This document describes Cisco Identity Services Engine (ISE) validated compatibility with switches, wireless LAN controllers, and other policy enforcement devices as well as operating systems with which Cisco ISE interoperates.
Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication. For a list of supported authentication methods, see the “Manage Authentication Policies” chapter of the Cisco Identity Services Engine Admin Guide, Release 2.1.
Cisco ISE interoperates fully with third-party RADIUS devices that adhere to the standard protocols. Support for RADIUS functions depends on the device-specific implementation.
Cisco ISE conforms to the following RFCs:
RFC 2138—Remote Authentication Dial In User Service (RADIUS)
RFC 2139—RADIUS Accounting
RFC 2865—Remote Authentication Dial In User Service (RADIUS)
RFC 2866—RADIUS Accounting
RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 5176—Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
Note Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. We recommend that you validate all network devices and their software for hardware capabilities or bugs in a particular software release.
Note Some switch models and IOS versions may have reached the end-of-life date and interoperability may not be supported by Cisco TAC.
To support the Cisco ISE profiling service, use the latest version of NetFlow (version 9), which carries the additional fields the profiler needs. NetFlow version 5 can be used only on the primary NAD at the access layer; it does not work anywhere else in the network.
For Wireless LAN Controllers, note the following:
MAB supports MAC filtering with RADIUS lookup.
Support for session ID and CoA with MAC filtering provides MAB-like functionality.
The DNS-based ACL feature is supported starting with WLC release 8.0. Not all access points support DNS-based ACLs; refer to the Cisco Access Points release notes for details.
Table 1 lists the support for the devices as follows:
√ — Fully supported
X — Not supported
! — Limited support, some functionalities are not supported
The following are the functionalities supported by each feature:
802.1X, MAB, VLAN Assignment, dACL
RADIUS CoA and Profiling Probes
RADIUS CoA, URL Redirection + SessionID
RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Guest Originating URL
RADIUS CoA, URL Redirection + SessionID, Local Web Auth
3. Minimum OS is the software version in which the listed features were introduced.
4. Catalyst 9000 Series Switches are validated with Cisco ISE, Release 2.1 Patch 6.
5. Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but do support named ACLs. Autonomous AP deployments do not support endpoint posturing. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 184.108.40.206 and for MAB-authenticated WLANs starting from WLC release 220.127.116.11. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with a central authentication configuration starting from WLC release 18.104.22.168. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
AAA Attributes for RADIUS Proxy Service
For RADIUS proxy service, the following authentication, authorization, and accounting (AAA) attributes must be included in the RADIUS communication:
Calling-Station-ID (IP address or MAC address of the client)
AAA Attributes for Third-Party VPN Concentrators
For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:
Calling-Station-ID (tracks individual client by MAC or IP address)
User-Name (tracks remote client by login name)
NAS-Port-Type (helps to determine connection type as VPN)
RADIUS Accounting Start (triggers official start of session)
RADIUS Accounting Stop (triggers official end of session and releases the ISE license consumed by that session)
RADIUS Accounting Interim Update on IP address change (for example, when an SSL VPN connection transitions from a web-based session to a full-tunnel client)
Note For VPN devices, the RADIUS Accounting messages must carry the Framed-IP-Address attribute set to the client's VPN-assigned IP address so that ISE can track the endpoint while it is on the trusted network. Without it, ISE cannot correlate the session to an address for CoA, URL redirection, or posture.
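The following is an added example, not Cisco ISE or NAD code, that builds and checks the RADIUS messages the two lists above describe: an Accounting-Request (RFC 2866) carrying Calling-Station-Id, User-Name, NAS-Port-Type, Acct-Status-Type, Acct-Session-Id and Framed-IP-Address, the Accounting-Response to it, and an RFC 5176 CoA-Request keyed on the session ID. It computes and verifies the Request and Response Authenticators so the reader can see what a NAD that "implements common RADIUS behavior" actually has to get right. The shared secret, addresses, user name and session identifier are constructed sample values.

```python
"""RADIUS packet builder/checker for the accounting and CoA attributes listed above.
Added example, not Cisco ISE or NAD code. The shared secret, NAS and client
addresses, user name and session identifier below are constructed sample data."""
import hashlib
import struct
from typing import Dict, List, Tuple

# Packet codes: RFC 2866 (accounting) and RFC 5176 (dynamic authorization)
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
COA_REQUEST, COA_ACK = 43, 44

# Attribute type numbers from RFC 2865/2866
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40, "Acct-Session-Id": 44,
        "NAS-Port-Type": 61}
INT_ATTRS = ("Acct-Status-Type", "NAS-Port-Type")
IP_ATTRS = ("NAS-IP-Address", "Framed-IP-Address")
NAS_PORT_TYPE_VIRTUAL = 5            # RFC 2865 value used by VPN concentrators
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3

# Attributes the notes above require in a VPN concentrator's accounting messages;
# Acct-Session-Id is included because RFC 5176 CoA/Disconnect requests key on it.
VPN_REQUIRED = ("User-Name", "Calling-Station-Id", "NAS-Port-Type",
                "Acct-Status-Type", "Framed-IP-Address", "Acct-Session-Id")
SECRET = b"constructed-shared-secret"  # assumption: the NAD <-> ISE shared secret


def _encode(attrs: List[Tuple[str, object]]) -> bytes:
    """Serialize (name, value) pairs as RADIUS Type/Length/Value triples."""
    out = b""
    for name, value in attrs:
        if name in INT_ATTRS:
            data = struct.pack("!I", int(value))
        elif name in IP_ATTRS:
            data = bytes(int(o) for o in str(value).split("."))
        else:
            data = str(value).encode()
        out += struct.pack("!BB", ATTR[name], len(data) + 2) + data
    return out


def build_request(code: int, ident: int, attrs, secret: bytes) -> bytes:
    """Request Authenticator (RFC 2866 s.3, same formula in RFC 5176 s.3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = _encode(list(attrs))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_request(pkt: bytes, secret: bytes) -> bool:
    """True when the sender knows the secret and the attributes were not altered."""
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return pkt[4:20] == expected


def verify_response(resp: bytes, request: bytes, secret: bytes) -> bool:
    """Bind the response to the request it answers (same Identifier, chained authenticator)."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[1] == request[1] and resp[4:20] == expected


def decode(pkt: bytes) -> Dict[str, object]:
    """Walk the attribute TLVs that follow the 20-byte header."""
    names = {v: k for k, v in ATTR.items()}
    attrs, i = {}, 20
    while i + 2 <= len(pkt):
        length = pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            break                     # malformed attribute: stop rather than loop forever
        name, data = names.get(pkt[i], str(pkt[i])), pkt[i + 2:i + length]
        if name in INT_ATTRS:
            attrs[name] = struct.unpack("!I", data)[0] if len(data) == 4 else data.hex()
        elif name in IP_ATTRS:
            attrs[name] = ".".join(str(b) for b in data)
        else:
            attrs[name] = data.decode(errors="replace")
        i += length
    return attrs


def missing_vpn_attrs(pkt: bytes) -> List[str]:
    """Which of the required VPN accounting attributes are absent from a packet."""
    present = decode(pkt)
    return [a for a in VPN_REQUIRED if a not in present]


def sample_accounting(status: int = ACCT_START, with_framed_ip: bool = True) -> bytes:
    """Constructed Accounting-Request as a VPN concentrator should send it."""
    attrs = [("User-Name", "alice"), ("Calling-Station-Id", "00-11-22-33-44-55"),
             ("NAS-IP-Address", "10.0.0.1"), ("NAS-Port-Type", NAS_PORT_TYPE_VIRTUAL),
             ("Acct-Status-Type", status), ("Acct-Session-Id", "a1b2c3d4")]
    if with_framed_ip:
        attrs.append(("Framed-IP-Address", "192.0.2.10"))  # the VPN-assigned address
    return build_request(ACCOUNTING_REQUEST, 7, attrs, SECRET)


def sample_coa() -> bytes:
    """CoA-Request that targets the session by Acct-Session-Id (RFC 5176)."""
    return build_request(COA_REQUEST, 8, [("Acct-Session-Id", "a1b2c3d4"),
                                          ("Calling-Station-Id", "00-11-22-33-44-55")], SECRET)


if __name__ == "__main__":
    start = sample_accounting()
    ack = build_response(ACCOUNTING_RESPONSE, start, SECRET)
    print(decode(start))
    print("missing:", missing_vpn_attrs(sample_accounting(ACCT_INTERIM, with_framed_ip=False)))
    print("ack valid:", verify_response(ack, start, SECRET))
```

The Interim-Update built without Framed-IP-Address is the failure mode the note above warns about: the packet is perfectly valid RADIUS, so ISE accepts it, but the session never gets an address to act on. Note also that the authenticator only proves knowledge of the shared secret; it is MD5-based and offers no confidentiality, which is why RADIUS should travel over a management network or an IPsec tunnel.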
Security Assertion Markup Language (SAML) Single Sign-On (SSO)
Oracle Access Manager (OAM)
Oracle Identity Federation (OIF)
Any SAMLv2-compliant Identity Provider
Open Database Connectivity (ODBC) Identity Source
Microsoft SQL Server
Microsoft SQL Server 2012
Enterprise Edition Release 22.214.171.124.0
6.Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008, 2008 R2, 2012, and 2012 R2.
7. Microsoft Windows 2000 Active Directory, and domains at the Windows 2000 functional level, are not supported by Cisco ISE.
8. Microsoft has ended support for Windows Server 2003 and 2003 R2. We recommend that you upgrade Windows Server to a supported version.
9. Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2; however, the new features in 2012 R2, such as the Protected Users security group, are not supported.
Supported Browsers for the Admin Portal
Mozilla Firefox 62 and earlier versions
Google Chrome 69 and earlier versions
Microsoft Internet Explorer 10.x and 11.x
If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2 and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).
Adobe Flash Player 126.96.36.199 or above must be installed on the system running your client browser.
The minimum required screen resolution to view the Cisco ISE Admin portal and for a better user experience is 1280 x 800 pixels.
Validated Virtual Environments
Cisco ISE supports the following virtual environment platforms:
VMware ESXi 5.x, 6.x
Note If you are installing Cisco ISE on an ESXi 5.x server, you must install the VMware update that adds RHEL 7 as a supported guest OS. See the VMware Compatibility Guide for details.
If you are upgrading to Release 2.1 on an ESXi 5.x server, you must upgrade the virtual machine hardware version to 11 before you can select RHEL 7 as the guest OS.
KVM on RHEL 7.0 and Ubuntu 14.04 LTS
Validated Cisco Mobility Services Engine Release
Cisco ISE, Release 2.1 integrates with Cisco Mobility Services Engine (MSE), Release 8.0 to provide Location Service (also known as Context Aware Service). This service allows you to track the location of wireless devices.
For information on how to integrate Cisco ISE with Cisco MSE, refer to:
Note All standard 802.1X supplicants can be used with Cisco ISE, Release 2.1 standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. (For information on allowed authentication protocols, see the “Manage Authentication Policies” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1). For the VLAN change authorization feature to work in a wireless deployment, the supplicant must support IP address refresh on VLAN change.
Cisco NAC Agent Interoperability Between Cisco NAC Appliance and Cisco ISE
The Cisco NAC Agent versions 188.8.131.52 and later can be used on both Cisco NAC Appliance Releases 4.9(3), 4.9(4), 4.9(5) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2, 1.3, 1.4, 2.0, 2.1. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.
Note The new features introduced in Cisco ISE 1.4 and later releases, such as the Service Check (Mac OS X), File Check (Mac OS X), Application Check (Mac OS X), and Patch Management Check (Mac OS X and Windows), are available only with AnyConnect 4.1.00028 or later. Refer to the Cisco Identity Services Engine Administrator Guide, Release 2.1 for more information.
Client Machine Operating Systems and Agent Support in Cisco ISE
10.Because of the open access-nature of Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.
11.Tested with Cisco ISE, Release 2.1 patch 1.
12. On Android 7.1 devices, the CA certificate option is not set by default. For the device to connect to the network, configure the wireless settings as follows: if Cisco ISE uses a self-signed certificate for EAP, set the CA certificate option to Do not validate; if Cisco ISE uses a CA-signed certificate (signed by a well-known CA trusted by the Android OS) for EAP, set the CA certificate option to Use system certificate. Be aware that Do not validate turns off server certificate checking entirely, so the supplicant will complete EAP with any RADIUS server behind an access point that advertises the same SSID; treat it as a lab workaround and use a CA-signed EAP certificate in production.
13. When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1X, certificate warnings might be displayed even for publicly trusted certificates. This usually occurs when the public certificate includes a Certificate Revocation List (CRL) distribution point that the iOS device needs to check, and the device cannot reach the CRL before it has network access. Click Confirm or Accept on the iOS device to authenticate to the network.
15.Apple Safari version 6.0 is supported only on Mac OS X 10.7.4 and later versions of the operating system.
16.If you are using Mac OS X clients with Java 7, you cannot download the Agents using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the Agents.
17.It is recommended to use the Cisco NAC/Web Agent versions along with the corresponding Cisco ISE version.
18.Cisco NAC Agent and Cisco NAC Web Agent do not support Google Chrome version 45 and later. See CSCuw19276 for more information. We recommend that you use another supported browser.
19.If you have AnyConnect Network Access Manager (NAM) installed, NAM takes precedence over Windows native supplicant as the 802.1X supplicant and it does not support the BYOD flow. You must disable NAM completely or on a specific interface. See the Cisco AnyConnect Secure Mobility Client Administration Guide for more information.
20.Microsoft Edge browser does not support NAC Agent provisioning.
21.In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)
22.When you create a Cisco ISE client provisioning policy to accommodate Windows 8, you must specify the “Windows All” operating system option.
23.Windows 8 RT is not supported.
24. Cisco NAC Web Agent 184.108.40.206 is supported with Cisco ISE 2.1 Patch 1. Microsoft Internet Explorer is not supported on the Windows 7 operating system with Cisco NAC Web Agent 220.127.116.11.
28.The latest two officially-released browser versions are supported for all operating systems except Microsoft Windows; refer to Table 9 for the supported Internet Explorer versions.
Validated Devices for On-Boarding and Certificate Provisioning
Note To get the latest Cisco-supported client OS versions, check the posture update information (Administration > System > Settings > Posture > Updates) and click Update Now, if needed or if you have not recently updated the posture feeds.
Table 10 BYOD On-Boarding and Certificate Provisioning - Validated Devices and Operating Systems
SPW from Cisco.com or Cisco ISE client provisioning feed
33.Tested with Cisco ISE, Release 2.1 patch 1.
34.Connect to secure SSID after provisioning
35.There are known EAP-TLS issues with Android 4.1.1 devices. Contact your device manufacturer for support.
36.Android 6.0 requires May 2016 patch to support ECC certificates; does not support the P-192 ECC curve type.
37.Beginning from Android version 6.0, the Cisco supplicant provisioning wizard (SPW) can no longer modify the system-created SSIDs. When the SPW prompts you to forget the network, you must choose to forget the network and press the Back button to continue the provisioning flow.
38.Barnes & Noble Nook (Android) works when it has Google Play Store 2.1.0 installed.
39. While configuring the wireless properties for the connection (Security > Auth Method > Settings > Validate Server Certificate), either uncheck the Validate Server Certificate option or, if you leave it checked, ensure that you select the correct root certificate. Unchecking it disables authentication of the RADIUS server, so keep it checked with the correct root wherever possible.
40.If you are using Mac OS X clients with Java 7, you cannot download the SPWs using Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the SPWs.
Requirements for CA to Interoperate with Cisco ISE
While using a CA server with Cisco ISE, make sure that the following requirements are met:
Key size should be 1024, 2048, or higher. On the CA server, the key size is defined in the certificate template; on Cisco ISE, you define it in the supplicant profile. Note that 1024-bit RSA is below current minimum-strength guidance; use 2048 bits or more for new deployments.
Key usage should allow signing and encryption in the Key Usage extension (digitalSignature and keyEncipherment).
When using GetCACapabilities through the SCEP protocol, the CA must advertise a supported cryptographic algorithm and request hash. The recommended combination in this release is RSA + SHA1; where both the CA and the supplicants support it, prefer SHA-256, as SHA-1 signatures are deprecated.
Online Certificate Status Protocol (OCSP) is supported. It is not used directly in BYOD, but a CA that can act as an OCSP responder can be used for certificate revocation checks.
Note EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication like PEAP, EAP-TLS, and so on.
If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure key usage in the SCEP template and enable the “Key Encipherment” option.
For example, If you use Microsoft CA, edit the Key Usage Extension in the certificate template. In the Encryption area, click the Allow key exchange only with key encryption (key encipherment) radio button and also check the Allow encryption of user data check box.
Cisco ISE supports the RSASSA-PSS signature algorithm for trusted certificates and endpoint certificates in EAP-TLS authentication. When you view such a certificate, the signature algorithm is listed by its OID, 1.2.840.113549.1.1.10, instead of by name.
Note However, if you use the Cisco ISE internal CA for the BYOD flow, the Admin certificate must not be signed using the RSASSA-PSS algorithm (by an external CA). The Cisco ISE internal CA cannot verify an Admin certificate signed with this algorithm, and the request fails.
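The following added example, not Cisco ISE code, turns the CA requirements above and the client-certificate requirements that follow into a check a practitioner can run against a certificate before rolling it into a BYOD flow: RSA key size, Key Usage bits (digitalSignature and keyEncipherment), the ECC curve (flagging P-192, which the Android notes above call out), and the signature algorithm, naming RSASSA-PSS where a viewer would show only the OID. It uses the third-party cryptography package (assumed installed); the certificates it inspects are generated in-process as constructed sample data rather than taken from any real PKI.

```python
"""Check a certificate against the CA interoperability and client-certificate
requirements above. Added example using the third-party `cryptography` package
(assumption: it is installed); not Cisco ISE code. Test certificates are
self-signed in-process as constructed sample data."""
import datetime
from typing import List, Optional
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

RSASSA_PSS_OID = x509.ObjectIdentifier("1.2.840.113549.1.1.10")   # id-RSASSA-PSS
KNOWN_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
MIN_RSA_BITS = 2048          # the notes accept 1024; treat it as below current minimums
WEAK_CURVES = {"secp192r1"}  # P-192: not supported by Android 6.0 per the notes above
CURVES = {"P-192": ec.SECP192R1, "P-256": ec.SECP256R1, "P-384": ec.SECP384R1}


def make_cert(key_bits: int = 2048, digital_signature: bool = True,
              key_encipherment: bool = True, ec_curve: Optional[str] = None):
    """Self-signed test certificate; `ec_curve` switches from RSA to an ECC key."""
    if ec_curve:
        key = ec.generate_private_key(CURVES[ec_curve]())
    else:
        key = rsa.generate_private_key(65537, key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "byod-test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    key_usage = x509.KeyUsage(
        digital_signature=digital_signature, content_commitment=False,
        key_encipherment=key_encipherment, data_encipherment=False, key_agreement=False,
        key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(key_usage, critical=True)
            .sign(key, hashes.SHA256()))


def check_cert(cert: x509.Certificate, admin_cert_for_internal_ca: bool = False) -> List[str]:
    """Return the list of requirement violations (empty list means the cert passes)."""
    problems = []
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        problems.append(f"RSA key is {pub.key_size} bits; expect >= {MIN_RSA_BITS}")
    elif isinstance(pub, ec.EllipticCurvePublicKey) and pub.curve.name in WEAK_CURVES:
        problems.append(f"ECC curve {pub.curve.name} is not supported by all clients")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        problems.append("Key Usage extension missing")
    else:
        if not ku.digital_signature:
            problems.append("Key Usage lacks digitalSignature")
        if not ku.key_encipherment:
            problems.append("Key Usage lacks keyEncipherment")
    # RSASSA-PSS is acceptable for trusted/endpoint certs in EAP-TLS, but the ISE
    # internal CA cannot verify an Admin certificate signed with it.
    if admin_cert_for_internal_ca and cert.signature_algorithm_oid == RSASSA_PSS_OID:
        problems.append("Admin certificate signed with RSASSA-PSS")
    return problems


def signature_algorithm(cert: x509.Certificate) -> str:
    """Name the signature algorithm, including RSASSA-PSS where viewers show only the OID."""
    oid = cert.signature_algorithm_oid
    if oid == RSASSA_PSS_OID:
        return "RSASSA-PSS"
    return KNOWN_SIG_OIDS.get(oid.dotted_string, oid.dotted_string)


if __name__ == "__main__":
    for cert in (make_cert(), make_cert(1024, key_encipherment=False),
                 make_cert(ec_curve="P-256")):
        print(signature_algorithm(cert), check_cert(cert) or "OK")
```

To check a certificate issued by your own CA, load it with x509.load_pem_x509_certificate and pass it to check_cert; the Key Usage findings map directly onto the Microsoft CA template settings described above (keyEncipherment is the "Allow key exchange only with key encryption" choice).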
Client Certificate Requirements for Certificate-Based Authentication
For certificate-based authentication with Cisco ISE, the client certificate should meet the following requirements:
Supported Cryptographic Algorithms:
Table 11 Client-Certificate Requirements for RSA and ECC