Cisco Identity Services Engine Network Component Compatibility, Release 2.0

This document describes Cisco Identity Services Engine (ISE) validated compatibility with switches, wireless LAN controllers, and other policy enforcement devices as well as operating systems with which Cisco ISE interoperates.

Validated Network Access Devices

Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication. For a list of supported authentication methods, see the “Manage Authentication Policies” chapter of the Cisco Identity Services Engine Admin Guide, Release 2.0.

RADIUS

Cisco ISE interoperates fully with third-party RADIUS devices that adhere to the standard protocols. Support for RADIUS functions depends on the device-specific implementation.

RFC Standards

Cisco ISE conforms to the following RFCs:

RFC 2138—Remote Authentication Dial In User Service (RADIUS)
RFC 2139—RADIUS Accounting
RFC 2865—Remote Authentication Dial In User Service (RADIUS)
RFC 2866—RADIUS Accounting
RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 5176—Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

Note Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. We recommend that you validate all network devices and their software for hardware capabilities or bugs in a particular software release.

For information on enabling specific functions of Cisco ISE on network switches, see the “Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions” chapter in Cisco Identity Services Engine Admin Guide, Release 2.0.

For information about third-party NAD profiles, see the ISE Community Resources.

Note Some switch models and IOS versions may have reached the end-of-life date and interoperability may not be supported by Cisco TAC.

Caution

To support the Cisco ISE profiling service, use the latest version of NetFlow, which has additional functionality that is needed to operate the profiler. If you use NetFlow version 5, then you can use version 5 only on the primary NAD at the access layer, as it will not work anywhere else.

For Wireless LAN Controllers, note the following:

MAB supports MAC filtering with RADIUS lookup.
Support for session ID and COA with MAC filtering provides MAB-like functionality.
DNS based ACL feature will be supported in WLC 8.0. Not all Access Points support DNS based ACL. Refer to Cisco Access Points Release Notes for more details.

Table 1 lists the support for the devices as follows:

√ — Fully supported
X — Not supported
! — Limited support, some functionalities are not supported

The following are the functionalities supported by each feature:

Feature	Functionality
AAA	802.1X, MAB, VLAN Assignment, dACL
Profiling	RADIUS CoA and Profiling Probes
BYOD	RADIUS CoA, URL Redirection + SessionID
Guest	RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Guest Originating URL	RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Posture	RADIUS CoA, URL Redirection + SessionID
MDM	RADIUS CoA, URL Redirection + SessionID
TrustSec	SGT Classification

Table 1 Validated Network Access Devices
Device	Recommended OS ¹	AAA	Profiling	BYOD	Guest	Guest Originating URL	Posture	MDM	TrustSec ²
Device	Minimum OS 3	AAA	Profiling	BYOD	Guest	Guest Originating URL	Posture	MDM	TrustSec ²
Cisco Access Switches
IE2000 IE3000	IOS 15.2(2) E3	√	√	√	√	√	√	√	X
IE2000 IE3000	IOS 15.0(2) EB	√	√	√	√	X	√	√	X
CGS 2520	IOS 15.2(3)E3	√	√	√	√	X	√	√	√
CGS 2520	IOS 15.0(2)EK1	√	√	√	√	X	√	√	√
Catalyst 2960 LAN Base	IOS 12.2.55-SE10	√	√	√	√	X	√	√	X
Catalyst 2960 LAN Base	IOS v12.2(55)SE5	√	√	√	√	X	√	√	X
Catalyst 2960-C Catalyst 3560-C	IOS 15.2(2)E3	√	√	√	√	√	√	√	√
Catalyst 2960-C Catalyst 3560-C	IOS 12.2(55) EX3	√	√	√	√	√	√	√	√
Catalyst 2960-Plus Catalyst 2960-SF	IOS 15.2(2)E3	√	√	√	√	√	√	√	√
Catalyst 2960-Plus Catalyst 2960-SF	IOS 15.0(2)SE7	√	√	√	√	√	√	√	X
Catalyst 2960-S	IOS 15.0.2-SE10a	√	√	√	√	√	√	√	X
Catalyst 2960-S	IOS v12.2.(55)SE5	√	√	√	√	√	√	√	X
Catalyst 2960–XR Catalyst 2960–X	IOS 15.2(2)E3	√	√	√	√	√	√	√	√
Catalyst 2960–XR Catalyst 2960–X	IOS 15.0.2A-EX5	√	√	√	√	√	√	√	X
Catalyst 2960-CX Catalyst 3560-CX	IOS 15.2(3)E1	√	√	√	√	√	√	√	√
Catalyst 2960-CX Catalyst 3560-CX	IOS 15.2(3)E	√	√	√	√	√	√	√	√
Catalyst 3560G Catalyst 3750G	IOS 12.2.(55)SE10	√	√	√	√	√	√	√	√
Catalyst 3560G Catalyst 3750G	IOS 12.2(55)SE5	√	√	√	√	√	√	√	√
Catalyst 3560V2 Catalyst 3750V2	IOS 12.2.(55)SE10	√	√	√	√	√	√	√	√
Catalyst 3560V2 Catalyst 3750V2	IOS 12.2.(55)SE5	√	√	√	√	√	√	√	√
Catalyst 3560-E Catalyst 3750-E	IOS 12.2.(55)SE10	√	√	√	√	√	√	√	√
Catalyst 3560-E Catalyst 3750-E	IOS v12.2(55)SE5	√	√	√	√	√	√	√	√
Catalyst 3560-X Catalyst 3750-X	IOS 15.2(2)E3	√	√	√	√	√	√	√	√
Catalyst 3560-X Catalyst 3750-X	IOS 12.2.(55)SE5	√	√	√	√	√	√	√	√
Catalyst 3850 Catalyst 3650	IOS XE 16.3.3 IOS XE 3.6.3	√	√	√	√	√	√	√	√
Catalyst 3850 Catalyst 3650	IOS XE 3.3.5.SE	√	√	√	√	√	√	√	√
Catalyst 4500-X	IOS XE 3.6.3	√	√	√	√	√	√	√	√
Catalyst 4500-X	IOS XE 3.4.4 SG	√	√	√	√	X	√	√	√
Catalyst 4500 Supervisor 7-E, 7L-E	IOS XE 3.6.3	√	√	√	√	√	√	√	√
Catalyst 4500 Supervisor 7-E, 7L-E	IOS XE 3.4.4 SG	√	√	√	√	X	√	√	√
Catalyst 4500 Supervisor 6-E, 6L-E	IOS 15.2(2)E3	√	√	√	√	X	√	√	√
Catalyst 4500 Supervisor 6-E, 6L-E	IOS 15.2(2)E	√	√	√	√	X	√	√	√
Catalyst 4500 Supervisor 8-E	IOS XE 3.6.3	√	√	√	√	X	√	√	√
Catalyst 4500 Supervisor 8-E	IOS XE 3.3.2 XO	√	√	√	√	X	√	√	√
Catalyst 6500-E (Supervisor 32)	IOS 12.2.33-SJX9	√	√	√	√	X	√	√	√
Catalyst 6500-E (Supervisor 32)	IOS v12.2(33)SXI6	√	√	√	√	X	√	√	√
Catalyst 6500-E (Supervisor 720)	IOS 15.1(2)SY5	√	√	√	√	X	√	√	√
Catalyst 6500-E (Supervisor 720)	IOS v12.2(33)SXI6	√	√	√	√	X	√	√	√
Catalyst 6500-E (VS-S2T-10G)	IOS 15.1(2)SY5	√	√	√	√	X	√	√	√
Catalyst 6500-E (VS-S2T-10G)	IOS 15.0(1)SY1	√	√	√	√	X	√	√	√
Catalyst 6807-XL Catalyst 6880-X (VS-S2T-10G)	IOS 15.1(2)SY5	√	√	√	√	X	√	√	√
Catalyst 6807-XL Catalyst 6880-X (VS-S2T-10G)	IOS 15.0(1)SY1	√	√	√	√	X	√	√	√
Catalyst 6848ia	IOS 15.1(2)SY5	√	√	√	√	X	√	√	√
Catalyst 6848ia	IOS 15.1(2) SY+	√	√	√	√	X	√	√	√
Catalyst 9300⁴	IOS 16.6.2 ES	√	√	√	√	√	√	√	√
Catalyst 9300⁴	IOS 16.6.2 ES	√	√	√	√	√	√	√	√
Catalyst 9400 4	IOS 16.6.2 ES	√	√	√	√	√	√	√	√
Catalyst 9400 4	IOS 16.6.2 ES	√	√	√	√	√	√	√	√
Catalyst 9500 4	IOS 16.6.2 ES	√	√	√	√	√	√	√	√
Catalyst 9500 4	IOS 16.6.2 ES	√	√	√	√	√	√	√	√
Meraki MS Platforms	Latest Version	√	√	√	!	X	X	X	X
Meraki MS Platforms	Latest Version	√	√	X	!	X	X	X	X
Third Party Access Switches
Avaya ERS 2526T	4.4	√	!	X	X	X	X	X	X
Avaya ERS 2526T	4.4	√	!	X	X	X	X	X	X
Brocade ICX 6610	8.0.20	√	√	X	X	X	X	X	X
Brocade ICX 6610	8.0.20	√	√	X	X	X	X	X	X
HP H3C HP ProCurve	5.20.99	√	!	X	X	X	X	X	X
HP H3C HP ProCurve	5.20.99	√	!	X	X	X	X	X	X
Juniper EX3200	12.3R6.6	√	!	X	X	X	X	X	X
Juniper EX3200	12.3R6.6	√	!	X	X	X	X	X	X
Cisco Wireless LAN Controllers 5
WLC 2100	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
WLC 2100	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
WLC 4400	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
WLC 4400	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
WLC 2500	AirOS 8.0.121.0	√	√	√	√	X	√	√	√
WLC 2500	AirOS 7.2.103.0	!	√	√	√	X	√	√	X
WLC 5508	AirOS 8.0.121.0	√	√	√	√	X	√	√	√
WLC 5508	AirOS 7.0.116.0	!	√	X	!	X	X	X	√
WLC 5520	AirOS 8.1.122.0	√	√	√	√	X	√	√	√
WLC 5520	AirOS 8.1.122.0	√	√	√	√	X	√	√	√
WLC 7500	AirOS 8.0.121.0	√	√	√	√	X	√	√	X
WLC 7500	AirOS 7.2.103.0	!	√	X	X	X	X	X	X
WLC 8510	AirOS 8.0.120.0	√	√	√	√	X	√	√	X
WLC 8510	AirOS 7.4.121.0	√	√	X	X	X	X	√	X
WLC 8540	AirOS 8.1.122.0	√	√	√	√	X	√	√	X
WLC 8540	AirOS 8.1.122.0	√	√	√	√	X	√	√	X
vWLC	AirOS 8.0.120.0	√	√	√	√	X	√	√	X
vWLC	AirOS 7.4.121.0	√	√	√	√	X	√	√	X
WiSM1 6500	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
WiSM1 6500	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
WiSM2 6500	AirOS 8.0.120.0	√	√	√	√	X	√	√	√
WiSM2 6500	AirOS 7.2.103.0	!	√	√	√	X	√	√	√
WLC 5760	IOS XE 3.6.3	√	√	√	√	√	√	√	√
WLC 5760	IOS XE 3.3	√	√	√	√	X	√	√	√
WLC for ISR (ISR2 ISM, SRE700, and SRE900)	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
WLC for ISR (ISR2 ISM, SRE700, and SRE900)	AirOS 7.0.116.0	!	√	X	!	X	X	X	X
Meraki MR Platforms	Public Beta	√	√	√	√	X	√	√	X
Meraki MR Platforms	General Availability	√	!	X	!	X	X	X	X
Third Party Wireless LAN Controllers
Aruba 3200XM Aruba 650	6.4	√	√	√	√	X	√	√	X
Aruba 3200XM Aruba 650	6.4	√	√	√	√	X	√	√	X
Motorola RFS 4000	5.5	√	√	√	√	X	√	√	X
Motorola RFS 4000	5.5	√	√	√	√	X	√	√	X
HP 830	35073P5	√	√	√	√	X	√	√	X
HP 830	35073P5	√	√	√	√	X	√	√	X
Ruckus ZD1200	9.9.0.0	√	√	X	X	X	X	X	X
	9.9.0.0	√	√	X	X	X	X	X	X
Cisco Routers
ISR 88x, 89x Series	IOS 15.3.2T(ED)	√	!	X	!	X	X	X	√
ISR 88x, 89x Series	IOS 15.2(2)T	!	!	X	!	X	X	X	√
ISR 19x, 29x, 39x Series	IOS 15.3.2T(ED)	√	!	X	!	X	X	X	√
ISR 19x, 29x, 39x Series	IOS 15.2(2)T	√	!	X	!	X	X	X	√
SGR 2010	IOS 15.3.2T(ED)	√	!	X	!	X	X	X	√
SGR 2010	IOS 15.3.2T(ED)	√	!	X	!	X	X	X	√
4451-X SM-X L2/L3 Ethermodule	IOS XE 3.11	√	√	√	√	X	√	√	√
4451-X SM-X L2/L3 Ethermodule	IOS XE 3.11	√	√	√	√	X	√	√	√
Cisco Remote Access
ASA 5500, ASA 5500-X (Remote Access Only)	ASA 9.2.1	NA	NA	√	NA	X	√	X	√
ASA 5500, ASA 5500-X (Remote Access Only)	ASA 9.1.5	NA	NA	X	NA	X	X	X	X
Meraki MX Platforms	Latest Version	√	!	X	!	X	X	X	X
Meraki MX Platforms	Latest Version	√	!	X	!	X	X	X	X

^1.Recommended OS is the version tested for compatibility and stability.

^2.For a complete list of Cisco TrustSec feature support, see http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html.

^3.Minimum OS is the version in which the features got introduced.

^4.Catalyst 9000 Series Switches are validated with Cisco ISE, Release 2.0.1 Patch 4.

^5.Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support endpoint posturing. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.

AAA Attributes for RADIUS Proxy Service

For RADIUS proxy service, the following authentication, authorization, and accounting (AAA) attributes must be included in the RADIUS communication:

Calling-Station-ID (IP or MAC_ADDRESS)
RADIUS::NAS_IP_Address
RADIUS::NAS_Identifier

AAA Attributes for Third-Party VPN Concentrators

For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:

Calling-Station-ID (tracks individual client by MAC or IP address)
User-Name (tracks remote client by login name)
NAS-Port-Type (helps to determine connection type as VPN)
RADIUS Accounting Start (triggers official start of session)
RADIUS Accounting Stop (triggers official end of session and releases ISE license)
RADIUS Accounting Interim Update on IP address change (for example, SSL VPN connection transitions from Web-based to a full-tunnel client)

Note For VPN devices, the RADIUS Accounting messages must have the Framed-IP-Address attribute set to the client’s VPN-assigned IP address to track the endpoint while on a trusted network.

Validated External Identity Sources

Refer to Cisco Identity Services Engine Administrator Guide, Release 2.0 for more information.

Table 2 Validated External Identity Sources
External Identity Source	OS/Version
Active Directory 6 ^, 7 ^, 8
Microsoft Windows Active Directory 2003	—
Microsoft Windows Active Directory 2003 R2	—
Microsoft Windows Active Directory 2008	—
Microsoft Windows Active Directory 2008 R2	—
Microsoft Windows Active Directory 2012	—
Microsoft Windows Active Directory 2012 R2⁹	—
LDAP Servers
SunONE LDAP Directory Server	Version 5.2
OpenLDAP Directory Server	Version 2.4.23
Token Servers
RSA ACE/Server	6. x series
RSA Authentication Manager	7. x and 8. x series
Any RADIUS RFC 2865-compliant token server	—
Security Assertion Markup Language (SAML) Single Sign-On (SSO)
Oracle Access Manager (OAM)	Version 11.1.2.2.0
Oracle Identity Federation (OIF)	Version 11.1.1.2.0

^6.Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008, 2008 R2, 2012, and 2012 R2.

^7.Cisco ISE SCEP functionality is available only on Microsoft Windows Active Directory 2008 R2, 2012, and 2012 R2.

^8.Microsoft Windows Active Directory version 2000 or its functional level are not supported by Cisco ISE.

^9.Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2; however, the new features in 2012 R2, such as Protective User Groups, are not supported.

Supported Browsers for the Admin Portal

Mozilla Firefox 69 and earlier versions
Mozilla Firefox ESR 60.9 and earlier versions
Google Chrome 77 and earlier versions
Microsoft Edge beta 77 and earlier versions
Microsoft Internet Explorer 10. x and 11. x

If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).

Adobe Flash Player 11.1.0.0 or above must be installed on the system running your client browser.

The minimum required screen resolution to view the Cisco ISE Admin portal and for a better user experience is 1280 x 800 pixels.

Validated Virtual Environments

Cisco ISE supports the following virtual environment platforms:

VMware ESXi 5. x, 6. x
KVM on RHEL 7.0

Validated Cisco Mobility Services Engine Release

Cisco ISE, Release 2.0 integrates with Cisco Mobility Services Engine (MSE), Release 8.0 to provide Location Service (also known as Context Aware Service). This service allows you to track the location of wireless devices.

For information on how to integrate Cisco ISE with Cisco MSE, refer to:

Validated Cisco Prime Infrastructure Release

Cisco Prime Infrastructure, Release 3.1 integrates with Cisco ISE, Release 2.0 to leverage the monitoring and reporting capabilities of Cisco ISE.

Validated Client Machine and Personal Device Operating Systems, Supplicants, and Agents

Client Machine Operating Systems and Agent Support in Cisco ISE lists the supported client machine operating systems, browsers, and agent versions supporting each client machine type. For all devices, you must also have cookies enabled in the web browser.

All standard 802.1X supplicants can be used with Cisco ISE, Release 2.0 standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. (For information on allowed authentication protocols, see the “Manage Authentication Policies” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.0). For the VLAN change authorization feature to work in a wireless deployment, the supplicant must support IP address refresh on VLAN change.

Note The new features introduced in Cisco ISE, Release 1.4, such as the Service Check (MAC OS X), File Check (MAC OS X), Application Check (MAC OS X), and Patch Management Check (MAC OS X and Windows), are available only with AnyConnect 4.1.00028 or later. Refer to the Cisco Identity Services Engine Administrator Guide, Release 2.0 for more information.

Cisco NAC Agent Interoperability Between Cisco NAC Appliance and Cisco ISE

The Cisco NAC Agent versions 4.9.5.3 and later can be used on both Cisco NAC Appliance Releases 4.9(3), 4.9(4), 4.9(5) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2, 1.3, 1.4, 2.0. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.

Client Machine Operating Systems and Agent Support in Cisco ISE

Table 3 Google Android 10
Client Machine Operating System	Web Browser	Supplicants (802.1X)
Google Android 8.x	Native browser Mozilla Firefox	Google Android Supplicant 8.x
Google Android 7.x¹¹	Native browser Mozilla Firefox	Google Android Supplicant 7.x
Google Android 6.x	Native browser Mozilla Firefox	Google Android Supplicant 6.x
Google Android 5.x	Native browser Mozilla Firefox	Google Android Supplicant 5.x
Google Android 4.4.x	Native browser Mozilla Firefox	Google Android Supplicant 4.4.x
Google Android 4.2.x	Native browser Mozilla Firefox	Google Android Supplicant 4.2.x
Google Android 4.1.2	Native browser Mozilla Firefox	Google Android Supplicant 4.1.2
Google Android 4.0.4	Native browser Mozilla Firefox	Google Android Supplicant 4.0.4
Google Android 4.0.3	Native browser Mozilla Firefox	Google Android Supplicant 4.0.3
Google Android 4.0	Native browser	Google Android Supplicant 4.0
Google Android 3.2.1	Native browser Mozilla Firefox	Google Android Supplicant 3.2.1
Google Android 3.2	Native browser	Google Android Supplicant 3.2
Google Android 2.3.6	Native browser Mozilla Firefox	Google Android Supplicant 2.3.6
Google Android 2.3.3	Native browser Mozilla Firefox	Google Android Supplicant 2.3.3
Google Android 2.2.1	Native browser	Google Android Supplicant 2.2.1
Google Android 2.2	Native browser Mozilla Firefox	Google Android Supplicant 2.2

^10.Because of the open access-nature of Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.

^11.Tested with Cisco ISE, Release 2.0 patch 3 and Release 2.0.1 patch 1.

Table 4 Apple iOS 12
Client Machine Operating System	Web Browser	Supplicants (802.1X)
Apple iOS 12.x	Safari	Apple iOS Supplicant 12.x
Apple iOS 11.x	Safari	Apple iOS Supplicant 11.x
Apple iOS 10.x¹³	Safari	Apple iOS Supplicant 10.x
Apple iOS 9.x	Safari	Apple iOS Supplicant 9.x
Apple iOS 8.x	Safari	Apple iOS Supplicant 8.x
Apple iOS 7.x	Safari	Apple iOS Supplicant 7.x
Apple iOS 6.x	Safari	Apple iOS Supplicant 6.x
Apple iOS 5.1	Safari	Apple iOS Supplicant 5.1
Apple iOS 5.0.1	Safari	Apple iOS Supplicant 5.0.1

^12.When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1x, certificate warnings might be displayed even for publicly trusted certificates. This usually occurs when the public certificate includes a Certificate Revocation List (CRL) distribution point that the iOS device needs to verify. The iOS device cannot verify the CRL without network access. Click Confirm or Accept in the iOS device to authenticate to the network.

^13.Tested with Cisco ISE, Release 2.0 patch 3 and Release 2.0.1 patch 1.

If you are using Apple iOS 12.2 or later version, you must manually install the downloaded Certificate/Profile. To do this, choose Settings > General > Profile in the Apple iOS device and Click Install.

If you are using Apple iOS 12.2 or later version, RSA key size must be 2048 bits or higher. Otherwise, you might see an error while installing the BYOD profile.

Table 5 Apple Mac OS X
Client Machine Operating System	Web Browser	Supplicants (802.1X)	Cisco ISE	Mac OS X Agent	AnyConnect ¹⁴
Apple Mac OS X 10.14	Apple Safari Mozilla Firefox Google Chrome	Apple Mac OS X Supplicant 10.14	2.0	4.9.5.3	AnyConnect 4.2, 4.3, and 4.4
Apple Mac OS X 10.13	Apple Safari Mozilla Firefox Google Chrome	Apple Mac OS X Supplicant 10.13	2.0	4.9.5.3	AnyConnect 4.2, 4.3, and 4.4
Apple Mac OS X 10.12	Apple Safari Mozilla Firefox Google Chrome	Apple Mac OS X Supplicant 10.12	2.0	4.9.5.3	AnyConnect 4.2, 4.3, and 4.4
Apple Mac OS X 10.11	Apple Safari ¹⁵ Mozilla Firefox Google Chrome ¹⁶	Apple Mac OS X Supplicant 10.11	2.0	4.9.5.3	AnyConnect 4.2, 4.3, and 4.4
Apple Mac OS X 10.10	Apple Safari ¹⁷ Mozilla Firefox Google Chrome ¹⁸	Apple Mac OS X Supplicant 10.10	2.0	4.9.5.3	AnyConnect 4.2, 4.3, and 4.4
Apple Mac OS X 10.9	Apple Safari Mozilla Firefox Google Chrome	Apple Mac OS X Supplicant 10.9	2.0	4.9.5.3	AnyConnect 4.2, 4.3, and 4.4
Apple Mac OS X 10.8	Apple Safari Mozilla Firefox Google Chrome	Apple Mac OS X Supplicant 10.8	2.0	4.9.5.3	AnyConnect 4.2, 4.3, and 4.4

^14.Cisco ISE 2.0 does not support Anyconnect 4.5 and later.

^15.Apple Safari version 6.0 is supported only on Mac OS X 10.7.4 and later versions of the operating system.

^16.If you are using Mac OS X clients with Java 7, you cannot download the Agents using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the Agents.

^17.Apple Safari version 6.0 is supported only on Mac OS X 10.7.4 and later versions of the operating system.

^18.If you are using Mac OS X clients with Java 7, you cannot download the Agents using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the Agents.

Table 6 Microsoft Windows 19
Client Machine Operating System	Web Browser	Supplicants (802.1X)	Cisco ISE	Cisco NAC Agent ²⁰	Cisco NAC Web Agent 16	AnyConnect ²¹
Microsoft Windows 10
Windows 10	Microsoft Edge²² Microsoft IE 11 Mozilla Firefox Google Chrome	Microsoft Windows 10 802.1X Client	2.0	4.9.5.8	4.9.5.4 4.9.5.8²³	AnyConnect 4.2, 4.3, and 4.4
Microsoft Windows 8 24,25^,26
Windows 8.1 Windows 8 Windows 8 x64 Windows 8 Professional Windows 8 Professional x64 Windows 8 Enterprise Windows 8 Enterprise x64	Microsoft IE 11, 10 Mozilla Firefox Google Chrome	Microsoft Windows 8 802.1X Client	2.0	4.9.5.8	4.9.5.4 4.9.5.8²⁷	AnyConnect 4.2, 4.3, and 4.4
Microsoft Windows 728
Windows 7 Professional Windows 7 Professional x64 Windows 7 Ultimate Windows 7 Ultimate x64 Windows 7 Enterprise Windows 7 Enterprise x64 Windows 7 Home Premium Windows 7 Home Premium x64 Windows 7 Home Basic Windows 7 Starter Edition	Microsoft IE 11, 10 ²⁹ Mozilla Firefox Google Chrome	Microsoft Windows 7 802.1X Client AnyConnect Network Access Manager	2.0	4.9.5.8	4.9.5.4 4.9.5.8³⁰	AnyConnect 4.2, 4.3, and 4.4

^19.It is recommended to use the Cisco NAC/Web Agent versions along with the corresponding Cisco ISE version.

^20.Cisco NAC Agent and Cisco NAC Web Agent do not support Google Chrome version 45 and later. See CSCuw19276 for more information. We recommend that you use another supported browser such as Internet Explorer 7.0, 8.0 or 9.0 or Mozilla Firefox 3.5.7, 3.6 or 20.x.

^21.Cisco ISE 2.0 does not support Anyconnect 4.5 and later.

^22.Microsoft Edge browser does not support NAC Agent provisioning.

^23.Cisco NAC Web Agent 4.9.5.8 is supported for Cisco ISE 2.0 Patch 4.

^24.In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)

^25.When you create a Cisco ISE client provisioning policy to accommodate Windows 8, you must specify the “Windows All” operating system option.

^26.Windows 8 RT is not supported.

^27.Cisco NAC Web Agent 4.9.5.8 is supported for Cisco ISE 2.0 Patch 4 on Windows 8.1 and Windows 8 operating systems only.

^28.Cisco ISE does not support the Windows Embedded operating systems available from Microsoft.

^29.When Internet Explorer 10 is installed on Windows 7, to get full network access, you need to update to March 2013 Hotfix ruleset.

^30.Cisco NAC Web Agent 4.9.5.8 is supported for Cisco ISE 2.0 Patch 4 and Microsoft IE browser is not supported on Windows 7 operating system with Cisco NAC Web Agent 4.9.5.8.

Table 7 Others
Client Machine Operating System	Web Browser	Supplicants (802.1X)
Red Hat Enterprise Linux (RHEL) 5	Google Chrome Mozilla Firefox	Not tested extensively ³¹

^31.The support for 802.1X has not been tested extensively by Cisco, but any 802.1X supplicant is supported as long as it is compliant with the IEEE 802.1X standards.

Validated Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals

These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.

Table 8 Supported Operating Systems and Browsers
Supported Operating System ³²	Browser Versions
Google Android ³³ 8.x, 7.x³⁴, 6.x, 5.x, 4.4.x, 4.2.x, 4.1.2, 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2	Native browser Mozilla Firefox
Apple iOS 11.x, 10.x³⁵, 9.x, 8.x, 7.x, 6.1, 6, 5.1, 5.0.1	Safari
Apple Mac OS X 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.8, 10.7, 10.6	Mozilla Firefox Safari Google Chrome
Microsoft Windows 10, 8, 8.1 ³⁶, 7³⁷, Vista	Microsoft Edge³⁸ Microsoft IE 11, 10³⁹ Mozilla Firefox Google Chrome
Red Hat Enterprise Linux (RHEL) 5	Mozilla Firefox Google Chrome

^32.The latest two officially-released browser versions are supported for all operating systems except Microsoft Windows; refer to Table 8 for the supported Internet Explorer versions.

^33.Because of the open access-nature of Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.

^34.Tested with Cisco ISE, Release 2.0 patch 3 and Release 2.0.1 patch 1.

^35.Tested with Cisco ISE, Release 2.0 patch 3 and Release 2.0.1 patch 1.

^36.In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)

^37.Cisco ISE does not support the Windows Embedded 7 versions available from Microsoft.

^38.Cisco ISE, Release 1.4 Patch 3 supports Windows 10 operating system and Microsoft Edge browser.

^39.When Internet Explorer 10 is installed on Windows 7, to get full network access, you need to update to March 2013 Hotfix ruleset.

Note When a guest user tries to log in using Google Chrome on Windows 7 OS, the login fails. It is recommended to upgrade the browser to Chrome 11 or later.

Validated Devices for On-Boarding and Certificate Provisioning

Cisco Wireless LAN Controller (WLC) 7.2 or above support is required for the BYOD feature. Refer to the Release Notes for the Cisco Identity Services Engine, Release 2.0 for any known issues or caveats.

Table 9 BYOD On-Boarding and Certificate Provisioning - Validated Devices and Operating Systems
Device	Operating System	Single SSID	Dual SSID (open > PEAP (no cert) or open > TLS)	Onboard Method
Apple iDevice	Apple iOS 11.x, 10.x⁴⁰, 9.x, 8.x, 7.x, 6.1, 6, 5.1, 5.0.1	Yes	Yes⁴¹	Apple profile configurations (native)
Android	2.2 and above⁴²	Yes	Yes	Cisco Network Setup Assistant
Barnes & Noble Nook (Android) HD/HD+ ⁴³	—	—	—	—
Windows	Windows 10, 8.1, 8, 7, Vista	Yes⁴⁴	Yes	SPW from Cisco.com or Cisco ISE Client Provisioning feed
Windows	Mobile 8, Mobile RT, Surface 8, and Surface RT	No	No	—
MAC OS X⁴⁵	Mac OS X 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.8, 10.7, 10.6	Yes	Yes	SPW from Cisco.com or Cisco ISE client provisioning feed

^40.Tested with Cisco ISE, Release 2.0 patch 3 and Release 2.0.1 patch 1.

^41.Connect to secure SSID after provisioning

^42.There are known EAP-TLS issues with Android 4.1.1 devices. Contact your device manufacturer for support.

^43.Barnes & Noble Nook (Android) works when it has Google Play Store 2.1.0 installed.

^44.While configuring the wireless properties for the connection (Security > Auth Method > Settings > Validate Server Certificate), uncheck the valid server certificate option or if you check this option, ensure that you select the correct root certificate.

^45.If you are using Mac OS X clients with Java 7, you cannot download the SPWs using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the SPWs.

Requirements for CA to Interoperate with Cisco ISE

While using a CA server with Cisco ISE, make sure that the following requirements are met:

Key size should be 1024, 2048, or higher. In CA server, the key size is defined using certificate template. You can define the key size on Cisco ISE using the supplicant profile.
Key usage should allow signing and encryption in extension.
While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.

Note EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication like PEAP, EAP-TLS, and so on.

Client Certificate Requirements for Certificate-Based Authentication

For certificate-based authentication with Cisco ISE, the client certificate should meet the following requirements:

Supported Cryptographic Algorithms: RSA
Supported Key Sizes: 1024, 2048, or 4096 bits
Supported Secure Hash Algorithms (SHA): SHA-1 and SHA-2 (includes SHA-256)

Table 10 Product Documentation for Cisco Identity Services Engine
Document Title	Location
Release Notes for the Cisco Identity Services Engine, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-release-notes-list.html
Cisco Identity Services Engine Network Component Compatibility, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html
Cisco Identity Services Engine Admin Guide, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-and-configuration-guides-list.html
Cisco Identity Services Engine Hardware Installation Guide, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html
Cisco Identity Services Engine Upgrade Guide, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html
Cisco Identity Services Engine, Release 2.0 Migration Tool Guide	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html
Cisco Identity Services Engine Sponsor Portal User Guide, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-user-guide-list.html
Cisco Identity Services Engine CLI Reference Guide, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-command-reference-list.html
Cisco Identity Services Engine API Reference Guide, Release 2.0	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-command-reference-list.html
Regulatory Compliance and Safety Information for Cisco Identity Services Engine 3400 Series Appliance	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html
Cisco ISE In-Box Documentation and China RoHS Pointer Card	http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-documentation-roadmaps-list.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

Related Cisco Community Discussions

This Document Applies to These Products

Identity Services Engine 2.0

Cisco Identity Services Engine Network Component Compatibility, Release 2.0

Available Languages

Download Options

Table of Contents