuration Required to Support Cisco ISE Functions appendix of the Cisco Identity Services Engine User Guide, Release 1.0.4 .


Note Some switch models and IOS versions may have reached their Cisco end-of-maintenance milestones, hence interoperability may not be fully supported for these switch types.



Caution To support the Cisco ISE Profiling service, Cisco recommends using the latest version of NetFlow (version 9), which has additional functionality that is needed to operate the Profiler. If you use NetFlow version 5 in your network, then you can use version 5 only on the primary NAD at the access layer, as it will not work anywhere else.

 

Table 1 Supported Network Access Devices

Device
Minimum OS Version 1
MAB
802.1X
Web Auth
Session CoA
VLAN
DACL
SGA
Access Switches

Catalyst 2940

IOS v12.1(22)EA1

Yes

Yes

No

No

Yes

No

No

Catalyst 2950

IOS v12.1(22)EA1

No

Yes

No

No

Yes

No

No

Catalyst 2955

IOS v12.1(22)EA1

No

Yes

No

No

Yes

No

No

Catalyst 2960, Catalyst 2960S, ISR EtherSwitch ES2

IOS v12.2(52)SE LAN Base

Yes

Yes

Yes

Yes

Yes

Yes

No

Catalyst 2960, Catalyst 2960S

IOS v12.2(52)SE LAN Lite2

Yes

Yes

No

No

Yes

No

No

Catalyst 2970

IOS v12.2(25)SE

Yes

Yes

No

No

Yes

No

No

Catalyst 2975

IOS v12.2(52)SE

Yes

Yes

No

No

Yes

No

No

Catalyst 3550

IOS v12.2(44)SE

Yes

Yes

No

No

Yes

Yes

No

Catalyst 3560

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 3560-E, ISR EtherSwitch ES3

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 3560-X

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 3750

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 3750-E

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 3750 Metro

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 3750-X

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 4500

IOS v12.2(54)SG

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Catalyst 6500

IOS v12.2(33)SX17

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Data Center Switches

Catalyst 4900

IOS v12.2(54)SG

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Nexus 70003

Yes

Yes

Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node) 4 5

Wireless LAN Controller (WLC) 2100, 4400, and 5500 Series

7.0.116.0

No

Yes

Yes

Yes

Yes

Yes

WiSM Blade for 6500

7.0.116.0

No

Yes

Yes

Yes

Yes

Yes

WLC for ISR (ISR2 ISM, SRE700, and SRE900)

7.0.116.0

No

Yes

Yes

Yes

Yes

Yes

WLC for 3750

7.0.116.0

No

Yes

Yes

Yes

Yes

Yes

1.For 802.1X authentications, you need IOS version 12.2(55)SE3.

2.Does not support posture and profiling services.

3.SGA only

4.Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support the requirements for Inline Posture Node as they do not send Framed-IP-Address. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.

5.An issue has been observed during wireless login scenarios where the WLC is running firmware version 7.0.116.0. Unless you require new features available only in version 7.0.116.0, Cisco recommends returning your WLC firmware version to 7.0.98.218. For more information, see the Release Notes for the Cisco Identity Services Engine, Release 1.0.4.

Supported External Identity Sources

Table 2 lists the external identity sources supported with Cisco ISE.

 

Table 2 Supported External Identity Sources

External Identity Source
OS/Version
Active Directory 6

Microsoft Windows Active Directory 2003

32-bit only

Microsoft Windows Active Directory 2003 R2

32-bit and 64-bit

Microsoft Windows Active Directory 2008

32-bit and 64-bit

Microsoft Windows Active Directory 2008 R2

64-bit only

LDAP Servers

SunONE LDAP Directory Server

Version 5.2

Linux LDAP Directory Server

Version 4.1

Cisco NAC Profiler

Version 2.18 or later

Token Servers

RSA ACE/Server

6.x series

RSA Authentication Manager

7.x series

Any RADIUS RFC 2865-compliant token server

6.Tested Microsoft Windows Active Directory versions are 2003, 2008 and 2008R2. Microsoft Windows Active Directory version 2000 or its functional level are not supported by Cisco ISE.

Supported Administrative User Interface Browsers

You can access the Cisco ISE administrative user interface using the following browsers:

  • Windows Internet Explorer 8

For a collection of known issues regarding Windows Internet Explorer 8, see the “Known Issues” section of the Release Notes for the Cisco Identity Services Engine, Release 1.0.4 .

  • Mozilla Firefox 3.6 (applicable for Windows, Mac OS X, and Linux-based operating systems)

Supported Client Machine Operating Systems, Supplicants, and Agents

This section lists the supported client machine operating systems, browsers, and Agent versions supporting each client machine type for the following Operating Systems:


Note All standard 802.1X supplicants can be used with Cisco ISE 1.0 standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. (For information on allowed authentication protocols, see the “Configuring Authentication Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.) For the VLAN Change authorization feature to work in a wireless deployment the supplicant must support IP address refresh on VLAN Change.


 

Table 3 Apple Mac OS X

Client Machine Operating System
End User Browser
Supplicants (802.1X)
Mac OS X Agent
VPN

Apple Mac OS X 10.5

  • Apple Safari 4, 5
  • Google Chrome 11
  • Mozilla Firefox 3.6, 4, 5

Apple Mac OS X Supplicant 10.5

4.9.0.647

AnyConnect version 3.0.3041, 2.5.30417

Apple Mac OS X 10.6

  • Apple Safari 4, 5
  • Google Chrome 11
  • Mozilla Firefox 3.6, 4, 5

Apple Mac OS X Supplicant 10.6

4.9.0.647

AnyConnect version 3.0.3041, 2.5.3041 1

Apple Mac OS X 10.7

  • Apple Safari 5.1
  • Google Chrome 11
  • Mozilla Firefox 3.6, 4, 5

Apple Mac OS X Supplicant 10.7

4.9.0.647

AnyConnect version 3.0.3041

7.Anyconnect version 2.5.3041 is required to support “PowerPC” Macintosh systems.

Table 4 Microsoft Windows

Client Machine Operating System
End User Browser
Supplicants (802.1X)
Cisco NAC Agent version
Cisco NAC Web Agent version
VPN

Microsoft Windows 78

  • Google Chrome 11
  • Microsoft IE 9, 10 9
  • Mozilla Firefox 3.6, 4, 5
  • Microsoft Windows 7 802.1X Client
  • AnyConnect Network Access Manager

4.9.0.32

4.9.0.19

AnyConnect version 3.0.3041

Microsoft Windows Vista 1

  • Google Chrome 8, 9, 11
  • Microsoft IE 6, 7, 8
  • Mozilla Firefox 3.6, 4, 5
  • Microsoft Windows Vista 802.1X Client
  • Cisco Secure Services Client (SSC) 5.x
  • AnyConnect Network Access Manager

4.9.0.32

4.9.0.19

AnyConnect version 3.0.3041

Microsoft Windows XP 1

  • Google Chrome 8, 9
  • Microsoft IE 6, 7, 8
  • Mozilla Firefox 3.6
  • Microsoft Windows XP 802.1X Client
  • Cisco Secure Services Client (SSC) 5.x
  • AnyConnect Network Access Manager

4.9.0.32

4.9.0.19

AnyConnect version 3.0.3041

8.Cisco ISE does not support the Windows Embedded versions available from Microsoft.

9.When Internet Explorer 10 is installed on Windows 7, to get full network access, you need to update to March 2013 Hotfix ruleset.

Table 5 Others

Client Machine Operating System
End User Browser
Supplicants (802.1X)
Agent
VPN

Red Hat Enterprise Linux (RHEL) 5

  • Google Chrome 11
  • Mozilla Firefox 3.6, 4, 5

No official support 10

Ubuntu

Mozilla Firefox 3.6

No official support

10.Although not supported by Cisco, the WPA_Supplicant and Open1X Supplicant are available for use with Linux.

Supported Operating Systems and Browsers for Cisco ISE Guest Services

The Cisco ISE Guest services support the following operating system and browser combinations.

 

Table 6 Cisco ISE Guest Services - Supported Operating Systems and Browsers

Supported Operating System
Browser Versions

Microsoft Windows 711

Microsoft IE 9, Mozilla Firefox 3.6, 4, 5, Google Chrome 11

Microsoft Windows Vista, Microsoft Windows XP

Microsoft IE 6, IE 7, IE 8, Mozilla Firefox 3.6, Google Chrome 5

Apple Mac OS X 10.5, 10.6, 10.7

Mozilla Firefox 3.6, 4, 5, Safari 4,5 Google Chrome 11

Red Hat Enterprise Linux (RHEL) 5

Mozilla Firefox 3.6, 4, 5, Google Chrome 11

Ubuntu

Mozilla Firefox 3.6

11.Cisco ISE does not support the Windows Embedded 7 versions available from Microsoft.


Note When a guest user tries to login using Google Chrome on Windows 7 OS, the login fails. It is recommended to upgrade the browser to Chrome 11.


Documentation Updates

 

Table 7 Cisco Identity Services Engine Network Component Compatibility Documentation Updates

Date
Update Description

04/08/13

Added support for Internet Explorer 10 on Windows 7

3/8/2012

Footnote added to Table 2 “Supported External Identity Sources”

9/30/2011

Cisco Identity Services Engine Maintenance Release 1.0.4.573; No content updates made.

9/21/2011

Minor update to Table 1 “Supported Network Access Devices”

9/13/2011

Minor update to Table 1 “Supported Network Access Devices”

9/1/2011

Minor updates to Table 3 “ Apple Mac OS X”

8/26/2011

Content updates for Cisco Identity Services Engine Maintenance Release 1.0.4.558:

Related Documentation

Release-Specific Documents

Table 8 lists the product documentation available for the Cisco ISE Release. General product information for Cisco ISE is available at http://www.cisco.com/go/ise . End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html .

 

Table 8 Product Documentation for Cisco Identity Services Engine

Document Title
Location

Release Notes for the Cisco Identity Services Engine, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html

Cisco Identity Services Engine User Guide, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.0.4

http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation , which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.