This document describes Cisco Identity Services Engine (ISE) compatibility with switches, wireless LAN controllers, and other policy enforcement devices, as well as client machine operating systems with which Cisco ISE interoperates in the network. This document covers the following topics:
Cisco ISE supports interoperability with any (Cisco or non-Cisco) RADIUS client NAD that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication. For a list of supported authentication methods, see the “Configuring Authentication Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x.
Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices. In addition, certain other advanced functions like central web authentication (CWA), Change of Authorization (CoA), Security Group Access, and downloadable ACLs, are only supported on Cisco devices. For a full list of supported Cisco devices, see Table 1.
The NADs that are not explicitly listed in Table 1 and that do not support RADIUS Change of Authorization (CoA) must use inline posture.
Note Some switch models and IOS versions may have reached their Cisco end-of-maintenance milestones, hence interoperability may not be fully supported for these switch types.
To support the Cisco ISE Profiling service, Cisco recommends using the latest version of NetFlow (version 9), which has additional functionality that is needed to operate the Profiler. If you use NetFlow version 5 in your network, then you can use version 5 only on the primary NAD at the access layer, as it will not work anywhere else.
Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)
1.For 802.1X authentications, you need IOS version 12.2(55)SE3.
2.Does not support posture and profiling services.
3.For LWA, use the local pages of the switch or customize redirect pages on Cisco ISE with an external RADIUS server. For wireless LWA, edit the default authorization condition, WLC_Web_Authentication to check for Radius:Service-Type = Outbound & Radius:NAS-Port = Wireless IEEE 802.11.
5.Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support the requirements for Inline Posture Node as they do not send Framed-IP-Address. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 184.108.40.206 and for MAB-authenticated WLANs starting from WLC 220.127.116.11. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 18.104.22.168. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
6.An issue has been observed during wireless login scenarios where the WLC is running firmware version 22.214.171.124. Unless you require features available only in version 126.96.36.199, Cisco recommends returning your WLC firmware version to 188.8.131.52 or upgrade your WLC firmware version to 184.108.40.206. For more information, see the Release Notes for Cisco Identity Services Engine, Release 1.1.x.
7.Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 220.127.116.11, there is support for session ID and COA with MAC filtering so it is more MAB-like.
AAA Attributes Required for Third-Party VPN Concentrators
For third-party VPN concentrators to integrate with Cisco ISE and Inline Posture nodes, the following AAA attributes must be included in RADIUS communication:
Calling-Station-Id (for MAC_ADDRESS)
Also, for VPN devices, the RADIUS accounting message must have the framed-ip-address attribute set to the VPN client’s IP address pool.
Supported External Identity Sources
Table 2 lists the external identity sources supported with Cisco ISE.
Note The minimum required screen resolution to view the Cisco ISE GUI and for a better user experience is 1280*800 pixels.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
VMware ESX 4.x
VMware ESXi 4.x
VMware ESXi 5.x
Supported Client Machine and Personal Device Operating Systems, Supplicants, and Agents
This section lists the supported client machine operating systems, browsers, and Agent versions supporting each client machine type. For all devices, you must also have cookies enabled in your web browser.
Note All standard 802.1X supplicants can be used with Cisco ISE 1.1.x standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. (For information on allowed authentication protocols, see the “Managing Authentication Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x.) For the VLAN Change authorization feature to work in a wireless deployment the supplicant must support IP address refresh on VLAN Change.
Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE)
The Cisco NAC Agent versions 18.104.22.168 and later can be used on both Cisco NAC Appliance Releases 4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.
Client Machine Operating Systems and Agent Support in Cisco ISE
This section lists the details for the following Operating Systems:
12.When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1x, certificate warnings might be displayed even for publicly trusted certificates. This usually occurs when the public certificate includes a Certificate Revocation List (CRL) distribution point that the iOS device needs to verify. The iOS device cannot verify the CRL without network access. Click Confirm or Accept in the iOS device to authenticate to the network.
13.Apple Safari version 6.0 is only supported on Mac OS X 10.7.4 and later versions of the operating system.
14.If you are using Mac OS X clients with Java 7, you cannot download the Agents using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the Agents.
15.It is recommended to use the Cisco NAC/Web Agent versions along with the corresponding Cisco ISE version.
16.In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)
17.When you create a Cisco ISE client provisioning policy to accommodate Windows 8, you must specify the “Windows All” operating system option.
18.Windows 8 RT is not supported.
19.Cisco ISE does not support the Windows Embedded operating systems available from Microsoft.
20.When Internet Explorer 10 is installed on Windows 7, to get full network access, you need to update to March 2013 Hotfix ruleset.
22.Because of the open access-nature of Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.
23.In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)
24.Cisco ISE does not support the Windows Embedded 7 versions available from Microsoft.
25.When Internet Explorer 10 is installed on Windows 7, to get full network access, you need to update to March 2013 Hotfix ruleset.
Note When a guest user tries to login using Google Chrome on Windows 7 OS, the login fails. It is recommended to upgrade the browser to Chrome 11.
Supported Devices for On-Boarding and Certificate Provisioning Functions
SPW from Cisco.com or Cisco ISE Client Provisioning feed
26.Connect to secure SSID after provisioning
27.There are known EAP-TLS issues with Android 4.1.1 devices. Contact your device manufacturer for support.
28.While configuring the wireless properties for the connection (Security > Auth Method > Settings > Validate Server Certificate), uncheck the valid server certificate option or if you check this option, ensure that you select the correct root certificate.
29.If you are using Mac OS X clients with Java 7, you cannot download the SPWs using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the SPWs.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.