Guest

Cisco Identity Services Engine

Cisco Identity Services Engine Network Component Compatibility, Release 1.1

  • Viewing Options

  • PDF (216.9 KB)
  • Feedback
Cisco Identity Services Engine Network Component Compatibility, Release 1.1

Table Of Contents

Cisco Identity Services Engine Network Component Compatibility, Release 1.1

Supported Network Access Devices

Supported External Identity Sources

Supported Administrative User Interface Browsers

Supported Client Machine Operating Systems, Supplicants, and Agents

Client Machine Operating Systems and Agent Support in Cisco ISE

Supported Operating Systems and Browsers for Cisco ISE Guest Services

Documentation Updates

Related Documentation

Release-Specific Documents

Platform-Specific Documents

Obtaining Documentation and Submitting a Service Request


Cisco Identity Services Engine Network Component Compatibility, Release 1.1


Revised: July 1, 2013, OL-25535-01

This document describes Cisco Identity Services Engine (ISE) compatibility with switches, wireless LAN controllers, and other policy enforcement devices, as well as client machine operating systems with which Cisco ISE interoperates in the network. This document covers the following topics:

Supported Network Access Devices

Supported External Identity Sources

Supported Administrative User Interface Browsers

Supported Client Machine Operating Systems, Supplicants, and Agents

Supported Operating Systems and Browsers for Cisco ISE Guest Services

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

Supported Network Access Devices

Cisco ISE supports interoperability with any (Cisco or non-Cisco) RADIUS client NAD that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication. For a list of supported authentication methods, see the "Configuring Authentication Policies" chapter of the Cisco Identity Services Engine User Guide, Release 1.1.

Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices. In addition, certain other advanced functions like central web authentication (CWA), Change of Authorization (CoA), Security Group Access, and downloadable ACLs, are only supported on Cisco devices. For a full list of supported Cisco devices, see Table 1.

The NADs that are not explicitly listed in Table 1 and that do not support RADIUS Change of Authorization (CoA) must use inline posture.

For information on enabling specific functions of Cisco ISE in your network switches, see the Switch Configuration Required to Support Cisco ISE Functions appendix of the Cisco Identity Services Engine User Guide, Release 1.1.


Note Some switch models and IOS versions may have reached their Cisco end-of-maintenance milestones, hence interoperability may not be fully supported for these switch types.



Caution To support the Cisco ISE Profiling service, Cisco recommends using the latest version of NetFlow (version 9), which has additional functionality that is needed to operate the Profiler. If you use NetFlow version 5 in your network, then you can use version 5 only on the primary NAD at the access layer, as it will not work anywhere else.

Table 1 Supported Network Access Devices 

Device
Minimum OS Version
MAB
802.1X
Web Auth
Session CoA
VLAN
DACL
SGA
IOS Sensor
CWA
LWA
Access Switches
 

Catalyst 2940

IOS v12.1(22)EA1

Yes

Yes

No

No

No

Yes

No

No

No

Catalyst 2950

IOS v12.1(22)EA1

No

Yes

No

No

No

Yes

No

No

No

Catalyst 2955

IOS v12.1(22)EA1

No

Yes

No

No

No

Yes

No

No

No

Catalyst 29601 ISR EtherSwitch ES2

IOS v 15.0.2-SE3 LAN Base

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

No

Catalyst 29601, Catalyst 2960-S1, Catalyst 2960-C

IOS v12.2(52)SE LAN Lite2

Yes

Yes

No

No

No

Yes

No

No

No

Catalyst 2970

IOS v12.2(25)SE

Yes

Yes

No

No

No

Yes

No

No

No

Catalyst 2975

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

No

Catalyst 3550

IOS v12.2(44)SE

Yes

Yes

No

No

No

Yes

Yes

No

No

Catalyst 35601, Catalyst 3560-C1

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

15.0 (1) SE

Catalyst 3560-E1, ISR EtherSwitch ES3

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

15.0 (1) SE

Catalyst 3560-X1

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

15.0 (1) SE

Catalyst 37501

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

15.0 (1) SE

Catalyst 3750-E1

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

15.0 (1) SE

Catalyst 3750 Metro1

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

15.0 (1) SE

Catalyst 3750-X1

IOS v12.2(52)SE

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

15.0 (1) SE

Catalyst 4500

IOS v12.2(54)SG1

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Catalyst 6500

IOS v12.2(33)SXI6

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Data Center Switches
 

Catalyst 4900

IOS v12.2(54)SG1

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Nexus 70003

 

Yes

Yes

Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node) 4 5
 

Wireless LAN Controller (WLC) 2100, 4400

7.0.116.0

No6

Yes

No

Yes

Yes

Yes

Yes

No

No

Wireless LAN Controller (WLC) 2500, 5500

7.2.103.0

No6

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

WLC 7500 Series

7.2.103.0 (basic RADIUS auth supported in 7.0.116.0)

Yes6

Yes

No

Yes (local only)

No

Yes

No

No

No

WiSM1 Blade for 6500

7.0.116.0

No6

Yes

No

Yes

Yes

Yes

Yes

No

No

WiSM2 Blade for 6500

7.2.103.0

No6

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

WLC for ISR (ISR2 ISM, SRE700, and SRE900)

7.0.116.0

No6

Yes

No

Yes

Yes

Yes

Yes

No

No

WLC for 3750

7.0.116.0

No6

Yes

No

Yes

Yes

Yes

Yes

No

No

ISR 88x, 89x Series

15.2(2)T

Yes

Yes

No

LWA (L3)

Yes

Yes

No

Yes (IPsec)

No

ISR 19x, 29x, 39x Series

15.2(2)T

Yes

Yes

No

LWA (L3)

Yes

Yes

Yes

Yes (IPsec)

No

1 For 802.1X authentications, you need IOS version 12.2(55)SE3.

2 Does not support posture and profiling services.

3 SGA only

4 Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).

5 An issue has been observed during wireless login scenarios where the WLC is running firmware version 7.0.116.0. Unless you require features available only in version 7.0.116.0, Cisco recommends returning your WLC firmware version to 7.0.98.218 or upgrade your WLC firmware version to 7.0.220.0. For more information, see the Release Notes for the Cisco Identity Services Engine, Release 1.1.

6 Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like.


Supported External Identity Sources

Table 2 lists the external identity sources supported with Cisco ISE.

Table 2 Supported External Identity Sources 

External Identity Source
OS/Version

Microsoft Windows Active Directory 2003

Microsoft Windows Active Directory 2003 R2

Microsoft Windows Active Directory 2008

Microsoft Windows Active Directory 2008 R2

LDAP Servers

SunONE LDAP Directory Server

Version 5.2

Linux LDAP Directory Server

Version 2.4.23

Cisco NAC Profiler

Version 2.18 or later

Token Servers

RSA ACE/Server

6.x series

RSA Authentication Manager

7.x series

Any RADIUS RFC 2865-compliant token server

1 OCSP functionality is available only on Microsoft Windows Active Directory 2008.

2 Microsoft Windows Active Directory version 2000 or its functional level are not supported by Cisco ISE.


Supported Administrative User Interface Browsers

You can access the Cisco ISE administrative user interface using the following browsers:

Mozilla Firefox 3.6 (applicable for Windows, Mac OS X, and Linux-based operating systems)

Mozilla FireFox 9 (applicable for Windows, Mac OS X, and Linux-based operating systems)

Windows Internet Explorer 8

Windows Internet Explorer 9 (in Internet Explorer 8 compatibility mode)


Note Cisco ISE GUI is not supported on Internet Explorer version 8 running in Internet Explorer 7 compatibility mode. For a collection of known issues regarding Windows Internet Explorer 8, see the "Known Issues" section of the Release Notes for the Cisco Identity Services Engine, Release 1.1.



Note The minimum required screen resolution to view the Cisco ISE GUI and for a better user experience is 1280*800 pixels.


Supported Client Machine Operating Systems, Supplicants, and Agents

This section lists the supported client machine operating systems, browsers, and Agent versions supporting each client machine type.


Note All standard 802.1X supplicants can be used with Cisco ISE 1.1 standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. (For information on allowed authentication protocols, see the "Managing Authentication Policies" chapter of the Cisco Identity Services Engine User Guide, Release 1.1.) For the VLAN Change authorization feature to work in a wireless deployment the supplicant must support IP address refresh on VLAN Change.


Client Machine Operating Systems and Agent Support in Cisco ISE

This section lists the details for the following Operating Systems:

Apple Mac OS X

Microsoft Windows

Others

Table 3 Apple Mac OS X

Client Machine Operating System
Web Browser
Supplicants (802.1X)
Mac OS X Agent
VPN

Apple Mac OS X 10.5

Apple Safari 4, 5

Google Chrome 11, 12, 13, 14, 15, 16 3

Mozilla Firefox 3.6, 4, 5, 9

Apple Mac OS X Supplicant 10.5

4.9.0.650

AnyConnect version 3.0.3041, 2.5.30411

Apple Mac OS X 10.6

Apple Safari 4, 5

Google Chrome 11, 12, 13, 14, 15, 16 3

Mozilla Firefox 3.6, 4, 5, 9

Apple Mac OS X Supplicant 10.6

4.9.0.650

AnyConnect version 3.0.3041, 2.5.3041

Apple Mac OS X 10.7

Apple Safari 5.1, 6.02

Google Chrome 11, 12, 13, 14, 15, 16 3

Mozilla Firefox 3.6, 4, 5, 9

Apple Mac OS X Supplicant 10.7

4.9.0.650

AnyConnect version 3.0.3041

Apple Mac OS X 10.8

Apple Safari 6.0

Mozilla Firefox 14

Apple Mac OS X Supplicant 10.8

4.9.0.654

1 Anyconnect version 2.5.3041 is required to support "PowerPC" Macintosh systems.

2 Apple Safari version 6.0 is only supported on Mac OS X 10.7.4 and later versions of the operating system.

3 If you are using Mac OS X clients with Java 7, you cannot download the Agents using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the Agents.


Table 4 Microsoft Windows 1

Client Machine Operating System
Web Browser
Supplicants (802.1X)
Cisco ISE
Cisco NAC Agent
Cisco NAC Web Agent
VPN

Microsoft Windows 82 ,3

Windows 8

Windows 8 Professional

Windows 8 Enterprise

Microsoft IE 10

Microsoft Windows 8 802.1X Client

1.1

4.9.0.47

4.9.0.27

Microsoft Windows 74

Windows 7 Professional

Windows 7 Professional x64

Windows 7 Ultimate

Windows 7 Ultimate x64

Windows 7 Enterprise

Windows 7 Enterprise x64

Windows 7 Home Premium

Windows 7 Home Premium x64

Windows 7 Home Basic

Windows 7 Starter Edition

Google Chrome 11, 12, 13, 14, 15, 16

Microsoft IE 9, 10 5

Mozilla Firefox 3.6, 4, 5, 9

Microsoft Windows 7 802.1X Client

AnyConnect Network Access Manager

1.1

4.9.0.37

4.9.0.20

AnyConnect version 3.0.3041

Microsoft Windows Vista4

Windows Vista SP1, SP2

Windows Vista x64 SP1, SP2

Google Chrome 8, 9, 11, 12, 13, 14, 15, 16

Microsoft IE 6, 7, 8, 9

Mozilla Firefox 3.6, 4, 5, 9

Microsoft Windows Vista 802.1X Client

Cisco Secure Services Client (SSC) 5.x

AnyConnect Network Access Manager

1.1

4.9.0.37

4.9.0.20

AnyConnect version 3.0.3041

Microsoft Windows XP4

Windows XP Media Center Edition, SP2, SP3

Windows XP Tablet PC, SP2, SP3

Windows XP Home, SP2

Windows XP Professional SP2, SP3

Windows XP Professional x64, SP2

Google Chrome 11, 12, 13, 14, 15, 16

Microsoft IE 6, 7, 8, 9

Mozilla Firefox 3.6, 9

Microsoft Windows XP 802.1X Client

Cisco Secure Services Client (SSC) 5.x

AnyConnect Network Access Manager

1.1

4.9.0.37

4.9.0.20

AnyConnect version 3.0.3041

1 It is recommended to use the Cisco NAC/Web Agent versions along with the corresponding Cisco ISE version.

2 In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable "compatibility mode.")

3 When you create a Cisco ISE client provisioning policy to accommodate Windows 8, you must specify the "Windows All" operating system option.

4 Cisco ISE does not support the Windows Embedded operating systems available from Microsoft.

5 When Internet Explorer 10 is installed on Windows 7, to get full network access, you need to update to March 2013 Hotfix ruleset.


Table 5 Others

Client Machine Operating System
End User Browser
Supplicants (802.1X)
Agent
VPN

Red Hat Enterprise Linux (RHEL) 5

Google Chrome 11

Mozilla Firefox 3.6, 4, 5

No official support 1

Ubuntu

Mozilla Firefox 3.6

No official support

1 Although not supported by Cisco, the WPA_Supplicant and Open1X Supplicant are available for use with Linux.


Supported Operating Systems and Browsers for Cisco ISE Guest Services

The Cisco ISE Guest services support the following operating system and browser combinations.

Table 6 Cisco ISE Guest Services - Supported Operating Systems and Browsers

Supported Operating System
Browser Versions

Microsoft Windows 81

Microsoft IE 10

Microsoft Windows 72

Microsoft IE 9

Mozilla Firefox 3.6, 5, 9

Google Chrome 11

Microsoft Windows Vista, Microsoft Windows XP

Microsoft IE 6, 7, 8

Mozilla Firefox 3.6, 9

Google Chrome 5

Apple Mac OS X 10.5, 10.6, 10.7, 10.8

Mozilla Firefox 3.6, 4, 5, 9

Safari 4, 5, 6

Google Chrome 11

Red Hat Enterprise Linux (RHEL) 5

Mozilla Firefox 3.6, 4, 5, 9

Google Chrome 11

Ubuntu

Mozilla Firefox 3.6, 9

1 In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable "compatibility mode.")

2 Cisco ISE does not support the Windows Embedded 7 versions available from Microsoft.



Note When a guest user tries to login using Google Chrome on Windows 7 OS, the login fails. It is recommended to upgrade the browser to Chrome 11.


Documentation Updates

Table 7 Cisco Identity Services Engine Network Component Compatibility Documentation Updates

Date
Update Description

04/08/13

Added support for Internet Explorer 10 on Windows 7

04/02/13

Updated Client Machine Operating Systems and Agent Support in Cisco ISE

03/05/13

Updated Windows 8 editions in Supported Client Machine Operating Systems, Supplicants, and Agents

10/29/12

Added editions of Windows to Supported Client Machine Operating Systems, Supplicants, and Agents

10/26/12

Added support for Windows 8

8/6/12

Added support for Apple Mac OS X 10.8

3/19/12

Cisco Identity Services Engine, Release 1.1


Related Documentation

This section covers information on release-specific documentation and platform-specific documentation.

Release-Specific Documents

Table 8 lists the product documentation available for the Cisco ISE Release. General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 8 Product Documentation for Cisco Identity Services Engine 

Document Title
Location

Release Notes for the Cisco Identity Services Engine, Release 1.1

http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.1

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html

Cisco Identity Services Engine User Guide, Release 1.1

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.1

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.1

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.1

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.1

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.1

http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html


Platform-Specific Documents

Links to other platform-specific documentation are available at the following locations:

Cisco ISE
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Secure ACS
http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

Cisco NAC Appliance
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

Cisco NAC Profiler
http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html

Cisco NAC Guest Server
http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.


This document is to be used in conjunction with the documents listed in the "Related Documentation" section.