Release Notes for Cisco Identity Services Engine, Release 1.0.4


Revised: August 14, 2013, OL-25482-01

Contents

These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (ISE) Maintenance Release 1.0.4. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics:

Cisco Identity Services Engine Releases

Introduction

Node Types, Personas, Roles, and Services

Hardware Requirements

Installing Cisco ISE Software

Upgrading Cisco ISE Software

Cisco Secure ACS to Cisco ISE Migration

Cisco ISE License Information

Key Features in Maintenance Release 1.0.4

Cisco ISE Install Files, Updates, and Client Resources

Cisco ISE Antivirus and Antispyware Support

Cisco ISE Patch Release Updates

Cisco ISE Release 1.0.4 Open Caveats

Cisco ISE Release 1.0.4 Resolved Caveats

Known Issues

Documentation Updates

Related Documentation

Cisco Identity Services Engine Releases

| Date | Release |
|---|---|
| 18 May, 2011 | Cisco Identity Services Engine Release 1.0.0.377 |
| 26 August, 2011 | Cisco Identity Services Engine Maintenance Release 1.0.4.558 |
| 30 September, 2011 | Cisco Identity Services Engine Maintenance Release 1.0.4.573 |


Introduction

The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. Cisco ISE offers authenticated network access, profiling, posture, guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE ships on a range of physical appliances with different performance characterization and also allows the addition of more appliances to a deployment for performance, scale, and resiliency. Cisco ISE has a highly available and scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. Cisco ISE also allows for configuration and management of distinct Cisco ISE personas and services. This feature gives you the ability to create and apply Cisco ISE services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.

Node Types, Personas, Roles, and Services

Cisco ISE provides a highly available and scalable architecture that supports both standalone and distributed deployments. In a distributed environment, you configure one primary Administration node and the rest are secondary nodes. The topics in this section provide information about Cisco ISE terminology, supported node types, distributed deployment, and the basic architecture.

Cisco ISE Deployment Terminology

Table 1-1 describes some of the common terms used in Cisco ISE deployment scenarios.

Table 1-1 Cisco ISE Deployment Terminology

| Term | Description |
|---|---|
| Service | A service is a specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring. |
| Node | A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node. |
| Node type | A node can be of two types: ISE node and Inline Posture node. The node type and persona determine the type of functionality provided by that node. |
| Persona | The persona or personas of a node determine the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. |
| Role | Determines if a node is a standalone, primary, or secondary node. Applies only to Administration and Monitoring nodes. |


Types of Nodes

A Cisco ISE network has only two types of nodes:

Cisco ISE node—An ISE node could assume any of the following three personas:

Administration—Allows you to perform all administrative operations on Cisco ISE. It handles all system-related configuration and configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have only one or a maximum of two nodes running the Administration persona. The Administration persona can take on any one of the following roles: standalone, primary, or secondary. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.

Policy Service—Provides network access, posture, guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there would be more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer share a common multicast address and can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.


Note At least one node in your distributed setup should assume the Policy Service persona.


Monitoring—Enables Cisco ISE to function as the log collector and store log messages from all the Administration and Policy Service personas on the ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.

A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports. Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.


Note At least one node in your distributed setup should assume the Monitoring persona.


Inline Posture node—A gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and virtual private network (VPN) concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles Change of Authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes that can take on primary or secondary roles for high availability.


Note An Inline Posture node is dedicated solely to that service, and cannot operate concurrently with other ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.



Note Each ISE node in a deployment can assume more than one of the three personas (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role.


In a distributed deployment, you can have the following combination of nodes on your network:

Primary and secondary Administration nodes

Primary and secondary Monitoring nodes

One or more Policy Service nodes

One or more Inline Posture nodes

You can change the persona of a node. See the "Setting Up ISE in a Distributed Environment" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 for information on how to configure these personas on Cisco ISE nodes.

Hardware Requirements

This section describes the following topics:

Supported Hardware

Supported Virtual Environments

Supported Browsers

Cisco ISE License Information

Additional Support Information


Note For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.


Supported Hardware

Cisco ISE software is packaged with your appliance or image for installation. After installation, you can configure Cisco ISE as any of the specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms that are listed in Table 2.

Table 2 Supported Hardware and Personas

| Hardware Platform | Persona | Configuration |
|---|---|---|
| Cisco ISE-3315-K9 (small) | Any | 1x Xeon 2.66 GHz quad-core processor; 4 GB RAM; 2 x 250 GB SATA[1] HDD[2]; 4x 1 GB NIC[3] |
| Cisco ISE-3355-K9 (medium) | Any | 1x Nehalem 2.0 GHz quad-core processor; 4 GB RAM; 2 x 300 GB 2.5 in. SATA HDD; RAID[4] (disabled); 4x 1 GB NIC; Redundant AC power |
| Cisco ISE-3395-K9 (large) | Any | 2x Nehalem 2.0 GHz quad-core processor; 4 GB RAM; 4 x 300 GB 2.5 in. SAS II HDD; RAID 1; 4x 1 GB NIC; Redundant AC power |
| Cisco ISE-VM-K9 (VMware) | Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture) | CPU—Intel Dual-Core; 2.13 GHz or faster. Memory—4 GB RAM[5]. Hard Disks (minimum allocated memory): Stand-alone—200 GB; Administration—200 GB; Policy Service and Monitoring—200 GB; Monitoring—200 GB; Policy Service—60 GB. Note: Cisco does not recommend allocating any more than 600 GB maximum space for any node. NIC—1 GB NIC interface required (4 NICs are recommended). Supported VMware versions include: ESX 4.x; ESXi 4.x. Note: For an evaluation or production version, the minimum disk space is 60 GB. |

[1] SATA = Serial Advanced Technology Attachment

[2] HDD = hard disk drive

[3] NIC = network interface card

[4] RAID = redundant array of independent disks

[5] Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.


If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large deployments.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

VMware Server v2.0 (Demo Only)

VMware ESX 4.x

VMware ESXi 4.x

Supported Browsers

You can access the Cisco ISE administrative user interface using the following browsers:

Mozilla Firefox 3.6

Microsoft Internet Explorer 8

Additional Support Information

Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4 for information on supported devices and agents.

Installing Cisco ISE Software

The following steps summarize how to install new Cisco ISE Release 1.0.4 DVD software on supported hardware platforms (see Supported Hardware for support details).

With Cisco ISE Release 1.0.4, installation occurs in two phases:

1. The software is installed from the DVD, and when complete, the DVD is ejected from the appliance.

2. The administrator logs in and performs the initial configuration.


Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials.

Step 2 Navigate to Security > Identity Management > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Step 3 Download the appropriate Cisco ISE .ISO image (for example, ise-1.0.4.573.i386.iso) and burn the image as a bootable disk to a DVD-R.

Step 4 Insert the DVD into the DVD-R drive of each appliance, and reboot the appliance to initiate the Cisco ISE DVD installation process.

Step 5 (If necessary) Install a valid FlexLM product license file and perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4. Before you run the setup program, ensure that you know the configuration parameters listed in Table 3.


Table 3 Identity Services Engine Network Configuration Parameters for Setup

| Prompt | Description | Example |
|---|---|---|
| Hostname | Must not exceed 19 characters. Valid characters include alphanumeric (A-Z, a-z, 0-9), hyphen (-), with a requirement that the first character must be an alphabetic character. Note: Cisco does not recommend using mixed case and hyphens in the hostname. | ise-node1 |
| (eth0) Ethernet interface address | Must be a valid IPv4 address for the eth0 Ethernet interface. | 10.12.13.14 |
| Netmask | Must be a valid IPv4 address for the netmask. | 255.255.255.0 |
| Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1 |
| DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numbers, hyphen (-), and period (.). | mycompany.com |
| Primary name server | Must be a valid IPv4 address for the primary Name server. | 10.15.20.25 |
| Add/Edit another name server | Must be a valid IPv4 address for an additional Name server. | (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue. |
| Primary NTP server | Must be a valid NTP server in a domain reachable from Cisco ISE.[1] | clock.nist.gov |
| Add/Edit another NTP server | Must be a valid NTP server in a domain reachable from Cisco ISE.[1] | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. |
| System Time Zone | Must be a valid time zone. Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4 for a table of time zones that Cisco ISE supports. The default value is UTC.[2] Note: The table lists the frequently used time zones. You can run the show timezone command from the Cisco ISE CLI for a complete list of supported time zones. | UTC |
| Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default, you must create a new username, which must be from 3 to 8 characters in length, and be composed of valid alphanumeric characters (A-Z, a-z, or 0-9). | admin (default) |
| Password | Identifies the administrative password used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). | MyIseYP@@ss |
| Database Administrator Password | Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). Note: Once you configure this password, Cisco ISE uses it "internally." That is, you do not have to enter it when logging into the system at all. | ISE4adbp@ss |
| Database User Password | Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). Note: Once you configure this password, Cisco ISE uses it "internally." That is, you do not have to enter it when logging into the system at all. | ISE5udbp@ss |

[1] Changing the NTP server specification after Cisco ISE installation will likely affect the entire deployment.

[2] Changing the time zone specification after Cisco ISE installation will likely affect the entire deployment.



Note For additional information on configuring and managing Cisco ISE, use the list of documents in Release-Specific Documents to access other documents in the Cisco ISE documentation suite.
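
A pre-flight check of the Table 3 setup parameters, written for these notes as an added example (it is not Cisco code and not part of the setup program). The dictionary keys and function names are this example's own, and the gateway-in-subnet test is an extra sanity check that Table 3 does not state.

```python
import ipaddress
import re

# Rules below are transcribed from Table 3; the dictionary keys are this example's own.
HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")  # "ASCII characters" read here as letters


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_netmask(value):
    """True for a contiguous IPv4 netmask such as 255.255.255.0."""
    if not is_ipv4(value):
        return False
    inverted = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def password_problems(password, min_len):
    """Check the length and character-class rules Table 3 gives for passwords."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    return problems


def validate_setup(p):
    """Return {key: [problems]} for every parameter that breaks a rule."""
    errors = {}

    def fail(key, msg):
        errors.setdefault(key, []).append(msg)

    host = p["hostname"]
    if len(host) > 19:
        fail("hostname", "exceeds 19 characters")
    if not HOSTNAME_RE.fullmatch(host):
        fail("hostname", "must start with a letter; only A-Z, a-z, 0-9, hyphen")

    for key in ("ip", "gateway", "name_server"):
        if not is_ipv4(p[key]):
            fail(key, "not a valid IPv4 address")
    if not is_netmask(p["netmask"]):
        fail("netmask", "not a valid IPv4 netmask")

    # Added sanity check, not a Table 3 rule: the gateway should sit on eth0's subnet.
    if not errors.keys() & {"ip", "gateway", "netmask"}:
        net = ipaddress.IPv4Network(f'{p["ip"]}/{p["netmask"]}', strict=False)
        if ipaddress.IPv4Address(p["gateway"]) not in net:
            fail("gateway", "outside the eth0 subnet")

    domain = p["domain"]
    if is_ipv4(domain) or not DOMAIN_RE.fullmatch(domain):
        fail("domain", "must be a name (letters, numbers, hyphen, period), not an IP")

    if not USERNAME_RE.fullmatch(p["username"]):
        fail("username", "must be 3 to 8 alphanumeric characters")

    # CLI password: minimum 6; both database passwords: minimum 11.
    for key, min_len in (("password", 6), ("db_admin_password", 11),
                         ("db_user_password", 11)):
        for problem in password_problems(p[key], min_len):
            fail(key, problem)
    return errors


# Values copied from the Example column of Table 3.
TABLE3_EXAMPLES = {
    "hostname": "ise-node1", "ip": "10.12.13.14", "netmask": "255.255.255.0",
    "gateway": "10.12.13.1", "domain": "mycompany.com",
    "name_server": "10.15.20.25", "username": "admin",
    "password": "MyIseYP@@ss",  # contains no digit, so the stated rule flags it
    "db_admin_password": "ISE4adbp@ss", "db_user_password": "ISE5udbp@ss",
}

if __name__ == "__main__":
    for key, problems in validate_setup(TABLE3_EXAMPLES).items():
        print(f"{key}: {', '.join(problems)}")
```
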


Upgrading Cisco ISE Software

If you installed Cisco Identity Services Engine Release 1.0 or Cisco Identity Services Engine Maintenance Release 1.0.4.558 previously and are planning to upgrade to the latest Cisco ISE Maintenance Release 1.0.4, be sure to follow the upgrade instructions in the "Upgrading Cisco ISE" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.


Note There is a known issue regarding default "admin" administrator user interface access following upgrade from Cisco Identity Services Engine Release version 1.0.3.377 to Cisco Identity Services Engine Maintenance Release 1.0.4.573. See Known Issue with Upgrade from Cisco ISE Release 1.0.3.377 for details.



Note If you want to replace a Cisco ISE appliance running Cisco Identity Services Engine Maintenance Release 1.0.4.558 with a new Cisco ISE running Cisco Identity Services Engine Maintenance Release 1.0.4.573, you must upgrade the appliance running version 1.0.4.558 to 1.0.4.573 before creating a database backup image, which you can then restore on the new appliance running version 1.0.4.573.


Cisco Secure ACS to Cisco ISE Migration


Note You must upgrade your Cisco Secure ACS deployment to Release 5.1 or 5.2 before you attempt to perform the migration process to Cisco Identity Services Engine.

After you have moved your Cisco Secure ACS 5.1 or 5.2 database over, you will notice some differences in existing data types and elements as they appear in the new Cisco Identity Services Engine Maintenance Release 1.0.4.573 environment.

The only currently supported browser for downloading the migration tool files is Firefox version 3.6.x. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.


Complete instructions for moving your Cisco Secure ACS 5.1 or 5.2 database to Cisco Identity Services Engine Maintenance Release 1.0.4.573 are covered in the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.

Cisco ISE License Information

Cisco ISE comes with a 90-day Base and Advanced package evaluation license already installed on the system. After you have installed the Cisco ISE software and initially configured the primary Administration persona, you must obtain and apply a Base, Base and Advanced, or Wireless license for your Cisco ISE. Table 4 summarizes the Cisco ISE license types. (Although the evaluation license allows you to provide support for both wired and wireless users, purchasing and applying a Wireless License option cuts off support for any wired users you may have been supporting during the evaluation period.)

Table 4 Cisco ISE License Types and Supported Services

| Cisco ISE License Type | Supported Services |
|---|---|
| Base package—Provides authenticated network access, guest life-cycle management, and advanced monitoring and troubleshooting. | Basic Network Access; Guest Management; Link encryption |
| Advanced package—Provides posture, profiling, advanced monitoring and troubleshooting, and security group access services. You cannot add advanced licenses before adding base licenses, and the number of advanced licenses cannot exceed the number of base licenses. | Profiler; Posture; Security Group Access |
| Wireless package—Provides a flexible option to exclusively wireless service providers that not only offers the essential Base License functions like basic network access (authentication and authorization), Guest services, and link encryption, but also all Advanced License services, including Profiler, Posture, and Security Group Access services. | Basic Network Access; Guest Management; Link encryption; Profiler; Posture; Security Group Access |



Note Wireless Licenses cannot coexist on an Administration ISE node with Base or Base and Advanced Licenses.


Licenses are centrally managed by the Administration ISE node. In a distributed deployment, where two Cisco ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.

For more detailed information on license types and obtaining licenses for Cisco ISE, see the "Performing Post-Installation Tasks" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.

For specific information on adding, modifying, and removing license files, see the "Managing Licenses" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.

For detailed information and license part numbers available for Cisco ISE, including licensing options for new installations as well as migration from an existing Cisco security product like Cisco Secure Access Control System, see the Cisco Identity Services Engine Ordering Guidelines at http://www.cisco.com/en/US/products/ps11195/prod_bulletins_list.html.

Key Features in Maintenance Release 1.0.4

Cisco ISE Maintenance Release 1.0.4 offers the following features and services:

Cisco ISE Installation and Upgrade Process Updates

Wireless License Options

Cisco ISE Upgrade and Backup and Restore Enhancements

Administrator Lockout and Administrator Password Reset

Windows IE 9 and Firefox 4.x Browsers Support

Statically Assigned Endpoint Behavior Enhancement

Correlating Endpoint IP and MAC Addresses with DHCP and RADIUS Probes

Integrating with Cisco NAC Appliance, Release 4.9

Cisco Secure ACS to Cisco ISE Migration Updates

For more information on key features of Cisco ISE, see the Overview chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.

Cisco ISE Installation and Upgrade Process Updates

Cisco has updated the installation and upgrade processes in Cisco Identity Services Engine Maintenance Release 1.0.4. During fresh installation of the 1.0.4.573 .ISO image and upgrade from 1.0.3.377 or 1.0.4.558, Cisco ISE now asks you to specify and verify database administrator and user passwords that protect database communication access among multiple Cisco ISE nodes in a distributed deployment.

For more details, see:

The "Configuring the Cisco ISE 3300 Series Appliance" and "Upgrading Cisco ISE" chapters of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4

The Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4


Note If you want to replace a Cisco ISE appliance running Cisco Identity Services Engine Maintenance Release 1.0.4.558 with a new Cisco ISE running Cisco Identity Services Engine Maintenance Release 1.0.4.573, you must upgrade the appliance running version 1.0.4.558 to 1.0.4.573 before creating a database backup image, which you can then restore on the new appliance running version 1.0.4.573.


Wireless License Options

The new Wireless License options available in Cisco ISE Maintenance Release 1.0.4 enable the same number of endpoints on both the existing Base and Advanced license package. However, the devices that are supported with this type of license are restricted to wireless devices. It is possible to subsequently remove this restriction by installing a Wireless Upgrade license that enables the base and advanced package feature support for all types of devices.

For more information on the new Wireless License options, see the "Performing Post-Installation Tasks" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.

Cisco ISE Upgrade and Backup and Restore Enhancements

Cisco ISE, Release 1.0.4 supports upgrading Cisco ISE from a previous release that already has patches installed on it, or from any maintenance release. You can upgrade the Cisco ISE 1.0 release to Cisco ISE Maintenance Release 1.0.4. In addition, you can migrate from Cisco Secure Access Control System (ACS) 5.1 and 5.2 releases to Cisco ISE, Release 1.0. After you migrate to Cisco ISE, Release 1.0, you can then upgrade Cisco ISE to the latest release.

For more information on the upgrade and backup procedures, see the "Upgrading Cisco ISE" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.

Administrator Lockout and Administrator Password Reset

In Cisco ISE, Release 1.0.4, if you enter an incorrect password for your specified administrator user ID enough times, the Cisco ISE user interface "locks you out" of the system, adds a log entry in the Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report, and suspends the credentials for that administrator ID until you have an opportunity to reset the password associated with that administrator ID. The number of failed attempts required to disable the administrator account is configurable according to the guidelines described in the "Configuring a Password Policy for Administrator Accounts" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.

The instructions on how to reset the "locked" administrator password are described in the "Performing Post-Installation Tasks" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.

Windows IE 9 and Firefox 4.x Browsers Support

The Cisco ISE, Release 1.0.4 supports Windows IE 9 and Firefox 4.x browsers for the client and sponsor portals.

For more information on the supported browsers and OS, see Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4.

Statically Assigned Endpoint Behavior Enhancement

Cisco ISE, Release 1.0.4 changes license accounting so that endpoints statically assigned to a profile do not consume advanced licenses. Only the number of dynamically profiled endpoints is compared against the limit of the advanced licenses. Endpoints that are statically assigned to a profile are now excluded from utilizing licenses included in the advanced license package, but they are still compared against the limit of base licenses. Previously, Cisco ISE, Release 1.0 compared the total number of concurrent endpoints across the entire deployment against the limit of the advanced licenses.

Correlating Endpoint IP and MAC Addresses with DHCP and RADIUS Probes

The Cisco ISE, Release 1.0.4 implements an ARP cache in the profiler service so that you can reliably map IP addresses and MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe. The DHCP and RADIUS probes carry IP addresses and MAC addresses of endpoints in the payload data. The dhcp-requested address attribute in the DHCP probe and Framed-IP-address attribute in the RADIUS probe carry the IP addresses of endpoints along with their MAC addresses, which can be mapped and stored in the ARP cache.
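
The kind of IP-to-MAC correlation described above, as an added sketch that is not Cisco ISE code. The event dictionaries are constructed, and the fields used for the MAC address (`chaddr` for DHCP, `Calling-Station-Id` for RADIUS) are assumptions of this example, since the release notes name only the attributes that carry the IP address.

```python
import ipaddress
import re


def normalize_mac(raw):
    """Return a MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", raw or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class ArpCache:
    """IP <-> MAC bindings learned from probe data; the newest binding wins."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ip = {}
        # (ip, old_mac, new_mac, source) each time an IP moves to another MAC;
        # worth reviewing, because it is either lease reuse or a conflicting claim.
        self.changes = []

    def learn(self, ip, mac, source):
        mac = normalize_mac(mac)
        if mac is None or not ip:
            return False
        try:
            ip = str(ipaddress.IPv4Address(ip))
        except ValueError:
            return False

        old_mac = self.ip_to_mac.get(ip)
        if old_mac and old_mac != mac:
            self.changes.append((ip, old_mac, mac, source))
            if self.mac_to_ip.get(old_mac) == ip:
                del self.mac_to_ip[old_mac]

        old_ip = self.mac_to_ip.get(mac)
        if old_ip and old_ip != ip and self.ip_to_mac.get(old_ip) == mac:
            del self.ip_to_mac[old_ip]  # endpoint moved to a new address

        self.ip_to_mac[ip] = mac
        self.mac_to_ip[mac] = ip
        return True


def feed(cache, event):
    """Pull the IP/MAC pair out of one probe event and store it."""
    if event["probe"] == "dhcp":
        return cache.learn(event.get("dhcp-requested-address"),
                           event.get("chaddr"), "dhcp")
    if event["probe"] == "radius":
        return cache.learn(event.get("Framed-IP-Address"),
                           event.get("Calling-Station-Id"), "radius")
    return False


def build_cache(events):
    """Return (cache, number of events that carried no usable IP/MAC pair)."""
    cache = ArpCache()
    skipped = sum(0 if feed(cache, e) else 1 for e in events)
    return cache, skipped


# Constructed probe events; addresses and MACs are made up for the example.
CONSTRUCTED_EVENTS = [
    {"probe": "dhcp", "chaddr": "00:1a:2b:3c:4d:5e",
     "dhcp-requested-address": "10.12.13.50"},
    {"probe": "radius", "Calling-Station-Id": "00-1A-2B-3C-4D-5E",
     "Framed-IP-Address": "10.12.13.50"},          # same binding, other format
    {"probe": "radius", "Calling-Station-Id": "001a.2b3c.4d99",
     "Framed-IP-Address": "10.12.13.51"},
    {"probe": "dhcp", "chaddr": "00:1a:2b:3c:4d:5e",
     "dhcp-requested-address": "10.12.13.60"},     # endpoint changes address
    {"probe": "radius", "Calling-Station-Id": "00-1A-2B-3C-4D-77",
     "Framed-IP-Address": "10.12.13.51"},          # IP now claimed by another MAC
    {"probe": "radius", "Calling-Station-Id": "00-1A-2B-3C-4D-77"},  # no IP yet
]

if __name__ == "__main__":
    cache, skipped = build_cache(CONSTRUCTED_EVENTS)
    for ip, mac in sorted(cache.ip_to_mac.items()):
        print(ip, mac)
    print("IP moved between MACs:", cache.changes, "skipped:", skipped)
```
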

Integrating with Cisco NAC Appliance, Release 4.9

The Cisco ISE, Release 1.0.4 now supports integration with Cisco Network Admission Control (NAC) Appliance, Release 4.9. The integration support is compatible only with the Cisco NAC Appliance, Release 4.9 and available when you have installed an advanced or wireless license on the maintenance release of Cisco ISE.

Integrating Cisco ISE, Release 1.0.4 with Cisco NAC Appliance, Release 4.9 allows you to utilize the Cisco ISE profiler services in a Cisco NAC deployment. The Cisco ISE profiler is similar to the Cisco Network Admission Control (NAC) Profiler in a Cisco NAC deployment, which manages endpoints in an enterprise network. This integration allows you to replace the existing Cisco NAC Profiler that is installed in a Cisco NAC deployment. It allows you to synchronize profile names from the Cisco ISE profiler, as well as the result of endpoint classification into the Cisco Clean Access Manager (CAM).

Cisco Secure ACS to Cisco ISE Migration Updates

Authentication and Authorization policies are not migrated. It is the responsibility of the administrator performing migration to define the policies manually.

For more information on the migration policies, see Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.

Cisco ISE Install Files, Updates, and Client Resources

There are three resources you can use to download installation packages, update packages, and other client resources necessary to provision and provide policy service in Cisco ISE:

Cisco ISE Downloads from the Cisco Download Software Center

Cisco ISE Live Updates

Cisco ISE Offline Updates

Cisco ISE Downloads from the Cisco Download Software Center

In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE on your appliance as described in Installing Cisco ISE Software, you can use the same software download location to retrieve other vital Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules. Use this portal to get your first software packages prior to configuring your Cisco ISE deployment.


Note The downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.


To access the Cisco Download Software Center and download the necessary software from Cisco:


Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials.

Step 2 Navigate to Security > Identity Management > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Cisco ISE installers and software packages available for download:

Cisco ISE installer .ISO image

Windows client machine agent installation files (including MST and MSI versions for manual provisioning)

Mac OS X client machine agent installation files

AV/AS compliance modules

Step 3 Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment.


Cisco ISE Live Updates

Cisco ISE Live Update locations allow you to automatically download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. These live update portals should be configured in ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the ISE appliance.

Prerequisite:

If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings under Administration > System > Settings > Proxy before you are able to access the Live Update locations. For more information on proxy settings, see the "Specifying Proxy Settings in Cisco ISE" section in the "Configuring Client Provisioning Policies" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.

Client Provisioning and Posture Live Update portals:

Client Provisioning: https://www.cisco.com/web/secure/pmbu/provisioning-update.xml

The following software elements are available at this URL:

Windows and Mac OS X versions of the latest Cisco ISE persistent and temporal agents

ActiveX and Java Applet installer helpers

AV/AS compliance module files

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Downloading Client Provisioning Resources Automatically" section of the "Configuring Client Provisioning Policies" chapter in the Cisco Identity Services Engine User Guide, Release 1.0.4.

Posture: https://www.cisco.com/web/secure/pmbu/posture-update.xml

The following software elements are available at this URL:

Cisco predefined checks and rules

Windows and Mac OS X AV/AS support charts

Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Dynamic Posture Updates" section of the "Configuring Client Posture Policies" chapter in the Cisco Identity Services Engine User Guide, Release 1.0.4.

If you do not enable the automatic download capabilities described above in Cisco ISE, you can choose offline updates. See Cisco ISE Offline Updates.

Cisco ISE Offline Updates

Cisco ISE offline updates allow you to manually download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates in environments where direct Internet access to Cisco.com from the ISE appliance is not available or not permitted by security policy.

To upload offline client provisioning resources, complete the following steps:


Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials.

Step 2 Navigate to Security > Identity Management > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Off-Line Installation Packages available for download:

compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation Package

macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package

nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package

webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package

Step 3 Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment.


For more information on adding the downloaded Installation Packages to Cisco ISE, refer to the "Adding Client Provisioning Resources from a Local Machine" section of the "Configuring Client Posture Policies" chapter in the Cisco Identity Services Engine User Guide, Release 1.0.4.

You can update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information offline from an archive on your local system using the posture updates.

For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use this portal once you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.

To upload offline posture updates, complete the following steps:


Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.

The File Download window appears. From the File Download window, you can choose to save the posture-offline.zip file to your local system. This file is used to update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information.

Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 3 Click the arrow to view the settings for posture.

Step 4 Choose Updates. The Posture Updates page appears.

Step 5 From the Posture Updates page, choose the Offline option.

Step 6 From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system.


Note The File to update field is a required (mandatory) field and it cannot be left empty. You can only select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar, and .gz) are not allowed.


Step 7 Click the Update Now button.

Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.


Cisco ISE Antivirus and Antispyware Support

See the following Cisco ISE documents for specific antivirus and antispyware support details:

Cisco Identity Services Engine Release 1.0.4 Supported Windows AV/AS Products

Cisco Identity Services Engine Release 1.0.4 Supported Mac OS X AV/AS Products

Cisco ISE Patch Release Updates

Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 6

Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 5

Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 4

Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 3

Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 2

Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 1

Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 6

Table 5 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 6.

You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise, the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 6 is a cumulative patch, you can apply it to any of the following maintenance release versions:

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 5

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 4

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1

Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 5 Cisco ISE Patch Version 1.1.1.268—Patch 6 Resolved Caveats

Caveat
Description

CSCui22841

Apache Struts2 command execution vulnerability

Cisco ISE includes a version of Apache Struts that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID: CVE-2013-2251. This fix addresses the potential impact on this product.


Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 5

Table 6 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 5.

You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise, the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 5 is a cumulative patch, you can apply it to any of the following maintenance release versions:

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 4

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1

Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.0.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 for instructions on how to apply the patch to your system.

Table 6 Cisco ISE Patch Version 1.0.4.573—Patch 5 Resolved Caveats 

Caveat
Description

CSCtz46247

After deregistering a secondary node from the deployment, there is no valid license

An issue exists where, if the system has been operational for more than 90 days, then after the secondary server is deregistered during upgrade and restarts in standalone mode, it is not then possible to access the administrator user interface because the machine now has an "expired" evaluation license. This fix ensures that in such a situation, a valid temporary license is retained for upgrade purposes.

CSCtz54548

Evaluation license validity date is wrong on de-registered secondary node

This resolution provides for a fix to enable a temporary 30-day evaluation license on a secondary node that is de-registered during upgrade from an earlier version of Cisco ISE.

Note This issue has been observed using both three- and five-year Base and Advanced term licenses.


Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 4

Table 7 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 4.

You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise, the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 4 is a cumulative patch, you can apply it to any of the following maintenance release versions:

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1

Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)

To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 for instructions on how to apply the patch to your system.

Table 7 Cisco ISE Patch Version 1.0.4.573—Patch 4 Resolved Caveats 

Caveat
Description

CSCtt24622

IP table rules not persistent across reboot

When the Guest SSL port is changed from 8443 to another value (like 4443, for example) the change takes place and guest authentication is successful to the new port. After Cisco ISE gets rebooted, however, port 4443 is still open but no traffic is accepted by the port because the "iptables" rule does not persist through reboot.

CSCtu95775

Showtech.out file does not include show version output

"show version" command output now accompanies RPM versions listed in the show tech.out file in a support bundle. This helps the engineers more easily see what version the customer is running and what patches (if any) are installed.

CSCtw61515

Cisco ISE does not display a message when attempting to add a node with a different database password

When you add a node with a different admin and user db password, Cisco ISE now displays an error message. (This fix also addresses issues where the administrator database passwords are the same but user database passwords are different and vice versa.)

CSCtx21412

Cisco ISE does not recover when the LDAP connection closes without notification

This fix addresses an issue where LDAP connections were passing through a third-party firewall that closed the connection due to an idle timeout setting without notice to either Cisco ISE or the LDAP server. Cisco ISE could not assume that the connection would remain open after a period of inactivity, nor was it notified that the connection was closed.


Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 3

Table 8 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3.

You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise, the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 3 is a cumulative patch, you can apply it to any of the following maintenance release versions:

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2

Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1

Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)

To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 for instructions on how to apply the patch to your system.

Table 8 Cisco ISE Patch Version 1.0.4.573—Patch 3 Resolved Caveats 

Caveat
Description

CSCts19672

Inline Posture not handling third-party controller RADIUS Access-Request calls correctly

A "tcpdump" from the Inline Posture node reveals that Cisco ISE is receiving RADIUS Access-Request from third-party controllers, but is not forwarding that request to the associated Policy Service node.

CSCts56992

Not all debug logs included in support bundles

After using the Cisco ISE administrator user interface to create a support bundle file that includes all debug logs, it was discovered that the bundle was missing certain files, such as ad_agent.log and ise-tracking.log. By comparison, all files of the backup files created under /opt/CSCOcpm/logs are included as designed.

CSCts57010

User interface "undo_tablespace" function takes up too much file system space

This issue was observed on a VMware installation operating as an Administrative ISE node, Monitoring node, and Policy Service node combination. The file system memory usage was severe enough to even disable simple administrator browser login sessions.

CSCtt47520

Cisco ISE Wireless license does not accurately count wireless devices

This fix addresses an issue where Cisco ISE has been designed to display the same Base license user count as the Wireless user count, but is actually displaying only the Base Evaluation license count.

Note The Advanced license user count shows only the Wireless user count, as designed.


Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 2

Table 9 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2.

To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 for instructions on how to apply the patch to your system.


Note This patch application process requires the Cisco ISE primary Administration node to restart multiple times, due to an ADE-OS update. If you are installing or rolling back from the primary Administration ISE node user interface, the node restarts once again after the patch has been installed in all of the secondary nodes in your deployment. You can verify the current status of the Cisco ISE using the "show application status ise" CLI command after the patch application process is complete. In addition, because the primary Administration ISE node restarts more than once, you may observe erroneous alarms triggered on the dashboard, indicating that the patch install/rollback failed on a secondary node, when in reality the patch application has taken place correctly. If such an alarm appears, please verify status using the show version CLI command on the secondary node in question, or check the node status indicated on the patch management page in the primary node administrator user interface to verify whether the secondary node has the patch successfully installed.


Table 9 Cisco ISE Patch Version 1.0.4.573—Patch 2 Resolved Caveats 

Caveat
Description

CSCto66151

Cisco ISE application server function remains in "initializing" state perpetually

This fix addresses an issue where multiple transactions were locking up on the secondary node. The transactions would all initiate simultaneously and wind up waiting on the same Cisco ISE resource.

CSCtr87810

Issue updating RBAC policy

This fix addresses an issue seen while editing a custom RBAC policy in a way that would change the permission level (either Menu or Data). Cisco ISE would sometimes return error messages, and the new permission settings would not get applied to the policy.

CSCts82012

Edit Data Access Permission returns console terminal exceptions

This fix allows users to edit "Data Access Permissions" during RBAC policy configuration. Previously, Cisco ISE could occasionally return error messages when you tried to edit existing "Data Access Permission" settings.

CSCtt16149

Submenus and links showing even when set to "Hide" under RBAC Menu Access

This fix addresses an issue involving inconsistent behavior in third-level menu item appearance and display while specifying admin user menu permissions. While navigating to third-level menu items and selecting the Show Permission option, Cisco ISE was saving more than that specific menu item. Now the administrator is able to view only the specified third-level menu item.

CSCtt19362

Sponsor should see Guest details/password only before first login

After the password has been modified by the guest user and is no longer randomly generated, the sponsor then cannot view the password anymore.


Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 1

Table 10 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1.

To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 for instructions on how to apply the patch to your system.

Table 10 Cisco ISE Patch Version 1.0.4.573—Patch 1 Resolved Caveats 

Caveat
Description

CSCtj88493

Exception observed after enabling probes in deployment

This fix resolves an issue where Profiler probes led to repeated "Error: Too many instances, exceeds 10" messages when probes were configured on multiple interfaces and changing often. In addition, the probe would usually also stop working.

No more of these types of exceptions should appear following this fix.

CSCts32219

Netflow probe not working until restarting Cisco ISE services

This resolution fixes an issue where newly enabled NetFlow probes were not collecting flows as designed until restarting Cisco ISE services on the appliance where the probes are configured.

CSCts82913

Unexpected error detected by Java Runtime Environment

This fix addresses an issue where Profiler probes would occasionally crash while being enabled.

CSCts98931

Policy Service node crashing when DHCP span probe is enabled on all interfaces

This fix addresses an issue where enabling Profiler probes on all of the interfaces on the Policy Service node would cause the node to fail and not restart.

CSCtt12870

No alarm email notifications since upgrading to version 1.0.4.573

This fix addresses a problem where Monitoring and Troubleshooting nodes that were not co-located with the primary Administrative ISE node were not sending out alarms via e-mail as configured.


Cisco ISE Release 1.0.4 Open Caveats

Cisco ISE Release 1.0.4.573 Appliance Open Caveats

Cisco ISE Release 1.0.4.573 Agent Open Caveats

Cisco ISE Release 1.0.4.573 Appliance Open Caveats

Table 11 Cisco ISE Release 1.0.4.573 Appliance Open Caveats 

Caveat
Description

CSCtc70053

Browser "Back" button not working properly

This issue has been observed in the Cisco ISE list page when switching from the list view to edit view (i.e., when you click the Create or Edit button).

Workaround   There is no known workaround for this issue.

CSCtj00178

Group QuickFilters not working as designed

After the administrator runs and saves an advanced filter, Cisco ISE does not display the "Successful Save" pop-up after the filter is saved.

This issue has been observed using the Admin Groups, User Identity Groups, Endpoint Identity Groups, and Guest Sponsor Groups filter options.

Workaround   There is no known workaround for this issue.

CSCtj25158

Exported admin should not be imported back as Network Access User

This problem occurs when Network Access Users are promoted to Administrators in Cisco ISE and then exported. When you re-import those users, they appear as Network Access Users only. Cisco ISE does not import the promoted users as Administrators.

Workaround   There is no known workaround for this issue.

CSCtj37325

Profiler Attribute value exceeds maximum 4000 character length

Endpoints are not profiled nor are new attributes updated when at least one Profiler Endpoint Attribute is greater than 4000 characters in length.

CSCtj76835

Unable to retrieve a saved Authentication Trend report

Symptom    Two steps are necessary to save an Authentication Trend report:

1. Select the folder.

2. Name the file.

If you do not select a folder from the list that is presented, the report should be saved in the root folder and should appear in the Reports tab. You can observe that the files are saved, but they do not appear in the left side pane and there is no option to retrieve the files.

Conditions   Saving an Authentication Trend report without selecting a folder.

Workaround   Do not save the report under the root folder. Always choose a subfolder.

CSCtj81255

Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.

Symptom    Two MAC addresses are detected on the switch interface connected to an ACS 1121 Appliance although only one interface is connected on the ACS 1121 Server eth0.

Conditions   Only one Ethernet interface, eth0 is connected between ACS and Switch.

Workaround   Disable BMC (Baseboard Management Controller) feature using BIOS setup.


Caution To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

CSCtj94813

Left side administrator user interface pane "Search Result" option is not working as expected

1. If you enter available data and click the search option, it does not display properly.

2. If the option displays some data and if you enter another value, it does not refresh the data properly.

3. The option does not display the layered/structured model as designed.

In addition, you are not able to go back to previous menu.

Workaround   There is no known workaround for this issue.

CSCtk17648

IE8—Network Device Management missing from the Cisco ISE Administrator Tab

This issue has been observed when changing the zoom setting in Internet Explorer 8 using the control and plus (+)/minus (-) keys.

Workaround   If the menu is missing, change the zoom to the default value and refresh the page.

CSCtk32480

Local certificate export failed after deleting trusted certificate

After you delete a trusted certificate, the local certificate export operation (Administration > System > Certificates > Local Certificates > Export) fails. Instead of being prompted for the export file destination, nothing happens.

Workaround   Reload the page using the browser reload function. This should reload all of the JavaScript files for the page and allow you to export the local certificate.

CSCtk37360

Administrator is not able to customize report in Internet Explorer 8

Monitoring and troubleshooting reporting functions related to column selection and entry deletion/aggregation, etc. are not working as designed.

This issue can come up using the following versions of Internet Explorer 8:

IE 8.0.6001.18702 on Windows XP

IE 8.0.6001.18702IC on Windows XP

Workaround   There is no known workaround other than to avoid using the problematic browser versions.

CSCtk46958

Cisco ISE does not display a warning when navigating away from a modified page without saving

When a user changes configuration context, there is no warning indicating that the information configured on the current page is not saved, nor is there a warning indicating that all configuration changes will be lost when the user completes that context change.

Workaround   Save before navigating away from the page in question.

CSCtk82864

AAA Servers incorrectly filter with "Contains" option

When AAA servers are added to the AAA servers list (for example: a, ab) and a filter is added which includes regular expressions, Cisco ISE generates an incorrect filtered list.

Workaround   Do not use regular expressions in filters.

CSCtl56724

Network access users display filter sorted by status does not work

An issue exists in the Administration > Identity Management > Identities > Users page where Cisco ISE does not appropriately filter Network Access User entries when you click on the filter and try to specify "sort by status."

Workaround   There is no known workaround for this issue.

CSCtl70056

"Today" is not validated against the Cisco ISE Monitoring node End Date

Reports run with a custom time range (where "today" is the specified End Date) do not work and the Monitoring node returns a validation error. This issue has been observed where the time on the client machine (where a browser session is active) is earlier than that of the Cisco ISE node (for example, where the client is on PST and the Cisco ISE node is on UTC time zone).

Workaround   Change the time zone or clock on the client machine so that the current time on that server is the same or ahead of the Monitoring node.

CSCtl77592

Unable to create authorization policy with RadiusCallingStation ID condition

When the administrator uses a MAC address with a xx-xx-xx-xx-xx-xx format as the right hand side (RHS) of a condition with RADIUS "Calling station ID" dictionary attribute, it fails to match the policy decision.

Cisco ISE does not perform validation on the string value that is entered on the RHS when constructing a condition.

Workaround   Use the MAC address format xx:xx:xx:xx:xx:xx when defining conditions.
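Because Cisco ISE does not validate the right-hand side of a Calling station ID condition, a pre-check of the values you intend to enter catches the xx-xx-xx-xx-xx-xx form before it silently fails to match. The following is an added example, not Cisco code; the condition names and MAC values are constructed, and accepting dotted and unseparated input goes beyond the single format named in this caveat.

```python
import re

# Input formats accepted for rewriting. Only the colon form is what the
# workaround in this caveat says to use on the right-hand side (RHS).
SEPARATED = re.compile(r"[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")
DOTTED = re.compile(r"[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}")
BARE = re.compile(r"[0-9A-Fa-f]{12}")

# Constructed sample data: (condition name, RHS value as typed).
SAMPLE_CONDITIONS = [
    ("Printers", "00:1A:2B:3C:4D:5E"),
    ("Lab-phones", "00-1a-2b-3c-4d-5f"),
    ("Legacy-AP", "001a.2b3c.4d60"),
    ("Typo", "00-1A-2B-3C-4D"),
]


def normalize_mac(value):
    """Return value rewritten as xx:xx:xx:xx:xx:xx.

    The hex digits keep the case they were typed in, because the caveat
    specifies only the separator. Mixed separators and wrong lengths
    raise ValueError instead of being guessed at.
    """
    s = value.strip()
    if not (SEPARATED.fullmatch(s) or DOTTED.fullmatch(s) or BARE.fullmatch(s)):
        raise ValueError("not a recognizable MAC address: %r" % value)
    digits = re.sub(r"[-:.]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_conditions(conditions):
    """Classify each RHS value as 'ok', 'rewrite' or 'invalid'.

    Returns a list of (name, original, status, suggestion) tuples, where
    suggestion is the colon-separated form or None when the value cannot
    be interpreted as a MAC address.
    """
    report = []
    for name, rhs in conditions:
        try:
            fixed = normalize_mac(rhs)
        except ValueError:
            report.append((name, rhs, "invalid", None))
            continue
        status = "ok" if fixed == rhs else "rewrite"
        report.append((name, rhs, status, fixed))
    return report


if __name__ == "__main__":
    for name, rhs, status, fixed in audit_conditions(SAMPLE_CONDITIONS):
        print("%-12s %-20s %-8s %s" % (name, rhs, status, fixed or "-"))
```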

CSCtl78424

Blank right hand Network Devices pane with vertical scroll

The Network Device page contains the navigation pane on the left of the page and the network devices table on the right of the page. If there are more than 500 devices configured and the following steps have been taken, the devices table does not appear as it should:

1. Move the vertical scroll all the way to the bottom and wait a few seconds.

2. Move vertical scroll to the top and then back to the bottom again (and repeat if necessary) until the table disappears.

3. The table remains empty (blank) for 30 minutes or more.

Workaround   Manually refresh the devices page.

CSCtn42397

The Network Access Users "Delete All" function when used on a filtered list should only delete filtered (displayed) Network Access Users

The "Delete All" function in the Administration > Identity Management > Identities > Users page deletes all the users, regardless of whether they are filtered or existing (non-filtered) users.

Workaround   There is no known workaround for this issue.

CSCtn44427

No progress indicator is displayed when importing collections of random or CSV guests

Workaround   There is no known workaround for this issue. The administrator must simply wait for the process to complete.

CSCtn53084

Incorrect export of DER imported server and trusted certificate authority certificates

When exporting a local certificate using the Administration > System > Certificates > Local Certificates > Export page, the administrator may find that the certificate is in Distinguished Encoding Rules (DER) format when another format like Privacy Enhanced Mail (PEM) is desired.

The certificate export function exports a certificate using the same format it had when imported. In Cisco ISE, there is no format conversion option available.

Note One way to avoid this is to simply import all certificates in PEM format. You can convert DER to PEM using tools like openssl, and your certificate authority may have an option for PEM output.
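Since the export format follows the import format, it helps to check each certificate file before importing it and convert any DER file to PEM. The following is an added example, not Cisco code: it identifies the encoding from the file's bytes rather than its extension, sanity-checks the outer DER length, and produces the same PEM wrapping that openssl's DER-to-PEM conversion emits. SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder, NOT a real certificate: an outer DER SEQUENCE
# (tag 0x30, long-form length 0x81 0xC8 = 200) around 200 filler bytes.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))


def der_total_length(data):
    """Return the encoded length of the outer DER SEQUENCE, header included.

    Every X.509 certificate starts with a SEQUENCE, so anything else
    (a gzip file, a text file, a truncated download) raises ValueError.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: missing outer SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:                    # short form: one length byte
        return 2 + first
    count = first & 0x7F                # long form: next `count` bytes
    if count == 0 or count > 4:
        raise ValueError("not DER: indefinite or oversized length")
    if len(data) < 2 + count:
        raise ValueError("not DER: truncated length field")
    return 2 + count + int.from_bytes(data[2:2 + count], "big")


def load_certificate(data):
    """Return (encoding, der_bytes), where encoding is 'PEM' or 'DER'."""
    match = PEM_RE.search(data)
    if match:
        # base64 errors are a ValueError subclass, so callers need one except.
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        encoding = "PEM"
    else:
        der, encoding = data, "DER"
    if der_total_length(der) != len(der):
        raise ValueError("DER length field does not match the data size")
    return encoding, der


def to_pem(data):
    """Return the certificate as PEM bytes, converting from DER if needed."""
    _, der = load_certificate(data)
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n"
            + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(load_certificate(SAMPLE_DER)[0], "->", load_certificate(pem)[0])
    print(pem.decode("ascii"), end="")
```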

CSCtn59529

Network Access User filters do not work on the Status or Admin columns using the Quick and Advanced filters

Cisco ISE search functions are not supported on columns which have images or icons. The Status and Admin columns use images and icons instead of text, therefore filtering does not work.

Workaround   There is no known workaround for this issue.

CSCtn62141

A script on the Administration > Identity Management > Groups page causes Internet Explorer 8 to run slowly. If it continues to run indefinitely, your computer could become unresponsive. (This problem has not been observed using Mozilla Firefox.)

Workaround   There are three ways to fix this issue:

1. Implement Virtual Scrolling in the Object Selector.

2. Change the time-out value as follows:

a. Using a Registry Editor such as Regedt32.exe, open the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles key.

b. Create a new DWORD value called "MaxScriptStatements" under this key and set the value to the desired number of script statements. If you are unsure of what value you need to set this to, you can set it to a DWORD value of 0xFFFFFFFF to completely avoid the dialog.

3. Install and apply the following patch from Microsoft:

http://support.microsoft.com/kb/175500#FixItForMeAlways

CSCtn65437

Report timestamp incorrect with Asia/Kolkata time zone

This behavior has been observed only using the Asia/Kolkata time zone. The result is minus 5.30 hours when compared to the actual record in the Cisco ISE database.

Workaround   There is no workaround for this issue at this time.

CSCtn73422

Network Access User filters filtering correctly

The filter display does not conform to the expected alphanumeric order. For example, create four users with the following IDs:

2234567890a

a214567890

2b34567890-2

a214-25678

Use either the Quick/Advanced Filter with a "Name: Contains _2" attribute. The resulting list is returned as follows:

2234567890a

2b34567890-2

a214-25678

a214567890

CSCtn78676

When a user name has a space between words and another similar name contains two or more spaces, Cisco ISE displays the same user name for both users.

Workaround   There is no known workaround for this issue. Even though the multiple spaces are trimmed and shown as one space in the UI, the data is saved correctly in the database.

CSCtn78899

When a user group name has a space between words and another similar user group name contains two or more spaces, Cisco ISE displays the same user group name for both groups.

Workaround   Avoid using spaces in the name field when creating an Identity Group.

CSCtn83738

Session status summary report failing for Wireless LAN Controllers

It appears that Cisco ISE may not be appropriately handling public/private community strings.

Workaround   There is no known workaround for this issue.

CSCtn92594

Quickpicker filters are not working correctly during Client Provisioning policy configuration

This issue has been observed with the following three filter options:

Identity Groups

Operating Systems

Other conditions

Workaround   There is no known workaround for this issue.

CSCtn92602

Filters are not working under QuickPickers during Posture Policy configuration

The following QuickPicker filters are not working during Posture Policy configuration:

Operating System

Other Conditions

Requirements

When using any of these QuickPickers to search for text, Cisco ISE returns invalid search results.

Workaround   There is no known workaround for this issue.

CSCtn95127

Client provisioning report does not show the policy matched

The report shows which agent is downloaded, but it does not indicate which policy has been applied.

This happens if a network access request has been redirected to the client provisioning portal and the client provisioning service applies a policy that determines which agent needs to be installed on the client machine.

Workaround   There is no known workaround for this issue.

CSCtn95548

Filter behaving case sensitive for Network Device groups

The results for network device group filtering in the network device group (NDG) page are incorrect. This is because the filtering in the network device group page is case sensitive.

Workaround   Enter network device group values using lower-case letters.

CSCtn99145

An authorization policy matching multiple rules does not appropriately match the existing ACCESS_ACCEPT rule

When an authorization policy uses the "multiple rule match" option, and any of the matched policy rules contain ACCESS_REJECT, the ACCESS_REJECT rule overrides the ACCESS_ACCEPT rule, regardless of where the two rules appear in relation to one another.

Workaround   There is no known workaround for this issue.

CSCto03813

No "Cisco ISE Config Changes" alarm generated using Authentication > Simple Condition > Edit/Add/Delete

Workaround   There is no known workaround for this issue.

CSCto05172

The Profiler detail log does not display some attributes.

"Certainty Matrix," "Matched Rule," and "Endpoint Action" name values are not updated in the Profiler endpoint detail log.

Workaround   There is no known workaround for this issue.

CSCto06361

Changing the User Identity Group name case should not return error upon search

After you create a User Identity Group called "mickeymousegroup," edit the name to be "MickeyMouseGroup." Cisco ISE displays the following error:

"Identity Group with name `NAC Group:NAC:IdentityGroups:User Identity Groups:MickeyMouseGroup' already exists."

Workaround   Delete and recreate the User Identity Group.

CSCto09989

Cisco ISE browser session redirects to Monitoring login page using Internet Explorer 8

As soon as you log in to Cisco ISE via IE8, the page gets redirected to a Monitoring node administrator login page (even before the initial page displays completely).

Note This issue has also been observed using Mozilla Firefox, but the redirection in Firefox only takes place after a couple of minutes of inactivity.

Workaround   Immediately after entering your login credentials, navigate from the main Cisco ISE page to any configuration page (like Posture, Authorization, or Client Provisioning, for example).

For more information, see Issue Accessing the Cisco ISE Administrator User Interface.

CSCto10678

Administrator user should not be able to delete self policy

If self-policies get deleted, the administrator cannot log in.

Workaround   The Cisco ISE administrator should not delete their own access policy.

CSCto10855

IE8 with default option settings is not working

This issue arises when the default URL has been specified in Administration > System > Setting > Posture Updates.

Workaround   There is no known workaround for this issue.

Note This functionality is working as designed using a Firefox browser.

CSCto13102

No "Cisco ISE Configuration Changes" message dialogs are displayed for certain guest/sponsor configuration

Certain dialogs are missing for guest and sponsor configuration changes, so Cisco ISE does not confirm when changes have been made and accepted.

CSCto13235

File Condition Advanced Filter does not return correct result

This issue has been observed in the Advanced Filter function of the Posture Simple Condition and Remediation pages. The "Match All/Any of the Following Rules" selection is not working as expected.

Workaround   There is no known workaround for this issue.

CSCto13986

IE8—Error when clicking the "Action" button on the Requirement page

Go to Policy > Policy Elements > Results > Posture > Remediation Action and click on the Requirement in the left-hand navigation pane. Once the page loads, click on the "Action" button. A JavaScript error is returned when accessing the page via Internet Explorer 8.

Note This is an issue with Internet Explorer 8 and is working as expected.

CSCto15508

Filter in Security Group Access Egress Policy is not working correctly

Workaround   There is no known workaround for this issue.

CSCto17461

Invalid Simple Condition error message in Guest configuration

If you duplicate, but do not rename a new Simple Condition in the Policy Elements > Conditions > Guest > Simple Condition page, Cisco ISE returns an error message indicating that the condition has not been saved.

Workaround   Change the name of the condition that is being duplicated before saving it.

CSCto22671

HTTPS communication fails if the certificate is deleted from the primary Administration ISE node

The following operations on the primary Administration ISE node fail unexpectedly:

- Restoration of a backup

- Manual sync

- Node deregistration

If the certificate(s) required to validate the HTTPS certificate of a registered node have been removed from the primary Administration ISE node trust store, they must be reimported into the trust store before attempting to restore database material, perform a manual sync, or deregister other policy service nodes.

CSCto24105

A Network Access User can be created with a name longer than 25 characters via network access user import, but Cisco ISE cannot reliably handle user names that long.

Workaround   There is no known workaround for this issue.
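An added example, not part of the Cisco release notes: a pre-import audit of a user CSV file for the two naming conditions described in CSCtn78676 (names that differ only in runs of spaces and are displayed identically) and CSCto24105 (names longer than 25 characters). The column header "username", the function names, and the sample rows are assumptions constructed for this illustration; adjust the column name to match your import file.

```python
import csv
import io
import re
from collections import defaultdict

MAX_NAME_LEN = 25          # length limit named in CSCto24105
NAME_COLUMN = "username"   # assumed CSV column header (hypothetical)

# Constructed sample import file; not real account data.
SAMPLE_CSV = """username,description
john smith,one space
john  smith,two spaces
john   smith,three spaces
alice,no issue
a-very-long-service-account-name,32 characters
"""


def display_form(name):
    """Name as the UI is described to show it: runs of spaces become one."""
    return re.sub(r" {2,}", " ", name)


def audit_names(csv_text, column=NAME_COLUMN):
    """Return names that are too long and names that would display alike.

    'display_collisions' maps the displayed form to the list of distinct
    stored names that collapse to it (only groups with more than one).
    """
    too_long = []
    by_display = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row[column]
        if len(name) > MAX_NAME_LEN:
            too_long.append(name)
        shown = display_form(name)
        if name not in by_display[shown]:
            by_display[shown].append(name)
    collisions = {
        shown: names for shown, names in by_display.items() if len(names) > 1
    }
    return {"too_long": too_long, "display_collisions": collisions}


if __name__ == "__main__":
    report = audit_names(SAMPLE_CSV)
    for name in report["too_long"]:
        print(f"too long ({len(name)} chars): {name!r}")
    for shown, names in report["display_collisions"].items():
        print(f"displayed as {shown!r}: {names}")
```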

CSCto24430

Details of guest RADIUS authentication failure are not available when searching via the guest username

This issue has been observed where the guest user has logged in with a space appended to the beginning or end of the user name.

Workaround   The guest user must enter the user name without any additional spaces entered at the beginning or end.

CSCto27568

Cannot enable checkboxes in the right hand Filtered Network Devices pane

The administrator is not able to select a checkbox under the following conditions:

1. The browser window is not open to its maximum size.

2. A filter is applied to the network device table.

Workaround   Apply filters to the network device table only when the browser window is maximized.

CSCto29479

Cisco NAC Web Agent fails to validate Registry Condition

Registry condition check does not work correctly on 64-bit Windows operating systems.

Workaround   There is no known workaround for this issue.

CSCto33037

Allowed character sets between policy conditions and element conditions are different

When conditions are created inside policies, the allowed character sets are not the same. Condition policies allow alphanumeric, hyphen (-), underscore (_), or period (.). The condition page itself allows letters, numbers and "_".

Workaround   Use the common characters of both sets: letters, numbers, and "_".

CSCto33973

Joining Cisco ISE to an Active Directory domain locks up when the Global Catalog is down or unreachable

Having a Global Catalog active is essential for Cisco ISE operation with Active Directory. If there are no Global Catalogs available, the Cisco ISE user interface locks up for a long time in certain operations. This issue applies to a single domain environment.

CSCto41078

Cannot create an Identity Group using the gear icon during Client Provisioning policy configuration

Workaround   Create the Identity Group using the Administration > Identity Management > Groups page before configuring the policy.

CSCto41340

Authentication Policy replication failure from Primary to Secondary if the time zone changes after installation

CSCto42182

Profiling HTTP requests for 802.1X scenarios may not include agent

This issue occurs when the initial HTTP request for 802.1X authentication and posture services is redirected to the gateway via HTTPS.

Workaround   Try using URL redirection over port 8080 for the gateway.

CSCto43825

Synchronization fails with time zones other than UTC

During installation, if you specify a time zone other than UTC, replication fails during registration and Synchronization status shows "OUT OF SYNC."

Workaround   To avoid this issue, change the time zone to UTC, enter the reset-config command via CLI, and reregister the node.

CSCto45372

Default Sponsor Groups do not allow the Sponsor to create users or view passwords.

Workaround   Navigate to the Guest Management > Sponsor Groups page and change the Sponsor Groups to allow appropriate access rights to Sponsors in these groups.

CSCto48657

Profiled endpoints are not all deleted

If you delete endpoints that have recently been imported (before Cisco ISE can finish Profiling all of the new endpoints), Cisco ISE does not delete them all.

Workaround   Wait until all endpoints have been profiled before trying to delete them, or try to delete the remaining endpoints again after the initial attempt.

CSCto49359

Filters not working correctly on Guest conditions page

Filters are not getting saved in the Policy Elements > Conditions > Guest > Simple Conditions page.

Workaround   Re-enter the filter to get Cisco ISE to perform the list filtering correctly.

CSCto54536

Local certificates disappear on the secondary node following "application reset-config ise" command in CLI

This issue is seen when displaying the local certificates on the Administration > System > Certificates > Local Certificates page of a deregistered node that is now in Standalone mode.

The administrator should not reset the configuration of a node prior to de-registering it. The correct process is as follows:

1. Node A is registered.

2. Node A is deregistered.

3. Enter "application reset-config ise" in node A CLI.

Workaround   If the node is reset before deregistration, you can make the local certificates reappear by entering the following commands in the CLI:

application stop ise

application start ise

CSCto59976

Sync with NTP server during initial set-up shows failure although NTP server is reachable.

This issue occurs if an invalid or unreachable NTP server was first specified during initial installation and is then corrected (reconfigured) with an NTP server which has fewer characters than the initial invalid NTP server entry.

Workaround   When the set-up shows "Sync with primary NTP server failed," press CTRL+C and restart the set-up from scratch, this time providing the valid and reachable NTP Server in the initial prompt itself.

CSCto60148

Java crashes during high posture load

This issue has been observed under extreme load conditions where Cisco ISE is hit with a large number of concurrent users for posture.

Workaround   None. You must restart the Cisco ISE Policy Service.

CSCto60636

Favorite reports are not preserved after executing "application reset-config ise" in the Cisco ISE CLI

After the reset-config operation is complete, you can manually add the corresponding reports to favorites again.

CSCto63749

The Cisco ISE dashboard does not display endpoints entered via the Administrator user interface

Endpoint display behavior works as designed for imported or detected Endpoints.

Workaround   Define the endpoint(s) in a CSV file and import the CSV file.

CSCto64028

"Fail to receive server response..." seen when deleting profiling policy

A "Fail to receive server response due to the network error (ex. HTTP timeout)" error message may appear when deleting Profiling policies, and some of the policies may not be deleted.

Workaround   Log out from Cisco ISE, log back in, and try deleting the policies again.

CSCto68519

Sorting / Filtering Does Not Work in Egress Table

Cannot filter or sort Egress policy table data.

Workaround   There is no known workaround for this issue.

Note It is not possible to filter the Egress policy table data based on source / destination security group. In addition, sorting is not available.

CSCto70968

Fast reconnect is not working for PEAP-TLS protocol

When the supplicant is eligible for PEAP-TLS fast reconnect after establishing a PEAP tunnel, Cisco ISE does not allow the fast reconnect function and falls back to the standard inner method.

The following messages appear in the customer log:

22044 Identity policy result is configured for certificate based authentication methods but received password based

12317 PEAP fast-reconnect failed; starting inner method

Workaround   There is no known workaround for this issue.

CSCto72521

Save failed for child group assignment during Client Provisioning policy configuration

An exception dialog box appears, displaying an "Invalid identity group in policy <policy name>. There were errors in the save" message.

Workaround   Use first-level identity groups whenever possible.

Note Identity Group selection is more than one level deep. For example, if an administrator creates hierarchical groups like "Employee" or "Accounting" and selects "Accounting" as an Identity Group when creating or updating a client provisioning policy.

CSCto72594

Cisco ISE cannot save a Posture Policy when the Identity Group is the child of one or more other Identity Groups

Cisco ISE returns a "Policy Policy_Check_For_AV_Installation_Win: Error - class com.cisco.cpm.posture.exceptions.PostureValidationException: invalid role" message and does not save the Posture Policy in question.

Workaround   Use only first-level Identity Groups.

CSCto73439

Restart required upon completion of Monitoring node database restoration

This issue has been observed with both scheduled and incremental backup and restore functionality.

After completing a Monitoring node database restoration, manually synchronizing a Secondary node from the Primary node does not work because the Secondary Administration ISE node data has been changed by the Monitoring node restoration operation.

Workaround   There are two possible workarounds for this issue:

1. Log into the Cisco ISE CLI with admin privilege and execute the following commands:

a. application stop ise

b. application start ise

2. Log into the Cisco ISE CLI with admin privilege and execute the reload command.

CSCto74356

Self-registered Guest role does not appear associated with the Guest account

If the administrator creates a new Identity Group (group role) and specifies this role as the default group role on the Guest Portal Policy page for self registration, the newly created Identity Group is not added to the identity group list for a sponsor group.

This issue can occur in both standalone and distributed deployment.

Workaround   Add the new Identity Group to the Sponsor Group to which the sponsor is mapped, which shows the correct Identity Group in the Edit panel of the Guest account.

CSCto82519

Saving your Active Directory configuration while the DNS is down takes a very long time

Cisco ISE requires connectivity to Active Directory (including DNS) when saving the configuration. If the DNS is not reachable, then the save function may time out before it can complete.

Workaround   Ensure that the DNS is available and reachable before saving your Active Directory configuration.

CSCto82631

Clicking the "Name" field in the Cisco ISE User Identity Group page yields unexpected download behavior

Workaround   There is no known workaround for this issue.

CSCto83897

Client machine authentication shift to user authentication not updating Active Directory groups

During a Wireless LAN Controller (WLC) login session, the client machine authenticates with Cisco ISE correctly and the corresponding authorization profile is picked up. During user authentication, however, (although system log entries indicate that user authentication has happened correctly) the previous authorization profile (for machine authentication) is applied to the user session again.

This issue has been observed during wireless login scenarios where the WLC is running firmware version 7.0.116.0.

Workaround   If you do not require the new WLC features (such as NAC-RADIUS) introduced in firmware version 7.0.116.0, Cisco recommends restoring the WLC version to 7.0.98.218 until a new firmware version becomes available.

For more information, see Known Incompatibility Issue with WLC Firmware Version 7.0.116.0.

CSCto87755

Guest accounting report appears only once, even though Guest logs in multiple times

This issue has been observed when Guest users have logged in using the same endpoint multiple times. The report shows only the user's first login details, not the most recent login.

Workaround   There is no known workaround for this issue.

CSCto87799

Guest authentication failing

Guest authentication fails and the LiveLogs on Cisco ISE show the reason as "session cache entry missing." The most common explanation for this issue is that the browser is using old session information.

Workaround   The user just needs to launch a new browser session and get redirected to the appropriate Guest portal.

CSCtq00096

Compound condition from a Sponsor Group Policy has a different name after it is saved

This new name can erase the existing condition in the Cisco ISE configuration and the administrator must assign the condition again.

Workaround   If you are editing conditions in the Sponsor Group Policy, specifically reassign the compound condition.

CSCtq07776

In Posture Policy, Click Save Symbol getting error message.

When you attempt to configure Dictionary Compound Condition using Posture Policy configuration, Cisco ISE returns a "configured dictionary compound condition already exists" error message, even though the specified Dictionary Compound Condition does not yet actually exist.

Workaround   The administrator needs to click on the OK button several times, or reload the page to work through this issue.

CSCtq09004

Windows 7 guest access not successful from IE8 and Chrome 10

Guest access fails over a wireless LAN controller connection. The login session does not appropriately redirect the user authentication request. This is likely due to IE8 and Chrome 10 browsers on Windows 7 being unable to redirect the RADIUS authentication request to the controller.

Note This issue has not been observed using Mozilla Firefox.

Workaround   Ensure that the certificates in the controller are accepted by the IE8 browser on the Windows 7 client correctly.

CSCtq09655

Dictionary Attribute duplication is not happening as designed during Authentication Policy configuration

Dictionary Attributes are not being duplicated appropriately within a rule during Authentication Policy configuration. Only the "operator" and "condition" values are getting duplicated.

Workaround   You must manually specify the Dictionary Attribute to complete the configuration.

CSCtq11650

The primary Administration ISE node has database links to Inline Posture nodes following promotion from secondary to primary

The newly-promoted primary node attempts to replicate with Inline Posture nodes and saves the undeliverable messages in its local database. This issue has been observed in a distributed deployment with Inline Posture nodes associated with an Administration ISE node that has been promoted from secondary to primary.

Workaround   Use root patch and SQLPlus to clean it.

CSCtq17744

Exception policy not getting created first time in Authorization policy

When you create the first new exception policy under an Authorization Policy, an error pops up indicating that the operation has failed.

This issue has been observed when there are no items in the exception policy pane and the user clicks Create New. After the user submits the change, an error message comes up.

Workaround   There are two possible workarounds for this issue:

1. Use the Duplicate function to add a second exception policy below the first one, and then delete the first exception. Once all the changes are done, then save the policy.

2. Similar to the first option above, use the Insert function to insert a second exception policy below the first one, and then delete the first exception. Once all the changes are done, then save the policy.

CSCtq22779

Cisco ISE allows saving authorization compound conditions with the same names

If you create two authorization compound conditions called "C1" and "C2," then change the name of "C2" to "C1," Cisco ISE does not return an error and you end up with two compound conditions called "C1." This happens only for authorization compound conditions.

The potential impact of this problem is that the contents of the original "C1" compound condition are always picked up and enforced in authorization policies that use "C2."

Workaround   There is no known workaround for this issue. You must be sure to create conditions with unique names. If you do end up creating two or more conditions with the same name, you can always rename them appropriately at any time.

CSCtq53690

Scheduled Monitoring and Troubleshooting incremental backup switches off following failed backup attempt

Workaround   If one of the scheduled Monitoring and Troubleshooting node backup events fails, the administrator needs to enable the "Incremental Backup" option again in the Administration > System > Operations > Monitoring Node > Scheduled Backup page.

CSCtq80912

Issues with Guest accounting report functions

After at least one full day of traffic, round trip Guest sessions include non-guest events in the logs.

Note There is no known workaround for this issue.

CSCtr09694

MAC address search at Reports > Query and Run should not be case sensitive

While launching reports, the MAC address search is case sensitive, but should not be.

Note There is no known workaround for this issue.

CSCtr24825

Numerous Alarms entitled "ISE Alarm (CRITICAL): Alarm caused by ISE - System Health threshold" with high numbers in "CPU Utilization (%)"

The same alert message is being used for both real system resource overloads and normal operations like system backup and restore.

Note There is no known workaround for this issue.

CSCtr29490

Endpoint does not get profiled correctly with HTTP traffic following posture assessment

Following a VLAN change, traffic may not be mapped to the endpoint due to a missing IP address in the RADIUS accounting message.

Workaround   Use a DHCP probe for profiling. Alternatively, RADIUS interim accounting should correct the situation on the next accounting update.

CSCtr38300

"Admin" login account is disabled and cannot be unlocked

After you enter the wrong password for the administrator user ID at least 5 times (though the actual value is configurable), the administrator cannot use the "admin" login credentials to access the user interface and Cisco ISE displays the following message:

"Your account has been locked after too many consecutive unsuccessful attempts. Please contact your system administrator for assistance."

Workaround   When you regain access to the user interface, create another administrator ID (different credentials) with same permissions and login using that one.

Note This is a new security function of Cisco ISE Maintenance Release 1.0.4 and is working as designed.

CSCtr39545

Endpoint update function may execute before endpoint creation

Alarms generated on replication failures; DEBUG entries from Profiler show endpoint update failures due to absent record.

Note There is no known workaround for this issue.

CSCtr51053

Back button use is not working correctly under compound conditions after upgrade

When you add a new compound condition in the Policy > Conditions > Posture > Compound Condition configuration page and then navigate through the condition list, the back button will lead to the Cisco ISE home (Monitoring) page instead of the previous level.

CSCtr53954

Configure ISE for MAB + Posture flow

After successful MAB Authentication, the client endpoint is moved to its assigned VLAN. Then the posture function initiates and the endpoint sends a "compliant" report back to Cisco ISE, which triggers CoA for that session and sends a new VLAN assignment back to the associated NAD. The problem is that the endpoint fails to refresh its IP address. (Make sure the Endpoint is put into a different VLAN after moving to compliant/noncompliant state.)

Note The same IP-refresh on VLAN change is working in an 802.1X environment with posture functions.

Workaround   If you enable the "Agent IP refresh after VLAN change" option in the Agent profile, the IP address gets refreshed after moving to compliant/noncompliant state.

CSCtr57280

IP-to-MAC address binding fails in wireless environment with RADIUS and HTTP probe

RADIUS accounting messages from a WLC do not send the endpoint IP address. This is different from the RADIUS accounting messages from wired infrastructure. This makes the RADIUS method ineffective for IP-to-MAC address binding on Cisco ISE.

CSCtr58604

Cisco Administration ISE node backup size exceeds 8 GB

Backup files are very large and at times larger than 8 GB each. This has been observed when performing both scheduled and on-demand full backups from the CLI or administrator user interface.

Note There is no known workaround for this issue.

CSCtr58811

Need to log out and log back in to get Advanced License functionality

After installing an Advanced License on top of an existing Base license, the administrator is not able to view advanced feature pages such as Posture, Profiler, and Security Group Access.

Workaround   Log out and log back in again to view Advanced feature pages.

CSCtr59589

Exception Actions are triggering multiple CoA reauthentication events

An exception action experienced under high traffic volume may be triggering multiple times and issuing multiple CoA events on the same session. By design, only the first CoA event will be acted upon—the subsequent ones are ignored by the infrastructure.

CSCtr60200

Error while editing predefined AV/AS compound conditions

After you update Cisco ISE to release 1.0.4 and edit a pre-existing AV/AS compound condition, the configuration will be saved, but when you try to go back and view or edit the same compound condition, the "Allow virus definition checks to be..." option becomes disabled (unchecked).

Although there is no impact when generating the XML file with the modified data for the pre-defined AS compound condition, this issue leads to confusion.

CSCtr66122

Policy could not be saved

Cisco ISE can return an error message when you try to save a policy where the same identity group appears more than once.

Workaround   Manually remove duplicate identity group entries from the policy and save the policy again.

CSCtr66929

Selected month and year while configuring file "Date" condition

If you specify either just the year or month in the "Date" field of the Policy > Policy Element > Conditions > File Condition configuration window, the date does not get saved along with the policy.

Workaround   Always specify the correct date.

CSCtr68491

Windows Internet Explorer 8 Info button on compound condition format is empty

When you hover over the "Info" button in the Policy > Policy Elements > Conditions > Posture > Compound Condition page, the pop-up bubble remains empty.

This issue has been observed using IE8, but the text appears as designed in Mozilla Firefox.

CSCtr79440

Authorization policy not matched when condition to match parent device group location used

This issue can come up when you define an authorization rule which has a condition containing the operand "DEVICE:Location equal AllLocation#<group name>."

Note There is no known workaround for this issue.

CSCtr82311

Administrator user interface password reset failed upon first login attempt

This condition is only seen if the first default credentials ("admin"/"cisco") have not yet been changed. After the admin user gets disabled, the password reset function may fail on the first attempt.

Workaround   Try resetting the password again using the application reset-passwd ise CLI command. Alternatively, if the user in question is 'admin', log in as 'admin/cisco' and set the first credentials.

CSCtr84378

Guest role text box can be removed in sponsor group object

When only one group role exists, the Guest Role can still be removed when configuring the sponsor group, which prevents the user from selecting any Guest Role at all. (If the administrator clicks on the minus (-) operator on the Guest Role tab in the sponsor group configuration with only one existing group role, then the field is removed.)

Workaround   Do not click the minus (-) operator during Guest Role selection during Sponsor Group configuration if only one group role exists. If the situation does occur, then you need to manually create a new sponsor role.

CSCtr84493

Cisco ISE inaccurately reports that a specified policy name already exists

This issue arises when you try to create a sponsor group policy name containing regular spaces (like "xx yyy zzz 1") that is identical to an existing name using underscores (like "xx_yyy_zzz_1"). The resulting error message from ISE reads: "Policy with name xx_yyy_zzz_1 already exists."

Workaround   To avoid this issue, reverse the order in which you create these two similar names:

1. Create a sponsor group policy using spaces ("xx yyy xxx 1) and click Save.

2. Create another sponsor group policy using underscores (xx_yyy_zzz_1 and click Save.

The error message should not appear.

CSCtr94724

Browser becomes inaccessible after creating Authorization profile

This occasional issue has been observed when scrolling down the page before the page loads completely.

Workaround   Cisco recommends allowing a few extra seconds for the page to completely load before scrolling down the page.

CSCtr96694

SGA Security Group column is empty following SGA authentication

When performing CTS authentication, the unparsed CTS security tag is returned in the authentication response and is displayed in the CTS authentication report viewer.

Note There is no known workaround for this issue.

CSCts03935

Need to recreate the Support Bundle if the Admin session times out

If the administrator is creating a Support Bundle and their login session times out, the Support Bundle is not created correctly and the administrator must produce a new one after logging back in again.

Workaround   Alternatively, if the Support Bundle takes a long time to generate, you can generate it using the backup-logs CLI command.

CSCts08980

The Cisco ISE posture report dashlet returns an error code

After clicking a sparkline from the Posture Compliance dashlet, the Cisco ISE Monitoring page returns the following:

"Cannot execute the statement.

SQL statement does not return a ResultSet object.

SQL error #1: ORA-06502: PL/SQL: numveric or value error: character string buffer too small.

ORA-06512: at "MNT.FILTER", line 27

ORA-06512: at "MNT.GETPOSTUREDATA", line 17

posturereport contains some special characters."

Workaround   You can avoid this issue by running the report directly without filtering from the Monitoring > Reports > Catalog > Posture > Posture Detail Assessment page.

CSCts10036

Issue with Inline Posture static route configuration

Certain static address settings on the Inline Posture static route configuration page cause the Cisco ISE user interface to return an error, and the administrator cannot remove the erroneous route.

Note Restarting the Inline Posture node following this event might result in the node not being available to the administrator at all.

This issue can occur when you configure an invalid static route where the static route's destination network address overlaps with the network address (based on the IP Address / Subnet Mask combination) of the Inline Posture node's trusted or untrusted interface.

Workaround   If this situation occurs, deregister the Inline Posture node from the primary Administration ISE node (or both Inline Posture nodes of the HA pair) and then reregister.

CSCts10323

Internet Explorer running slow during client provisioning

Internet Explorer has an option where you can turn the "check for revocation lists" function on or off.

When this option is enabled and the dACL simultaneously does not allow access to CDP servers, Internet Explorer "freezes up" for about a minute while it tries to access the requisite CDPs.

CSCts19211

After backup/restore, the administrator is not able to access the Service Policy node

After restoring the database from a prior version of the software, one or more of the nodes in the deployment become inaccessible from the administrator user interface.

The issue is related to restoring a backup image from one version onto a deployment running a newer version of Cisco ISE.

Workaround   Deregister, execute the reset-config CLI command, then reregister the node in question.

Note This issue can be avoided completely by using the 'application upgrade' CLI command on each node of the deployment. If this is done, there is no need to restore from an older version of the software.

CSCts20529

Authorization profile getting saved with incomplete information

This issue occurs when using the "auto-smart-port," "Filter_ID," "wireless lan controller," or "Posture Discovery" fields in the configuration page.

Note Because of this mismatch in attribute values, the resulting authorization policy may not work properly.

Workaround   Click anywhere in the window while creating an authorization profile when using any of the above mentioned attributes. The authorization profile is then saved properly.

CSCts22154

RBAC menus on secondary nodes are incorrect immediately after upgrade

This issue can occur when the upgrade process on a secondary node is delayed and a large number of pending messages on the primary node are queued up for replication to the secondary node.

Workaround   Minimize the time period between the upgrade process on the primary node and secondary nodes.

Note If the RBAC menu is not available following upgrade, wait until the replication status for the problematic node shows "complete" and the RBAC menu should be correctly visible.

CSCts25521

Cisco ISE repeatedly returns an error when a Dictionary Compound Condition is added during posture policy configuration

When you attempt to configure Dictionary Compound Condition using Posture Policy configuration, Cisco ISE returns a "configured dictionary compound condition already exists" error message, even though the specified Dictionary Compound Condition does not yet actually exist.

Workaround   The administrator needs to click on the OK button several times, or reload the page to work through this issue.

CSCts78093

Active Directory attributes are not inherited from Cisco ACS 5.1/5.2 to Cisco ISE 1.0 or Cisco ISE 1.0.4 during migration

This issue has been observed for Active Directory attributes that are not of the data type "String." (Cisco ISE supports only "String" Active Directory attributes. Other data types, such as integers, are not moved over.)

Note In Cisco ACS 5.1/5.2, you can define different types of Active Directory attributes—String, IP, and integer.

CSCts99778

Posture configuration options not available with Advanced License

After installing or upgrading to Cisco Identity Services Engine Maintenance Release 1.0.4.573, posture config options on Policy > Policy Elements > Conditions, Policy > Policy Elements > Results, and the Posture tab of the Policy > Posture page are not shown.

Workaround   Enter the application stop ise and application start ise CLI commands. All posture-related configuration items should now appear as designed.

CSCts57010

File system runs out of available space

When logging in via the CLI, the administrator sees a "% Error: Unable to launch ADE-OS shell. Disk full." message. This could be caused by an "undo_tablespace" function automatically extending without any imposed limit.

Note There is no known workaround for this issue.

CSCtr95156

The guest account password was reset after the user changed their password and the Sponsor subsequently modified the account

Workaround   The Guest user should log in to the guest portal before the sponsor modifies their account.

CSCts45591

Unable to collect info from interface with no IP address

Cisco ISE is unable to collect TCP dump information on interfaces with no IP address configured.

Note There is no known workaround for this issue.

CSCts57027

Newly added network interface for VMware ISE appears as "__tmpXXXXX"

This issue has been observed when viewing the newly-added network interface using the "show interface" CLI command on a VMware machine.

Workaround   Try a different adapter setting like E1000 instead of "Flexible."

CSCts59228

Internet Explorer 8 fails to generate a CSV Template when importing endpoints

Workaround   Cisco recommends trying the process again using Mozilla Firefox if you encounter this issue.

CSCts77187

No Alarm activates when replication fails due to database communication errors

This issue has been observed when the primary administration or monitoring node is unable to communicate with the secondary node for Oracle database replications.

Note There is no known workaround for this issue.

CSCts45441

Unexpected behavior when creating a guest account using start and end time settings

This issue has been observed where the sponsor is trying to create a guest account that includes the time profile type "STARTEND." (During testing, Cisco used the current date for the "start date" and the next day as the end date.)

Workaround   When creating the guest account, use the "FROMCREATION" time profile with a 1 day duration.

CSCts45547

Administrator user interface does not display an appropriate error message during node registration

Note There is no known workaround for this issue.

CSCtw67841

Debug logs bundle is not getting downloaded in Mozilla Firefox version 3.6.24

When the administrator tries to download an individual log via the Operations > Download Logs > Node > Debug Logs page, Cisco ISE prompts the administrator to enter their credentials in the browser. After entering the username and password, no download dialog pops up, and the requested log file cannot be downloaded. This issue has been observed using Mozilla Firefox version 3.6.24.

Workaround   Download the entire support bundle and then you can choose to view the individual log file.

Note Windows Internet Explorer version 8 does not have this issue.
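For CSCts10036 above, a candidate static route can be checked against the Inline Posture node's trusted and untrusted interface networks before it is entered. The following Python check is an added example, not Cisco code: the interface addresses, routes, and the `check_static_routes` helper are constructed for illustration, and skipping the default route and also rejecting destinations with host bits set are assumptions.

```python
import ipaddress

# Constructed sample data for a hypothetical Inline Posture node:
# interface name -> (IP address, subnet mask).
SAMPLE_INTERFACES = {
    "trusted": ("10.1.1.5", "255.255.255.0"),
    "untrusted": ("192.168.50.1", "255.255.255.0"),
}

# Constructed candidate static routes: (destination, mask, gateway).
SAMPLE_ROUTES = [
    ("10.1.1.128", "255.255.255.128", "10.1.1.1"),     # inside the trusted network
    ("172.16.0.0", "255.255.0.0", "192.168.50.254"),   # no overlap
    ("192.168.50.0", "255.255.255.0", "192.168.50.254"),  # same as untrusted network
    ("10.2.0.1", "255.255.0.0", "10.1.1.1"),           # host bits set in destination
    ("0.0.0.0", "0.0.0.0", "192.168.50.254"),          # default route
]


def interface_networks(interfaces):
    """Derive each interface's network from its IP address / subnet mask pair."""
    return {
        name: ipaddress.ip_interface(f"{ip}/{mask}").network
        for name, (ip, mask) in interfaces.items()
    }


def relation(route_net, iface_net):
    """Describe how a route destination overlaps an interface network, or None."""
    if route_net == iface_net:
        return "same"
    if route_net.subnet_of(iface_net):
        return "inside"
    if iface_net.subnet_of(route_net):
        return "contains"
    return None


def check_static_routes(interfaces, routes, ignore_default=True):
    """Return (route, interface, relation) findings for routes that should not be saved.

    A destination that is not a valid network address for its mask is reported
    as "malformed" with no interface (an added sanity check, not from the caveat).
    """
    findings = []
    nets = interface_networks(interfaces)
    for dest, mask, _gateway in routes:
        label = f"{dest}/{mask}"
        try:
            route_net = ipaddress.ip_network(label, strict=True)
        except ValueError:
            findings.append((label, None, "malformed"))
            continue
        # Assumption: 0.0.0.0/0 covers every network by definition, so it is
        # skipped unless the caller asks for it to be reported.
        if ignore_default and route_net.prefixlen == 0:
            continue
        for name, iface_net in nets.items():
            rel = relation(route_net, iface_net)
            if rel:
                findings.append((label, name, rel))
    return findings


if __name__ == "__main__":
    for route, iface, rel in check_static_routes(SAMPLE_INTERFACES, SAMPLE_ROUTES):
        print(f"reject {route}: {rel}" + (f" ({iface} interface network)" if iface else ""))
```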


Cisco ISE Release 1.0.4.573 Agent Open Caveats

Table 12 Cisco ISE Release 1.0.4.573 Agent Open Caveats 

Caveat
Description

CSCti60114

The Mac OS X agent 4.9.0.x install is allowing downgrade

The Mac OS X NAC Agent is allowing downgrades without warnings.

Note Mac OS X Agent builds differ in minor version updates only. For example, 4.9.0.638 and 4.9.0.637.

CSCti71658

The Mac OS X Agent shows user as "logged-in" during remediation

The menu item icon for Mac OS X Agent might appear logged-in before getting full network access.

The client endpoints are connecting to an ISE 1.0 network or NAC using device-filter/check with Mac OS X Agent 4.9.0.x.

Workaround   Please ignore the icon changes after detecting the server and before remediation is done.

CSCtj22050

Certificate dialog seen multiple times when certificate is not valid

When the certificate used by the agent to communicate with the server is not trusted, the error message can be seen multiple times.

Workaround   Make sure you have a valid certificate installed on the server and that it has also been accepted and installed on the client.

Note The additional certificate error message is primarily informational in nature and can be closed without affecting designed behavior.

CSCtj31552

Pop-up Login windows option not used with 4.9 Agent and Cisco ISE

When right clicking on the Windows taskbar tray icon, the Login option is still present, but is not used for Cisco ISE. The login option should be removed or greyed out.

Workaround   There is no known workaround for this issue.

CSCtj39429

No posture on Mac OS X Agent in multi-NIC setup

This issue has been observed on Mac OS 10.6 clients in a multi-NIC setup where the wired NIC is connected to a switch and the wireless NIC connects to an Inline Posture node in bridged mode.

Note Because the wireless NIC is the preferred connection, the agent is supposed to perform posture assessment via the wireless NIC.

Workaround   There is no known workaround for this issue.

CSCtj59635

Cisco NAC agent pops up even when popup login window is unchecked

Workaround   There is no known workaround for this issue.

CSCtk34851

XML parameters passed down from server are not using the mode capability

The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite. Mac OS X agent is not processing the mode correctly. Instead, the complete file is overwritten each time.

Workaround   To use a unique entry, the administrator must set up a different user group for test purposes, or set the file to read only on the client machine and manually make the necessary changes to the local file.

CSCtl53966

Agent icon stuck on Windows taskbar

The taskbar icon should appear when the user is already logged in.

Workaround   Right-click on the icon in the taskbar tray and choose Properties or About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes away.

CSCtn39974

An IP configuration error during logout may keep agent from appearing to the user

The agent login processing does not start after the IP refresh error occurs during the logout processing in an Out-of-Band environment.

Workaround   Exit and re-launch the agent.

CSCto03644

Tray icon flickers click focus if user changes applications from login OK

Following successful login, when the Agent login dialog goes away, click focus appears in the Windows taskbar tray. (It may flicker fast so that you are not able to see it.) If the user clicks on the icon when this happens, the "please wait" dialog appears, and at this time, the Agent icon options are available for use.

This issue has been observed if the user changes to a different application while the successful login OK button is displayed.

Workaround   The user can log in again and ensure the focus stays on the login process.

CSCto19507

Mac OS X agent does not prompt for upgrade when coming out of sleep mode

Workaround   The user needs to exit and then restart the Cisco NAC Agent to prompt the current version verification function.

CSCto33933

Login Success display does not disappear when user clicks OK

This can occur if the network has not yet settled following a network change.

Workaround   Wait a few seconds for the display to close.

CSCto45199

"Failed to obtain a valid network IP" message does not go away after the user clicks OK

This issue has been observed in a wired NAC network with IP address change that is taking longer than normal. (So far, this issue has only been seen on Windows XP machines.)

Workaround   None. The user needs to wait for the IP address refresh process to complete and for the network to stabilize in the background.

CSCto48555

Mac OS X agent does not rediscover the network after switch from one SSID to another in the same subnet

Agent does not rediscover until the temporary role (remediation timer) expires.

Workaround   The user needs to click Complete or Cancel in the agent login dialog to get the agent to appear again on the new network.

CSCto63069

The nacagentui.exe application memory usage doubles when using "ad-aware"

This issue has been observed where the nacagentui.exe memory usage changes from 54 to 101MB and stays there.

Workaround   Disable the Ad-Watch Live Real-time Protection function.

CSCto84932

The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and NAC agent.

Workaround   Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCto97422

Auto Popup does not happen after clicking Cancel during remediation failure

Workaround   Click on the login option in the system tray.

CSCto97486

The Mac OS X VLAN detect function runs between discovery, causing a delay

VLAN detect should refresh the client IP address after a VLAN detect interval (5) X retry detect (3) which is ~ 30 sec, however it is taking an additional 30 sec.

This issue has been observed in both a wired and wireless deployment where the Cisco NAC agent changes the client IP address in compliant or non-compliant state since Mac OS X supplicant cannot.

An example scenario involves the user getting a "non-compliant" posture state where the Cisco ISE authorization profile is set to Radius Reauthentication (default) and session timer of 10 min (600 sec). After 10 min the session terminates and a new session is created in the pre-posture VLAN. The result is that the client machine still has post-posture VLAN IP assignment and requires VLAN detect to move user back to the pre-posture IP address.

Workaround   Disconnect and then reconnect the client machine to the network.

CSCtq02332

Windows agent does not display IP refresh during non-compliant posture status

The IP refresh is happening on the client machine as designed, but the Agent interface does not display the change appropriately (for example, following a move from preposture (non-compliant) to postposture (compliant) status).

Workaround   There is no known workaround for this issue.

CSCtq02533

The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and Cisco NAC agent.

Workaround   Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCtq15958

Windows Agent VPN tunnel dropping after initial connection

Workaround   The user needs to reestablish the VPN tunnel.

CSCtq16716

Windows wireless move from post-posture to pre-posture VLAN detect IP not refreshed

The client machine has no connectivity because the NIC's IP address is in the compliant/non-compliant VLAN when it should be in the pre-posture/pending VLAN.

This issue has been observed using a wireless supplicant that does not support IP address change when the client machine relies on the Cisco NAC Agent to change the IP address.

Workaround   Disconnect and reconnect wireless NIC on the client machine.

For more information, see Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines.

CSCts80116

OPSWAT SDK 3.4.27.1 causes memory leak on some PCs

Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may experience excessive memory usage.

Note This has only been observed with version 8.2.0 of Avira AntiVir Premium or Personal. Later versions of the application do not have this issue.

Workaround   Install a later version of Avira AntiVir Premium or Personal.


Cisco ISE Release 1.0.4 Resolved Caveats

Cisco ISE Release 1.0.4.573 Appliance Resolved Caveats

Table 13 Cisco ISE Release 1.0.4.573 Appliance Resolved Caveats 

Caveat
Description

CSCth07037

CPM crash after configuring AD1 and starting RADIUS authentications

CSCtn26819

Unable to reset the CLI password of a "locked" user account

CSCtn80646

Cisco ISE does not display a purge confirmation message after purging is completed

CSCto05028

Issues when saving customized details reports (cannot retrieve reports after saving)

CSCto22872

Endpoints are not profiled correctly when there is a router in the network

CSCto75963

No alert message is displayed in Cisco ISE when the Client Provisioning Update Feed URL (or proxy, if specified) is unreachable

CSCto80921

Invalid PCAP format for inactive Monitoring and Troubleshooting nodes

CSCto83078

Guest Accounting and Sponsor Summary report errors returned during report generation

CSCto92848

Report generation fails when custom range in Security Group Access - > Top_N_SGT_Assignments is specified

CSCtq03906

Condition duplication during Authorization Policy configuration does not work properly

CSCtq05485

AnyConnect Supplicant from AnyConnect 2.5/3.0 client application

CSCtq06649

Getting "Connection reset," message when adding a secondary node

CSCtq07398

Internal user-name should not be case-sensitive

CSCtq08234

Airespace-QoS-Level configured on Cisco ISE does not override WLAN QoS level

CSCtq21992

Active Directory guest user login displays an application malfunction error

CSCtq22287

WSUS check is failing on Windows 7 64- and 32-bit systems

CSCtq24831

Guest user can not log into newly created account

CSCtq26502

Windows XP client machines need to be updated for NAC agent to work

CSCtq27834

Monitoring COPY_RESOURCE_HIERARCHY exception errors and replication failures

CSCtq27834

Cisco ISE is generating replication alarms

CSCtq45022

The Deployment Nodes page takes a very long time to load in scale deployment

CSCtq66518

Deleting the SGACL mapping from Cisco ISE does not clear the downloaded policy

CSCtq79343

Heap memory is completely used up and system becomes unusable

CSCtq84962

Mobile devices/Linux appliances do not work through VPN deployment

CSCtq88761

The Authorization Profile page takes 6 minutes or more to load

CSCtq89875

Administrators cannot enable the password-lockout CLI function via SSH connection

CSCtq95286

Report issues with Guest Accounting

CSCtr01270

Active endpoint information is not correct in the Monitoring and Troubleshooting dashboard

CSCtr21259

Administrators are not able to log into the user interface after a reboot/restart

CSCtr29815

Axis MessageContext.finalize() entry causing memory usage issue

CSCtr75664

Specifying a new remote logging target can crash a Policy Service node

CSCts19809

Cannot import Advanced License on top of Base License

CSCts27128

"show app status ise" reports wrong status when database instance is dead

CSCts45559

Incorrect information displayed when eth1 interface selected

CSCts45675

Profiler does not see DHCP SPAN traffic encapsulated with 802.1Q

CSCts46545

Cisco ISE high EPM database usage alarm

CSCts46937

Unable to access Inline Posture node—error message displayed while reading DHCP/DNS config object

CSCts51536

Admin is not able to download dump info on eth1 interface

CSCts54380

ORA-600/ORA-4031 error code displayed due to memory allocation for Oracle streams

CSCts59135

Cisco ISE database has a static Oracle DB password

CSCts79733

Getting Error parsing DHCP "[V4] option [subnet-mask (1)]; Expected [4] b"

CSCui22841

Apache Struts2 command execution vulnerability


Cisco ISE Release 1.0.4.573 Agent Resolved Caveats

Table 14 Cisco ISE Release 1.0.4.573 Agent Resolved Caveats

Caveat
Description

CSCtg97488

Client running Cisco NAC Agent does not disconnect after Windows logoff

CSCto34354

Cisco NAC Web Agent fails to validate Registry Conditions


Known Issues

Known Issue with Upgrade from Cisco ISE Release 1.0.3.377

This issue can affect Cisco ISE customers who have not changed their default "admin" account password for administrator user interface login since first installing Cisco Identity Services Engine Release 1.0.3.377. Upon upgrading to Cisco Identity Services Engine Maintenance Release 1.0.4.573, administrators can be "locked out" of the Cisco ISE administrator user interface when logging in via the default "admin" account where the password has not yet been updated from the original default value.

To avoid this issue, Cisco recommends you do one or more of the following:

1. Verify that you have changed the password per the instructions in the "Managing Identities" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 prior to upgrade.

2. Disable or modify the password lifetime setting in the Administration > System > Admin Access > Password Policy page of the administrator user interface prior to upgrade to ensure the upgraded policy behavior does not impact the default "admin" account.

3. Enable password lifetime setting reminders in the Administration > System > Admin Access > Password Policy page to alert admin users of imminent expiry. Administrators should change the password when notified.


Note Although the above conditions apply to all administrator accounts, the change in behavior from Cisco ISE version 1.0.3.377 to version 1.0.4.573 only impacts the default "admin" account.


Windows Internet Explorer 8 Known Issues

Issue Accessing the Cisco ISE Administrator User Interface

When you access the Cisco ISE administrator user interface using the host IP address as the destination in the Internet Explorer 8 address bar, the browser automatically redirects your session to a different location. This situation occurs when you install a real SSL certificate issued by a Certificate Authority like VeriSign.

If possible, Cisco recommends using the Cisco ISE hostname or fully qualified domain name (FQDN) you used to create the trusted SSL certificate to access the administrator user interface via Internet Explorer 8.

For more information, see CSCto09989.

Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8

There is a known migration consideration that affects successful migration of Cisco Secure ACS 5.1/5.2 data to the Cisco ISE appliance using the Cisco Secure ACS 5.1/5.2-ISE 1.0 Migration Tool.

The only currently supported browser for downloading the migration tool files is Firefox version 3.6.x. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported for this function.

For more information, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.

User Identity Groups User Interface Issue With IE 8

If you create and operate 100 User Identity Groups or more, a script in the Cisco ISE administrator user interface Administration > Identity Management > User Identity Groups page can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running script. (If the script continues to run, your computer might become unresponsive.)

Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines

There is a known issue with the Intel Supplicant version 12.4.x for Windows client machines with regard to VLAN change for wireless deployments. The client machine has no connectivity because the NIC's IP address is in the compliant/non-compliant VLAN when it should be in the pre-posture/pending VLAN.


Note This issue affects any supplicant that cannot perform IP address refresh on a VLAN change in a wireless environment. This issue is related to the VLAN detect (Access VLAN to Authentication VLAN change) functionality, where the Cisco NAC Agent is not working correctly with wireless adapters.


For more information, see CSCtq16716.

Known Incompatibility Issue with WLC Firmware Version 7.0.116.0

Cisco has discovered a known issue that can occur during a Wireless LAN Controller (WLC) login session, where the client machine authenticates with Cisco ISE correctly and the corresponding authorization profile is picked up, but during user authentication the previous authorization profile (for machine authentication) is applied to the user session again.

This issue has been observed during wireless login scenarios where the WLC is running firmware version 7.0.116.0, and unless you require new features available only in version 7.0.116.0, Cisco recommends returning your WLC firmware version to 7.0.98.218 until Cisco releases an up-to-date firmware version later in 2011.

For more information, see CSCto83897.

Issues With 2k Message Size in Monitoring and Troubleshooting

Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection performance for messages of 8k in size. As a result, you may notice a slightly different message performance rate when compiling 2k message sizes regularly.

Issues With More Than Three Users Accessing Monitoring and Troubleshooting Concurrently

Although more than three concurrent users can log into Cisco ISE and view monitoring and troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages taking excessive amounts of time to launch, and the application server restarting on its own.

Inline Posture Restrictions

Inline Posture is not supported in a virtual environment, such as VMware.

The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.

The Cisco Discovery Protocol (CDP) is not supported by Inline Posture.

Cisco IP phones using EAP-FAST

Cisco ISE, Release 1.0 does not support Cisco IP phones that are using EAP-FAST with certificates. Cisco recommends using EAP-TLS with IP phones in your network.

Documentation Updates

Table 15 Updates to Release Notes for Cisco Identity Services Engine, Release 1.0.4

Date
Description

8/14/13

Added Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 6

9/7/12

Added Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 5

3/7/2012

Added Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 4

12/15/2011

Updated Cisco ISE Install Files, Updates, and Client Resources

12/8/2011

Added Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 3

Added caveat CSCtw67841 to Cisco ISE Release 1.0.4.573 Appliance Open Caveats

11/3/2011

Added Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 2

10/21/2011

Added Cisco Identity Services Engine Releases

Added Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 1

Updated trademarks block under Obtaining Documentation and Submitting a Service Request

10/13/2011

Added CSCts57010, CSCtt16149, CSCtr95156, CSCts45591, CSCts57027, CSCts59228, CSCts77187, CSCts45441, and CSCts45547 to Cisco ISE Release 1.0.4.573 Appliance Open Caveats

Updated Upgrading Cisco ISE Software

Added Known Issue with Upgrade from Cisco ISE Release 1.0.3.377

9/30/2011

Content updates for Cisco Identity Services Engine Maintenance Release 1.0.4 Update (version 1.0.4.573):

Updated Table 3

Cisco ISE Installation and Upgrade Process Updates

Added caveats CSCts78093, CSCts98931, and CSCts99778 to Cisco ISE Release 1.0.4.573 Appliance Open Caveats

Added caveat CSCts80116 to Cisco ISE Release 1.0.4.573 Agent Open Caveats

Added caveats CSCth07037, CSCto80921, CSCts19809, CSCts27128, CSCts45559, CSCts45675, CSCts46545, CSCts46937, CSCts51536, CSCts54380, CSCts59135, and CSCts79733 to Cisco ISE Release 1.0.4.573 Appliance Resolved Caveats

8/26/2011

Cisco Identity Services Engine Maintenance Release 1.0.4 (version 1.0.4.558):


Related Documentation

Release-Specific Documents

General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 16 Product Documentation for Cisco Identity Services Engine

| Document Title | Location |
| --- | --- |
| Release Notes for the Cisco Identity Services Engine, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html |
| Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html |
| Cisco Identity Services Engine User Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html |
| Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html |
| Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html |
| Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html |
| Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html |
| Cisco Identity Services Engine API Reference Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html |
| Cisco Identity Services Engine Troubleshooting Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html |
| Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html |
| Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card | http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html |


Platform-Specific Documents

Links to Policy Management Business Unit documentation are available at the following locations:

Cisco ISE
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Secure ACS
http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

Cisco NAC Appliance
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

Cisco NAC Profiler
http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html

Cisco NAC Guest Server
http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.


This document is to be used in conjunction with the documents listed in the "Related Documentation" section.