Cisco Identity Services Engine Network Component Compatibility, Release 2.0
This document describes Cisco Identity Services Engine (ISE) validated compatibility with switches, wireless LAN controllers, and other policy enforcement devices as well as operating systems with which Cisco ISE interoperates.
Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication. For a list of supported authentication methods, see the “Manage Authentication Policies” chapter of the Cisco Identity Services Engine Admin Guide, Release 2.0.
Cisco ISE interoperates fully with third-party RADIUS devices that adhere to the standard protocols. Support for RADIUS functions depends on the device-specific implementation.
Cisco ISE conforms to the following RFCs:
Note: Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. We recommend that you validate all network devices and their software for hardware capabilities or bugs in a particular software release.
For information on enabling specific functions of Cisco ISE on network switches, see the “Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions” chapter in Cisco Identity Services Engine Admin Guide, Release 2.0.
For information about third-party NAD profiles, see the ISE Community Resources.
Note: Some switch models and IOS versions may have reached the end-of-life date and interoperability may not be supported by Cisco TAC.
For Wireless LAN Controllers, note the following:
Table 1 lists the support for the devices as follows:
The following are the functionalities supported by each feature:
Recommended OS [1] | TrustSec [2] | Minimum OS [3]
Catalyst 9300 [4]
Catalyst 9400 [4]
Catalyst 9500 [4]
Cisco Wireless LAN Controllers [5]
2. For a complete list of Cisco TrustSec feature support, see http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html.
5. Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support endpoint posturing. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
For RADIUS proxy service, the following authentication, authorization, and accounting (AAA) attributes must be included in the RADIUS communication:
For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:
Note: For VPN devices, the RADIUS Accounting messages must have the Framed-IP-Address attribute set to the client’s VPN-assigned IP address to track the endpoint while on a trusted network.
Refer to Cisco Identity Services Engine Administrator Guide, Release 2.0 for more information.
Microsoft Windows Active Directory 2012 R2 [9]
If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).
Adobe Flash Player 11.1.0.0 or above must be installed on the system running your client browser.
The minimum screen resolution required to view the Cisco ISE Admin portal, and for a better user experience, is 1280 x 800 pixels.
Cisco ISE, Release 2.0 integrates with Cisco Mobility Services Engine (MSE), Release 8.0 to provide Location Service (also known as Context Aware Service). This service allows you to track the location of wireless devices.
For information on how to integrate Cisco ISE with Cisco MSE, refer to:
Cisco Prime Infrastructure, Release 3.1 integrates with Cisco ISE, Release 2.0 to leverage the monitoring and reporting capabilities of Cisco ISE.
Client Machine Operating Systems and Agent Support in Cisco ISE lists the supported client machine operating systems, browsers, and agent versions supporting each client machine type. For all devices, you must also have cookies enabled in the web browser.
All standard 802.1X supplicants can be used with Cisco ISE, Release 2.0 standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. (For information on allowed authentication protocols, see the “Manage Authentication Policies” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.0). For the VLAN change authorization feature to work in a wireless deployment, the supplicant must support IP address refresh on VLAN change.
Note: The new features introduced in Cisco ISE, Release 1.4, such as the Service Check (MAC OS X), File Check (MAC OS X), Application Check (MAC OS X), and Patch Management Check (MAC OS X and Windows), are available only with AnyConnect 4.1.00028 or later. Refer to the Cisco Identity Services Engine Administrator Guide, Release 2.0 for more information.
The Cisco NAC Agent versions 4.9.5.3 and later can be used on both Cisco NAC Appliance Releases 4.9(3), 4.9(4), 4.9(5) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2, 1.3, 1.4, 2.0. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.
AnyConnect [14]
Cisco NAC Agent [20] | Cisco NAC Web Agent [16] | AnyConnect [21]
4.9.5.8 [23]
4.9.5.8 [27]
Microsoft Windows 7 [28]
4.9.5.8 [30]
19. It is recommended to use the Cisco NAC/Web Agent versions along with the corresponding Cisco ISE version.
20. Cisco NAC Agent and Cisco NAC Web Agent do not support Google Chrome version 45 and later. See CSCuw19276 for more information. We recommend that you use another supported browser such as Internet Explorer 7.0, 8.0 or 9.0 or Mozilla Firefox 3.5.7, 3.6 or 20.x.
24. In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)
25. When you create a Cisco ISE client provisioning policy to accommodate Windows 8, you must specify the “Windows All” operating system option.
27. Cisco NAC Web Agent 4.9.5.8 is supported for Cisco ISE 2.0 Patch 4 on Windows 8.1 and Windows 8 operating systems only.
Not tested extensively [31]
These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.
Supported Operating System [32]
Google Android [33] 8.x, 7.x [34], 6.x, 5.x, 4.4.x, 4.2.x, 4.1.2, 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
Apple iOS 11.x, 10.x [35], 9.x, 8.x, 7.x, 6.1, 6, 5.1, 5.0.1
Apple Mac OS X 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.8, 10.7, 10.6
32. The latest two officially-released browser versions are supported for all operating systems except Microsoft Windows; refer to Table 8 for the supported Internet Explorer versions.
33. Because of the open access-nature of Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.
36. In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)
Note: When a guest user tries to log in using Google Chrome on Windows 7 OS, the login fails. It is recommended to upgrade the browser to Chrome 11 or later.
Cisco Wireless LAN Controller (WLC) 7.2 or above support is required for the BYOD feature. Refer to the Release Notes for the Cisco Identity Services Engine, Release 2.0 for any known issues or caveats.
Apple iOS 11.x, 10.x [40], 9.x, 8.x, 7.x, 6.1, 6, 5.1, 5.0.1
Yes [41]
2.2 and above [42]
Barnes & Noble Nook (Android) HD/HD+ [43]
Yes [44]
MAC OS X [45]
Mac OS X 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.8, 10.7, 10.6
42. There are known EAP-TLS issues with Android 4.1.1 devices. Contact your device manufacturer for support.
While using a CA server with Cisco ISE, make sure that the following requirements are met:
Note: EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication like PEAP, EAP-TLS, and so on.
This section covers information on release-specific documentation and platform-specific documentation.
Links to other platform-specific documentation are available at the following locations:
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.