Guest

Cisco Identity Services Engine

Release Notes for Cisco Identity Services Engine, Release 1.2.x

  • Viewing Options

  • PDF (760.4 KB)
  • Feedback

Table of Contents

Release Notes for Cisco Identity Services Engine, Release 1.2 .x

Contents

Introduction

Deployment Terminology, Node Types, and Personas

Types of Nodes and Personas

System Requirements

Supported Hardware

Supported Virtual Environments

Supported Browsers

Supported Devices and Agents

Cisco NAC Agent Interoperability

Support for Microsoft Active Directory

Supported Antivirus and Antispyware Products

Installing Cisco ISE Software

Upgrading Cisco ISE Software

Upgrade Considerations and Requirements

No iPEP Support in Cisco ISE 1.2.x Patches

Firewall Ports That Must be Open for Communication

VMware Operating System to be Changed to RHEL 5 (64-bit)

Guest Users Identity Source

Other Known Upgrade Considerations and Issues

Cisco Secure ACS to Cisco ISE Migration

Cisco ISE License Information

Requirements for CA to Interoperate with Cisco ISE

New Features in Cisco ISE, Release 1.2.1

New Plus License

Certificate Renewal

Newly Added Dictionary Attributes

Newly Added Authorization Policy Simple Condition

CWA Redirect To Renew Certificates

Upgrade Enhancements

Virtual Machine Resource Checks

Upgrade Bundle SHA-256 Checksum Verification

Monitoring Database Object Checks

Enhanced Show Tech Support Command Output

Database Enhancements

New Features in Cisco ISE, Release 1.2.0

Support for UCS Hardware

Improved Performance and Scalability

Mobile Device Management Interoperability with Cisco ISE

MAB from Non-Cisco Switches

Support for Universal Certificates

Policy Sets

Profiler Feed Service

Logical Profiles

Enhanced Guest and Sponsor Pages

RADIUS Authentication Suppression

Collection Filters

Support for Secure Syslogs

Support for Windows 2012 Active Directory

Global Search

Session Trace

Enhancement to Client Provisioning

Enhanced Reports and Alarms

Enhancements to Live Authentications Page

Enhancements to Cisco NAC Agent

Cisco NAC Agent for Windows

Cisco NAC Agent for Mac OS X

External RESTful Services

Known Issues in Cisco ISE, Release 1.2.x

Mobile Devices Without VLAN

Web Portal Customization for the Russian Language

Device Registration Portal

Cisco ISE Hostname Character Length Limitation with Active Directory

Windows Internet Explorer 8 Known Issues

Issue Accessing the Cisco ISE Administrator User Interface

User Identity Groups Issue

Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines

Issues with Message Size in Monitoring and Troubleshooting

Issues with Accessing Monitoring and Troubleshooting

Inline Posture Restrictions

Custom Language Templates

Issues with Monitoring and Troubleshooting Restores

Issue with Network Device Session Status Report

BYOD Connectivity Issue with Devices running Windows 7

Issue with Converged Access Switches

Issue with Cisco ISE Mapping to OUI

Cisco ISE Installation Files, Updates, and Client Resources

Cisco ISE Downloads from the Download Software Center

Cisco ISE Live Updates

Cisco ISE Offline Updates

Cisco ISE, Release 1.2.1.198 Patch Updates

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1

Cisco ISE, Release 1.2.0.899 Patch Updates

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9

Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

New Plus License

New Customize ISE 1.2 Web Portals HowTo Guide

New Sample HTML Files for Custom ISE 1.2.x Web Portals

Updated Cisco ISE 1.2.x User Guide

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5

Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

Automatic Update of Compliance Module on Mac OS X Clients

Domain Stripping for Active Directory

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

Support for Guest Self-Registration Based on Email Domain Whitelist

Guest Account Expiration Notifications

Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1

Cisco ISE, Release 1.2.x, Open Caveats

Open Caveats

Open Agent Caveats

Cisco ISE, Release 1.2.1, Resolved Caveats

Cisco ISE, Release 1.2.0, Resolved Caveats

Resolved Caveats

Resolved Agent Caveats

Resolved SPW Caveats

Documentation Updates

Related Documentation

Release-Specific Documents

Platform-Specific Documents

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco Identity Services Engine, Release 1.2.x

Revised: August 11, 2014, OL-27043-01

Contents

These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (ISE), Release 1.2.0 and 1.2.1. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics:

Introduction

The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as a software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.

Deployment Terminology, Node Types, and Personas

Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments.

Table 1-1 Cisco ISE Deployment Terminology

Term
Description

Service

Specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring.

Node

Individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node.

Persona

Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, and Inline Posture.

Deployment Model

Determines if your deployment is a standalone, high availability in standalone (a basic two-node deployment), or distributed deployment.

Types of Nodes and Personas

A Cisco ISE network has two types of nodes:

  • Cisco ISE node, which can assume any of the following three personas:

Administration—Allows you to perform all administrative operations for Cisco ISE. It handles all system-related configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes running the Administration persona and configured as a primary and secondary pair. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.

Policy Service—Provides network access, posturing, BYOD device onboarding (native supplicant and certificate provisioning), guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there is more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.


Note At least one node in your distributed setup should assume the Policy Service persona.


Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all the Administration and Policy Service personas on the Cisco ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.

A node with this persona aggregates and correlates the data that it collects to provide meaningful reports. Cisco ISE allows a maximum of two nodes with this persona that can assume primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.


Note At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and reporting.


  • Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. An Inline Posture node enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows up to 10,000 Inline Posture Nodes in a deployment. You can pair two Inline Posture nodes together as a failover pair for high availability.

Note An Inline Posture node is dedicated solely to that service and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.



NoteEach Cisco ISE node in a deployment can assume more than one persona (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role.


 

Table 2 Recommended Number of Nodes and Personas in a Distributed Deployment

Node / Persona
Minimum Number in a Deployment
Maximum Number in a Deployment

Administration

1

2 (Configured as a high-availability pair)

Monitor

1

2 (Configured as a high-availability pair)

Policy Service

1

  • 2—when the Administration/Monitoring/Policy Service personas are on the same primary/secondary appliances
  • 5—when Administration and Monitoring personas are on same appliance
  • 40—when each persona is on a dedicated appliance

Inline Posture

0

10000 for maximum network access devices (NADs) per deployment

You can change the persona of a node. See the “Setting Up Cisco ISE in a Distributed Environment” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for information on how to configure personas on Cisco ISE nodes.

System Requirements


NoteFor more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.


Supported Hardware

Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2.x is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms that are listed in Table 3 .

 

Table 3 Supported Hardware and Personas

Hardware Platform
Persona
Configuration

Cisco SNS-3415-K9

(small)

Any

  • Cisco UCS 1C220 M3
  • Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
  • 16-GB RAM
  • 1 x 600-GB disk
  • Embedded Software RAID 0
  • 4 GE network interfaces

Cisco SNS-3495-K92

(large)

Administration

Policy Service

Monitor

  • Cisco UCS C220 M3
  • Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
  • 32-GB RAM
  • 2 x 600-GB disk
  • RAID 0+1
  • 4 GE network interfaces

Cisco ISE-3315-K9 (small)

Any

  • 1x Xeon 2.66-GHz quad-core processor
  • 4 GB RAM
  • 2 x 250 GB SATA3 HDD4
  • 4x 1 GB NIC5

Cisco ISE-3355-K9 (medium)

Any

  • 1x Nehalem 2.0-GHz quad-core processor
  • 4 GB RAM
  • 2 x 300 GB 2.5 in. SATA HDD
  • RAID6 (disabled)
  • 4x 1 GB NIC
  • Redundant AC power

Cisco ISE-3395-K9 (large)

Any

  • 2x Nehalem 2.0-GHz quad-core processor
  • 4 GB RAM
  • 4 x 300 GB 2.5 in. SAS II HDD
  • RAID 1
  • 4x 1 GB NIC
  • Redundant AC power

Cisco ISE-VM-K9 (VMware)

Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)

ESX 4. x

ESXi 4. x and 5.x

1.Cisco Unified Computing System (UCS)

2.Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.

3.SATA = Serial Advanced Technology Attachment

4.HDD = hard disk drive

5.NIC = network interface card

6.RAID = Redundant Array of Independent Disks

7.Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.

If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large deployments.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESX 4. x
  • VMware ESXi 4. x
  • VMware ESXi 5. x

Supported Browsers

The Cisco ISE, Release 1.2.x administrative user interface supports a web interface using the following HTTPS-enabled browsers:

  • Mozilla Firefox version 5. x , 8. x , 9. x , 14. x , 15. x , 18. x , 19. x , 20. x, 21. x, 22. x, 23.x, 24.x, 25.x, 26.x, 27.x, 28.x, 29.x
  • Microsoft Internet Explorer 8. x , 9. x (in Internet Explorer 8 Compatibility Mode), and 10. x

Note The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7 compatibility mode. The Microsoft IE8 is supported in its IE8-only mode.


Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser. The minimum required screen resolution to view the Administration portal and for a better user experience is 1280 x 800 pixels.

Supported Devices and Agents

Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.2 for information on supported devices, browsers, and agents.

Cisco NAC Agent Interoperability

The Cisco NAC Agent versions 4.9.4.3 and later can be used on both Cisco NAC Appliance Releases 4.9(1),4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2.0, and 1.2.1. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.

Support for Microsoft Active Directory

Cisco ISE, Release 1.2.x supports Microsoft Active Directory servers 2003, 2008, 2008 R2, 2012at all functional levels.

Microsoft Active Directory server 2012 R2 and all updates are supported by Cisco ISE, Release 1.2.1.

Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE.

Supported Antivirus and Antispyware Products

See the following Cisco ISE documents for specific antivirus and antispyware support details for Cisco NAC Agent and Cisco NAC Web Agent:

Installing Cisco ISE Software

To install Cisco ISE, Release 1.2.x software on Cisco SNS-3415 and SNS-3495 hardware platforms, turn on the new appliance and configure the Cisco Integrated Management Controller (CIMC). You can then install Cisco ISE, Release 1.2.x over a network using CIMC or a bootable USB.


NoteWhen using virtual machines (VMs), we recommend that the guest VM have the correct time set using an NTP serverbefore installing the .ISO image on the VMs.


Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 . Before you run the setup program, ensure that you know the configuration parameters listed in Table 4 .

 

Table 4 Cisco ISE Network Setup Configuration Parameters

Prompt
Description
Example

Hostname

Must not exceed 19 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter.

isebeta1

(eth0) Ethernet interface address

Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.

10.12.13.14

Netmask

Must be a valid IPv4 netmask.

255.255.255.0

Default gateway

Must be a valid IPv4 address for the default gateway.

10.12.13.1

DNS domain name

Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.).

mycompany.com

Primary name server

Must be a valid IPv4 address for the primary name server.

10.15.20.25

Add/Edit another name server

Must be a valid IPv4 address for an additional name server.

(Optional) Allows you to configure multiple name servers. To do so, enter y to continue.

Primary NTP server

Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server.

clock.nist.gov

Add/Edit another NTP server

Must be a valid NTP domain.

(Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

System Time Zone

Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.2 , which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or UTC-8 hours).

The time zones referenced are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.

Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with the time stamps.

UTC (default)

Username

Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and composed of valid alphanumeric characters (A–Z, a–z, or 0–9).

admin (default)

Password

Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9).

MyIseYPass2


NoteFor additional information on configuring and managing Cisco ISE, seeRelease-Specific Documents to access other documents in the Cisco ISE documentation suite.


Upgrading Cisco ISE Software

Cisco Identity Services Engine (ISE) supports upgrades from the CLI only. Supported upgrade paths include:

  • Cisco ISE, Release 1.1.0, with Patch 5 or later applied
  • Cisco ISE, Release 1.1.1, with Patch 7 or later applied
  • Cisco ISE, Release 1.1.2, with Patch 10 or later applied
  • Cisco ISE, Release 1.1.3, with Patch 11 or later applied
  • Cisco ISE, Release 1.1.4, with Patch 11 or later applied
  • Cisco ISE, Release 1.2.0, with Patch 8 or later applied

NoteUpgrade to Cisco ISE, Release 1.2.0.899 is not required before upgrading to Release 1.2.1.198.


Follow the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.2 to upgrade to Cisco ISE, Release 1.2.x.


NoteWhen you upgrade to Cisco ISE, Release 1.2.x, you may be required to open network ports that were not used in previous releases of Cisco ISE. For more information, see "Appendix C, Cisco SNS-3400 Series Appliance Ports Reference" in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.


No iPEP Support in Cisco ISE 1.2.x Patches

Cisco ISE, Release 1.2.x patches cannot be installed on an iPEP node due to the node’s 32-bit architecture. You can still install Cisco ISE, Release 1.1.x patches on iPEP nodes.

Firewall Ports That Must be Open for Communication

The replication ports have changed in Cisco ISE, Release 1.2 and if you have deployed a firewall between the primary Administration node and any other node, the following ports must be open before you upgrade to Release 1.2:

  • TCP 1528—For communication between the primary administration node and monitoring nodes.
  • TCP 443—For communication between the primary administration node and all other secondary nodes.
  • TCP 12001—For global cluster replication.

For a full list of ports that Cisco ISE, Release 1.2 uses, refer to the Cisco SNS-3400 Series Appliance Ports Reference .

VMware Operating System to be Changed to RHEL 5 (64-bit)

Cisco ISE, Release 1.2.x has a 64-bit architecture. If a Cisco ISE node is running on a virtual machine, ensure that the virtual machine's hardware is compatible with 64-bit systems:


NoteYou must power down the virtual machine before you make these changes and power it back on after the changes are done.


  • Enable BIOS settings that are required for 64-bit systems. See the following resources for more information:

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1003945

Guest Users Identity Source

In previous releases of Cisco ISE, guest-user records were available in the Internal Users database. Cisco ISE, Release 1.2.x introduces a Guest Users database, which is different than the Internal Users database. If you have added the Internal Users database to the identity-source sequence, the Guest Users database also becomes part of the identity-source sequence. If guest-user logins are not required, remove the Guest Users database from the identity-source sequence.

Other Known Upgrade Considerations and Issues

Refer to the Cisco Identity Services Engine Upgrade Guide, Release 1.2.x for other known upgrade considerations and issues:

Cisco Secure ACS to Cisco ISE Migration

Cisco ISE, Release 1.2.x supports migration from Cisco Secure ACS, Release 5.3 only. You must upgrade the Cisco Secure ACS deployment to Release 5.3 before you attempt to perform the migration process to Cisco ISE, Release 1.2.

Cisco ISE does not provide full parity to all the features available in ACS 5.3, especially policies. After migration, you may notice some differences in the way existing data types and elements appear in the new Cisco ISE environment. It is recommended to use the migration tool for migrating specific objects like network devices, internal users, and identity store definitions from ACS. Once the migration is complete, you can manually define the policies for relevant features that are appropriate to Cisco ISE.

The migration tool only supports Mozilla Firefox, versions 3.6, 6, 7, 8, 9, and 10. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.

Complete instructions for moving a Cisco Secure ACS 5.3 database to Cisco ISE Release 1.2.x are available in the Cisco Identity Services Engine, Release 1.2 Migration Tool Guide .

Cisco ISE License Information

Cisco ISE comes with a 90-day Base and Advanced Package Evaluation License already installed on the system. After you have installed the Cisco ISE software and initially configured the primary Administration persona, you must obtain and apply a Base, Plus, Advanced, or Wireless license.

Cisco ISE, Release 1.2 Patch 8 and 1.2.1 includes the new Plus license. The Plus license provides the following services:

  • Bring Your Own Device (BYOD)
  • Profiling
  • Endpoint Protection Service (EPS)
  • TrustSec SGT

The Advanced license provides access to the same features as the Plus license, as well as additional services. The Plus license does not include Base services.


NoteSome of the validation messages and alarms may report in terms of Advanced license instead of the Plus license. For example, attempting to install a Plus license without a Base license results in ISE incorrectly report it as an attempt to install an Advanced license without a Base license. Similarly, ISE will report the expiration of a Plus license as the expiration of an Advanced license.


For more detailed information on license types and obtaining licenses for Cisco ISE, see Cisco Identity Service Engine Hardware Installation Guide, Release 1.2 .

Cisco ISE, Release 1.2.x, supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. For more information on Cisco ISE, Release 1.2.x licenses, see the Cisco Identity Services Engine Licensing Note .

Requirements for CA to Interoperate with Cisco ISE

While using a CA server with Cisco ISE, make sure that the following requirements are met:

  • Key size should be 1024, 2048, or higher. In CA server, the key size is defined using certificate template. You can define the key size on Cisco ISE using the supplicant profile.
  • Key usage should allow signing and encryption in extension.
  • While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
  • Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.

New Features in Cisco ISE, Release 1.2.1

Cisco ISE, Release 1.2.1 offers the following features and services:

New Plus License

Cisco ISE, Release 1.2.1 includes the new Plus license. The Plus license provides the following services:

  • Bring Your Own Device (BYOD)
  • Profiling
  • Endpoint Protection Service (EPS)
  • TrustSec SGT

The Advanced license provides access to the same features as the Plus license, as well as additional services. The Plus license does not include Base services.

For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

Certificate Renewal

This release of Cisco ISE allows users to renew certificates that have expired or are about to expire on their personal devices.

By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate.

If you choose to allow the user to renew the certificate, Cisco recommends that you configure an authorization policy rule which checks if the certificate has been renewed before processing the request any further. Processing a request from a device whose certificate has expired may pose a potential security threat. Hence, you must configure appropriate authorization profiles and rules to ensure that your organization’s security is not compromised.

Some devices allow you to renew the certificates before and after their expiry. But on Windows devices, you can renew the certificates only before it expires. Apple iOS, Mac OSX, and Android devices allow you to renew the certificates before or after their expiry.

Newly Added Dictionary Attributes

The following attributes are added to the Cisco ISE certificate dictionary and are used in policy conditions to allow a user to renew the certificate:

  • Days to Expiry: This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires.
  • Is Expired: This Boolean attribute indicates whether a certificate has expired or not.

Newly Added Authorization Policy Simple Condition

A new simple condition is now added that should be used in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further. This simple condition is called CertRenewalRequired.

CWA Redirect To Renew Certificates

If a user certificate is revoked before its expiry, Cisco ISE checks the CRL published by the CA and rejects the authentication request. In case, if a revoked certificate has expired, the CA may not publish this certificate in its CRL. In this scenario, it is possible for Cisco ISE to renew a certificate that has been revoked. To avoid this, before you renew a certificate, ensure that the request gets redirected to Central Web Authentication (CWA) for a full authentication. You must create an authorization profile to redirect the user for CWA.

Upgrade Enhancements

Cisco ISE, Release 1.2.1 includes the following upgrade enhancements for a seamless upgrade experience.

Virtual Machine Resource Checks

The upgrade software now checks if the virtual machine’s hardware (such as hard disk size, CPU speed, etc.) meets the recommended specifications before it begins the upgrade. If the VM resources do not meet the recommended specification, the upgrade fails without making any changes to the existing ISE installation. The console will display a message stating the minimum resource requirements and that the upgrade can be retried after the virtual machine’s hardware has been updated to meet those requirements.

Upgrade Bundle SHA-256 Checksum Verification

The upgrade software verifies the SHA-256 checksum of the upgrade bundle before starting the upgrade process. This check ensures that upgrade does not fail because of corrupt upgrade software leaving the system in a corrupt state. If the upgrade bundle is corrupted, the console displays a message asking the administrator to re-download the upgrade bundle and try the upgrade again.

Monitoring Database Object Checks

In earlier releases, Cisco ISE upgrade has failed because of missing Monitoring database objects. In this release, the upgrade software checks for the Monitoring database objects to ensure that they are present before the upgrade begins. In the rare cases where the database objects are still missing, the administrator must restore from a backup taken before the upgrade.

Enhanced Show Tech Support Command Output

The show tech-support command is enhanced and now includes the database health report, alert log errors, processes that consume resources, database memory usage, and so on. This output is readable and is also available in the Support Bundle. You can run the show tech-support command on demand to look for the health of the database. The output can help the administrator with troubleshooting, if needed..

Database Enhancements

This release includes several database enhancements that improve Cisco ISE performance. Index entries and corrupt data blocks are identified before the upgrade begins. This release also includes several database enhancements that improve Cisco ISE performance.

New Features in Cisco ISE, Release 1.2.0

Cisco ISE, Release 1.2 offers the following features and services:

For more information on key features of Cisco ISE, see the “Overview” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

Support for UCS Hardware

Cisco ISE, Release 1.2.0, supports Cisco Unified Computing System (UCS) C220 hardware, which is shipped on the following platforms:

  • SNS-3415 (small)
  • SNS-3495 (large)

Refer to Table 3 for other platforms supported by Cisco ISE.

For more information, refer to the Cisco Identity Service Engine Hardware Installation Guide, Release 1.2 .

Improved Performance and Scalability

Cisco ISE, Release 1.2.0 offers better performance and scale compared to previous versions. Cisco ISE 1.2 has moved from a 32-bit architecture to a 64-bit architecture, improving the overall performance from 100,000 concurrent endpoints per ISE deployment in ISE 1.1.x to 250,000 concurrent endpoints in ISE 1.2

Mobile Device Management Interoperability with Cisco ISE

This release of Cisco ISE can interoperate with Mobile Device Management (MDM) servers to secure, monitor, and support mobile devices that are deployed across mobile operators, service providers, and enterprises.

Cisco ISE, Release 1.2.0 supports MDM servers from the following vendors:

  • Airwatch, Inc.
  • Good Technology
  • MobileIron, Inc.
  • Zenprise, Inc.
  • SAP Afaria
  • FiberLink Maas360
  • Cisco Mobile Collaboration Management Services (MCMS)

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

MAB from Non-Cisco Switches

Cisco ISE, Release 1.2.0 supports Machine Authentication Bypass (MAB) from non-Cisco switches using the Cisco ISE endpoints database.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Support for Universal Certificates

Cisco ISE, Release 1.2.0 supports the use of wildcard server certificates for HTTPS (web-based services) and EAP protocols that use SSL/TLS tunneling. With the use of universal certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps prevent certificate-name mismatch warnings.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .


NoteThe universal certificates are referred as wildcard certificates in the user guide.


Policy Sets

This release of Cisco ISE allows you to create a set of authentication and authorization policy for various use cases. Policy sets are similar to access services in Cisco Secure ACS 5. x releases.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Profiler Feed Service

Cisco ISE, Release 1.2.x provides a profiler feed service for publishing new profile definitions, updated profile definitions, and new OUI databases posted from IEEE.

With the introduction of the profiler feed service, the profiler conditions, exception actions, and NMAP scan actions are classified as Cisco provided or administrator created (see the System Type attribute) in Cisco ISE. Also, endpoint profiling policies are classified as Cisco provided, administrator created, or administrator modified (see the System Type attribute). You can perform different operations on the profiler conditions, exception actions, NMAP scan actions, and endpoint profiling policies depending on the System Type attribute.

You can retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server through a subscription in Cisco ISE. You can also receive email notifications at an administrator email address that is configured for applied, success, and failure messages. You can also provide additional subscriber information to receive notifications. You can send the subscriber information back to Cisco to maintain the records and they are treated as privileged and confidential.


NoteTo ensure that the most up-to-date OUI database is installed, run the feed service after any Cisco ISE patch or maintenance installation.


For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Logical Profiles

Cisco ISE profiles can be grouped in logical profiles. A logical profile is a container for a category of profiles or associated profiles, irrespective of Cisco-provided or administrator-created endpoint profiling policies. An endpoint-profiling policy can be associated with multiple logical profiles.

You can use the logical profile in an authorization-policy condition to help create an overall network-access policy for a category of profiles.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Enhanced Guest and Sponsor Pages

This release of Cisco ISE provides new default themes for the Guest and Sponsor portal pages. You can customize the pages by uploading logos and editing the color schemes.

When guests access the Guest portal using a mobile device, they are routed automatically to a mobile-optimized version of the Guest portal.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

RADIUS Authentication Suppression

This release of Cisco ISE allows you to configure RADIUS settings to detect the clients that fail to authenticate and to suppress the repeated reporting of successful authentications.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Collection Filters

You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The suppression can be performed at the Policy Service Node level based on different attribute types.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Support for Secure Syslogs

Cisco ISE, Release 1.2.0 can be configured to send secure syslogs to Monitoring nodes and between Cisco ISE nodes, by enabling TLS-protected syslog collectors.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Support for Windows 2012 Active Directory

Cisco ISE, Release 1.2.0 supports Microsoft Windows 2012 Active Directory.

Global Search

Cisco ISE, Release 1.2.0 provides a system-wide endpoint search box that you can use to quickly find and filter endpoints and users on a network. The search result includes detailed session information about each of the matching results, such as the type of access, location, endpoint MAC and IP address, and authorization profile. You can also export these results for further analysis.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Session Trace

Cisco ISE, Release 1.2.0 provides a more efficient troubleshooting functionality. After search results are displayed, you can click the “play” button for more details. A new detailed screen with full session information for the endpoint is displayed.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Enhancement to Client Provisioning

Starting from Cisco ISE Release 1.2.0, it is mandatory to include the client provisioning URL in authorization policy, to enable the NAC Agent to popup in the client machines. This prevents request from any random clients and ensures that only clients with proper redirect URL can request for posture assessment.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2 .

Enhanced Reports and Alarms

Cisco ISE, Release 1.2.0 reports are enhanced to have a new look and feel that is more simple and easy to use. The reports are grouped into logical categories for information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting. A new scheduling service that allows you to queue reports and receive notification when they are available.

 

Table 5 Changes to Reports in Cisco ISE, Release 1.2

Report Name
Change

Endpoint Time to Profiler

Removed

Authentication Failure Code Lookup

Removed

Network Device Log Message

Removed

PAC Provisioning

Removed

Policy CoA

Removed

Posture Trend

Removed

Endpoint Operations History

Removed

AAA Down Summary

Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report.

TOP N AAA Down by Network Device

Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report.

Authentication Trend

Renamed as Authentication Summary report.

TOP N Authentication by Allowed Protocol

Moved to the Authentication Summary report. You can filter the report by Allowed Protocols.

Server Authentication Summary

Moved to the Authentication Summary report. You can filter the report by Server.

TOP N Authentication by Server

Moved to the Top N Authentication report. You can filter the report by Server.

TOP N Authentication by Machine

Renamed as Top N Authentication by Endpoint.

Failure Reason Authentication Summary

Moved to the Authentication Summary report. You can filter the report by Failure Reason.

TOP N Authentication by Network Device

Moved to the Authentication Summary report. You can filter the report by Network Device.

Session Status Summary

Renamed as Network Device Session Status report.

User Authentication Summary

Moved to the Authentication Summary report. You can filter the report by User.

Radius Terminated Sessions

Moved to the Session View report. You can filter the report by Terminated Sessions.

In Cisco ISE, Release 1.2.0, a new dashlet is on the dashboard that allows you to enable and disable alarms and make minor configuration changes. The following is a list of alarms that are removed in Cisco ISE, Release 1.2:

  • Administrator Account Disabled
  • Max Administrator Sessions Exceeded
  • Restore Successful
  • Purge Backup Success
  • Replication Syn Failure
  • High CPU Utilization
  • Purge Failure
  • Purge Success
  • Application Exceeded Maximum Disk space
  • Base License count
  • Advanced License count
  • Admin Account Lockout
  • NTP Server not Reachable
  • Disk Cleanup
  • Successful Node Registration
  • Successful Patch Install
  • Successful Patch RollBack
  • Successful Node Deregistration
  • Successful Update Node
  • UnSuccessful Add Node
  • UnSuccessful Patch Install
  • UnSuccessful Patch Roll Back
  • UnSuccessful Remove Node
  • UnSuccessful Update Node

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Enhancements to Live Authentications Page

The Live Authentications page on the Cisco ISE dashboard shows the details corresponding to authentication entries. In addition to these live authentication entries, the Live Authentications page is enhanced to show the live-session entries. You can also get a detailed report on a session.

For more information on the enhancements to the Authentications page, see Cisco Identity Services Engine User Guide, Release 1.2.

Enhancements to Cisco NAC Agent

The following enhancements have been added to Cisco NAC Agent in Cisco ISE, Release 1.2.0.

Cisco NAC Agent for Windows

  • Support for the Polish Language.
  • Support for the Microsoft Windows 8 Operating System. In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”
  • Support for the Log Packager option in the Agent Icon to collect support logs.
  • New for Cisco ISE 1.2.0 patch 3: support for Microsoft Windows 8.1.

Cisco NAC Agent for Mac OS X

  • Support for the Collect Support Logs option in the Agent Icon to collect Agent logs and support information.
  • Notification screen appears automatically when the Agent window is buried by other windows.
  • Support for the Acceptable Use Policy (AUP).
  • New for Cisco ISE 1.2.0 patch 3: support for Mac OS X 10.9.

External RESTful Services

External RESTful Services (ERS) is a new Cisco ISE component that allows you to perform Create, Read, Update, and Delete (CRUD) operations on Cisco ISE resources. ERS also allows you to run advanced queries against the Cisco ISE database and perform bulk operations such as mass updates or deletions.

ERS is based on HTTPS and REST methodology. These APIs provide an interface to the ISE configuration data by enabling internal user identities, endpoints, endpoint groups, identity groups, SGTs, and profiler policies to perform CRUD operations on the ISE data.

Refer to the Cisco Identity Services Engine API Reference Guide, Release 1.2 for more information.

Known Issues in Cisco ISE, Release 1.2.x

Issue Accessing the Cisco ISE Administrator User Interface

User Identity Groups Issue

Mobile Devices Without VLAN

When a mobile device completes the guest flow without VLAN/IP refresh enabled in the Guest Portal, it matches the permit access authorization policy, followed by a CoA termination that deletes the session. The device then goes through the guest flow again and forms a loop.

Web Portal Customization for the Russian Language

When you want to customize a web portal to use the Russian language template, the Browser Locale Mapping for the Russian template is “ru-ru.” However, this default mapping does not work on iPhones. If you encounter this issue, you can create a duplicate template with the Browser Locale Mapping set to “ru.”

Device Registration Portal

When a guest user registers a device using its MAC address, the device does not appear in the Device Registration Portal under the list of Registered Devices. This issue is seen in secondary Policy Service nodes in a distributed deployment and occurs because of replication latency issues.

As a workaround click the Refresh button to view the newly registered device.

Cisco ISE Hostname Character Length Limitation with Active Directory

It is important that Cisco ISE hostnames be limited to 15 characters or less, if you use Microsoft Active Directory on the network. Active Directory does not validate hostnames larger than 15 characters. This can cause a problem if you have multiple Cisco ISE hosts in your deployment that have hostnames longer than 15 characters. If the first 15 characters are identical, Active Directory will not be able to distinguish them.

Issue Accessing the Cisco ISE Administrator User Interface

When you access the Cisco ISE administrator user interface using the host IP address as the destination in the Internet Explorer 8 address bar, the browser automatically redirects the session to a different location. This situation occurs when you install a real SSL certificate issued by a certificate authority like VeriSign.

If possible, we recommend using the Cisco ISE hostname or fully qualified domain name (FQDN) that was used to create the trusted SSL certificate to access the administrator user interface via Internet Explorer 8.

User Identity Groups Issue

If you create and operate 100 or more User Identity Groups, a script in the Cisco ISE administrator user interface can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running script. (If the script continues to run, your computer might become unresponsive.)

Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines

There is a known issue with the Intel Supplicant version 12.4. x for Windows client machines with regard to a VLAN change for wireless deployments. The client machine has no connectivity because the NIC IP address is in the compliant/non compliant VLAN when it should be in the pre posture/pending VLAN.


NoteThis issue affects any supplicant that cannot perform an IP address refresh on a VLAN change in a wireless environment. This issue is related to the VLAN detect (Access VLAN to Authentication VLAN change) functionality, where the Cisco NAC Agent is not working correctly with wireless adapters.


Issues with Message Size in Monitoring and Troubleshooting

Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection performance messages of 8k in size. As a result, you may notice a slightly different message performance rate when compiling 2 k message sizes regularly.

Issues with Accessing Monitoring and Troubleshooting

Although more than three concurrent users can log into Cisco ISE and view monitoring and troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages taking excessive amounts of time to launch, and the application sever restarting on its own.

Inline Posture Restrictions

  • Inline Posture is not supported in a virtual environment, such as VMware.
  • The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.
  • The Cisco Discovery Protocol (formerly known as CDP) is not supported by Inline Posture.

Custom Language Templates

If you create a custom-language template with a name that conflicts with a default template name, the template is automatically renamed after an upgrade and restore. After an upgrade and restore, default templates revert back to their default settings, and any templates with names that conflict with the default names are renamed as follows: user_{LANG_TEMP_NAME}.

Issues with Monitoring and Troubleshooting Restores

During a Monitoring and Troubleshooting restore, the Cisco ISE application on the Monitoring node restarts and the GUI is unavailable until the restore completes.

Issue with Network Device Session Status Report

Network Device Session Status report hangs during report generation. If the Network device is not configured with SNMP and SNMP community string is not provided, then the report generation hangs and never completes.

Workaround for this issue is to enter the SNMP credentials while launching the Network Device Session Status report. If there is a large number of network devices configured in ISE, then it is recommended to provide snmpCommunity value along with the networkDeviceIP.

BYOD Connectivity Issue with Devices running Windows 7

Devices running Windows 7 operating system do not connect by default if "invalid" security certificate is presented from the server side. This issue is seen if self-signed certificates are in use, or if the certificate is signed by a root CA, which is not in the trusted list of the client.

Workaround for this issue is to create a PEAP network profile before connecting to the Single SSID BYOD network. After a PEAP network profile is created, Windows 7 displays a user prompt.

Issue with Converged Access Switches

The current available IOS releases for converged access switches, such as 3850 or 3650, may not send Calling-Station-ID in the RADIUS accounting requests, which may result in incorrect session states and endpoint profiles in ISE. Enter the following commands in the switch to ensure that the ISE data is updated appropriately.

radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
 

See Also CSCuo46999.

Issue with Cisco ISE Mapping to OUI

After installing or upgrading to Cisco ISE 1.2.1, the OUI entries may be missing in the database, which might result in the endpoints matching incorrect authorization policies. You need to run the feed service to update the OUI. It is recommended to run the feed service after the patch installation to ensure that the latest OUIs are installed.

Cisco ISE Installation Files, Updates, and Client Resources

There are three resources you can use to download to provision and provide policy service in Cisco ISE:

Cisco ISE Downloads from the Download Software Center

In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as described in Installing Cisco ISE Software, you can use the Download software web page to retrieve other Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules.

Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.

To access the Cisco Download Software center and download the necessary software:


Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm . You may need to provide login credentials.

Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software .

Choose from the following Cisco ISE installers and software packages available for download:

  • Cisco ISE installer .ISO image
  • Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
  • Windows client machine agent installation files (including MST and MSI versions for manual provisioning)
  • Mac OS X client machine agent installation files
  • AV/AS compliance modules

Step 3 Click Download or Add to Cart .


 

Cisco ISE Live Updates

Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard, Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the Cisco ISE appliance.

Prerequisite:

If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings in Administration > System > Settings > Proxy before you are able to access the Live Update locations. If proxy settings are enabled to allow access to the profiler and posture/client provisioning feeds, then it will break access to the internal MDM server as Cisco ISE cannot bypass proxy services for MDM communication. To resolve this, you can configure the proxy service to allow internal communication to the MDM servers.

For more information on proxy settings, see the “Specifying Proxy Settings in Cisco ISE” section in the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 .

Client Provisioning and Posture Live Update portals:

The following software elements are available at this URL:

Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants

Windows versions of the latest Cisco ISE persistent and temporal agents

Mac OS X versions of the latest Cisco ISE persistent agents

ActiveX and Java Applet installer helpers

AV/AS compliance module files

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Client Provisioning Resources Automatically” section of the “Configuring Client Provisioning” chapter in the Cisco Identity Services Engine User Guide, Release 1.2 .

The following software elements are available at this URL:

Cisco predefined checks and rules

Windows and Mac OS X AV/AS support charts

Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Posture Updates Automatically ” section of the “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.2 .

If you do not enable the automatic download capabilities described above, you can choose to download updates offline. See Cisco ISE Offline Updates.

Cisco ISE Offline Updates

Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent, AV/AS support, compliance modules, and agent installer packages that support client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates when direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a security policy.

Offline updates are not available for Profiler Feed Service.

To upload offline client provisioning resources, complete the following steps:


Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm . You may need to provide login credentials.

Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software .

Choose from the following Off-Line Installation Packages available for download:

  • win_spw- <version> -isebundle.zip — Off-Line SPW Installation Package for Windows
  • mac-spw- <version> .zip — Off-Line SPW Installation Package for Mac OS X
  • compliancemodule- <version> -isebundle.zip — Off-Line Compliance Module Installation Package
  • macagent- <version> -isebundle.zip — Off-Line Mac Agent Installation Package
  • nacagent- <version> -isebundle.zip — Off-Line NAC Agent Installation Package
  • webagent- <version> -isebundle.zip — Off-Line Web Agent Installation Package

Step 3 Click Download or Add to Cart .


 

For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Adding Client-Provisioning Resources from a Local Machine” section of the “Configuring Client Provisioning” chapter in the Cisco Identity Services Engine User Guide, Release 1.2 .

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Macintosh operating systems offline from an archive on your local system using posture updates.

For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use offline posture updates when you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.

To upload offline posture updates, complete the following steps:


Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html .

Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh operating systems.

Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture .

Step 3 Click the arrow to view the settings for posture.

Step 4 Choose Updates . The Posture Updates page appears.

Step 5 From the Posture Updates page, choose the Offline option.

Step 6 From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system.


Note The File to update field is a required field. You can only select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar, and .gz) are not allowed.


Step 7 Click the Update Now button.

Once updated, the Posture Updates page displays the current Cisco updates version information under Update Information.


 

Cisco ISE, Release 1.2.1.198 Patch Updates

The following patch releases apply to Cisco ISE release 1.2.1:

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1

Table 6 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 1.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

 

Table 6 Cisco ISE Patch Version 1.2.1.198-Patch 1 Resolved Caveats

Caveat
Description

CSCty01787

Error in Generating XML Output for EndPointIPAddress API

This fix addresses an issue where an internal error was displayed in the XML when calling the EndPointByIPAddress API for a given IP address appearing in the AuthSessionList.

CSCul25066

ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

This fix addresses an issue where customers upgrading to ISE 1.2 who had the Wireless Upgrade license to add advanced license functionality to their deployment received the following alert: “Feed Service error : The Advance License installed on the ISE nodes have been expired.”

CSCul29344

ISE 1.2 HTML Custom Pages for Different Portals Not Working

This fix addresses an issue where the sample HTML for custom Guest Portal pages provided in the user guide did not work correctly.

CSCum29186

With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

This fix addresses an issue where changing the time zone during Guest account creation was not reflected with the newly updated allowed time to login.

CSCum54099

ISE Does Not Send Sponsor-related syslog Message to External syslog Server

This fix addresses an issue where ISE did not send messages like 86008 or 86006 to the external syslog server. It only sent the 86028 messages.

CSCum69410

ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint was registered after a CWA user entered their MAC address on the Guest Device Registration screen.

CSCum85930

ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

This fix addresses an issue where custom CWA portal may not have loaded images or CSS as expected.

CSCum88817

ISE 1.2 Logs Filled with Unnecessary License Validity Info

This fix addresses an issue where ISE was logging license checks in INFO mode, which caused massive output in the log files.

CSCum96035

This fix addresses an issue that occurred when a user typed in a password that violated the password policy on the default custom portal password-change page and the page refreshes instead of displaying an error message.

CSCun15601

Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

This fix addresses an issue where the message “This is an invalid text message template. Contact your system administrator for assistance.” was shown while sending Guest account through Mail/SMS if the sponsor is CC’ed.

CSCun36594

ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

This fix addresses an issue that occurred after importing endpoints from a CSV file where the “Endpoint Identity Group” was changed from the one specified in the file to Profiled.

CSCun41732

Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

This fix addresses an issue where Cisco ISE could not load the complete Trusted certificate list when a corrupted certificate was present in the list.

CSCun51094

Bulk Import of Guests by Sponsor Falls in Wrong Guest Role

This fix addresses an issue where imported guest users always get the role of default Guest during a bulk import from the Sponsor portal.

CSCun67719

Guest Portal: Error Message When Password Expired Confusing

The Cisco ISE Guest portal provides a generic error for events such as guest user account expired and gives no information on the cause of the issue.

CSCun68637

SNMP Query Fails to Complete during NMAP-triggered Probe

This fix addresses an issue where an SNMP query failed to execute when it was triggered by an NMAP probe.

CSCun93673

ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

This fix addresses an issue where exporting endpoints results in an empty file if you search using lower case letters.

CSCun97606

ISE Roaming Authentication Failing

This fix addresses an issue that occurred when attributes about endpoints differed from one PSN to another when using multiple PSNs for profiling or authentication.

CSCuo32987

Endpoint Register Broken

This fix addresses an issue where attempts at ERS API endpoint register end in HTTP 500 Internal Server Error.

CSCuo34449

ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

This fix addresses an issue where a client application that initiated HTTP using User-Agent was not recognized by ISE, and triggered ISE to clear that session and send a Radius CoA Terminate command to NAD.

CSCuo56780

ISE RADIUS Service Denial of Service Vulnerability

This fix addresses an issue where the RADIUS service may become unresponsive when receiving accounting packets from two different Network Access Servers (NASs).

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C

CVE ID CVE-2014-3276 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3276

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuo63892

CIAM: ISE-commons-fileupload-1-0

This fix addresses third-party software vulnerabilities.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0050 have been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuo73070

CSCuo76078

ISE 1.2 GUI Elements Missing Due to No Advanced License

This fix addresses an issue where the error “No valid system license exists” appeared for the sponsor portal and guest portal after the installation of a Cisco ISE Patch.

Cisco ISE, Release 1.2.0.899 Patch Updates

The following patch releases apply to Cisco ISE release 1.2.0:

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

Table 7 lists lists the open issues in Cisco ISE 1.2.0 Patch 10 that may be resolved in other releases.

 

Table 7 Cisco ISE Patch Version 1.2.0.899-Patch 10 Open Caveats

Caveat
Description

CSCup99724

Log displaying active endpoints does not get updated with the latest authenticated user.

In the Operations > Authentications page, a user is authenticated and the username is updated in the Endpoints page. When a new user logs in from the same system, the new username is not updated in the Endpoints page.

CSCuq11506

Deletion of repositories containing special characters in their passwords fail.

In the System > Maintenance > Repository page, deleting a Repository Name that uses special characters, such as %, in the password encounters an error.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

Table 8 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 10.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

 

Table 8 Cisco ISE Patch Version 1.2.0.899-Patch 10 Resolved Caveats

Caveat
Description

CSCul21337

The Posture Troubleshooting tool was vulnerable to blind SQL injection.

This fix addresses an issue where a vulnerability in the web framework of Cisco ISE may allow an attacker to impact the integrity by executing arbitrary SQL queries.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4:

https://intellishield.cisco.com/security/alertmanager/
cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2014-3275 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/
CVE-2014-3275

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul39011

The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding.

This fix addresses an issue where timeouts were caused when the MDM server was not reachable during authorization policy evaluation.

CSCul58758

Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series.

This fix addresses an issue where a guest user enters the username and password in the Guest Login page, but is not redirected to the specified URL.

CSCul86970

GUI does not display the Allow only listed IP addresses option to connect.

This fix addresses an issue in the Admin Access settings page, where the following option was not displayed in the UI: Allow only listed IP addresses to connect.

CSCum37237

Insufficient permission error with bulk import of guest account.

This fix addresses an issue where an error message was encountered when sponsors imported and printed guest usernames, formed from the guests email addresses.

CSCum57372

NAS identifier does not appear the authentication details in the web UI.

This fix addresses an issue where the Network Access Server (NAS) Identifier information did not appear in the Authentication Details page.

CSCun28502

Sponsor, My Devices, and Guest portals does not have a defined character limit.

This fix addresses an issue in the Administration > Web Portal Management > Settings page. The Sponsor, My Devices, and Guest portals contain the Language Template option. The Language Template option contains a list of configurations. The text fields in each configuration allow any one of the following character count: 128,512, 256, or 4000. An error message was displayed for specific fields, such as AUP and Notifications, when the character limit was above 4000 characters.

CSCun74285

ISE safe mode did not bypass admin portal certificate authentication.

This fix addresses an issue where ISE safe mode did not bypass user certificate authentication and did not enable local admin credentials.

CSCun74460

Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets.

This fix addresses an issue where the DST time zone offset was incorrect in the prrt log.

CSCun84251

Error after application ise reset-config on 1.2.0.899 Patch 6.

This fix addresses an issue where an error was found when the application reset-config ise command was run.

CSCun94304

ISE RSA server configuration may fail to replicate to PSNs.

This fix addresses an issue where the RSA configuration (sdconf.rec) did not load properly and data did not replicate from the PAP node to other nodes.

CSCuo13099

ISE Sponsor, email ID used as username with space in it, throws an error.

This fix addresses an issue where the guest user email IDs with spaces encountered an error when used in usernames.

CSCuo39442

ISE 1.2 does not validate remote log target names.

This fix addresses an issue where the Remote Logging Target names displayed in the Administration > System > Logging > Remote Logging Targets page reported the following error message: Name should not contain space(s) or any of the following characters: ! % ^ : ; , [ { | } ] \ ` " = ?. The above error message was displayed even though hyphen or period was used.

CSCuo58919

Endpoint static group assignment toggles between true or false option every 55 seconds.

This fix addresses an issue where the Static Group Assignment check box in the Administration > Identity Management > Identities > Endpoints page toggled between true or false value every 55 seconds.

CSCuo63448

Modifying the ISE parent profile disables child profile.

This fix addresses an issue where in the Profiling Policies page, on modifying a parent profile, endpoints failed to reach the correct profile policy.

CSCuo75506

ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings.

This fix addresses an issue where a CWA authorization profile was configured and if the CWA authorization profile was edited again, the changes were displayed only in the UI, but failed to reflect in the attributes.

CSCuo88571

The IP release renew operation was not performed on Mac OSX devices.

This fix addresses an issue where a user logged into the guest portal was unable to renew the IP address after clicking Accept in the Acceptable Use Policy (AUP) page.

CSCup33018

Apple iOS 8 beta fails Native Supplicant Provisioning flow.

This fix addresses an issue where with single or dual SSIDs, Apple devices running iOS 8 beta software failed to complete provisioning.

CSCup50216

ISE 1.2+ API update was overwritten by the profiler.

This fix addresses an issue where the ERS API failed to update existing endpoints in static groups.

CSCup51902

Exporting active endpoints does not work from the admin node.

This fix addresses an issue where exporting active endpoints from a Cisco ISE server Administration node did not work.

CSCup63424

Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished.

This fix addresses an issue where the IP address release or renew operation in the VLAN release or renew page, was nonfunctional when it was not the latest version of the Java Applet.

CSCup99806

Custom data access permissions were not working as expected.

This fix addresses an issue where Custom data access permission did not work according to the mapped RBAC policy in the Network Device page.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9

Table 9 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 9.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

 

Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 9 Resolved Caveats

Caveat
Description

CSCty01787

Error in Generating XML Output for EndPointIPAddress API

This fix addresses an issue where an internal error was displayed in the XML when calling the EndPointByIPAddress API for a given IP address appearing in the AuthSessionList.

CSCui57100

EAP-TLS authentication fails with two sets of CRLs because CRL signature decrypt failed

When Certificate Authority certificates are about to expire, an old and new version of the certificate can coexist on ISE to make sure there is no downtime for users. Both versions have their dedicated CRLs.

This fix addresses an issue where ISE was not able to match the CRLs with the appropriate Certificate Authority certificate, which resulted in failed authentication with the message “CRL signature decrypt failure.”

CSCuj36104

ISE does not allow CRL when the name is the same on two Certificate Authorities

This fix addresses an issue where an handshake error occurred because there were two issuing Certificate Authorities with the same exact name and ISE did not allow CRL checking on both certificates.

CSCul25066

ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

This fix addresses an issue where customers upgrading to ISE 1.2 who had the Wireless Upgrade license to add advanced license functionality to their deployment received the following alert: “Feed Service error : The Advance License installed on the ISE nodes have been expired.”

CSCul29344

ISE 1.2 HTML Custom Pages for Different Portals Not Working

This fix addresses an issue where the sample HTML for custom Guest Portal pages provided in the user guide did not work correctly.

CSCum29186

With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

This fix addresses an issue where changing the time zone during Guest account creation was not reflected with the newly updated allowed time to login.

CSCum54099

ISE Does Not Send Sponsor-related syslog Message to External syslog Server

This fix addresses an issue where ISE did not send messages like 86008 or 86006 to the external syslog server. It only sent the 86028 messages.

CSCum69410

ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint was registered after a CWA user entered their MAC address on the Guest Device Registration screen.

CSCum85930

ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

This fix addresses an issue where custom CWA portal may not have loaded images or CSS as expected.

CSCum88817

ISE 1.2 Logs Filled with Unnecessary License Validity Info

This fix addresses an issue where ISE was logging license checks in INFO mode, which caused massive output in the log files.

CSCum96035

This fix addresses an issue that occurred when a user typed in a password that violated the password policy on the default custom portal password-change page and the page refreshes instead of displaying an error message.

CSCun15601

Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

This fix addresses an issue where the message “This is an invalid text message template. Contact your system administrator for assistance.” was shown while sending Guest account through Mail/SMS if the sponsor is CC’ed.

CSCun36594

ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

This fix addresses an issue that occurred after importing endpoints from a CSV file where the “Endpoint Identity Group” was changed from the one specified in the file to Profiled.

CSCun41732

Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

This fix addresses an issue where Cisco ISE could not load the complete Trusted certificate list when a corrupted certificate was present in the list.

CSCun51094

Bulk Import of Guests by Sponsor Falls in Wrong Guest Role

This fix addresses an issue where imported guest users always get the role of default Guest during a bulk import from the Sponsor portal.

CSCun67719

Guest Portal: Error Message When Password Expired Confusing

The Cisco ISE Guest portal provides a generic error for events such as guest user account expired and gives no information on the cause of the issue.

CSCun68637

SNMP Query Fails to Complete during NMAP-triggered Probe

This fix addresses an issue where an SNMP query failed to execute when it was triggered by an NMAP probe.

CSCun93673

ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

This fix addresses an issue where exporting endpoints results in an empty file if you search using lower case letters.

CSCun97606

ISE Roaming Authentication Failing

This fix addresses an issue that occurred when attributes about endpoints differed from one PSN to another when using multiple PSNs for profiling or authentication.

CSCuo32987

Endpoint Register Broken

This fix addresses an issue where attempts at ERS API endpoint register end in HTTP 500 Internal Server Error.

CSCuo34449

ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

This fix addresses an issue where a client application that initiated HTTP using User-Agent was not recognized by ISE, and triggered ISE to clear that session and send a Radius CoA Terminate command to NAD.

CSCuo56780

ISE RADIUS Service Denial of Service Vulnerability

This fix addresses an issue where the RADIUS service may become unresponsive when receiving accounting packets from two different Network Access Servers (NASs).

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C

CVE ID CVE-2014-3276 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3276

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuo63892

CIAM: ISE-commons-fileupload-1-0

This fix addresses third-party software vulnerabilities.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0050 have been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuo73070

CSCuo76078

ISE 1.2 GUI Elements Missing Due to No Advanced License

This fix addresses an issue where the error “No valid system license exists” appeared for the sponsor portal and guest portal after the installation of a Cisco ISE 1.2 Patch.

Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

New Plus License

Cisco ISE, Release 1.2 Patch 8, includes the new Plus license. The Plus license provides the following services:

  • Bring Your Own Device (BYOD)
  • Profiling
  • Endpoint Protection Service (EPS)
  • TrustSec SGT

The Advanced license provides access to the same features, as well as additional services. The Plus license does not include Base services.

For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

New Customize ISE 1.2 Web Portals HowTo Guide

Learn how to customize Cisco ISE 1.2.x portals using this new HowTo guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-42-Customize_ISE12_Web_Portals.pdf

New Sample HTML Files for Custom ISE 1.2.x Web Portals

You can download the ISE12CustomPortalPackage-v#.zip file, which contains sample HTML files for customizing Cisco ISE 1.2 Web portals, at http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2

Updated Cisco ISE 1.2.x User Guide

The sample HTML code has been removed from Appendix D. Use the downloadable sample files and the new Customize Web Portals HowTo guide for information on creating custom Cisco ISE 1.2.x Web portals.

You can find the updated user guide at http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

The following table lists the open issues in Cisco ISE 1.2.0 Patch 8 that may be resolved in other releases.

 

Table 10 Cisco ISE Patch Version 1.2.0.899-Patch 8 Open Caveats

Caveat
Description

CSCun49379

If you enter an invalid MAC address on the default custom device registration page, the default login page is returned with an error message instead of the custom login page.

CSCuo20069

Device Registration done through a custom portal does not allow user to continue after adding MAC addresses because it is missing the Continue button.

Workaround Use the default portal.

CSCuo27093

The default custom portal is not in sync with some of the functionality of the default portal, including:

1. The Decline button on the custom AUP page is disabled.

2. Sessions are expired in less than 2 minutes.

3. Input validation is not working on the Login, Password Change, Self-Registration, and Device Registration Pages.

4. If you idle for a while after creating a guest on the Self Registration page, you are taken to the default portal login page.

5. The default custom portal’s Self Registration page does not show the optional fields set in Cisco ISE. It also does not apply the mandatory fields set in Cisco ISE.

CSCup34046

Example custom AUP and Guest_Success pages are not in sync for DRW flow.

Workaround Validation cases.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

Table 11 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 8.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

 

Table 11 Cisco ISE Patch Version 1.2.0.899-Patch 8 Resolved Caveats

Caveat
Description

CSCud89273

Passed Numbers Not Appearing on Authentications Dashlet

This fix addresses an issue where the passed numbers were not appearing on the Authentications Dashlet when there were a large number of passed authentications.

CSCuh79596

Freshly Installed Standalone ISE Server Not Logging MDM Events

This fix addresses an issue where MDM events were not being recorded by monitoring components in freshly installed ISE 1.2 standalone deployments.

CSCuj97669

DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname"

This fix addresses an issue where the DNS name resolution failure alarm had the wrong description or context.

CSCul10677

ISE 1.2 CWA Failure Reason 86017

This fix addresses an issue where a guest user was redirected back to guest login page after accepting the Acceptable Use Policy. The live log showed the failed attempt as 86017 error.

CSCul55934

ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting

This fix addresses an issue where you could not delete guest user accounts that were created using the old timezone settings in 1.1.x after upgrading to 1.2.

CSCum10047

Invalid Account Date When Changing Account Duration

This fix addresses an issue where you couldn’t edit the Start/End duration for accounts on the sponsor portal.

CSCum13453

ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG

This fix addresses a parsing error that occurred when trying to forward SYSLOG messages to a 3rd party SYSLOG server.

CSCum40721

Optional Data Field Not Matching in Authorization Rules

This fix addresses an issue where the client authentication for a guest user failed to match data in the “Optional Data Field” to the authorization rules.

CSCum62918

ISE 1.2 Sample guest portal HTML files should be improved

This fix addresses the issues with the sample Web portal examples using "static" examples instead of variables to populate the fields.

CSCum82815

Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login

This fix addresses an error where a user was presented with the Acceptable Use Policy page after their session had expired, only to be told that their session expired after accepting the AUP.

CSCum82829

Cisco-branded Expiration Page Presented on Custom Portal

This fix addresses an error where a user was redirected to the Cisco default guest portal expiration page after thier session expired instead of a custom expiration page.

CSCun60443

No Dashboard or Live Logs for Long Time After Primary MnT Failure

This fix addresses an issue where no dashboard or live logs were available for long time after the primary MnT failed in an ISE distributed deployment.

CSCun61928

Not All Authorization Profiles are Recognized by Runtime

This fix addresses an issue where an error message was displayed stating that ISE could not find selected Authorization Profiles because ISE was unable to load all of the selected profiles from the database.

CSCuo02708

ERS Port Should Not Request Client Certificate

This fix addresses an issue where ISE requested a client certificate when a HTTP request was sent to the ERS port (9060).

CSCuo04860

Raise Alarms for EAP Session and Context Limits

This fix adds an MnT alarm when ISE reaches EAP session and context limits.

CSCuo16503

ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In

This fix addresses an issue where guest users created with a Sponsor holding their credentials on Active Directory could not log in.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7

Table 12 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 7.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 12 Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats

Caveat
Description

CSCtx94533

The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”

This fix addresses an issue where devices stayed in “Pending” status when client provisioning policy was not available and the endpoint already existed in the database.

CSCty87291

Admin Web Portal Requests ID certification When It’s Password authentication-only

This fix addresses an issue where web browsers prompted for an ID certificate when navigating to ISE admin web portals, although no certification authentication was configured for admin users.

CSCuh41450

IP Columns Sort on Char on Network Devices Page

This fix addresses an issue where the IP columns on the Network Devices page sorted on char, not varchar, which lead to incorrect sorting.

CSCui15038

ISE HTTP control interface for NAC Web Agent XSS Vulnerability

This fix addresses an issue where, due to insufficient input validation, a cross-site scripting (XSS) vulnerability was present in the naccontrol web application of Cisco Identity Services Engine (ISE).

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2014-0680 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0680

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui15064

Certain ISE Reports Vulnerable to XSS Injection

This fix addresses an issue where certain report pages within the Cisco Identity Services Engine (ISE) administration interface were subject to a cross-site scripting (XSS) vulnerability.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2014-0681 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0681

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui21839

“Export Endpoints” Creates Empty File When Quick Filter is On

This fix addresses an issue where the Export Endpoints function created empty files when the quick or advanced filter was on and used a non alphanumeric character (i.e. :,. ).

CSCui78135

On Alpha Alarms Still Show Up When We Select All and Acknowledge

This fix addresses an issue where Alpha Alarms still showed up even though the user selected all the alarms and acknowledged them.

CSCui82998

Custom Guest Portal Loops after AUP Due to Loss of Session ID

This fix addresses an issue where, due to the custom guest portal, a user received a 404 message or was looped back to the portal’s login page after accepting the AUP.

CSCui96322

Default Guest Portal Email Address Limited to 24 Characters

This fix addresses an issue where the default guest portal limited email addresses to 24 characters.

CSCuj07535

IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2

This fix addresses an issue where a change in the IP address was not recorded in an endpoint profile.

CSCuj11040

CSCum97337

ISE Should Not Degrade a Profile Based on Problematic User-Agent

This fix addresses an issue where iPads were not profiled as iPads, but as Apple-device only, due to an application sending a HTTP packet with a user-agent field of “MobileAsset/1.0” which downgrades the profile in ISE to “Apple-device.”

CSCuj25038

ERS Service Disabled After Reboot

This fix addresses an issue where the ERS API was disabled after reboot, even though it was enabled before the reboot and the configuration was saved using “write mem.”

CSCuj36310

“@” Character Not Accepted in Wireless SSIDs Fields

This fix addresses an issue where ISE did not allow the use of the @ character in wireless SSID fields.

CSCuj66093

86017 Error page sessionExpired.jsp images links are invalid

This fix addresses an issue where the sessionExpired.jsp page (the page that is displayed after error 86017, where a guest user tried to authenticate using an expired sessionID) image links were broken.

CSCul03597

LDAP User Authorization Doesn't Work with EAP-FAST Chaining

This fix addresses an issue where LDAP user authorization didn’t work with EAP-FAST chaining.

CSCul35820

ISE Guest Registration Breaks with Apple IOS7 User Name as Emil Address

This fix addresses an issue where the ISE Guest registration process had issues with Apple iOS 7 using an Emil address for the username instead of the first and last name.

CSCul66272

Terminate Change of Authorization during Posture for Unknown User-agent DynGate

This fix addresses an issue where the NAC Agent got stuck in a posture loop due to the TeamViewer application by DynGate.

CSCul77793

Scheduled Reports Not Exported When Using Illegal Character as a Report Name

This fix addresses an issue where you couldn’t export a schedule report if an illegal character (i.e., ~%<> ) was used as the report name.

CSCul84544

Retrieval of Active Directory Groups or Attributes from GUI is Failing

This fix addresses an issue where the user was unable to fetch Groups and/or attributes from Active Directory on the ISE GUI.

CSCul87300

Special Character in LDAP password is not read correctly by ISE

This fix addresses an issue where LDAP authentication and/or group fetch failed when the admin/service account password had special characters, especially double quotation marks.

CSCum26362

Authentications Details are Missing All the Required Data

This fix addresses an issue where the Authentication details page was missing data, such as Authentication Protocol, Authentication method, Network device and service type data.

CSCum60627

Client EAP Sessions Never Get Cleared

This fix addresses an issue where an EAP session would leak when ISE retransmitted the last RADIUS message in response to duplicate packet from NAS, and then the client (NAS or supplicant) dropped the conversation.

CSCum77223

Increase Maximum Login Failures for Guest

This patch allows you to increase the number of maximum login failures for guest users. You can select the maximum number of login failures from a range between 1 and 999. Guest users are also redirected to the Custom Portal login page after exceeding maximum login failures if the Custom portal is in use.

CSCum86347

ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone

This fix addresses an issue where the guest start and expiration dates did not reflect the time zone configured in the sponsor portal settings.

CSCum93050

Patch info not shown in CLI and GUI after installing from CLI

This fix addresses and issue where the patch information was not shown in the Cisco ISE CLI and GUI after installing the Cisco ISE, Release 1.2 patch from the CLI.

CSCum92155

ISE REST API (ERS) - PUT Update Request Removes identityGroups Value

This fix addresses an issue where the identityGroups value was removed when you updated any value using a PUT method via the ISE REST API (ERS).

CSCun00215

ISE RSA Agent Exhausted Under Heavy Load

This fix addresses an issue where the RSA agent became unresponsive due to a very large number of simultaneous PAP requests.

CSCun08410

Guest Account’s Start and End Time Validated Against System Time Zone

This fix addresses an issue where an error message is displayed if the start and end time for a guest user’s account uses a time zone that’s earlier than the system’s time zone.

CSCun11240

Guest Sponsor Mapping Report Incorrectly Changes Sponsor

This fix addresses an issue where a Guest Sponsor Mapping Report showed the Sponsor as GuestAction instead of the sponsor who created the account.

CSCun25178

Fetching Group Information Takes a Long Time Because of SIDHistory

This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group names if the SIDHistory belonged to a trusted domain/forest.

The large number of SIDHistory values in the user's token used to cause long delay (2-5 minutes) during user authentication.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6

Table 13 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 6.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 13 Cisco ISE Patch Version 1.2.0.899-Patch 6 Resolved Caveats

Caveat
Description

CSCud38634

Guest sponsor details shows wrong sponsor name

This fix addresses an issue where the username shown as the Sponsor was the username of the Guest when viewing Guest Sponsor Details from a report.

CSCud70219

Log.xml files are not cleaned out regularly

This fix addresses an issue where /opt/oracle/base/diag/rdbms/cpm10/cpm10/alert folder filled up with log XML files and caused the hard drive to fill up.

CSCuf76821

.trc and .trm files are not cleaned out regularly

This fix addresses an issue where the /opt/oracle/base/diag/rdbms/cpm10/cpm10/trace folder filled up with *.trc and *.trm files and caused the hard drive to fill up.

CSCug96069

Replication status update fails for all nodes if the network is restored on PAP

This fix addresses an issue in large scale deployments where the status of one or more PSN nodes was shown as 'Replication Stopped' and the data was not published or replicated to other PSN nodes from the PAN node.

CSCui40950

Guest login takes long time and times out

This fix addresses an issue where a guest login could take a long time and then times out after 5 minutes.

CSCui57882

Some expired guest accounts cannot be deleted from PDP

This fix addresses an issue where some expired guests accounts could not be deleted from the sponsor portal.

CSCui57933

Purge expired guest accounts does not work

This fix addresses an issue where some accounts were in a state where they could not be deleted due to incorrect attributes.

CSCui57961

When editing an expired guest account that cannot be deleted, logs out

This fix addresses an issue where the UI logged you out with error “You do not have sufficient permission to access this page” when editing an expired guest account that cannot be deleted.

CSCui72658

Guest Portal cookies not set as Secure or HTTP Only

This fix addresses an issue where the JSESSIONID cookie used in the Guest Portal is not set to Secure or set as HTTP Only.

CSCuj01781

ISE uses SAN of user certificate for machine lookup in Active Directory

This fix addresses an issue where machine lookup in Active Directory failed during EAP-chaining authentication if both machine and user were authenticated with EAP-TLS and principal Username X509 Attribute is configured to SAN.

CSCuj13804

IE8 gives error on ISE1.2 when accessing the provisioning portal

This fix addresses an issue where Internet Explorer 8 on Windows XP displayed an error when you tried to open the client provisioning portal.

CSCuj26086

CSCuj80131

ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)

Java Applet fails to install SPW/Agent from Client Provisioning page on Safari browser version 7 available with Mac OSX 10.9.

Patch 6 addresses this issue by displaying a message on the login page with instructions on how to configure Safari to allow the Java applet to install.

Before clicking Click to Install Agent, go to: Safari->Preferences->Security->Manage Website Settings->Java->Click on your ISE URL->Run in unsafe mode.

CSCuj34004

User name change detected for the session removes all session attributes

When using Machine authentication followed by user authentication, changing the username will remove attributes for the session from the cache, including the attributes in the whitelist category. This would result in authorization evaluation failure where the first user authentication falls into the wrong authorization profile.

if there is a username change on the session, this cleans up all the session attributes including the ones that are in whitelist category (attrsToKeep).This can result in authz evaluation failure where the first user authentication falls into the wrong authz profile.

This fix addresses this issue by re-initializing the default attributes with their default values.

CSCuj38204

ISE does not allow access for guest with no webagent if posture is configured

This fix addresses an issue where Cisco ISE did not allow access for guest with no NAC web agent if posture is configured.

CSCuj47806

ISE redirects to default guest pages when it’s configured to redirect to custom pages

This fix addresses an issue where the browser renders the initial login page when the user enters the wrong username/password instead of the custom error.html page.

CSCuj49903

Downloading / viewing large log files from PDP causes out of memory error

This fix addresses an issue where downloading or viewing large log files from PDP caused out of memory error.

CSCuj84427

ISE 1.2 Admin password alerts not functioning properly

This fix addresses an issue where admin password alerts were being sent earlier than the Password Policy setting specified.

CSCul02821

MDM attributes doesn't update to Endpoint objective

This fix addresses an issue in Cisco ISE where the MDM can't update into endpoint objective at ISE GUI.

CSCul48352

Right-Click - Copy to MAC and Username in Live Log

This fix addresses an issue where items in the Live Log grid are not selectable enabled by default. Therefore, the user could not select and copy out live log grid cell content.

The MAC address and Username columns in the Live Log grid can now be selected and copied using a right-click.

CSCul50495

Device Registration failed with Cisco Catalyst 3850 Switch

This fix addresses an issue where the Device Registration page displayed an error message when working with the Cisco Catalyst 3850 Switch.

CSCul50720

Samsung Galaxy S4 cannot be on-boarded in dual SSID flow

This fix addresses an issue where Android devices, including the Samsung Galaxy S4, that did not contain “Linux” in their user-agent string were not on-boarded in dual SSID flow.

CSCul58895

ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import

This fix addresses an issue where importing guests using the Import Accounts Option on the Sponsor Portal using a csv file failed on ISE 1.2 patch 3 to an invalid format for the date.

CSCul62175

ISE BYOD enhancement troubleshooting for SCEP

Cisco ISE 1.2 Patch 6 adds logging for Certificate provisioning. This includes interaction messages with the SCEP server.

CSCul65045

Cannot create/edit network device if advanced license expired

This fix addresses an issue where ISE refused to accept new changes to existing network devices or add new ones if the advanced evaluation license expired, even if you did not use any of the advanced feature set.

CSCul66218

Posture delays due to HTTP thread exhaustion

This fix addresses an issue where the NAC Agent took a few minutes to load into the system tray after logging into Windows and then took up to 10 minutes to pop and complete posture assessment.

CSCul71176

Endpoints manually assigned to identity groups might change groups randomly

This fix addresses an issue where endpoints that were manually assigned to an identity group would sometimes randomly show up belonging to another identity group if profiling is enabled.

CSCul71532

XML external entity injection found under ERS

This fix addresses an issue where ERS was vulnerable to XML injection attacks using the DOCTYPE and ENTITY meta data tags in the XML sent in ERS request.

CSCul77732

Warning message while creating Guest user with hyphen in Self Registration

This fix addresses an issue where the Self Registration page displayed an error message if the guest’s first name or last name included a hyphen.

CSCul82658

“Strip prefixes listed below” for Active Directory in GUI is a typo

This fix addresses an issue where the Advanced Settings page for Active Directory in the GUI has a typo that says “Strip prefixes listed below” when it should be “suffixes” instead of “prefixes.” This has been corrected.

CSCum01290

MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4

This fix addresses an issue where MDM enrollment failed while running ISE 1.2 patch 3 or patch 4. Upon redirect to the ISE MDM portal, clients were immediately presented with an error related to "The MDM system is not reachable at this time" even when the MDM server was reachable. MDM logging to ise-psc.log was missing key server response and connection failed syslog info when running the patch.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5

Table 14 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 5.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.


NotePlease be aware that applying patch 5 to Cisco ISE 1.2 will reboot the nodes on which it is installed. Please make sure you carry out this activity in a maintenance window with a downtime. Cisco ISE 1.2 will also reboot if you revert from patch 5 to an earlier version.


If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 14 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats

Caveat
Description

CSCub18575

Problem with sponsor accounts starting with a "0"

This patch fixes an issue where you could not log into the Sponsor Portal with an account that started with the number 0.

CSCuf24898

ISE repository max password length 16 characters

This fix addresses an issue where FTP / SFTP repository access failed when the user password was larger than 16 characters.

CSCug20065

Unable to enforce RBAC as desired to a custom administrator

This fix addresses an issue where a user, who only has permissions to a custom endpoint identity group, is unable to add, modify, or delete identities unless the entire identities are visible to him.

CSCuh25506

Cisco ISE CSRF Vulnerability

This fix addresses an issue where CSRF protection did not work for some of the web pages and an attacker could exploit this issue to perform CSRF attack against the users of the web interface.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C

CVE ID CVE-2013-3420 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3420

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui30266

ISE MDM Portal Cross-Site Scripting Vulnerability

This fix addresses an issue where the Mobile Device Management (MDM) portal of Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5504

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui46739

Guest applet fails after update to Java 7 update 25

This patch addresses an issue where both Guest Authentication and Supplicant Provisioning failed due to Java 7 update 25’s CRL check feature.

To disable the CRL check feature:

1. Allow the CRL check through the Redirect ACL, Port ACL and any Firewall in place.

2. Clear the checkbox for the CRL check in the Java Control Panel:

  • OS X: System Preferences > Java Advanced > Perform certificate revocation using1: Change to 'Do not check (not recommended)'
  • Windows: Control Panel > Java Advanced > Perform certificate revocation using: Change to 'Do not check (not recommended)'

CSCui67495

Uploaded Filenames/Content Not Properly Sanitized

This fix addresses an issue where filenames and content uploaded to Cisco Identity Services Engine (ISE) was not filtered/sanitized effectively. This could have resulted in a file of incorrect type being uploaded to ISE or the filename leading to a potential cross-site scripting (XSS) issue.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5541 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5541

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui67511

Certain File Types are not Filtered and are Executable

This fix addresses an issue where, due to insufficient filtering and access control, potentially malicious file types could have been uploaded to, and executed within, the Cisco Identity Services Engine (ISE) web interface.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5539 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5539

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui72269

ISE unable to understand SNMP attribute coming from Switch

This fix addresses an issue where Cisco ISE was unable to handle a bad attribute in an SNMPT query coming from a switch, which caused high CPU cycles on PAP node.

CSCuj48111

Hyphen and minus sign can't be entered as first or last name

This fix addresses an issue where a guest sponsor was unable to enter a hyphen or minus as part of a first or last name while entering a guest’s account information.

CSCuj61976

Admin UI fails to display certain UI pages when using Firefox 25

This fix addresses an issue where ISE admin UI pages with a tree view were not displayed correctly in Firefox 25.

CSCuj84194

ISE sometimes does not send DACL in authorization profile

This fix addresses an issue where ISE sometimes did not send DACL in an authorization profile.

CSCuj98726

iOS devices bypass account suspension/lock by starting new EAP session

This fix addresses an issue where an iOS device can bypass account suspension/lock even it is enabled, due to it being reported as '5440 Endpoint abandoned EAP session and started new' instead of using a wrong password.

CSCul02860

Struts Action Mapper Vulnerability

Previous versions of ISE Cisco ISE included a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-4310

Cisco has analyzed these vulnerabilities and concluded that the product is not impacted, however the affected component has been updated as harden measure.

PSIRT Evaluation

The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul03127

Struts 2 Dynamic Method Invocation Vulnerability

Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-4316

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

CVE ID CVE-2013-4316 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul03621

Endpoint Profiling Information is not being replicated correctly

This fix addresses an issue where Endpoint Profiling Information was not replicated on the PSN that was not doing the profiling.

CSCul06431

Active Directory attribute value in ATZ profile is not sent

This fix addresses an issue where an Active Directory attribute was not sent to the client as part of an ATZ profile.

CSCul13757

Audit records MUST log to External Syslog Servers: CLI log level

This fix addresses an issue where any configured External Syslog servers failed to receive audit records after using the command line interface (CLI) commands to change the log level to any of the following levels: 2, 3, 4, 5, 6 or 7.

CSCul13805

Audit records MUST log to External Syslog Servers: HTTPS idle timeout

This fix addresses an issue where External Syslog Servers failed to receive an audit record in the case of HTTPS Admin GUI idle session timeout occurs and auditable events could only be seen locally by setting the Debug Log Configuration for admin-infra and infrastructure to DEBUG level.

CSCul13812

Audit records MUST log to External Syslog servers: SSH publickey

This fix addresses an issue where SSH server authentication using the publickey authentication method fails to record an audit log and failed connecting to External Syslog Servers.

CSCul13883

Audit records MUST log to External Syslog servers: SSH KEX Group14

This fix addresses an issue where Configured External Secure Syslog servers failed to receive audit events for the administration configuration of SSH server enforcement requiring diffie-hellman-group14-sha1 key exchange algorithm in order to successfully connect.

CSCul13905

Audit records MUST log to External Syslog Servers: CLI clock set

This fix addresses an issue where no audit logs were recorded for changing the system clock via the CLI.

CSCul13946

Audit records MUST log to External Syslog servers: Purge M&T Data

This fix addresses an issue where no audit logs were recorded after purging M&T operational data using the CLI command.

CSCul15967

ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup

This fix addresses an issue in the ISE 1.2 patch 3 where Windows 8.1 clients received an error on secondary PSNs after a CPP redirect.

CSCul16300

Audit records MUST log to External Syslog servers: CLI idle timeout

This fix addresses an issue where External Syslog Servers fail to receive the audit syslog event when command line interface (CLI) connections are closed due to idle session timeout.

CSCul18169

Blocking ISE admin UI access for Chrome browser

This fix addresses some issues that blocked Chrome browsers from using the ISE admin UI.

CSCul18521

Audit records MUST log to External Syslog servers: VGA CLI AUTHC

This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for administrative CLI logins on a VGA console.

CSCul18555

Audit records MUST log to External Syslog servers: SSH conn fail

This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for common SSH connection failures.

CSCul23070

CSCul23252

Audit records MUST log to External Syslog Servers: SSH exit forceout

This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for CLI exit and forceout commands.

CSCul42646

Failed to create Posture Condition with "NOT ENDS WITH" Operator

This fix addresses an issue where creating a Posture condition with an NOT ENDS WITH operator resulted in an error.

CSCul46893

URL preservation not working with self service guest user in MAB flow

This fix addresses an issue where, after connecting to a wired MAB and creating a guest account, the user’s browser did not redirect to the URL that they originally attempted to access.

CSCul58758

Redirecting to 'null' page in the browser after LWA flow with WLC-5500

This fix addresses an issue where connecting to the Guest Wireless LWA flow using a Windows client machine resulted in a guest account getting redirected to a "null" page in the browser window instead of original URL.

Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

Automatic Update of Compliance Module on Mac OS X Clients

Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, the Cisco NAC Agent supports automatic update of the Compliance Module on Mac OS X clients. Ensure that you have installed the Mac OS X Agent version 4.9.4.1 or later so that the Compliance Module gets updated automatically. Refer to Cisco ISE Installation Files, Updates, and Client Resources for more information on automatic updates. See Also CSCui83009.

Domain Stripping for Active Directory

Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, you can strip prefixes or suffixes from user names when Active Directory is used as External Identity Source. You can configure the prefixes or suffixes to be stripped from the user names by navigating to Administration > Identity Management > External Identity Sources > Active Directory > Advanced Settings . Refer to the “Configuring Active Directory as an External Identity Source” section in the Cisco Identity Services Engine User Guide, Release 1.2 for more information. See Also CSCuj95908.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

Table 15 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 15 Cisco ISE Patch Version 1.2.0.899-Patch 4 Resolved Caveats

Caveat
Description

CSCug90502

ISE Blind SQL Injection Vulnerability

This fix addresses an issue where the Cisco Identity Services Engine (ISE) was vulnerable to blind SQL injection. This could allow a remote, authenticated user to modify information in the database.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6/5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C

CVE ID CVE-2013-5525 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5525

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuh84099

ISE should verify non-printable characters in x.509 certificates

This fix addresses an issue where ISE was unable to add any endpoints and threw exceptions due to the import of x.509 certificates with non-printable characters.

CSCui22884

ISE presents wrong HTTPS certificate

This fix addresses an issue where ISE presented an old HTTPS certificate when user accesses the admin or sponsor GUI even though it has been configured to use a new imported certificate for HTTPS.

CSCui83009

Unable to push compliance module to NAC agent on Macs

Fixed an issue where ISE did not push the latest compliance modules to the NAC agent for Macs on the fly like it does with the Windows version.

CSCui94488

MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices

This fix addresses an issue where ISE MyDevice Portal is allowed employees to register existing endpoints with a static group assignment other than RegisteredDevices, unless the endpoints already associated with another PortalUser.

CSCuj03131

Lower "Request Rejection Interval" minimum to 5 minutes

The minimum length of time for the “Request Rejection Interval” for RADIUS has been lowered to 5 minutes.

CSCuj28968

Guest Activity Report is not working

This fix addresses an issue where the Guest Activity report was blank.

CSCuj39926

Kaspersky remediation does not appear anymore in the AV remediation

This fix addresses an issue where Kaspersky remediation did not appear for AV remediation (Posture Results).

CSCuj62435

ISE 1.2 TrendMicro not listed for AV Remediation

This fix addresses an issue where Trend Micro was not seen in the AV vendor list when creating an AV Remediation.

CSCuj63046

Text fields impose 24 character limit during guest self-registration

This fix addresses an issue where guest users could not enter information into the boxes on the Self Registration page in excess of 24 characters.

CSCuj72022

Cannot use "Ends With" operator in a Posture condition on ISE

This fix addresses an error that occurred when the user attempted to create a Posture rule using the ENDS WITH logical operator.

CSCuj90823

Guest Portal: IP Refresh Failing in IE 11

This fix addresses an issue where IP Refresh was not working properly in the Guest Portal due to ActiveX in Internet Explorer 11 for Windows 8.

CSCuj91050

Creating Guest users shows incorrect timezone 'GMT+2 ECT'

This fix addresses an issue where Guest user would fail to login with the following error due to an incorrect time zone being assigned to the account: "An internal error occurred. Contact your system administrator for assistance. Contact your system administrator."

CSCuj95908

ISE does not do domain stripping for Active Directory external store

This fix addresses an issue where ISE did not allow the modification of the domain name before authentication when the external identity store used is Active Directory.

CSCul62723

Mobile Guest Portal: Success page redirects to http://10.86.149.92

This fix addresses an issue where the success page on the Mobile Guest Portal redirected the guest to http://10.86.149.92.

CSCuh94133

NAC agent with ISE slowly leaking memory after posture

This fix addresses the issue where there was a memory leakage in the client machine when NAC Agent was connected to Cisco ISE after posture.

Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

ISE 1.2 Patch 3 supports clients using the Windows 8.1 and Mac OS X 10.9 operating systems.

Please see Open Caveats for a workaround for client provisioning using Safari 7 in Mac OS X 10.9.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

Table 17 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 3.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 16 Cisco ISE Patch Version 1.2.0.899-Patch 3 Resolved Caveats

Caveat
Description

CSCue14864

Endpoint statically assigned to ID group may appear in different group

This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The issue was that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result.

This issue had been observed where the administrator creates endpoint identity groups and manually add endpoints to the Cisco ISE database, making them static.

CSCuf47491

Timestamp of core files not preserved in support bundle

This fix addresses an issue where core-dump were timestamps not always from when the core dump was created.

CSCug59579

Windows 8 and 8.1 not included in Client Provisioning

This fix addresses an issue where Windows 8 is not included in the OS options for Client Provisioning Policies.

CSCuh14228

Internal administrator summary report export not working

This fix addresses an issue where the export feature for the Internal administrator summary report was not working.

CSCuh20322

Need ISE application server restart reason and timestamp

This fix addresses reformats the timestamp for the show application status ise command in order for the user to determine the uptime of the application.

CSCuh23536

RADIUS drop should have last event timestamp

This fix adds a new time stamp column for the radius drops, misconfigured supplicants, and misconfigured network devices log counters

CSCuh30587

Backup fails due to ISE restart

This fix addresses an issue where the ISE application server restarts in the middle of a backup because of a local certificate change, which causes the backup to fail. Now, ISE prevents you from restarting the application server if a backup or restore is in progress.

CSCuh36333

Successful DACL download authentication is counted under authentication dashlet

This fix addresses an issue where the authentication dashlet incorrectly included DACL download authentications.

CSCuh45239

Node Status Patch page does not refresh automatically

This fix addresses an issue where the Node Status page would not automatically refresh when installing an patch. This fix adds a Refresh button to the page.

CSCui21439

Message code texts are blank or incorrect

This fix addresses an issue where the texts for message codes 86009, 86010, 86017, and 86019 were blank and the text for message code 5411 was incorrect. This fix also addresses an issue where the failure reason text for the RADIUS Authentications report did not display properly.

CSCui30275

Fixed an issue where a component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack.

For additional information on cross-site scripting attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied

Mitigation Bulletin ''Understanding Cross-Site Scripting (XSS) Threat Vectors'', which is available at the following link:

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5505

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui35514

'show tech' script in support bundle needs fixing

This fix addresses errors in the output of the “show tech” script in the support bundle. These errors included:

  • incorrectly displaying "grep: writing output: Broken pipe" errors
  • the order not being the same as the 'show tech' output on the ADE OS CLI
  • the certificate output having a bad new line character (^M), rendering the PEM output unusable unless manually modified

CSCui36643

ISE Editing schedule report complains of existing report name in use

This fix addresses an issue where editing a scheduled report returned the error "This schedule name has been used. Please specify a different one.”

CSCui71484

ISE SEC PAP has write access via ERS API

This fix addresses an issue where a provisioning request (add/delete/modify) could be done on SEC PAP via ERS API, although it should have only allowed using a GET method.

CSCui77336

Customized URL ISE self registration not working

This fix addresses an issue where ISE Customized web portal self-registration was not working for guest users when using a custom portal with the guestUser.timezone input tag specified in the self-registration html page.

CSCui89741

ISE ERS API creates endpoint with invalid format MAC address

This fix addresses an issue where an invalid MAC address format could be added to ISE database by the External RESTful Services API using the CURL command.

CSCui96960

MNT Livelog/Dashboard performance

This fix addresses an issue where the Livelog and Dashboard performance in ISE 1.2 suffered when the underlying query ran for a specific MAC address and when there was a large volume of data in the newly-created partition without stats.

CSCuj03071

EndPoint update not being saved to PAP due to high latency

This fix addresses an issue where systems with high latency might skip endpoint updates when endpoints are created on PSNs over the WAN from the PAP. For example, Cisco-IP-Phone may appear as Cisco-Device even if the information was collected and endpoint was profiled as Cisco-IP-Phone.

This occurred when there was a very high latency (low bandwidth) between PSN to PAP. Around 0.5 seconds time to create an endpoint.

CSCuj03697

Allow Tunnel* attributes in policies

This fix addresses an issue where tunnel attributes in the Radius IETF dictionary could not be seen in the pull down when configuring a condition.

CSCuj05295

ISE Application server crashed and stuck in initialized state with “null” in collection filter

This fix addresses an issue where ISE crashes and the Application server gets stuck in an initialized state if a Collection Filter is created with value “null.”

CSCuj09430

Guest account is not working according to its Time Zone

This fix addresses an issue where a guest account worked only on the time zone of the server, not the user, which affected when a guest could log into the guest portal and when the guest account expired.

CSCuj14382

Cannot statically assign IP address as FramedAddress

This fix addresses an issue where assigning a string IP value to an IPV4 attribute resulted in a validation error.

CSCuj15372

Authentications fail with MDM authentication rules enabled

This fix addresses an issue where, with MDM authentication rules enabled, all RADIUS authentications fail after several successful runs with the following error message: 5436 RADIUS packet already in the process.

CSCuj16049

HA Licensing

This fix addresses an issue where in the deployment process, once the secondary is promoted as primary, the HA licensing file could not be installed on the promoted secondary.

CSCuj19882

Unable to edit the existing Guest accounts after restoring old backup

This fix addresses an issue where you could not edit a guest account from the sponsor portal if the account was created before ISE 1.2 patch 2 was applied.

CSCuj28447

Endpoint statically assigned to ID group may appear in different group

This fix addresses an issue where an endpoint statically assigned to an Endpoint ID group may have been seen in another group for no apparent reason. Authorization profiles based on ID group led to the endpoint being assigned the wrong authorization result.

CSCuj45431

ISE Support for Mac OS X 10.9 NAC Agent

ISE 1.2 patch 3 supports a NAC Agent for Mac OS X 10.9.

CSCuj45766

Add/Remove MDM server never got replicated to PSNs in distributed deployment

This fix addresses an issue where ISE would still use a previously configured MDM server when another MDM server is created as an active MDM or updated as an Active MDM.

CSCuj51094

Captured TCPDump file is not working

This fix addresses the issue where you are unable to open the captured TCPDump.pcap file in a program like Wireshark.

CSCuj54630

ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server

This fix addresses an issue between ISE 1.2 (899) patch 2 and Mobile Iron Stand Alone (VSP 5.7.1 Build 74). When ISE used the API to check on the status of an endpoint, ISE rejected cookies issued from MI, thus preventing the server from properly identifying what devices are compliant or not. This resulted in the status of "unknown," which prevented access for endpoints that are compliant (via AuthZ rule set).

CSCuj57335

Egress Matrix: require default SGACL that includes log option

This fix adds new log functionality to the default Egress rule.

CSCuj60796

ISE Support for IE 11

ISE 1.2 patch 3 supports Internet Explorer 11.

CSCuj70022

EAP-FAST authenticated provisioning with Android doesn't work

This fix addresses an issue where ISE TLV failed when parsing a TLV sequence that some versions of Android sent during authenticated provisioning.

CSCuj82378

Downloaded captured TCP dump file for remote node is not of proper size

This fix addresses issues with TCP dump files. Previously, the Download button would not respond after running the TCP dump for more than five minutes. Also, an error occurred after downloading the TCP dump file because the file size was incorrect. These issues have been resolved.

New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

Support for Guest Self-Registration Based on Email Domain Whitelist

You can allow guests to create their own accounts by enabling the self-service feature by choosing: Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > Operations > Guest users should be allowed to do self service . When you enable this feature, the account credentials display on the screen, and they are also emailed to the email address used to create the account.

You can restrict this feature by limiting guests’ ability to create their own accounts based on their email domain. By creating an email domain whitelist, you can ensure that only guest users with email accounts on those domains can create guest accounts.

To prevent the account credentials from displaying on the screen, you must create a custom portal when using an email domain whitelist. These steps provide an overview:

1. Create a custom portal, following these guidelines:

Add a required email field and an acceptable use policy (AUP) page to the Self-Registration html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals for information on downloading a sample file.

Add text to refer users to their email for their login credentials on the Self-Registration Results html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals for information on downloading a sample file.

Map the Login file to the Self-Registration page. See the “Mapping HTML Files to Guest Portal Pages” section in the Cisco Identity Services Engine User Guide, Release 1.2 for detailed instructions.

2. Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server).

3. Specify the default e-mail address from which to send all guest notifications. (Administration > System > Settings > SMTP Server and choose Use Default email address ).

4. Create the email domain whitelist. See the “Restricting Self-Registration Based on Email Domain” section.

5. Customize the self-registration credentials email message. See the “Customizing the Self-Registration Credentials Email” section.

6. Customize the self-registration failure message. See the “Customizing the Self-Registration Failure Message” section

Restricting Self-Registration Based on Email Domain

Before You Begin

  • Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server).
  • Specify the default e-mail address from which to send all guest notifications. (Administration > System > Settings > SMTP Server and choose Use Default email address ).

Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations .

Step 2 Add or edit a guest portal and click Operations .

Step 3 Check these options:

  • Guest users should be allowed to do self service.
  • Send self-registration credentials to whitelisted email domains

Step 4 Enter the allowable domains in the Whitelisted email domains field, following these criteria:

  • Enter the exact domain name; wildcard characters are not supported.
  • Use commas to separate multiple domain names
  • The field supports a maximum of 4000 bytes so the total number of supported domains varies, depending on multibyte or unicode requirements.

Step 5 Click Save .


 

Customizing the Self-Registration Credentials Email

You can customize the email message sent to users containing their self-registration login credentials. When customizing this message, be sure to configure it for the languages supported for your guest users. This email is sent to the guest and sponsor using the guest notification language (specified in this setting: Sponsor portal > Edit guest account > Notification language).


Step 1 Choose Administration > Web Portal Management > Settings > Sponsor > Language Template > English (or other language) > Configure Email Notifications > Self-Registration Credentials .

Step 2 Customize the message and click Save .


 

Customizing the Self-Registration Failure Message

You can customize the error message that displays when users attempt to register using an email account from an unsupported domain.


Step 1 Choose Administration > Web Portal Management > Settings > Guest > Language Template > English (or other language) > Configure Error Messages > Self Service Failed Message .

Step 2 Customize the message and click Save .


 

Guest Account Expiration Notifications

You can notify guests and sponsors in advance that guests’ accounts are close to expiring. Sponsors can then proactively extend the account duration.

These restrictions apply when sending account expiration notifications:

  • Notifications are sent only to active accounts. Pending, suspended, and expired accounts will not receive a notification.
  • Accounts using the FromFirstLogin time profile will not receive a notification until they have become activated and are in the expiration notification window.
  • The timezone of the guest account is used to determine the account expiration.

Configuring Guest Account Expiration Notifications


Step 1 Choose Administration > Web Portal Management > Settings > Guest > Time Profiles .

Step 2 Add or edit a time profile.

Step 3 Check these options:

  • Send account expiration notification
  • Notification time—enter a value between 0 and 336 hours. You must enter a time allowed by the time profile. (For example, if the time profile limits guest access to one week, you might enter 24 to send the expiration notification a day in advance.)
  • Send email to guest or Send email to sponsor—you must choose at least one of these options.

Step 4 Click Save .


 

Customizing the Guest Account Expiration Notification

You can customize the messages sent to guests and sponsors to warn them that the guest account is expiring soon. When customizing these messages, be sure to configure it for the languages supported for your guest and sponsor users. This email is sent to sponsors and guests in the language indicated by these settings:

  • Sponsors—Sponsor Portal > My Settings > Language template
  • Guests—Sponsor portal > Edit guest account > Notification language

Step 1 Choose one of these options:

  • Guests— Administration > Web Portal Management > Settings > Guest > Language Template > English (or other language) > Configure Email Notifications > Account Expiration Notification Message .
  • Sponsors— Administration > Web Portal Management > Settings > Sponsor > Language Template > English (or other language) > Configure Email Notifications > Account Expiration Notification Message .

Step 2 Customize the message to send to sponsors and guests, using these supported variables:

  • $guest$—first name of the account or the username if first name is empty
  • $username$—login of the guest account
  • $firstname$—first name on guest account
  • $lastname$—last name on guest account
  • $sponsor$—the sponsors login username
  • $time$—the time remaining on the account before expiration. Displays as: HH:MM
  • $remaininghours$—the remaining number of hours before expiration
  • $remainingminutes$—the remaining number of minutes before expiration
  • $starttime$—the start date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For example: Fri 30, Aug 2013 10:30.
  • $endtime$—the end date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For example: Fri 30, Aug 2013 10:30.

Step 3 Click Save .


 

Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

ISE 1.2 Patch 2 supports iOS 7 Endpoints for Guest users (Local Web Authentication and Central Web Authentication), as well as BYOD on-boarding. Please note that to ensure iOS 7 endpoint support with ISE 1.2 Patch 2, the WLC needs to be updated to version 7.4.115.0.

The WLC 7.4.115.0 update for these devices:

  • Cisco 2504 Wireless Controller
  • Cisco 5508 Wireless Controller
  • Cisco 8510 Wireless Controller
  • Cisco Flex 7510 Wireless Controller
  • Cisco Virtual Wireless Controller

can be downloaded by registered users of Cisco.com from this location: http://software.cisco.com/download/special/release.html?config=fe18b0e824ca3427253bf74fdf50dab9

The WLC 7.4.115.0 update for the Cisco Wireless Services Module 2 (WiSM2) can be downloaded by registered users of Cisco.com from this location: http://software.cisco.com/download/special/release.html?config=dc3ed2770a7e6d66be495ac1d8cf0cc5

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

Table 17 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 2.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 17 Cisco ISE Patch Version 1.2.0.899-Patch 2 Resolved Caveats

Caveat
Description

CSCuh25868

Authorization policy condition’s re-editable text/string limited to 16 characters.

This fix addresses an issue where editing an authorization policy’s conditions resulted the text box only showing the first 16 characters in a string condition. The remaining characters were replaced by "..."

CSCuh56278

Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails.

This fix ensures that iOS 6 devices are authenticated correctly and gain access to the network appropriately.

CSCui34389

RADIUS accounting drop is not suppressed, flooding live log

This fix addresses an issue where message codes for RADIUS accounting drops were not suppressed, resulting with live logs being flooded.

CSCui36160

Whitelist and expiration notification.

The new Guest Self-Service feature provides administrators and sponsors the ability to have a customized notification email sent to guest users or sponsors X days before the guest account expires, allowing the sponsor (or guest user in SPP) to update the time profile and extend the account expiration.

Self Service Guest accounts have password credentials sent via email, with an additional Email Whitelist feature for validation.

Note See Support for Guest Self-Registration Based on Email Domain Whitelist for more information.

CSCui42788

Exporting of imported profile policy results a garbled description.

This fix addresses an issue where exporting an imported policy with a description field resulted in a garbled description field.

CSCui44324

Backup task can't be configured in ISE 1.2 UI.

This fix addresses an issue where a scheduled backup couldn’t be configured on ISE 1.2 in UI under "Administration -> System -> Backup and restore". After filling all data and clicking on "Save" button, nothing happened. (e.i., neither is a task created nor an error generated).

CSCui56071

ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

This fix filters incoming Framed-IP-Address that contains zero IP address (0.0.0.0) to reduce replication.

CSCui58390

Multiple names in SAN Field and ISE choose value randomly

This fix addresses an issue where the ISE chose the wrong Subject Alternative Name if there are multiple names in the SAN field values in the certificate.

CSCui75335

ISE 1.2 NAC agent fails posture due to 'NAC Server not available'

This fix addresses an issue where a NAC agent fails a posture assessment attempt and displayed a “NAC Server not available” error.

CSCuj23727

A change in iOS 7 to the user-agent string for an iPod Touch breaks its BYOD workflow.

This fix ensures that an iPod Touch device is recognized as such in a BYOD workflow.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1

Table 18 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 1.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software , and save a copy of the patch file to your local machine.

Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 . for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

 

Table 18 Cisco ISE Patch Version 1.2.0.899-Patch 1 Resolved Caveats

Caveat
Description

CSCui16528

Wrong service selection for NDAC Policy

This fix addresses the issue in a Cisco ISE deployment with SGA functionality implemented, where the authentication request was rejected by the Cisco ISE PSN server and the request from the client timed out.

Cisco ISE, Release 1.2.x, Open Caveats

Open Caveats

 

Table 19 Cisco ISE, Release 1.2.x, Open Caveats

Caveat
Description

CSCua97013

Apple iOS devices are prompted to accept “Not Verified” certificates

Apple iOS devices (iPhone & iPad) are asked to accept the certificate, appearing to them as “Not Verified,” when connecting to WLAN (802.1X).

By design, Apple iOS devices are prompted to accept a proprietary certificate, but Apple OS X and Android devices work without being prompted to accept a certificate.

This happens even when the certificate is signed by a known CA, as there is an intermediate certificate in the server certificate chain.

Workaround Click Accept to acknowledge the certificate. While browsing any URL, the user is redirected to provision the device. After provisioning, the intermediate certificate is installed on the iDevice.

CSCub17522

IP Phone IEEE 802.1X authentication reverts to PAC-based authentication when the “Accept client on authenticated provisioning” option is not enabled.

When the “Accept client on authenticated provisioning” option is off, Cisco IP Phone EAP-FAST authentication sessions always end with an Access-Reject event. This requires the IP phone to perform PAC-based authentication to pass authentication. Since Cisco IP Phones perform authentication via authenticated provisioning and not via PAC-based authentication, it is not possible for the phone to authenticate when this option is off.

Workaround Try one of the following:

  • Turn on the Cisco IP Phone “Accept client on authenticated provisioning” option.
  • Switch from EAP-FAST protocol to PAC-less mode.
  • Authenticate Cisco IP Phones via EAP-TLS rather than EAP-FAST.

CSCuc60349

False alarms on patch install/rollback as failure on secondary node

ISE sometimes generates critical false alarms for install or rollback failure alarms on secondary node even though the install or rollback operations were successful.

Workaround Use PAP (Administration > Maintenance > Patch > Show Node Status) to verify patch installation status.

CSCuc92246

Disk input/output operation while importing users slows down the appliance

If you enabled the Profiler service in your deployment, you have a Cisco ISE 3315 appliance as your primary Administration node, and you import users, accessing the user interface becomes very slow.

Workaround None

CSCud00407

Microsoft Active Directory 2012 user authentication with Alternative User Principal Name suffix fails.

This issue occurs when the Alternative User Principal Name (UPN) is the same as the name of the parent or ancestral domain to which Cisco ISE is joined. For example, if Cisco ISE is joined to a domain named “sales.country.region.global.com,” and you have an Alternative UPN named “global.com,” then user authentication fails.

Workaround Use an Alternative UPN that is not the same as the parent or an ancestor.

CSCud18190

Unable to reregister a device (via EAP-TLS) that was provisioned earlier.

If you delete an endpoint that was provisioned, you have to force the deleted or missing endpoint to re register with Cisco ISE so that the endpoint is created again.

Workaround Create an authorization rule similar to the following:

Re-register-Policy NetworkAccess.AuthenticationMethod == x509_PKI CWA-Policy

This rule redirects to the CWA policy and authenticates the user (you must add the identity store to the guest authentication store sequence), and re-provisions the endpoint.

CSCue08385

After changing the domain name could not access node in 3 node setup.

After changing the domain name in PAP node, it is not possible to access the PAP node through GUI and HTTP error is thrown.

CSCue17018

MNT node gets messages even after it is out of deployment and is disconnected.

CSCue46758

Session expired error occurs during guest authentication. Cisco ISE displays the following error message:

ISE: 86107- Session cache entry missing

For Central Web Authentication, when you configure an authorization profile, and modify the cisco-av-pair (cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?
sessionId=SessionIdValue&action=cwa), the user is redirected to the Web Authentication page, but the session expires after the user logs in.

Workaround Do any one of the following:

  • Do not replace “ip” in the cisco-av-pair with a value.
  • Do not modify cisco-av-pair. Instead, configure the Web Authentication option under Common Tasks.

CSCue51298

Guest users who are assigned the ActivatedGuest role and First Login time profile have to change their password at first login or after password expiration.

This issue occurs when you assign the ActivatedGuest guest role and the From First Login time profile to a guest user.

This time profile requires the guest users to first access the Guest portal to change their password. The typical flow for these activated guest users does not require them to access the Guest portal because they sign in using IEEE 802.1X (dot1x) authentication or VPN.

Workaround For activated guest users, use the From Creation time profile instead of the From First Login time profile.

CSCuf77949

After upgrade, two instances of the same alarm appear on your dashboard.

After you upgrade, you might see two instances of the same alarm being generated. This issue exists for about 15 minutes after the upgrade is complete.

Workaround None.

CSCug60740

While using Chrome as browser on Nexus 7 tablet, if the Javascript is disabled, users logging in to the Guest portal for the first time will not be able to continue with the site security certificate page.

Workaround Enable Javascript for the browser or install trusted certificate on ISE to avoid the site security certificate page.

CSCuh07358

Holistic solution is required to resolve Java/SPW issue on Mac OS X/Windows provisioning.

While onboarding Mac OS X devices, if Java is not installed, an error message is displayed. This requires the user to install Java and rerun the flow again to onboard the device.

CSCuh75971

Issue running applet in Windows or Macintosh OS with latest Java 7 update 25.

If Java 7 update 25 or above is installed, launching of the Agents or Network Setup Assistant during client provisioning or the onboarding process on a Windows or Mac OS X clients would take about 3 minutes as this Java update has Perform revocation checks enabled by default. This causes the applets signed certificates to be verified against the issuers CA server, which is currently blocked. This issue affects only Java applet and does not affect ActiveX, so there is less impact on Internet Explorer that uses ActiveX by default.

Workaround Cisco ISE administrator should allow access to crl.thawte.com and oscp.verisign.net for restricted network during provisioning. If the administrator is not able open access to these sites, then the end user should turn off Perform certificate revocation checks in Java as follows:

Open the Java Control Panel, click the Advanced tab, go to Perform certificate revocation checks on and select Do not check .

CSCuh78210

Agent does not turn TLS1.0 in IE if FIPS ciphers are disabled by default

When redirected from Internet Explorer, if the FIPS cryptographic cyphers from local security policies on client machines are enabled or disabled, then the NAC Agent does not pop up for posture assessment.

Workaround Exit and launch the NAC Agent again to get the latest FIPS settings.

CSCuh07275

Roaming of iPad breaks onboarding process.

If a device roams to a different Access point or WLC that connects to a different PSN, then the CoA is sent to WLC that is not expecting it and the onboarding goes into a loop.

Workaround Disconnect from the wireless and try to connect again.

CSCuh12619

BYOD: Device registration is successful even after canceling the profile installation.

CSCuh21153

IP Address does not refresh in Windows 7 client when using Internet Explorer for authentication in DRW flow.

CSCuh22013

Some endpoint devices like iPAD and iPhone have issues with wildcard certificates when CN is blank.

CSCuh43300

Node group cluster information is deleted if a node is made primary and included in a node group at a time.

When a node group is created in a standalone node and then the node is made as primary, the failover information is not notified to the primary node.

CSCuh60829

While upgrading from ISE 1.1.1 to ISE 1.2, the Time and Date condition configured as 'All Day' changes to specific hours and it fails for all authentication and authorization policies that use the time based condition.

CSCuh64576

Language Template description and browser Locale Map are not carried over

After upgrading to ISE 1.2, the 'Description' and 'Browser Locale Mapping' in the template definition are not carried over for Sponsor, My Devices, and Guest Language template.

Workaround After the upgrade, set the flags manually.

CSCuh77967

Error message when same rule name appears under local and Global exception

When global and local exception rules are created with same names, they get saved successfully. While trying to edit and save the policy, an error message is displayed that the exception rule already exists.

CSCuh78514

Config Restore including ADE-OS could cause nodes go out of sync

In a deployment, nodes are not in sync after ADE-OS restore.

Workaround After the restore is successful, the nodes need to be syncronized manually using ISE Administration web UI.

CSCuh88557

User password policy attribute migration issue

In ACS UI, the Password may not contain the username or its characters in reversed order checkbox is enabled and exported to ISE. After importing the policies, the checkbox appears disabled.

CSCuh90273

BYOD flow does not work when ISE acts as RADIUS proxy.

Once AD user is authenticated successfully against remote RADIUS server, the user is redirected to NSP portal. In the NSP portal, it is not possible to obtain the user information. An error is thrown and instead of the 'Register' option, 'Try Again' option is displayed.

CSCuh94096

IE9: Register button greyed out when ActiveX is disabled

In a Windows 7 client using Internet Explorer 9 with ActiveX disabled, while trying to perform the BYOD flow the browser redirects the user to ‘Device Registration’ page, where the ‘Register’ option is greyed out.

Workaround Enable the ActiveX to get the Register option properly.

CSCui00865

After creating guest accounts using Mozilla Firefox, the 'Manage Guest Accounts' page does not contain the newly created guests and has missing objects.

Workaround Clear the cache and restart the browser.

CSCui01605

Saving Duplicate policy set which has user defined simple condition fails

It is not possible to duplicate and save a policy set that contains user defined simple condition.

Workaround

  • Create a new policy set with same user defined simple conditions and save it.

OR

  • Duplicate a policy set with authorization simple condition and delete the user defined simple conditions in the policy set. Create the same condition in the duplicated policy set and save it.

CSCui03041

Device ID does not go to RegisteredDevices group

When a laptop with Mac OS X is connected to a network through BYOD flow, both the wired and wireless MAC addresses are listed in 'RegisteredDevices' group. When the same laptop is connected again after cleaning up the profiles and user credentials, only the wireless MAC address is listed in the 'RegisteredDevices' group.

CSCui05265

Guest Role configuration in the Administration UI using IE does not work properly

Configuring Guest Role at Administration > Web Portal Management > Settings > Guest > Guest Roles Configuration , using Internet Explorer does not display the ID groups properly.

Workaround Use other browsers like Firefox.

CSCui07457

WLC ACL issue with Android device during BYOD

In a BYOD flow, when the ACLs are created through the Setup Assistant, Android devices fail to download the Network Setup Assistant application.

Workaround Do any one of the following to enable the Android devices to download the profile and connect to the network successfully.

  • Update the ACL in the WLC GUI by deleting one of the ACLs and creating it again with same values.

OR

  • In the Edit page of the WLC, click Save without changing the values. This will update the ACL.

CSCui08084

Guest user not terminated on switch when suspending through edit account

When a guest account is suspended using the Suspend option in the Edit page of the Sponsor portal, the guest session is not terminated.

Workaround Suspend the guests in the Sponsor Portal List page. The suspend button in the List page will terminate sessions for suspended guests.

CSCui10632

NSP profile deleted and replaced by another after downloading the resources

After creating an NSP profile for EAP-TLS and using it in a client provisioning policy, when the agents and resources are downloaded through the update feed URL, the NSP profile gets deleted. It is replaced with one of the downloaded NSP profiles.

CSCui12947

After upgrading, replication fails on deployment when secondary PAP is promoted.

Workaround Delete the local certificates and restart the PAP.

CSCui16373

Upgrading any secondary node from Limited Availability Release to Release 1.2 Fails.

This issue occurs only when you upgrade from the Limited Availability release to Cisco ISE, Release 1.2. This issue is seen when you have backup schedules configured in Cisco ISE.

Workaround Disable or cancel the backup schedules before you upgrade to Release 1.2.

CSCui16876

Default authentication policy matching instead of default dot1x rule

When the default policy is modified to 'deny access' and dot1x authentication is performed against PDP with internal user, authentication fails. The authentication matches with 'AllowedProtocolMatchedRule'.

Workaround Instead of deny access, select identity source/sequence to get authenticated.

CSCui18956

Not able to update the custom RBAC policies after upgrading to Cisco ISE 1.2

After upgrading from Cisco ISE 1.1.x to 1.2, it is not possible to update the RBAC policies, custom menu access and data access permissions that were created in Cisco ISE 1.1.x.

Workaround

1. Create new menu access permission after upgrading to 1.2

2. Update the RBAC policy created in 1.1.x with the newly created menu access permission and save the policy.

3. Log in with the RBAC user and the updated menus will be displayed.

CSCui19072

After creating RBAC menu access permission, navigate to the Home page and click the Show button. This throws the following error: 'TypeError: selectedItem is undefined'.

Workaround This happens only for the first time. Edit the menu access, go to the Home page, and click Show.

CSCui28492

Registered Endpoints report takes a few minutes.

Workaround Gather the statistics in CEPM schema and the reports are generated without delay.

CSCui87386

Default Guest Portal displays Self Service Results on screen with the White Listing Feature enabled.

Workaround Use Custom Guest Portal, with the Self Service Results Page customized not to display the Results on screen. Additionally disable the Self Service option in Default Guest Portal Settings, as there is risk of accessing the Default Guest Portal tweaking the redirected URL

CSCuj10678

The iPEP Node is unable to correctly handle tagged VLANs.

Workaround Make the native VLAN on the switch the same as the management VLAN.

CSCuj22597

When using the notification feature, emails are delivered even when notifications disabled for the sponsor in admin.

Workaround Disable the notification on the time profile setting instead.

CSCuj40148

During the BYOD flow the end user will be continuously redirected to the device registration page after installing Java.

This occurs when:

  • the endpoint does not have Java installed and after the installation is completed on the Firefox browser, or
  • Java is uninstalled and the Firefox browser was not quit before starting the BYOD flow

Workaround Quit and relaunch the Firefox browser after installing the Java package from www.java.com/en/download and then continue with the BYOD onboarding.

CSCuj62777

After uninstalling 1.2 Patch 3, the PAP node goes down and doesn’t come up, showing HTTP 404 Error in GUI.

CSCul27693

If you do a CSV bulk import from the sponsor portal, you are asked to which role to tie the imported guests. If you use the "Guest" group as suggested by default and then try to authenticate with one of those guests, they never hit the authorization rule where you configured "identity group=guest" as condition because ISE sees the guest account as part of the “Any” identity group.

Workaround As the sponsor, edit the guest account but change nothing and save the account without having changed anything. The user will correctly show as belonging to Guest group when logging in.

CSCul69609

The same session ID is being used by multiple guest users, so some guest users see login page even after accepting AUP.

CSCul39011

For installations of ISE 1.2 with MDM server integrated, ISE tries to query the MDM server during EAP sessions. If the server does not respond, it continuously retries and this causes the session to hang in runtime. The ISE live authentication logs may report 5436, 5405/5411, and 5441 errors making it appear as if the supplicant is misbehaving while the ISE alarms report “External MDM Server Connection Failure.”

Workaround Make sure the MDM server is constantly able to respond to queries. If profiling is used, configure and assign logical profiles to the MDM rules to reduce the scope to mobile devices only. Add the MDMServerReachable condition to the configured MDM authorization rule to allow ISE to use MDM reachability as a condition match.

CSCul92356

While using Guest Portal along with “Guest users should be allowed to do Device Registration,” when the Guest user registers the device, the device falls into the UNKNOWN Group whereas it should go in either the GuestEndpoints group or in the RegisteredDevices group.

Workaround We can force the endpoint to fall into a different group by manually creating a profiler policy.

  • Create a Profiling condition where the “IP_EndPointSource” EQUALS “GUEST Portal.” Allow it to Create a matching Identity group.
  • We can see that the endpoints will now fall into the new Endpoint Identity group under Endpoint groups > Profiled and can be used in an authorization Policy.

CSCul94611

Issue with the Live dashboard in ISE 1.1.4 not displaying information and only showing “No Data Available.”

Workaround Enter the following commands below:

ms-ise-mgm01/admin# app config ise
 
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
[6]Enable/Disable ERS API
[7]Reset M&T Session Database
[8]Rebuild M&T Unusable Indexes
[9]Purge M&T Operational Data
[10]Reset M&T Database
[11]Refresh M&T Database Statistics
[12]Display Profiler Statistics
[13]Exit

Select the following options:

7 to reset the session db

10 to reset the M&T database

11 to refresh the statistics (Possibly do not need. Was only needed in 1 case.)

Once you have run these commands the DashBoard should begin to display information.

This process can take up to 12 hours to complete all three steps. Roughly 1 to 3 hours per option selected.

CSCum05066

When rolling back a patch update using the GUI, it is uninstalled successfully on primary node but it does not happen in secondary nodes. On the Primary node, the GUI shows patch is no longer installed in Primary but shows the patch as installed on the secondary node.

This issue is fixed in ISE 1.2 patch 5. However, it will occur if you rollback a fresh install of ISE 1.2 patch 6 or 7, or if you rollback ISE 1.2 patch 5.

Workaround The user needs to run the rollback again from the Primary GUI.

CSCum05562

An endpoint might not matching the right authorization profile because the change of authorization was not sent.

Workaround Don't use policy sets or use fast reAuths on switch as doing a CoA from MnT works as well.

CSCum21201

Windows workstation devices that have a MAC address starting with "3C:97:0E" are profiled as a "Nortel-Device."

Workaround Remove Nortel condition matching on "OUI CONTAINS Wistron" and increase the Certainty Factor of Windows workstation device so that it prefers Windows profile policy over Nortel policy.

CSCum41138

After CoA REST API is issued successfully, ISE live logs shows the “NAS IP Address” to be the MnT address, instead of the switch address.

CSCum73765

While using profiling with SNMP v3 Query and Trap probes, the correct profiling information is not fetched. The SNMP v3 queries triggered by the SNMP traps generated by linkup/linkdown or mac-notification from the switch fails SNMP v3 authorization and leads to closing of the SNMP session.

The same is seen when the SNMP v3 query is triggered by a Radius Accounting probe.

In the profiler.log, we can clearly see that the SNMP v3 authorization fails and the SNMP session is closed.

Workaround There is no workaround. The only options available currently are:

1. Use SNMP v2c instead of SNMP v3.

2. Reduce the polling interval to 600 seconds on the network device configuration. Now, when the device is connected, it will be profiled wrongly at first but 10 minutes later (600 seconds), when the independent query takes place, it will get correctly profiled. This delay will be seen only the first time the device is bought in the network. From the next time onwards, it will connect and get the correct policy immediately since it is already saved with the right profiling information.

CSCum85832

On the Fresh installation setup of 1.2.1 and restoring the Operational (MNT) data of 1.2. Operational restore will be completed successfully.

CSCun23340

Randomly created guest users are not shown for exporting and printing the user information in Firefox.

Workaround Use Internet Explorer 11.

CSCun23357

Uploaded guest users are not shown in Firefox.

Workaround Use Internet Explorer 11.

CSCun53951

ISE presents self-signed cert instead of CA-signed cert even though the GUI shows the CA-signed cert marked for HTTPS use.

The standalone ISE node has 2 certificates in its local certificate store: a self signed one and a CA signed one.

The CA signed certificate is marked to be used for HTTPS and EAP. This node presents the CA signed certificate when the GUI is accessed.

Once the above ISE node is registered to the primary, it starts presenting the self signed cert.

Workaround After registration, choose the self-signed cert in the GUI, so that the node presents the CA signed cert.

CSCun65239

The desktop device does not display sessionExpired page when the “change password” and “device registration” options are enabled.

The mobile portal does not display sessionExpired page when session is terminated. This occurs when the following options are enabled:

  • Guest users should agree to an acceptable use policy - Every Login
  • Enable Mobile Portal
  • Allow guest users to change password
  • Guest users should be allowed to do self service

Workaround If the login page loops after the session has expired, disconnect and reconnect SSID/network. Then have the client redirect to the guest portal by entering an external URL in the address bar so they get a new session ID.

1. Disable mobile portal option.

2. Disable the following options:

Require guest users to change password at expiration and first login

Guest users should be allowed to do device registration

CSCun75689

ISE is unable to save a Scheduled Report using UTF-8 characters in the report name. You will receive the following message: “Schedule name should only contain alphanumeric and _ - . characters.”

Workaround Rename the Schedule Report with non-UTF-8 characters.

CSCuo40057

EAP-Chaining authorization is stuck with out successful certificate renewal.

Workaround In order to identify EAP-Chaining with expired cert functionality, you can have a rule which reads: if Network Access.UseCase EQUALS EAP-Chaining AND CertRenewalRequired then DenyAccess.

CSCuo54649

An endpoint consuming advanced features will show against both Advanced and Plus license if both licenses are available in the system.

Workaround Refer to Current Licenses page instead of details of licenses installed.

CSCuo56327

Since Plus license support was introduced in Cisco ISE 1.2 patch 8, the Plus license will be removed if admin removes Cisco ISE 1.2 patch 8 or Cisco ISE 1.2.1.

CSCuo62507

Once the disk space is been reached to more than 80 % aggressive purging will be triggered automatically from the back-end. If admin tried to perform the CLI purging while backend purge is in progress. Data will be partially purged.

Workaround Once Both process is completed. Again triggered the CLI PURGE. All the data will be purged successfully as per the threshold which we set.

CSCuo88056

Guest Action word is displayed instead of sponsor name in the Reports after Guest Password is changed.

Workaround Guest user can change his password after login to the Guest portal, so that Sponsor name will be displayed properly in the reports.

CSCuo88459

Apple iOS device, after certificate Renewal gets stuck and will always be redirected to CWA URL or wi-fi interface is down.

Workaround Click on the Wi-fi, and select the option forget this network and try reconnecting to the same network, Please do the steps in the below mentioned order Device will ask user to select the authentication Method select EAP-TLS and select the user certificate. Enter the user name with the user name and click connect.

CSCuo89783

When we trigger a backup to invalid repository, the backup fails and no alarm is generated.

Workaround Can check the backup status in Administration > System > Backup & Restore Page.

CSCup00209

Guest user name is not displayed for Guest attribute value, instead “Self Registration” word / Internal Sponsor name is shown under Guest Sponsor mapping and Guest Sponsor Detail reports respectively.

Workaround Guest user can be created by Sponsor via Sponsor Portal.

CSCup08066

Performing a backup preserves alarm notifications. In Cisco ISE 1.2.1, this causes alarms to trigger in the dashboard.

CSCup10918

Consistency issue in French localization. “Vous devez renouveler l'inscription de votre périphérique pour continuer à utiliser le réseau sécurisé” should be “Vous devez renouveler l'enregistrement de votre périphérique pour continuer à utiliser le réseau sécurisé.”

CSCup23595

Exporting endpoints results in an empty file if filtering by IP address.

Workaround Export endpoints using the “Export Selected” option.

CSCup39916

Exporting endpoints with the _ special character in the profile name results in an empty file.

Workaround Export endpoints using the “Export Selected” option.

CSCup44205

CoA session quarantine doesn't do any action but gives successfully applied message.

Workaround Disable EPS services for ASA COA users. Quarantine option will not be displayed in MnT.

CSCup52657

Error messages occur when the servers are placed in the following deployment and APIs are executed for the Secondary MnT IP address:

PAP(P)+MnT(S)+PDP- Node 1

PAP(S)+MnT(P)- Node 2

Workaround Change the deployment as follows:

PAP(P)+MnT(P)+PDP

PAP(S)+MnT(S)

CSCup68428

CoA session re-authentication is successful the first time, but the session is terminated for second re-authentication if Posture isn’t completed.

Workaround Issue the ASA CaA re-authentication once Posture is completed.

CSCup94688

When trying to add or delete IP addresses for admin access, the Save and Reset buttons functionalities are not properly implemented.

Workaround No functional/Flow impact. Just Add and Delete will do it.

Open Agent Caveats

 

Table 20 Cisco ISE, Release 1.2, Open Agent Caveats

Caveat
Description

CSCti60114

The Mac OS X Agent 4.9.0. x install is allowing downgrade

The Mac OS X Agent is allowing downgrades without warnings.

Note Mac OS X Agent builds differ in minor version updates only. For example, 4.9.0.638 and 4.9.0.637.

CSCti71658

The Mac OS X Agent shows user as “logged-in” during remediation

The menu item icon for Mac OS X Agent might appear logged-in before getting full network accesses

The client endpoints are connecting to an ISE 1.0 network or NAC using device-filter/check with Mac OS X Agent 4.9.0. x .

Workaround Please ignore the icon changes after detecting the server and before remediation is done.

CSCtj22050

Certificate dialog seen multiple times when certificate is not valid

When the certificate used by the agent to communicate with the server is not trusted, the error message can be seen multiple times.

Workaround Make sure you have a valid certificate installed on the server and that it has also been accepted and installed on the client.

Note The additional certificate error message is primarily informational in nature and can be closed without affecting designed behavior.

CSCtj31552

Pop-up Login windows option not used with 4.9 Agent and Cisco ISE

When right clicking on the Windows taskbar tray icon, the Login option is still present, but is not used for Cisco ISE. The login option should be removed or greyed out.

Workaround There is no known workaround for this issue.

CSCtk34851

XML parameters passed down from server are not using the mode capability

The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite. Mac OS X agent is not processing the mode correctly. Instead, the complete file is overwritten each time.

Workaround To use a unique entry, the administrator must set up a different user group for test purposes, or set the file to read only on the client machine and manually make the necessary changes to the local file.

CSCtl53966

Agent icon stuck on Windows taskbar

The taskbar icon should appear when the user is already logged in.

Workaround Right-click on the icon in the taskbar tray and choose Properties or About . After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes away.

CSCto33933

Login Success display does not disappear when user clicks OK

This can occur if the network has not yet settled following a network change.

Workaround Wait a few seconds for the display to close.

CSCto45199

“Failed to obtain a valid network IP” message does not go away after the user clicks OK

This issue has been observed in a wired NAC network with IP address change that is taking longer then normal. (So far, this issue has only been only seen on Windows XP machines.)

Workaround None. The user needs to wait for the IP address refresh process to complete and for the network to stabilize in the background.

CSCto48555

Mac OS X agent does not rediscover the network after switch from one SSID to another in the same subnet

Agent does not rediscover until the temporary role (remediation timer) expires.

Workaround The user needs to click Complete or Cancel in the agent login dialog to get the agent to appear again on the new network.

CSCto63069

The nacagentui.exe application memory usage doubles when using “ad-aware”

This issue has been observed where the nacagentui.exe memory usage changes from 54 to 101MB and stays there.

Workaround Disable the Ad-Watch Live Real-time Protection function.

CSCto84932

The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and NAC agent.

Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCto97486

The Mac OS X VLAN detect function runs between discovery, causing a delay

VLAN detect should refresh the client IP address after a VLAN detect interval (5) X retry detect (3) which is ~ 30 sec, however it is taking an additional 30 sec.

This issue has been observed in both a wired and wireless deployment where the Cisco NAC agent changes the client IP address in compliant or non-compliant state since Mac OS X supplicant cannot.

An example scenario involves the user getting a “non-compliant” posture state where the Cisco ISE authorization profile is set to Radius Reauthentication (default) and session timer of 10 min (600 sec). After 10 min the session terminates and a new session is created in the pre-posture VLAN. The result is that the client machine still has post-posture VLAN IP assignment and requires VLAN detect to move user back to the pre-posture IP address.

Workaround Disconnect and then reconnect the client machine to the network.

CSCtq02332

Windows agent does not display IP refresh during non-compliant posture status

The IP refresh is happening on the client machine as designed, but the Agent interface does not display the change appropriately (for example, following a move from preposture (non-compliant) to postposture (compliant) status).

Workaround There is no known workaround for this issue.

CSCtq02533

The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and Cisco NAC agent.

Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCts80116

OPSWAT SDK 3.4.27.1 causes memory leak on some PCs

Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may experience excessive memory usage.

Note This has only been observed with version 8.2.0 of Avira AntiVir Premium or Personal. Later versions of the application do not have this issue.

Workaround Install later version of Avira AntiVir Premium or Personal.

CSCty02167

IP refresh fails intermittently for Mac OS 10.7 guest users

This problem stems from the way Mac OS 10.7 handles certificates. Marking the certificate as “trusted” in the CWA flow is not good enough to download the java applet required to perform the DHCP refresh function.

Workaround The Cisco ISE certificate must be marked as “Always Trust” in the Mac OS 10.7 Keychain.

CSCub62836

In Live Authentication page, certain UTF-8 characters do not display correctly

This only happens for a very limited set of characters.

Workaround Use RADIUS Authentications report instead, to view the same information correctly.

CSCul10891

Upgrade from earlier version of NAC Agent to version 4.9.0.1013 fails to launch Agent popup

After upgrading to NAC Agent version 4.9.0.1013 on Windows 8 or Windows 8.1 64-bit clients, the upgraded Agent might not launch automatically.

Workaround If the Agent does not launch automatically, then manually double-click the NAC Agent UI shortcut on the desktop to launch the Agent.

CSCum88173

Minimum compliance module version required for configuring SEP 12.1.x definition check on Mac OS is 3.6.8616.2 and not 3.6.8501.2.

The minimum Compliance Module version required for configuring AV check in NAC support charts for Symantec Endpoint Protection (SEP) 12.1 for Mac OS is displayed as 3.5.8501.2. However, the version 3.5.8501.2 has issues in detecting the definition date/version for SEP 12.1.x on Mac OS. As this issue is addressed in Compliance Module 3.6.8616.2, administrators need to use 3.6.8616.2 as the minimum Compliance Module needed for detecting SEP 12.1 definitions on Mac OS.

CSCun60071

UI not visible for application launched by NAC agent during remediation

When Cisco ISE is configured to launch an application as a remediation, the application gets launched and is available in the task manager, but the UI is not visible to the user, irrespective of whether the user is logged in as admin or not. Since Launch program remediation feature is modified from user privilege to system privilege, NAC Agent allows UAC Elevation for all Launch program remediation actions.

For more details, refer to CSCun60071 .

CSCtw50782

Agent hangs awaiting posture report response from server

Workaround

The issue occurs with Mac OS X 10.7.2 clients.

Kill the CCAAgent Process and then start CCAAgent.app.

Perform the following:

1. Go to Keychain Access.

2. Inspect the login Keychain for corrupted certificates, like certificates with the name “Unknown” or without any data

3. Delete any corrupted Certificates

4. From the pull-down menu, select Preferences and click the Certificates tab

5. Set OCSP and CRL to off.

CSCty51216

Upgrading Mac OS X Agent version 4.9.0.638 to later versions fails.

Workaround

1. Remove the “CCAAgent” folder from temporary directory

2. Reboot the client

3. Connect to Web login page and install the Agent from there

Cisco ISE, Release 1.2.1, Resolved Caveats

The following table lists the resolved caveats in Cisco ISE, Release 1.2.1.

 

Table 21 Cisco ISE, Release 1.2.1, Resolved Caveats

Caveat
Description

CSCtx94533

The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”

CSCty01787

Error in Generating XML Output for EndPointIPAddress API

CSCty87291

Admin Web Portal Requests ID certification When It’s Password authentication-only

CSCua69331

IE 8 + ChromeFrame BHO - CWA authorization profiles not displaying correctly.

CSCub18575

Problem with sponsor accounts starting with a "0"

CSCud38634

Guest sponsor details shows wrong sponsor name.

CSCud70219

Log.xml files are not cleaned out regularly.

CSCud70397

Need support SCSI controller (VMware Paravirtual) for VMware install.

CSCud89273

Passed Numbers Not Appearing on Authentications Dashlet

CSCue14864

Endpoint statically assigned to ID group may appear in different group

CSCue98728

No indication of character limit for 'Configure Email Notification' box

CSCuf24898

ISE repository max password length 16 characters.

CSCuf47491

Timestamp of core files not preserved in support bundle.

CSCuf76821

.trc and .trm files are not cleaned out regularly.

CSCug20065

Unable to enforce RBAC as desired to a custom administrator.

CSCug59579

Windows 8 not included in Client Provisioning

CSCug90502

ISE Blind SQL Injection Vulnerability.

CSCug96069

Replication status update fails for all nodes if the network is restored on PAP.

CSCuh01760

Misconfigured NAS criteria needs to be changed

CSCuh14228

Internal administrator summary report export not working

CSCuh15572

Invalid license file, possibly license file has expired or is corrupt.

CSCuh20322

Need ISE application server restart reason and timestamp

CSCuh23536

RADIUS drop should have last event timestamp

CSCuh25506

Cisco ISE CSRF Vulnerability

CSCuh25868

Authorization: re-editable text/string condition limited to 16 characters

CSCuh30587

Backup fails due to ISE restart

CSCuh36333

Successful DACL download authentication is counted under authentication dashlet

CSCuh38253

IP columns sorts on char instead on num on.

CSCuh41450

IP Columns Sort on Char on Network Devices Page

CSCuh44972

DenyUsers oracle statement removed during upgrade.

CSCuh45239

Node Status Patch page does not refresh automatically

CSCuh56170

MCPSS Mnt DB Sanity Check failed during upgrade from 1.1.2.145 to 1.2.

CSCuh56278

Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails

CSCuh65084

Scroll issue for small screens on Live Log page

CSCuh79596

Freshly Installed Standalone ISE Server Not Logging MDM Events

CSCuh81511

ISE remote command execution

CSCuh84099

ISE should verify non-printable characters in x.509 certs

CSCuh88637

Method "getAlarmsOccuredAfter" throws exception

CSCuh89780

MDM VENDOR : Airwatch" MDM Server Response Code: 404"

CSCuh95845

After internal password change policies using NA conditions match default Policy.

CSCui02984

Sponsor authentication failed for Active Directory user with Sponsor_Portal_Sequence.

CSCui14093

Oracle Critical Patch Update

CSCui15042

BYOD Stress causes MNT to stop reporting current Authentication Sessions

CSCui15038

ISE HTTP control interface for NAC Web Agent XSS Vulnerability

CSCui15064

Certain ISE Reports Vulnerable to XSS Injection

CSCui15354

ISE should remove ENDSW operators

CSCui15633

Sponsor portal login fails for some users

CSCui16528

Wrong service selection for NDAC Policy

CSCui21439

Message code texts are blank or incorrect

CSCui22884

ISE presents wrong HTTPS certificate

CSCui23231

Certain custom ISE reports cannot be exported

CSCui26708

ISE node to node HTTP Basic Authentication username and password logged

CSCui30266

ISE MDM Portal Cross-Site Scripting Vulnerability

CSCui30275

Component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack

CSCui34389

RADIUS accounting drop is not suppressed, flooding live log.

CSCui36160

Whitelist and expiration notification.

CSCui36643

ISE Editing schedule report complains of existing report name in use.

CSCui38818

ISE 1.2 NFS repository configuration has extra colon after upgrade

CSCui40950

Guest login takes long time and times out.

CSCui42788

Exporting of imported profile policy results a garbled description.

CSCui44324

Backup task can't be configured in ISE 1.2 UI.

CSCui45891

Upgrade logs are missing in ADE.log after upgrade failed

CSCui46739

Guest applet fails after update to Java 7 update 25.

CSCui48781

NSF Rule with complex condition - names are not unique per service

CSCui48779

Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some conditions.

CSCui56071

ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

CSCui57100

EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed

CSCui57152

Endpoint Policy not updated for endpoints added using ERS API

CSCui57374

ISE iPEP Invalid RADIUS Authenticator error during high load

CSCui57882

Some expired guest accounts cannot be deleted from PDP

CSCui57933

Purge expired guest accounts does not work

CSCui57961

When editing an expired guest account that cannot be deleted, logs out.

CSCui58123

Upgrading to 1.2 with \"Select Condition\" in Posture Requirements

CSCui58390

Multiple names in SAN Field and ISE choose value randomly.

CSCui59370

Upgrade fails on Guest update sponsor user: email is null

CSCui62290

Develop REST APIs for ISE MnT alarms

CSCui65530

Upgrade failed with DuplicateEntityException for TimeProfile

CSCui67495

Uploaded Filenames/Content Not Properly Sanitized

CSCui67511

Certain File Types are not Filtered and are Executable

CSCui71484

ISE SEC PAP has write access via ERS API

CSCui72269

ISE unable to understand SNMP attribute coming from Switch.

CSCui72330

HTML comments disclose potentially sensitive information

CSCui72658

Guest Portal cookies not set as Secure or HTTP Only.

CSCui74478

Self Service Flow checking for email address

CSCui74496

Domain Names should be validated before saving the Portal settings

CSCui74678

Getting Account Expiration Notification too early for the Guest accounts

CSCui75335

ISE 1.2 NAC agent fails posture due to ‘NAC Server not available.’

CSCui75669

Endpoint update calls from guest-portal causing replication issues

CSCui76932

Unable to Save Notification details while creation of Time Profile

CSCui77336

Customized URL ISE self registration not working.

CSCui78135

On Alpha Alarms Still Show Up When We Select All and Acknowledge

CSCui78802

Usability issues while validating security defect

CSCui78849

Warning message should be more meaning full while creating Time Profile

CSCui80340

Partner MDM performance improvements

CSCui81442

Domain Validation should be Case Insensitive

CSCui81825

Unable to Save Notification details while editing Sponsor Lang template.

CSCui82674

Unable to save and modified edited endpoint with Base license ONLY

CSCui82998

Custom Guest Portal Loops after AUP Due to Loss of Session ID

CSCui83009

Unable to push compliance module to NAC agent on Macs.

CSCui89741

ISE ERS API creates endpoint with invalid format MAC address.

CSCui90286

Able to create TimeProfile eventhough Notification time > duration

CSCui94488

MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices.

CSCui96322

Default Guest Portal Email Address Limited to 24 Characters

CSCui96960

MNT Livelog/Dashboard performance.

CSCuj01781

ISE uses SAN of user certificate for machine lookup in Active Directory

CSCuj03071

EndPoint update not being saved to PAP due to high latency

CSCuj03131

Lower "Request Rejection Interval" minimum to 5 minutes

CSCuj03697

Allow Tunnel attributes in policies

CSCuj03811

No suppression for misconfigured NAS when errors are alternating

CSCuj04748

Original URL preservation for BYOD provisioning and Guest flows

CSCuj05295

ISE App server crashed and stuck in initialized state with "null" in collection filter

CSCuj07535

IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2

CSCuj09430

Guest account is not working according to its Time Zone

CSCuj11040

CSCum97337

ISE Should Not Degrade a Profile Based on Problematic User-Agent

CSCuj11855

ISE gives little debugs when SCEP fails for Windows-related reasons

CSCuj13804

IE8 gives error on ISE1.2 when accessing the provisioning portal

CSCuj14382

Cannot statically assign IP address as FramedAddress

CSCuj15372

Authentications fail with MDM authentication rules enabled

CSCuj16049

HA Licensing

CSCuj17272

Upgrade from 1.1.3 to 1.2 breaks identity source sequence instances

CSCuj19602

Sponsor portal banners do not work on upgraded ISE

CSCuj19882

Unable to edit the existing Guest accounts after restoring old backup

CSCuj23727

Change in iOS 7 user-agent string for an iPod Touch breaks its BYOD flow

CSCuj25038

ERS Service Disabled After Reboot

CSCuj26086

CSCuj80131

ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)

CSCuj26495

Restricted Characters in Policy Names carried forward after upgrade.

CSCuj28447

Endpoint statically assigned to ID group may appear in different group

CSCuj28968

Guest Activity Report is not working

CSCuj34004

User name change detected for the session removes all session attributes

CSCuj36104

ISE does not allow CRL when the name is the same on two Certificate Authorities

CSCuj36310

“@” Character Not Accepted in Wireless SSIDs Fields

CSCuj38204

ISE does not allow access for guest with no webagent if posture is configured

CSCuj39926

Kaspersky remediation does not appear anymore in the AV remediation

CSCuj45431

ISE Support for Mac OS X 10.9 NAC Agent

CSCuj45766

Add/Remove MDM server never got replicated to PSNs in distributed deployment

CSCuj47806

ISE redirects to default guest pages when it’s configured to redirect to custom pages

CSCuj48111

Hyphen and minus sign can't be entered as first or last name

CSCuj49903

Downloading / viewing large logfiles from PDP causes out of memory error

CSCuj51094

Captured TCPDump file is not working

CSCuj52520

Unable to login to CLI after ISE upgrade

CSCuj54630

ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server

CSCuj57335

Egress Matrix: require default SGACL that includes log option

CSCuj60796

ISE Support for IE 11

CSCuj61976

Admin UI fails to display certain UI pages when using Firefox 25

CSCuj62239

Rollback in case of upgrade failure is not cleaning temp tables, indexes

CSCuj63046

Text fields impose 24 character limit during guest self-registration

CSCuj63053

Cfg.xml,CM download doesn't happen if CP rule is Win8.1 Specific

CSCuj63516

Denial of Service Vulnerability exists in OpenSSH version

CSCuj64206

Parent Endpoint Identity Group cannot be created in Win7 IE10

CSCuj65306

Cisco ISE 1.2 upgrade fails due to shared memory allocation failure

CSCuj65586

Need to optimize the way records are displayed in RADIUS Drop counters

CSCuj66093

86017 Error page sessionExpired.jsp images links are invalid

CSCuj70022

EAP-FAST authenticated provisioning with Android doesn't work

CSCuj71439

Cisco ISE REST API - changing username returns password error

CSCuj72022

Cannot use "Ends With" operator in a Posture condition on ISE

CSCuj82836

Manual CoA - Re-authorization is not working

CSCuj82378

Downloaded captured TCP dump file for remote node is not of proper size

CSCuj84194

Cisco ISE sometimes does not send DACL in authorization profile

CSCuj84427

Cisco ISE 1.2 Admin password alerts not functioning properly

CSCuj86717

Dot1x endpoint fails authentication with Reject Requests After Detection

CSCuj88222

Upgrade should check for CA certificates corruption

CSCuj88888

ISE 1.1.4 patches fail machine authentications in disjointed ActiveDirectory namespaces

CSCuj90823

Guest Portal: IP Refresh Failing in IE 11

CSCuj91050

Creating Guest users shows incorrect timezone 'GMT+2 ECT'

CSCuj91461

ISE 1.2 backup on host A, restore on same version on host B breaks database listener

CSCuj91764

Pre-upgrade checks

CSCuj95588

Reach context limit when multiple conversations use Tunnel attributes

CSCuj95908

Cisco ISE does not do domain stripping for Active Directory external store

CSCuj97832

Cisco ISE hard disk filling up

CSCuj97669

DNS Resolution Failed for CNAME: "hostname" from the ISE node "hostname"

CSCuj98726

iOS devices bypass account suspension/lock by starting new EAP session

CSCuj99951

Avaya Phones profiled as unknown

CSCul02821

MDM attributes doesn't update to Endpoint objective

CSCul02860

Struts Action Mapper Vulnerability

CSCul03127

Struts 2 Dynamic Method Invocation Vulnerability

CSCul03621

Endpoint Profiling Information is not being replicated correctly

CSCul03597

LDAP User Authorization Doesn't Work with EAP-FAST Chaining

CSCul06431

Active Directory attribute value in ATZ profile is not sent

CSCul06937

Do Sync check before upgrade of secondary PAP

CSCul09815

Upgrade should not proceed if node role type cannot be detected

CSCul10677

ISE 1.2 CWA Failure Reason 86017

CSCul13757

Audit records MUST log to External Syslog Servers: CLI log level

CSCul13805

Audit records MUST log to External Syslog Servers: HTTPS idle timeout

CSCul13812

Audit records MUST log to External Syslog servers: SSH publickey

CSCul13883

Audit records MUST log to External Syslog servers: SSH KEX Group14

CSCul13905

Audit records MUST log to External Syslog Servers: CLI clock set

CSCul13946

Audit records MUST log to External Syslog servers: Purge M&T Data

CSCul15967

ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup

CSCul16300

Audit records MUST log to External Syslog servers: CLI idle timeout

CSCul18169

Blocking ISE admin UI access for Chrome browser

CSCul18521

Audit records MUST log to External Syslog servers: VGA CLI AUTHC

CSCul18555

Audit records MUST log to External Syslog servers: SSH conn fail

CSCul20850

Port Patch 5 Guest changes to Patch 4

CSCul23070

CSCul23252

Audit records MUST log to External Syslog Servers: SSH exit forceout

CSCul25066

ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

CSCul25956

Upgrade from 1.2 to 1.2.1 timeout and fail when previous upgrade fails

CSCul29344

ISE 1.2 HTML Custom Pages for Different Portals Not Working

CSCul29647

Cisco ISE 1.2 upgrade disables Cisco Root certs if they were installed before Cisco ISE 1.2

CSCul35820

ISE Guest Registration Breaks with Apple IOS7 User Name as Emil Address

CSCul42307

Upgrade fails when local disk fills up due to core dumps

CSCul42646

Failed to create Posture Condition with "NOT ENDS WITH" Operator

CSCul46893

URL preservation not working with self service guest user in MAB flow

CSCul48352

Right-Click - Copy to MAC and Username in Live Log

CSCul50495

Device Registration failed with Cisco Catalyst 3850 Switch

CSCul50720

Samsung Galaxy S4 cannot be on-boarded in dual SSID flow

CSCul55934

Cisco ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting

CSCul57506

Restore process breaks Report functionality and UI Purge

CSCul58895

Cisco ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import

CSCul62175

ISE BYOD enhancement troubleshooting for SCEP

CSCul62723

Mobile Guest Portal: Success page redirects to http://10.86.149.92

CSCul65045

Cannot create/edit network device if advanced license expired

CSCul66218

Posture delays due to HTTP thread exhaustion

CSCul66272

Terminate Change of Authorization during Posture for Unknown User-agent DynGate

CSCul69350

Cisco ISE 1.2.0 CFG database restore in Cisco ISE 1.2.1 fails

CSCul71176

Endpoints manually assigned to identity groups might change groups randomly

CSCul71245

ISE Authorization with certificate serial number broken in 1.2 patch 2

CSCul71532

XML external entity injection found under ERS

CSCul77732

Warning message while creating Guest user with hyphen in Self Registration

CSCul77793

Scheduled Reports Not Exported When Using Illegal Character as a Report Name

CSCul80050

Upgrade failed from Cisco ISE 1.1.3 to Cisco ISE 1.2.1

CSCul82658

“Strip prefixes listed below” for Active Directory in GUI is a typo

CSCul84544

Retrieval of Active Directory Groups or Attributes from GUI is Failing

CSCul87279

ISE 1.2 Patch 5 through GUI not pushed to secondary nodes in the deployment

CSCul87300

Special Character in LDAP password is not read correctly by ISE

CSCul96698

Observed NullPExc intermittently while accessing create Guest Rest API

CSCul96763

Guest users are getting created with special characters through Rest API

CSCul97050

Issue with input validation for language Notification tag - Guest REST API

CSCum01290

MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4

CSCum10047

Invalid Account Date When Changing Account Duration

CSCum13453

ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG

CSCum26362

Authentications Details are Missing All the Required Data

CSCum29186

With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

CSCum37742

Randomly generated guest users allowed to log in after getting expired

CSCum40721

Optional Data Field Not Matching in Authorization Rules

CSCum54099

ISE Does Not Send Sponsor-related syslog Message to External syslog Server

CSCum60054

Unable to download catalina.out logs from GUI

CSCum60501

Undefined is displaying in GUI instead of Log file name

CSCum60627

Client EAP Sessions Never Get Cleared

CSCum69410

ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

CSCum77223

Increase Maximum Login Failures for Guest

CSCum79002

Upgrade Validation check to PKIX path building failed

CSCum82400

ISE 1.2 Posture upgrade failure

CSCum82815

Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login

CSCum82829

Cisco-branded Expiration Page Presented on Custom Portal

CSCum85487

Data Purging audit report is not exporting

CSCum85930

ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

CSCum86347

ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone

CSCum88817

ISE 1.2 Logs Filled with Unnecessary License Validity Info

CSCum92155

ISE REST API (ERS) - PUT Update Request Removes identityGroups Value

CSCum96035

Guest custom portal password change does not have error handling

CSCun00215

ISE RSA Agent Exhausted Under Heavy Load

CSCun00427

ISE 1.2 match operator return true when LHS is NULL and RHS is constant

CSCun02007

iPEP exhibits slow data transfer rate and packet loss with traffic bursts when using iPEP routed mode.

CSCun08410

Guest Account’s Start and End Time Validated Against System Time Zone

CSCun11240

Guest Sponsor Mapping Report Incorrectly Changes Sponsor

CSCun15601

Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

CSCun25178

Fetching Group Information Takes a Long Time Because of SIDHistory

CSCun25815

ISE 1.2 marks DCs as 'Dead' while doing a 'CAPILdapFetch'

CSCun36350

Patch info is shown after Cisco ISE Patch 7 CLI Rollback in standalone and deployment

CSCun36594

ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

CSCun38402

Exception in CLI after enabling ERS

CSCun41732

Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

CSCun46032

Renew expired certificate

CSCun51094

Bulk Import of Guests by Sponsor Falls in Wrong Guest Role

CSCun60443

No Dashboard or Live Logs for Long Time After Primary MnT Failure

CSCun61928

Not All Authorization Profiles are Recognized by Runtime

CSCun67719

Guest Portal: Error Message When Password Expired Confusing

CSCun68637

SNMP Query Fails to Complete during NMAP-triggered Probe

CSCun70626

Locking issue after reset session database

CSCun93673

ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

CSCun94693

ISE upgrade to 1.2 fails with boot loader error

CSCun97606

ISE Roaming Authentication Failing

CSCuo02708

ERS Port Should Not Request Client Certificate

CSCuo04860

Raise Alarms for EAP Session and Context Limits

CSCuo16503

ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In

CSCuo31160

Support Plus licenses in ISE 1.2.x

CSCuo32987

Endpoint Register Broken

CSCuo34449

ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

CSCuo38618

ISE 1.2 cannot join the unit to Distributed Deployment

CSCuo56780

ISE RADIUS Service Denial of Service Vulnerability

CSCuo63892

CIAM: ISE-commons-fileupload-1-0

This fix addresses third-party software vulnerabilities.

CSCuo73070

CSCuo76078

ISE 1.2 GUI Elements Missing Due to No Advanced License

Cisco ISE, Release 1.2.0, Resolved Caveats

This section lists the caveats that have been resolved in this release.

Resolved Caveats

 

Table 22 Cisco ISE, Release 1.2, Resolved Caveats

Caveat
Description

CSCtj81255

Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.

CSCtn76441

Custom conditions are not updated under Rules in profiling policies.

CSCtn92594

Quickpicker filters are not working correctly during Client Provisioning policy configuration.

CSCto32002

The Cisco ISE MAC address authentication summary report displays IP addresses instead of MAC addresses.

CSCto87799

Guest authentication fails.

CSCtq06832

Time and Date conditions need to be updated correctly when changing time zones.

CSCtq09004

Windows 7 guest access not successful from IE8 and Chrome 10.

CSCtq53690

Scheduled Monitoring and Troubleshooting incremental backup switches off following failed backup attempt.

CSCtr58811

Need to log out and log back in to get Advanced License functionality.

CSCtr66929

Selected month and year while configuring file “Date” condition.

CSCtr88091

You may experience slow response times for some user interface elements when using Internet Explorer 8.

CSCts45441

Weird behavior with creating guest account using start-end time profile.

CSCtt17378

Failed to send notification from UTF-8 Email address.

CSCtu05540

Monitoring and Troubleshooting node does not show Active Directory External Groups following authentication failure.

CSCtv17606

Monitoring and Troubleshooting requires an appropriate error message if backup/restore process fails.

CSCtw79431

Exiting the Cisco Mac Agent while in “pending” state displays the wrong user message.

CSCtw98454

Guest accounting report filter not working.

CSCtx01136

Cisco NAC Agent is not performing posture assessment.

CSCtx03427

Create Alarm Schedule returning XSS error messages.

CSCtx07670

Profiler conditions that are edited wind up corrupting Profiler policies.

CSCtx25213

IP table entry needs cleanup after deregistering a secondary node.

CSCtx31601

Cannot add Network Access user, but able to import users.

CSCtx33747

RBAC admin cannot access deployment page and perform deployment-related functions.

CSCtx51454

Unable to retrieve administrator users list.

CSCtx59957

A warning/pop-up appears while creating a Guest Time profile.

CSCtx74574

Device Configure Deployment option selected after upgrade from software Release 1.0 to Release 1.1.

CSCtx77149

Disk space issue.

CSCtx81905

Cisco ISE returns an error message while registering one node to another.

CSCtx90696

Cisco ISE does not work after updating the IP address.

CSCtx94533

The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”

CSCtx94839

Clicking on logout link on the AUP page of Device Registration Webauth flow appears to do nothing.

CSCtx95251

Deployment page load exceeds six minutes when two or more nodes are unreachable.

CSCtx97190

Cisco 3750 switch is profiled as “Generic Cisco Router”.

CSCty00899

LiveLog Reports cannot be opened.

CSCty01787

Error in Generating XML Output for EndPointIPAddress API.

CSCty02379

Cisco ISE runs out of space due to a backlog of pending messages in the replication queue.

CSCty05157

The Cisco ISE dashboard is not working for administrator user names with more than 15 non-English characters contained in the username.

CSCty10461

Cannot register a Cisco ISE node with UTF-8 characters in administrator name.

CSCty10692

Requirement is used by Policy-Need tooltip on OS.

CSCty15646

Monitoring and Troubleshooting debug log alert settings get reset to WARN.

CSCty16603

Administrator ISE node promotion fails, resulting in disabled replication status.

CSCty19010

Editing Cisco ISE failure reason information returns error message.

CSCty23790

Internet Explorer 8 is unable to import endpoints from LDAP.

CSCty40077

Shared Secret Key for Inline Posture node Network Access Device is not created or updated.

CSCty51260

Active Directory "dn" attribute does not work for authorization policies.

CSCty59165

SNMPQuery Probe events queue runs out of memory.

CSCty87291

Admin Web Portal Requests ID certification When It’s Password authentication-only

CSCty80451

Failed to authenticate external admin (AD user) when configured user to change password at the next log in.

CSCty98551

Race condition between CoA event and persistence event during initial endpoint login.

CSCtz13306

Monitoring and Troubleshooting collector cannot collect posture audit logs to generate report.

CSCtz28057

After upgrade to Release 1.1, Cisco ISE is still in “initializing” state.

CSCtz41262

Authorization policy does not match when the MAC address uses the colon delimiter (00:00:00:00:00:00).

CSCtz41452

Evaluation license counter incrementing when wireless license installed.

CSCtz49846

Cisco ISE does not contain the ASA attribute 146 Tunnel Group Name that is sent on the Access Request.

CSCtz55815

Default Gateway is not changed if the new value is a part of old value.

CSCtz56691

Research In Motion (Blackberry) devices no longer work after upgrade to Cisco ISE, Release 1.1.1.

CSCtz67814

Replication disabled for secondary node.

CSCua00821

Error messages appear when you configure Active Directory via the CLI.

CSCua03889

Guest users are asked to accept the Acceptable Use Policy twice when first logging into Cisco ISE with password change.

CSCua05003

Service status is not correct if the ARP port number changes.

CSCua05433

The endpoint identity import function does not maintain correct identity group membership.

CSCua25187

Employees whose user names are 41 digits long will not see their devices.

CSCub18575

Problem with sponsor accounts starting with a "0"

CSCuc49317

When you have more than 60 authorization policy rules, creating a new rule takes about 4 minutes.

CSCuc61075

With the RADIUS probe disabled, if you indicate a device as lost or reinstate in the My Devices portal, CoA fails.

CSCuc63052

Policy Service node fails to load client certificate for secure syslog configuration.

CSCuc71592

In policy sets, authorization simple condition cannot be used in authorization policy rules.

CSCuc82453

Monitoring data exported in a .csv file from the primary Administration node is empty.

CSCuc87242

If you disable a sponsor user who has logged in to the sponsor portal, the sponsor user’s account is not disabled until the end of the session.

CSCuc92010

Sponsor users who create guest user accounts cannot delete those accounts from the Sponsor Portal.

CSCuc96884

Profiler Feed Service edit and save operations do not work in Internet Explorer 8.

CSCuc97133

Profiler log throws exceptions when you enable FIPS mode on the primary Administration node and FIPS mode is not enabled on the secondary nodes until they are restarted.

CSCud19143

Endpoint filtering does not work for the BYOD Registration and Device Registration Status fields.

CSCud22608

The minimum length of admin and user passwords in the password policy by default becomes four characters, instead of six.

CSCud31778

Policy set page takes a long time to load and save.

CSCud32310

Current Active Sessions report displays an error when the Monitor persona runs on remote node.

CSCud32485

Cannot log in to the sponsor portal after reinstating guest users and accepted the Acceptable Use Policy (AUP).

CSCud38499

Replication of authorization policy fails in a distributed deployment setup if the policy set name includes an underscore (_) character.

CSCud38623

MDM server’s Active status does not reflect the connectivity status.

CSCud38634

Guest sponsor details shows wrong sponsor name.

CSCud39871

Cannot save profiler configuration for a secondary node.

CSCud42216

Authentication request from Apple MAC systems that use the EAP-FAST protocol with inner method GTC or TLS fails.

CSCud43467

Posture reassessment check functionality is not working when you enable posture reassessment for a group of users. If a user moves to the compliant state, the user gains access to the network, but posture reassessment does not happen, and the user’s session gets terminated after a time interval.

CSCud70219

Log.xml files are not cleaned out regularly.

CSCud89273

Passed Numbers Not Appearing on Authentications Dashlet

CSCue14864

Endpoint statically assigned to ID group may appear in different group

CSCuf03318

The Network Setup Assistant fails when the user tries to “Cancel” the Configure Profile Tool.

CSCuf24898

ISE repository max password length 16 characters.

CSCuf47491

Timestamp of core files not preserved in support bundle.

CSCuf76821

.trc and .trm files are not cleaned out regularly.

CSCug20065

Unable to enforce RBAC as desired to a custom administrator.

CSCug59579

Windows 8 not included in Client Provisioning

CSCug59644

Trying dot1X authentication in an Activated Guest with “First Login” time profile fails.

CSCug69311

Not able to connect to SFTP, which is required for secure backups.

CSCug82539

While moving the policies from one profiled node to another, the profiler does not contain the policies in the policy cache.

CSCug90502

ISE Blind SQL Injection Vulnerability.

CSCug91963

Java process crashes when configuring host alias.

CSCug96069

Replication status update fails for all nodes if the network is restored on PAP.

CSCuh02759

While creating a support bundle, an error message appears as “node not reachable”.

CSCuh05950

Certificate missed and node disconnected after PAP promotion failed.

CSCuh07534

While downloading the debug logs from Administration node, an error appears as “Node is not reachable. Please check the node's status”.

CSCuh13582

ISE applies wrong Authorization rule/ profile

CSCuh14228

Internal administrator summary report export not working

CSCuh20322

Need ISE application server restart reason and timestamp

CSCuh23536

RADIUS drop should have last event timestamp

CSCuh25506

Cisco ISE CSRF Vulnerability

CSCuh30587

Backup fails due to ISE restart

CSCuh36333

Successful DACL download authentication is counted under authentication dashlet

CSCuh41450

IP Columns Sort on Char on Network Devices Page

CSCuh45239

Node Status Patch page does not refresh automatically

CSCuh56278

Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails

CSCuh65084

Scroll issue for small screens on Live Log page

CSCuh79596

Freshly Installed Standalone ISE Server Not Logging MDM Events

CSCuh84099

ISE should verify non-printable characters in x.509 certs

CSCuh95845

After internal password change policies using NA conditions match default Policy.

CSCui02984

Sponsor authentication failed for Active Directory user with Sponsor_Portal_Sequence.

CSCui15038

ISE HTTP control interface for NAC Web Agent XSS Vulnerability

CSCui15064

Certain ISE Reports Vulnerable to XSS Injection

CSCui16528

Wrong service selection for NDAC Policy

CSCui21439

Message code texts are blank or incorrect

CSCui21839

“Export Endpoints” Creates Empty File When Quick Filter is On

CSCui22884

ISE presents wrong HTTPS certificate

CSCui26708

ISE node to node HTTP Basic Authentication username and password logged

CSCui30266

ISE MDM Portal Cross-Site Scripting Vulnerability

CSCui30275

Component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack

CSCui34389

RADIUS accounting drop is not suppressed, flooding live log.

CSCui35514

'show tech' script in support bundle needs fixing

CSCui36160

Whitelist and expiration notification.

CSCui36643

ISE Editing schedule report complains of existing report name in use.

CSCui40950

Guest login takes long time and times out.

CSCui42788

Exporting of imported profile policy results a garbled description.

CSCui44324

Backup task can't be configured in ISE 1.2 UI.

CSCui46739

Guest applet fails after update to Java 7 update 25.

CSCui48779

Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some conditions.

CSCui56071

ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

CSCui57100

EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed

CSCui57152

Endpoint Policy not updated for endpoints added using ERS API

CSCui57882

Some expired guest accounts cannot be deleted from PDP

CSCui57933

Purge expired guest accounts does not work

CSCui57961

When editing an expired guest account that cannot be deleted, logs out.

CSCui58390

Multiple names in SAN Field and ISE choose value randomly.

CSCui67495

Uploaded Filenames/Content Not Properly Sanitized

CSCui67511

Certain File Types are not Filtered and are Executable

CSCui71484

ISE SEC PAP has write access via ERS API

CSCui72269

ISE unable to understand SNMP attribute coming from Switch.

CSCui72658

Guest Portal cookies not set as Secure or HTTP Only.

CSCui75335

ISE 1.2 NAC agent fails posture due to 'NAC Server not available.'

CSCui77336

Customized URL ISE self registration not working.

CSCui78135

On Alpha Alarms Still Show Up When We Select All and Acknowledge

CSCui82998

Custom Guest Portal Loops after AUP Due to Loss of Session ID

CSCui83009

Unable to push compliance module to NAC agent on Macs.

CSCui89741

ISE ERS API creates endpoint with invalid format MAC address.

CSCui94488

MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices.

CSCui96322

Default Guest Portal Email Address Limited to 24 Characters

CSCui96960

MNT Livelog/Dashboard performance.

CSCuj01781

ISE uses SAN of user certificate for machine lookup in Active Directory

CSCuj03071

EndPoint update not being saved to PAP due to high latency

CSCuj03131

Lower "Request Rejection Interval" minimum to 5 minutes

CSCuj03697

Allow Tunnel* attributes in policies

CSCuj05295

ISE App server crashed and stuck in initialized state with "null" in collection filter

CSCuj07535

IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2

CSCuj09430

Guest account is not working according to its Time Zone

CSCuj11040

CSCum97337

ISE Should Not Degrade a Profile Based on Problematic User-Agent

CSCuj13804

IE8 gives error on ISE1.2 when accessing the provisioning portal

CSCuj14382

Cannot statically assign IP address as FramedAddress

CSCuj15372

Authentications fail with MDM authentication rules enabled

CSCuj16049

HA Licensing

CSCuj19882

Unable to edit the existing Guest accounts after restoring old backup

CSCuj25038

ERS Service Disabled After Reboot

CSCuj26086

CSCuj80131

ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)

CSCuj28447

Endpoint statically assigned to ID group may appear in different group

CSCuj28968

Guest Activity Report is not working

CSCuj34004

User name change detected for the session removes all session attributes

CSCuj36104

ISE does not allow CRL when the name is the same on two Certificate Authorities

CSCuj36310

“@” Character Not Accepted in Wireless SSIDs Fields

CSCuj38204

ISE does not allow access for guest with no webagent if posture is configured

CSCuj39926

Kaspersky remediation does not appear anymore in the AV remediation

CSCuj45431

ISE Support for Mac OS X 10.9 NAC Agent

CSCuj45766

Add/Remove MDM server never got replicated to PSNs in distributed deployment

CSCuj47806

ISE redirects to default guest pages when it’s configured to redirect to custom pages

CSCuj48111

Hyphen and minus sign can't be entered as first or last name

CSCuj49903

Downloading / viewing large logfiles from PDP causes out of memory error

CSCuj51094

Captured TCPDump file is not working

CSCuj54630

ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server

CSCuj57335

Egress Matrix: require default SGACL that includes log option

CSCuj60796

ISE Support for IE 11

CSCuj61976

Admin UI fails to display certain UI pages when using Firefox 25

CSCuj62435

ISE 1.2 TrendMicro not listed for AV Remediation

CSCuj63046

Text fields impose 24 character limit during guest self-registration

CSCuj66093

86017 Error page sessionExpired.jsp images links are invalid

CSCuj70022

EAP-FAST authenticated provisioning with Android doesn't work

CSCuj72022

Cannot use "Ends With" operator in a Posture condition on ISE

CSCuj82836

Manual CoA - Re-authorization is not working

CSCuj84194

ISE sometimes does not send DACL in authorization profile

CSCuj84427

ISE 1.2 Admin password alerts not functioning properly

CSCuj90823

Guest Portal: IP Refresh Failing in IE 11

CSCuj91050

Creating Guest users shows incorrect timezone 'GMT+2 ECT'

CSCuj95908

ISE does not do domain stripping for Active Directory external store

CSCuj97669

DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname"

CSCuj98726

iOS devices bypass account suspension/lock by starting new EAP session

CSCul02821

MDM attributes doesn't update to Endpoint objective

CSCul02860

Struts Action Mapper Vulnerability

CSCul03127

Struts 2 Dynamic Method Invocation Vulnerability

CSCul03621

Endpoint Profiling Information is not being replicated correctly

CSCul03597

LDAP User Authorization Doesn't Work with EAP-FAST Chaining

CSCul06431

Active Directory attribute value in ATZ profile is not sent

CSCul10677

ISE 1.2 CWA Failure Reason 86017

CSCul13757

Audit records MUST log to External Syslog Servers: CLI log level

CSCul13805

Audit records MUST log to External Syslog Servers: HTTPS idle timeout

CSCul13812

Audit records MUST log to External Syslog servers: SSH publickey

CSCul13883

Audit records MUST log to External Syslog servers: SSH KEX Group14

CSCul13905

Audit records MUST log to External Syslog Servers: CLI clock set

CSCul13946

Audit records MUST log to External Syslog servers: Purge M&T Data

CSCul15967

ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup

CSCul16300

Audit records MUST log to External Syslog servers: CLI idle timeout

CSCul18169

Blocking ISE admin UI access for Chrome browser

CSCul18521

Audit records MUST log to External Syslog servers: VGA CLI AUTHC

CSCul18555

Audit records MUST log to External Syslog servers: SSH conn fail

CSCul23070

CSCul23252

Audit records MUST log to External Syslog Servers: SSH exit forceout

CSCul25066

ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

CSCul29344

ISE 1.2 HTML Custom Pages for Different Portals Not Working.

CSCul35820

ISE Guest Registration Breaks with Apple IOS7 User Name as Emil Address

CSCul42646

Failed to create Posture Condition with "NOT ENDS WITH" Operator

CSCul46893

URL preservation not working with self service guest user in MAB flow

CSCul48352

Right-Click - Copy to MAC and Username in Live Log

CSCul50495

Device Registration failed with Cisco Catalyst 3850 Switch

CSCul50720

Samsung Galaxy S4 cannot be on-boarded in dual SSID flow

CSCul55934

ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting

CSCul58758

Redirecting to 'null' page in the browser after LWA flow with WLC-5500

CSCul58895

ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import

CSCul62175

ISE BYOD enhancement troubleshooting for SCEP

CSCul65045

Cannot create/edit network device if advanced license expired

CSCul66218

Posture delays due to HTTP thread exhaustion

CSCul66272

Terminate Change of Authorization during Posture for Unknown User-agent DynGate

CSCul71176

Endpoints manually assigned to identity groups might change groups randomly

CSCul71532

XML external entity injection found under ERS

CSCul77732

Warning message while creating Guest user with hyphen in Self Registration

CSCul77793

Scheduled Reports Not Exported When Using Illegal Character as a Report Name

CSCul82658

“Strip prefixes listed below” for Active Directory in GUI is a typo

CSCul84544

Retrieval of Active Directory Groups or Attributes from GUI is Failing

CSCul87300

Special Character in LDAP password is not read correctly by ISE

CSCum01290

MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4

CSCum10047

Invalid Account Date When Changing Account Duration

CSCum13453

ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG

CSCum26362

Authentications Details are Missing All the Required Data

CSCum29186

With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

CSCum37237

ISE No Sufficient Permission Error with Bulk Import of Guest Account

CSCum40721

Optional Data Field Not Matching in Authorization Rules

CSCum54099

ISE Does Not Send Sponsor-related syslog Message to External syslog Server

CSCum60627

Client EAP Sessions Never Get Cleared

CSCum69410

ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

CSCum77223

Increase Maximum Login Failures for Guest

CSCum82815

Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login

CSCum82829

Cisco-branded Expiration Page Presented on Custom Portal

CSCum85930

ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

CSCum86347

ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone

CSCum88817

ISE 1.2 Logs Filled with Unnecessary License Validity Info

CSCum92155

ISE REST API (ERS) - PUT Update Request Removes identityGroups Value

CSCum96035

Guest Custom Portal Password Change Does Not Have Error Handling

CSCun00215

ISE RSA Agent Exhausted Under Heavy Load

CSCun08410

Guest Account’s Start and End Time Validated Against System Time Zone

CSCun11240

Guest Sponsor Mapping Report Incorrectly Changes Sponsor

CSCun15601

Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

CSCun25178

Fetching Group Information Takes a Long Time Because of SIDHistory

CSCun36594

ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

CSCun41732

Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

CSCun51094

Bulk Import of Guests by Sponsor Falls in Wrong Guest Role

CSCun60443

No Dashboard or Live Logs for Long Time After Primary MnT Failure

CSCun61928

Not All Authorization Profiles are Recognized by Runtime

CSCun67719

Guest Portal: Error Message When Password Expired Confusing

CSCun68637

SNMP Query Fails to Complete during NMAP-triggered Probe

CSCun93673

ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

CSCun97606

ISE Roaming Authentication Failing

CSCuo02708

ERS Port Should Not Request Client Certificate

CSCuo04860

Raise Alarms for EAP Session and Context Limits

CSCuo16503

ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In

CSCuo32987

Endpoint Register Broken

CSCuo34449

ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

CSCuo56780

ISE RADIUS Service Denial of Service Vulnerability

CSCuo63892

CIAM: ISE-commons-fileupload-1-0

CSCuo73070

CSCuo76078

ISE 1.2 GUI Elements Missing Due to No Advanced License

Resolved Agent Caveats

 

Table 23 Cisco ISE, Release 1.2, Resolved Agent Caveats

Caveat
Description

CSCto03644

Tray icon flickers click focus if user changes applications from login successfully.

CSCto19507

Mac OS X agent does not prompt for upgrade when coming out of sleep mode.

CSCto97422

Auto Popup does not happen after clicking Cancel during remediation failure.

CSCug26558

Live Authentications: Posture links redirect to wrong MAC address and empty report

CSCue98661

Cisco ISE NAC Agent on Windows 8 checks for AV that is not selected

CSCue41912

Posture: Cisco NAC Agent not triggering on Windows 8

Resolved SPW Caveats

Table 24 Cisco ISE, Release 1.2, Resolved SPW Caveats for Windows

Caveat
Description
SPW Version

CSCug95980

Cisco ISE NSP does not support SDIO based wireless adapters.

1.0.0.31

CSCug66885

Windows SPW-Trusted Root CA not set in network profile.

1.0.0.30

CSCud65260

DualSSID_Win7_PEAP_AutoLogin NSP not connecting to Closed SSID.

1.0.0.29

CSCud01247

BYOD: Messages are not localized.

1.0.0.28

CSCud56448

PEAP Supplicant Provisioning does not set Validate Server Certificate.

1.0.0.28

CSCue38943

BYOD: Characters corrupted. A vertical line appears at the end of the Applying Configuration screen.

1.0.0.28

CSCue43405

Windows 8- Dual SSID is broken (MAB + PEAP), if wrong networking password is entered in SPW.

1.0.0.28

CSCue43413

Login failure message displayed in dual SSID (MAB + PEAP).

1.0.0.28

CSCue47503

Win SPW v1.0.0.27 fails with Wired dual SSID (MAB > PEAP).

1.0.0.28

CSCud05296

NSP installation on Windows 8 failed.

1.0.0.26

Table 25 Cisco ISE, Release 1.2, Resolved SPW Caveats for Mac OS X

Caveat
Description
SPW Version

CSCuf61159

Wired MAC10.8.3-Fails to auto re-connect to network using new profile.

1.0.0.21

CSCug16632

BYOD CR: SPW configures the profile and succeeds even when PDP is down.

1.0.0.20

CSCug18081

NSP page does not show status of Mac SPW consistently.

1.0.0.20

CSCuf03318

Network Setup Assistant fails, if user clicks ‘Cancel’ in the Config profile Tool.

1.0.0.19

CSCue53450

Cisco Network Setup Assistant copy right year should be changed.

1.0.0.19

CSCue62005

Macintosh SPW 1.0.0.17 is not able to configure wired adapters.

1.0.0.18

CSCud00349

Translation property file has new line character in the JA translation property file.

1.0.0.17

CSCud64592

MAC OS X 10.6.8: Fails to connect to Closed SSID using the TSL Profile.

1.0.0.16

CSCub29212

In MAC OS X 10.8, modify system network configuration needs confirmation from system administrator.

1.0.0.15

CSCuc42511

Localization for NSP wizards - support for additional languages.

1.0.0.14

CSCub27769

Cisco ISE does not block both wired and wireless interface MAC addresses for lost devices.

1.0.0.13

CSCub65963

Certificate Enrollment is vulnerable to session Hija.

1.0.0.12

CSCub29185

MAC 10.8: Agent and SPW fails to install, when “MAC App Store and identified developers” is selected in the Security & Privacy Preference Pane.

1.0.0.11

Documentation Updates

 

Table 26 Updates to Release Notes for Cisco Identity Services Engine, Release 1.2.x

Date
Description

8/7/2014

Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10.

7/18/2014

Added Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1

7/3/2014

Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9

6/20/2014

6/2/2014

Updated Support for Microsoft Active Directory

5/30/2014

3/26/2014

2/21/2014

Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6

1/22/2014

Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5

12/20/2013

12/5/2013

Added No iPEP Support in Cisco ISE 1.2.x Patches

11/27/2013

10/29/2013

10/28/2013

Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

9/19/2013

8/1/2013

Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1

7/25/2013

Cisco Identity Services Engine, Release 1.2

Related Documentation

Release-Specific Documents

General product information for Cisco ISE is available at http://www.cisco.com/go/ise . End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html .

 

Table 27 Product Documentation for Cisco Identity Services Engine

Document Title
Location

Release Notes for the Cisco Identity Services Engine, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html

Cisco Identity Services Engine User Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Upgrade Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine, Release 1.2 Migration Tool Guide

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine 3300 Series Appliance, Cisco Secure Access Control System 1121 Appliance, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco ISE In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation , which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.