Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco Group Based Policy solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on Cisco Secure Network Server appliances with different performance characterizations, virtual machines (VMs), or on the public cloud.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
What is New in Cisco ISE, Release 3.2?
This section lists the new and changed features in Cisco ISE 3.2.
Cisco Private 5G
From Cisco ISE Release 3.2 onwards, Cisco ISE supports Cisco Private 5G. Cisco ISE provides policy configuration for 5G and 5G authorization, that is implemented with RADIUS authorize-only and accounting flows.
For more information, see "Configure Cisco Private 5G as a service" in the Chapter "Secure Access" in the Cisco ISE Administrator Guide, Release 3.2.
Cisco AnyConnect Rebranding
Cisco AnyConnect is rebranded as Cisco Secure Client.
Cisco ISE 3.2 supports Cisco Secure Client only for Windows OS. Windows OS supports both AnyConnect (version 4.10.5075 and later) and Cisco Secure Client (version 5.00529 and later). You can configure both for your endpoints on Windows OS but only one policy will be considered at run time for an endpoint.
For more information, see the Chapter "Compliance" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
Cisco pxGrid Direct
Cisco pxGrid Direct helps you to connect to external REST APIs that provide JSON data for endpoint attributes. The data that are collected is based on the attributes your specify in your pxGrid Direct configurations. Then, pxGrid Direct stores the collected data in the Cisco ISE database.
This data can be used in the authorization policies. pxGrid Direct helps to evaluate and authorize the endpoints faster as the fetched data is used in the authorization policies. This eliminates the need to query for endpoint attribute data each time an endpoint must be authorized.
Configuration of Authorization Policies for PassiveID Login Users
Check the Authorization Flow check box in the Active Directory Advanced Settings window if you want to configure authorization policies for PassiveID login users.
You can configure an authorization policy to assign an SGT to a user based on the AD group membership. This allows you to create TrustSec policy rules even for PassiveID authorization.
For more information, see "Active Directory Settings" in the Chapter "Asset Visibility" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
Data Connect
The Data Connect feature provides database access to Cisco ISE using an Open Database Connectivity (ODBC) or Java Database Connectivity (JDBC) driver, so that you can directly query the database server to generate reports of your choice. Only read-only access to the data is provided.
You can extract any configuration or operational data about your network depending on your business requirement and use it to generate insightful reports and dashboards.
 Note |
If the Data Connect feature is active on your Cisco ISE Release 3.2 Limited Availability release, when you upgrade to the Cisco ISE Release 3.2 General Availability release you must disable and then enable the Data Connect feature. |
Deploy Cisco ISE Natively on Cloud Platforms
Cisco ISE Release 3.2 is natively available on the cloud platforms Amazon Web Services (AWS), Azure Cloud, and Oracle Cloud Infrastructure (OCI). For information on configuring Cisco ISE on the cloud platforms, see Deploy Cisco Identity Services Engine Natively on Cloud Platforms
EAP-TLS and TEAP Authorization Support with Azure AD
Cisco ISE supports certificate-based authentication and Microsoft Entra ID authorization. The certificate-based authentications can be either EAP-TLS or TEAP with EAP-TLS as the inner method. Then, you can select attributes from Microsoft Entra ID and add them to the Cisco ISE dictionary. These attributes can be used for authorization. EAP Chaining the TEAP User session with an authenticated TEAP Computer session is not supported. Only user authentication is supported.
Endpoint and Logical Profile Summary Report
This report lists the logical and endpoint profiles, and the number of endpoints matching those profiles.
For more information, see "Available Reports" in the Chapter "Maintain and Monitor" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
ERS APIs Open API Specification
The Open API specification (JSON file) for ERS APIs is available for download in the Cisco ISE GUI, in the Overview section of the API Settings window (.
This Open API JSON file can be used for auto-generation of API client code using any programming language such as Python, Java, and so on. For additional information about Open API specifications and tools, see https://openapi.tools/.
ERS APIs PATCH Request Support
Cisco ISE now supports PATCH request for ERS APIs. PATCH request helps in updating a subset of attributes for a resource. Only the attributes sent as part of the request are updated instead of updating the entire configuration for that resource. For more details, see API Reference Guide.
Managing Passwords of Cisco ISE Users
From Cisco ISE Release 3.2, as an internal user of Cisco ISE, you can manage the lifetime of your Enable and Login passwords using the Password Lifetime option. For more information, see "Cisco ISE Users" in the Chapter "Asset Viisbility" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Mobile Device Management Enhancement
You can configure the General MDM or UEM Settings to query multiple MDM servers when the endpoints are not registered with the primary MDM or UEM server, or the primary MDM or UEM server is not reachable.
For more information, see "Configure General MDM or UEM Settings" in the Chapter "Secure Access" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
Posture Condition Script Support
You can create and upload a posture condition script to perform any kind of posture check on an endpoint. The following platforms and script types are supported:
|
Platform |
Supported Script Type |
|---|---|
|
Windows |
PowerShell script (.ps1) |
|
macOS |
Shell script (.sh) |
|
Linux |
Shell script (.sh) |
For more information, see "Add a Script Condition" in the Chapter "Compliance" in Cisco Identity Services Engine Administrator Guide, Release 3.2.
Required URL for Smart Licensing
Cisco ISE Release 3.2 uses https://smartreceiver.cisco.com to obtain Smart Licensing information.
Security Settings Enhancement
When the Allow SHA-1 Ciphers option (under ) is enabled, Cisco ISE allows SHA-1 ciphers for communication with the following Cisco ISE components:
-
Admin Access UI
-
Cisco ISE Portals
-
ERS
-
pxGrid
The following ports are used by these components for communication:
-
Admin Access: 443
-
Cisco ISE Portals: 9002, 8443, 8444, 8445, 8449
-
ERS: 9060, 9061, 9063
-
pxGrid: 8910
This option is disabled by default.
When you upgrade to Cisco ISE Release 3.2, the Allow SHA-1 Ciphers option is disabled even if you have enabled this option before the upgrade. You can enable this option after the upgrade if you want to allow the clients with only SHA-1 ciphers to communicate with Cisco ISE. You must restart all the nodes in a deployment after enabling or disabling this option.
For more information, see "Configure Security Settings" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
Single Entry for Endpoints with GUID in Endpoint Context Visibility Window
If an endpoint that uses random MAC addresses connects to Cisco ISE and meets the following conditions, the Endpoint Context Visibility window displays only the latest MAC address for the endpoint:
-
The endpoint connects to Cisco ISE through a certificate-based authentication method (such as EAP-TLS).
-
The endpoint connects to Cisco ISE through an MDM server.
An endpoint that meets the above conditions is identified through a unique attribute that is called a GUID, instead of its MAC address. In the Cisco ISE GUI, in the Context Visibility > Endpoints window, an endpoint with a GUID is listed only once with its latest random MAC address.
The MDM-GUID column displays the consistent GUID that is assigned to the endpoint.
All the endpoint data that was available with the previous MAC address entry is carried forward to the new entry.
Support for Extra Small Virtual Machine Deployment
Cisco ISE 3.2 supports extra small virtual machine deployment. You can enable only the PSN persona on this node. PAN and MnT personas are not supported for this node.
|
Requirement Type |
Specifications |
|---|---|
|
No of CPU cores |
8 |
|
Memory |
32 GB |
|
Hard Disk |
300 GB |
|
Cloud |
Type/Size/Shape |
vCPU |
Memory |
|---|---|---|---|
|
AWS |
m5.2xlarge |
8 |
32 GB |
|
Azure |
Standard_D8s_v4 |
8 |
32 GB |
|
OCI |
Standard3.Flex |
8 (4 OCPU, where one Oracle Compute Unit (OCPU) is comparable to two vCPUs) |
32 GB |
For more information, see the Cisco Identity Services Engine Installation Guide, Release 3.2.
System 360
System 360 includes Monitoring and Log Analytics.
The Monitoring feature enables you to monitor a wide range of application and system statistics, and the key performance indicators (KPI) of all the nodes in a deployment from a centralized console. KPIs are useful to gain insight into the overall health of the node environment. Statistics offer a simplified representation of the system configurations and utilization-specific data.
Cisco ISE 3.2 and later releases are integrated with Grafana and Prometheus. Grafana is a third-party metrics dashboard and graph editor. It provides a graphical or text-based representation of statistics and counters collected in the Prometheus database. Prometheus is used as the datastore to store the KPIs in time series format. For more information about Grafana, see Grafana documentation.
The Grafana dashboard projects a comprehensive set of quantitative and qualitative data that helps you to analyze system metrics and take informed decisions. You can create customized Grafana dashboards to analyze and monitor the required system metrics. To create customized Grafana dashboards, choose Operations > System 360 > Monitoring.
You can use built-in or custom queries for fetching the required data from the Prometheus data source. While creating Grafana dashboards, you can add new dashboard panels and specify the queries to be used for fetching the Prometheus data in the Queries tab.
The Monitoring service is enabled by default. You can disable or enable this service from Operations > System 360 > Settings.
Log Analytics provides a flexible analytics system for in-depth analysis of endpoint authentication, authorization, and accounting (AAA) and posture syslog data. You can also analyze the ISE health summary and ISE process statuses. You can generate reports similar to the ISE Counters and Health Summary reports. The Log Analytics service runs only on the MnT nodes.
Kibana, an open-source data visualization platform, is used to analyze and visualize the syslog data, and Elasticsearch is used to store and index the syslog data.
To enable Log Analytics, choose Operations > System 360 > Settings and enable the Log Analytics service.
For more information, see "System 360" in the Chapter "Maintain and Monitor" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
View Cisco ISE in Default or Dark Mode
You can now view Cisco ISE in default (light) or dark mode. Choose the default or dark mode from the Account Settings dialog box in the Cisco ISE administrator portal.
See the topic "Apply Default or Dark Mode in Cisco ISE" in the chapter "Basic Setup" in the Cisco ISE Administrator Guide, Release 3.2.
Zero Touch Provisioning – Security Update
The following security features are available, if you provision Cisco ISE through Zero Touch Provisioning (ZTP):
-
Public Key Authentication: You can now login into the Cisco ISE CLI using your private key instead of password. For more information, see Public Key Authentication.
-
First Login Password Change: You will now be prompted to reset the admin password upon the first login into the Cisco ISE GUI. For more information, see First Login Password Change.
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Supported Hardware
Cisco ISE 3.2 can be installed on the following Secure Network Server (SNS) hardware platforms:
|
Hardware Platform |
Configuration |
|---|---|
|
Cisco SNS-3595-K9 (large) |
For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide. |
|
Cisco SNS-3615-K9 (small) |
|
|
Cisco SNS-3655-K9 (medium) |
|
|
Cisco SNS-3695-K9 (large) |
|
|
Cisco SNS-3715-K9 (small) |
|
|
Cisco SNS-3755-K9 (medium) |
|
|
Cisco SNS-3795-K9 (large) |
The following OVA templates are available for SNS 3600 series appliances:
-
ISE-3.2.0.542a-virtual-SNS3615-SNS3655-300.ova
-
ISE-3.2.0.542a-virtual-SNS3615-SNS3655-600.ova
-
ISE-3.2.0.542a-virtual-SNS3655-SNS3695-1200.ova
-
ISE-3.2.0.542a-virtual-SNS3695-1800.ova
-
ISE-3.2.0.542a-virtual-SNS3695-2400.ova
The following OVA templates are available for SNS 3700 series appliances:
-
ISE-3.2.0.542b-virtual-SNS3715-SNS3755-300.ova
-
ISE-3.2.0.542b-virtual-SNS3715-SNS3755-600.ova
-
ISE-3.2.0.542b-virtual-SNS3755-SNS3795-1200.ova
-
ISE-3.2.0.542b-virtual-SNS3795-2400.ova
Note |
Cisco ISE 3.1 Patch 6 and above, and Cisco ISE 3.2 Patch 2 and above support Cisco SNS 3700 series appliances. |
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
-
For Cisco ISE Release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases.
-
OVA templates: VMware version 14 or higher on ESXi 6.7 and ESXi 7.0.
-
ISO file supports ESXi 6.7 and later releasesESXi 6.7, ESXi 7.0, and ESXi 8.0.
You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:
-
VMware cloud in Amazon Web Services (AWS): Host Cisco ISE on a software-defined data centre provided by VMware Cloud on AWS.
-
Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.
-
Google Cloud VMware Engine: Google Cloud VMware Engine runs software defined data centre by VMware on the Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software defined data centre provided by the VMware Engine.
Note
From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE need not be shut down or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.
-
-
Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
-
KVM on QEMU 2.12.0-99
Note
Cisco ISE cannot be installed on OpenStack.
-
Nutanix AHV 20220304.392
You can deploy Cisco ISE natively on the following public cloud platforms:
-
Amazon Web Services (AWS)
-
Microsoft Azure Cloud
-
Oracle Cloud Infrastructure (OCI)
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Federal Information Processing Standard (FIPS) Mode Support
Cisco ISE uses embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 7.2 (Certificate #3790). For details about the FIPS compliance claims, see Global Government Certifications.
When FIPS mode is enabled on Cisco ISE, consider the following:
-
All non-FIPS-compliant cipher suites will be disabled.
-
Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.
-
RSA private keys must be 2048 bits or greater.
-
Elliptical Curve Digital Signature Algorithm (ECDSA) private keys must be 224 bits or greater.
-
Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.
-
SHA1 is not allowed to generate ISE local server certificates.
-
The anonymous PAC provisioning option in EAP-FAST is disabled.
-
The local SSH server operates in FIPS mode.
-
The following protocols are not supported in FIPS mode for RADIUS:
-
EAP-MD5
-
PAP
-
CHAP
-
MS-CHAPv1
-
MS-CHAPv2
-
LEAP
-
Supported Browsers
Cisco ISE 3.2 is supported on the following browsers:
-
Mozilla Firefox versions 102, 103, 104, 105, 106, 107, 108, 110, 113, 114, 119, and 123
-
Google Chrome versions 103, 104, 105, 106, 107, 108, 109, 110, 112, 114, 116, 117, 119, and 122
-
Microsoft Edge versions 103, 104, 106, 107, 108, 109, 112, 115, and 117, 119, and 122
Validated External Identity Sources
Note |
The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC. |
|
External Identity Source |
Version |
|---|---|
|
Active Directory |
|
|
Microsoft Windows Active Directory 2012 |
Windows Server 2012 |
|
Microsoft Windows Active Directory 2012 R2 1 |
Windows Server 2012 R2 |
|
Microsoft Windows Active Directory 2016 |
Windows Server 2016 |
|
Microsoft Windows Active Directory 2019 |
Windows Server 2019 |
|
Microsoft Windows Active Directory 2022 |
Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
|
LDAP Servers |
|
|
SunONE LDAP Directory Server |
Version 5.2 |
|
OpenLDAP Directory Server |
Version 2.4.23 |
|
Any LDAP v3 compliant server |
Any version that is LDAP v3 compliant |
|
AD as LDAP |
Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
|
Token Servers |
|
|
RSA ACE/Server |
6.x series |
|
RSA Authentication Manager |
7.x and 8.x series |
|
Any RADIUS RFC 2865-compliant token server |
Any version that is RFC 2865 compliant |
|
Security Assertion Markup Language (SAML) Single Sign-On (SSO) |
|
|
Microsoft Azure MFA |
Latest |
|
Oracle Access Manager (OAM) |
Version 11.1.2.2.0 |
|
Oracle Identity Federation (OIF) |
Version 11.1.1.2.0 |
|
PingFederate Server |
Version 6.10.0.4 |
|
PingOne Cloud |
Latest |
|
Secure Auth |
8.1.1 |
|
Any SAMLv2-compliant Identity Provider |
Any Identity Provider version that is SAMLv2 compliant |
|
Open Database Connectivity (ODBC) Identity Source |
|
|
Microsoft SQL Server |
Microsoft SQL Server 2012 Microsoft SQL Server 2022 |
|
Oracle |
Enterprise Edition Release 12.1.0.2.0 |
|
PostgreSQL |
9.0 |
|
Sybase |
16.0 |
|
MySQL |
6.3 |
|
Social Login (for Guest User Accounts) |
|
|
|
Latest |
Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.
See the Cisco Identity Services Engine Administrator Guide for more information.
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
Validated OpenSSL Version
Cisco ISE 3.2 is validated with OpenSSL 1.1.1k.
OpenSSL Update Requires CA:True in CA Certificates
For a certificate to be defined as a CA certificate, the certificate must contain the following property:
basicConstraints=CA:TRUE
This property is mandatory to comply with recent OpenSSL updates.
Known Limitations and Workarounds
This section provides information about the various known limitations and the corresponding workarounds.
Cisco ISE Restart Limitation with Disabled pxGrid Direct Connectors
Restarting Cisco ISE when there are disabled pxGrid Direct connectors causes problems with scheduling sync operations using pxGrid Direct connectors following the restart. We recommend you to enable all disabled pxGrid Direct connectors before restarting Cisco ISE, and disable the connectors again following the restart. Alternatively, you could also edit the attributes of the disabled connector (making it an active connector) prior to the Cisco ISE restart as a workaround to this problem.
This problem has been resolved in Cisco ISE Release 3.2 Cumulative Patch 5 and Cisco ISE Release 3.3 Cumulative Patch 2.
Microsoft Compliance Retrieval API Support for Ethernet MAC Address-based APIs
Microsoft Compliance Retrieval API currently does not support the Ethernet MAC attribute for MAC address-based APIs. This limitation will be addressed by Microsoft in January 2024. For wired deployments, we recommended that you to migrate to GUID-embedded certificates before upgrading to the following patches: Cisco ISE Release 3.1 Patch 8, Cisco ISE Release 3.2 Patch 4, or Cisco ISE Release 3.3 Patch 1.
Hot Patch for RADIUS Live Log Delays
In Cisco ISE Release 3.2 Cumulative Patches 2, 3, and 4, you may experience RADIUS live logs delay as explained in CSCwi06794. You must install the following hot patch to fix this issue: ise-apply-CSCwi06794_3.1.x_patchall-SPA.tar.gz.
Hyper-V Installations have DHCP Enabled on eth0 Interface
When Cisco ISE 3.2 main or patch release is installed on Microsoft Hyper-V (fresh installation), DHCP is enabled on eth0 interface. This issue is not seen when you upgrade to Cisco ISE 3.2 main or patch release.
You might see the following issues when Cisco ISE is installed on Hyper-V:
-
Cisco ISE 3.2 node running on Hyper-V will be assigned a DHCP address in addition to the static IP configured during the initial setup.
-
Gateway and NTP ping might fail inconsistently.
-
Cisco ISE GUI might not be accessible in some cases.
-
Deployment and other operations might fail due to network communication issues.
You must install the following hot patch to fix this issue:
ise-apply-CSCwf02093_3.2.x_patchall-SPA.tar.gz
To install this hot patch:
-
Log in to Cisco ISE CLI.
-
Run the following command to install the bundle that will apply the hot patch:
application install ise-apply-CSCwf02093_3.2.x_patchall-SPA.tar.gz <Repository_Name> -
After the hot patch is successfully installed, run the reset-config command on the Hyper-V admin console to reset the network configurations such as ip address/mask/gateway, hostname, domain name, DNS server, and NTP server. This command will not reset the configuration data in Cisco ISE.
Note
-
Note that you need to run the reset-config command on the Hyper-V admin console.
-
You must not use the application reset-config ise command
-
-
Enter the required setup details to complete reset-config operation.
Antimalware Condition for ClamWin Products
You might see the following error message while trying to add an antimalware condition for ClamWin Pty Ltd vendor:
class com.cisco.cpm.posture.exceptions.PostureException:Check am_linux_def_v4_ClamWinPtyLtd is not foundWhen multiple ClamWin products with 0.x version are listed in the Baseline Condition tab, if you select any of those products and configure an antimalware condition, the above error message might be displayed.
In such a scenario, you must run the posture feed update one or more times to remove the multiple entries for 0.x version.
As a workaround, you can select a product from the Advanced Condition tab and configure an antimalware condition for ClamWin Pty Ltd vendor.
Host alias is not added or removed automatically when IPv6 address is configured on an interface
From Cisco ISE Release 3.2 onwards, the host alias of the corresponding IP address is not added or removed automatically, when IPv6 address is configured on an interface. You must add or remove the host alias manually by executing the following ip host commands.
To add the host alias:
ip host 2001:420:54ff:4::456:00 demo demo.cisco.com
To remove the host alias:
no ip host 2001:420:54ff:4::456:00 demo demo.cisco.com
3.2P5 SLR registered Node shows SL registered post patch rollback
If you install Cisco ISE Release 3.2 Patch 5 or later releases on a Cisco ISE node, enable Specific License Registration (SLR), and then roll back to an earlier release, the node is automatically registered to Smart Licensing (SL) instead of SLR. In this case, you cannot return SLR because deregistration or update operations will not work due to incorrect licensing configuration. This issue can be resolved through TAC intervention.
To avoid this, you must return SLR before rolling back to an earlier release. Each node has a unique code that you must submit in the Cisco Smart Software Manager (CSSM) to return SLR. If you had enabled SLR before installing Cisco ISE Release 3.2 Patch 5 or later, you do not have to return SLR before rolling back to an earlier release.
Upgrade Information
Note |
Upgrades cannot be performed on Cisco ISE nodes deployed in native cloud environments. You must deploy a new node with a newer version of Cisco ISE and restore the configuration of your older Cisco ISE deployment onto it. |
Upgrading to Release 3.2
You can directly upgrade to Release 3.2 from the following Cisco ISE releases:
-
2.7
-
3.0
-
3.1
If you are on a version earlier than Cisco ISE, Release 2.7, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.2.
We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.
Cisco ISE, Release 3.2, has parity with the Cisco ISE patch release: 2.7 Patch 7, 3.0 Patch 6, and 3.1 Patch 3, and earlier patches.
Upgrade Packages
For information about the upgrade packages and the supported platforms, see Cisco ISE Software Download.
Upgrade Procedure Prerequisites
-
Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
-
We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Cisco ISE Integration with Cisco Catalyst Center
Cisco ISE can integrate with Cisco Cisco Catalyst Center. For information about configuring Cisco ISE to work with Cisco Catalyst Center, see the Cisco DNA Center documentation.
For information about Cisco ISE compatibility with Cisco Catalyst Center, see the Cisco SD-Access Compatibility Matrix.
Install a New Patch
For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.
For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.
Note |
If you have installed a hot patch on your previous Cisco ISE Release, you must roll back the hot patch before installing a patch. Otherwise, the services might not be started due to integrity check security issue. |
Caveats
The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST).
Note |
The Open Caveats sections list the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.2. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved. |
New Features in Cisco ISE Release 3.2 - Cumulative Patch 5
Opening TAC Support Cases in Cisco ISE
From Cisco ISE Release 3.2 Patch 5, you can open TAC Support Cases for Cisco ISE directly from the Cisco ISE GUI.
For more information, see "Open TAC Support Cases in Cisco ISE" in the Chapter "Troubleshoot" in Cisco ISE Administrator Guide, Release 3.2.
Localized ISE Installation
While reinstalling Cisco ISE, you can use the Localized ISE Install option (option 36) in the application configure ise command to reduce the installation time. Though this option can be used for both Cisco Secure Network Server and virtual appliances, it significantly reduces the reinstallation time for Cisco Secure Network Servers.
For more information, see "application configure" in the Chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco Identity Services Engine CLI Reference Guide, Release 3.2.
On-demand pxGrid Direct Data Synchronization using Sync Now
You can use the Sync Now feature to perform on-demand synchronization of data for pxGrid Direct URL Fetcher connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.
For more information, see "Sync Now: Data Synchronization On-demand" in the "Asset Visibility" chapter in the Cisco ISE Administrator Guide.
Resolved Caveats in Cisco ISE Release 3.2 - Cumulative Patch 5
|
Caveat ID |
Description |
|---|---|
|
GCMP256 authentication for SHA384 with RSA4096 certificate failed |
|
|
PxGrid not showing topic registration details |
|
|
Read-Only permissions for SAML users |
|
|
Data corruptions causing FailureReason=11007 or FailureReason=15022 |
|
|
Endpoint Probe does not clean up SXP mappings |
|
|
When non-mandatory attributes are not included in the PUT requests, those values are reset to empty or default |
|
|
ISE - SSL buffer is not cleared and affects PAC decryption |
|
|
Show CLI commands throws exception after configuring log level to 5 |
|
|
SMS not sent in "Reset Password" flow when a custom "SMTP API Destination Address" is used |
|
|
Wildcard certificate imported on PPAN not replicated to other nodes in deployment |
|
|
External RADIUS server list does not show up after upgrading to ISE 3.2 |
|
|
ISE-PIC license expiration alarms |
|
|
ISE API doesn't recognize identity groups while creating user accounts |
|
|
Vulnerabilities in log4net 2.0.8.0 |
|
|
Endpoints profiled incorrectly as Android devices |
|
|
Aruba-MPSK-Passphrase needs encryption support |
|
|
Unable to delete existing devices in My Device portal after restoring from ISE 2.7 version |
|
|
Unable to create SNMPv3 user with auth and priv passwords equal to 40 characters |
|
|
Need support for system certificate import for multi-node cluster in ISE OpenAPI |
|
|
Unable to filter the TACACS Live Logs via Network Device IP |
|
|
Portals fail to initialize if IPv6 enable is the only IPv6 command on interface |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
|
|
Posture client provisioning resources HTTP error when dictionary attribute contains "-" |
|
|
Excess number of AD groups mapped to sponsor groups causing latency in sponsor login |
|
|
PAN missing non-significant attribute updates of endpoints from PSNs |
|
|
Cannot generate pxGrid client certificate leveraging CSR |
|
|
ISE lwsm decodes are not done properly |
|
|
ISE not allowing special characters for password while importing certificate |
|
|
Posture failure due to expired or invalid license reported as Internal System Error in AnyConnect ISE Posture reports |
|
|
0.0.0.0 default static routes configured on all interfaces get deleted post reload |
|
|
Authorization policy search feature not working |
|
|
Apache Struts Vulnerability Affecting Cisco Products: December 2023 |
|
|
REST Auth service not running on ISE node |
|
|
Acs.Username is not being updated with guest username in first device connection |
|
|
ISE Context Visibility doesn't validate static MAC entries if they miss a separator like colon |
|
|
Radius Authentication report exported from the Operational Data Purging page are empty |
|
|
ISE database not updating the email field for Sponsor Accounts |
|
|
Failure due to case sensitive check when new MDMs are created with the same name but different case |
|
|
All network device groups are deleted when a child item is removed from any group |
|
|
Endpoints purging rule automatically created when duplicate option is used for My Devices portal |
|
|
ISE Abandoned Jedis connections not being sent back to the threadPool |
|
|
Enhancement for encryption to only send AES256 for MS-RPC calls |
|
|
Location group information is missing from policy sets |
|
|
Verify existence of Per-User dACL on ISE configuration |
|
|
Cannot set PreferredDCs registry value in advanced tuning |
|
|
Profiling not processing the Calling Station ID values with the following format "xxxxxxxxxxx" |
|
|
Guest Type save doesn't work when Account Expiration Notification has special or newline character |
|
|
Operational Backups from the GUI fail to SFTP Repositories if the PKI key pair passphrase contains + |
|
|
ISE CLI admin user unable to login after 2 months of inactive period |
|
|
RADIUS Live log delay Regression for CSCwe00424 |
|
|
Enabling only "User Services" enables Admin GUI Access as well. |
|
|
Sponsor portal shows wrong days of week information from [Setting date] tab when using Japanese UI |
|
|
Matching authorization profile with SGT, VN name, Vlan empty causes prrt to crash |
|
|
Gig0 always involved in TCP Handshake of Sponsor FQDN |
|
|
Authorization rule evaluation broken for attempts using eap-chaining and Azure AD groups |
|
|
Additional IPV6-SGT session binding created for IPv6 link local address from SXP Add operation |
|
|
Registering node with left over certificates from deregistration can delete in use certificates |
|
|
Few internal users password not expiring after configured global password expiry days |
|
|
Add a mechanism to fetch user data for pxGrid connector |
|
|
Critical Error displayed while saving changes made to Client Provisioning portal |
|
|
Limited GUI access/Inability to regenerate Root CA when essentials licenses are disabled |
|
|
Unable to save changes in the patch management condition |
|
|
Corrupted NAD profiles are not loaded and authentication failed with FailureReasons 11007 and 15022 |
|
|
Search for MAC Address in xx:xx:xx:xx:xx:xx format ignored |
|
|
ISE Alarm and Dashboard Summary does not load |
|
|
SXP can create inconsistent mapping between IP address and SGT |
|
|
pxGrid Direct: Premier license is required to add a connector, feature should only need Advantage |
|
|
ISE limits connection to AMP AMQP service to TLSv1.0 |
|
|
ISE ERS API - /ers/config/deploymentinfo/getAllInfo returns different data on multi-node deployments |
|
|
ISE 3.2 Self-Reg Email Subject line truncates everything after "=" sign on Sponsor-Guest Portal |
|
|
Unable to change admin password if it contains "$" |
|
|
Enable password of the internal users is created even when this is not specified through ERS API |
|
|
ISE services stuck in initializing state with secure syslog |
|
|
ISE incorrectly routes RADIUS Traffic when multiple static default routes are configured |
|
|
Endpoints with custom attributes used in Never Purge rule are still purged |
|
|
After ADE-OS restore, ISE UI and CLI not accessible in 3.2P1 and above |
|
|
When MnT database usage exceeds threshold,database purge done based on retention days set for RADIUS |
|
|
Administrator Login Report shows "Administrator authentication failed" every 5 minutes |
|
|
Session information is not stored in the timed session cache during third party posture flow |
|
|
Issue while inserting the data to the config folder if any of the connector is disabled |
Open Caveats in Cisco ISE Release 3.2 - Cumulative Patch 5
These are open caveats in Cisco ISE Release 3.2 - Cumulative Patch 5.
|
Caveat ID Number |
Description |
|---|---|
|
In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1Patch 8 Longevity setup. |
New Features in Cisco ISE Release 3.2 - Cumulative Patch 4
Customer Experience Surveys
Cisco ISE now presents customer satisfaction surveys to its users within the administration portal. The periodic administration of customer satisfaction surveys helps us better understand your Cisco ISE experiences, track what is working well, and identify areas of improvement. After you submit a survey, you are not presented with another survey for the next 90 days.
The surveys are enabled by default in all Cisco ISE deployments. You can disable the surveys at a user level or for a Cisco ISE deployment.
For more information, see "Customer Experience Surveys" in the chapter "Basic Setup" in the Cisco ISE Administrator Guide, Release 3.2 .
Microsoft Intune Ends Support for UDID-Based Queries for Its MDM Integrations
From March 24, 2024, Microsoft Intune will not support UDID-based queries for its MDM integrations, as detailed in this Field Notice. The Cisco ISE APIs that fetch required endpoint information from Microsoft Intune MDM integrations have changed in response to this end of support.
From Cisco ISE Release 3.2 Patch 4, Microsoft Intune only provides the following endpoint details in response to compliance APIs:
-
Device compliance status
-
Managed by Intune
-
MAC address
-
Registration status
For more information on these changes, see Integrate MDM and UEM Servers with Cisco ISE.
Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller
You can create profiling policies, authorization conditions, and authentication conditions and policies for Apple, Intel, and Samsung endpoints, using device analytics data from the Cisco Wireless LAN Controllers integrated with your Cisco ISE.
For more information, see "Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller" in the chapter "Asset Visibility" in the Cisco ISE Administration Guide, Release 3.2.
Resolved Caveats in Cisco ISE Release 3.2 - Cumulative Patch 4
|
Caveat ID |
Description |
|---|---|
|
ISE Passive ID session aging time is always an hour irrespective of the configuration. |
|
|
Deleted network device groups still show up on policy sets. |
|
|
ISE crl retrieval failing alarm needs to print the server on which the crl download failed. |
|
|
Unable to delete custom endpoint attribute. |
|
|
Unable to log into secondary administration node's GUI using AD credentials. |
|
|
ISE 3.3 BH SNMP engine ID is the same in all nodes. |
|
|
Dedicated MNT nodes do not replicate the SMTP configuration. |
|
|
ISE Rest API document provided by the script is incorrect while creating the endpoint group. |
|
|
Unable to configure the KRON job. |
|
|
Guest expired accounts do not receive SMS when you reactivate the account. |
|
|
For local and global exception rules, if only SecGroup is selected in results, the rule does not match. |
|
|
GUI does not load when you edit Client Provisioning Portal configuration. |
|
|
'Asset' attributes and pxGrid context-in through OpenAPI. |
|
|
SXP service gets stuck at initializing state due to H2 DB delay in querying bindings. |
|
|
ISE 3.1 portal tag with special character validation issues. |
|
|
MNT log processor runs on a non-management admin ISE node. |
|
|
Unable to match Azure AD group in authorization due to lack of paging in the query to Azure. |
|
|
ISE 3.1 SXP bindings report shows no data found. |
|
|
Inconsistency in VLAN ID and Name 'Error: Not a valid ODBC dictionary'. |
|
|
UI pages do not load properly with custom admin menu workcenter permissions. |
|
|
Firefox 45+/Chrome 72: Incorrect line numbering for DACL. |
|
|
ISE 3.2 P3: PEAP and EAP-TLS do not work in FIPS mode. |
|
|
ISE 3.2.0.542: Hotpatches don't install when both patch and hotpatches are in ZTP Configuration. |
|
|
RADIUS server sequence configuration is corrupted. |
|
|
Reconfiguring repositories with credentials is necessary after restoration of configuration backup. |
|
|
Windows agentless posture does not work if the username starts with $ (dollar sign). |
|
|
ISE 3.1 - Agentless posture flows fail when domain user is configured for endpoint login. |
|
|
In ISE 3.2, the order of IP name-servers in the running configuration is incorrect. |
|
|
Cisco ISE Patch 3.1 NAD radius shares a secret key incorrectly when it starts with an apostrophe symbol. |
|
|
After the admin certificate change, ISE does not restart services if the bond interface is configured. |
|
|
pxGrid Direct: A premier license is required to add a connector. The feature should only need advantage license. |
|
|
The endpoint MAC address is not added to Endpoint Identity Group when using grace access in guest portal. |
|
|
ISE 3.2 patch 3 : Adapter log issue. |
|
|
Context visibility: Endpoint custom attributes cannot be filtered with special characters. |
|
|
Guest portal FQDN is mapped with the IP address of node in DB. |
|
|
Deleting SNMPv3 username with a "-" or "_" character does not delete the hexadecimal username from ISE. |
|
|
ISE 3.1 patch 5 : Guest portal removal failure : ORA-02292: integrity constraint. |
|
|
"no ip name-server" restarts services directly without prompt. |
|
|
ISE 2.7 - Unable to disable active directory diagnostic tool scheduled tests. |
|
|
ISE messaging service oscillating between "Not running" and "Initializing". |
|
|
Agentless script does not run if the computer is not on AC power. |
|
|
The 'terms and conditions' checkbox disappears when Portal Builder is used for ISE 3.0 and higher. |
|
|
ISE 3.0 P6: Policy export does not export policies. |
|
|
ISE 3.1 on AWS shows a false negative on the DNS check for health checks. |
|
|
Guest account cannot be seen by sponsors in a specific sponsor group. |
|
|
ISE Easyconnect stitching does not work if PassiveID happens before active authentication. |
|
|
ISE 3.2 Patch 3: CRL download failure. |
|
|
Unable to select ISE messaging usage (grayed out) for an existing certificate. |
|
|
Using potentially insecure methods - HTTP PUT method accepted. |
|
|
There is an ISE 3.x spelling mistake in API gateway settings. |
|
|
User & endpoint identity groups description field is not editable for long text. |
|
|
Trash All or Selected at pxGrid policy should not touch entries for internal group. |
|
|
ISE agentless posture does not support a password containing the ":" character. |
|
|
ISE exports all network devices and gives an empty file. |
|
|
The ISE "Get All Endpoints" request takes time to execute since Release 2.7. |
|
|
RBAC policy with custom permissions does not work when the administration menu is hidden. |
|
|
Meraki Sync Service does not run immediately after ISE application server restarts. |
|
|
Endpoint .csv file import displays "No file chosen" after selecting a file. |
|
|
Profiler CoA sent with the wrong session ID. |
|
|
ISE in AWS - Health Check input and output bandwidth performance and check false alarm. |
|
|
Launch page level help does not work with patch management, upgrade, and health checks. |
|
|
The ISE maximum session counter time limit does not work. |
|
|
SG and contracts with multiple backslash characters in a row in the description cannot sync with ISE. |
|
|
pxgriddirect-connector.log discrepancy between the actual clock and the time, it prints the logs. |
|
|
Sponsor permissions are disabled on the sponsor portal when accessed from the primary PAN. |
|
|
ISE 3.0: Connection attempt to disallowed domains. |
|
|
ISE Authorization Profile shows the wrong Security Group and VN value. |
|
|
Using an apostrophe in the First Name and Last name fields presents an invalid name error. |
|
|
AnyConnect posture script does not run when the script condition name includes a period. |
|
|
ISE Intune MDM integration might be disrupted due to the End of Support for MAC Address-Based APIs from Intune. |
|
|
Upgrading to 3.2 with LSD disabled before upgrade causes EP profiler exception. |
|
|
ISE limits connection to AMP AMQP service to TLSv1.0 |
|
|
Row of "Manage SXP Domain filters" only displays maximum 25. |
|
|
ISE SXP bindings API call returns 2xx response when the call fails. |
|
|
Unable to disable SHA1 for ports associated with passive ID agents. |
|
|
ENH: Add "Disable EDR Internet Check" tag. |
|
|
ISE 3.2 P3: CoA Disconnect is sent instead of CoA Push during posture assessment with RSD disabled. |
|
|
"Configuration Missing" warning is seen on the log analytics page. |
|
|
TCP socket exhaustion. |
|
|
ISE and CVE-2023-24998. |
|
|
TACACS deployment with 0 days evaluation will not work after registering for smart licensing. |
|
|
Need CoA Port-Bounce while removing ANC Policy with PORT_BOUNCE. |
|
|
Vulnerabilities present in antisamy 1.5.9. |
|
|
There is a mismatch between the FQDN value in the GUI and CLI after performing reset-configuration. |
|
|
Attempting to delete "Is IPSEC Device" NDG causes all subsequent RADIUS/T+ authentications to fail. |
|
|
Dession gets stuck indefinitely until it restarts when NAD (Meraki) misbehaves. |
|
|
ISE drops RADIUS request with the message "Request from a non-wireless device was dropped". |
|
|
A fix to the bug CSCwd35608 is causing CoA calls from UI to be sent to the wrong IP address. |
|
|
TACACS:PSN crashes during max user session authentication flow. |
|
|
ISE 3.1 P5: Agentless posture failures cause /tmp/ folder to increase in size. |
|
|
Profiler triggers port bounce when multiple sessions exist on a switch port. |
|
|
German and Italian emails are not saved under Account Expiration Notification in Guest Types. |
|
|
TopN Device administration reports don't work when TACACS incoming messages exceed 40 million records per day. |
|
|
TLS 1.0/1.1 accepts ISE 3.0 admin portal. |
|
|
ISE 3.2 SNMP does not work after node restarts. |
|
|
Smart license registration fails with "communication send error" alarms intermittently. |
|
|
ISE changes the MAC address format according to the selected MAC address format even when it is unnecessary. |
|
|
Unable to edit or delete authorization profiles with parentheses in their names. |
|
|
Manually deleting the static route will cause ISE to send a packet with the wrong MAC at 3.0 P7. |
|
|
Ct_engine uses 100% CPU. |
|
|
Unable to schedule or edit the schedule for configuration backup. |
|
|
ANC remediation does not function with AnyConnect VPN. |
|
|
ISE does not use a license when authorized with no authZ profile rule. |
|
|
Unable to edit or create admin user due to "xwt.widget.repeater.DataRepeater" error. |
|
|
Vulnerable JavaScript library issue found while executing ZAP. |
|
|
AD Connector does not stop. |
|
|
ISE 3.1 patch 7 : Context Visibility : pxGrid ContextIn : Missing Custom Attributes. |
|
|
Static IPv6 routes are removed after a reload in ISE 3.2. |
|
|
ISEaaS: AWS - Support IMDS v2 issue. |
|
|
Cisco ISE stored cross-site scripting vulnerability. |
Open Caveats in Cisco ISE Release 3.2 - Cumulative Patch 4
These are open caveats in Cisco ISE Release 3.2 - Cumulative Patch 4.
|
Caveat ID Number |
Description |
|---|---|
|
In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1Patch 8 Longevity setup. |
New Features in Cisco ISE Release 3.2 - Cumulative Patch 3
Link External LDAP Users to Cisco ISE Endpoint Groups
From Cisco ISE Release 3.2 Patch 3, you can assign external LDAP user groups to Endpoint Identity Groups for guest devices using the Dynamic option. For more information, see "Create or Edit Guest Types" in the Chapter "Guest and Secure WiFi" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
Split Upgrade of Cisco ISE Deployment from GUI
Split upgrade is a multi step process that enables the upgrade of your Cisco ISE deployment while allowing other services to be available for users. The downtime can be limited in a split upgrade by upgrading the nodes in iterations or batches, although the process might take longer than a full upgrade.
For more information, see "Split Upgrade of Cisco ISE Deployment from GUI" in the chapter "Perform the Upgrade" in the Cisco Identity Services Engine Upgrade Guide, Release 3.2.
Ukrainian Language Support in Portals
Guest, Sponsor, My Devices, and Client Provisioning portals now include Ukrainian as a supported localization language.
Resolved Caveats in Cisco ISE Release 3.2 - Cumulative Patch 3
|
Caveat ID |
Description |
|---|---|
|
SFTP and FTP validation fails through CLI when password is configured with more than 16 characters. |
|
|
ISE 3.2 - System 360 is not available only with Device Admin license. |
|
|
Session.CurrentDate attribute is not calculated correctly during authentication. |
|
|
Posture Assessment By Condition generates ORA-00904: "SYSTEM_NAME": invalid identifier. |
|
|
TrustSec PAC Information Field attribute values are lost when network device CSV template file is imported. |
|
|
TrustSec status cannot be changed if using Japanese UI in ISE. |
|
|
PSN GUI is not accessible when only device administration license is enabled |
|
|
ISE-PIC 3.2 p3 Smart Licensing Disabled PIC Upgrade is out of compliance. |
|
|
ISE-PIC does not show Queue Link errors. |
|
|
Agentless posture fails when using multiple domain users in the endpoint login configuration. |
|
|
SXP service gets stuck into initializing due to H2 DB delay in querying bindings. |
|
|
Unable to retrieve groups or attributes from different LDAPs when defined per node. |
|
|
ISE PassiveID Agent probes the status of all domains even the ones without passiveID configuration. |
|
|
ISE is unable to save the subnet or IP address pool name for voice vlans. |
|
|
Sync status shows as failed when maximum trustsec objects are selected for sync. |
|
|
Network Device Group information is missing when admin account is Read-Only. |
|
|
Multiple requests for same IP+VN+VPN combinations with different session IDs creates duplicate records. |
|
|
ISE date of last purge has wrong timestamp. |
|
|
Radius Server Sequence page shows "no data available". |
|
|
VLAN detection interval should not be more than 30 seconds. |
|
|
SXP service gets stuck in initializing due to an exception on port 9644. |
|
|
Some items are displayed as [Test] in Japanese display. |
|
|
Scheduled report with huge size comes up as empty on the repository when exported. |
|
|
ISE 3.1 and 3.2 - Validation is missing for existing routes during CLI configuration. |
|
|
"Read-only Admin" is not available for ISE admin SAML authentication. |
|
|
ISE - Network device captcha prompts only when filter matches one network device. |
|
|
Admin account created from network access users cannot change dark mode setting. |
|
|
Conditions Studio drag and drop layering. |
|
|
ISE ERS SDK network device bulk request documentation is not correct. |
|
|
Trust store does not update admin certificate after generating new admin certificate. |
|
|
Fix for CSCvz85074 breaks AD group retrieval in ISE. |
|
|
ISE MNT Auth Status API query should be optimized. |
|
|
Radius used space reports incorrect usage as it also takes into account a few TACACS tables. |
|
|
ISE upgrade fails because of custom security group. |
|
|
ISE does not show any error when importing a certificate and prirvate key when the password has % . |
|
|
Data lost when accessing Total Compromised Endpoints in Cisco ISE dashboard Threat for TC-NAC. |
|
|
ISE 3.1P4 and P5: Standalone ISE crashes if restarted after removing admin access restriction. |
|
|
Unable to save launch program remediation when the parameter contains double quote (""). |
|
|
Cisco Identity Services Engine Information Disclosure Vulnerability. |
|
|
ISE 3.2 cannot handle portal customization scripts that include single-line JavaScript comments. |
|
|
Accept client certificate without KU purpose validation as per CiscoSSL rules. |
|
|
Unable to enable the firewall condition in ISE 3.1. |
|
|
Support bundle does not contain tterrors.log and times.log. |
|
|
Deferrred Update condition does not work if compliance module is not compatible whith Secure Client. |
|
|
For SCCM integration with ISE need MSAL support as MS is deprecating ADAL. |
|
|
ISE 3.2 crashes with VN in authorization profile. |
|
|
Vulnerabilities in hibernate-validator - multiple versions. |
|
|
ISE 3.2 SAML sign authentication request setting gets unchecked on being saved. |
|
|
ISE 3.2 P1 establishes connections to servers not listed in ISE ports or resources reference guides. |
|
|
Mnt Log Processor service stops every night. |
|
|
ISE 3.2: Ports for Guest Portal configuration do not open on ISE nodes installed on AWS node. |
|
|
ISE filter of REST ID Store Groups displays: Error Processing this request. |
|
|
Failed to handle API resource request: Failed to convert condition. |
|
|
In ISE the SMS Javascript Customization does not work for SMS email gateway. |
|
|
ISE - latest IP access restriction configuration removes previous configuration. |
|
|
ISE 3.1 OpenAPI Error 400 when device admin network conditions are fetched. |
|
|
Update warning message while changing timezone. |
|
|
From ISE 3.2, clear text passwords must be entered in the identity-store command. |
|
|
ISE 3.1 services fail to start after restoring backup from old ISE vrsion 2.7. |
|
|
ISE Certificate API fails to return trusted certificate with hash character in friendly name. |
|
|
Permission for collector.log file is set as root automatically. |
|
|
Make MDM API V3 certificate string case insensitive. |
|
|
GUI does not validate default value while adding custom attributes. |
|
|
ISE smart licensing now uses smart transport. |
|
|
ISE SAML certificate does not replicate to other nodes. |
|
|
Vulnerabilities in spring-framework 5.1.3. |
|
|
User Custom Attributes are stuck on rendering. |
|
|
IotAsset information is missing when Get All Endpoints is invoked. |
|
|
Static IP-SGT mapping with VN reference causes DNAC Group-Based Policy sync to fail. |
|
|
Unable to create Scheduled backup with admin user from "System Admin" AdminGroup. |
|
|
CPU spike due memory leak with EP purge call. |
|
|
ISE-PIC 3.1 : PIC License : Consumption 0. |
|
|
UI shows HTML hexadecimal code for the characters in the command set. |
|
|
ERS API internal error seen while creating existing NDG. |
|
|
ISE displays tomcat stacktrace when using a specific URL. |
|
|
Getting pxGrid error logs in ise-psc.log after disabling pxGrid. |
|
|
ISE 3.2 Missing S-PAN Key for PKI-based SFTP. |
|
|
EAP-TLS authentication with ECDSA certificates fails on ISE 3.1. |
|
|
REST AUTH services not running after upgrade from ISE 3.1 to version 3.2. |
|
|
Unable to import certificates on secondary node post registration to the deployment. |
|
|
ISE IP SGT static mapping is not sent to SXP domain on moving it to another mapping group. |
|
|
TACACS Command Accounting report export does not work. |
|
|
ISE Change Configuration Audit Report does not clearly indicate SGT create and delete events. |
|
|
Unable to add Network Access Device. Reason: "There is an overlapping IP Address in your device" . |
|
|
Sponsored Portal in Germany - Calendar shows Thursday (Donnerstag) as Di not Do. |
|
|
ISE Authorization Profile displays wrong Security Group and VN value. |
|
|
ISE 3.1 Patch 3 : Sponsor Portal : Session Cookie SameSite value set to none. |
|
|
Registered Endpoint Report shows unregistered guest devices. |
|
|
ISE 3.1 ENH "Illegal hex characters in escape (%) pattern ? for input string: ^F". |
|
|
Post SL update, ISE licensing page shows evaluation compliance status for consumed licenses. |
|
|
Vulnerabilities in jszip 3.0.0. |
|
|
Authorization policy evaluation fails due to NullPointerException in LicenseConsumptionUtil.java. |
|
|
LSD causes high bandwidth utilization. |
|
|
Enhancement: To have separate log file with MNT DB metrics. |
|
|
Guest portal displays "Error Loading Page" when reason for visit field contains special characters. |
|
|
During upgrade the deregister call fails to remove all the nodes from the database. |
|
|
Issues with ISE 3.2 admin access restriction. |
|
|
No validation of PBIS reg key configuration on advance tuning page. |
|
|
Qualys adapter is unable to download the knowledge base - Stuck in knowledge download in progress. |
|
|
ISE cannot retrieve OU attributes from client certificate in EAP-TLS session resumption. |
|
|
ISE AD Connector fails during join. |
|
|
Import saml metadata fails. |
|
|
DNSCache enabling command in FQDN syslog popup needs correction. |
|
|
Unable to change the condition operator from AND to OR in posture policy condition. |
|
|
ISE 3.2 : Data Connect password about to expired alarm every minute. |
|
|
Certificate based GUI admin login stuck. |
|
|
Passive D agent sends incorrect time format events. |
|
|
Cisco Identity Services Engine Denial of Service Vulnerability. |
|
|
ERS API schema for network device group creation. |
|
|
ISE SAML destination attribute is missing for signed authentication requests. |
|
|
ISE 3.2 Unable to delete the rules which are added during the time of adding IP access rule. |
|
|
ISE Replication: SyncRequest timeout monitor thread does not kill file transfer after timeout. |
|
|
ISE 3.2 : APIC Integration : com.cisco.cpm.apic.ConfImporter:521 - Failed to get EPs null. |
|
|
ISE 3.1 - Key attributes are missing in SessionCache when third party network device profile is in use. |
|
|
Authentication against ROPC identity store fails with RSA key generation error. |
|
|
WMI status shows progress after mapping from agent protocol to WMI protocol. |
|
|
Passwords with more than 16 characters are not supported in ISE 3.2 for identity-store configuration command. |
|
|
ISE does not remove SXP mapping when SGT is changed after CoA. |
|
|
Unable to download support bundle with size over 1GB from GUI. |
|
|
ISE nodes intermittently trigger Queue Link alarms : Cause=Timeout. |
|
|
NTP authentication key with more that 15 characters getting % ERROR: bad hashed key. |
|
|
Exception error messages observed when debug log level is enabled on meraki-connector. |
Open Caveats in Cisco ISE Release 3.2 - Cumulative Patch 3
These are open caveats in Cisco ISE Release 3.2 - Cumulative Patch 3.
|
Caveat ID Number |
Description |
|---|---|
|
PEAP and EAP-TLS don´t work on FIPS mode. |
|
|
In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1Patch 8 Longevity setup |
New Features in Cisco ISE, Release 3.2 - Cumulative Patch 2
Bulk Update and Bulk Delete Support for Context-In API in pxGrid Cloud
From Cisco ISE Release 3.2 Patch 2, you have context-in API support in pxGrid Cloud for bulk updation and bulk deletion of endpoints. For more information, see the Cisco pxGrid Cloud Onboarding Guide and the Cisco ISE API Reference Guide.
pxGrid Direct Enhancements
pxGrid Direct is no longer a controlled introduction feature. Before you upgrade to Cisco ISE Release 3.2 Patch 2 from Cisco ISE Releases 3.2 or 3.2 Patch 1, we recommend that you delete all configured pxGrid Direct connectors and any authorization profiles and policies that use data from pxGrid Direct connectors. After you upgrade to Cisco ISE Release 3.2 Patch 2, reconfigure pxGrid Direct connectors.
Note |
If you do not delete the configured pxGrid Direct connectors, the connectors are automatically deleted during the upgrade. This deletion results in uneditable and unusable authorization profiles and policies that you must delete and replace with new ones. |
For more information on changes to the pxGrid Direct feature, see "pxGrid Direct" in the chapter "Asset Visibility" in the Cisco ISE Administration Guide, Release 3.2.
Support for Cisco Secure Network Server 3700 Series Appliance
The Cisco Secure Network Server (SNS) 3700 series appliances are based on the Cisco Unified Computing System (Cisco UCS) C220 Rack Server and are configured specifically to support Cisco ISE. Cisco SNS 3700 series appliances are designed to deliver high performance and efficiency for a wide range of workloads.
The Cisco SNS 3700 series appliances are available in the following models:
-
Cisco SNS 3715 (SNS-3715-K9)
-
Cisco SNS 3755 (SNS-3755-K9)
-
Cisco SNS 3795 (SNS-3795-K9)
Cisco SNS 3715 appliance is designed for small deployments. Cisco SNS 3755 and Cisco SNS 3795 appliances have several redundant components such as hard disks and power supplies and are suitable for larger deployments that require highly reliable system configurations.
For more information, see the Cisco Secure Network Server 3700 Series Appliance Hardware Installation Guide.
Note |
Cisco ISE 3.2 patch 2 and later versions support Cisco SNS 3700 series appliances. You cannot rollback to Cisco ISE 3.2 after installing the first patch (Cisco ISE 3.2 patch 2 or later) on an SNS 3700 series appliance. |
Note |
Cisco ISE 3.2 upgrade bundle has been replaced on the Cisco ISE Software Download site. You must use the new upgrade bundle (ise-upgradebundle-2.7.x-3.1.x-to-3.2.0.542b.SPA.x86_64.tar.gz) to upgrade from Cisco ISE 3.1 to Cisco ISE 3.2 on SNS 3700 series appliances. |
Resolved Caveats in Cisco ISE Release 3.2 - Cumulative Patch 2
|
Identifier |
Headline |
|---|---|
|
Could not create Identity User if the user custom attribute includes $ or ++ |
|
|
pxGrid session publishing stops when reintergrating FMC while P-PIC is down |
|
|
PRRT should be sending unfragmented messages to MnT if IMS is enabled to avoid merge |
|
|
ISE 3.2 ROPC basic serviceability improvements |
|
|
ISE 3.1 Azure AD Autodiscovery for MDM API V3 is incorrect |
|
|
Cisco Identity Services Engine Command Injection Vulnerability |
|
|
Configuration changed is not working when assigning an endpoint to a group |
|
|
ISE 3.1 P4 Passive DC configuration failing to save username correctly |
|
|
Can't add quotation character in TACACS authorization profile |
|
|
IndexRebuild.sql script ran over MnT |
|
|
Issues with ISE 3.2 Admin Access restriction |
|
|
Entering incorrect password on GUI shows end user agreement |
|
|
Automatic backup stops working after 3 - 5 days |
|
|
High CPU utilization when Agentless Posture is configured |
|
|
ISE 3.2 Patch 1: Unable to Parse CLI Admin Username with '-' (hyphen/dash) |
|
|
APIC Integration missing fvIP subscription |
|
|
ERS API doesn't allow for use of minus character in "Network Device Group" name |
|
|
Interface status is showing UP even after shutdown |
|
|
AD Retrieve Groups shows a blank page when loading a huge number of AD groups (400+) |
|
|
ISE not deleting sessions from All SXP Mapping table |
|
|
Network Device Profile shows HTML code as name |
|
|
Error Loading Page error is shown when creating a guest account in the Self-Registered Guest portal |
|
|
Sync status shows as failed when maximum TrustSec objects selected for Sync |
|
|
GUI TCPDUMP gets stuck on Stop_In_Progress |
|
|
ISE- SQLException sent to the Collection Failure Alarm caused by NAS-Port-id length |
|
|
ISE fails to translate AD attribute of msRASSavedFramedIPAddress |
|
|
IP Addresses/Device Groups fields in Network Device Port Conditions page doesn’t accept valid port strings |
|
|
All NADs are deleted when you filter network devices by IP and Location |
|
|
Internal CA Certificate Chain becomes invalid when original PPAN is removed |
|
|
ISE fails to establish a secure connection when a new certificate is imported for a portal using same subject and signed by an external CA (without CSR) |
|
|
URI not accepted as Group attribute or as Name in Assertion of attributes for SAML IdP in ISE 3.1/3.2 |
|
|
Allow Guest Portal HTTP Requests containing Content-headers with {} characters |
|
|
Radius Token Server config accepts empty host IP for Secondary Server |
|
|
Self-reg portal does not support nodes FQDNs for the Approve/Deny links sent to the sponsors |
|
|
ISE not sending hostname attribute to DNAC |
|
|
Re-profiling result is not saved in Oracle and VCS DB after feed incremental update |
|
|
Unable to change the Identity source from internal to external RSA/RADIUS-token server |
|
|
PUT operation failing with payload via DNAC to ISE (ERS) |
|
|
ISE displays mismatched information on "Get All Endpoints" report |
|
|
Duplicate Manager doesn't remove packet when there is an exception in reading config |
|
|
Anomalous behavior detection is not working as expected |
|
|
Incorrect SLR out of compliance error reported in ISE |
|
|
ISE-DNAC integration fails if there are invalid certificates in ISE Trusted Store |
|
|
ISE vPSN with IMS performance degrades by 30-40% compared to UDP syslog |
|
|
Unable to join node to AD by REST API if we configure a specific OU |
|
|
Getting Null System Error while editing the groups and adding Name in Assertion under SAML |
|
|
16-character passwords are not supported in ISE 3.2 for sftp configuration |
|
|
Online Page level Help IDs for meraki-connector pages in ISE GUI |
|
|
Vertical Scrollbar bug in ISE 3.1 |
|
|
Session directory write failed alarm with Cisco NAD using "user defined" NAD profile |
|
|
Not able to configure KRON Job |
|
|
Authentication failed due to missing certificate private key |
|
|
"The phone number is invalid" error message seen when trying to import users from csv file |
|
|
Certificate based login asks for license file if only the Device Admin license is enabled |
|
|
ISE upgrade tab shows upgrade in progress after installing patch |
|
|
ISE Authentication latency from devices with no mac address |
|
|
PKI-enabled SFTP repositories not working in ISE 3.2 |
|
|
CIAM: xstream 1.4.17 |
|
|
ISE openAPI restore shows Completed_With_Success 25 minutes before CLI command "show restore status" does |
|
|
Smart license registration is not working properly |
|
|
When using certificate based authentication, attempt to access ISE GUI results in access permission error |
|
|
Configuration backup executed on Primary MnT node |
|
|
Session stitching support with ISE PIC agent |
|
|
"Posture Configuration detection" alarms should be "INFO" level and reworded |
|
|
Cisco DNA Center integration issue due to multiple internal CA certificates |
|
|
OpenAPI for EP create/update should work same as ERS API in addition to providing more functionality |
|
|
MDM Connection to Microsoft SCCM fails after Windows DCOM Server Hardening for CVE-2021-26414 |
|
|
Live session get stuck at "Authenticated" state |
|
|
Cisco AI Analytics doesn't work with Proxy configured as IP Address |
|
|
ISE 3.1p5 verifies CA certificate EKU leading to "unsupported certificate" error |
Open Caveats in Cisco ISE Release 3.2 - Cumulative Patch 2
These are open caveats in Cisco ISE Release 3.2 - Cumulative Patch 2.
|
Caveat ID Number |
Description |
|---|---|
|
A match authorization profile with SGT, VN name, VLAN fields empty causes port to crash. |
|
|
Accept client certificate without KU purpose validation per CiscoSSL rules. |
|
|
In Cisco ISE Release 3.2, hyper-V installations have DHCP enabled. |
|
|
Cisco ISE Releases 3.1 and 3.2: Missing validation for existing routes during CLI configuration. |
|
|
No response received from SNMP server when the "snmp-server host" is configured in Cisco ISE Release 3.2 patch 2. |
|
|
In Cisco ISE Release 3.2, the SNMP is not working following a node restart. |
|
|
The latest IP access restriction configuration removes the previous configuration in Cisco ISE. |
|
|
In Cisco ISE Release 3.2, users are not able to delete the rules which were added during IP access rule addition. |
|
|
In Cisco ISE Releases 3.1 patches 4 and 5, a standalone Cisco ISE node is crashing if it is restarted after removing the admin access restriction. |
|
|
In Cisco ISE Release 3.2 Patch 1, the Cisco ISE GUI and CLI are inaccessible following a configuration restoration with ADE-OS. |
|
|
Cisco ISE cannot retrieve multiple attribute values from the client's certificate in EAP-TLS session. |
|
|
In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1Patch 8 Longevity setup. |
New Features in Cisco ISE, Release 3.2 - Cumulative Patch 1
Note |
The in-app Online Help does not contain information on the features and enhancements in Cisco ISE Release 3.2 Patch 1. For configuration information on the following new features and enhancements, see the Cisco Identity Services Engine Administrator Guide, Release 3.2. |
Extended Support for Cisco Secure Client
Cisco ISE 3.2 Patch 1 supports both AnyConnect and Cisco Secure Client for Windows, macOS, and Linux operating systems. The following Cisco Secure Client versions are supported for these operating systems:
-
Windows: Cisco Secure Client version 5.00529 and later
-
macOS: Cisco Secure Client version 5.00556 and later
-
Linux: Cisco Secure Client version 5.00556 and later
You can configure both AnyConnect and Cisco Secure Client for your endpoints on these operating systems but only one policy will be considered at run time for an endpoint.
Note |
Cisco ISE 3.2 supports Cisco Secure Client only for Windows OS. |
For more information, see the Chapter "Compliance" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
Meraki Connector for Cisco ISE
Cisco ISE and cloud-based Cisco Meraki are TrustSec-enabled systems that are policy administration points for TrustSec policies. If you use both Cisco and Meraki network devices, you can connect one or more Cisco Meraki dashboards to Cisco ISE to replicate TrustSec policies and elements from Cisco ISE to the Cisco Meraki networks belonging to each organization.
For information on configuring Meraki Connectors, see "Connect Cisco Meraki Dashboards with Cisco ISE" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.2.
pxGrid Cloud Support for Context-in
From Cisco ISE Release 3.2 Cumulative Patch 1, pxGrid support for context-in is available. pxGrid Cloud context-in support is provided through ERS and Open APIs. For more information, see the pxGrid Cloud Onboarding Guide.
Support for Cisco AI Analytics
Cisco ISE 3.2 patch 1 and later releases support Cisco AI Analytics. The Cisco AI Analytics agent queries the endpoints data from Cisco ISE and sends it to AI cloud at regular intervals. This data can be used to reduce the number of unknown endpoints in the network by providing AI-based endpoint groupings, automated custom profiling rules, and crowd-sourced endpoint labels.
For more information, see "Enable Cisco AI Analytics" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.2.
SGT Reservation using OpenAPI
From Cisco ISE 3.2 patch 1 onwards, SGT reservation through OpenAPI is supported. For more information, see Cisco Identity Services Engine API Reference Guide.
Resolved Caveats in Cisco ISE Release 3.2 - Cumulative Patch 1
|
Caveat ID |
Description |
|---|---|
|
Patch install from UI fails |
|
|
ISE hourly cron should cleanup the cached buffers instead of the 95% memory usage |
|
|
ISE TCPDUMP stuck at "COPY_REPO_FAILED" state when no repository is selected |
|
|
ISE TrustSec Logging - SGT create event is not logged to ise-psc.log file |
|
|
ISE 3.1 TFTP copy times out |
|
|
ISE 3.1 patch 3 SAML SSO doesn't work if active PSN is down |
|
|
Save button for SAML configuration grayed out |
|
|
Not able to add too many Authorization Profiles with active session alarm setting |
|
|
Node syncup fails to replicate wildcard certificate with the portal role |
|
|
Metaspace exhaustion causes crashes on ISE node |
|
|
Scheduled backup failure when ISE indexing engine backup failed |
|
|
Guest locations do not load in the ISE Guest Portal |
|
|
Cisco Identity Services Engine Unauthorized File Access Vulnerability |
|
|
ISE 3.0 NFS share stuck |
|
|
Toggle to enable/disable RSA PSS cipher based on policy under Allowed Protocols |
|
|
Sec_txnlog_master table should be truncated post 2 million record count |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|
|
Error with SNMPv3 privacy password in ISE 3.1 |
|
|
ISE is sending old Audit Session ID in reauthentication CoA after successful port-bounce CoA |
|
|
Cisco Identity Services Engine Insufficient Access Control Vulnerability |
|
|
ISE 3.1 creates cni-podman0 interface with IP 10.88.0.1 and ip route for 10.88.0.0/16 |
|
|
Slowness in the Support Bundle page due to Download Logs page loading in the background |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
|
|
Intermittent issues with App activation or App not receiving events |
|
|
ISE abruptly stops consuming passive-id session from a third party Syslog server |
|
|
ISE 3.2 SFTP repositories not operational from GUI after clicking "generate key pairs" |
|
|
ISE cannot retrieve repositories and scan policies of Tenable Security Center |
|
|
ISE 3.2 ERS POST /ers/config/networkdevicegroup fails due to broken attribute othername/type/ndgtype |
|
|
RMQForwarder thread to control based on hardware Appliance in platform.properties |
|
|
"All devices were successfully deleted" message displayed while trying to delete a NAD by filtering |
|
|
ISE 3.2 Authorization Profile does not persist VLAN name string for SDA SG-VN-VLAN use case |
|
|
ISE RADIUS and PassiveID session merging |
|
|
Not able to access Time Settings Configuration Export on ERS API |
|
|
Add serviceability and fix "Could not get a resource since the pool is exhausted" error in ISE 3.0 |
|
|
ISE 3.1 patch 3 unable to import endpoints from csv file if SAML is used |
|
|
"Unknown CA" Queue Link error when using third-party signed certificate for IMS |
|
|
CLI password change doesn't persist in Confd DB after "password" command |
|
|
Unable to download rest-id-store from Download Logs on GUI |
|
|
ROPC AD groups retrieval is not working with 53k and above groups |
|
|
The change of profiling policy name is not reflected in the policy set conditions |
|
|
"File path field must contain a valid file name" error when configuring file conditions for posture. |
|
|
PPAN application server stuck at initializing state |
|
|
ISE 3.2 can't save Group Membership attribute for SAML service provider |
|
|
ISE 3.0 patch 6 missing scheduled reports |
|
|
ISE 3.0 not saving SCCM MDM server object with new password, works when new instance is used |
|
|
Latency observed during query of Session.PostureStatus |
|
|
Authentication step latency for policy evaluation due to GC activity |
|
|
SAML flow with load balancer is failing due to incorrect token handling |
|
|
ANC CoA is sent to the NAS IP address instead of the Device IP address |
|
|
Getting error while creating network device groups via REST API |
|
|
LSD is causing high CPU usage |
|
|
Windows Server 2022 is actually working as the target domain controller to be monitored |
|
|
ISE 3.0 patch 4 unable to access system certificates page for the registered node |
|
|
Profiler should ignore non-positive RADIUS syslog messages for forwarding from default RADIUS probe |
|
|
Cisco Identity Services Engine Interface Feature Insufficient Access Control Vulnerability |
|
|
ISE 3.2 Safe mode not enabled |
|
|
ISE openAPI HTTP repo patch install fails when dir listing is disabled |
|
|
ISE scheduled radius authentication reports failed while exporting to SFTP repository |
|
|
Posture Requirements only show the default entry |
|
|
Static default route with gateway of interfaces other than Gig 0 breaks network connectivity |
|
|
Cisco Identity Services Engine Command Injection Vulnerability |
|
|
Application server crashes if CRL of size 5 MB or more is downloaded frequently |
|
|
ISE 3.1 patch 1 does not create Rest ID/ROPC folder logs |
Open Caveats in Cisco ISE Release 3.2 - Cumulative Patch 1
|
Caveat ID |
Description |
|---|---|
|
Sync status shows as failed when maximum TrustSec objects are selected for sync. |
|
|
Exception error messages seen when Debug log level is enabled on meraki-connector. |
|
|
System Error : Null while editing the groups and adding Name in Assertion under SAML. |
|
|
Sync Cycle does not end when meraki-connection is deleted from ISE. |
|
|
Page level online help for Meraki Connector is not available. |
|
|
Dashboards created using the changed Time fields:acs_timestamp would not show up after patch install. |
|
|
In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1Patch 8 Longevity setup. |
Known Limitations in Cisco ISE Release 3.2 - Cumulative Patch 1
Custom Log Analytics Dashboards are not Displayed After Patch Install
Custom Log Analytics dashboards that are created in Cisco ISE Release 3.2 are not displayed after you install Cisco ISE Release 3.2 Patch 1. To view those dashboards, you must export all the custom dashboards from Kibana (as json files) before upgrading to Cisco ISE 3.2 patch 1, and import those dashboards on the MnT node after installing Cisco ISE 3.2 patch 1.
These dashboards will not be displayed even if you restore Cisco ISE 3.2 operational backup on an Cisco ISE 3.2 patch 1 node. As mentioned earlier, you must export the dashboards from Kibana and import them after patch install.
After installing Cisco ISE 3.2 patch 1, the Log Analytics dashboards with visualization created using the following attributes might show an error:
-
acs_timestamp
-
acsview_timestamp (for all indices except TACACS)
-
generated_time for TACACS indices
-
IP address field in all indices
Do the following to fix this error:
-
Replace acs_timestamp with logged_at_timezone
-
Replace acsview_timestamp with logged_at
-
Replace generated_time with logged_at_timezone
-
Consider ipaddress as a text field
Cisco ISE 3.2 Files Replaced on Software Download Site
Cisco ISE 3.2 OVA, ISO, and upgrade bundle files have been replaced on the Cisco ISE Software Download site.
What Changes are Made?
-
The following bug is resolved in this build:
-
CSCwd13425: Patch installation on the ISE 3.2 GUI fails.
-
Note |
|
Open Caveats in Cisco ISE Release 3.2
The following table lists the open caveats in Release 3.2
| Caveat ID | Description |
|---|---|
| CSCwc75986 | The endpoint debug report in Cisco ISE Release 3.2 shows the error "No Data Available". |
| CSCwb16640 | In Cisco ISE Release 3.2, the authorization profile does not persist with the VLAN name string for SDA SG-VN-VLAN use case. |
| CSCwc54812 | Upgrade preparation results in a thread dump due to a high load. |
| CSCwc73330 | The last name of the internal user is not added properly while creating a user in Cisco ISE Release 3.2. |
| CSCwc83059 | After a full upgrade, the VCS information is missing. |
| CSCwc41697 | Legacy split upgrade fails on PSN from when upgrading from Cisco ISE Release 3.1 Patch 3 to Cisco ISE Release 3.2.0.483 after the secondary PAN upgrade. |
| CSCwc74251 | PRRT - A Response signature verification failure issue occurs for pxGrid clients when performing an OCSP check. |
| CSCwe99609 |
Timestamps need readjustment whenever the timezone is changed. |
| CSCwe99666 |
Live logs and live sessions pages are displayed in an incorrect sorting order when the timezone is changed on the PSN and MnT nodes |
| CSCwe99706 |
Session data is shown at the bottom when PSNs are in different timezones. |
|
An upgrade to Cisco ISE Release 3.2 with LSD disabled prior to the upgrade causes an EP profiler exception. |
|
|
Cisco ISE Monitoring GUI page is stuck at "Welcome to Grafana". |
|
|
In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1Patch 8 Longevity setup |
Resolved Caveats in Cisco ISE Release 3.2
|
Bug ID |
Reason |
|---|---|
| CSCwd13425 |
Patch install from the Cisco ISE GUI fails. |
|
Unable to fetch the attributes from ODBC after upgrading Cisco ISE to Cisco ISE Release 3.0 patch 3. |
|
|
Cisco ISE XML external entity injection vulnerability. |
|
|
The secondary administrative Cisco ISE node is causing services to restart on the primary administration node. This causes a mismatch in the documentation. |
|
|
/ers/config/<obj>/bulk/submit returning invalid Location URI /ers/config/<obj>/bulk/submit/<bulkID> |
|
|
Unsupported message code 91104 and 91105 alarms. |
|
|
AD users in Super Admin group can't create or edit admin user. The error "Operation is not permitted" is displayed. |
|
|
RADIUS reports older than 7 days are empty (regression of CSCvw78289). |
|
|
NTP (' - ') source state description missing in Cisco ISE CLI. |
|
|
Vulnerability assessment for CVE-2021-35599 on Oracle DB. |
|
|
PGA memory used by the instance exceeds PGA_AGGREGATE_LIMIT on the monitoring node. |
|
|
Cisco ISE Release 3.1 TFTP copy times out. |
|
|
Cisco ISE AD User SamAccountName parameter is null for user sessions. |
|
|
Updated fields list for PUT on /erc/config/authorizationprofile/{id} usually empty. |
|
|
Memory leak on TACACS flow. |
|
|
Fix for CSCvu35802 breaks AD group retrieval with certificate attribute as identity in EAP-chaining. |
|
|
When the Essential license is disabled on the Cisco ISE GUI, smart licensing portal is not reporting license consumption. |
|
|
Could not create Identity User if username includes $. |
|
|
Inconsistent sorting on Cisco ISE ERS API(s) for endpoint group. |
|
|
Create a nested endpoint group using Cisco ISE ERS API. |
|
|
Toggle to enable/disable RSA PSS cipher based on policy under Allowed Protocols. |
|
|
Cisco ISE Health Check I/O bandwidth performance check false alarm. |
|
|
Threads getting exhausted post moving to the latest patches where the nss rpm is updated. |
|
|
Cisco ISE ova ztp attempts HTTP directs listing of contents. |
|
|
Agentless posture breaks for locale. |
|
|
Cisco ISE Release 3.1 OpenAPI giving a 400 error when fetching Nested Conditions. |
|
|
Cisco ISE-PIC not forwarding live sessions beginning with special characters. |
|
|
SystemTest: Cisco ISE primary administration node GUI page not opening after PAN failover. |
|
|
SMS Javascript customization is not working for SMS email gateway. |
|
|
Cisco ISE Guest SAML authentication fails with "Access rights validated" HTML page. |
|
|
Unable to add SAML ID provider on Cisco ISE 3.1 patch 1 when doing a configuration restore from an older Cisco ISE release. |
|
|
When upgrading from Cisco ISE Release 2.4 patch 13 to Cisco ISE 2.7 if external RADIUS server configuration upgrade will fail. |
|
|
Cisco ISE is allowing user to change admin password without validating the current password. |
|
|
Cisco ISE must avoid sending empty Cisco AV-Pairs in access-accept packets. |
|
|
CoA was not initiated on Cisco ISE for switches for which matrix wasn’t changed, hence the policy sync failed. |
|
|
TACACS authentication report shows duplicate entries. |
|
|
Device administration using RADIUS does not consume base license. |
|
|
Cisco ISE GC_APP Logs are not auto-rotating or deleting from the local disk. |
|
|
Unable to add many authorization profiles with active session alarm setting. |
|
|
TEAP (EAP-TLS) with EAP-chaining is not using the configured CN for AD lookups. |
|
|
Microsoft Intune graph URL change from graph.windows.net/tenant to graph.microsoft.com. |
|
|
Upgraded Cisco ISE nodes via CLI method gets stuck in "Upgrading" status on the primary administration node GUI. |
|
|
Cisco ISE 2.7: Authentication success settings shows success/success URL. |
|
|
Having single quote in middle of the password on proxy settings causes page to become un-editable. |
|
|
TACACS authorization policy querying for username fails because username from session cache is null. |
|
|
The change of profiling policy name is not reflected on the policy set conditions automatically. |
|
|
Cisco ISE does not show report for client provisioning when AC is updated on the endpoint through Cisco ISE. |
|
|
Cisco ISE 3.1: Special character in attributes not supported. |
|
|
The next page field is missing from the JSON response of API 'GET /ers/config/radiusserversequence'. |
|
|
Unable to download a created support bundle from the Cisco ISE GUI if we login using format DomainName\UserName. |
|
|
The authentication settings of the Cisco ISE ERS SDK is not disabled via API call. |
|
|
Device port network conditions does not validate interface ID. |
|
|
REST ID cannot filter groups based on name or SID for Azure AD groups. |
|
|
Cisco ISE API add user operation with long custom attribute string takes 4min using Curl |
|
|
Cisco ISE manage account selection issue. |
|
|
The Replication Stopped alarm is triggered in Cisco ISE. |
|
|
Cisco ISE RADIUS service denial of service vulnerability. |
|
|
CIAM: linux-kernel 4.18.0. |
|
|
Cisco Identity Services Engine Assessment of CVE-2021-4034 Polkit |
|
|
Operational data purging and database utilization node information does not show intermittently. |
|
|
Fail to import Internal CA and key from Cisco ISE Release 2.7 Patch 2 to Cisco ISE Release 3.0. |
|
|
Unable to scroll to different pages in the Issued Certificates page. |
|
|
Cisco ISE GUI is stuck at loading if the AD group does not exist when using certificate based authentication for Cisco GUI access. |
|
|
Cisco ISE ADE-OS CLI TCP params fail to make changes and are no longer relevant. |
|
|
User unable to generate support bundle. |
|
|
New objects do not exist in the conditions studio. |
|
|
Error handling or messaging for the mobile number format is not clear. |
|
|
Inconsistency between Cisco ISE syslog level and message level. |
|
|
Get-By-ID server sequence, returns empty server list after first change made on the sequence via Cisco ISE GUI. |
|
|
In dark mode of Cisco ISE Release 3.2, the Internal Users have a color that is difficult to read. |
|
|
Cisco ISE Release 3.2 displays the error: "TypeError: Cannot read properties of undefined (reading 'attr')". |
|
|
Reports are unusable due to mishandling fields with multiple values. |
|
|
DST/TZ update should happen automatically. |
|
|
Sponsor Portal admin unable to create random guest accounts for 60 minutes or 1 hour duration or less. |
|
|
Cisco ISE Release 3.0: Unable to edit primary administration node auto failover alarms. |
|
|
No possibility to edit certificate imported to Cisco ISE Trusted Certificate. |
|
|
Cisco DNA Center - Cisco ISE Integration: Cisco ISE shows an old Cisco DNA Center certificate for pxGrid endpoint. |
|
|
Cisco ISE: Application server stuck initializing after backup restore due to MDM configuration. |
|
|
Vulnerability assessment for CVE-2021-35619 on Oracle DB. |
|
|
NTP sync failure alarms with more than 2 NTP servers configured. |
|
|
Cisco ISE Release 2.7 should display an error when attempting to delete the IP default label of network access devices on Cisco ISE GUI. |
|
|
Move queue link error from WARN to Critical and Restart if there is a timeout. |
|
|
Session Directory Write failed, SQLException: String Data right truncation on Cisco ISE 3.0 Patch 4. |
|
|
Certificate validation syslog message sent during specific certificate audits in Cisco ISE. |
|
|
In Cisco ISE 2.7 patch 4, users are unable to upload .json file for Umbrella security profile. |
|
|
Cisco ISE is showing incorrect VLAN assignment information in authorization profile and attributes details. |
|
|
"File path field must contain a valid file name" error when configuring file conditions for posture. |
|
|
CIAM: openssh 7.6. |
|
|
Internal users using external password store are getting disabled if we create users using API flow. |
|
|
High latency observed for TACACS+ requests with date and time condition in authorization policies. |
|
|
Cisco ISE on AWS: Operational DB not sized properly based on a larger OS disk. |
|
|
IPV6 changes the Subnet to /128 when using the duplicate option from Network device tab. |
|
|
Cisco ISE Release 3.0 checks only the first SAN entry. |
|
|
Cisco ISE TrustSec Logging - SGT create event is not logged to ise-psc.log file. |
|
|
Slowness on support bundle page due to the Download Logs page loading in the background. |
|
|
Cisco ISE Release 2.4 patch 8 is unable to edit, duplicate or delete guest portals. |
|
|
Unknown NAD and misconfigured network device detected alarms. |
|
|
Passive easy connect does not work in Cisco ISE with dedicated monitoring nodes. |
|
|
High operations DB usage alarm percentage need to be configurable. |
|
|
Cisco ISE 3.1: Metaspace exhaustion causes crashes on Cisco ISE node. |
|
|
Unable to load the Endpoint Purge tab. |
|
|
Cisco ISE 3.0 geantless posture does not use domain authenitcation if same local user exists. |
|
|
Cisco ISE 2.4 patch 12 install is stuck. |
|
|
Configuration changes to guest types is not updated in audit reports. |
|
|
RCM and MDM flows getting failed because of session cache not populated. |
|
|
Backup-logs using public key encryption on the Cisco ISE CLI does not allow for caputure of core files. |
|
|
Guest users (AD or internal) cannot delete or add their own devices on specific node. |
|
|
Reauthorization issue in Aruba third party device. |
|
|
EAP-TEAP with EAP-TLS unable to match condition that has "CERTIFICATE.Issuer - Common Name". |
|
|
Cisco ISE GUI: net::ERR_ABORTED 404: /admin/ng/nls/fr-fr/. |
|
|
CSV NAD import is rejected due to special symbol @ at the beginning of RADIUS shared secret. |
|
|
Cisco ISE 3.1 creates cni-podman0 interface with IP 10.88.0.1 and IP route for 10.88.0.0/16. |
|
|
Cisco ISE authorization profiles option get truncated during editing or saving (in Google Chrome only). |
|
|
Cisco ISE - Invalid character error in Admin Groups. |
|
|
Cisco ISE Release 3.0 Patch 5: Unable to login into the Cisco ISE GUI of MnT nodes using RSA 2FA in distribusted deployment. |
|
|
Unable to assign the role to externally signed system cert binded by CSR in Cisco ISE 3.1 Patch 1. |
|
|
Adding FQDN in discovery host- Discovery host: invalid IP address or host name. |
|
|
Cisco ISE Release 3.1 Guest Username or Password Policy is not modifiable. |
|
|
Unable to import Network Device configured with SNMPv3 SHA2 authorization. |
|
|
Multiple runtime crashes seen due to memory allocation inconsistency. |
|
|
Cisco ISE PRA failover. |
|
|
TACACS report showing duplicate entries due to EPOCH time being null. |
|
|
Cisco ISE Release 3.0 can't deselect the 'location' settings as part of the guest self registration portal. |
|
|
Cisco ISE Release 3.1 SHA-2 option is not available for NAD creation via REST API. |
|
|
Cisco Identity Services Engine Unauthorized File Access Vulnerability. |
|
|
Error with SNMPv3 Privacy Password on Cisco ISE Release 3.1 only. |
|
|
Unable to get message option in Posture remediation actions. |
|
|
Cisco ISE Release 3.1: Race condition causes registration/sync failure. |
|
|
AD security groups cannot have their OU end with dot character on Posture Policy. |
|
|
Cisco ISE Release 3.0: Admin access is allowed for Cisco ISE GUI with secondary interfaces GigabitEthernet 1 and Bond 1. |
|
|
AWS Cloud Formation stack for Cisco ISE Release 3.1 fails with very strong admin password. |
|
|
Need to handle Posture expiry when 8 octet MAC is present in endpoint on the deployment node. |
|
|
Guest posrtal registration page gives "error loading page" when email address contains apostrophe. |
|
|
Bi-directional communication/UDP heart-beat between Cisco ISE and AnyConnect Cisco ISE Posture. |
|
|
Pingnode call causing app server to crash (OOM exception) during CRL validation. |
|
|
NetworkSetupAssistance.exe digital signature certificate expired in BYOD flow using Windows SPW. |
|
|
Posture firewall remediation action unchangeable. |
|
|
Licensing only displays one reserved count if licenses reserved in CSSM have multiple expiry dates. |
|
|
Last 7 days filter not working in Reports. |
|
|
Cisco ISE Release 3.1 compatibility problems with Hyper-V Gen-2. |
|
|
Cisco ISE Release 3.0 not saving SCCM MDM server object with new password, works when new instance is use. |
|
|
Cisco ISE 3.1 BH Context visibility shows \\ in username where as live logs show correct single \. |
|
|
Cisco ISE Release 3.1: Getting error while creating network device groups via REST API. |
|
|
PEAP session timeout value restricted to max 604800. |
|
|
Cisco ISE Release 3.1 is requesting ISE-PIC licenses from smart account. |
|
|
Default domain configuration in Passive-Syslog provider does not work in Cisco ISE Release 3.1. |
|
|
Agentless Posture not passing AntiMalware check. |
|
|
Cisco ISE Release 2.7: EndpointPersister thread getting stopped. |
|
|
Unable to enter IPV6 address for on-prem SSM server. |
|
|
Cisco ISE Release 3.1 SAML admin authentication failing with Access Denied if 2+ groups in the group claim. |
|
|
Attribute value dc-opaque causing issues with Live Logs. |
|
|
Cisco ISE Release 3.1:When updating network device from Cisco DNA Center shared secret/password is empty or masked. |
|
|
Cisco ISE unable to fetch the URL attribute value from improper index during posture flow. |
|
|
Parent user identity group can be created via CSV file. |
|
|
Cisco ISE Release 3.1: Application server stuck in initializing state due to ACE library error. |
|
|
Cisco ISE ERS API does't allow for use of dot character in "Network Device Group" name or create or update. |
|
|
Context visibility endpoint authentication tab is not showing data in Cisco ISE Release 3.1. |
|
|
Posture lease breaks for EAP chaining from Cisco ISE Release 2.7. |
|
|
Customer fields in the guest portal contains & - $ #. |
|
|
Cisco ISE: SSH/SFTP to Hosts w/ Newer HostKey algorithms (e.g. rsa-sha2-512). |
|
|
Maximum sessions are not being enforced with EAP-FAST-Chaining in Cisco ISE. |
|
|
Guest locations do not load in Cisco ISE Guest Portal. |
|
|
Cisco ISE Release 3.1 Patch 1 does not create the Rest ID/ROPC folder logs. |
|
|
CIAM: openjdk - multiple versions. |
|
|
Multi-line issues for Guest SMS notification under Cisco ISE portal. |
|
|
Cisco ISE Release 3.0: Device Admin license alone should allow access to Administration > System > Logging menu. |
|
|
SSH to Cisco ISE failing on any SSH public keys manually imported. |
|
|
Cisco ISE Release 3.1: Unable to delete endpoint identity group created via REST API when setting no description. |
|
|
Mac OS Beta Monterey (MacOS 12 beta 2) failing NSP MacOsXSPWizard v3.1.0.2. |
|
|
Cisco ISE Releases 3.0 & 3.1: Device Admin License alone should allow access to all TACACS required menus. |
|
|
Disabling Open TAC case leads to Cisco ISE Integrity Check failure on Cisco ISE service restart. |
|
|
Cisco ISE Release 2.7 failed to add endpoint to group. |
|
|
ANC COA is sent to the NAS IP address instead of the Device IP address. |
|
|
Cisco ISE Release 3.1 patch 3 is unable to import endpoints from .csv file if SAML is used. |
|
|
Latency observed during query of Session.PostureStatus. |
|
|
CVE-2022-0778 - Cisco ISE Release 3.1 and above is affected. |
|
|
CIAM: OpenSSL upgrade to 1.0.2ze and 1.1.1o. |
|
|
Save button for SAML configuration grayed out. |
|
|
Enabling cookies for POST /ers/config/internaluser/ causes Identity Group(s) does not exist error. |
|
|
Cisco ISE ERS Validation Error- Mandatory fields missing: [validDays]. |
|
|
Menu access customization is not working. |
|
|
Health check and full upgrade precheck timesout when third party CA certificate is used for the admin. |
|
|
Cisco ISE replacing pxGrid cert when generating Cisco ISE internal CA. |
|
|
If we set MTU greater than 1500 then the MTU value is not setting persistently across reboot. |
|
|
Cisco ISE 3.0 BH: TACACS live logs do not give an option select Network Device IP. |
|
|
Guest redirect with Auth vlan no longer works on Cisco ISE Release 3.1. |
|
|
Cisco ISE GUI shows all the licenses as Out of Compliance - Smart Licensing. |
|
|
MDM intune integration broken for vpn user on Cisco ISE Release 3.1. |
|
|
Cisco ISE CLI is stuck. |
|
|
Inconsistent IP to SGT mapping after several re-authentications when VN value is changing. |
|
|
Cisco ISE client pxGrid certificate is not delivered to Cisco DNA Center. |
|
|
CIAM: linux-kernel 4.18.0 |
|
|
Cisco ISE restore popup menu displays wrong text. |
|
|
Cisco ISE Release 3.1: Authentication tab shows blank result in Context Visivility. |
|
|
HTTP 400 response in Repo OpenAPI when an SFTP/FTP repo user password contains ! (exclamation mark). |
|
|
Missing PermSize attribute on sysodbcini file. |
|
|
Cisco ISE: Cannot create network device group with name Location or Device Type. |
|
|
Sponsor permissions are not passed to guest REST API for "By Name" calls. |
|
|
Cisco ISE sending SXP MSG size > 4096 bytes in SXP version 4. |
|
|
Cannot export SAML provider info xml file from the Cisco ISE GUI. |
|
|
Profiler condition not displaying the attribute value. |
|
|
Cisco ISE is not sending "mobilenumber" value in the SMTP API body. |
|
|
Cisco ISE Release 3.1: No response when click "choose file" on import endpoints from CSV file page. |
|
|
Key Performance Metrics report has no entries for 8 AM and 9 AM every day. |
|
|
Cisco ISE policy service nodes crashing due to incorrect cryptoLib initialization. |
|
|
Improvement to logs needed with conflict handling SGT-IP mapping w/VN. |
|
|
Deleted root network device groups are still referenced in the network devices exported CSV report. |
|
|
"All devices were successfully deleted" after trying to delete one particular NAD by filtering. |
|
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability. |
|
|
Cisco ISE should either allow IP only for syslog targets or provide DNS caching. |
|
|
SNMPv3 COA request is not issued by Cisco ISE Release 2.7. |
|
|
Need hard Q cap on RMQ. |
|
|
Cisco ISE can't handle deletion/addition of SXP-IP mappings propagation due to race condition. |
|
|
Unable to restore CFG backup from linux SFTP repository if the file owned by a group name w/ space. |
|
|
Cisco ISE evaluation for Struts2 CVE-2021-31805. |
|
|
Windows Server 2022 is actually working as the target domain controller to be monitored. |
|
|
Configuration backup fails due to "EDF_DB_LOG". |
|
|
Unable to change network device group name and description at the same time. |
|
|
WLC failed to validate EAPOL Key M2 with Cisco ISE Release 3.1. |
|
|
Context visibility endpoints and NADs from an existing deployment are not removed after restore. |
|
|
Existing routes are not installed in routing table after MTU change. |
|
|
Cisco ISE Conditions Studio: Identity Groups drop-down limited to 1000. |
|
|
Cisco ISE TrustSec Dashboard Refresh Call causing high CPU on MnT. |
|
|
DELETE /ers/config/networkdevicegroup/{id} not working; CRUD exception. |
|
|
"Invalid Length" TACACS authorization failures within live logs for non-TACACS traffic. |
|
|
Cisco ISE Release 3.1: Services failed to start after restoring backup from old Cisco ISE Release 2.6. |
|
|
Authorization profile will throw an error if we use some symbols. |
|
|
Cisco ISE Smart Licensing Authorization Renewal Failure: Details=Invalid response from licensing cloud. |
|
|
Duplicated culomn "Failure Reasons" in RADIUS Authentications Report. |
|
|
Cisco ISE Evaluation log4j CVE-2021-44228. |
|
|
MAR feature should be ignored in case of MAB authentication. |
|
|
Session service unavailable for pxGrid Session Directory with dedicated MnT. |
|
|
Cisco ISE Debug Wizard Posture profile does not contain client-webapp component to DEBUG. |
|
|
Location of "Location" and "Device Type" exchanging every time clicking Network Devices > Add. |
|
|
64-character limit is too small to accommodate external user identities, such as user principal name. |
|
|
Empty user custom attribute included in AuthZ advanced attributes settings results in incorrect AVP. |
|
|
ODBC behavior failover issues. |
|
|
Cisco ISE Release 3.1 GUI not loading post login. |
|
|
Cisco ISE 3.X: Invalid characters in external RADIUS token shared secret. |
|
|
Cisco Identity Services Engine Authentication Bypass Vulnerability. |
|
|
Scheduled backup failure when Cisco ISE indexing engine backup failed. |
|
|
Upgrade External RADIUS server list not showing up after upgrading to Cisco ISE Release 3.0 or later. |
|
|
Platform check fails for Cisco ISE having disk size more than 1TB. |
|
|
Cisco ISE Queue Link Error: Message=From Node1 To Node2; Cause=Timeout in NAT'ed deployment. |
|
|
Supported HTTP methods are visible. |
|
|
SessionCache not cleared for TACACS AuthZ failures results in high heap usage and authentication latency. |
|
|
Cisco ISE Deployment: All nodes thrown OUT_OF_SYNC as a result of incorrect certificate expiry check. |
|
|
Catalina.out file is huge because of SSL audit events. |
|
|
Windows 11 Pro for Workstations is indeed not supported yet in the latest posture feed update. |
|
|
T+ ports (49) are still open if disable device admin process under deployment page. |
|
|
Cisco:cisco-av-pair AuthZ conditions stopped working. |
|
|
SNMP config set on the N/w device, a delay of 20 seconds is introduced while processing SNMP record. |
|
|
Special characters in Banner blocking SFTP repository. |
|
|
MAC - CSC 5.0554 web dployment pkgs are failed to upload to ISE->CP-> resources[100MB]. |
|
|
Cisco ISE Release 3.1 requests a traditional license. |
|
|
Cisco ISE configuration backup fails due to SYS_EXPORT_SCHEMA_01. |
|
|
Deployment-RegistrationPoller causing performance issues on PAN node with 200+ internal certificates. |
|
|
Cisco ISE Release 3.1: Unable to generate pxGrid certificates with Active Directory super admin. |
|
|
Cannot disable "Dedicated MnT" option from the Cisco ISE GUI once it is enabled. |
|
|
Cisco ISE Release 3.1 default route is on the incorrect interface if bonding is configured. |
|
|
Cisco ISE Release 3.1: Default route removed or tied to wrong interface after upgrading. |
|
|
Cisco ISE Configured with 15 Collection Filters Hides the 15th Filter. |
|
|
Optimize bouncy-castle class to improve performance on primary administration node. |
|
|
Cisco ISE RADIUS and PassiveID session merging. |
|
|
Cisco ISE using jquery v1.10.2 is vulnerable. |
|
|
Cisco ISE Release 3.1 Patch 3 SAML SSO doesn't work if active policy service node goes down. |
|
|
Serviceability: "DNS Resolution Failure" alarm should show Cisco ISE server. |
|
|
Cisco ISE application server process is restarting during Dot1X due to buffer length = 0 for EAP TLS. |
|
|
Missing IPv4 mappings if sessions have both IPv4 and IPv6 addresses |
|
|
Inaccurate dictionary word evaluation for passwords. |
|
|
EAP-chaining authz failure due to machine authentication flag set to true incorrectly. |
|
|
ADFS SAML login to work with FQDN same as Okta. |
|
|
Node syncup fails to replicate wildcard certificate with the portal role. |
|
|
Cisco ISE not update expiry date after updating SLR license. |
|
|
Session cache needs to be update dduring EAP chaining flow to handle relevant identities. |
|
|
CIAM: linux-kernel 4.18.0. |
|
|
Cisco ISE Release 3.0 NFS share stuck. |
|
|
Changing Parent Identity Group name breaks authorization references. |
|
|
Android VPN and InTune MDM integration not working on Cisco ISE Release 3.1. |
|
|
Enable ability to modify SMS content when sponsornet guest self-reset password. |
|
|
Guest Portal's Button's text element is causing words to be repeated for Apple VoiceOver. |
|
|
Cisco ISE CPP not loading correctly in some languages. |
|
|
Hotpatch API details have blank timestamp. |
|
|
Hotspot Guest Portals in CNA with blank Success and not switched to done on iDevices. |
|
|
Cisco ISE detects large VMs as unsupported. |
|
|
IP-SGT mapping does not link with new network access device group. |
|
|
SCM js files browser download during admin login. |
|
|
Stale sessions observed for TACACS could not find selected service error. |
|
|
Sponsor Portal getting error 500 when enabling "Allow kerberos SSO" portal setting. |
|
|
pxGrid shown disabled on Summary page for Cisco ISE-PIC. |
|
|
Cisco ISE abruptly stops consuming passive-id session from a third party syslog server. |
|
|
Unable to add more than one ACI IP address/hostname when trying to enable ACI integration in Cisco ISE. |
|
|
Cisco ISE Release 3.1 - The Cisco ISE GUI is not working when IPV6 is disabled globally. |
|
|
SystemTest: Android BYOD flow with EST and StaticIP/Hostname/FQDN fails. |
|
|
Hotpatch.log needs to be included in support-bundle. |
|
|
Cisco ISE 2.x: Intune MDM Alarm for connectivity || 401 Unauthorized. |
|
|
Sponsor portal breaks after removing endpoint groups. |
|
|
All NADs are deleted due to one particular NAD deletion. |
|
|
Cisco ISE Queue Link Error: Cause=Timeout due to 169.254.2.0/25 in Cisco ISE IPtables. |
|
|
Cisco ISE can login to the Cisco ISE GUI with disabled shadow admin accounts with external identity source. |
|
|
Sorting internal users based on User Identity Groups doesn't work in Identity Mangement->Identities. |
|
|
Guest portal does not load if hosted on a different interface from Gig0. |
|
|
REST ID is fething the groups from cloud once the connector settings page is opened. |
|
|
Cisco ISE Release 3.0 patch 2- Monitor all setting displays incorrectly with multiple matrices and different views. |
|
|
ISE is adding extra 6 hours to nextUpdate date for CRL |
|
|
Unsafe characters in T+ commands stored in Hex Numeric Character References. |
|
|
TACACS responses are not sent sometimes with single connect enabled. |
|
|
MnT log processor is not running because collector log permission. |
|
|
From address to send email is invalid if it does not end with .com or .net. |
|
|
Unable to edit or remove Scheduled Reports if admin who created them is no longer available |
|
|
RMQ TLS syslogs related to internal docker IP 169.254.2.2 are sent to audit logs. |
|
|
Inability to import Cisco ISE certificates issued for primary administartion node to other nodes in spite of the SAN field FQDN. |
|
|
Okta redirection fails for first ID store and works when second ID store is assigned. |
|
|
CSV NAD import is rejected if += characters are at the beginning of the RADIUS shared secret. |
|
|
High Active Directory latency during high TPS causes HOL Blocking on ADRT. |
|
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability. |
|
|
User unable to create a guest SSID during Portal Creation step - Cisco ISE is busy is the error dispalyed. |
|
|
TrustCertQuickView giving the same info for all trusted certificates. |
|
|
Live log/session not showing latest data due to "too many files open" error. |
|
|
$ui_time_left$ variable showing wrong duration |
|
|
Unable to export certificate with private key using API. |
|
|
Certificate signing request shoule not be case sensitive. |
|
|
Cisco ISE: SAML flow with loadbalancer is failing due to incorrect token handling on Cisco ISE. |
|
|
Getting 400 Bad Request while enabling the Internal User with external password type using Rest API. |
|
|
Cisco ISE Release 3.0: APIC Integration: Failed to create secGroup. |
|
|
Application server restart on all nodes after changing the Primary Administration certificate. |
|
|
Certificate based admin login not working when client/browser send more than one certificate. |
|
|
Cisco ISE Release 3.1 ERS call /ers/config/sgmapping/{id} doesn't return SGT value for custom SGTs. |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability. |
|
|
Add ability to disable TLS 1.0 and 1.1 on Cisco ISE PIC node. |
|
|
EP's incorreclty profiled as "cisco-router" due to NMAP performing aggressive guesses. |
|
|
Cisco ISE Health Check MDM Validation false alarm. |
|
|
Removing an IP Access list from Cisco ISE destroys the distributed deployment. |
|
|
Underscore is vulnerable in Guest Portals. |
|
|
In Cisco ISE Release 2.6 patch 9, default permissions can't go back to default group Internal after adding a new group. |
|
|
My Devices Portal doesn't open after reloading the node unless we do CRUD. |
|
|
AD security groups cannot have their OU end with dot character on client provisioning policy. |
|
|
Inconsistent sorting on Cisco ISE ERS API(s) for identity group. |
Additional References
See Cisco ISE End-User Resources for additional resources that you can use when working with Cisco ISE:.
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
Feedback