Table of Contents
This document describes Cisco Identity Services Engine (ISE) compatibility with switches, wireless LAN controllers, and other policy enforcement devices as well as operating systems with which Cisco ISE interoperates.
- Supported Network Access Devices
- Supported AAA Attributes for Third-Party VPN Concentrators
- Supported External Identity Sources
- Supported Browsers for the Admin Portal
- Supported Client Machine and Personal Device Operating Systems, Supplicants, and Agents
- Supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals
- Supported Devices for On-Boarding and Certificate Provisioning
- Documentation Updates
- Related Documentation
- Obtaining Documentation and Submitting a Service Request
Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication. For a list of supported authentication methods, see the “Configuring Authentication Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.2.
Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices. In addition, certain other advanced functions like central web authentication (CWA), Change of Authorization (CoA), Security Group Access (SGA), and downloadable access control lists (ACLs), are only supported on Cisco devices. For a full list of supported Cisco devices, see Table 1 .
The NADs that are not explicitly listed in Table 1 and do not support RADIUS CoA must use inline posture.
For information on enabling specific functions of Cisco ISE on network switches, see the Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions appendix of the Cisco Identity Services Engine User Guide, Release 1.2.
Caution To support the Cisco ISE profiling service, use the latest version of NetFlow, which has additional functionality that is needed to operate the profiler. If you use NetFlow version 5, then you can use version 5 only on the primary NAD at the access layer, as it will not work anywhere else.
Recommended OS Version 1 dACL/ Named ACL 2 TrustSec 3
IOS v 15.0.2-SE (ED) LAN BASE 4
Catalyst 3850, 3650 5
Wireless LAN Controller (WLC) 2100 6
Wireless LAN Controller (WLC) 4400 6
Wireless LAN Controller (WLC) 2500 8
Wireless LAN Controller (WLC) 5500 8
Wireless LAN Controller (WLC) 7500 8
Wireless LAN Controller (WLC) 8500 8
ISR 88x, 89x Series 10
ISR 19x, 29x, 39x Series 10
1.The “Recommended OS Version” is based on releases that contain both core and advanced ISE feature support and have been tested with Cisco ISE release 1.2. This table is not a representation of all possible OS versions supported by ISE. The OS versions not listed may be supported with limited features, may contain critical defects for selected features, and have not been fully tested with Cisco ISE 1.2. While selecting an OS version, it is recommended to refer to the OS documentation for the required Cisco ISE feature support and outstanding defects.
For previously tested OS versions with older Cisco ISE releases, refer to the following:
2.Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support the requirements for Inline Posture Node as they do not send Framed-IP-Address. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 126.96.36.199 and for MAB-authenticated WLANs starting from WLC 188.8.131.52. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 184.108.40.206. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
3.For a complete list of Cisco TrustSec feature support, see http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html.
5.The current available IOS releases for converged access switches, such as 3850 or 3650, may not send Calling-Station-ID in the RADIUS accounting requests, which may result in incorrect session states and endpoint profiles in ISE. Refer to Release Notes for Cisco Identity Services Engine, Release 1.2.x for more information.
For third-party VPN concentrators to integrate with Cisco ISE and Inline Posture nodes, the following authentication, authorization, and accounting (AAA) attributes must be included in RADIUS communication:
Refer to Release Notes for the Cisco Identity Services Engine, Release 1.2.x for more information.
Microsoft Windows Active Directory 2012 R2 15
- Mozilla Firefox version 5. x and later (applicable for Windows, Mac OS X, and Linux-based operating systems).
- Windows Internet Explorer 8. x and later.
Client Machine Operating Systems and Agent Support in Cisco ISE lists the supported client machine operating systems, browsers, and agent versions supporting each client machine type. For all devices, you must also have cookies enabled in the web browser.
Note All standard 802.1X supplicants can be used with Cisco ISE, Release 1.2.x standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. (For information on allowed authentication protocols, see the “Managing Authentication Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.2). For the VLAN change authorization feature to work in a wireless deployment, the supplicant must support IP address refresh on VLAN change.
The Cisco NAC Agent versions 220.127.116.11 and later can be used on both Cisco NAC Appliance Releases 4.9(1),4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2.x. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.
Table 3 Google Android 16
Table 4 Apple iOS 17
Apple iOS 7.x18
17.While Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1x, the public certificate includes a CRL distribution point that the iOS device needs to verify but it cannot do it without network access. Click “confirm/accept” on the iOS device to authenticate to the network.
18.To work with Apple iOS 7, you need to install Cisco ISE Release 18.104.22.1689 cumulative patch 2 or later. To apply the patch, refer to Release Notes for Cisco Identity Services Engine, Release 1.2.x.
Table 6 Microsoft Windows 22
Microsoft Windows 726
- Microsoft IE 9, 10 27
- Google Chrome 11, 12, 13, 14, 15, 16
- Mozilla Firefox 3.6, 4, 5, 9
Microsoft Windows Vista 5
Microsoft Windows XP 5
Not tested extensively 28
Google Android 29 4.1.2, 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
Microsoft Windows 830
Microsoft Windows 731
- Microsoft IE 9, 10 32
- Mozilla Firefox 3.6, 5, 9, 16
- Google Chrome 11
Cisco Wireless LAN Controller (WLC) 7.2 or above support is required for the BYOD feature. Refer to the Release Notes for the Cisco Identity Services Engine, Release 1.2 for any known issues or caveats.
2.2 and above34
Barnes & Noble Nook (Android) HD/HD+ 35
MAC OS X37
- Key size should be 1024, 2048, or higher. In CA server, the key size is defined using certificate template. You can define the key size on Cisco ISE using the supplicant profile.
- Key usage should allow signing and encryption in extension.
- While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
- Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.
Updated the Microsoft Active Directory versions in Supported External Identity Sources
Added support for Apple iOS 7 to Apple iOS
- Cisco ISE
- Cisco Secure ACS
- Cisco NAC Appliance
- Cisco NAC Profiler
- Cisco NAC Guest Server
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.