Release Notes for Cisco Identity Services Engine, Release 1.1.x

Revised: June 2, 2014, OL-26136-01

These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (Cisco ISE), Release 1.1.1, 1.1.2, 1.1.3, and 1.1.4. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release.

Cisco Identity Services Engine, Release 1.1.4

Cisco ISE, Release 1.1.4 provides support for the Cisco SNS-3400 Series appliance. In addition to the hardware support for installation on the SNS-3400 Series appliance, Cisco ISE 1.1.4 supports all the features in Cisco ISE 1.1.3. You can also install Cisco ISE 1.1.4 on previously supported appliances, such as ISE-3315-K9, ISE-3355-K9, and ISE-3395-K9.

Cisco Identity Services Engine, Release 1.1.3

Cisco ISE, Release 1.1.3 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, 1.1.1, and 1.1.2 while rolling patch fixes for Cisco ISE, Release 1.1.1 and 1.1.2 into 1.1.3.

Cisco Identity Services Engine, Release 1.1.2

Cisco ISE, Release 1.1.2 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, and 1.1.1, while rolling three patch fixes for Cisco ISE, Release 1.1.1 into 1.1.2.

Cisco Identity Services Engine, Release 1.1.1

Cisco ISE, Release 1.1.1 features a number of important product function enhancements and new capabilities, as well as critical bug fixes derived from Cisco ISE, Release 1.0.4 and 1.1.

Introduction

The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. Cisco ISE offers authenticated network access, profiling, posture, guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE ships on a range of physical appliances with different performance characteristics and also allows the addition of more appliances to a deployment for performance, scale, and resiliency. Cisco ISE has a highly available and scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. Cisco ISE also allows for configuration and management of distinct Cisco ISE personas and services. This feature gives you the ability to create and apply Cisco ISE services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.

Node Types, Personas, Roles, and Services

Cisco ISE provides a highly available and scalable architecture that supports both standalone and distributed deployments. In a distributed environment, you configure one primary Administration node and the rest are secondary nodes. The topics in this section provide information about Cisco ISE terminology, supported node types, distributed deployment, and the basic architecture.

Cisco ISE Deployment Terminology

Table 1 describes some of the common terms used in Cisco ISE deployment scenarios.

 

Table 1 Cisco ISE Deployment Terminology

| Term | Description |
|---|---|
| Service | A service is a specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring. |
| Node | A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node. |
| Node type | A node can be of two types: ISE node and Inline Posture node. The node type and persona determine the type of functionality provided by that node. |
| Persona | The persona or personas of a node determine the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. |
| Role | Determines if a node is a standalone, primary, or secondary node. Applies only to Administration and Monitoring nodes. |

Types of Nodes and Personas

A Cisco ISE network has only two types of nodes:

  • Cisco ISE node—An ISE node could assume any of the following three personas:

Administration—Allows you to perform all administrative operations on Cisco ISE. It handles all system-related configuration and configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have only one or a maximum of two nodes running the Administration persona. The Administration persona can take on any one of the following roles: standalone, primary, or secondary. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.

Policy Service—Provides network access, posture, guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there would be more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer share a common multicast address and can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.


Note At least one node in your distributed setup should assume the Policy Service persona.


Monitoring—Enables Cisco ISE to function as the log collector and store log messages from all the Administration and Policy Service personas on the ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.

A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports. Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.


Note At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and report launching.


  • Inline Posture node—A gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and virtual private network (VPN) concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles Change of Authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows up to 10,000 Inline Posture Nodes in a deployment. You can pair two Inline Posture nodes together for high availability as a failover pair.

Note An Inline Posture node is dedicated solely to that service, and cannot operate concurrently with other ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.



Note Each ISE node in a deployment can assume more than one of the three personas (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role.


The following table lists the recommended minimum and maximum number of nodes/personas in a distributed deployment:

 

Table 2 Deployment Nodes/Personas

| Node / Persona | Minimum Number in a Deployment | Maximum Number in a Deployment |
|---|---|---|
| Admin | 1 | 2 (Configured as an HA pair) |
| Monitor | 1 | 2 (Configured as an HA pair) |
| Policy Service | 1 | • 2 — when all personas (Admin/Monitor/Policy Service) are on same appliance • 5 — when Admin and Monitor personas are on same appliance • 40 — when each persona is on a dedicated appliance |
| Inline Posture | 0 | 10k for maximum NADs per deployment |

  • One primary Administration node and one secondary Administration node
  • One primary Monitoring node, with an optional secondary node
  • One or more Policy Service nodes
  • One primary Inline Posture node, with an optional secondary node

You can change the persona of a node. See the “Setting Up ISE in a Distributed Environment” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x for information on how to configure these personas on Cisco ISE nodes.
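A planned node list can be checked against the limits in Table 2 and the persona rules above before any node is registered. The following Python is an added example, not Cisco code; the `Node` fields, the function names, and the reading of Table 2's three Policy Service layouts are assumptions made for illustration.

```python
from dataclasses import dataclass

ISE_PERSONAS = frozenset({"administration", "policy_service", "monitoring"})
MAX_INLINE_POSTURE = 10_000  # "up to 10,000 Inline Posture Nodes in a deployment"


@dataclass(frozen=True)
class Node:
    """One planned node; field names are illustrative, not an ISE schema."""
    name: str
    node_type: str = "ise"             # "ise" or "inline_posture"
    personas: frozenset = frozenset()  # subset of ISE_PERSONAS
    platform: str = "appliance"        # "appliance" or "vmware"


def psn_limit(ise_nodes):
    """Policy Service maximum from Table 2, or None for an unlisted layout."""
    if any(ISE_PERSONAS <= n.personas for n in ise_nodes):
        return 2    # all personas on the same appliance
    if any({"administration", "monitoring"} <= n.personas for n in ise_nodes):
        return 5    # Admin and Monitor personas on the same appliance
    if all(len(n.personas) <= 1 for n in ise_nodes):
        return 40   # each persona on a dedicated appliance
    return None     # e.g. Admin + Policy Service together: not in Table 2


def check_deployment(nodes):
    """Return a list of violations; an empty list means the plan fits."""
    problems = []
    ise = [n for n in nodes if n.node_type == "ise"]
    ipn = [n for n in nodes if n.node_type == "inline_posture"]

    for n in nodes:
        if n.node_type not in ("ise", "inline_posture"):
            problems.append(f"{n.name}: unknown node type {n.node_type!r}")
    for n in ise:
        extra = n.personas - ISE_PERSONAS
        if extra:
            problems.append(f"{n.name}: unknown persona(s) {sorted(extra)}")
    for n in ipn:
        # An Inline Posture node is dedicated and cannot run on VMware.
        if n.personas:
            problems.append(f"{n.name}: Inline Posture node cannot assume a persona")
        if n.platform == "vmware":
            problems.append(f"{n.name}: Inline Posture is not supported on VMware")

    def count(persona):
        return sum(persona in n.personas for n in ise)

    for persona, label in (("administration", "Administration"),
                           ("monitoring", "Monitoring")):
        found = count(persona)
        if not 1 <= found <= 2:
            problems.append(f"{label}: {found} node(s), Table 2 allows 1 to 2")

    psn = count("policy_service")
    limit = psn_limit(ise)
    if psn < 1:
        problems.append("Policy Service: at least one node is required")
    if limit is None:
        problems.append("Policy Service: persona mix is not a layout listed in Table 2")
    elif psn > limit:
        problems.append(f"Policy Service: {psn} nodes, limit is {limit} for this layout")
    if len(ipn) > MAX_INLINE_POSTURE:
        problems.append(f"Inline Posture: {len(ipn)} nodes exceeds {MAX_INLINE_POSTURE}")
    return problems


# Constructed sample plan: Admin and Monitoring share two appliances,
# six dedicated Policy Service nodes, one Inline Posture node on VMware.
SAMPLE_PLAN = (
    [Node(f"pan-mnt-{i}", personas=frozenset({"administration", "monitoring"}))
     for i in (1, 2)]
    + [Node(f"psn-{i}", personas=frozenset({"policy_service"})) for i in range(1, 7)]
    + [Node("ipn-1", node_type="inline_posture", platform="vmware")]
)

if __name__ == "__main__":
    for problem in check_deployment(SAMPLE_PLAN):
        print(problem)
```

For the sample plan the check reports two violations: the Inline Posture node placed on VMware, and six Policy Service nodes where the co-located Admin/Monitor layout allows five.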

Hardware Requirements

This section describes the following topics:


Note For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.


Supported Hardware

Cisco ISE software is packaged with your appliance or image for installation. After installation, you can configure Cisco ISE as any of the specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms that are listed in Table 3.

 

Table 3 Supported Hardware and Personas

| Hardware Platform | Persona | Configuration |
|---|---|---|
| Cisco ISE-3315-K9 (small) | Any | • 1x Xeon 2.66 GHz quad-core processor • 4 GB RAM • 2 x 250 GB SATA [1] HDD [2] • 4x 1 GB NIC [3] |
| Cisco ISE-3355-K9 (medium) | Any | • 1x Nehalem 2.0 GHz quad-core processor • 4 GB RAM • 2 x 300 GB 2.5 in. SATA HDD • RAID [4] (disabled) • 4x 1 GB NIC • Redundant AC power |
| Cisco ISE-3395-K9 (large) | Any | • 2x Nehalem 2.0 GHz quad-core processor • 4 GB RAM • 4 x 300 GB 2.5 in. SAS II HDD • RAID 1 • 4x 1 GB NIC • Redundant AC power |
| Cisco SNS-3415-K9 | Any. Inline Posture is not supported | • Cisco UCS C220 M3 • Single socket Intel E5-2609 2.4 GHz CPU, 4 total cores, 4 total threads • 16-GB RAM • 1 x 600-GB disk • No RAID • 4 GE network interfaces |
| Cisco SNS-3495-K9 | Stand-alone Administration, Monitoring, and Policy Service. Inline Posture is not supported | • Cisco UCS C220 M3 • Dual socket Intel E5-2609 2.4 GHz CPU, 8 total cores, 8 total threads • 32-GB RAM • 2 x 600-GB disk • RAID 0+1 • 4 GE network interfaces |
| Cisco ISE-VM-K9 (VMware) | Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture) | • CPU—Intel Dual-Core; 2.13 GHz or faster • Memory—4 GB RAM [5] • Hard Disks (minimum allocated memory): Stand-alone—600 GB, Administration—200 GB, Policy Service and Monitoring—600 GB, Monitoring—500 GB, Policy Service—100 GB. Note For evaluation and demo purposes, the minimum required disk space is 60 GB to support 100 endpoints. Cisco does not recommend allocating any more than 600 GB maximum space for any node. • NIC—1 GB NIC interface required (you can install up to 4 NICs) • Supported VMware versions include: ESX 4.x, ESXi 4.x, ESXi 5.x |

[1] SATA = Serial Advanced Technology Attachment

[2] HDD = hard disk drive

[3] NIC = network interface card

[4] RAID = redundant array of independent disks

[5] Memory allocation of less than 4 GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4 GB prior to opening a case with the Cisco Technical Assistance Center.

If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large deployments.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESX 4.x
  • VMware ESXi 4.x
  • VMware ESXi 5.x

Supported Devices, Browsers, and Agents

Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.1.x for information on supported devices, browsers, and agents.

Supported Microsoft Active Directory

Cisco ISE, Release 1.1.x is tested with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, and 2012 at all functional levels. Microsoft Active Directory version 2000 and its functional level are not supported by Cisco ISE.

FIPS Compliance

Cisco Identity Services Engine, Release 1.1.x uses the embedded FIPS 140-2 validated cryptographic modules Cisco Common Cryptographic Module (Certificate #1643) and Network Security Services (NSS) Cryptographic Module (Certificate #1497), running on a Cisco ADE-OS platform. For details of the FIPS compliance claims, read the compliance letter for Cisco Identity Services Engine (ISE) 1.1 listed under Current Certifications at the following URL: http://wwwin.cisco.com/osp/gov/ggsg_eng/gct/fips.shtml.

Installing Cisco ISE Software

The following steps summarize how to install new Cisco ISE Release 1.1.x DVD software on supported hardware platforms (see Supported Hardware for support details).

With Cisco ISE Release 1.1.x, installation occurs in two phases:

1. The software is installed using the following options:

  • For the Cisco ISE 3300 Series appliance, the software is installed from the DVD. When the installation completes, the DVD is ejected from the appliance.
  • For the Cisco ISE 3400 Series appliance (SNS 3415 or 3495 Hardware), the software is installed using CIMC or by creating a bootable USB drive to begin the installation process.

Note For more information on using CIMC, refer to the following section in the ISE 1.1.4 Installation Guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp1136661. Also, see Configuring CIMC. For more information on the USB boot option, see Creating a Bootable USB Drive.


2. The administrator logs in and performs the initial configuration.

You can re-image a Cisco SNS-3400 series appliance over the Cisco Integrated Management Controller Interface (CIMC) or with a USB key installation. You can download the ISE_114_USB_Installation_tools.zip file from the Cisco download page, unzip the file, and follow the instructions in the README.txt that is included with the zip file to create a bootable USB key.

The following sections describe how to configure CIMC and the process of creating a bootable USB key:

For more information on the Installation of ISE 3400 Series hardware, refer to the following sections in the ISE 1.1.4 Installation Guide:


Note When using virtual machines (VMs), Cisco recommends that the guest VM have the correct time set using an NTP server before installing the .ISO image on the VMs.



Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials.

Step 2 Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Step 3 Download the appropriate Cisco ISE .ISO image (for example, ise-1.1.1.268.i386.iso) and burn the image as a bootable disk to a DVD-R.

Step 4 Insert the bootable device.

  • For the Cisco ISE 3300 Series appliance, insert the DVD into the DVD-R drive of each appliance, and reboot the appliance to initiate the Cisco ISE DVD installation process.
  • For the Cisco ISE 3400 Series appliance, use the USB boot option to initiate the Cisco ISE installation process. For more information on the USB boot option, see Creating a Bootable USB Drive. For more information on CIMC, see Configuring CIMC.

Step 5 (If necessary) Install a valid FlexLM product license file and perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. Before you run the setup program, ensure that you know the configuration parameters listed in Table 4.


 

 

Table 4 Identity Services Engine Network Configuration Parameters for Setup

| Prompt | Description | Example |
|---|---|---|
| Hostname | Must not exceed 19 characters. Valid characters include upper- and lower-case alphanumeric characters (A-Z, a-z, 0-9) with the requirement that the first character must be an alphabetic character. | isenode1 |
| (eth0) Ethernet interface address | Must be a valid IPv4 address for the eth0 Ethernet interface. | 10.12.13.14 |
| Netmask | Must be a valid IPv4 address for the netmask. | 255.255.255.0 |
| Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1 |
| DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numbers, hyphen (-), and period (.). | mycompany.com |
| Primary name server | Must be a valid IPv4 address for the primary Name server. | 10.15.20.25 |
| Add/Edit another name server | Must be a valid IPv4 address for an additional Name server. | (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue. |
| Primary NTP server | Must be a valid NTP server in a domain reachable from Cisco ISE. [6] | clock.nist.gov |
| Add/Edit another NTP server | Must be a valid NTP server in a domain reachable from Cisco ISE. [6] | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. |
| System Time Zone | Must be a valid time zone. Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x for a table of time zones that Cisco ISE supports. The default value is UTC. [7] Note The table lists the frequently used time zones. You can run the show timezone command from the Cisco ISE CLI for a complete list of supported time zones. | PST |
| Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default, you must create a new username, which must be from 3 to 8 characters in length, and be composed of valid alphanumeric characters (A-Z, a-z, or 0-9). | admin (default) |
| Password | Identifies the administrative password used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). | MyIseYP@@ss |
| Database Administrator Password | Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). Note Once you configure this password, Cisco ISE uses it “internally.” That is, you do not have to enter it when logging into the system at all. | ISE4adbp@ss |
| Database User Password | Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). Note Once you configure this password, Cisco ISE uses it “internally.” That is, you do not have to enter it when logging into the system at all. | ISE5udbp@ss |

[6] Changing the NTP server specification after Cisco ISE installation will likely affect the entire deployment.

[7] Changing the time zone specification after Cisco ISE installation will likely affect the entire deployment.


Note For additional information on configuring and managing Cisco ISE, use the list of documents in Release-Specific Documents to access other documents in the Cisco ISE documentation suite.
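The constraints in Table 4 can be checked on a worksheet of planned values before the setup program is run. The following Python is an added example, not part of the Cisco documentation or the ISE setup program; the dictionary keys and function names are hypothetical, the sample values are the table's own Example column, and the gateway-on-subnet test is an extra sanity check that Table 4 does not state.

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,18}")  # letter first, max 19
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")               # letters, numbers, - and .
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")           # 3 to 8 alphanumerics
PASSWORD_MIN_LENGTH = {                                  # minimums from Table 4
    "password": 6,
    "db_admin_password": 11,
    "db_user_password": 11,
}


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_netmask(value):
    """True only for a contiguous dotted-quad netmask (not a prefix or hostmask)."""
    try:
        network = ipaddress.IPv4Network(f"0.0.0.0/{value}")
    except ValueError:
        return False
    return str(network.netmask) == value


def password_problems(value, minimum):
    problems = []
    if len(value) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not re.search(r"[a-z]", value):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", value):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", value):
        problems.append("no number")
    return problems


def validate_setup(params):
    """Return {key: [messages]} for every value that breaks a Table 4 rule."""
    errors = {}

    def fail(key, message):
        errors.setdefault(key, []).append(message)

    if not HOSTNAME_RE.fullmatch(params["hostname"]):
        fail("hostname", "must start with a letter, be alphanumeric, max 19 characters")
    for key in ("ip_address", "gateway", "name_server"):
        if not is_ipv4(params[key]):
            fail(key, "not a valid IPv4 address")
    if not is_netmask(params["netmask"]):
        fail("netmask", "not a valid IPv4 netmask")
    domain = params["domain"]
    if is_ipv4(domain) or not DOMAIN_RE.fullmatch(domain):
        fail("domain", "must be a name (letters, numbers, '-', '.'), not an IP address")
    if not USERNAME_RE.fullmatch(params["username"]):
        fail("username", "must be 3 to 8 alphanumeric characters")
    for key, minimum in PASSWORD_MIN_LENGTH.items():
        for message in password_problems(params[key], minimum):
            fail(key, message)

    # Added sanity check, not a Table 4 rule: the gateway should be on-link.
    if not any(key in errors for key in ("ip_address", "netmask", "gateway")):
        interface = ipaddress.ip_interface(
            f"{params['ip_address']}/{params['netmask']}")
        if ipaddress.IPv4Address(params["gateway"]) not in interface.network:
            fail("gateway", "not on the eth0 subnet")
    return errors


# Sample input: the values from the Example column of Table 4.
TABLE4_EXAMPLES = {
    "hostname": "isenode1",
    "ip_address": "10.12.13.14",
    "netmask": "255.255.255.0",
    "gateway": "10.12.13.1",
    "domain": "mycompany.com",
    "name_server": "10.15.20.25",
    "username": "admin",
    "password": "MyIseYP@@ss",
    "db_admin_password": "ISE4adbp@ss",
    "db_user_password": "ISE5udbp@ss",
}

if __name__ == "__main__":
    for key, messages in validate_setup(TABLE4_EXAMPLES).items():
        print(f"{key}: {'; '.join(messages)}")
```

Run against the Example column, the check flags only the sample CLI password, which contains no number and so does not meet the rule stated in its own Description cell.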


Configuring CIMC

You can perform all operations on the Cisco ISE 3400 series appliances through the CIMC. To do this, you must first configure an IP address and IP gateway to access the CIMC from a web-based browser.


Step 1 Plug in the power cord.

Step 2 Press the Power button to boot the server. Watch for the prompt to press F8 as shown in TBD.

 

 

Step 3 During boot up, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following screen appears.

 

Step 4 Set the NIC mode to your choice for which ports to use to access the CIMC for server management (see Figure 1-3 on page 1-3 for identification of the ports):

Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy None and select IP settings.

Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default setting, along with Active-active NIC redundancy and DHCP enabled.

Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC redundancy and IP setting.


Note The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01) that is installed in PCIe slot 1. Refer to the following section in the Cisco UCS C220 Server Installation and Service Guide: Special Considerations for Cisco UCS Virtual Interface Cards.


Step 5 Use this utility to change the NIC redundancy to your preference. This server has three possible NIC redundancy settings:

None—The Ethernet ports operate independently and do not fail over if there is a problem.

Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.

Active-active—All Ethernet ports are utilized simultaneously.

Step 6 Choose whether to enable DHCP for dynamic network settings, or to enter static network settings.


Note Before you enable DHCP, your DHCP server must be preconfigured with the range of MAC addresses for this server. The MAC address is printed on a label on the rear of the server. This server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on the label is the beginning of the range of six contiguous MAC addresses.


Step 7 Optional: Use this utility to make VLAN settings, and to set a default CIMC user password.


Note Changes to the settings take effect after approximately 45 seconds. Refresh with F5 and wait until the new settings appear before you reboot the server in the next step.


Step 8 Press F10 to save your settings and reboot the server.


Note If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on the console screen during boot up.



 

Creating a Bootable USB Drive

The Cisco ISE 1.1.4 ISO image contains an “images” directory that has a Readme file and a script to create a bootable USB to install Cisco ISE 1.1.4.

Before You Begin

  • Ensure that you have read the Readme in the “images” directory
  • You need the following:

Linux machine with RHEL-5 or above, CentOS 5.x or above. If you are going to use your PC or Mac, ensure that you have installed a Linux VM on it.

An 8-GB USB drive

The iso-to-usb.sh script


Step 1 Plug your USB drive into the USB port.

Step 2 Copy the iso-to-usb.sh script and the Cisco ISE 1.1.4 ISO image to a directory on your Linux machine.

Step 3 Enter the following command:

iso-to-usb.sh source_iso usb_device

For example, # ./iso-to-usb.sh ise-1.1.4.218.i386.iso /dev/sdb where iso-to-usb.sh is the name of the script, ise-1.1.4.218.i386.iso is the name of the ISO image, and /dev/sdb is your USB device.

Step 4 A screen appears prompting you to specify the type of appliance (Cisco SNS 3415 or Cisco SNS 3495) that you want to install.

Step 5 Enter a value corresponding to your appliance type to create a bootable USB drive.

Step 6 Enter Y to continue.

Step 7 A success message appears.

Step 8 Unplug your USB drive.


 

Upgrading Cisco ISE Software

If you installed Cisco Identity Services Engine Release 1.0 or Cisco Identity Services Engine Maintenance Release 2 (MR2) previously and are planning to upgrade to the latest Cisco ISE release, review the open caveats in this section before following the upgrade instructions in the “Upgrading Cisco ISE” chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.


Note When you upgrade to Cisco ISE, Release 1.1.x, you may be required to open some network ports you may not have been using in previous releases of Cisco ISE. Ensure you consult the table of required ports to open in Cisco ISE in the “Cisco ISE 3300 Series Appliance Ports Reference” appendix of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.


This section covers the following upgrade issues:

Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4

Prerequisite

Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140.

You can upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4 normally, as described in the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.

Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3

Prerequisite

Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140.

You can upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3 normally, as described in the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.

Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3

Prerequisite

Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140.

Before you can upgrade to Cisco ISE, Release 1.1.3, you must first be sure you have upgraded your machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.

Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2

Prerequisite

Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140.

Before you can upgrade to Cisco ISE, Release 1.1.2, you must first be sure you have upgraded your machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.

Upgrade from Cisco ISE, Release 1.1 to release 1.1.1

Prerequisite

Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140.

Before you can upgrade to Cisco ISE, Release 1.1.1 from Release 1.1, you must first be sure you have applied Cisco Identity Services Engine Cumulative Patch 3 to your Release 1.1 machine(s). For information on obtaining Cisco ISE, Release 1.1 patch 3, see the Release Notes for the Cisco Identity Services Engine, Release 1.1. For specific instructions on performing the upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.

Upgrade from Cisco ISE, Release 1.0.4 to 1.1.1 with Inline Posture

In Cisco ISE 1.1.1, the Inline Posture node uses certificate-based authentication and cannot connect to the Administrative ISE node. Therefore, you are required to disconnect the Inline Posture node from the deployment prior to starting the upgrade procedure, then reconfigure the Inline Posture node after the upgrade. To do so, follow the procedure outlined in this section.


Warning You must have the proper certificates in place for your Inline Posture deployment to mutually authenticate.


Prerequisite

Record all the configuration data for your Inline Posture node before you de-register the node. Alternatively, you can save screenshots of each of the Inline Posture tabs (in the Admin user interface) to record the data. Having this data on hand speeds up the process of re-registering the Inline Posture node to complete the following task.

To upgrade to Cisco ISE 1.1.1 with Inline Posture, complete the following steps:


Step 1 From the Cisco Administration ISE node, de-register the Cisco Inline Posture node.


Note You can verify that the Inline Posture node has returned to ISE node status by going to the CLI and entering the following command:

show application status ise

If you discover that the node has not reverted to an ISE node, you can enter the following at the command prompt:

pep switch outof-pep

However, it is recommended that you only do this as a last resort.


Step 2 Upgrade the Cisco Administration ISE node to 1.1.1, as described in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.

Step 3 Import the CA root certificate, generate a certificate signing request (CSR), and create certificates on the Administration ISE node.


Note Certificates must have extended key usage for both client authentication and server authentication. For an example of this type of extended key usage, see the Microsoft CA Computer template.


Step 4 Perform a fresh installation of ISE 1.1.1 on the ISE node (that was the former Inline Posture node), as described in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.

Step 5 Import the CA root certificate, generate a certificate signing request (CSR), and create certificates on the ISE node (that was the former Inline Posture node), now in standalone mode.


Note Certificates must have extended key usage for both client authentication and server authentication. For example, select the computer template from Microsoft CA.


Step 6 Register the newly upgraded ISE Node as an Inline Posture node.

Step 7 Reconfigure the Cisco Inline Posture node.


 

Upgrade from Cisco ISE, Release 1.0.3.377

Prerequisite

Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140.

There is a known issue regarding default “admin” administrator user interface access following upgrade from Cisco Identity Services Engine Release version 1.0.3.377. This issue can affect Cisco ISE customers who have not changed their default “admin” account password for administrator user interface login since first installing Cisco Identity Services Engine Release 1.0.3.377.

Upon upgrading, administrators can be “locked out” of the Cisco ISE administrator user interface when logging in via the default “admin” account where the password has not yet been updated from the original default value.

To avoid this issue, Cisco recommends you do one or more of the following:

1. Verify that you have changed the password per the instructions in the “Managing Identities” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x prior to upgrade.

2. Disable or modify the password lifetime setting in the Administration > System > Admin Access > Password Policy page of the administrator user interface prior to upgrade to ensure the upgraded policy behavior does not impact the default “admin” account.

3. Enable password lifetime setting reminders in the Administration > System > Admin Access > Password Policy page to alert admin users of imminent expiry. Administrators should change the password when notified.


Note Although the above conditions apply to all administrator accounts, the change in behavior from Cisco ISE version 1.0.3.377 only impacts the default “admin” account.


Cisco Secure ACS to Cisco ISE Migration

Complete instructions for moving your Cisco Secure ACS 5.1 or 5.2 database to Cisco ISE, Release 1.1.x are covered in the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x.


Note You must upgrade your Cisco Secure ACS deployment to Release 5.1 or 5.2 before you attempt to perform the migration process to Cisco Identity Services Engine.


After you have moved your Cisco Secure ACS 5.1 or 5.2 database over, you will notice some differences in existing data types and elements as they appear in the new Cisco ISE environment. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.

Cisco ISE License Information

For detailed information on license types and obtaining licenses for Cisco ISE, see the “Performing Post-Installation Tasks” chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.

New Features in Cisco ISE, Release 1.1.4

Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series appliance. For details on installing and configuring the Cisco SNS 3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the following location:

New Features in Cisco ISE, Release 1.1.3

Cisco ISE, Release 1.1.3 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, 1.1.1, and 1.1.2 while rolling patch fixes for Cisco ISE, Release 1.1.1 and 1.1.2 into 1.1.3.

New Features in Cisco ISE, Release 1.1.2

Cisco ISE, Release 1.1.2 offers the following features and services:

Global Setting for Endpoint Attribute Filter

In Cisco ISE, Release 1.1.2, you can globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. This enhancement introduces a new function called a “whitelist,” which drops any attributes that are not present in the whitelist to ensure Cisco ISE database replication takes place as efficiently as possible. The whitelist is a dynamic list of attributes based on the attribute(s) you use in your profiling policies. When profiling is enabled, the Policy Service nodes in your deployment collect information from various probes and send it to the Administration ISE node. The Administration ISE node then stores and replicates this information. Earlier releases of Cisco ISE do not feature any control over which attributes can be saved, and as a result, would collect a significant amount of unnecessary information.

New Features in Cisco ISE, Release 1.1.1

Cisco ISE, Release 1.1.1 offers the following features and services:

For more information on key features of Cisco ISE, see the “Overview of Cisco ISE” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x.

New Default Authorization Profile (“Blacklist”)

The Cisco ISE administrator can now “blacklist” wireless user devices that get “lost,” or otherwise become unusable or are taken out of circulation, until the device is reinstated or is completely removed from the network. Cisco ISE removes “blacklisted” devices from the network, and they are not allowed on the network again until the device is reinstated. In order to set up the authorization policy in Cisco ISE, you also must ensure you add a compatible dynamic ACL on any associated network access devices in your deployment to manage these wireless users.

This new default authorization profile is available in the Policy > Authorization Policy page of the Cisco ISE administrator user interface.

Dictionary Attribute-to-Attribute Authorization Policy Configuration

In Cisco ISE, Release 1.1.1, you now have the option, when constructing policy conditions in an authorization policy, to specify another dictionary attribute to which you can associate the source attribute during policy configuration. Traditionally, you could only specify a text entry following the requisite operators when setting conditions in authorization policies.

This enhancement affects the Policy > Authorization Policy page of the Cisco ISE administrator user interface.

New Device Registration Task Navigator

The Device Registration Task Navigator in Cisco ISE, Release 1.1.1 provides a visual path through the various Cisco ISE administration and configuration processes that are necessary to enable administrators to set up Cisco ISE to provide multiple, configurable device support for end users. (As with previous Task Navigator implementation, the linear presentation of the Task Navigator outlines the order in which the tasks should be completed, while also providing direct links to the pages that are needed to perform the tasks.)

Native Supplicant Provisioning Profile Configuration Page

In Cisco ISE, Release 1.1.1, you can now configure native supplicant profiles for client provisioning, in addition to the existing “ISE Posture Agent Profiles” that are currently available in Cisco ISE, Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones, iPads, and Android devices.

Enhanced Client Provisioning Policy Configuration

In Cisco ISE, Release 1.1.1, you can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones, iPads, and Android devices. For specific personal device support, you can configure the policy to upload the appropriate configuration wizard that is necessary to enable the personal device to negotiate and register with Cisco ISE.

SCEP Authority Profile Configuration Page

To support enhanced personal device registration functions, Cisco ISE Release 1.1.1 enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE verifies and maintains connectivity with the SCEP authority servers that you specify, and it even performs load balancing among multiple servers to ensure optimal connectivity for users when they access the network using their personal devices.

RADIUS Proxy Attribute

The RADIUS proxy attribute in Cisco ISE, Release 1.1.1 is used to enhance the RADIUS sequence flows and processing. When the “Access-Accept” packet is received from an external RADIUS server, Cisco ISE continues to the configured authorization policy for further decision-making that is based on additional attributes and groups that are queried from Active Directory and LDAP.

EAP Chaining

In Cisco ISE, Release 1.1.1, the Extensible Authentication Protocol (EAP) chaining solution allows you to authenticate both the machine and the user in the same EAP-FAST authentication in a configurable order. When an EAP-FAST authentication result is determined, Cisco ISE allows you to apply an authorization policy, depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE performs the usual EAP-FAST authentication.

EAP-TLS as an Inner Method for EAP-FAST

This feature in Cisco ISE, Release 1.1.1 allows you to use the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol as an inner method for the EAP-FAST protocol. The implementation is the same as using EAP-TLS as the inner method for Protected Extensible Authentication Protocol (PEAP).

Device Registration Portal

The device registration portal is a standalone portal that can be completely customized to suit your organization. A network access user who is configured as an employee in an organization can access the portal which allows the user to bring personal devices into an enterprise network. This is done through an employee authentication and device registration process. Employees can manage their devices to add, edit, reinstate, and delete their devices through this portal. Cisco ISE adds these devices to the endpoints database and profiles them like any other endpoint. Cisco ISE administrators can manage the registered endpoints from the administrator user interface, by using the identities list and reports.

A default authorization policy exists in Cisco ISE that does not allow devices to access an enterprise network when they are marked “lost” in the device registration portal, and identified as blacklisted in an endpoint identity group. An employee can also reinstate a blacklisted device in the device registration portal, and register again to access the network.

New Reports in Cisco ISE, Release 1.1.1

Cisco ISE, Release 1.1.1 offers the following new reports:

  • Supplicant Provisioning Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time.
  • Registered Endpoint Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) by a specific user for a selected period of time.

Change of Authorization

Cisco ISE triggers a CoA when an endpoint is added or removed from an endpoint identity group that is used by an authorization policy. A CoA is also triggered when an endpoint identity group assignment changes due to either dynamic profiling or a static assignment.

Creating Activated Guests

A sponsor user can create activated guests by assigning them to the ActivatedGuest identity group. This is a default identity group in Cisco ISE 1.1.1. The sponsor user should belong to a sponsor group that allows guests to be assigned to the ActivatedGuest identity group.

Cisco ISE Install Files, Updates, and Client Resources

There are three resources you can use to download installation packages, update packages, and other client resources necessary to provision and provide policy service in Cisco ISE:

Cisco ISE Downloads from the Cisco Download Software Center

In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as described in Installing Cisco ISE Software, you can use the same software download location to retrieve other vital Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules.

Use this portal to get your first software packages prior to configuring your Cisco ISE deployment. Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.

To access the Cisco Download Software Center and download the necessary software from Cisco:


Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm . You might be required to provide your Cisco.com login credentials.

Step 2 Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Cisco ISE installers and software packages available for download:

  • Cisco ISE installer .ISO image
  • Windows client machine agent installation files (including MST and MSI versions for manual provisioning)
  • Mac OS X client machine agent installation files
  • AV/AS compliance modules

Step 3 Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment.


 

Cisco ISE Live Updates

Cisco ISE Live Update locations allow you to automatically download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. These live update portals should be configured in ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the ISE appliance.

Prerequisite

If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings in the Administration > System > Settings > Proxy page before you are able to access the Live Update locations. For more information on proxy settings, see the “Specifying Proxy Settings in Cisco ISE” section in the “Configuring Client Provisioning Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x.

Client Provisioning and Posture Live Update portals:

The following software elements are available at this URL:

  • Windows and Mac OS X versions of the latest Cisco ISE persistent and temporal agents
  • ActiveX and Java Applet installer helpers
  • AV/AS compliance module files

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Client Provisioning Resources Automatically” section of the “Configuring Client Provisioning Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x.

The following software elements are available at this URL:

  • Cisco predefined checks and rules
  • Windows and Mac OS X AV/AS support charts
  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Dynamic Posture Updates” section of the “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x.

If you do not enable the automatic download capabilities described above in Cisco ISE, you can choose offline updates. See Cisco ISE Offline Updates.

Cisco ISE Offline Updates

Cisco ISE offline updates allow you to manually download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates in environments where direct Internet access to Cisco.com from the ISE appliance is not available or not permitted by security policy.

To upload offline client provisioning resources, complete the following steps:


Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm . You might be required to provide your Cisco.com login credentials.

Step 2 Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Off-Line Installation Packages available for download:

  • compliancemodule- <version> -isebundle.zip — Off-Line Compliance Module Installation Package
  • macagent- <version> -isebundle.zip — Off-Line Mac Agent Installation Package
  • nacagent- <version> -isebundle.zip — Off-Line NAC Agent Installation Package
  • webagent- <version> -isebundle.zip — Off-Line Web Agent Installation Package

Step 3 Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment.


 

For more information on adding the downloaded Installation Packages to Cisco ISE, refer to the “Adding Client Provisioning Resources from a Local Machine” section of the “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x.

You can update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information offline from an archive on your local system using the posture updates.

For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use this portal once you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.

To upload offline posture updates, complete the following steps:


Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html .

The File Download window appears. From the File Download window, you can choose to save the posture-offline.zip file to your local system. This file is used to update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information.

Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 3 Click the arrow to view the settings for posture.

Step 4 Choose Updates. The Posture Updates page appears.

Step 5 From the Posture Updates page, choose the Offline option.

Step 6 From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system.


Note The File to update field is a required (mandatory) field and it cannot be left empty. You can only select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar, and .gz) are not allowed.


Step 7 Click the Update Now button.

Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.


 

Support for Windows 8.1 and Mac OS X 10.9

Cisco ISE 1.1.4 Patch 8 and 1.1.3 Patch 8 support clients using the Windows 8.1 and Mac OS X 10.9 operating systems.

See Cisco ISE Release 1.1.x Open Caveats for workarounds for issues with Safari 7 and Internet Explorer 11.

Cisco ISE, Release 1.1.4 Patch Updates

The following patch releases apply to Cisco ISE release 1.1.4:

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11

Table 5 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 11.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 5 Cisco ISE Patch Version 1.1.4.218—Patch 11 Resolved Caveats

Caveat
Description

CSCuo40875

Cisco ISE 1.1.x Not Able to Handle New User Agent Format

This fix addresses an issue where Cisco ISE 1.1.x treated the user agent string sent by a 4.9.4.3 agent machine as a user agent from a non-agent machine and redirected it to the client provisioning page.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10

Table 6 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 10.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 6 Cisco ISE Patch Version 1.1.4.218—Patch 10 Resolved Caveats

Caveat
Description

CSCui57374

ISE IPEP Invalid RADIUS Authenticator error during high load

This fix addresses an issue where the NAC agent stopped popping up for the clients when there was a high load on the IPEP. Invalid RADIUS Authenticator errors were recorded in the logs.

CSCun25178

Fetching Group Information Takes a Long Time Because of SIDHistory

This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group names if the SIDHistory belonged to a trusted domain/forest.

The large number of SIDHistory values in the user's token caused a long delay (2-5 minutes) during user authentication.

CSCun77904

iPEP interfaces Issues After Upgrading to 1.1.4 Patch 9

This fix addresses an “interface flapping” issue with the eth0 and eth1 interfaces on 3315 and 3355 appliances that resulted from upgrading to Cisco ISE 1.1.4 patch 9.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9

Table 7 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 9.


Note Cisco recommends upgrading to Cisco ISE 1.1.4 patch 10 instead of patch 9 due to caveat CSCui57374.


To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

 

Table 7 Cisco ISE Patch Version 1.1.4.218—Patch 9 Resolved Caveats

Caveat
Description

CSCub35046

CSCub62481

ISE custom guest portal results page includes unused fields

This fix addresses an issue where unused, optional fields were displayed on the guest self registration results page when using a custom self registration page and specifying 'Unused' for the Optional Data fields in the Guest Details Policy.

CSCug90502

ISE Blind SQL Injection Vulnerability

This fix addresses an issue where the Cisco Identity Services Engine (ISE) was vulnerable to blind SQL injection. This could allow a remote, authenticated user to modify information in the database.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6/5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C

CVE ID CVE-2013-5525 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5525

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui67495

Uploaded Filenames/Content Not Properly Sanitized

This fix addresses an issue where filenames and content uploaded to Cisco Identity Services Engine (ISE) were not filtered or sanitized effectively. This could have resulted in a file of an incorrect type being uploaded to ISE or in the filename leading to a potential cross-site scripting (XSS) issue.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5541 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5541

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui67511

Certain File Types are not Filtered and are Executable

This fix addresses an issue where, due to insufficient filtering and access control, potentially malicious file types could have been uploaded to, and executed within, the Cisco Identity Services Engine (ISE) web interface.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5539 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5539

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul02860

Struts Action Mapper Vulnerability

Previous versions of Cisco ISE included a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-4310

Cisco has analyzed these vulnerabilities and concluded that the product is not impacted; however, the affected component has been updated as a hardening measure.

PSIRT Evaluation

The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul03127

Struts 2 Dynamic Method Invocation Vulnerability

Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-4316

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

CVE ID CVE-2013-4316 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8

Table 8 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 8.

ISE 1.1.4 patch 8 also includes support for Windows 8.1 and Mac OS X 10.9. See Support for Windows 8.1 and Mac OS X 10.9 for more information.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 8 Cisco ISE Patch Version 1.1.4.218—Patch 8 Resolved Caveats

Caveat
Description

CSCuj45431

ISE Support for Mac OS X 10.9 NAC Agent

ISE 1.1.3 patch 8 supports a NAC Agent for Mac OS X 10.9.

CSCuj60796

ISE Support for IE 11

ISE 1.1.3 patch 8 supports Internet Explorer 11.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7

Table 9 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 7.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 9 Cisco ISE Patch Version 1.1.4.218—Patch 7 Resolved Caveats

Caveat
Description

CSCud83514

ISE session database growing too large, causing homepage blank

To resolve this issue, run the application configure ise command using the Reset M&T Session Database option.

When the Monitoring and Session Database becomes corrupted, Cisco ISE may become slow or unusable, its disk may fill up, and it may be unable to perform replication or to register with or join a distributed deployment. You may observe one or more alerts from the ISE appliance with the title “Session directory write failed.” where the body of the alert email states that the disk is full.

CSCue28066

IP address field is missing during editing/duplicating NADs

This fix addresses the issue where you cannot edit or duplicate NADs in the Network Devices List page when the IP address field is not displayed in the Cisco ISE user interface.

CSCue62940

Incremental Backup without Full Backup gets stuck in running state

This fix addresses the issue where an incremental backup fails in the absence of a full backup file in the repository.

CSCug20065

Unable to enforce RBAC as desired to a custom admin

This fix addresses the issue where an admin user (custom created) cannot add endpoints to an endpoint identity group (custom created) even after assigning the correct role-based access control policy.

CSCug68792

Incomplete Backup Process Status in UI

This fix addresses the issue where the status of backup is still shown as running in the user interface even though the process is interrupted in the middle of a backup.

CSCug77406

Increase retention of ASA VPN sessions to 120 hours (5 days)

This fix retains RADIUS active sessions up to 120 hours.

CSCug99304

ISE replication gets disabled due to expired certificates even though they are valid

This fix addresses the issue where you cannot perform manual synchronization to secondary nodes, if the certificate has expired in any one of the secondary nodes in a deployment.

CSCuh12487

Null value associated with SNMP GET after call from NMAP fails

This fix addresses the issue with MIB when mapping an endpoint profiling policy with the device MAC address after an NMAP scan.

CSCuh43440

ISE needs to improve logging mechanism to keep track of backup failures

With this fix, you can track information on previous backup exceptions. Errors related to incremental backup are logged in the ise-psc.log and can be queried using "IncrBackupUtil" or "incrbackup" as a key, because the IncrBackupRestoreException.log is overwritten every time an exception occurs during backup.

CSCui75669

Endpoint update calls from guest-portal causing replication issues

This fix addresses the issue where the Guest portal generates endpoint update calls on every redirect to the Guest portal login page for the same user-agent.

CSCuj35109

LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6

This fix addresses the issue where LWA fails for Apple (iOS 7) devices in Cisco ISE 1.1.3 patch 6.

CSCuj51094

Captured TCPDump file is not working.

This fix addresses the issue where you are unable to open the captured TCPDump.pcap file in Wireshark.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6

Table 10 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 6.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 10 Cisco ISE Patch Version 1.1.4.218—Patch 6 Resolved Caveats

Caveat
Description

CSCuf20919

Guests can view accounts from each other through self-service

Guest users can view other accounts that are created using the Self Service feature in a custom guest portal or through the default portal.

CSCuh67300

ISE redirects to default guest pages when configured for custom pages

When using Google Chrome, guest users are redirected to the default guest portal even though Cisco ISE is configured to redirect users to the custom guest portal.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5

Table 11 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 5.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 11 Cisco ISE Patch Version 1.1.4.218—Patch 5 Resolved Caveats

Caveat
Description

CSCtx35984

Profiler unable to save into DB - SSL Handshake exception error

This fix addresses SSL Handshake related issues when a secondary PAN is registered in a deployment.

CSCui41569

BYOD Supplicant Provisioning Status query should be optimized

This fix improves the response time for querying the monitoring database to determine whether the device has been successfully provisioned or is pending provisioning, and to check the status of device registration.

CSCui56071

ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

This fix filters out incoming Framed-IP-Address attributes that contain the zero IP address (0.0.0.0) to reduce replication.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4

Table 12 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 4.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 12 Cisco ISE Patch Version 1.1.4.218—Patch 4 Resolved Caveats

Caveat
Description

CSCuh70984

Database purging alarms on Cisco ISE due to open cursors exceeded

This fix addresses the database purging alarm issue where an hourly database purge fails due to the maximum number of open cursors exceeding the threshold of 1500 per user session in the Monitoring node.

CSCui22841

Apache Struts2 command execution vulnerability

Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs: CVE-2013-2251. This fix addresses the potential impact on this product.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3

Table 13 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 3.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 13 Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats

Caveat
Description

CSCth95432

All OUIs in IEEE need to be resolved to names by profiler

This fix ensures that all OUIs are resolved to organization names by the Cisco ISE profiler.

CSCuc29014

Profiling conditions edit throws null error with NullPointerException

This fix addresses the null error issue that occurs when editing a profiler condition. This issue occurred when the policy rule existed in the profiler cache even after the endpoint profiling policy that contained the rule was deleted.

CSCuc74270

Authorization policy match fails following Active Directory password change

This issue has been observed where users authenticate against Active Directory and are prompted to change to a new password. The password change is successful in Active Directory, but Cisco ISE fails to match with the appropriate authorization policy based on session attributes.

This is most likely due to attributes used in authentication not being available for authorization policy evaluation following a change in the Active Directory password.

CSCue41912

NAC agent is not triggered on Windows 8 client

Ensure that you install the new NAC agent 4.9.0.52 on Windows 8 clients along with the Cisco ISE 1.1.3 patch 3.

This fix addresses the requirement that you must install the Cisco ISE certificate on the Windows 8 client to allow the NAC agent to pop up. Unlike Windows 7 and XP clients, Windows 8 does not display the trust certificate dialog box that allows the NAC agent to pop up if Cisco ISE is using the self-signed certificate and the Cisco ISE certificate is not previously installed on the Windows 8 client.

CSCue59806

'NAC Server not available' error is thrown - EAP failure error (No response)

This fix addresses the EAP timeout issue: when the timeout occurs on a session that is already accepted, the protocol runtime (prrt) will not remove any session attribute.

If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture session attributes. The posture runtime service, which looks for session attributes, will fail to fetch the session information.

CSCue60442

Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE

With this fix, you can modify the name of user-defined endpoint identity groups without impacting the Authorization Policy page.

If you modify the name of the parent endpoint identity group (user-defined) when you have referenced the child endpoint identity groups in the authorization policies, the Authorization Policy page is empty and the configured authorization policies are not displayed.

CSCue67900

Termination-Action returns RADIUS-Request

The fix addresses the issue where Termination-Action=Radius-Request in Access-Accept is set only for the Inline Posture node.

Cisco ISE sends Termination-Action=Radius-Request in Access-Accept, which indicates that re-authentication should occur on expiration of the Session-Time or when the session is terminated.

CSCue73865

Cisco ISE is unable to authenticate users against Active Directory with SmbServerNameHardeningLevel=1

This fix addresses the issue that occurred when authenticating users against Active Directory with SmbServerNameHardeningLevel=1. Authentications failed against Active Directory with SmbServerNameHardeningLevel set to 1 with an error "24444 Active Directory operation has failed because of an unspecified error."

CSCuf56635

HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe

This fix addresses incorrect profiling of an HP Jetdirect Printer using DHCP probe.

If you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy, endpoints are not profiled as expected and you might encounter cache-related exceptions.

Workaround: Use static endpoint profiling for HP printers when you have issues with dynamic profiling using DHCP probe.

CSCug06716

Cisco ISE Centrify AD domain whitelisting breaks machine authentication

Centrify version is upgraded to 4.6.0.114. This fix addresses the issue where machine authentication fails against Active Directory whitelisted domains, if Cisco ISE is configured with AD domains whitelist.

Run the application configure ise command to configure the AD whitelist domains.

ise/admin# application configure ise
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
[6]Exit

Use option 3 to configure the AD domains whitelist.

You are about to configure Active Directory settings.
Are you sure you want to proceed? y/n [n]: y
Parameter Name: adclient.included.domains
Parameter Value: abc.com
Active Directory internal setting modification should only be performed if approved by ISE support. Please confirm this change has been approved y/n [n]: y
Active Directory settings were modified.
Settings will take effect after choosing apply option from menu.
 

Use option 5 to clear the Centrify cache and restart for the new configuration options to take effect.

CSCug69605

BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via SCEP

This fix addresses the issue where BYOD certificate-provisioning fails for all clients with an error when the CA certificate is retrieved via the SCEP server.

CSCug72958

Profiling functionality is broken while editing policies

This fix addresses incorrect profiling of endpoints when you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy.

CSCug74166

Identity groups are corrupted after changing the parent identity group name

This issue occurs only when editing the parent identity group name with the same name of the child identity group.

Workaround: We recommend that you create parent and child identity groups with different names.

CSCug76995

Unable to add user after changing the parent user identity group name

This fix addresses the issue where you cannot add users to the user identity group even after changing the parent user identity group name.

CSCug79181

Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when the secure SSID was not broadcasted

This error occurs when a device connects to an open network using IOS, gets redirected to CWS, and provides credentials; the device is registered, and the profile is installed successfully. The user is then prompted with a message to connect to “XXXX SSID and try the original url.” If the profile was modified with PEAP, once the boarding process is completed, the secure SSID is then visible, and you can connect to the secure SSID.

Workaround: There is no known workaround for this issue.

CSCug95429

Profiler: IP attribute unnecessarily being updated

This fix addresses the issue where the endpoint IP address was updated for the following conditions:

  • If Framed-IP-Address attribute contains the limited connectivity IP (169.254.0.0/16) address, it is ignored by the RADIUS probe.
  • If endpoint IP address is assigned to 0.0.0.0 by the DHCP probe, it is ignored.

CSCug98513

Integrate components to support AD 2012 or mixed mode (2008)

Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012 environments.

CSCuh17560

Suppress Accounting update packets in Cisco ISE 1.1.x

This fix controls the recording of accounting updates from the network access devices (NADs), which cause the MnT database to grow larger if NADs are configured to send periodic accounting updates.

By default, no RADIUS accounting updates are recorded in the accounting report.

CSCuh23189

ISE: Using Internal Identity User can gain access to Admin Dashboard

This fix addresses the issue where internal users gain access to the Cisco ISE Admin portal Home page when they are not mapped to any Cisco ISE administrator group.

CSCuh29915

ID group add button window shrinks

This fix addresses the issue where you cannot add endpoints to the endpoint identity group from the Endpoints object selector.

CSCuh36595

Custom Guest Self Registration Result should not write to file system

This fix addresses the issue where the client browsers display the same credentials for all guest users instead of displaying credentials for respective guest users after self-registration.

CSCuh43470

Cisco ISE Authentication failures alarm threshold definition

This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm.

CSCuh43528

Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details

This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm.

CSCuh54747

Search is not working in object selector if we change the views

The fix addresses the issue where you cannot search endpoints or users in the object selector when you switch back to the list-view from the tree-view.

CSCuh56861

Cisco ISE Active Endpoints count on dashboard home page does not decrease

The fix addresses the issue where the active endpoint count is not decreasing on the Cisco ISE dashboard if the session purge is not running properly.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2

Table 14 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 2.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

While upgrading from Cisco ISE Release 1.1.4 patch 1 to patch 2, the log targets configured for ‘Authentication Flow Diagnostics’ might get removed. You need to manually reconfigure the log targets. See also CSCuh81724.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 14 Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats

Caveat
Description

CSCud65479

Device registration Change of Authorization loop with posturing enabled

This fix addresses the device registration flow issue where the Cisco ISE Admin node issues a second CoA after the endpoint becomes compliant and is authorized.

When a client connects to the SSID, authenticates, and is redirected to device registration portal, the user agrees to the Acceptable Use Policy and is mapped to the predetermined endpoint group and the client status changes to compliant. After a few seconds, however, the client undergoes another Change of Authorization.

CSCue25407

Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x

Before this fix, when 802.1x authentication happened for the employee user after device registration over MAB in a wired device on-boarding case, authentication policy matched for the user automatically resumed using MAB when it should have started 802.1x. As a result, the end user received a “Windows Cannot connect to the network” message.

The workaround was that once the device is not able to connect via 802.1x and the user receives an error message, the user could try disconnecting the wire and connecting again.

CSCue49305

Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms.

This fix allows the JavaScript to be disabled without disabling the device registration.

CSCue49317

SCEP enrolment failure if the user name is prefixed with AD domain name

Before this fix, the device on-boarding process would return an error after registering as part of certificate enrollment. This would occur during personal device registration, when a username must be entered in the format <domain>\<username> .

This issue has only been observed when using the <domain>\<username> format to connect via 802.1x.

The workaround was to connect using just the username without the domain name.

CSCue50838

An arrayOutOfBoundException occurs during Certificate provisioning.

This exception no longer occurs.

CSCue71407

Guest and Sponsor language templates disappear from database.

Before this fix, all configured field values in the language templates for both the Sponsor and Guest portals would disappear. The portals would display the correct themes and images, but not text. The names of the language templates would also not appear in the "SEC_RES_MASTER" table.

CSCue83454

In CWA, ISE is not able to learn guest user IP address

In CWA, the NAD has no knowledge of the guest username, so RADIUS accounting cannot do the username-IP mapping. However, ISE can fetch the client IP address and show it in the Live Authentications or in the Guest reports.

CSCue90444

When an active IPEP node fails, the VPN traffic drops.

This fix ensures that VPN traffic is not dropped. The error occurred because, when the standby IPEP device became active as a result of a failure of an active IPEP node, the VPN session information was not being updated.

The workaround was to disconnect and then reconnect the VPN session.

CSCuf05267

BYOD usability - Provide API to poll BYOD status.

An API has been provided to poll the BYOD Status, which can be used by the Guest Service.

CSCuf08298

Collect only the attributes that are used in profiling policies

This is an enhancement to CSCua89503, which was resolved in 1.1.2. It enhances the ability to globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. Now any attributes that are not present in the whitelist are dropped when attribute filtering is enabled.

CSCuf47857

BYOD enhancements

This fix provides BYOD usability enhancements for guest CR.

CSCuf66747

Guest user notification substitution uses system timezone instead of user timezone

Guest user notifications use system timezone for account-start-time and account-end-time when the %starttime% and %endtime% variables are used in guest user notification within the Sponsor portal language templates. This substitution uses start-time and end-time adjusted to the Cisco ISE system timezone instead of guest user timezone.

CSCuf71124

PAP admin login failed for consecutive purge operations

This issue was intermittent. Before this fix, when there were successful data purges of the Management node, attempts to log into the PAP admin UI would fail with the following error message: “Authentication failed due to zero RBAC Group.”

CSCuf90492

ISE cannot process large SGT matrices or send radius messages larger than 4k

ISE now supports large SGT matrices. It no longer displays the following error message in the AAA diagnostics: “Invalid attributes in outgoing radius packet - possibly some attributes exceeded their size limit.”

CSCuf90513

Multiple Policy Service nodes attempt to write the same profile data to the database, which causes high CPU usage.

When multiple Policy Service nodes receive the same profiling data from an endpoint, each Policy Service node attempts to write to the Cisco ISE database. However, only one Policy Service node can write data to the database, and therefore CPU utilization will be high in other Policy Service nodes when they are not able to write data to the database while reprofiling endpoints.

This might result in disabling the data replication from the Administration ISE node.

CSCug04743

The order of policies change on Authentication, Posture and CP Policy pages when using Google Chrome

Before this fix, when a policy was inserted or duplicated on the Posture Policy page, CP Policy page, or Authentication Policy page, and you returned to the Policy page after the policy was saved, the policies would be listed in a different order.

This issue occurred only when there were more than 10 policies.

CSCug15615

BYOD CR: Error message needs to be modified for a disabled NSP policy (NSPMsg.FAIL_NSP_DISABLE)

The following error message has been enhanced to indicate that the error occurs when the NSP policy is configured but disabled: “System administrator has not configured a policy for your device. Contact your system administrator.” The new error message is: “System administrator has not configured a policy or has to enable a policy for your device. Contact your system administrator.”

CSCug34981

Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth

The authorization policy match for Self Service Guests is now correct.

CSCug35133

The attribute Service-Type is changing often with the radius probe and causing high CPU usage

This is not a key attribute and it has been removed from the static list. It is no longer triggering frequent profiling updates on EndPoints.

CSCug37245

SCEP enrolment fails when using certificates from different CAs

SCEP enrolment can now use certificates from different CAs.

CSCug44228

BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser

Before this fix, a BYOD success message would be received too early, and sometimes when an attempt was made to browse the Internet, an error message was shown stating that the client cannot connect to network.

This issue would occur when a BYOD device would connect to an Open SSID with PEAP initially and browse the Internet. This would cause the device to be redirected to the device registration page, and the user would be asked to download a profile. Once the device was registered and the profile was downloaded, a success message was shown. However, this occurred before CoA had happened.

CSCug78350

To install the NAC Agent on IE 10, you must enable compatible mode

This fix ensures that you no longer have to enable compatibility mode to install the NAC Agent. This issue would occur after authenticating to ISE, opening IE 10 as an administrator, redirecting to the CP page, and clicking Install. Only ActiveX would be installed and no error messages were displayed on the server.

The workaround was to enable Compatibility Mode on IE.

CSCug78636

Disable Diagnostics Issue

Before this fix, it was recommended that diagnostics be disabled to improve the response time of the UI. You can now leave the diagnostics at the default setting of logging only warning or error level messages.

CSCug79123

Messages are displaying in vertical format in IE

The following BYOD flow message is no longer displayed in vertical format on the device registration page when the CP policy is disabled: “The system administrator has not configured a policy or has to enable a policy for your device.” The message now displays correctly in the horizontal format. The message always displayed correctly for Chrome and Firefox.

CSCug80970

Wrong button is displayed when the session is lost during NSPWizard installation process

Before this fix, the Run Network Setup Assistant button was displayed when the session became stale in a dual SSID scenario.

With this fix, only the Try Again button is displayed, as expected because the session does not exist on the server, and the Run Network Setup Assistant button is no longer displayed. This occurs when a dual SSID flow is configured, a Windows device is redirected to the guest portal, the Register button is clicked to start the NSP Wizard installation, and the session becomes stale during NSP Wizard installation. Then when you exit the NSP profile window and go back to the browser, the correct message is displayed.

Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1

Table 15 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 1.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 15 Cisco ISE Patch Version 1.1.4.218—Patch 1 Resolved Caveats

Caveat
Description

CSCuc07816

Must be able to purge MnT data from CLI

This fix allows Cisco ISE administrators to purge monitoring and troubleshooting operational data on demand using the application configure ise command.

CSCuc48613

Google Chrome can cause reordering of Authorization Policy rules

This fix addresses the issue where after upgrade to Cisco ISE 1.1.1, if you use the Google Chrome browser to edit the authorization policy rules, you find the rules reordered and some of the rules appear grayed out.

CSCuc58992

IP address of the endpoints is not getting updated correctly

Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP address-to-MAC address mapping:

  • DHCP-REQUESTED-ADDRESS
  • FRAMED-IP-ADDRESS
  • CDPCACHEADDRESS

In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only the requested address is visible, and in some cases, the server responds with a different address than the requested one. To address some of the inaccuracies with the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it takes precedence over the dhcp-requested-address.

CSCue14864

Endpoint statically assigned to ID group may appear in different group

This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The potential issue is that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result.

This issue has been observed where the administrator creates endpoint identity groups and manually adds endpoints to the Cisco ISE database, making them static.

CSCue16774

Profiler purge process is not running, EndPoint Cache grows past memory limits

This fix addresses the Cisco ISE application restart issue that occurs if the purge process in the profiler has stopped and the EndPoint Cache size increases beyond the memory limit.

CSCue31190

Sponsor users editing guest accounts may cause internal server errors

This fix addresses the issue where an "internal server error" message would appear in the Cisco ISE Administrator User Interface when attempting to edit a guest user via the Cisco ISE Sponsor portal.

CSCue53508

Limit SNMP Query based of RADIUS Acct Start Event

Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP query on that port. If too many messages come in, the server can get overwhelmed. Cisco has added a time-out parameter to control how often Cisco ISE performs SNMP queries for particular endpoints. (At most one query per day per endpoint.)

CSCue58842

Valid email refused in Cisco ISE Guest Portal

This fix corrects validation of the email address entered in the Cisco ISE Guest portal.

Before this fix, if you entered a valid email address such as abc.x@abc.com, where only one character follows the period in the username, Cisco ISE refused it as an invalid email address for a sponsored guest email ID.

CSCue71478

Remove ACS-Session-ID from attribute suppression white-list

The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node issues a Change of Authorization. This attribute changes frequently in case of failed authorization events because new sessions are created. This means that even with attribute suppression enabled, because this attribute is essential, Cisco ISE generates a database replication event for it. The fix is to drop the attribute and instead extract the AAA server attribute, which corresponds to the node that evaluates the request.

For example:

AAA-Server1-admin
 

Previously, Cisco ISE would use the ACS-Session-ID which would have been:

AcsSessionID positron-mehdi/151281952/12
 

In the context of very high Accounting or Authorization failures, this should reduce the number of database events.

CSCue71874

Re-profiling process check continuously running

Because of the 60-second buffering in persistence, which reduces replication events, Cisco ISE delays re-profiling if any profiler policy is changed. This delay is now disabled for the Primary node, where re-profiling occurs.

CSCue86661

Cisco ISE does not match a compound condition with multiple conditions in a policy rule

This fix addresses the issue where Cisco ISE evaluates only the last compound condition in a policy rule with multiple conditions.

Earlier, the workaround was to remove the compound condition from the policy rule and add it again.

CSCue96626

Address purging issues

Purge failure and the resulting impact on Monitoring operations are addressed in this fix.

Cisco ISE, Release 1.1.3 Patch Updates

The following patch releases apply to Cisco ISE release 1.1.3:

The following patch releases apply to Cisco ISE release 1.1.2 and have been rolled into release 1.1.3:

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11

Table 16 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 11.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 16 Cisco ISE Patch Version 1.1.3.124—Patch 11 Resolved Caveats

Caveat
Description

CSCuo40875

Cisco ISE 1.1.x Not Able to Handle New User Agent Format

This fix addresses an issue where Cisco ISE 1.1.x treated the user agent string sent by a 4.9.4.3 agent machine as a user agent from a non-agent machine and redirected the machine to the client provisioning page.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10

Table 17 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 10.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 17 Cisco ISE Patch Version 1.1.3.124—Patch 10 Resolved Caveats

Caveat
Description

CSCun25178

Fetching Group Information Takes a Long Time Because of SIDHistory

This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group names if the SIDHistory belonged to a trusted domain/forest.

The large number of SIDHistory values in the user's token caused a long delay (2-5 minutes) during user authentication.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9

Table 18 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 9.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 18 Cisco ISE Patch Version 1.1.3.124—Patch 9 Resolved Caveats

Caveat
Description

CSCub35046

CSCub62481

ISE Custom Guest Portal Results Page Includes Unused Fields

This fix addresses an issue where unused, optional fields were displayed on the guest self registration results page when using a custom self registration page and specifying 'Unused' for the Optional Data fields in the Guest Details Policy.

CSCug90502

ISE Blind SQL Injection Vulnerability

This fix addresses an issue where the Cisco Identity Services Engine (ISE) was vulnerable to blind SQL injection. This could allow a remote, authenticated user to modify information in the database.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6/5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C

CVE ID CVE-2013-5525 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5525

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui57374

ISE IPEP Invalid RADIUS Authenticator error during high load

This fix addresses an issue where the NAC agent stopped popping up for the clients when there was a high load on the IPEP. Invalid RADIUS Authenticator errors were recorded in the logs.

CSCui67495

Uploaded Filenames/Content Not Properly Sanitized

This fix addresses an issue where filenames and content uploaded to Cisco Identity Services Engine (ISE) were not filtered/sanitized effectively. This could have resulted in a file of incorrect type being uploaded to ISE or the filename leading to a potential cross-site scripting (XSS) issue.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5541 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5541

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui67511

Certain File Types are not Filtered and are Executable

This fix addresses an issue where, due to insufficient filtering and access control, potentially malicious file types could have been uploaded to, and executed within, the Cisco Identity Services Engine (ISE) web interface.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5539 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5539

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul02860

Struts Action Mapper Vulnerability

Previous versions of Cisco ISE included a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-4310

Cisco has analyzed these vulnerabilities and concluded that the product is not impacted; however, the affected component has been updated as a hardening measure.

PSIRT Evaluation

The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul03127

Struts 2 Dynamic Method Invocation Vulnerability

Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-4316

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

CVE ID CVE-2013-4316 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8

Table 19 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 8.

ISE 1.1.3 patch 8 also includes support for Windows 8.1 and Mac OS X 10.9. See Support for Windows 8.1 and Mac OS X 10.9 for more information.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 19 Cisco ISE Patch Version 1.1.3.124—Patch 8 Resolved Caveats

Caveat
Description

CSCuj45431

ISE Support for Mac OS X 10.9 NAC Agent

ISE 1.1.3 patch 8 supports a NAC Agent for Mac OS X 10.9.

CSCuj60796

ISE Support for IE 11

ISE 1.1.3 patch 8 supports Internet Explorer 11.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7

Table 20 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 7.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 20 Cisco ISE Patch Version 1.1.3.124—Patch 7 Resolved Caveats

Caveat
Description

CSCud83514

ISE session database growing too large, causing homepage blank

To resolve this issue, run the application configure ise command using the Reset M&T Session Database option.

When the Monitoring and Session Database becomes corrupted, Cisco ISE may be variably slow, unusable, have a full disk, become unable to perform replication, or register/join a distributed deployment. You may observe alert(s) from the ISE appliance with the title “Session directory write failed.” where the body of the alert email states that the disk is full.

CSCue28066

IP address field is missing during editing/duplicating NADs

This fix addresses the issue where you cannot edit or duplicate NADs in the Network Devices List page when the IP address field is not displayed in the Cisco ISE user interface.

CSCue62940

Incremental Backup without Full Backup gets stuck in running state

This fix addresses the issue where an incremental backup fails in the absence of a full backup file in the repository.

CSCug20065

Unable to enforce RBAC as desired to a custom admin

This fix addresses the issue where an admin user (custom created) cannot add endpoints to an endpoint identity group (custom created) even after assigning the correct role-based access control policy.

CSCug68792

Incomplete Backup Process Status in UI

This fix addresses the issue where the status of backup is still shown as running in the user interface even though the process is interrupted in the middle of a backup.

CSCug77406

Increase retention of ASA VPN sessions to 120 hours (5 days)

This fix retains RADIUS active sessions up to 120 hours.

CSCug99304

ISE replication gets disabled due to expired certificates even though they are valid

This fix addresses the issue where you cannot perform manual synchronization to secondary nodes, if the certificate has expired in any one of the secondary nodes in a deployment.

CSCuh12487

Null value associated with SNMP GET after call from NMAP fails

This fix addresses the issue with MIB when mapping an endpoint profiling policy with the device MAC address after an NMAP scan.

CSCuh43440

ISE needs to improve logging mechanism to keep track of backup failures

With this fix, you can track information on previous backup exceptions by querying the ise-psc.log with "IncrBackupUtil" or "incrbackup" as a key for incremental backup related errors. This is needed because the IncrBackupRestoreException.log is overwritten every time an exception occurs during backup.

CSCui75669

Endpoint update calls from guest-portal causing replication issues

This fix addresses the issue where the Guest portal generates endpoint update calls on every redirect to the Guest portal login page for the same user-agent.

CSCuj35109

LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6

This fix addresses the issue where LWA fails for Apple (iOS 7) devices in Cisco ISE 1.1.3 patch 6.

CSCuj51094

Captured TCPDump file is not working.

This fix addresses the issue where you are unable to open the captured TCPDump.pcap file in Wireshark.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6

Table 21 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 6.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 21 Cisco ISE Patch Version 1.1.3.124—Patch 6 Resolved Caveats

Caveat
Description

CSCuf20919

Guests can view accounts from each other through self-service

Guest users can view other accounts that are created using the Self Service feature in a custom guest portal or through the default portal.

CSCuh67300

ISE redirects to default guest pages when configured for custom pages

When using Google Chrome, guest users are redirected to the default guest portal even though Cisco ISE is configured to redirect users to the custom guest portal.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5

Table 22 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 5.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 22 Cisco ISE Patch Version 1.1.3.124—Patch 5 Resolved Caveats

Caveat
Description

CSCtx35984

Profiler unable to save into DB - SSL Handshake exception error

This fix addresses SSL Handshake related issues when a secondary PAN is registered in a deployment.

CSCui41569

BYOD Supplicant Provisioning Status query should be optimized

This fix improves the response time for querying the monitoring database to determine whether a device has been successfully provisioned or is pending provisioning, and to check the status of device registration.

CSCui56071

ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

This fix filters out incoming Framed-IP-Address values that contain the zero IP address (0.0.0.0) to reduce replication.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4

Table 23 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 4.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 23 Cisco ISE Patch Version 1.1.3.124—Patch 4 Resolved Caveats

Caveat
Description

CSCuh70984

Database purging alarms on Cisco ISE due to open cursors exceeded

This fix addresses the database purging alarms issue where an hourly database purge fails because the number of open cursors exceeds the threshold of 1500 per user session in the Monitoring ISE node.

CSCui22841

Apache Struts2 command execution vulnerability

Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix addresses the potential impact on this product.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3

Table 24 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 3.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 24 Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats

Caveat
Description

CSCth95432

All OUIs in IEEE need to be resolved to names by profiler

This fix ensures that all OUIs are resolved to organization names by the Cisco ISE profiler.

CSCuc29014

Profiling conditions edit throws null error with NullPointerException

This fix addresses the null error issue that occurs when editing a profiler condition. This issue occurred when the policy rule existed in the profiler cache even after the endpoint profiling policy that contained the rule was deleted.

CSCuc74270

Authorization policy match fails following Active Directory password change

This issue has been observed where users authenticate against Active Directory and are prompted to change to a new password. The password change is successful in Active Directory, but Cisco ISE fails to match with the appropriate authorization policy based on session attributes.

This is most likely due to attributes used in authentication not being available for authorization policy evaluation following a change in the Active Directory password.

CSCue41912

NAC agent is not triggered on Windows 8 client

Ensure that you install the new NAC agent 4.9.0.52 on Windows 8 clients along with the Cisco ISE 1.1.3 patch 3.

This fix addresses the requirement to install the Cisco ISE certificate on the Windows 8 client, which allows the NAC agent to pop up. Unlike Windows 7 and XP clients, Windows 8 does not display the trust certificate dialog box to allow the NAC agent to pop up if Cisco ISE is using the self-signed certificate and the Cisco ISE certificate is not previously installed on the Windows 8 client.

CSCue59806

'NAC Server not available' error is thrown - EAP failure error (No response)

This fix addresses an EAP timeout issue: when an EAP timeout occurs on a session that is already accepted, the protocol runtime (prrt) will not remove any session attribute.

If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture session attributes. The posture runtime service, which looks for session attributes, will fail to fetch the session information.

CSCue60442

Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE

With this fix, you can modify the name of user-defined endpoint identity groups without impacting the Authorization Policy page.

If you modify the name of the parent endpoint identity group (user-defined) when you have referenced the child endpoint identity groups in the authorization policies, the Authorization Policy page is empty and the configured authorization policies are not displayed.

CSCue67900

Termination-Action returns RADIUS-Request

The fix addresses the issue where Termination-Action=Radius-Request in Access-Accept is set only for the Inline Posture node.

Cisco ISE sends Termination-Action=Radius-Request in Access-Accept, which indicates that re-authentication should occur on expiration of the Session-Time or the session was terminated.

CSCue73865

Cisco ISE is unable to authenticate users against Active Directory with SmbServerNameHardeningLevel=1

This fix addresses the issue that occurred when authenticating users against Active Directory with SmbServerNameHardeningLevel=1. Authentications failed against Active Directory with SmbServerNameHardeningLevel set to 1 with an error "24444 Active Directory operation has failed because of an unspecified error."

CSCuf56635

HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe

This fix addresses incorrect profiling of an HP Jetdirect Printer using DHCP probe.

If you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy, endpoints are not profiled as expected and you might encounter cache-related exceptions.

Workaround: Use static endpoint profiling for HP printers when you have issues with dynamic profiling using DHCP probe.

CSCug06716

Cisco ISE Centrify AD domain whitelisting breaks machine authentication

Centrify version is upgraded to 4.6.0.114. This fix addresses the issue where machine authentication fails against Active Directory whitelisted domains, if Cisco ISE is configured with AD domains whitelist.

Run the application configure ise command to configure the AD whitelist domains.

ise/admin# application configure ise
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
[6]Exit

Use option 3 to configure the AD domains whitelist.

You are about to configure Active Directory settings.
Are you sure you want to proceed? y/n [n]: y
Parameter Name: adclient.included.domains
Parameter Value: abc.com
Active Directory internal setting modification should only be performed if approved by ISE support. Please confirm this change has been approved y/n [n]: y
Active Directory settings were modified.
Settings will take effect after choosing apply option from menu.
 

Use option 5 to clear the Centrify cache and restart for the new configuration options to take effect.

CSCug69605

BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via SCEP

This fix addresses the issue where BYOD certificate-provisioning fails for all clients with an error when CA certificate is retrieved via the SCEP server.

CSCug72958

Profiling functionality is broken while editing policies

This fix addresses incorrect profiling of endpoints when you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy.

CSCug74166

Identity groups are corrupted after changing the parent identity group name

This issue occurs only when editing the parent identity group name with the same name of the child identity group.

Workaround: We recommend that you create parent and child identity groups with different names.

CSCug76995

Unable to add user after changing the parent user identity group name

This fix addresses the issue where you cannot add users to the user identity group even after changing the parent user identity group name.

CSCug79181

Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when the secure SSID was not broadcasted

This error occurs when a device connects to an open network using IOS, gets redirected to CWS, and provides credentials; the device is registered, and the profile is installed successfully. The user is then prompted with a message to connect to “XXXX SSID and try the original URL.” If the profile was modified with PEAP, once the boarding process is completed, the secure SSID is then visible, and you can connect to the secure SSID.

Workaround: There is no known workaround for this issue.

CSCug95429

Profiler: IP attribute unnecessarily being updated

This fix addresses the issue where the endpoint IP address was updated under the following conditions:

  • If the Framed-IP-Address attribute contains a limited connectivity IP address (169.254.0.0/16), it is ignored by the RADIUS probe.
  • If the endpoint IP address is set to 0.0.0.0 by the DHCP probe, it is ignored.

CSCug98513

Integrate components to support AD 2012 or mixed mode (2008)

Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012 environments.

CSCuh17560

Suppress Accounting update packets in Cisco ISE 1.1.x

This fix controls the recording of accounting updates from network access devices (NADs), which causes the MnT database to grow larger if NADs are configured to send periodic accounting updates.

By default, no RADIUS accounting updates are recorded in the accounting report.

CSCuh23189

ISE: Using Internal Identity User can gain access to Admin Dashboard

This fix addresses the issue where internal users gain access to the Cisco ISE Admin portal Home page when they are not mapped to any Cisco ISE administrator group.

CSCuh29915

ID group add button window shrinks

This fix addresses the issue where you cannot add endpoints to the endpoint identity group from the Endpoints object selector.

CSCuh36595

Custom Guest Self Registration Result should not write to file system

This fix addresses the issue where the client browsers display the same credentials for all guest users instead of displaying credentials for respective guest users after self-registration.

CSCuh43470

Cisco ISE Authentication failures alarm threshold definition

This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm.

CSCuh43528

Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details

This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm.

CSCuh54747

Search is not working in object selector if we change the views

The fix addresses the issue where you cannot search endpoints or users in the object selector when you switch back to the list-view from the tree-view.

CSCuh56861

Cisco ISE Active Endpoints count on dashboard home page does not decrease

The fix addresses the issue where the active endpoint count is not decreasing on the Cisco ISE dashboard if the session purge is not running properly.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2

Table 25 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 2.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 25 Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats

Caveat
Description

CSCud65479

Device registration Change of Authorization loop with posturing enabled

This fix addresses the device registration flow issue where the Cisco ISE Admin node issues a second CoA after the endpoint becomes compliant and is authorized.

When a client connects to the SSID, authenticates, and is redirected to device registration portal, the user agrees to the Acceptable Use Policy and is mapped to the predetermined endpoint group and the client status changes to compliant. After a few seconds, however, the client undergoes another Change of Authorization.

CSCue25407

Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x

Before this fix, when 802.1x authentication happened for the employee user after device registration over MAB in a wired device on-boarding case, authentication policy matched for the user automatically resumed using MAB when it should have started 802.1x. As a result, the end user received a “Windows Cannot connect to the network” message.

The workaround was that once the device is not able to connect via 802.1x and the user receives an error message, the user could try disconnecting the wire and connecting again.

CSCue49305

Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms.

This fix allows JavaScript to be disabled without disabling device registration.

CSCue49317

SCEP enrolment failure if the user name is prefixed with AD domain name

Before this fix, the device on-boarding process would return an error after registering as part of certificate enrollment. This would occur during personal device registration, when a username must be entered in the format <domain>\<username> .

This issue has only been observed when using the <domain>\<username> format to connect via 802.1x.

The workaround was to connect using just the username without the domain name.

CSCue50838

An arrayOutOfBoundException occurs during Certificate provisioning.

This exception no longer occurs.

CSCue71407

Guest and Sponsor language templates disappear from database.

Before this fix, all configured field values in the language templates for both the Sponsor and Guest portals would disappear. The portals would display the correct themes and images, but not text. The names of the language templates would also not appear in the "SEC_RES_MASTER" table.

CSCue83454

In CWA, ISE is not able to learn guest user IP address

In CWA, the NAD has no knowledge of the guest username, so RADIUS accounting cannot do the username-IP mapping. However, ISE can fetch the client IP address and show it in the Live Authentications or in the Guest reports.

CSCue90444

When an active IPEP node fails, the VPN traffic drops.

This fix ensures that VPN traffic is not dropped. The error occurred because, when the standby IPEP device became active as a result of a failure of an active IPEP node, the VPN session information was not being updated.

The workaround was to disconnect and then reconnect the VPN session.

CSCuf05267

BYOD usability - Provide API to poll BYOD status.

An API has been provided to poll the BYOD Status, which can be used by the Guest Service.

CSCuf08298

Collect only the attributes that are used in profiling policies

This is an enhancement to CSCua89503, which was resolved in 1.1.2. It enhances the ability to globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. Now any attributes that are not present in the whitelist are dropped when attribute filtering is enabled.

CSCuf47857

BYOD enhancements

This fix provides BYOD usability enhancements for guest CR.

CSCuf66747

Guest user notification substitution uses system timezone instead of user timezone

Guest user notifications use system timezone for account-start-time and account-end-time when the %starttime% and %endtime% variables are used in guest user notification within the Sponsor portal language templates. This substitution uses start-time and end-time adjusted to the Cisco ISE system timezone instead of guest user timezone.

CSCuf71124

PAP admin login failed for consecutive purge operations

This issue was intermittent. Before this fix, when there were successful data purges of the Management node, attempts to log into the PAP admin UI would fail with the following error message: “Authentication failed due to zero RBAC Group.”

CSCuf90492

ISE cannot process large SGT matrices or send radius messages larger than 4k

ISE now supports large SGT matrices. It no longer displays the following error message in the AAA diagnostics: “Invalid attributes in outgoing radius packet - possibly some attributes exceeded their size limit.”

CSCuf90513

Multiple Policy Service nodes attempt to write the same profile data to the database, which causes high CPU usage

When multiple Policy Service nodes receive the same profiling data from an endpoint, each Policy Service node attempts to write to the Cisco ISE database. However, only one Policy Service node can write data to the database, so CPU utilization is high on the other Policy Service nodes when they are not able to write data to the database while reprofiling endpoints.

This might result in disabling the data replication from the Administration ISE node.

CSCug04743

The order of policies changes on Authentication, Posture and CP Policy pages when using Google Chrome

Before this fix, when a policy was inserted or duplicated on the Posture Policy page, CP Policy page, or Authentication Policy page, and you returned to the Policy page after saving the policy, the policies would be listed in a different order.

This issue occurred only when there were more than 10 policies.

CSCug15615

BYOD CR: Error message needs to be modified for a disabled NSP policy (NSPMsg.FAIL_NSP_DISABLE)

The following error message has been enhanced to indicate that the error occurs when the NSP policy is configured but disabled: “System administrator has not configured a policy for your device. Contact your system administrator.” The new error message is: “System administrator has not configured a policy or has to enable a policy for your device. Contact your system administrator.”

CSCug34981

Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth

The authorization policy match for Self Service Guests is now correct.

CSCug35133

The attribute Service-Type is changing often with the radius probe and causing high CPU usage

This is not a key attribute and it has been removed from the static list. It is no longer triggering frequent profiling updates on EndPoints.

CSCug37245

SCEP enrolment fails when using certificates from different CAs

SCEP enrolment can now use certificates from different CAs.

CSCug44228

BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser

Before this fix, a BYOD success message would be received too early, and sometimes when an attempt was made to browse the Internet, an error message was shown stating that the client cannot connect to network.

This issue would occur when a BYOD device would connect to an Open SSID with PEAP initially and browse the Internet. The device would be redirected to the device registration page and asked to download a profile. Once the device was registered and the profile was downloaded, a success message was shown. However, this occurred before CoA had happened.

CSCug78350

To install the NAC Agent on IE 10, you must enable compatible mode

This fix ensures that you no longer have to enable compatibility mode to install the NAC Agent. This issue would occur after authenticating to ISE, opening IE 10 as an administrator, redirecting to the CP page, and clicking Install. Only Active-x would be installed and no error messages were displayed on the server.

The workaround was to enable Compatibility Mode on IE.

CSCug78636

Disable Diagnostics Issue

Before this fix, it was recommended that diagnostics be disabled to improve the response time of the UI. You can now leave the diagnostics at the default setting of logging only warning or error level messages.

CSCug79123

Messages are displaying in vertical format in IE

The following BYOD flow message no longer displays in vertical format on the device registration page when the CP policy is disabled: “The system administrator has not configured a policy or has to enable a policy for your device.” The message now displays correctly in the horizontal format. The message always displayed correctly in Chrome and Firefox.

CSCug80970

Wrong button is displayed when the session is lost during NSPWizard installation process

Before this fix, the Run Network Setup Assistant button was displayed when the session became stale in a dual SSID scenario.

With this fix, only the Try Again button is displayed, as expected, because the session does not exist on the server, and the Run Network Setup Assistant button is not displayed. The issue occurred when a dual SSID flow was configured, a Windows device was redirected to the guest portal, the Register button was clicked to start the NSP Wizard installation, and the session became stale during the NSP Wizard installation. Now, when you exit the NSP profile window and go back to the browser, the correct message is displayed.

Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1

Table 26 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 1.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 26 Cisco ISE Patch Version 1.1.3.124—Patch 1 Resolved Caveats

Caveat
Description

CSCuc07816

Must be able to purge MnT data from CLI

This fix allows Cisco ISE administrators to purge monitoring and troubleshooting operational data on demand using the application configure ise command.

CSCuc48613

Google Chrome can cause reordering of Authorization Policy rules

This fix addresses the issue where after upgrade to Cisco ISE 1.1.1, if you use the Google Chrome browser to edit the authorization policy rules, you find the rules reordered and some of the rules appear grayed out.

CSCuc58992

IP address of the endpoints is not getting updated correctly

Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP address-to-MAC address mapping:

  • DHCP-REQUESTED-ADDRESS
  • FRAMED-IP-ADDRESS
  • CDPCACHEADDRESS

In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only the requested address is visible, and in some cases, the server responds with a different address than the requested one. To address some of the inaccuracies with the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better preference than the dhcp-request-address.

CSCue14864

Endpoint statically assigned to ID group may appear in different group

This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The potential issue is that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result.

This issue has been observed where the administrator creates endpoint identity groups and manually adds endpoints to the Cisco ISE database, making them static.

CSCue16774

Profiler purge process is not running, EndPoint Cache grows past memory limits

This fix addresses the Cisco ISE application restart issue that occurs if the purge process in the profiler has stopped and the EndPoint Cache size increases beyond the memory limit.

CSCue31190

Sponsor users editing guest accounts may cause internal server errors

This fix addresses the issue where an "internal server error" message would appear in the Cisco ISE Administrator User Interface when attempting to edit a guest user via the Cisco ISE Sponsor portal.

CSCue53508

Limit SNMP Query based on RADIUS Acct Start Event

Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP query on that port. If too many messages come in, the server can get overwhelmed. Cisco has added a time-out parameter to control how often Cisco ISE performs SNMP queries for particular endpoints. (At most one query per day per endpoint.)

CSCue58842

Valid email refused in Cisco ISE Guest Portal

This fix validates the email address entered in the Cisco ISE Guest portal.

Before this fix, if you entered a valid email address such as abc.x@abc.com, where there is only one character after the period in the username, Cisco ISE refused it as an invalid email address for a sponsored guest email ID.

CSCue71478

Remove ACS-Session-ID from attribute suppression white-list

The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node issues a Change of Authorization. This attribute changes frequently in case of failed authorization events because new sessions are created. This means that even with attribute suppression enabled, because this attribute is essential, Cisco ISE generates a database replication event for it. The fix is to drop the attribute and instead extract the AAA server attribute, which corresponds to the node that evaluates the request.

For example:

AAA-Server1-admin
 

Previously, Cisco ISE would use the ACS-Session-ID which would have been:

AcsSessionID positron-mehdi/151281952/12
 

In the context of very high Accounting or Authorization failures, this should reduce the number of database events.

CSCue71874

Re-profiling process check continuously running

Because of the 60-second buffering in persistence, which reduces replication events, Cisco ISE delays re-profiling if any profiler policy is changed. This delay is now disabled for the Primary node where re-profiling occurs.

CSCue86661

Cisco ISE does not match a compound condition with multiple conditions in a policy rule

This fix addresses the issue where Cisco ISE evaluates only the last compound condition in a policy rule with multiple conditions.

Earlier, the workaround was to remove the compound condition from the policy rule and add it again.

CSCue96626

Address purging issues

Purge failure and the resulting impact on Monitoring operations are addressed in this fix.

Cisco ISE, Release 1.1.2 Patch Updates

The following patch release applies to Cisco ISE release 1.1.2

The following patch releases apply to Cisco ISE release 1.1.2 and have been rolled into release 1.1.3:

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10

Table 27 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 10.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 27 Cisco ISE Patch Version 1.1.2.145—Patch 10 Resolved Caveats

Caveat
Description

CSCuj51094

Captured TCPDump file is not working

This fix addresses an issue where an exception occurred when opening a captured TCPDump file.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9

Table 28 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 9.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 28 Cisco ISE Patch Version 1.1.2.145—Patch 9 Resolved Caveats

Caveat
Description

CSCui22841

Apache Struts2 command execution vulnerability

Cisco ISE includes a version of Apache Struts that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID: CVE-2013-2251. This fix addresses the potential impact on this product.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8

Table 29 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 8.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 29 Cisco ISE Patch Version 1.1.2.145—Patch 8 Resolved Caveats

Caveat
Description

CSCue59806

'NAC Server not available' error is thrown - EAP failure error (No response)

This fix addresses the issue of an EAP timeout occurring on a session that is already accepted; in that case, the protocol runtime (prrt) will not remove any session attribute.

If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture session attributes. The posture runtime service, which looks for session attributes, will fail to fetch the session information.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7

Table 30 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 7.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 30 Cisco ISE Patch Version 1.1.2.145—Patch 7 Resolved Caveats

Caveat
Description

CSCue60442

Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE

With this fix, you can modify the name of user-defined endpoint identity groups without impacting the Authorization Policy page.

If you modify the name of the parent endpoint identity group (user-defined) when you have referenced the child endpoint identity groups in the authorization policies, the Authorization Policy page is empty and the configured authorization policies are not displayed.

CSCuf56635

HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe

If you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy, endpoints are not profiled as expected and you might encounter cache-related exceptions.

Workaround: To prevent such issues, you must create a new profiling policy instead of modifying an existing policy.

  • If a secondary node has any profiling issue as described above, perform a manual synchronization of nodes, which might resolve the issue.
  • If an existing profiling policy creates an issue as described above, delete the existing policy and create a new profiling policy with the same set of attributes and conditions.

If neither of the workarounds listed here works, contact Cisco TAC for assistance.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6

Table 31 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 6 (Revision Number 77241).

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 31 Cisco ISE Patch Version 1.1.2.145—Patch 6 Resolved Caveats

Caveat
Description

CSCud65479

Device registration Change of Authorization loop with posturing enabled

This fix addresses the device registration flow issue where the Cisco ISE Admin node issues a second CoA after the endpoint becomes compliant and is authorized.

When a client connects to the SSID, authenticates, and is redirected to device registration portal, the user agrees to the Acceptable Use Policy and is mapped to the predetermined endpoint group and the client status changes to compliant. After a few seconds, however, the client undergoes another Change of Authorization.

Cisco ISE registers a “CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- About to issue CoA on <MAC address> due to Identity Group change.” entry repeatedly in the profiler.log file:

CSCuf08298

Collect only the attributes that are used in profiling policies

Earlier releases of Cisco ISE do not feature any control over which attributes can be saved, and as a result, would collect a significant amount of unnecessary information.

In Cisco ISE, Release 1.1.2, you can globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. This enhancement introduces a new function called a “whitelist,” which drops any attributes that are not present in the whitelist to ensure Cisco ISE database replication takes place as efficiently as possible.

CSCuf66747

Guest user notification substitution uses system timezone instead of user timezone

Guest user notifications use system timezone for account-start-time and account-end-time when the %starttime% and %endtime% variables are used in guest user notification within the Sponsor portal language templates. This substitution uses start-time and end-time adjusted to the Cisco ISE system timezone instead of guest user timezone.

CSCuf90513

Multiple Policy Service nodes attempt to write the same profile data to the database, which causes high CPU usage

When multiple Policy Service nodes receive the same profiling data from an endpoint, each Policy Service node attempts to write to the Cisco ISE database. However, only one Policy Service node can write data to the database, so CPU utilization is high on the other Policy Service nodes when they are not able to write data to the database while reprofiling endpoints.

This might result in disabling the data replication from the Administration ISE node.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5

Table 32 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 5.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 32 Cisco ISE Patch Version 1.1.2.145—Patch 5 Resolved Caveats

Caveat
Description

CSCuc58992

IP address of the endpoints is not getting updated correctly

Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP address-to-MAC address mapping:

  • DHCP-REQUESTED-ADDRESS
  • FRAMED-IP-ADDRESS
  • CDPCACHEADDRESS

In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only the requested address is visible, and in some cases, the server responds with a different address than the requested one. To address some of the inaccuracies with the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better preference than the dhcp-request-address.

CSCue53508

Limit SNMP Query based on RADIUS Acct Start Event

Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP query on that port. If too many messages come in, the server can get overwhelmed. Cisco has added a time-out parameter to control how often Cisco ISE performs SNMP queries for particular endpoints. (At most one query per day per endpoint.)

CSCue71478

Remove ACS-Session-ID from attribute suppression white-list

The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node issues a Change of Authorization. This attribute changes frequently in case of failed authorization events because new sessions are created. This means that even with attribute suppression enabled, because this attribute is essential, Cisco ISE generates a database replication event for it. The fix is to drop the attribute and instead extract the AAA server attribute, which corresponds to the node that evaluates the request.

For example:

AAA-Server1-admin
 

Previously, Cisco ISE would use the ACS-Session-ID which would have been:

AcsSessionID positron-mehdi/151281952/12
 

In the context of very high Accounting or Authorization failures, this should reduce the number of database events.

CSCue71874

Re-profiling process check continuously running

Because of the 60-second buffering in persistence, which reduces replication events, Cisco ISE delays re-profiling if any profiler policy is changed. This delay is now disabled for the Primary node where re-profiling occurs.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4

Table 33 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 4.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 33 Cisco ISE Patch Version 1.1.2.145—Patch 4 Resolved Caveats

Caveat
Description

CSCue14864

Endpoint statically assigned to ID group may appear in different group

This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The potential issue is that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result.

This issue has been observed where the administrator creates endpoint identity groups and manually adds endpoints to the Cisco ISE database, making them static.

Workaround The end users must manually authenticate the endpoint again.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3

Table 34 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 3.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 34 Cisco ISE Patch Version 1.1.2.145—Patch 3 Resolved Caveats

Caveat
Description

CSCud43467

Periodic Reassessment check functionality not working

This resolution addresses an issue where no periodic posture reassessment was initiated on certain client machines logged into the Cisco ISE network.

Note There is no known workaround for this issue.

Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2


Note There is no Patch 1 available for general deployment on the Cisco Download Software Site. Patch 1 was a limited availability patch which is now superseded by Patch 2.


Table 35 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 2.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 35 Cisco ISE Patch Version 1.1.2.145—Patch 2 Resolved Caveats

Caveat
Description

CSCto28988

Session cache entry not found with failed authentication entries

This fix addresses an issue where Cisco ISE would intermittently return session failures citing the wrong password, unknown user, and/or EAP protocol failures.

Before this resolution, you would need to disconnect and reconnect to any wired interface experiencing this issue, and (for wireless connections) either disconnect from the interface and wait five minutes before reconnecting, or ask your network administrator to manually clear the client session from a Wireless LAN Controller.

Note This issue was not unique to guest login session flows.

CSCub32594

Inline posture node does not accept a policy from the associated Policy Service node

This resolution addresses an issue that could occur when multiple user sessions trigger concurrent exchanges of RADIUS messages between the Inline Posture node and the Policy Service node (in the case of an “Authorize-Only” query or DACL download, for example) due to a race condition between two simultaneous threads. To reproduce this issue, the best way is to generate many concurrent RADIUS sessions.

Note Historically, this issue might only occur on a very infrequent basis, possibly taking months between subsequent occurrences.

CSCuc13075

Endpoints are being saved with EndpointPolicy as Unknown

This update fixes an issue where endpoint profiles were appearing in the Cisco ISE administrator interface as designed, reading “Apple-Device,” but upon editing the endpoint entry, the endpoint attributes “Endpoint Policy” and “Matched Policy” appeared as “UNKNOWN.”

CSCuc21814

Incorrect profiler policy with Rate limiter delayed updates in few cases

This fix addresses an issue where the Cisco ISE profiling policy represents an incorrect value in certain cases due to delayed profiling updates by the previously implemented Rate Limiter enhancement.

CSCuc46719

High CPU usage observed when profiling data cannot be written to database

When profiler fails to write data to the Cisco ISE database, the process does not drop that data and, instead, keeps trying to update the database, driving up CPU usage due to the extra services required. One example recorded involved a RADIUS probe where each user had a very large Active Directory group membership field. The value of this field was larger than what the Cisco ISE database could store reliably, and when Profiler tried repeatedly to add the data, the result was extremely high CPU usage.

CSCud04633

Java causing “Out of Memory” errors in Cisco ISE

This issue was observed in Cisco ISE, Release 1.1.1 where client machines were attempting to register with Cisco ISE using the EAP-TLS and PEAP protocols, as well as during standard profiling functions.

Before this fix addressed the issue, you would have to manually restart services on the Cisco ISE node in question to remedy the situation.

CSCud11139

XSS Vulnerability in Cisco ISE Guest Portal

A security scan of the Cisco ISE Guest Portal indicated that the product could be vulnerable to a cross-site scripting (XSS) attack. This issue was observed on Cisco ISE, Release 1.1.1 and has now been addressed in this patch release.

Note There is no known workaround for this issue.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C

CVE ID CVE-2012-5744 has been assigned to document this issue.

Additional information on Cisco’s security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCud12095

Purge job fails to complete in Cisco ISE, Release 1.1.1

This fix addresses an issue resulting in an “explosion” of Monitoring and Troubleshooting node tables reaching as high as 150GB in size, and the presence of many associated “database failure” messages in the Cisco ISE alarm entries.

Prior to this fix, you would need to contact the Cisco TAC to get instructions necessary to manually clean the oversized Monitoring and Troubleshooting node tables.

CSCud20871

Session cache entry missing during Guest authentication

This fix addresses an issue with Cisco ISE Guest authentication failures returning “86107-Session cache entry missing” errors from the Guest Portal.

In order to resolve the issue prior to this fix, you would have to:

1. Manually remove the Guest login session from the access point.

2. Wait for the resulting idle-timeout or session timeout to elapse on the access point, and then attempt to re-establish the connection.

Cisco ISE, Release 1.1.1 Patch Updates

The following patch releases apply to Cisco ISE release 1.1.1

The following patch releases apply to Cisco ISE release 1.1.1 and 1.1.3:

The following patch releases apply to Cisco ISE release 1.1.1 and have been rolled into release 1.1.2 and 1.1.3:

Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7

Table 36 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 7.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 36 Cisco ISE Patch Version 1.1.1.268—Patch 7 Resolved Caveats

Caveat
Description

CSCuj51094

Captured TCPDump file is not working

This fix addresses an issue where an exception occurred when opening a captured TCPDump file.

Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6

Table 37 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 6.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 37 Cisco ISE Patch Version 1.1.1.268—Patch 6 Resolved Caveats

Caveat
Description

CSCui22841

Apache Struts2 command execution vulnerability

Cisco ISE includes a version of Apache Struts that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID: CVE-2013-2251. This fix addresses the potential impact on this product.

Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5

Table 38 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 5.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 38 Cisco ISE Patch Version 1.1.1.268—Patch 5 Resolved Caveats

Caveat
Description

CSCub32594

Inline posture node does not accept a policy from the associated Policy Service node

This resolution addresses an issue that could occur when multiple user sessions trigger concurrent exchanges of RADIUS messages between the Inline Posture node and the Policy Service node (in the case of an “Authorize-Only” query or DACL download, for example) due to a race condition between two simultaneous threads. To reproduce this issue, the best way is to generate many concurrent RADIUS sessions.

Note Historically, this issue might only occur on a very infrequent basis, possibly taking months between subsequent occurrences.

Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4


Note To properly apply patch 4 to your Cisco ISE nodes and gain the benefits of CSCua55485, you must install the patch according to whether your nodes are deployed in different network domains:

  • If all of your Cisco ISE nodes are deployed in the same domain, you can apply patch 4 using the standard administrator user interface method described below.
  • If your Cisco ISE nodes are deployed in different domains, you must install this patch on your Cisco ISE nodes via the administrator CLI. Once the patch has been applied on the deployment, you can then apply future patches using the standard Administrator user interface method.


 

Table 39 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 4.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 39 Cisco ISE Patch Version 1.1.1.268—Patch 4 Resolved Caveats

Caveat
Description

CSCua55485

Cisco ISE distributed deployment does not work with split-domain configuration

This fix addresses an issue users can experience while adding nodes to an existing distributed deployment. If the existing Cisco ISE nodes belong to different domains (or even different sub-domains), you may not be able to introduce new nodes to the deployment as designed. The primary cause of this failure involves Cisco ISE using the hostnames from different domains to resolve to the IP address rather than using the proper FQDN during registration.

Note If all of your Cisco ISE nodes are deployed in the same domain, you can apply this patch using the standard administrator user interface method. If your Cisco ISE nodes are deployed in different domains, however, you must install this patch on the Cisco ISE nodes via the administrator CLI. Once the patch has been applied on the deployment, you can then apply future patches using the standard Administrator user interface method.

CSCuc13075

Endpoints are being saved with EndpointPolicy as Unknown

This update fixes an issue where endpoint profiles were appearing in the Cisco ISE administrator interface as designed, reading “Apple-Device,” but upon editing the endpoint entry, the endpoint attributes “Endpoint Policy” and “Matched Policy” appeared as “UNKNOWN.”

CSCuc46719

High CPU usage observed when profiling data cannot be written to database

When profiler fails to write data to the Cisco ISE database, the process does not drop that data and, instead, keeps trying to update the database, driving up CPU usage due to the extra services required. One example recorded involved a RADIUS probe where each user had a very large Active Directory group membership field. The value of this field was larger than what the Cisco ISE database could store reliably, and when Profiler tried repeatedly to add the data, the result was extremely high CPU usage.

CSCuc64732

Detecting a name change behaves case-sensitive

This fix addresses an issue involving user names in Active Directory using a different case format than the user names stored in the session cache. This mismatch led to users experiencing a “loop” because the name comparison failed repeatedly.

Workaround Without applying this patch, you must ensure that you use only lower case names in Active Directory as well as when authenticating via a native supplicant.

Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 3

Table 40 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 3.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 40 Cisco ISE Patch Version 1.1.1.268—Patch 3 Resolved Caveats

Caveat
Description

CSCuc19682

Cisco ISE purge operation corrupts indexes in some database tables

This fix addresses an issue where a large number of authentication failures result due to the Network Access Device pointing to the Policy Service Node for RADIUS. One of the primary symptoms, however, involves the fact that those failures do not then appear in the Administrative ISE node user interface. Prior to this fix, to resolve the issue, you would have had to work with the Cisco escalation team to manually purge some of these tables.

CSCuc51338

Sessions leak when rule-based policy performed with proxy result

This fix addresses an issue where Cisco ISE restarts periodically because of an “Out Of Memory” condition due to a large number of authentication sessions when the Authentication policy is configured as a “Rule-Based” policy and Cisco ISE is configured to proxy requests through an external AAA server. Cisco ISE has a default limit of 15,000 concurrent sessions, but when authentication requests are proxied in this way, the number of sessions can grow beyond that limit.

Prior to this resolution, you would ordinarily have to periodically restart the Cisco ISE server before reaching the upper limit of requests.

Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 2

Table 41 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 2.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 41 Cisco ISE Patch Version 1.1.1.268—Patch 2 Resolved Caveats

Caveat
Description

CSCua64378

Large number of Profiler endpoint update messages causing an issue over WAN deployment

This fix addresses an issue caused by an Oracle AQ limitation over WAN deployments. Cisco ISE now reduces the incoming database updates to the primary Administration ISE node by delaying Profiler endpoint updates so that, instead of sending all the intermediate changes on endpoints, the Profiler just sends the latest update at the end of the delay period. This collates a collection of updates into just one update.

CSCua56980

Primary Administration ISE node is non-responsive over a period of time because of frozen database

Cisco ISE has addressed this issue by sending just one consolidated update from all the probes, such as DHCP, RADIUS, SNMP, and HTTP, that are triggered when a user is coming onto the network. For new endpoints coming onto the network, the behavior remains as it is currently, as there are no issues with delay applied to those sessions.

CSCua50327

Cisco ISE Deployment page takes 40 to 50 seconds to render

This fix resolves an issue in the Cisco ISE administrator user interface where the Administration > System > Deployment page takes approximately 40 to 50 seconds to load between peer nodes deployed over a WAN connection.

CSCub03210

Database connection “leakage” during rollback failure

This fix addresses an issue that comes up when profiler is enabled on Policy Service nodes and the Policy Service node keeps profiling endpoints which have already been accounted for and logged in the Administration ISE node.

Where there are multiple Policy Service nodes in a deployment trying to log information with the Administration ISE node and any of these transactions fail, the Policy Service node tries to roll back the transaction, thus resulting in a database connection “leakage.”

Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 1

Table 42 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 1.

To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 42 Cisco ISE Patch Version 1.1.1.268—Patch 1 Resolved Caveats

Caveat
Description

CSCua92153

Cisco ISE does not validate Certificate Signing Requests correctly

This fix addresses an issue where Cisco ISE generates a CSR from a native supplicant during device registration and uses the identity name as part of the request subject. Cisco ISE, however, does not appropriately validate the identity. As a result, an attacker can create a CSR with any name, and if there is a policy based on “cert:subject name,” then Cisco ISE may authenticate the false user ID because the policy allows it.

Cisco ISE Antivirus and Antispyware Support

See the following Cisco ISE documents for specific antivirus and antispyware support details using Cisco NAC Agent and NAC Web Agent:

Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine

The Cisco NAC Agent versions 4.9.4.3 and later can be used on both Cisco NAC Appliance Releases 4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.

Integration with Cisco Prime Network Control System

Cisco Identity Services Engine, Release 1.1.x integrates with Cisco Prime Network Control System (Prime NCS), Release 1.2 to manage wired and wireless networks.

Cisco ISE Release 1.1.x Open Caveats

 

Table 43 Cisco ISE Release 1.1.x Open Caveats

Caveat
Description

CSCul13185

When installing the NAC/Web Agent using ActiveX in Internet Explorer 11, the browser shows the loading symbol indefinitely without downloading the agent.

Workaround Close and reopen the browser.

CSCuj61976

Admin UI fails to display certain pages using Firefox 25

The ISE admin UI pages with tree view are not displayed correctly when using Firefox 25 and later versions.

Workaround Downgrade to Firefox 24.

CSCuj80131

ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)

The Java applet fails to install the SPW/Agent from the Client Provisioning page on Safari browser version 7, available with Mac OS X 10.9.

Explicitly let it run by changing the website settings on the browser. The default setting encourages users to whitelist individual sites/pages where Java is used.

Workaround To let the applet install agent/SPW, connect to ISE and get re-directed to Client Provisioning page. Before clicking Click to Install Agent, go to: Safari->Preferences->Security->Manage Website Settings->Java->Click on your ISE URL->Run in unsafe mode.

CSCtc70053

Browser “Back” button not working properly

This issue has been observed in the Cisco ISE list page when switching from the list view to edit view (i.e., when you click the Create or Edit button).

Workaround There is no known workaround for this issue.

CSCti60114

The Mac OS X agent 4.9.0.x install is allowing downgrade

The Mac OS X NAC Agent is allowing downgrades without warnings.

Note Mac OS X Agent builds differ in minor version updates only. For example, 4.9.0.638 and 4.9.0.637.

CSCti71658

The Mac OS X Agent shows user as “logged-in” during remediation

The menu item icon for Mac OS X Agent might appear logged-in before getting full network access.

The client endpoints are connecting to an ISE 1.0 network or NAC using device-filter/check with Mac OS X Agent 4.9.0.x.

Workaround Please ignore the icon changes after detecting the server and before remediation is done.

CSCtj00178

Group QuickFilters not working as designed

After the administrator runs and saves an advanced filter, Cisco ISE does not display the “Successful Save” pop-up after the filter is saved.

This issue has been observed using the Admin Groups, User Identity Groups, Endpoint Identity Groups, and Guest Sponsor Groups filter options.

Workaround There is no known workaround for this issue.

CSCtj22050

Certificate dialog seen multiple times when certificate is not valid

When the certificate used by the agent to communicate with the server is not trusted, the error message can be seen multiple times.

Workaround Make sure you have a valid certificate installed on the server and that it has also been accepted and installed on the client.

Note The additional certificate error message is primarily informational in nature and can be closed without affecting designed behavior.

CSCtj25158

Exported admin should not be imported back as Network Access User

This problem occurs when Cisco ISE promotes Network Access Users to Administrators, and then exports those users. When you re-import those users, they appear as Network Access Users only. Cisco ISE does not import the promoted users as Administrators.

Workaround There is no known workaround for this issue.

CSCtj31552

Pop-up Login windows option not used with 4.9 Agent and Cisco ISE

When right clicking on the Windows taskbar tray icon, the Login option is still present, but is not used for Cisco ISE. The login option should be removed or greyed out.

Workaround There is no known workaround for this issue.

CSCtj76835

Unable to retrieve a saved Authentication Trend report

Symptom Two steps are necessary to save an Authentication Trend report:

1. Select the folder.

2. Name the file.

If you do not select a folder from the list that is presented, the report should be saved in the root folder and should appear in the Reports tab. You can observe that the files are saved, but they do not appear in the left side pane and there is no option to retrieve the files.

Conditions Saving an Authentication Trend report without selecting a folder.

Workaround Do not save the report under the root folder. Always choose a subfolder.

CSCtj81255

Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.

Symptom Two MAC addresses are detected on the switch interface connected to an ACS 1121 Appliance although only one interface is connected on the ACS 1121 Server eth0.

Conditions Only one Ethernet interface, eth0 is connected between ACS and Switch.

Workaround Disable BMC (Baseboard Management Controller) feature using BIOS setup.


Caution To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

CSCtj94813

Left side administrator user interface pane “Search Result” option is not working as expected

1. If you enter available data and click the search option, it does not display properly.

2. If the option displays some data and if you enter another value, it does not refresh the data properly.

3. The option does not display the layered/structured model as designed.

In addition, you are not able to go back to previous menu.

Workaround There is no known workaround for this issue.

CSCtk34851

XML parameters passed down from server are not using the mode capability

The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite. Mac OS X agent is not processing the mode correctly. Instead, the complete file is overwritten each time.

Workaround To use a unique entry, the administrator must set up a different user group for test purposes, or set the file to read only on the client machine and manually make the necessary changes to the local file.

CSCtk37360

Administrator is not able to customize report in Internet Explorer 8

Monitoring and troubleshooting reporting functions related to column selection and entry deletion/aggregation, etc. are not working as designed.

This issue can come up using the following versions of Internet Explorer 8:

  • IE 8.0.6001.18702 on Windows XP
  • IE 8.0.6001.18702IC on Windows XP

Workaround There is no known workaround other than to avoid using the problematic browser versions.

CSCtk46958

Cisco ISE does not display a warning when navigating away from a modified page without saving

When a user changes configuration context, there is no warning indicating that the information configured on the current page is not saved, nor is there a warning indicating that all configuration changes will be lost when the user completes that context change.

Workaround Save before navigating away from the page in question.

CSCtk82864

AAA Servers incorrectly filter with “Contains” option

When AAA servers are added to the AAA servers list (for example: a, ab) and a filter is added which includes regular expressions, Cisco ISE generates an incorrect filtered list.

Workaround Do not use regular expressions in filters.

CSCtl53966

Agent icon stuck on Windows taskbar

The taskbar icon should appear when the user is already logged in.

Workaround Right-click on the icon in the taskbar tray and choose Properties or About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes away.

CSCtl70056

“Today” is not validated against the Cisco ISE Monitoring node End Date

Reports run with a custom time range (where “today” is the specified End Date) do not work, and the Monitoring node returns a validation error. This issue has been observed where the time on the client machine (where a browser session is active) is earlier than that of the Cisco ISE node (for example, where the client is on PST and the Cisco ISE node is on UTC time zone).

Workaround Change the time zone or clock on the client machine so that the current time on that server is the same or ahead of the Monitoring node.

CSCtl77592

Unable to create authorization policy with RadiusCallingStation ID condition

When the administrator uses a MAC address with a xx-xx-xx-xx-xx-xx format as the right hand side (RHS) of a condition with RADIUS “Calling station ID” dictionary attribute, it fails to match the policy decision.

Cisco ISE does not perform validation on the string value that is entered on the RHS when constructing a condition.

Workaround Use the MAC address format xx:xx:xx:xx:xx:xx when defining conditions.

CSCtn44427

No progress indicator is displayed when importing collections of random or CSV guests

Workaround There is no known workaround for this issue. The administrator must simply wait for the process to complete.

CSCtn53084

Incorrect export of DER imported server and trusted certificate authority certificates

When exporting a local certificate using the Administration > System > Certificates > Local Certificates > Export page, the administrator may find that the certificate is in Distinguished Encoding Rules (DER) format when another format like Privacy Enhanced Mail (PEM) is desired.

The certificate export function exports a certificate using the same format it had when imported. In Cisco ISE, there is no format conversion option available.

Note One way to avoid this is to simply import all certificates in PEM format. You can convert DER to PEM using tools like openssl, and your certificate authority may have an option for PEM output.
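The DER-to-PEM conversion mentioned in the note above, as an added example rather than anything from Cisco's documentation: the script checks which encoding a certificate file uses and writes a PEM copy with openssl. The function names, file names, and the throwaway self-signed sample certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco release notes): identify the encoding of a
# certificate file and write a PEM copy of it with openssl.

# cert_encoding FILE -> prints PEM, DER or unknown.
# PEM is base64 text between BEGIN/END CERTIFICATE lines; DER is the raw ASN.1
# structure, whose first byte is always 0x30 (SEQUENCE).
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
       openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d '[:space:]')" = 30 ] &&
         openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo unknown
    fi
}

# cert_fingerprint FILE -> prints the SHA-256 fingerprint of the certificate,
# whichever encoding the file uses. Fails for files that are not certificates.
cert_fingerprint() {
    enc=$(cert_encoding "$1")
    [ "$enc" = unknown ] && return 1
    openssl x509 -inform "$enc" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# to_pem SRC DST -> writes a PEM-encoded copy of SRC to DST.
# A file that is already PEM is re-emitted unchanged in content.
to_pem() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo "to_pem: $1 is not a PEM or DER certificate" >&2
        return 1
    fi
    openssl x509 -inform "$enc" -in "$1" -outform PEM -out "$2"
}

# make_sample_der DIR -> creates a constructed, throwaway self-signed
# certificate in DIR as sample.pem and sample.der (sample input only; the
# subject name is a placeholder, not a real ISE node).
make_sample_der() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ise-node.example.test' \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null &&
    openssl x509 -inform PEM -in "$1/sample.pem" -outform DER -out "$1/sample.der"
}

# Stand-alone use: sh der2pem.sh certificate.cer certificate.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2" && echo "wrote $2 ($(cert_fingerprint "$2"))"
fi
```

Comparing the SHA-256 fingerprint of the file before and after conversion confirms that only the encoding changed, not the certificate itself.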

CSCtn65437

Report timestamp incorrect with Asia/Kolkata time zone

This behavior has been observed only using the Asia/Kolkata time zone. The result is minus 5.30 hours when compared to the actual record in the Cisco ISE database.

Workaround There is no workaround for this issue at this time.

CSCtn76441

Custom conditions are not updated under Rules in profiling policies

If you rename a profiler condition used by a profiling policy, the new name is not reflected in the rule summary display. It is, however, reflected in the associated expanded rule expression.

Workaround If you expand and collapse the rule expression in the anchored overlay and click Save, the rule summary repeater displays the correct description from then on. If you change the condition name a second time, however, and expand/collapse the summary overlay on the policy page a second time and click Save, the policy page will not reload until and unless you reload the server.

CSCtn78676

When a user name has a space between words and another similar name contains two or more spaces, Cisco ISE displays the same user name for both users.

Workaround There is no known workaround for this issue. Even though the multiple spaces are trimmed and shown as one space in the UI, the data is saved correctly in the database.

CSCtn78899

When a user group name has a space between words and another similar user group name contains two or more spaces, Cisco ISE displays the same user group name for both groups.

Workaround Avoid using spaces in the name field when creating an Identity Group.

CSCtn92594

Quickpicker filters are not working correctly during Client Provisioning policy configuration

This issue has been observed with the following three filter options:

  • Identity Groups
  • Operating Systems
  • Other conditions

Workaround There is no known workaround for this issue.

CSCtn95548

Filter behaving case sensitive for Network Device groups

The results for network device group filtering in the network device group (NDG) page are incorrect. This is because the filtering in the network device group page is case sensitive.

Workaround Enter network device group values using lower-case letters.

CSCto05172

The Profiler detail log does not display some attributes.

“Certainty Metric,” “Matched Rule,” and “Endpoint Action” name values are not updated in the Profiler endpoint detail log.

Workaround There is no known workaround for this issue.

CSCto09989

Cisco ISE browser session redirects to Monitoring login page using Internet Explorer 8

As soon as you log in to Cisco ISE via IE8, the page gets redirected to a Monitoring node administrator login page (even before the initial page displays completely).

Note This issue has also been observed using Mozilla Firefox, but the redirection in Firefox only takes place after a couple of minutes of inactivity.

Workaround Immediately after entering your login credentials, navigate from the main Cisco ISE page to any configuration page (like Posture, Authorization, or Client Provisioning, for example).

For more information, see Issue Accessing the Cisco ISE Administrator User Interface.

CSCto32002

The Cisco ISE MAC address authentication summary report displays IP addresses where MAC addresses should be

CSCto33933

Login Success display does not disappear when user clicks OK

This can occur if the network has not yet settled following a network change.

Workaround Wait a few seconds for the display to close.

CSCto41340

Authentication Policy replication failure from Primary to Secondary if the time zone changes after installation

In release 1.0, a time change is not supported after the deployment is set up because of the dependencies on time synchronization.

Note Support for time change within an existing deployment will be postponed to a later release.

CSCto45199

“Failed to obtain a valid network IP” message does not go away after the user clicks OK

This issue has been observed in a wired NAC network with an IP address change that is taking longer than normal. (So far, this issue has only been seen on Windows XP machines.)

Workaround None. The user needs to wait for the IP address refresh process to complete and for the network to stabilize in the background.

CSCto48555

Mac OS X agent does not rediscover the network after switch from one SSID to another in the same subnet

Agent does not rediscover until the temporary role (remediation timer) expires.

Workaround The user needs to click Complete or Cancel in the agent login dialog to get the agent to appear again on the new network.

CSCto52210

Authorization and authentication policy rules pages load and save times are high

This issue has been observed with 50 or more authentication rules, where each rule has at least conditions. The load and save times approach one-and-a-half minutes.

CSCto54536

Local certificates disappear on the secondary node following “application reset-config ise” command in CLI

When displaying the local certificates on the Administration > System > Certificates > Local Certificates page of a deregistered node that is now in Standalone mode.

The administrator should not reset the configuration of a node prior to de-registering it. The correct process is as follows:

1. Node A is registered.

2. Node A is deregistered.

3. Enter “application reset-config ise” in node A CLI.

Workaround If the node is reset before deregistration, you can make the local certificates reappear by entering the following commands in the CLI:

  • application stop ise
  • application start ise

CSCto60148

Java crashes during high posture load

This issue has been observed under extreme load conditions where Cisco ISE is hit with a large number of concurrent users for posture.

Workaround None. You must restart the Cisco ISE Policy Service.

CSCto63069

The nacagentui.exe application memory usage doubles when using “ad-aware”

This issue has been observed where the nacagentui.exe memory usage changes from 54 to 101MB and stays there.

Workaround Disable the Ad-Watch Live Real-time Protection function.

CSCto64028

“Fail to receive server response...” seen when deleting profiling policy

A “Fail to receive server response due to the network error (ex. HTTP timeout)” error message may appear when deleting Profiling policies, and some of the policies may not be deleted.

Workaround Log out from Cisco ISE, log back in, and try deleting the policies again.

CSCto72015

Authorization policy with condition as “Identity grp” does not work

Create an Identity Group with the following attributes:

User Identity Groups:

  • Employee
      • Location1
      • Location2

Create Authorization Policy containing the “IdentityGroup:Name Equals Location1” condition and perform user authentication. Authentication fails because the rule in the condition has not been satisfied.

This problem occurs only using the “IdentityGroup:Name” dictionary attribute in the Authorization Policy.

Workaround To implement the workaround:

1. Instead of using a Dictionary Attribute (IdentityGroup:Name) in the policy, specify the Identity Group to be “Location1” in the Identity Group selection rather than “Any.”

2. Assign the “Location1” Identity Group to the Internal User.

3. In the Authorization Policy condition, specify one of the following:

“Internal Users.Identity Group Equals IdentityGroup:User Identity Groups:Employee:Location1”

“Internal Users.Identity Group Matches.*Location1”

CSCto82519

Saving your Active Directory configuration while the DNS is down takes a very long time

Cisco ISE requires connectivity to Active Directory (including DNS) when saving the configuration. If the DNS is not reachable, then the save function may time out before it can complete.

Workaround Ensure that the DNS is available and reachable before saving your Active Directory configuration.

CSCto84932

The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh the IP address due to a double IP refresh by the supplicant and the Cisco NAC agent.

Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCto97486

The Mac OS X VLAN detect function runs between discovery, causing a delay

VLAN detect should refresh the client IP address after a VLAN detect interval (5) X retry detect (3) which is ~ 30 sec, however it is taking an additional 30 sec.

This issue has been observed in both a wired and wireless deployment where the Cisco NAC agent changes the client IP address in compliant or non-compliant state since Mac OS X supplicant cannot.

An example scenario involves the user getting a “non-compliant” posture state where the Cisco ISE authorization profile is set to Radius Reauthentication (default) and session timer of 10 min (600 sec). After 10 min the session terminates and a new session is created in the pre-posture VLAN. The result is that the client machine still has post-posture VLAN IP assignment and requires VLAN detect to move user back to the pre-posture IP address.

Workaround Disconnect and then reconnect the client machine to the network.

CSCtq02332

Windows agent does not display IP refresh during non-compliant posture status

The IP refresh is happening on the client machine as designed, but the Agent interface does not display the change appropriately (for example, following a move from preposture (non-compliant) to postposture (compliant) status).

Workaround There is no known workaround for this issue.

CSCtq02533

The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh the IP address due to a double IP refresh by the supplicant and the Cisco NAC agent.

Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCtq06832

Time and Date conditions need to be updated correctly when changing time zones

Configure the Time Zone in Cisco ISE to be “IndianStandardTime,” for example, and create a Time and Date condition (Ex: From Time 10:00 AM & To Time 8:00 PM). Then update the Time Zone from IST to UTC. The existing Time and Date condition does not get updated per the new specified Time Zone.

This issue comes up when changing the Time Zone after creating the Time and Date condition in the Policy > Conditions > Common > Time and Date page.

Workaround There is no known workaround for this issue.

CSCtq07271

Cisco ISE returns a misleading message after Change of Authorization on an Inline Posture node

When the administrator issues a Change of Authorization Session Termination, Cisco ISE returns a “successful” message, but the Inline Posture node cannot find the session and drops the request.

CSCtq07311

Change of Authorization shows “0” sessions on Policy Service node are down

This issue has been observed when one or more Policy Service nodes are behind an Inline Posture node, a client machine connected via a particular Policy Service node has authenticated, but has not yet completed posture assessment, and that Policy Service node then goes down (administratively or otherwise).

Note As designed, another Policy Service node in the node group detects that the peer node has gone down and issues a Change of Authorization to terminate the pre-posture session on the client machine, but that measure does not succeed.

Workaround If the client machine re-initiates authentication, the new request goes to another Policy Service node (assuming that the Network Access Device is configured with multiple RADIUS servers) and authentication and posture assessment should work as designed.

CSCtq09004

Windows 7 guest access not successful from IE8 and Chrome 10

Guest access fails over a wireless LAN controller connection. The login session does not appropriately redirect the user authentication request. This is likely due to IE8 and Chrome 10 browsers on Windows 7 being unable to redirect the RADIUS authentication request to the controller.

Note This issue has not been observed using Mozilla Firefox.

Workaround Ensure that the certificates in the controller are accepted by the IE8 browser on the Windows 7 client correctly.

CSCtq12630

Guest page not redirecting to original URL after wireless login using Internet Explorer 8 or 9

Workaround In Internet Explorer 8, the end user should click No in the login dialog that pops up in order to be redirected to the correct page. In Internet Explorer 9, after the login success message appears, re-enter the original URL in the browser address bar.

CSCtq15859

IP address refresh does not work with 64-bit Internet Explorer

IP address refresh via ActiveX is not supported on 64-bit versions of the Internet Explorer browser. Such functions are only available in 32-bit versions of Internet Explorer.

CSCtq53690

Scheduled Monitoring and Troubleshooting incremental backup switches off following failed backup attempt

Workaround If one of the scheduled Monitoring and Troubleshooting node backup events fails, the administrator needs to enable the “Incremental Backup” option again in the Administration > System > Operations > Monitoring Node > Scheduled Backup page.

CSCtr09694

MAC address search at Reports > Query and Run should not be case sensitive

While launching reports, the MAC address search is case sensitive, but should not be.

Note There is no known workaround for this issue.

CSCtr32014

Three-hour Cisco ISE upgrade time on scale configuration

This problem occurs during upgrade from one Cisco ISE running release 1.0 software to release 1.1.x.

Note There is no known workaround for this issue.

CSCtr45402

Server Authentication Summary Report takes more than 1 minute to launch

This issue has been observed when viewing more than 30 days' worth of data on a larger (3395) Cisco ISE platform running Cisco ISE, Release 1.0.4.

CSCtr57280

IP-to-MAC address binding fails in wireless environment with RADIUS and HTTP probe

RADIUS accounting messages from a WLC do not send the endpoint IP address. This is different from the RADIUS accounting messages from wired infrastructure. This makes the RADIUS method ineffective for IP-to-MAC address binding on Cisco ISE.

Workaround Enable a DHCP probe and configure the setup for Cisco ISE to profile endpoints with DHCP packets.

CSCtr58811

Need to log out and log back in to get Advanced License functionality

After installing an Advanced License on top of an existing Base license, the administrator is not able to view advanced feature pages such as Posture, Profiler, and Security Group Access.

Workaround Log out and log back in again to view Advanced feature pages.

CSCtr66929

Selected month and year while configuring file “Date” condition

If you specify either just the year or month in the “Date” field of the Policy > Policy Element > Conditions > File Condition configuration window, the date does not get saved along with the policy.

Workaround Always specify the correct date.

CSCtr68491

Windows Internet Explorer 8 Info button on compound condition format is empty

When you hover over the “Info” button in the Policy > Policy Elements > Conditions > Posture > Compound Condition page, the pop-up bubble remains empty.

This issue has been observed using IE8, but the text appears as designed in Mozilla Firefox.

CSCtr88091

You may experience slow response times for some user interface elements when using Internet Explorer 8.

Symptom When using Internet Explorer 8, the check-boxes on pop-up dialogs for selecting and deselecting groups and attributes may be slow to respond to clicks for changing states.

Conditions The use of Internet Explorer 8.

Workaround Do any of the following:

  • Consider using an alternative web browser. Firefox does not show the same symptoms.
  • Be patient. The check-boxes in IE8 respond after clicking them several times.
  • Enter the group names manually, and avoid using the pop-up dialogs.

CSCts10323

Internet Explorer running slow during client provisioning

Internet Explorer has an option where you can turn the “check for revocation lists” function on or off.

When this option is enabled and the dACL simultaneously does not allow access to CDP servers, Internet Explorer “freezes up” for about a minute while it tries to access the requisite CDPs.

CSCts20529

Authorization profile getting saved with incomplete information

This issue occurs when using the “auto-smart-port,” “Filter_ID,” “wireless lan controller,” or “Posture Discovery” fields in the configuration page.

Note Because of this mismatch in attribute values, the resulting authorization policy may not work properly.

Workaround Click anywhere in the window while creating an authorization profile when using any of the above mentioned attributes. The authorization profile is then saved properly.

CSCts36792

No “Cisco ISE Configuration Changes” alarms appearing on Conditions

Guest simple and compound conditions can be created, edited, and deleted on the admin UI, but no logs are generated in Cisco ISE accounting.

This problem is limited to creating, modifying, and deleting guest simple and compound conditions in the Policy > Policy Management > Conditions > Guest page.

Workaround There is no known workaround for this issue.

CSCts48857

Failed to send notification from UTF-8 Email address

An “Internal error encountered. Please see logs for more details.” error message appears when attempting to notify a Guest user by email of their new account information.

This problem occurs only for user IDs that contain UTF-8 characters outside the US-ASCII range.

Workaround There is no actual workaround at this time, however, you could try substituting a traditional ASCII Email address for the address containing UTF-8 characters.

CSCts80116

OPSWAT SDK 3.4.27.1 causes memory leak on some PCs

Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may experience excessive memory usage.

Note This has only been observed with version 8.2.0 of Avira AntiVir Premium or Personal. Later versions of the application do not have this issue.

Workaround Install a later version of Avira AntiVir Premium or Personal.

CSCts89508

Authorization fails when a UTF-8 username and password credentials are used

Microsoft native supplicants for Windows 7, Windows XP and Windows Vista require the following hot fixes in order to support UTF-8 RADIUS user names:

Workaround Cisco AnyConnect 3.1 conducts EAP authentication with UTF-8 username successfully.

CSCtt17378

Cisco NAC Agent does not pop up if TLS 1.0 is not enabled in Internet Explorer settings

The problem occurs when all the following conditions are met:

  • Cisco ISE is operating with a FIPS 140-2 module.
  • The client machine “Local security settings > System cryptography: Use FIPS algorithm” is enabled.
  • In the client machine Internet Explorer Advanced settings, the SSL 3.0/TLS 1.0 option is disabled.

Workaround Ensure TLS 1.0 is enabled in Internet Explorer and restart the Cisco NAC Agent.

CSCtt25262

Externally-authenticated administrator users cannot register nodes

Workaround Cisco ISE will not allow the external administrator to register nodes. Create an internal user to perform the registration process.

CSCtt93787

Files without extensions are not downloaded correctly using Cisco NAC Web Agent

When the Cisco NAC Web Agent invokes file remediation, it does not download the file as designed. Instead, the Agent attempts to open the file.

Workaround There is no known workaround for this issue.

CSCtu39612

Cisco ISE Inline Posture node is not accessible from the Admin ISE node user interface after an upgrade to ISE 1.1.x

Workaround Follow the instructions provided in Upgrade from Cisco ISE, Release 1.0.4 to 1.1.1 with Inline Posture.

CSCuh75971

Issue running applet with latest Java 7 update 25 on Windows / Mac

If Java 7 update 25 or above is installed, launching Agents or Network Setup Assistants during the client provisioning or onboarding process on Windows or Mac clients takes about 3 minutes, because this Java update has Perform revocation checks enabled by default. This causes the applet's signed certificates to be verified against the issuer's CA server, which is currently blocked, and there is no way to open traffic to the CA server on a switch because the switch does not support host name based ACLs.

Workaround If you are using Java 7 update 25, make sure to turn off Perform certificate revocation checks in Java.

Open the Java Control Panel, click the Advanced tab, go to Perform certificate revocation checks on, and select Do not check.

CSCuh81724

ISE - Authentication Flow Diagnostics log targets removed in 1.1.4 p2

While upgrading from Cisco ISE Release 1.1.4 patch 1 to patch 2, the log targets configured for ‘Authentication Flow Diagnostics’ might get removed.

Workaround After upgrading to release 1.1.4 patch 2, navigate to Administration > Logging > Logging Categories and re-configure the log targets.

CSCtv17606

Monitoring and Troubleshooting requires an appropriate error message if backup/restore process fails

When you try and perform a Monitoring and Troubleshooting backup/restore from the Cisco ISE administrator user interface, which is intended only to restore Administrator ISE nodes, the message displayed reads, “% Error: Cannot find ise_backup_instance.log in the backup file % Application restore failed.” Instead, a message like “% Error: Cannot ISE M&T backup can only be restored web interface % Application restore failed” would better advise users of the issue.

CSCtv21758

You are unable to Unquarantine an endpoint (with Endpoint Protection Services) using the IP address of the endpoint.

Workaround Use the MAC address to unquarantine the endpoint.

CSCtw79431

Exiting the Cisco Mac Agent while in “pending” state displays the wrong user message

Exiting a Cisco Mac Agent that has not yet successfully logged in displays a “successfully logged out from network” message to the user, when in fact there is no log-in status change.

Workaround There is no known workaround for this issue.

CSCtw98454

Guest accounting report filter not working

If you specify a particular username in the Guest user filter in the guest accounting report, Cisco ISE still shows results from other users, as well.

CSCtx03427

Create Alarm Schedule returning XSS error messages

This issue has been observed when the configured alarm name contains “onChange”.

Workaround Change the alert name to something that does not contain “onChange”.

CSCtx31601

Cannot add Network Access user, but able to import users

When the string “alert” appears in the Network Access user name, the Cisco ISE user interface prevents it from being created.

Workaround If you import a user with that name, it will work.

CSCtx59957

A warning/pop-up appears while creating a Guest Time profile

A pop-up with the message “Warning: Unresponsive script” can appear when adding a time profile in Guest settings under Administration.

Workaround Dismiss the pop-up message and try again.

CSCtx60819

Database restoration runs out of space on VMware systems with only 60 GB disk size

This issue only occurs on unsupported (EVAL) VMware disk installations where the restoration server has a single disk of only about 60-70 GB of disk space.

Workaround Use a VMware server installation with a larger disk size (like 100 GB) if possible.

CSCtx62403

Admin can control sessions on a node on which replication has been disabled

When a Cisco ISE certificate has expired, replication is disabled on that node. When replication is disabled on a node, active sessions affecting that node can be controlled from the Administrator ISE node. Therefore, the Cisco ISE administrator can see active sessions on nodes where replication has been disabled and can issue Change of Authentication for associated endpoints.

Note Certificate validity is validated every 24 hours in a deployment for each node.

CSCtx62657

Cannot deregister an Inline Posture node

On the Deployment List Page, when you attempt to deregister a node by clicking the appropriate button, the administrator user interface is grayed out until a message reading “Deregister is done. Node will be re-started.” appears.

Workaround Log out and log in to the administrator user interface again. The deregistered node is no longer visible in the user interface.

CSCtx68334

Promotion for Secondary Monitoring and Troubleshooting fails if the Primary node is down

When you promote the secondary Monitoring and Troubleshooting node while the primary node is down, Cisco ISE returns a transition failure and the database rolls back.

Workaround Try to perform the operation again to overcome this issue.

CSCtx69191

Mozilla Firefox does not function with OpenSC middleware software

If you create a certificate authentication profile using the Cisco ISE Active Directory > Groups page, install the OpenSC middleware software, then go to the management station connected to a CAC authentication device and insert the CAC card while attempting to log in via Mozilla Firefox, authentication does not take place as designed.

The key issue is that the e-mail certificate that Cisco ISE normally uses to authenticate the administrator does not appear for selection by the browser, and any other certificate fails during connection.

Note This issue has been observed using OpenSC middleware on Mac OS X (Safari and Chrome both work as designed). CACkey middleware works as designed with Safari, Chrome, and Firefox.

CSCtx79725

Cisco ISE freezes during startup if first DNS does not respond

This issue has been observed if/when primary DNS is misconfigured or down.

Workaround Specify a different (operational) DNS server.

CSCtx80886

When switching to FIPS mode, there is no way to delete the self-signed certificate on an Inline Posture node

This issue occurs when the original self-signed certificate is still installed on the Inline Posture node, even though it is not actually used by Cisco ISE.

Note Do not remove the default self signed certificate and join the Inline Posture node to the deployment using FIPS compliant CA certificates.

Workaround Deregister the Inline Posture node, remove the self-signed certificate, and re-register the Inline Posture node.

CSCtx90696

Cisco ISE does not work after updating the IP address

This issue may occur because the primary DNS server used by Cisco ISE has not yet been updated with the new IP address.

Note Do not use the no ip address command when you change the Cisco ISE appliance IP address. Instead, simply set the new IP address with the ip address command.

Workaround Use the “ip address” command in the CLI to specify a new IP address. (Make sure the primary DNS server is also updated with new records.)

CSCtx92251

Using the Cisco ISE “Replace” function on a secondary node does not assign protocols or replace the certificate

Using the “Replace” button when replacing a certificate on a secondary node (such as a Monitoring and Troubleshooting or Policy Service node) does not move the protocols to the new certificate or remove the old certificate.

This issue has been observed when you install the certificate on a Monitoring and Troubleshooting node, take the same Certificate Signing Request and have it signed by a different Certificate Authority, then install the certificate on the Monitoring and Troubleshooting node with the “Replace” option enabled.

Note Both certificates are still present on the node and EAP and MGMT protocols are not part of the new certificate from the second Certificate Authority.

Workaround Create a new certificate from the second Certificate Authority, edit protocols, and then delete the old certificate from the original Certificate Authority.

CSCtx93416

Database restoration fails when upgrading from software release 1.0.4 to release 1.1.x

The restore process fails when the Cisco ISE Release 1.1.x deployment has been installed via upgrade and the hostnames in the topology have different assigned roles: the hostname of the original primary node (when the release 1.0.4 backup image was created) still appears as a node name in the new deployment, but that node is no longer the primary node in your deployment.

Workaround There are two possible workarounds for this issue:

  • Change the hostname on the new release 1.1.x primary node to match what it was during the backup, and try to restore the database again.
  • Change the hostname on the new release 1.1.x primary node to something completely new (a name that was not used at all in the original release 1.0.4 deployment).

CSCtx94533

Some endpoints appear as “pending” following posture assessment

It can take up to 10-15 minutes to get the endpoint status updated to reflect a “Registered” state, where the endpoint goes through posture assessment and gains full access to the network.

CSCtx95251

Deployment page load exceeds six minutes when two or more nodes are unreachable

This problem may occur only if the nodes are not reachable, there are lots of pending messages in the secondary node, and if there is possibly a firewall issue.

Workaround Make sure all the nodes are reachable, there are no pending messages, and there are no firewall issues.

CSCty00899

LiveLog Reports cannot be opened

When you drill down on LiveLog details to launch a detail report, Cisco ISE returns an error message.

Note This issue is seen only if you leave your browser idle for more than one day.

Workaround Users can log out and log in again to drill down to report details from live logs.

CSCty02167

IP refresh fails intermittently for Mac OS 10.7 guest users

This problem stems from the way Mac OS 10.7 handles certificates. Marking the certificate as “trusted” in the CWA flow is not good enough to download the Java applet required to perform the DHCP refresh function.

Workaround The Cisco ISE certificate must be marked as “Always Trust” in the Mac OS 10.7 Keychain.

CSCty05129

“Monitor All” function does not take effect after policy refresh

When the administrator enables or disables the Monitor All function, devices do not get policy updates as designed. This has been observed in cases where the cells are not updated manually.

Workaround Cisco recommends using the Monitor Mode function on a per cell basis, rather than Monitor All. If you have enabled the Monitor All function, edit at least one cell per column in which a value exists. You can also manually remove the policies from the network device and update them again from Cisco ISE.

CSCty05157

The Cisco ISE dashboard is not working for administrator user names with more than 15 non-English characters contained in the username

This issue has only been observed for user names created using a language other than English.

Workaround Update the administrator user names so that they are less than 15 characters in length.

CSCty08194

The administrator password character list is restricted during the reset-config function

When the administrator tries to perform a “reset-config” function from the Cisco ISE CLI, the password character list for the administrator password is more restricted than at the time of installation. For example, during installation “!” is a valid special character accepted for the administrator password. During the “reset-config” operation, however, “!” is not accepted as a valid password character.

CSCty10369

Management functions operate slowly on VM with UCS SATA-2 storage

The following issues have been cited:

  • Importing 1,000 users in a deployment setup takes 8 more minutes than a dedicated hardware appliance (or VM SCSI HDD 10K rpm).
  • Full synchronization functions take up to 12 hours on a VM UCS with SATA2 HDD.
  • Disk latency is up to 50% greater on SATA-2 7200 rpm storage devices.

Workaround Ensure external storage units connected to UCS feature SCSI/SAS 10K or 15K RPM technology.

CSCty10692

Requirement is used by Policy - Need tooltip on OS

When a requirement is used by a policy in Cisco ISE, the operating system of the policy and the requirement need to match. Currently, the requirement operating system field is disabled in the requirement page and the administrator is not able to tell with which operating systems this requirement is associated.

Workaround There is no known workaround for this issue.

CSCty19010

Editing Cisco ISE failure reason information returns error message

If a user edits some of the failure reason codes in the Administration > System > Settings > Monitoring > Failure Reason Editor page, Cisco ISE may display an error 500 message.

“12818 Expected TLS acknowledge for last alert but received another message 24466 ISE Active Directory agent is down”

Note This issue can occur when failure reason information includes data that can indicate a cross-site scripting attack, such as the string “alert” and the “<” and “>” characters.

CSCty19774

Client Provisioning is not working when an Inline Posture node is connected to a VPN

This can happen when the client machine successfully passes authentication and ACLs are downloaded to the Inline Posture node and there is connectivity to Policy Service node, but the URL redirect function is not working correctly.

Note This issue has been observed on a non-Windows 7 client machine. (XP clients do not update automatically because the root certificate list is not up to date.)

Workaround One way to get around this problem is to update your root certificates.

CSCty28274

System and RBAC administrator data access permission issue

When an administrator other than the Cisco ISE administrator user created during installation logs into the Administrator ISE node user interface and navigates to Administration > System > Admin Access, they should be able to view and update the administrator information when clicking on their own username. Instead, Cisco ISE displays a “Permission Denied” message.

Workaround Administrators facing this issue can click on the logged-in username in the top right corner of the user interface and edit their details from the pop-up dialog that appears.

CSCty39209

IPsec and SSL VPNs do not work if FIPS function is enabled or the PAP protocol is disabled

If you enable FIPS 140-2 functionality you must also turn off PAP authentication in the Allowed Protocols page.

Once you turn off PAP, then any VPN client that uses group authentication, which always requires PAP, becomes incompatible with Cisco ISE.

CSCty42816

Wireless Guest login fails using Google Chrome browser

Self-service guest users are unable to get on to the network from Chrome Browser during Wireless Local Web Authentication. Cisco ISE displays an error page with user credentials after the self service guest user changes the password and tries to get onto the network.

Workaround Cisco recommends using another browser for this operation.

CSCtw50782

Agent hangs awaiting posture report response from server

The issue occurs with Mac OS X 10.7.2 clients.

Workaround Kill the CCAAgent process and then start CCAAgent.app.

Perform the following:

1. Go to Keychain Access.

2. Inspect the login Keychain for corrupted certificates, such as certificates with the name “Unknown” or without any data.

3. Delete any corrupted certificates.

4. From the pull-down menu, select Preferences and click the Certificates tab.

5. Set OCSP and CRL to off.

CSCty51216

Upgrading Mac OS X Agent version 4.9.0.638 to later versions fails.

Workaround

1. Remove the "CCAAgent" folder from the temporary directory.

2. Reboot the client.

3. Connect to the Web login page and install the Agent from there.

CSCty52694

Mac OS X Agent needs to be installed from Client Provisioning Portal for VPN

When a Mac OS X user connects through VPN, the Mac OS X Agent does not pop up as designed.

This can happen if the Mac OS X Agent has been installed directly from Cisco Connection Online (CCO) or via application installation from an IT department instead of through the Cisco ISE client provisioning portal.

Workaround Uninstall the agent from the system in question and reinstall the agent from the Cisco ISE client provisioning portal.

CSCty61980

Cannot get Out-of-Band Security Gateway Access PAC for network devices after upgrade

This issue can occur on a system that has been upgraded from Cisco ISE, Release 1.0.4 where device definitions were also updated as part of this upgrade. (The PAC file that is downloaded is invalid and Cisco ISE returns an error message.)

Workaround Delete and recreate the network device definition for any device where you need to generate an Out-of-Band PAC. You can do this by creating the necessary entry in the administrator user interface or exporting the device definition, deleting the entry, and adding the device definition again.

CSCty91514

Custom Guest Portal does not enforce Details Policy during Self Service

When creating a custom Guest Portal under Multi-Portal Configurations, which allows Self Service in Cisco ISE 1.1.x, the Details Policy is not enforced when a user creates their Guest Account.

CSCtz01339

Getting directed to Windows client provisioning flow on Android 2.3.3

Following user authentication via the Guest Portal and device registration, the device is going through the Windows client provisioning flow instead of being redirected to the Android Market place.

CSCtz01754

The certificate and Cisco ISE CA names are missing in Android 2.3.3. EAP-TLS

After a user authenticates via the Guest Portal and registers their device, they are then able to download and run the Supplicant Provisioning Wizard from the Android market place. After running the wizard, however, the “name” field is blank in the user certificate and the Cisco ISE certificate is blank as well.

CSCtz21155

Assigned profile is missing under Network > 802.1X on Mac OS 10.6.3 machines

Once the TLS profile gets configured, the end user is presented the following message:

“Device configured. Go to System Preferences, choose Network, choose the wired (Ethernet) network, select <profile name> from the 802.1X menu, and click connect.”

However, the profile is missing under System Preferences > Network > 802.1X, and the user is stranded in that step of the login process.

Workaround Close the Network window and open it again. You should be able to see the appropriate profile under Network > 802.1X. (This is applicable only for wireless deployment scenarios.)

CSCtz25101

Asset Registration Portal login event not shown in Live log

Sponsor Portal login events are showing up as designed, however.

CSCtz28932

Client Provisioning for Supplicant Provisioning flows is broken after upgrade

Policies that were previously working now result in the “register” tab not appearing to users logging in via the Self-Provisioning page for Windows devices.

This issue has been observed using Apple iPhone/iPad over a dual-SSID environment.

CSCtz31672

NullPointer Exception when user redirects to CPP evaluate page from mobile

Cisco ISE returns a “Cisco ISE is unable to determine access privileges in order to access the network. Please contact your system administrator.” message, and exceptions also appear in the ise-psc.log file. This issue is likely because the login session is trying to use an old session for the same device MAC address, which is not found in session directory.

Workaround:

The user logging in via their endpoint must open a new browser instance or clear the existing URL, and enter the destination URL again to be redirected to the CPP evaluate page with expected device information.

CSCtz36060

ARP authentication should show up in AAA diagnostics even with default log level

MyDevices portal login audit can be seen in the AAA Diagnostics log as long as ARP logging is set to INFO or DEBUG.

CSCtz37988

Two primary Administrative ISE nodes appear in deployment

This issue can occur after the primary Administrative ISE node becomes disconnected and the secondary Administrative ISE node gets promoted to the primary role after 20 minutes or so. Then, much later (a day or so), when the original primary is brought back online, two primary and secondary Administrative ISE nodes appear in the deployment setup.

CSCtz40127

Certificate issue after SCEP failover where servers reside in different domains

(This issue has been observed in a Windows 7 environment.)

CSCtz41262

Authorization policy does not match when the MAC address uses the colon delimiter (00:00:00:00:00:00)

When configuring policies using the Calling-Station-ID as a component, the authorization attempt does not match the rule if you use the value in the Cisco ISE report. When configuring this type of policy in Cisco ISE, Release 1.0.4 or 1.1, you will have to rely on the RADIUS packet information and not the ISE report.

Workaround Use the TCPDump function in Cisco ISE to see the correct value that is being sent from the network access device and configure the Calling-Station-Id (MAC address in this case) using the hyphen-delimited format (00-00-00-00-00-00).

CSCtz42775

Java “unknown host” exceptions appear when downloading Client Provisioning resources

Cisco ISE still displays the “Resources downloaded successfully” message in the bottom right corner of the Cisco ISE administrator user interface.

Workaround Please make sure the DNS server is up and running and the client provisioning Feed Server is reachable from ISE.

Note This issue may occur more commonly where the DNS server has gone down.

CSCtz49846

Cisco ISE does not contain the ASA attribute 146 Tunnel Group Name which is sent on the Access Request

This issue can appear when the name of the attribute added in Cisco ISE includes a “.” character.

Workaround Ensure that the attribute name does not include a “.” character. This also applies to some of the existing attributes in the Cisco-VPN300 dictionary. The attribute names should also be modified so that they do not include a “.” character.

CSCtz55815

Default Gateway is not changed if the new value is a part of old value

If the administrator specifies a new default gateway on the Cisco ISE that is too similar to the old default gateway (like a different address on the same 24-bit subnet for example), the gateway address does not change.

Note This issue was observed on a VMware ESX 4.1 environment.

CSCtz56547

Cisco ISE does not display alarms or notifications on “OutofSync” issues

This has been observed when there is a time-shift event on an Administrative ISE or Policy Service node. Cisco ISE should notify the admin user of all issues arising from the NTP dependency, as this issue can consume considerable time to troubleshoot.

CSCtz61792

Administrator Username column in EPS Report shows incorrect data

The Cisco ISE EPS operation history report displays the user as “internal” instead of the actual administrator user ID.

Workaround Cisco recommends using the REST API instead.

CSCtz63899

Previously registered device is not able to re-connect

Once a device has been registered with Cisco ISE and attempts to connect to the network again (as if a new device), the device should automatically attempt to connect to the secure network. However, the device is able to connect to the secure network on the second or third attempt. This issue can occur if the device is unable to complete the full EAP handshake with the NAD or WLC.

Workaround The device can connect to the closed network automatically on the second or third attempt, or the user can try flapping the interface to connect to the closed network.

CSCtz67158

IP address is not refreshed after reinstating the device

Reinstating a blacklisted device in the My Devices portal does not refresh the IP address. This can happen when the administrator modifies the default blacklist authorization profile so that it includes ACCESS-ACCEPT and different sets of ACLs and VLANs.

Since reinstating the device issues a CoA and triggers reauthentication, the IP address is not refreshed by the blacklisted device.

Workaround The user can perform an IP address release/renew or turn off Wi-Fi on the device.

CSCtz67372

External Admin Groups are not available until authentication password is changed

This issue can come up when you configure an external identity source (LDAP or Active Directory), import groups from the source, and then try to create an “external” RBAC Admin Group that refers to one or more groups imported from the external ID source. (That is, the Identity Source in the Authentication Method page under Administration > System > Admin Access has not yet been set to the external ID source containing the groups.) As a result, the groups from the external ID source are not shown in the Admin Group page in Cisco ISE.

Per the current design, you can configure multiple identity sources, but only one may be enabled at a time.

Note The External Group section in the Admin Group create/edit page in Cisco ISE only shows groups from the external identity source that are currently enabled.

CSCtz74022

The device registration page is blank on a Windows 7 phone on which a language locale other than English is specified

This issue has been observed when performing device registration in a single SSID environment.

Workaround Set the client browser locale to English.

CSCtz80240

Secondary node never becomes standalone after de-registration

The secondary node is de-registered successfully but a “The following deregistered nodes are not currently reachable: <name>. Be sure to reset the configuration on these nodes manually, as they may not revert to Standalone on their own.” message appears to the administrator.

Workaround Log in to the administrator user interface with internal Cisco ISE administrator credentials when de-registering a node.

CSCtz81107

Android registration fails if the user modifies the certificate while installing

Android users are able to modify certificate names when installing the Cisco Supplicant Provisioning Wizard. If the user does in fact modify the certificate name, then the device is not able to connect to the secure network.

Note This issue applies to both single- and dual-SSID deployments.

CSCtz83096

Cisco ISE ignores authorization exceptions when working with an option that matches multiple policy rules

If you add a standard rule within an authorization policy, for example, “if Network Access: Username STARTS_WITH letters ‘te’ then DenyAccess,” add an additional Exception Rule like, “Network Access:Username EQUALS ‘testUser’ then PermitAccess,” specify that the policy should operate using the “Multi-Matched” option, and authenticate a user called “testUser,” the result is that Cisco ISE denies access to that user when it should permit access.

CSCtz83530

Android devices must manually connect to the secure network if the user reboots the device

This is due to the fact that users are required to enter storage credentials again to connect to the secure network using certificates that were installed during initial device registration.

CSCtz84351

Cisco ISE stops responding to authentication requests

Cisco ISE intermittently stops authenticating and returns “WARN RADIUS: RADIUS request dropped due to system overload” messages. This issue has been observed even when CPU usage is low and there is plenty of free memory.

Workaround Disable and then re-enable Cisco ISE services.

CSCtz90726

An error appears when attempting to create an inline “Allow Protocols” definition after having previously canceled the operation

This issue can appear when you select the option to create an Allowed Protocols definition, click Cancel during the process, and then attempt to create the definition again.

Workaround Clear the browser cache and attempt to create the definition again.

CSCtz91998

New client provisioning ports need to be accommodated during upgrade

After upgrade to Cisco ISE, Release 1.1.1, users are unable to download Cisco NAC Agent or NAC Web Agent after clicking the install button if the appropriate client provisioning port (8909) has not been opened across the network.

Workaround Open up the ACL for port 8909 to allow client access to the ISE server. This ACL can be statically defined on the NAD or dynamically downloaded through the ISE authorization policy.

CSCtz93520

Exceptions noted in logs while registering a node

In a split-domain upgrade, the older certificate does not work when the older secondary is made primary.

Workaround After upgrade, export the secondary certificate into the primary before registration.

CSCtz97075

Device registration session directed to wrong location when Administrative ISE node and Policy Service node become disconnected

As a result, users are not able to complete device registration, account for lost devices, or remove old devices from Cisco ISE.

Users are supposed to be redirected to the self-provisioning portal during both single- and dual-SSID sessions. This function requires an active connection between the Administrative ISE node and Policy Service node. If the two become disconnected, device registration fails. (This also applies to users trying to account for lost devices, or remove old devices from Cisco ISE.)

CSCtz97833

HTTP time out error received during user session quarantine period

Certificates used in Cisco ISE can be PEM- or DER-formatted. Cisco ISE also accepts certificate chains of multiple certificates. Cisco ISE does not, however, accept certificate chains which have a mix of both PEM- and DER-formatted certificates. This error is not reported precisely in EPS REST calls; it just shows up as a generic failed request.

Workaround Check to see whether you are inadvertently mixing both PEM and DER formatted certificates.
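One way to run that check offline before importing a chain file, as an added example (not Cisco code). The function names are hypothetical, and the sample "certificates" are constructed byte strings that carry only the outer DER SEQUENCE framing, which is all the encoding check needs.

```python
import base64
import binascii
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_BLOCK = re.compile(BEGIN + rb"\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def der_sequence_length(buf, offset=0):
    """Total length of the DER SEQUENCE starting at offset, or None if not one."""
    if offset + 2 > len(buf) or buf[offset] != 0x30:
        return None
    first = buf[offset + 1]
    if first < 0x80:                       # short-form length
        total = 2 + first
    else:                                  # long-form length: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or offset + 2 + n > len(buf):
            return None
        total = 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return total if offset + total <= len(buf) else None


def _pem_body_is_der(body):
    """True if the base64 body of a PEM block decodes to exactly one DER SEQUENCE."""
    try:
        raw = base64.b64decode(body)
    except binascii.Error:
        return False
    return der_sequence_length(raw) == len(raw)


def classify_chain(data):
    """Walk a chain file and return the encoding of each element, in order."""
    kinds, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 1].isspace():    # separators between elements
            pos += 1
            continue
        match = PEM_BLOCK.match(data, pos)
        if match:
            kinds.append("PEM" if _pem_body_is_der(match.group(1)) else "UNKNOWN")
            pos = match.end()
            continue
        length = der_sequence_length(data, pos)
        if length:
            kinds.append("DER")
            pos += length
            continue
        # Unrecognised bytes: record once, resume at the next PEM marker if any.
        kinds.append("UNKNOWN")
        nxt = data.find(BEGIN, pos + 1)
        pos = nxt if nxt != -1 else len(data)
    return kinds


def chain_is_mixed(data):
    """True when the chain contains both PEM and DER elements."""
    kinds = classify_chain(data)
    return "PEM" in kinds and "DER" in kinds


# --- Constructed sample input (not real certificates) ---
def _fake_der(fill, size=300):
    body = bytes([fill]) * size
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


def _to_pem(der):
    return BEGIN + b"\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


LEAF, INTERMEDIATE = _fake_der(0x11), _fake_der(0x22)
ALL_PEM = _to_pem(LEAF) + _to_pem(INTERMEDIATE)
ALL_DER = LEAF + INTERMEDIATE
MIXED = _to_pem(LEAF) + INTERMEDIATE

if __name__ == "__main__":
    for name, blob in (("all-PEM", ALL_PEM), ("all-DER", ALL_DER), ("mixed", MIXED)):
        print(name, classify_chain(blob), "MIXED" if chain_is_mixed(blob) else "ok")
```

To check a real file, pass its contents as bytes (`open(path, "rb").read()`) to `classify_chain`; any `UNKNOWN` entry means the file holds something other than a certificate at that position.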

CSCtz98295

Opera browser “Back” button displays My Devices portal after user has logged out

After logging out of the My Devices portal, the user can click the back button and the previous page appears.

Workaround Do not use Opera if this is a concern.

CSCtz99443

Policy Service nodes on the other side of WAN links display “IN-PROGRESS” status continuously

This issue can occur on secondary nodes that are deployed over WAN links where there are a large number of replication events generated on the Administrator ISE node.

Note This issue is sometimes due to latency issues impacting WAN links. If there are a significant number of replication events generated by the Administrator ISE node, these events take longer time to be replicated and applied to the Policy Service nodes that are deployed over a WAN link. As a result, replication events accumulate on the node and the replication status appears as though replication is continuously in progress.

CSCua00821

Error messages appear when you configure Active Directory via the CLI

When performing Active Directory configuration via the Cisco ISE CLI, selecting option number 5 (Clear Active Directory Trusts Cache and restart/apply Active Directory settings), the following errors may appear:

  • log4j:WARN No appenders could be found for logger (com.cisco.cpm.acs.nsf.config.handlers.ad.cli.ADAgentRestart).
  • log4j:WARN Please initialize the log4j system properly.

Workaround From the Cisco ISE CLI, enter the “application configure ise” command and select option number 5 again.

CSCua03362

Need to enable automatic connection polling on Mac OS 10.7.x wired connection

The Cisco ISE profile selection dialog does not appear if the “Enable automatic connection” option is not enabled (under System Preferences > Network > Ethernet > Advanced > 802.1X) on the Mac OS X client machine after the supplicant provisioning wizard is downloaded and installed.

Workaround Be sure Mac OS 10.7.x wired device users know to choose the profile manually (like Mac OS 10.6.8, for example).

CSCua03889

Guest users are asked to accept the Acceptable Use Policy twice when first logging into Cisco ISE with password change

When the administrator sets up a multi-portal configuration, sets the Acceptable Use Policy to be accepted on “First Login,” and enables the “Requires guest users to change password at expiration and first option” option, the guest user needs to accept the Acceptable Use Policy twice.

CSCua05003

Service status is not correct if the ARP port number changes

This issue has been observed when an end-user attempts to access the My Devices portal via the configured port, but is not able to.

Note Accessing the My Devices portal via the last configured network port works as designed (although an error message appears).

Workaround If you have changed the port used for the My Devices portal, restart the Administrator ISE node and My Devices portal should restart on the correct port.

CSCua05261

Windows XP 32-bit OS cannot connect to closed network if not broadcasting

This issue can occur when the open network connection mode is set to “Automatically connect to network” (which is a default option on Windows XP).

Note This issue has not been observed in a Windows 7 environment.

Workaround Set the connection mode for Windows XP open networks to “manual” or “on demand”:

1. Select the open network profile.

2. Uncheck the “Connect when this network is in range” option.

CSCua08884

Restore failed in release 1.1.1 with customer backup of 1.0 version

This issue is most likely due to a corrupted backup file resulting from an unknown operating system issue.

CSCua12479

HTTP profiling in Cisco ISE, Release 1.1 is performed after Guest Authentication

Cisco ISE, Release 1.1 does not call upon user-to-agent information until the Guest user authenticates via the Guest portal.

Note This behavior is different than what is seen in ISE 1.0.4 where profiling kicks off as soon as the user hits the guest portal.

Workaround You can redirect users to the client provisioning portal. Even if no client provisioning rules exist, the user-to-agent information is called upon when the Guest user reaches that page.

CSCua12479

Profiling via HTTP probes in Cisco ISE, Release 1.1 done after Guest authentication

Cisco ISE, Release 1.1 does not use user-agent information until the Guest user authenticates to the Guest Portal. This behavior is different than what was seen in Cisco ISE, Release 1.0.4 where profiling would initiate as soon as the user hit the Guest Portal.

Workaround Direct users to the Client Provisioning Portal. Even if no Client Provisioning rules exist, the user-agent information will be picked up when the user hits that page.

CSCua18804

Authorization RADIUS packets fail due to incorrect delimiter

Wireless LAN Controllers can send endpoint MAC addresses in RADIUS packets in various formats, including a series of colons, hyphens, or no delimiter at all. Cisco ISE authorization policies look for hyphen-formatted MAC addresses.

Workaround Set the MAC address delimiter on the Wireless LAN Controller for the calling station-id to specify hyphens.

CSCua19003

“hostname” and “ip domain-name” warnings are hard to understand

Cisco ISE returns warnings when you attempt to change the Cisco ISE hostname or domain name after initial setup.

Because the warnings are ambiguous and the effect on the system is unknown, Cisco recommends that you do not change the hostname or domain name on any deployed Cisco ISE appliances. If it becomes necessary to change these parameters, the only reliable way to accomplish such a change is to re-image and specify different values for these parameters during initial configuration.

Note There is no known workaround for this issue.

CSCua25187

Employees whose user names are 41 digits long will not see their devices

If the employee name is 41 digits long, then the devices added through the My Devices portal do not show up in the list of employee devices.

Note Using a 40-digit user ID works as designed, as does a 48-alphanumeric character ID and a 40-digit alphanumeric character ID with one leading alphabetical character.

Workaround Use fewer than 41 digits in the user name policy.

CSCua25333

Unable to login to the administration user interface using the username and password credentials set during the initial setup wizard

After running the initial setup wizard with some specific set of username and password values, this problem will occur. The administrator is, however, able to log in to the Command Line Interface with the same username and password.

Workaround Run the CLI “application reset-passwd” command to reset the administration user interface password to the value specified during the initial setup wizard or another value if desired.

CSCua32575

Firefox browser is not working on Android devices for registration

When the Mozilla Firefox browser is used for registering an Android device, it receives an “unsupported OS device” response from Cisco ISE.

Note When users register the device via the native Android browser, registration completes correctly.

CSCua38966

Policy Service node replication is disabled

Policy Service nodes in which large numbers of (bulk) users have been imported display signs of decreased performance. (The performance level of three (of 40) Policy Service nodes was below that of other appliances.)

Note This issue has been observed on a “large” deployment of 40 nodes.

Workaround Manually synchronize node information.

CSCua40773

IP refresh function is not working in Mac OS X after the session terminates

The VLAN switching function does not take place on Macintosh client machines after Cisco ISE issues the requisite “change of authorization” during login. When Cisco ISE issues the “change of authorization,” and open/authenticated networks are in different VLANs, the Macintosh client does not refresh the IP/switch network (VLAN) automatically following re-authentication.

Workaround The user must manually refresh the IP address:

1. Launch System Preferences.

2. In the TCP/IP tab, go to Network > Advanced.

3. Click the Renew DHCP Lease button.

CSCua55531

“Anonymous” user authentication fails when operating with CSSC

CSSC expects both “Session Resume” and “Fast Reconnect” PEAP functions. When Cisco ISE transmits a valid TLS Session ID, but either or both of these PEAP functions are disabled or the session time out has elapsed, then CSSC drops the conversation before running the PEAP inner method. The result is that the PEAP outer identity is protected (e.g., “Anonymous”) but the conversation is dropped before revealing the unprotected user US, which then compromises the posture validation process because the user name has been “changed.”

Workaround Enabling both of the “Session Resume” and “Fast Reconnect” options in “PEAP Settings” can reduce the frequency, but this issue will still likely occur when Cisco ISE terminates an expired session. To fully resolve the issue, Cisco recommends upgrading from CSSC to AnyConnect version 3.x.

CSCua60073

Changing the log level for system statistics yields incorrect results

After the log level for “System Statistics” is set to “ERROR,” the “System Summary” area on the Cisco ISE dashboard is empty.

Workaround Do not change the log level for the “System Statistics” logging category. (Continue to use the default “INFO” value.)

CSCua71361

Android 2.3.6 devices are not getting a new IP address following the change of authentication session terminate event

Android devices such as Android RAZR are not refreshing their IP address after moving to a new subnet. This issue has been observed on certain Android OS versions such as 2.3.6 when ISE issues a CoA session terminate.

Workaround Manually disconnect and reconnect to the network by turning Wi-Fi off and back on again.

CSCua72137

Cisco ISE does not delete old files when the preset localStore size limit is reached

CSCua97013

Apple iOS devices are prompted to accept “Not Verified” certificates

Apple iOS devices (iPhone & iPad) are asked to accept the certificate, appearing to them as “Not Verified,” when connecting to WLAN (802.1X).

By design, Apple iOS devices are prompted to accept a proprietary certificate, but Apple OS X and Android devices work without being prompted to accept a certificate.

This happens even when the certificate is signed by a known CA, as there is an intermediate certificate in the server certificate chain.

Workaround Click Accept to acknowledge the certificate. While browsing any URL, the user is redirected to provision the device. After provisioning, the intermediate certificate is installed on the iDevice.

CSCub01822

Cannot roll back patch when administrator is authenticated using an Active Directory identity store

When the administrator, who is authenticated via an external identity store, applies a patch to Cisco ISE, the patch application process reboots Cisco ISE and the administrator is automatically logged out. After patch application, however, the same administrator cannot then log back into the system and roll back the installed patch.

CSCub16453

Android Self-Provisioning Certificate installation and application erroneously informs the user of a Factory Reset event

This issue has been observed on a device running Android OS version 4.0.3. A pattern lock factory reset message appears when installing the certificate in a device registration flow from the Cisco ISE self-provisioning page. No factory reset event actually takes place after the user clicks OK, and the device connects to the network without issues.

Workaround Set a pin lock and then configure back to pattern lock. This time there are no reset messages. This was tested after removing the certificate and supplicant configuration to start fresh.

CSCub17140

Upgrade to Cisco ISE 1.1 and 1.1.x fails when policies use the Blacklist_Access authorization profile.

This issue has been observed when you upgrade the following Cisco ISE releases:

  • Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4
  • Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3
  • Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3
  • Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2
  • Upgrade from Cisco ISE, Release 1.1 to release 1.1.1
  • Upgrade from Cisco ISE, Release 1.0.3.377

Workaround Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile.

CSCub17522

IP Phone 802.1X authentication reverts to PAC-based authentication when the “Accept client on authenticated provisioning” option is not enabled

When the “Accept client on authenticated provisioning” option is off, Cisco IP Phone EAP-FAST authentication sessions always end with an Access-Reject event. This requires the IP phone to perform PAC-based authentication to pass authentication. Since Cisco IP Phones perform authentication via authenticated provisioning and not via PAC-based authentication, it is not possible for the phone to authenticate when this option is off.

Workaround Try one of the following:

  • Turn on the Cisco IP Phone “Accept client on authenticated provisioning” option.
  • Switch from EAP-FAST protocol to PAC-less mode.
  • Authenticate Cisco IP Phones via EAP-TLS rather than EAP-FAST.

CSCub18575

Issue with Cisco ISE sponsor-initiated accounts starting with a “0”

If you create a Guest user starting with a “0,” then log out and log back in, you are not able to see the Guest user entry as expected.

Note There is no known workaround for this issue.

CSCub26470

Wireless license shows Advanced and Base license as “Eval”

Cisco ISE may display the Base and Advanced licenses as “Eval” after installing a purchased Wireless license. This is a cosmetic issue; the license is functional and expires on the expected date.

This issue has been observed in Cisco ISE, Release 1.1.1.

CSCub44915

Activated Guest fails RADIUS authentication where the applicable role uses “FromFirstLogin”

Workaround Use time profile “FromCreation,” or log in first via the Web Portal.

CSCub45799

Wired Mac OS X 10.8 clients fail to auto re-connect to the Cisco ISE network using a new profile

After successfully provisioning the Mac OS X 10.8 client machine with an 802.1X profile for a wired network, the client machine may not provide the user an option to select the specified 802.1X network profile.

When the user is not able to select the “Enable automatic connection” checkbox in System Preference > Network > 802.1X for a wired interface, or if the user manually disconnects from the 802.1X network, the client machine may not present the pop up that would enable the user to select the 802.1X network profile.

Workaround The user must manually connect to the 802.1X network:

1. If the System Preference pane is already open, close it.

2. Navigate to System Preference > Network and select “Wired Network” from the left pane.

3. Select the appropriate user profile from the right-hand pane and click Connect under 802.1X.

CSCub45895

Unable to save external LDAP/AD groups

Cisco ISE returns a “UTFDataFormatException” message upon saving LDAP groups with multiple Organizational Units and/or Domain Controllers.

Workaround If possible, reduce the number of Organizational Units and/or Domain Controllers in the deployment.

CSCub56607

Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not

The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1 where the following functions are set:

  • MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
  • Profiling is disabled
  • Posture is disabled
  • The device in question has not been registered via the My Devices Portal

Note There is no known workaround for this issue.

CSCub56607

Cisco ISE, Release 1.1.1 uses Advanced license for web authentication when it should not consume one

This issue has been observed when a wireless user consumes an Advanced license instead of just a Base license slot, MAC Filtering is enabled on the SSID, and the Cisco ISE authorization policy is designed to support Central Web Authentication.

Note There is no known workaround for this issue.

CSCub56814

Unable to provision Android 4.1.x device

When registering a new Android 4.1 (Nexus 7) via the Cisco ISE Network Setup Assistant, Cisco ISE is unable to register the device and the user receives an “Unable to apply the Wi-Fi profile” message.

Note There is no known workaround for this issue.

CSCub57456

Cisco ISE is not sending RADIUS Request messages to external RADIUS server

This issue has been observed in Cisco ISE, Release 1.1 with a wireless-only license. Cisco ISE is not sending the appropriate RADIUS request message to the external RADIUS server, which has been configured as a RADIUS proxy.

Workaround Uninstall the Wireless Only license and install an Advanced license.

CSCub70759

Guest Email IDs greater than 24 characters in length are truncated

When Cisco ISE handles Email IDs, the last characters are getting truncated such that all Email IDs are a maximum of 24 characters in length.

Workaround Delete the user entry and create a new user again with correct email ID.

CSCub73901

Cisco AV-pair is not accepted if it contains the term “Alert”

Cisco ISE rejects the AV-pair configuration and returns a “Bad Request Parameters” error message. (Scripts in input fields are not processed.)

Note There is no known workaround for this issue.

CSCub77801

Cisco ISE returns a “Can't create new service” message when adding new allowed protocols

When attempting to add a new Allowed Protocols Service in Cisco ISE, Release 1.1.1, saving a policy without the “Allow EAP-FAST or EAP-TLS” option enabled may result in a “Can't create new service” error.

Workaround Add the Allowed Protocols service with the default protocols first. After saving, go back into the policy and deselect the protocols that you want, and save the service again.

CSCub82418

Dual SSID registration fails when profiled endpoint’s MAC address changes to the Policy Service node MAC address

On reaching the Device registration page, the device MAC address is populated using the Policy Service node MAC address. This issue occurs on user devices during registration if there is no MAC address in the Cisco ISE session cache.

Workaround There are two possible workarounds for this issue:

1. The user can contact the system administrator so that the session can be cleared from the Wireless LAN Controller (WLC). (The user must be able to supply the Wi-Fi MAC address from the device to do so.)

2. The user can turn off Wi-Fi for a period of time (equal to slightly more than the session timeout period set on the WLC) and then reactivate Wi-Fi so that the device negotiates a new session with the WLC.

CSCub87687

Acceptable Use policy text character limit in Guest Language Templates

When you attempt to modify the Acceptable Use Policy text under Administration > Web Portal Management > Settings > Guest > Language Template > German_Deutsch, it works as expected if the text is fewer than 4000 characters. If you attempt to input larger text content, then upon saving, Cisco ISE returns a “Server Response Language Template successfully saved” message. However, upon refresh, the changes have not been applied to the Acceptable Use Policy text.

Workaround Use fewer than 4000 characters in the Acceptable Use Policy text field on the Language template, or employ a customized portal with its own logos and HTML pages.

CSCub89895

SNMP process stops randomly due to an issue in netsnmp

The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of the Cisco ISE node to fail until the daemon is restarted. This issue has been observed in Cisco ISE, Release 1.1.1.

Workaround Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.

For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694

CSCuc13075

Endpoints are saved with “EndpointPolicy” as “Unknown”

Change of Authorization is continuously sent for an endpoint, causing the CPU usage on the Administration ISE node to run extremely high. (The endpoint may or may not still be connected to the device the CoA is being sent to.)

This issue can occur in Cisco ISE, Release 1.1.1 where Profiling is enabled as well as CoA.

Note There is no known workaround for this issue.

CSCuc18502

Cisco ISE upgrade from release 1.1 to 1.1.1 fails because of Blacklist authorization

The Cisco ISE support bundle log returns an error message inside the latest isedbupgrade-data-global-date-time.log file:

UpgradeServiceRegistrar terminated with exception java.lang.RuntimeException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: java.lang.NullPointerException

Workaround If the ISE upgrade fails once, then you need to restart everything from scratch.

1. Access the primary appliance that has not been configured yet and create a compound condition called “Wireless_802.1X” manually under Policy > Policy Elements > Conditions > Authorization > Compound Conditions.

2. Configure the rule to include “Radius:Service-Type Equals Framed AND Radius:NAS-Port-Type Equals Wireless - IEEE 802.11.”

3. Re-image the secondary appliance that you were trying to upgrade, add the Secondary to the Primary, and wait until the Secondary node gets its configuration from the Primary.

4. Restart the upgrade process by breaking the pri/sec relation and doing the upgrade on the secondary again.

CSCuc21037

Cisco ISE uses PEAP for outer identity when performing authorization

Traditionally, authorization was accomplished in Cisco ISE, Release 1.1 using PEAP as the inner identity. In release 1.1.1, however, PEAP is used as the outer identity when performing authorization.

Note It seems that the “Network Access:UserName” value is mapping to the “RADIUS Username,” and only applies to PEAP-EAP-TLS authentications.

Workaround If you would like to match on the certificate fields (for example, the Subject field), change the authorization rule to use the “Certificate:Subject” attribute and match on CN\... (rather than using the “Network Access:UserName” attribute). Cisco recommends using the attributes from the Certificate dictionary when matching certificate fields.

CSCuc22732

Cisco ISE drops RADIUS requests with no “calling-station-id” attribute

When using MAB and sending a RADIUS request to Cisco ISE, the packet is dropped if the “calling-station-id” attribute is not included.

Workaround Configure the remote access device to send the “calling-station-id” attribute if possible.

CSCuc44766

My Devices Portal descriptions missing

Periodically, after onboarding devices using the self provisioning flow (NSP) SPW, descriptions of endpoint devices may be missing from the My Devices Portal.

Note There is no known workaround for this issue.

CSCuc50247

Cisco ISE does not recognize the certificate if the Certificate Authority name contains a space

This issue can occur when the SubCA name contains a space. Cisco ISE records “Unknown CA” during processing and adds “%20” to the string, causing EAP-TLS authentication to fail.

Workaround Since the “Subject” is part of the FQDN or vice versa, do not use spaces in CN.

CSCuc52368

Authenticating users using an alternative UPN fails

In Cisco ISE, Release 1.1.1 with Centrify version 4.5, authenticating users against Active Directory with an alternative UPN fails.

For example:

  • Consider a domain name sec.lab and an alternative UPN of sec.alt
  • A user is defined in AD as user@sec.alt

Authentication using user@sec.alt fails. The domain name is not stripped from the username prior to authentication and Cisco ISE interprets the username as user@sec.alt@sec.lab (user@2nd_UPN@domain-name).

Workaround Modify all users to use the primary UPN.

CSCuc61143

Cisco ISE redirects to default login portal (instead of custom) when cookies are disabled

Workaround Enable cookies on client browser.

CSCuc62197

Unable to add or edit authorization compound conditions

Adding or editing authorization compound conditions under Policy > Policy Elements > Conditions > Authorization > Compound Condition takes several minutes.

When editing and saving a Condition Expression, the entry is duplicated. If you attempt to delete a Condition Expression, Cisco ISE returns a “Please enter a valid expression for the condition” error, and when adding and saving a Condition Expression, a Condition Expression entry is removed from the Authorization Compound condition expression list.

CSCuc62197

Unable to add or edit authorization compound conditions

The following issues have been observed when attempting to add or edit authorization compound conditions:

  • When editing and saving a Condition Expression, the entry is duplicated.
  • When adding and saving a Condition Expression, a Condition Expression entry gets removed from the Authorization Compound condition expression list.
  • If attempting to delete a Condition Expression, Cisco ISE returns a “Please enter a valid expression for the condition” error.

CSCuc71950

Network device .csv import function fails if Protocol field is “radius”

When importing a .csv file of network devices to Cisco ISE running release 1.1.1 where the Protocol field is “radius,” the import function may fail and leave the network devices user interface page in loading state—not displaying any devices.

Workaround Replace “radius” with “RADIUS,” and try the import operation again.

CSCuc72034

Combined Base and Advanced license generated in incorrect order

This issue has been observed where the administrator is unable to add a combination Base-Advanced license file to Cisco ISE via the administrator user interface, and the appliance returns a message indicating that a Base license is required.

Workaround Request individual Base and Advanced license files. If that does not address the issue, contact Cisco Technical Assistance Center (TAC).

CSCuc76477

First-time Guest login fails when using the “DefaultFirstLogin” attribute

This issue has been observed with an activated Group even though the user appears as “Active” on the portal.

Workaround Use other time profiles like “DefaultOneHour” or “DefaultStartEnd.”

CSCuc81940

Cisco ISE database process stops due to internal errors

As a result, “ORA-00600” errors appear in the Cisco ISE database trace logs.

Workaround Restart Cisco ISE services.

CSCuc82135

Guest accounts need to be removed from the network on suspend/delete

When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.

Workaround Re-issue the CoA from the Monitoring and Troubleshooting reports page for the sessions associated with that guest user.

CSCuc82135

Guests need to be removed from the network on Suspend/Delete/Expiration

When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.

Workaround Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.

CSCuc91726

My Devices Portal friendly name is not working

Unable to access My Devices Portal using the URL specified in the “Default My Devices Portal URL” field on the Web Portal Management > Settings > General > Ports page after upgrade to release 1.1.1.

Workaround Go to the Web Portal Management > Settings > General > Ports page and click Save. This will update Cisco ISE tomcat configuration files with the changes necessary for the redirect to work. (Note that this will restart the Cisco ISE appliances.)

CSCuc95915

Cisco ISE, Release 1.1.1 system database becomes full

This issue may be addressed by obtaining the updated Oracle version 11.2.0.2 (Server Patch Set) and applying it to Cisco ISE, which will be available in an upcoming release of Cisco ISE.

CSCud02566

Administration ISE node not able to join non-Administration ISE nodes to Active Directory

When Cisco ISE nodes are deployed in different domains or sub-domains and you attempt to join any Cisco ISE node (except another Administration ISE node) to Active Directory, the operation fails and returns a “No Response from ISE Node” error message.

To ensure the Active Directory join operation is successful, ensure that:

  • The Cisco ISE nodes in your deployment are not in different domains (e.g., Administration ISE node as pap1.sj.cisco.com, Policy Service node1: pdp1.hyd.cisco.com, Policy Service node2: pdp2.webex.com would cause this issue)
  • The Cisco ISE node you are trying to join to Active Directory is NOT another Administration ISE node
  • You are not trying to join Active Directory from the Administrator web portal on the Administration ISE node

Workaround Go to the respective Administrator web portal on the non-Administration ISE node and join that node to Active Directory, instead of trying to join using the Administrator web portal on the Administration ISE node.

CSCud08618

Profiler is not recording all of the expected DHCP probe attributes

This issue may come up if padding <0's> appear between fields.

Workaround Use an IOS sensor on the network access device or a combination of other probes to achieve similar results.

CSCud31796

External RBAC fails if user member of group containing apostrophe

When the RBAC function utilizes an external identity store (AD, LDAP), group mapping fails for a user with the correct group(s) to gain access to the administrator user interface, and an “Authentication failure for user: username: No admin groups” message is displayed.

Cisco recommends renaming all groups in the external identity store so that they do not contain apostrophes, and removing any users participating in Cisco ISE administration from any external groups that contain apostrophes.

Note There is no known workaround for this issue.

CSCud36451

Swapped NICs seen on Cisco ISE 3315s

Some Cisco ISE 3315 appliances running Cisco ISE, Release 1.x appear as though NICs have been “swapped” with other NICs. (GigabitEthernet0 may end up being eth3, for example.)

Workaround You can try to reimage the machine, but results have been mixed.

CSCue05861

Cisco ISE imports duplicate attributes which corrupt the system

Cisco ISE discards RADIUS packets and returns a “Network Device Not found” message when duplicate RADIUS attributes are imported in the dictionary.

Workaround Remove any duplicate RADIUS attributes and restart Cisco ISE services.

CSCue11380

Mozilla Firefox 18 is not compatible for viewing reports

System administrators running Firefox 18 may not be able to view pie charts in the Operations > Catalog > User > Guest Sponsor Summary Report page. This is likely due to the fact that the current ACCUTE version used in Cisco ISE is not supported by the latest versions of Firefox.

CSCue16801

Cisco ISE Reports do not show all data when the report period crosses years

The Cisco ISE report does not display any entries later than 31 December when the report period spans multiple years.

Workaround You may use a time period falling within a single calendar year.

CSCue38038

Users are unable to log in when cookies are disabled

Users who are not accessing the Cisco ISE network via client provisioning or native supplicant provisioning are unable to log in using the Guest Portal and receive a “Cookies are disabled, please enable cookies” error message on the page.

Note For Android devices (Samsung Galaxy, Motorola Tab) using default browsers, no warning message is displayed if cookies are disabled, and the end user is redirected to the login page without any warning.

Workaround End users may resolve this issue by enabling cookies in their browser.

CSCug66959

Cisco ISE displays Certification Expiration alarms for all nodes in the deployment.

You might receive Certification Expiration warning messages in a Cisco ISE, Release 1.1.x deployment. This alarm is triggered because of an issue in Cisco ISE 1.1.x and can be ignored.

Workaround Delete and import the certificates again.

CSCug79657

Catalyst 3850 fails to profile an endpoint coming from Wireless MAB/MAC-Filtering-ISE

While connecting to wireless MAB from a Windows 7 client using a Catalyst 3850 switch, the client is not able to connect to the MAB SSID due to a missing attribute in the RADIUS packet sent by the switch. The endpoints do not get profiled and the MAB request fails.

Workaround Add the additional configuration 'radius-server attribute 31 send nas-port-detail mac-only' in the switch.

CSCug79736

Redirection is unsuccessful intermittently at client from Catalyst 3850 Switch

While authenticating clients with wireless MAB/Dot1x using Catalyst 3850, the redirection to pages like Client Provisioning, Native Supplicant Provisioning, or Guest Portal does not happen automatically.

Workaround Clear the existing session in the switch, and then try again.

CSCug83908

Getting Blank Page for Client Provisioning Redirect if JavaScript is disabled

A blank page is displayed when a Client Provisioning redirect occurs and JavaScript is disabled. This issue occurs on IE, Firefox, or Chrome when a normal dot1X flow is configured and a device connects to a dot1X SSID. It also occurs if a Guest user comes through MAC Address Bypass (MAB) and Client Provisioning is configured for Guest users.

Workaround There is no known workaround for this issue.

CSCug85725

Cisco ISE patch may not work as expected if you run the application reset-config ise command from the CLI after patch installation.

Some of the bug fixes resolved in the patch are uninstalled when you run the application reset-config command after patch installation.

Workaround We recommend that you uninstall the applied patch(es) first before running the application reset-config command and then install the patch(es) as necessary once the Cisco ISE application configuration is reset.

CSCug85972

Sometimes, the Authorization Policy page is not listing authorization policies in the Mozilla Firefox 20.0.0 browser

The Mozilla Firefox 20.0.0 browser displays authorization policies intermittently while editing endpoint identity groups when they are used in authorization policies. It displays all authorization policies properly, if you navigate away from the Authorization Policy page and return back to the Authorization Policy page.

CSCuh05898

Message should say “Enable JavaScript” instead of “Enable Java” in MAC OSX

This issue occurs on the Mac OSX and the Safari browser when JavaScript is disabled on the client and a single SSID flow is configured. The wrong message is displayed when the Safari browser is redirected to the NSP portal.

Workaround There is no known workaround for this issue.

CSCuh09116

Inconsistent message when JavaScript is disabled in Android browser

When JavaScript is disabled and an Authorization policy is configured for either single or dual SSID BYOD flows, a message is displayed saying that “JavaScript is disabled,” but the instructions for enabling JavaScript are for either the Chrome browser or the Safari browser.

Workaround There is no known workaround for this issue.

CSCuh29820

Windows surface tablets are being detected as Microsoft Workstations EP

Windows surface tablets hit the wrong authentication policy, which leads to issues in the BYOD/Guest Flow.

Workaround There is no known workaround for this issue.

CSCuh37511

Unexpected Acct-Status-Type: [Stop] for method MAB after URL redirect

While trying wired MAB to Dot1x with PEAP flow in a Windows 7 client using WS-C3780-48P-S, the client is not redirected to the Client Provisioning page. The issue happens because the switch sends an Accounting Stop request before the client is directed to the Client Provisioning page.

Workaround Disconnect and connect the network adaptor after NSP is finished to get the Client Provisioning page.

CSCuo81045

Changes in Agent Profile not Reflecting in Agent Configuration File

Agent changes are not automatically updated in the agent configuration file.

Workaround Re-map the agent profile using the Client Provisioning page.

Cisco ISE Release 1.1.x Resolved SPW Caveats

The following tables list the resolved SPW caveats in Cisco ISE Release 1.1.x.

 

Table 44 Resolved SPW Caveats for Windows

| Caveat | Description | SPW Version |
|---|---|---|
| CSCug95980 | ISE NSP does not support SDIO based Wireless Adapters | 1.0.0.31 |
| CSCug66885 | Windows SPW - Trusted Root CA not set in network profile | 1.0.0.30 |
| CSCud65260 | DualSSID_Win7_PEAP_AutoLogin NSP not connecting to Closed SSID | 1.0.0.29 |
| CSCud01247 | BYOD: Messages are not localized | 1.0.0.28 |
| CSCud56448 | PEAP Supplicant Provisioning does not set Validate Server Certificate | 1.0.0.28 |
| CSCue38943 | BYOD: Characters corrupted. A vertical line appears at the end of the Applying Configuration screen | 1.0.0.28 |
| CSCue43405 | Windows 8 - Dual SSID is broken (MAB + PEAP), if wrong networking password is entered in SPW | 1.0.0.28 |
| CSCue43413 | Login failure message displayed in dual SSID (MAB + PEAP) | 1.0.0.28 |
| CSCue47503 | Win SPW v1.0.0.27 fails with Wired dual SSID (MAB > PEAP) | 1.0.0.28 |
| CSCud05296 | NSP installation on Windows 8 failed | 1.0.0.26 |

 

Table 45 Resolved SPW Caveats for Mac OS X

| Caveat | Description | SPW Version |
|---|---|---|
| CSCuf61159 | Wired MAC10.8.3-Fails to auto re-connect to network using new profile | 1.0.0.21 |
| CSCug16632 | BYOD CR: SPW configures the profile and succeeds even when PDP is down | 1.0.0.20 |
| CSCug18081 | NSP page does not show status of Mac SPW consistently | 1.0.0.20 |
| CSCuf03318 | Network Setup Assistant fails, if user clicks ‘Cancel’ in the Config profile Tool | 1.0.0.19 |
| CSCue53450 | Cisco Network Setup Assistant copyright year should be changed | 1.0.0.19 |
| CSCue62005 | Mac SPW 1.0.0.17 is not able to configure wired adapters | 1.0.0.18 |
| CSCud00349 | Translation property file has new line character in the JA translation property file | 1.0.0.17 |
| CSCud64592 | MAC OSX 10.6.8: Fails to connect to Closed SSID using the TSL Profile | 1.0.0.16 |
| CSCub29212 | In MAC 10.8, modify Sys network config needs confirmation from sys admin | 1.0.0.15 |
| CSCuc42511 | Localization for nsp wizards - support for additional languages | 1.0.0.14 |
| CSCub27769 | ISE does not block both wired and wireless interface MAC for lost devices | 1.0.0.13 |
| CSCub65963 | Certificate Enrollment is vulnerable to session Hija | 1.0.0.12 |
| CSCub29185 | MAC 10.8: Agent and SPW fails to install, when "MAC App Store and identified developers" is selected in the Security & Privacy Preference Pane. | 1.0.0.11 |

Cisco ISE Release 1.1.4 Resolved Caveats

The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.4.

 

Table 46 Resolved Caveats in Cisco ISE Release 1.1.4 Patches

Caveat
Description

CSCth95432

All OUIs in IEEE need to be resolved to names by profiler

CSCtx35984

Profiler unable to save into DB - SSL Handshake exception error

CSCuc07816

Must be able to purge MnT data from CLI

CSCuc29014

Profiling conditions edit throws null error with NullPointerException

CSCuc48613

Google Chrome can cause reordering of Authorization Policy rules

CSCuc58992

IP address of the endpoints is not getting updated correctly

CSCuc74270

Authorization policy match fails following Active Directory password change

CSCud65479

Device registration Change of Authorization loop with posturing enabled

CSCud83514

ISE session database growing too large, causing homepage blank

CSCue14864

Endpoint statically assigned to ID group may appear in different group

CSCue16774

Profiler purge process is not running, EndPoint Cache grows past memory limits

CSCue25407

Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x

CSCue28066

IP address field missing during editing/duplicating NADs

CSCue31190

Sponsor users editing guest accounts may cause internal server errors

CSCue41912

NAC agent is not triggered on Windows 8 client

CSCue49305

Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms

CSCue49317

SCEP enrolment failure if the user name is prefixed with AD domain name

CSCue50838

An arrayOutOfBoundException occurs during Certificate provisioning

CSCue53508

Limit SNMP Query based on RADIUS Acct Start Event

CSCue58842

Valid email refused in Cisco ISE Guest Portal

CSCue59806

'NAC Server not available' error is thrown - EAP failure error (No response)

CSCue60442

Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE

CSCue62940

Incremental Backup without Full Backup gets Stuck in Running

CSCue67900

Termination-Action returns RADIUS-Request

CSCue71407

Guest and Sponsor language templates disappear from database

CSCue71478

Remove ACS-Session-ID from attribute suppression white-list

CSCue71874

Re-profiling process check continuously running

CSCue73865

Cisco ISE is unable to authenticate users against Active Directory with SmbServerNameHardeningLevel=1

CSCue83454

In CWA, ISE is not able to learn guest user IP address

CSCue84050

Enhancements to support CARS UDI validation for recognizing incorrect UDI format.

It is observed that the PID section of the UDI is not burned properly for NAC 33x5 devices. As a result, ISE installation on those devices fails. These enhancements enable support for ISE Release 1.1.4 installation on certain NAC-33XX units that have a variable length UDI PID.

CSCue86661

Cisco ISE does not match a compound condition with multiple conditions in a policy rule

CSCue90444

When an active IPEP node fails, the VPN traffic drops

CSCue96100

Enhancements to support the installation of Cisco SNS-3400 Series (SNS-3415 and SNS-3495) appliances in Cisco ISE Release 1.1.4

CSCue96626

Address purging issues

CSCuf05267

BYOD usability - Provide API to poll BYOD status

CSCuf08298

Collect only the attributes that are used in profiling policies

CSCuf17123

Shell script to create bootable USB is missing

CSCuf20919

Guests can view accounts from each other through self-service

CSCuf47857

BYOD enhancements

CSCuf56635

HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe

CSCuf59973

Swapped NIC problem observed on ISE Release 1.1.4 with CIMC version 1.4.6c and BIOS 1.4.6a.0 during installation of 1.1.4.207 on 3495

CSCuf66747

Guest user notification substitution uses system timezone instead of user timezone

CSCuf71124

PAP admin login failed for consecutive purge operations

CSCuf73365

The show tech-support command shows wrong RAID information

CSCuf90492

ISE cannot process large SGT matrices or send radius messages larger than 4k

CSCuf90513

Multiple Policy Service nodes attempt to write the same profile data to the database, which causes high CPU usage

CSCug04743

The order of policies change on Authentication, Posture and CP Policy pages when using Google Chrome

CSCug06716

Cisco ISE Centrify AD domain whitelisting breaks machine authentication

CSCug15615

BYOD CR: Error message needs to be modified for a disabled NSP policy (NSPMsg.FAIL_NSP_DISABLE)

CSCug20065

Unable to enforce RBAC as desired to a custom admin

CSCug34981

Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth

CSCug35133

The attribute Service-Type is changing often with the radius probe and causing high CPU usage

CSCug37245

SCEP enrolment fails when using certificates from different CAs

CSCug44228

BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser

CSCug68792

Incomplete Backup Process Status in UI

CSCug69605

BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via SCEP

CSCug72958

Profiling functionality is broken while editing policies

CSCug74166

Identity groups are corrupted after changing the parent identity group name

CSCug76995

Unable to add user after changing the parent user identity group name

CSCug77406

Increase retention of ASA VPN sessions to 120 hours (5 days)

CSCug78350

To install the NAC Agent on IE 10, you must enable compatible mode

CSCug78636

Disable Diagnostics Issue

CSCug79123

Messages are displaying in vertical format in IE

CSCug79181

Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when the secure SSID was not broadcasted

CSCug80970

Wrong button is displayed when the session is lost during NSPWizard installation process

CSCug95429

Profiler: IP attribute unnecessarily being updated

CSCug98513

Integrate components to support AD 2012 or mixed mode (2008)

CSCug99304

ISE replication gets disabled due to expired certificates even though they are valid

CSCuh12487

Null value associated with SNMP GET after call from NMAP fails

CSCuh17560

Suppress Accounting update packets in Cisco ISE 1.1.x

CSCuh23189

ISE: Using Internal Identity User can gain access to Admin Dashboard

CSCuh29915

ID group add button window shrinks

CSCuh36595

Custom Guest Self Registration Result should not write to file system

CSCuh43440

ISE needs to improve logging mechanism to keep track of backup failures

CSCuh43470

Cisco ISE Authentication failures alarm threshold definition

CSCuh43528

Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details

CSCuh54747

Search is not working in object selector if we change the views

CSCuh56861

Cisco ISE Active Endpoints count on dashboard home page does not decrement

CSCuh67300

ISE redirects to default guest pages when configured for custom pages

CSCuh70984

Database purging alarms on ISE due to open cursors exceeded

CSCui22841

Apache Struts2 command execution vulnerability

CSCui41569

BYOD Supplicant Provisioning Status query should be optimized

CSCui56071

ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

CSCui75669

Endpoint update calls from guest-portal causing replication issues

CSCuj35109

LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6

CSCuj45431

ISE Support for Mac OS X 10.9 NAC Agent

CSCuj51094

Captured TCPDump file is not working

CSCuj60796

ISE Support for IE 11

Cisco ISE Release 1.1.3 Resolved Caveats

The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.3.

Table 47 Resolved Caveats in Cisco ISE, Release 1.1.3 Patches

Caveat
Description

CSCte69572

NAC Web Agent fails when more than one browser is trying to install

CSCth95432

All OUIs in IEEE need to be resolved to names by profiler

CSCto03644

Tray icon flickers click focus if user changes apps from login OK

CSCto49390

NAC Agent 4.8.1.5 takes long time to login

CSCtr28855

Web Agent logs do not show the OPSWAT SDK Version

CSCtw62033

Mac OS X Agent log time should use UTC if not configurable

CSCtw98454

Cisco ISE Guest accounting report filter not working

CSCtx35984

Profiler unable to save into DB - SSL Handshake exception error

CSCty04128

AV Remediation success while def update is blocked, full access granted

CSCua05433

Import of identity groups and identities does not maintain membership

CSCua12479

HTTP profiling in ISE 1.1 is done after Guest Authentication

CSCub05899

ISE cannot import CA cert with non-standard field

CSCub18575

Problem with sponsor accounts starting with a "0"

CSCub26470

Wireless license shows Advanced and Base license as “Eval”

CSCub29212

Mac OS 10.8 clients require confirmation from a system administrator to modify the System network configuration

CSCub32594

ISE: Inline posture node is not accepting policy from PDP

CSCub35046

CSCub62481

ISE custom guest portal results page includes unused fields

CSCub44915

ActivatedGuest fails radius authentication with FromFirstLogin time prof

CSCub45895

UTFDataFormatException upon saving LDAP groups with multiple OUs/DCs

CSCub54464

Unable to delete SSH keys with "ssh delete host" command

CSCub61252

Need to disable list of services through the AXIS configuration file

CSCub70759

Email id of guest users more than 24 chars getting truncated

CSCub74879

NAC posture check fails for IE8 KB2544521

CSCub82418

Dual SSID failing as Profiled endpoints mac is changed to PDP's MAC

CSCub99507

Remediation not working correctly with nacagent / ISE

CSCuc07816

Must be able to purge MnT data from CLI

CSCuc08926

NAC WebAgent posture check fails for IE8 KB2544521

CSCuc13075

Endpoints are being saved with EndpointPolicy as Unknown

CSCuc18502

Cisco ISE upgrade from release 1.1 to 1.1.1 fails because of Blacklist authorization

CSCuc29014

Profiling conditions edit throws null error with NullPointerException

CSCuc31098

Backup should not be triggered when there is no sufficient disk space

CSCuc46719

High CPU usage in ISE if profiling data cannot be written to database

CSCuc48613

Google Chrome can cause reordering of Authorization Policy rules

CSCuc61143

Cisco ISE redirects to default login portal (instead of custom) when cookies are disabled

CSCuc74270

Authorization policy match fails following Active Directory password change

CSCuc84467

When retrieved group with ' AD page indicate problem

CSCud00831

EAP-TLS authentications failing with x509 decrypt error

CSCud04633

Java causing ISE Out of Memory Error

CSCud05296

NSP on Windows 8 is broken

CSCud08580

Authentication does not have UserInfo object set in the thread local var

CSCud11139

XSS Vulnerability in ISE Guest portal

CSCud12095

Purge job fails to complete in ISE 1.1.1

CSCud20033

IP phone and workstation profiled as cisco access point

CSCud20871

ISE- 86107-Session cache entry missing during guest authentication.

CSCud21349

Mac CCAAgent Posture Process will not start for non-English languages

CSCud33787

Edit and saving a Guest user fails with internal error

CSCud65479

Device registration Change of Authorization loop with posturing enabled

CSCud83514

ISE session database growing too large, causing homepage blank

CSCud85806

Purge Operation Fails Intermittently

CSCue00010

Configuration backup command needs to exclude mnt tablespace

CSCue00631

Add CNA wispr to list of ignored user agents

CSCue16774

Profiler purge process not running. EP Cache growing past memory limits

CSCue25407

Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x

CSCue28066

IP address field missing during editing/duplicating NADs

CSCue29044

Timesten configuration setting change

CSCue30368

Parsing of subject field of certificate fails

CSCue31190

Sponsor users editing guest accounts may cause internal server errors

CSCue33406

Default enable the "Number of authentications exceed threshold" alarm

CSCue41912

NAC agent is not triggered on Windows 8 client

CSCue49305

Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms.

CSCue49317

SCEP enrolment failure if the user name is prefixed with AD domain name

CSCue50838

An arrayOutOfBoundException occurs during Certificate provisioning.

CSCue58842

Valid email refused in ISE Guest Portal

CSCue59806

'NAC Server not available' error thrown - EAP failure error (No response)

CSCue60442

Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE

CSCue62940

Incremental Backup without Full Backup gets Stuck in Running

CSCue67900

Termination-Action returns RADIUS-Request

CSCue71407

Guest and Sponsor language templates disappear from database.

CSCue73865

Cisco ISE is unable to authenticate users against Active Directory with SmbServerHardening=1

CSCue83454

In CWA, ISE is not able to learn guest user IP address

CSCue86661

ISE may not match compound condition with multiple conditions

CSCue90444

When an active IPEP node fails, the VPN traffic drops.

CSCue96626

Address purging issues

CSCue98661

ISE NAC Agent on Windows 8 checks for AV that is not selected

CSCuf05267

BYOD usability - Provide API to poll BYOD status.

CSCuf08298

Collect only the attributes that are used in profiling policies

CSCuf20919

Guests can view accounts from each other through self-service

CSCuf47857

BYOD enhancements

CSCuf56635

HP Jetdirect Printer incorrectly profiled as HP-Device using DHCP probe

CSCuf66747

Guest user notification substitution uses system timezone instead of user timezone

CSCuf71124

PAP admin login failed for consecutive purge operations

CSCuf90492

ISE cannot process large SGT matrices or send radius messages larger than 4k

CSCuf90513

Multiple Policy Service nodes attempt to write the same profile data to the database, which causes high CPU usage.

CSCug04743

The order of policies changes on Authentication, Posture and CP Policy pages when using Google Chrome

CSCug06716

Cisco ISE Centrify AD domain whitelisting breaks machine authentication

CSCug15615

BYOD CR: Error message needs to be modified for a disabled NSP policy (NSPMsg.FAIL_NSP_DISABLE)

CSCug20065

Unable to enforce RBAC as desired to a custom admin

CSCug34981

Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth

CSCug35133

The attribute Service-Type is changing often with the radius probe and causing high CPU usage

CSCug37245

SCEP enrolment fails when using certificates from different CAs

CSCug44228

BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser

CSCug68792

Incomplete Backup Process Status in UI

CSCug69605

BYOD: Fingerprint exception on Cisco ISE when CA cert is retrieved via SCEP

CSCug72958

1.1.2 Patch 7 - Profiling functionality is broken while editing policies

CSCug74166

Identity groups are corrupted after changing the parent identity group name

CSCug76995

Unable to add user after changing the parent user identity group name

CSCug77406

Increase retention of ASA VPN sessions to 120 hours (5 days)

CSCug78350

To install the NAC Agent on IE 10, you must enable compatible mode

CSCug78636

Disable Diagnostic Issue

CSCug79123

Messages are displaying in vertical format in IE

CSCug79181

IOS: not able to see closed SSID if it isn't broadcasted if profile is TLS

CSCug80970

Wrong button is displayed when the session is lost during NSPWizard installation process

CSCug90502

ISE Blind SQL Injection Vulnerability

CSCug95429

Profiler: IP attribute unnecessarily being updated

CSCug98513

Integrate components to support AD 2012 or mixed mode (2008)

CSCug99304

ISE replication gets disabled due to expired certificates even though they are valid

CSCuh12487

Null value associated with SNMP GET after call from NMAP fails

CSCuh17560

Suppress Accounting update packets in ISE 1.1.x

CSCuh23189

ISE: Using Internal Identity User can gain access to Admin Dashboard

CSCuh29915

ID group add button window shrinks

CSCuh36595

Custom Guest Self Registration Result should not write to file system

CSCuh43440

ISE needs to improve logging mechanism to keep track of backup failures

CSCuh43470

ISE Authentication failures alarm threshold definition

CSCuh43528

ISE Alarm Authentication failures count incorrectly shows "%" in details

CSCuh54747

Search is not working in object selector if we change the views

CSCuh56861

ISE Active Endpoints count on dashboard home page does not decrement

CSCuh67300

ISE redirects to default guest pages when configured for custom pages

CSCuh70984

Database purging alarms on ISE due to open cursors exceeded

CSCui22841

Apache Struts2 command execution vulnerability

CSCui41569

BYOD Supplicant Provisioning Status query should be optimized

CSCui56071

ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

CSCui57374

ISE IPEP Invalid RADIUS Authenticator error during high load

CSCui67495

Uploaded Filenames/Content Not Properly Sanitized

CSCui67511

Certain File Types are not Filtered and are Executable

CSCui75669

Endpoint update calls from guest-portal causing replication issues

CSCuj35109

LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6

CSCuj45431

ISE Support for Mac OS X 10.9 NAC Agent

CSCuj51094

Captured TCPDump file is not working

CSCuj60796

ISE Support for IE 11

CSCul02860

Struts Action Mapper Vulnerability

CSCul03127

Struts 2 Dynamic Method Invocation Vulnerability

CSCun25178

Fetching Group Information Takes a Long Time Because of SIDHistory

Cisco ISE Release 1.1.2 Resolved Caveats

The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.2.

Table 48 Resolved Caveats in Cisco ISE, Release 1.1.2 Patches

Caveat
Description

CSCtx81905

Cisco ISE returns an error message while registering one node to another

CSCty51260

Active Directory “dn” attribute does not work for authorization policies

CSCty98551

Race condition between CoA event and persistence event during initial endpoint login

CSCtz13306

Monitoring and Troubleshooting collector cannot collect posture audit logs to generate report

CSCtz41452

Evaluation license counter incrementing when wireless license installed

CSCtz67814

Replication disabled for secondary node

CSCtz99077

ISE refuses valid email address as user email field

CSCua05433

The endpoint identity import function does not maintain correct identity group membership

CSCua50327

Cisco ISE Deployment page takes 40 to 50 seconds to render

CSCua50627

Base license removes SGA attributes in device configuration

CSCua55485

ISE distributed deployment does not work with split-domain configuration

CSCua56980

Primary Administration ISE node is non-responsive over a period of time because of frozen database

CSCua64378

Rate limit profiler endpoint updates to reduce the number of messages

CSCua65587

Alarms For Authorization Profile Matches

CSCua79768

EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth

CSCua89503

Collect only the attributes that are used in profiling policies

CSCua92153

Cisco ISE does not validate Certificate Signing Requests correctly

CSCub03210

Alpha- DB Connection leakage when the rollback fails

CSCub19485

RADIUS Dictionary Export does not export “Direction” or “Description”

CSCub28834

Inline Posture node not displaying logs

CSCub71617

IP Phones 7942 with MAC address prefix 5C:50:15 are not profiled on ISE

CSCub85511

IE Protected mode - provisioning without adding site to trusted list

CSCub95755

Backup and cleanup scripts causing failures

CSCuc06431

End point import not working with policy names included in CSV file

CSCuc19682

Cisco ISE purge operation corrupts indexes in some database tables

CSCuc34292

Mac OS 10.8: Both NAC Agents and Supplicant Provisioning Wizards fail to register with Cisco ISE if the “MACAppStore&iden. developer” string is missing

CSCuc44535

EAP Chaining + Posture fails for inner methods other than EAP-MSCHAP

CSCuc51338

Sessions leak when rule based policy performed with proxy result

CSCuc58992

IP address of the endpoints is not getting updated correctly

CSCuc64732

Detecting a name change behaves case-sensitive

CSCud43467

Periodic Reassessment check functionality not working

CSCud65479

ISE DRW COA loop with posturing enabled

CSCue14864

Endpoint statically assigned to ID group may appear in different group

CSCue53508

Limit SNMP Query based on RADIUS Acct Start Event

CSCue59806

'NAC Server not available' error thrown - EAP failure error

CSCue60442

Authorization Policy disappears after modifying Identity Group

CSCue71478

Remove ACS-Session-ID from attribute suppression white-list

CSCue71874

Re-profiling process check continuously running

CSCuf08298

Collect only the attributes that are used in profiling policies

CSCuf56635

HP Jetdirect Printer incorrectly profiled as HP-Device using DHCP probe

CSCuf66747

Guest user notification substitution uses system timezone instead of user timezone

CSCuf90513

Multiple PSN's attempt to write same profile data to db causes high CPU

CSCui22841

Apache Struts2 command execution vulnerability

Cisco ISE Release 1.1.1 Resolved Caveats

The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.1.

Table 49 Resolved Caveats in Cisco ISE, Release 1.1.1 Patches

Caveat
Description

CSCto03644

Tray icon flickers click focus if user changes applications from login OK

CSCto19507

Mac OS X agent does not prompt for upgrade when coming out of sleep mode

CSCto87799

Guest authentication fails, if the web browser is using old session information

CSCto97422

Auto Popup does not happen after clicking Cancel during remediation failure

CSCts45441

Weird behavior with creating guest account using start-end time profile

CSCtu05540

Monitoring and Troubleshooting node does not show Active Directory External Groups following authentication failure

CSCtx01136

Cisco NAC Agent is not performing posture assessment

CSCtx07670

Profiler conditions that are edited wind up corrupting Profiler policies

CSCtx25213

IP table entry needs cleanup after deregistering a secondary node

CSCtx33747

RBAC admin cannot access deployment page and perform deployment-related functions

CSCtx51454

Unable to retrieve administrator users list

CSCtx74574

Device Configure Deployment option selected after upgrade from software release 1.0 to release 1.1

CSCtx77149

Disk space issue

CSCtx94839

Clicking on logout link on the AUP page of Device Registration Webauth flow appears to do nothing

CSCtx97190

Cisco 3750 switch is profiled as “Generic Cisco Router”

CSCty02379

Cisco ISE runs out of space due to a backlog of pending messages in the replication queue

CSCty10461

Cannot register a Cisco ISE node with UTF-8 characters in administrator name

CSCty15646

Monitoring and Troubleshooting debug log alert settings get reset to WARN

CSCty16603

Administrator ISE node promotion fails, resulting in disabled replication status

CSCty23790

Internet Explorer 8 is unable to import endpoints from LDAP

CSCty40077

Shared Secret Key for Inline Posture node Network Access Device is not created or updated

CSCty54756

Indexes corrupted in Monitoring and Troubleshooting node database

CSCty59165

SNMPQuery Probe events queue runs out of memory

CSCty80451

Failed to authenticate external admin (AD user) when configured user to change password at the next log in

CSCtz28057

After upgrade to release 1.1, Cisco ISE is still in “initializing” state

CSCtz45714

Incorrect authentication and authorization match on client machine

CSCub29185

Mac Agent not getting installed when the “MAC App Store” and “identified developers” options are enabled on the client

CSCub32594

Inline posture node does not accept a policy from the associated Policy Service node

CSCub82071

Unable to Install/Upgrade Mac agent 4.9.0.654 on Mac OS X 10.7.4 Client

CSCui22841

Apache Struts2 command execution vulnerability

Known Issues

Cisco ISE Release 1.1.3 and Earlier Does Not Support Google Chrome For the Administrative User Interface

Google Chrome is not a supported browser for use with the Administrative User Interface of the Cisco Identity Service Engine (ISE), Release 1.1.3 and earlier versions.

If you use Google Chrome to edit the authorization policy rules, the policy ranking order might change, which impacts authorization of end users.

This issue is limited to authenticated admin users with permissions to manage Cisco ISE authorization policies. This issue does not apply to end users who use Google Chrome for web authentication for network access.

Cisco ISE Hostname Character Length Limitation with Active Directory

If you use Active Directory on your network, limit Cisco ISE hostnames to 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters. This can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters and are distinguishable only by the characters that follow the first 15.

Issue Accessing the Cisco ISE Administrator User Interface

When you access the Cisco ISE administrator user interface using the host IP address as the destination in the Internet Explorer 8 address bar, the browser automatically redirects your session to a different location. This situation occurs when you install a real SSL certificate issued by a Certificate Authority like VeriSign.

If possible, Cisco recommends using the Cisco ISE hostname or fully qualified domain name (FQDN) you used to create the trusted SSL certificate to access the administrator user interface via Internet Explorer 8.

Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8

There is a known migration consideration that affects successful migration of Cisco Secure ACS 5.1/5.2 data to the Cisco ISE appliance using the Cisco Secure ACS 5.1/5.2-ISE 1.0 Migration Tool.

The only currently supported browser for downloading the migration tool files is Firefox version 3.6.x. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported for this function.

For more information, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x.

User Identity Groups User Interface Issue With IE 8

If you create and operate 100 User Identity Groups or more, a script in the Cisco ISE administrator user interface Administration > Identity Management > User Identity Groups page can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running script. (If the script continues to run, your computer might become unresponsive.)

Issues With 2k Message Size in Monitoring and Troubleshooting

Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection performance for messages of 8k in size. As a result, you may notice a slightly different message performance rate when compiling 2k message sizes regularly.

Issues With More Than Three Users Accessing Monitoring and Troubleshooting Concurrently

Although more than three concurrent users can log into Cisco ISE and view monitoring and troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages taking excessive amounts of time to launch, and the application server restarting on its own.

Inline Posture Restrictions

  • Inline Posture is not supported in a virtual environment, such as VMware.
  • The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.
  • The Cisco Discovery Protocol (CDP) is not supported by Inline Posture.

Cisco IP phones using EAP-FAST

Cisco ISE, Release 1.0 does not support Cisco IP phones that are using EAP-FAST with certificates. Cisco recommends using EAP-TLS with IP phones in your network.

Internationalization and Localization

This section covers the known issues relating to internationalization and localization.

Custom Language Templates

If you create a custom language template with a name that conflicts with a default template name, your template is automatically renamed after an upgrade and restore. After an upgrade and restore, default templates revert back to their default settings, and any templates with names that conflict with defaults are renamed as follows: user_{LANG_TEMP_NAME}.

Issues with Monitoring and Troubleshooting Restore

During the Monitoring and Troubleshooting restore, the Cisco ISE application on the Monitoring node restarts and the GUI is unavailable until the restore completes.

Documentation Updates

Table 50 Updates to Release Notes for Cisco Identity Services Engine, Release 1.1.x

Date
Description

5/15/14

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11

5/15/14

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11

4/14/14

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10

3/19/14

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10

2/18/14

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9

2/18/14

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9

11/11/13

Added Support for Windows 8.1 and Mac OS X 10.9

11/11/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8

11/11/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8

10/21/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10

10/21/13

Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7

10/11/13

Added FIPS Compliance

10/11/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7

10/11/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7

8/30/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6

8/30/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6

8/27/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5

8/23/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5

8/8/13

Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6

8/7/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9

8/2/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4

8/2/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4

7/15/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3

7/15/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3

6/5/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2

6/5/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2

5/21/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8

5/13/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7

5/6/13

Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1

4/26/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6

4/25/13

Cisco Identity Services Engine, Release 1.1.4

4/5/13

Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1

4/5/13

Added Integration with Cisco Prime Network Control System

4/2/13

3/15/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5

2/28/13

Cisco Identity Services Engine, Release 1.1.3

2/25/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4

2/1/13

Added CSCud02566 to Cisco ISE Release 1.1.x Open Caveats

1/11/13

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3

12/21/12

Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2

11/16/12

Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5

11/2/12

Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4

10/31/12

Cisco Identity Services Engine, Release 1.1.2

10/12/12

9/5/12

7/27/12

Added CSCub29185 and CSCub29212 to Cisco ISE Release 1.1.x Open Caveats

7/20/12

7/17/12

7/10/12

Cisco Identity Services Engine, Release 1.1.1

Related Documentation

This section provides lists of related release-specific and platform-specific documentation.

Release-Specific Documents

Table 51 lists the product documentation available for the Cisco ISE Release. General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 51 Product Documentation for Cisco Identity Services Engine

Document Title
Location

Release Notes for the Cisco Identity Services Engine, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html

Cisco Identity Services Engine User Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Upgrade Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html

Platform-Specific Documents

Links to other platform-specific documentation are available at the following locations:

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.