Release Notes for Cisco Identity Services Engine, Release 2.2
Available Languages
Table of Contents
Release Notes for Cisco Identity Services Engine, Release 2.2
New Features in Cisco ISE, Release 2.2
Ability to Detect Anomalous Behavior of Endpoints
ACS to ISE migration Tool Enhancements
Auth VLAN DHCP and DNS Service Enhancements
Context Visibility Enhancements
Dictionary Check for Internal User and Admin User Password
Endpoint Identity Groups in Posture Policy
Network Device Group Hierarchies
RADIUS IPsec Security for Cisco ISE-NAD Communication
RADIUS Shared Secret Minimum Length
Stateless Session Resume Support for EAP-TLS
Support for Enrollment Over Secure Transport
Support for Microsoft Hyper-V Virtual Machines
Support for Multiple TrustSec Matrices
TrustSec-ACI Integration Enhancements
Active Directory Search Changes
Supported Virtual Environments
Support for Microsoft Active Directory
Supported Anti-Virus and Anti-Malware Products
Upgrade Considerations and Requirements
Reverse DNS Lookup Configuration
Cisco Secure ACS to Cisco ISE Migration
SXP Protocol Security Standards
Diffie-Hellman Minimum Key Length
LDAP Attributes in Authorization Policies After Migration
EST Service Does Not Run in Cisco ISE 2.1
Features Not Supported in Cisco ISE, Release 2.2
Deployment Terminology, Node Types, and Personas
Requirements for CA to Interoperate with Cisco ISE
Cisco ISE Installation Files, Updates, and Client Resources
Cisco ISE Downloads from the Download Software Center
Cisco ISE, Release 2.2.0.470 Patch Updates
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 17
Delay in information sent to PxGrid client after MnT failover
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 16
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 15
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 14
New Features in Cisco ISE Version 2.2.0.470—Cumulative Patch 13
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 13
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 12
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 11
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 10
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 9
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 8
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 7
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 6
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 5
Active Directory Identity Search Attributes
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 4
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 3
New Features and Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 2
Security Settings Page Enhancements
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 2
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 1
Cisco ISE, Release 2.2 Open Caveats
Accessibility Features in Cisco ISE 2.2
Obtaining Documentation and Submitting a Service Request
Contents
These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics
- Introduction
- New Features in Cisco ISE, Release 2.2
- System Requirements
- Installing Cisco ISE Software
- Upgrading to Release 2.2
- Cisco Secure ACS to Cisco ISE Migration
- Known Limitations
- Features Not Supported in Cisco ISE, Release 2.2
- Cisco ISE License Information
- Deployment Terminology, Node Types, and Personas
- Requirements for CA to Interoperate with Cisco ISE
- Cisco ISE Installation Files, Updates, and Client Resources
- Using the Bug Search Tool
- Cisco ISE, Release 2.2.0.470 Patch Updates
- Cisco ISE, Release 2.2 Open Caveats
- Resolved Caveats
- Documentation Updates
- Related Documentation
Introduction
The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, device administration (TACACS+), and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.
Note
We strongly recommend that you rollback any existing hot patches in your current deployment before applying ISE 2.2 Patch 5.
Note We have recalled ISE 2.2 Patch 4 due to an issue we found after posting. An updated patch file has been reposted, and the new file name is ise-patchbundle-2.2.0.470-Patch4-221755.SPA.x86_64.tar.gz. If you already installed the previously posted patch, you MUST uninstall that patch, and install the new one.
Note We have recalled ISE 2.2 Patch 6 due to an issue we found after posting. An updated patch file has been reposted, and the new file name is ise-patchbundle-2.2.0.470-Patch6-232642.SPA.x86_64.tar.gz. If you already installed the previously posted patch, you MUST uninstall that patch, and install the new one.
Note For more information about the features that are supported in Cisco ISE 2.2, see Cisco Identity Services Engine Administrator Guide, Release 2.2.
| Join the ISE Community to view resources, ask questions, and participate in discussions. See ISE Product Documentation, Introduction to ISE, YouTube Videos, Feature and Integration Demos, and Training Resources. The examples and screenshots provided in the ISE Community resources might be from earlier releases of Cisco ISE. Check the GUI for newer or additional features and updates. |
New Features in Cisco ISE, Release 2.2
- Ability to Detect Anomalous Behavior of Endpoints
- ACS to ISE migration Tool Enhancements
- Auth VLAN DHCP and DNS Service Enhancements
- Context Visibility Enhancements
- Cryptobinding TLV Support
- Custom User Attributes
- Dial-in Attribute Support
- Dictionary Check for Internal User and Admin User Password
- Endpoint Identity Groups in Posture Policy
- Guest Enhancements
- JSON Support for APIs
- Network Conditions
- Network Device Group Hierarchies
- OTP Token Caching
- Posture Enhancements
- pxGrid Enhancements
- RADIUS DTLS
- RADIUS IPsec Security for Cisco ISE-NAD Communication
- RADIUS Shared Secret Minimum Length
- Serviceability Enhancements
- Session Trace Test Cases
- Smart Call Home Enhancements
- Stateless Session Resume Support for EAP-TLS
- Support for Enrollment Over Secure Transport
- Support for Microsoft Hyper-V Virtual Machines
- Support for Multiple TrustSec Matrices
- Support for DEFCON Matrices
- Support for MySQL
- TC-NAC Enhancements
- TrustSec-ACI Integration Enhancements
- Wireless Setup
- Active Directory Search Changes
Ability to Detect Anomalous Behavior of Endpoints
Cisco ISE protects your network from the illegitimate use of a MAC address by detecting the endpoints involved in MAC address spoofing and allows you to restrict the permission of the suspicious endpoints. The following options are available in the profiler configuration page:
- Enable Anomalous Behavior Detection—Cisco ISE probes for data and checks for any contradictions to the existing data. If any contradictions are found, the AnomalousBehavior attribute is set to true and the corresponding endpoints are displayed in the Context Visibility page.
- Enable Anomalous Behavior Enforcement—A CoA is issued if anomalous behavior is detected. The suspicious endpoints are reauthorized based on the authorization rules configured in the Profiler Configuration page.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
ACS to ISE migration Tool Enhancements
- Migration of RADIUS or TACACS based configurations—You can migrate objects specific to RADIUS or TACACS. You can use this option if your Cisco Secure ACS deployment includes only TACACS or RADIUS configurations.
- Selective object migration—The migration tool allows you to select the high-level configuration components such as Dictionaries, to be migrated from Cisco Secure ACS to Cisco ISE. You can migrate all the supported configuration components or select some of the high-level configuration components from the list of configuration components based on your requirements.
- Special characters in object names—If the names of the ACS data objects contain any special characters that are not supported by Cisco ISE, the migration tool converts the unsupported special characters to underscore (_) and migrates the data objects to Cisco ISE. The auto-converted data objects are displayed as warnings in the export report. However, if LDAP/AD attributes, RSA, RSA realm prompts, internal usernames, or predefined reference data contain any special characters that are not supported by Cisco ISE, the export process fails.
- Enhanced help—In the migration tool UI, choose Help > Migration Tool Usage to view the details of the options that are available in the migration tool.
For more information, see the User Guide for Cisco Secure ACS to Cisco ISE Migration Tool, Release 2.2.
Auth VLAN DHCP and DNS Service Enhancements
While configuring the DHCP service, you can also assign specific DHCP options for clients that connect to the Auth VLAN. You can add multiple DHCP options to each scope that you define. The options available in the drop-down list are as defined in RFC 2132. You can add additional customized options by selecting Custom from the drop-down list.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Cryptobinding TLV Support
You can enable the crytobinding TLV option if you want the EAP peer and EAP server to participate in the inner and outer EAP authentications of a PEAP authentication.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Custom User Attributes
The following data types are supported for the custom attributes on the User Custom Attributes page:
- String—You can specify the maximum string length.
- Integer—You can configure the minimum and maximum range.
- Enum—You can specify the internal value and the display value. You can also specify the default parameter. The values that you add in the Display field are displayed while adding or editing a Network Access or Admin user.
- Float
- Password—You can specify the maximum string length.
- Long—You can configure the minimum and maximum range.
- IP—You can specify a default IPv4 or IPv6 address.
- Boolean—You can set either True or False as the default value.
- Date—You can select a date from the calendar and set it as the default value. The date is displayed in yyyy-mm-dd format.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Dial-in Attribute Support
Cisco ISE supports dial-in check to check the dial-in permissions of the user during authentication or query. The result of the check is returned to the device on the RADIUS response.
Dictionary Check for Internal User and Admin User Password
While configuring the password settings for internal users and admin users, you can choose if the password can contain any dictionary word or its characters in reverse order.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Endpoint Identity Groups in Posture Policy
You can create posture policies based on the endpoint identity groups. The endpoint identity groups are listed in the Identity Groups column in the Posture Policy page.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Guest Enhancements
- Single-click guest account approval—Self Registered guests that require approval can be approved by a Sponsor by clicking a link in the approval request email.
- Custom portal file upload—You can upload files to ISE and use them in portals.
- Directory attributes can be used to determine sponsor group membership. Active Directory, LDAP, SAML, and ODBC attributes are supported.
- Auto-timezone—Cisco ISE uses the timezone from the Sponsor portal's browser while creating guest accounts. Default times are created for that timezone when the sponsor creates an account. You must create timezones for your sites.
- You can now add, remove, resize, and reorder columns on the Manage Accounts page. You can also search the list by phone number. The column "creation date" has also been added.
- Hide password from sponsor—You can prevent the Sponsor from seeing the guest password when the guest is notified; the password is sent to the guest.
- Sponsor access to pending accounts—Access to all or only the Sponsor's accounts is now supported for Active Directory and LDAP.
- Auto-send sponsored guest credentials—Email notification can be sent automatically; the Sponsor does not need to click the Notify button.
- Account import supports passwords—Cisco ISE now supports setting account passwords while importing the user account details using a CSV file.
- Hotspot CoA—You can now choose the CoA type used by Hotspot portals.
- ERS API now supports creating guest types and sponsor groups, and setting account passwords.
- Portal background image—You can add a background image to a portal in the Customization page for that portal.
- Cisco ISE now supports Apple Captive Network Assistant (CNA) mini-browser for Guest and BYOD flows.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
JSON Support for APIs
Cisco ISE 2.2 supports JSON for all APIs. For more information, see the online SDK.
Network Conditions
Each network condition defines a list of objects that can be included in policy conditions, resulting in a set of definitions that are matched against those presented in the request. The operator that you use in the condition can be either match (in which case the value presented must match at least one entry within the network condition) or no matches (it should not match any entry in the set of objects that is present in the network condition).
After you create a network condition with a name, you can reuse this condition multiple times across various rules and policies by referring to its name.
You can create the following network conditions to restrict access to the network:
- Endstation Network Conditions—Based on endstations that initiate and terminate the connection.
- Device Network Conditions—Based on the AAA client that processes the request.
- Device Port Network Conditions—Based on the device's IP address, name, NDG, and port (physical port of the device that the endstation is connected to).
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Network Device Group Hierarchies
You can view the network device group hierarchy in Tree view or Flat Table view. In the Tree view, the root node appears at the top of the tree followed by the child groups in hierarchial order. Click Expand All to view all the device groups under each root group. Click Collapse All to list only the root groups.
In the Flat Table view, you can view the hierarchy of each device group in the Group Hierarchy column.
You can also view the number of network devices that are assigned to each child group. Click the number link to launch the Network Devices window, which lists all the network devices that are assigned to that device group. You can add additional devices to a device group or move the existing devices to another device group.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
OTP Token Caching
While configuring a RADIUS token server or RSA Identity Source, you can enable Passcode Caching if you want Cisco ISE to store the passcode in the cache after the first successful authentication with an RADIUS token server. Cisco ISE uses the cached user credentials for the subsequent authentications if they happen within the configured time period.
Enter the number of seconds for which the passcode must be stored in the cache in the Aging Time field. Within this period of time, the user can perform more than one authentication with the same passcode.
Note We strongly recommend that you enable this option only when you use a protocol that supports encryption of the passcode, for example, EAP-FAST-GTC.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Posture Enhancements
- The Firewall condition checks if a specific Firewall product is running on an endpoint. You can enforce policies during initial posture and Periodic Reassessment (PRA).
- The application visibility condition queries for applications that are installed on an endpoint. This improves the overall visibility of the software installed on your endpoints.
- AnyConnect client provisioning and posture discovery do not mandate CoA and URL redirection. The flow is seamless for on/off premises, third party NADs, and Cisco NADs. Without URL redirection, you can connect to the ISE PSN directly. This eliminates the need to depend on Cisco NADs to support redirection. It also ensures faster onboarding process without discovery.
Note You should enter the provisioning URL or perform a secondary authentication (on premises) only when you download the AnyConnect agent for the first time.
- Support for deploying the AnyConnect agent in Stealth mode to monitor and enforce Cisco ISE posture policies.
- You can configure AnyConnect in Clientless mode.
- Endpoint context visibility using the Unique Identifier (UDID) attribute.
For more information, see the Client Provisioning Without URL Redirection for Different Networks section and Cisco Identity Services Engine Administrator Guide, Release 2.2.
pxGrid Enhancements
- You can generate the pxGrid certificate from the Administration > pxGrid Services > Certificates page. You can generate the pxGrid certificate from the Primary Administration Node. The following options are available:
– Generate a certificate with or without certificate signing request
– Download root certificate chain
- You can enable pxGrid with Base license, but you must have a Plus license to enable pxGrid persona.
- In a high availability configuration, you can check the pxGrid Services page to verify whether a pxGrid node is currently in active or standby state.
- IPv6 filtering support for session topic.
- You can use the Test option on the pxGrid Settings page to run a health check on the pxGrid node. You can view the details in the pxgrid/pxgrid-test.log file.
- pxGrid support for UTF-8 and additional attributes.
RADIUS DTLS
You can use RADIUS DTLS protocol for RADIUS authentication. RADIUS DTLS provides improved security for DTLS tunnel establishment and RADIUS communication.
RADIUS IPsec Security for Cisco ISE-NAD Communication
Cisco ISE supports RADIUS IPsec protocol to secure communication with the Network Access Devices (NADs). Cisco ISE supports IPsec in Tunnel Mode or Transport Mode. IPsec can be enabled on GigabitEthernet 1 through GigabitEthernet 5 interfaces. You can configure IPsec on only one Cisco ISE interface.
Note Gig0 is the management interface and IPsec is not supported on Gig0.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
RADIUS Shared Secret Minimum Length
Shared secret length must be equal to or greater than the value configured in the Minimum RADIUS Shared Secret Length field in the Device Security Settings page (Administration > Network Resources > Network Devices > Device Security Settings).
For the RADIUS server, best practice is to have 22 characters. Note that for new installation and upgraded deployment, by default, this value is 4 characters. You can change this value on the Device Security Settings page.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Serviceability Enhancements
- Show CPU Usage Command Enhancements—The output of the show cpu usage command now includes several Cisco ISE functions and lists the percentage of CPU utilization. For more information, see the Cisco Identity Services Engine CLI Reference Guide.
- ISE Counters and Key Performance Metrics reports are introduced in this release.
Cisco ISE collects data for various attributes and provides the ISE Counters report that lists the threshold values for these attributes. You can use this information for capacity planning and debugging Cisco ISE issues. You can check the value for these attributes against the threshold values and if there is an increase in any particular attribute, you can correlate this information with the issues in your deployment to identify a possible cause.
The Key Performance Metrics report provides information about the number of RADIUS requests that were handled by each PSN in the deployment, the average and maximum load on each server, the average latency per request, and the average transactions per second. For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Session Trace Test Cases
This tool allows you to test the policy flow in a predicable way to check and verify the way that the policy is configured, without needing to have real traffic originate from a real device. You can configure the list of attributes and their values to be used in the Test Case. These details are used to perform interactions with the Policy system to simulate the runtime invocation of policy. The attributes can be configured by using the dictionaries. All the dictionaries that are applicable to Simple RADIUS authentication are listed in the Attributes field.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Smart Call Home Enhancements
Cisco ISE provides support for Transport Gateway. If your organization's security policy does not allow communication between the ISE servers in your network and the Smart Call Home (SCH) servers, you can use an optional Transport Gateway to act as a proxy for SCH communication. The Transport Gateway software can be downloaded from Cisco.com and can be installed and maintained on a Linux server. Refer to the Smart Call Home Deployment Guide for information on how to deploy the Transport Gateway software on an RHEL server.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Stateless Session Resume Support for EAP-TLS
While configuring EAP-TLS protocol settings, you can enable stateless session resumption for EAP-TLS sessions. Cisco ISE supports session ticket extension as described in RFC 5077. Cisco ISE creates a ticket and sends it to an EAP-TLS client. The client presents the ticket to ISE to resume a session.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Support for Enrollment Over Secure Transport
Cisco ISE now supports the Enrollment Over Secure Transport (EST) protocol, which is a successor to the SCEP protocol. EST handles certificate provisioning in a more secure and robust manner. Cisco ISE CA can now provision ECC-based certificates to devices that connect over a BYOD flow.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Support for Microsoft Hyper-V Virtual Machines
Cisco ISE can be installed on Microsoft Hyper-V servers. For more information, see the Cisco Identity Services Engine Installation Guide, Release 2.2.
Support for Multiple TrustSec Matrices
Cisco ISE allows you to create multiple policy matrices for different scenarios. You can use these matrices to deploy different policies to different network devices. For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Support for DEFCON Matrices
DEFCON matrices are standby policy matrices that can be easily deployed in the event of network security breaches.
You can create DEFCON matrices for the following severity levels: Critical, Severe, Substantial, and Moderate.
When a DEFCON matrix is activated, the corresponding DEFCON policy is immediately deployed on all the TrustSec network devices. You can use the Deactivate option to remove the DEFCON policy from the network devices.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Support for MySQL
MySQL database can be used as an ODBC identity source. For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
TC-NAC Enhancements
- This release of Cisco ISE supports integration with Cisco Threat Analytics (CTA), Rapid7 Nexpose, and Tenable Security Center (Nessus scanner) adapters.
- FireAMP adapter enhancements:
– You can select the event source to which you want to subscribe. The following options are available: AMP events only, CTA events only, and CTA and AMP events.
– When you change the advanced settings or reconfigure an adapter, if there are any new events added to the AMP cloud, those events are also listed in the Events Listing page.
– You can choose a log level for the adapter. The available options are: Error, Info, and Debug.
- You can use the show container tc-nac CLI command to view information about the Vulnerability Assessment adapters and their statuses.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
TrustSec-ACI Integration Enhancements
Cisco ISE now supports the following options:
Policy Plane—You can select this option if you want Cisco ISE to interact only with APIC data center to interchange SGT, EPG, and SXP information.
Data Plane—If you select this option, in addition to SGT and EPG, additional information is provided to the ASR devices that are connected between the TrustSec network and the APIC-controlled network. These ASR devices must contain the Translation tables for SGT-to-EPG and EPG-to-SGT conversion.
Note SXP mappings are not propagated to ACI if you select the Data Plane option.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Wireless Setup
ISE Wireless Setup provides a very intuitive workflow to quickly set up common wireless use cases, such as, 802.1X, Guest, BYOD. In just a few steps, the setup workflow configures both ISE and a Cisco wireless controller, for a working end-to-end flow.
Wireless Setup is supported only for new installations. The Wireless Setup menu does not appear, if you upgrade to Cisco ISE 2.2 from an earlier release or restore ISE from a backup.
Note The Wireless Setup feature is disabled by default in Cisco Identity Services Engine, Release 2.2 cumulative patch 2.
Note ISE Wireless Setup is beta software - please do not use Wireless Setup in production networks.
Active Directory Search Changes
To improve the accuracy of user identification, this patch changes the attributes used to search Active Directory from SAM and CN to just SAM. \
You can change the attributes back to the previous default. For instructions, see the Further Problem Description field of defect CSCvf21978.
System Requirements
- Supported Hardware
- Supported Virtual Environments
- Supported Browsers
- Support for Microsoft Active Directory
- Supported Anti-Virus and Anti-Malware Products
Note For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 2.2.
Supported Hardware
Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 2.2 is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, Monitoring, and pxGrid) on the platforms that are listed in Table 1 .
| See the Cisco Identity Services Engine Hardware Installation Guide for the appliance hardware specifications. |
||
| See the Cisco Identity Services Engine Hardware Installation Guide for the appliance hardware specifications. |
||
ESXi 5. x (5.1 U2 and later support RHEL 7), 6. x Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later Note If you are installing or upgrading Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later. |
Note Legacy ACS and NAC appliances (including the Cisco ISE 3300 series) are not supported with Cisco ISE, Release 2.0 and later releases.
FIPS Mode Support
Cisco ISE uses embedded FIPS 140-2 validated cryptographic module, Cisco FIPS Object Module Version 6.0 (Certificate #2505). For details of the FIPS compliance claims, see the FIPS Compliance Letter.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
- VMware ESXi 5. x (5.1 U2 and later support RHEL 7), 6. x
- Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
- KVM on RHEL 7.0
Note If you are installing or upgrading Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later.
Supported Browsers
Supported browsers for the Admin portal include:
- Mozilla Firefox 69 and earlier versions
- Mozilla Firefox ESR 60.9 and earlier versions
- Google Chrome 77 and earlier versions
- Microsoft Edge beta 77 and earlier versions
- Microsoft Internet Explorer 10.x and 11.x
– If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).
– If you use Chrome 65.0.3325.189, you may be unable to view guest account details in the print preview section.
– When self-signed certificates are used, Cisco ISE portal may fail to launch in Microsoft Edge beta 77 browser even if URL redirection is successful. To resolve this issue:
a. Add both DNS name and IP address in the Subject Alternative Name (SAN) field.
b. After the ISE services are restarted, redirect the portal in a different browser.
c. Choose View Certificate > Details and copy the certificate by selecting the base-64 encoded option.
d. Install the certificate in Trusted path and relaunch the browser.
– You might see a warning message while downloading an executable (EXE) file in Google Chrome 76 or later. To resolve this issue:
a. In your browser, click the Settings menu at the top-right corner.
b. At the bottom of the Settings window, click Advanced.
c. Under Downloads, check the Ask Where to Save Each File before Downloading check box.
Support for Microsoft Active Directory
Cisco ISE, Release 2.2 works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, and 2016 at all functional levels.
Note Microsoft has ended support for Windows Server 2003 and 2003 R2. We recommend that you upgrade Windows Server to a supported version.
Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE.
Cisco ISE 2.2 supports Multi-Forest/Multi-Domain integration with Active Directory infrastructures to support authentication and attribute collection across large enterprise networks. Cisco ISE 2.2 supports up to 50 domain join points.
Supported Anti-Virus and Anti-Malware Products
See the following link for specific anti-virus and anti-malware support details for Cisco NAC Agent and Cisco NAC Web Agent:
https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html
Cisco NAC Web Agents have static compliance modules which cannot be upgraded without upgrading the Web Agent.
Installing Cisco ISE Software
To install Cisco ISE, Release 2.2 software on Cisco SNS-3415, SNS-3495, SNS-3515, and SNS-3595 hardware platforms, turn on the new appliance and configure the Cisco Integrated Management Controller (CIMC). You can then install Cisco ISE, Release 2.2 over a network using CIMC or a bootable USB.
Note When using virtual machines (VMs), we recommend that the guest VMs have the correct time set using an NTP server before installing the ISO image or OVA file on the VMs.
Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.2. Before you run the setup program, ensure that you know the configuration parameters listed in Table 2 .
Note For additional information on configuring and managing Cisco ISE, see Release-Specific Document.
Upgrading to Release 2.2
You can directly upgrade to Release 2.2 from the following Cisco ISE releases:
Due to the following known issues, we recommend that you apply the latest patch to your current Cisco ISE version before upgrade:
If you are on a version earlier than Cisco ISE, Release 1.4, you must first upgrade to one of the releases listed above and then upgrade to Release 2.2.
This release of Cisco ISE supports GUI as well as CLI based upgrade.
Note If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.
The GUI-based upgrade from the Admin portal is supported only if you are currently on Release 2.0 or later and want to upgrade to Release 2.2.
From the Cisco ISE CLI, you can upgrade from Release 1.4, 2.0, 2.0.1, or 2.1 directly to Release 2.2.
Supported Operating System for Virtual Machines
Release 2.2 supports Red Hat Enterprise Linux (RHEL) 7.0.
If you are upgrading Cisco ISE nodes on VMware virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.
Reverse DNS Lookup Configuration
Configure reverse DNS lookup for all Cisco ISE nodes in your distributed deployment in the DNS server(s). Otherwise, you may run into deployment-related issues after upgrade (“ISE Indexing Engine” status turns to “not running”).
Also, the secondary PAN is unable to join the primary PAN to make a cluster for ISE Indexing engine if reverse DNS is not configured, displays error in VCS pages.
The SSL Exception “No subject alternative name present” displays on secondary PAN on the ise-elasticsearch.log file, if reverse DNS is missing.
Prepare for Upgrade
Before you start the upgrade process, ensure that you perform the following tasks:
- Change VMware virtual machine guest operating system and settings
- Open firewall ports for communication
- Back up configuration and operational data
- Back up system logs
- Check the validity of certificates
- Export certificates and private keys
- Disable PAN automatic failover and backup schedules before upgrade
- NTP server should be configured correctly and be reachable
- Record profiler configuration
- Obtain Active Directory and internal administrator account credentials
- Activate MDM vendor before upgrade
- Create repository and copy the upgrade bundle
- Check load balancer configuration
Refer to the Cisco ISE Upgrade Guide, Release 2.2 for a list of pre and post upgrade tasks.
Known Upgrade Issues
This section lists the known upgrade-related caveats. See Cisco ISE, Release 2.2 Open Caveats for a description of these caveats.
Due to the following known issues, we recommend that you apply the latest patch to your current Cisco ISE version before upgrade:
Cisco Secure ACS to Cisco ISE Migration
You can directly migrate to Cisco ISE, Release 2.2 only from Cisco Secure ACS, Releases 5.5 or later. For information about migrating from Cisco Secure ACS, Releases 5.5 or later to Cisco ISE, Release 2.2, see the Cisco Identity Services Engine Migration Tool Guide.
You cannot migrate to Release 2.2 from Cisco Secure ACS 5.1, 5.2, 5.3, 5.4, 4.x, or earlier versions, or from Cisco Network Admission Control (NAC) Appliance. From Cisco Secure ACS, Releases 4.x, 5.1, 5.2, 5.3, or 5.4, you must upgrade to ACS, Release 5.5 or later, and then migrate to Cisco ISE, Release 2.2.
Note If you are installing Cisco ISE, Release 2.2 on Cisco SNS-3500 series appliances with ACS PIDs (Cisco SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9), you must update the BIOS and CIMC firmware on the hardware appliance before you install Cisco ISE, Release 2.2. Refer to the Cisco Identity Services Engine Hardware Installation Guide for information on how to update the BIOS and CIMC firmware.
Known Limitations
SXP Protocol Security Standards
SXP protocol transfers unencrypted data and uses weak hash algorithm for message integrity checking per draft-smith-kandula-sxp-06.
High Memory Utilization
Cisco ISE Version 1.3 and later use RHEL, version 6. You may experience high memory utilization after installing or upgrading to Cisco ISE Version 1.3 or later. Because of the way kernels manage cache memory, Cisco ISE might use more memory, which may trigger high memory usage (80 to 90%) and alarms. If the memory usage is consistently above 90% or if there is any performance impact, you can contact Cisco TAC for troubleshooting.
Diffie-Hellman Minimum Key Length
Connection to LDAP server might will if the Diffie-Hellman minimum key length configured on the LDAP server is less than 1024.
Profiler RADIUS Probe
When the RADIUS probe is disabled, endpoints are not profiled but are only authenticated and added to the database.
LDAP Attributes in Authorization Policies After Migration
After migration from ACS to ISE 2.2, you cannot add LDAP attributes to the ISE TACACS+ authorization policies.
You can duplicate the migrated authorization policy and add the required attributes in the new policy. For further information, you can refer to defect CSCvg97689.
EST Service Does Not Run in Cisco ISE 2.1
After a fresh installation of Cisco ISE 2.1, when you run the show application status ise command, the EST service might be shown as disabled. This issue occurs when the root certificate of the Cisco ISE internal CA is signed by an external CA and the external CA certificate is not present in your Trusted Certificates store. Import the external CA certificate in to the Trusted Certificates store to bring up the EST service.
This issue is also seen after upgrade to Release 2.1, if the entire certificate chain of the internal ISE CA is not present. You must generate the Cisco ISE CA chain to bring up the EST service.
Cisco ISE License Information
Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.
All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and register Base licenses for the number of concurrent users on your system. If you require additional functionality, you will need Plus and/or Apex licenses to enable that functionality.
Cisco ISE, Release 2.2, supports licenses with two UIDs. You can obtain a license based on the UIDs of both the primary and secondary Administration nodes.
For more detailed information on license types and obtaining licenses for Cisco ISE, see the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.2 .
For more information on Cisco ISE, Release 2.2 licenses, see the Cisco Identity Services Engine Data Sheet.
Cisco Identity Services Engine Ordering Guide is available at: http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf
Deployment Terminology, Node Types, and Personas
Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments.
Types of Nodes and Personas
A Cisco ISE network has the following types of nodes:
– Administration—Allows you to perform all administrative operations for Cisco ISE. It handles all system-related configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes running the Administration persona and configured as a primary and secondary pair. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.
– Policy Service—Provides network access, posturing, BYOD device onboarding (native supplicant and certificate provisioning), guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there is more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.
Note For the installation of ISE 2.1 and previous versions, you must ensure the service is enabled on a dedicated node.
– Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all the Administration and Policy Service personas on the Cisco ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.
A node with this persona aggregates and correlates the data that it collects to provide meaningful reports. Cisco ISE allows a maximum of two nodes with this persona that can assume primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.
Note At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and reporting.
– pxGrid—Cisco pxGrid is a method for network and security devices to share data with other devices through a secure publish and subscribe mechanism. These services are applicable for applications that are used external to ISE and that interface with pxGrid. The pxGrid services can share contextual information across the network to identify the policies and to share common policy objects. This extends the policy management.
You can change the persona of a node. See the “Set Up Cisco ISE in a Distributed Environment” chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for information on how to configure personas on Cisco ISE nodes.
Requirements for CA to Interoperate with Cisco ISE
While using a CA server with Cisco ISE, make sure that the following requirements are met:
- Key size should be 1024, 2048, or higher. In CA server, the key size is defined using certificate template. You can define the key size on Cisco ISE using the supplicant profile.
- Key usage should allow signing and encryption in extension.
- While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
- Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.
Note EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication like PEAP, EAP-TLS, and so on.
- If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure key usage in the SCEP template and enable the “Key Encipherment” option. For example, if you use Microsoft CA, edit the Key Usage Extension in the certificate template. In the Encryption area, click the Allow key exchange only with key encryption (key encipherment) radio button and also check the Allow encryption of user data check box.
- Cisco ISE supports the use of RSASSA-PSS algorithm for trusted certificates and endpoint certificates for EAP-TLS authentication. When you view the certificate, the signature algorithm is listed as 1.2.840.113549.1.1.10 instead of the algorithm name.
However, if you use the Cisco ISE internal CA for the BYOD flow, the Admin certificate should not be signed using the RSASSA-PSS algorithm (by an external CA). The Cisco ISE internal CA cannot verify an Admin certificate that is signed using this algorithm and the request would fail.
Cisco ISE Installation Files, Updates, and Client Resources
There are three resources you can use to download to provision and provide policy service in Cisco ISE:
- Cisco ISE Downloads from the Download Software Center
- Cisco ISE Live Updates
- Cisco ISE Offline Updates
Cisco ISE Downloads from the Download Software Center
In addition to the.ISO installation package required to perform a fresh installation of Cisco ISE as described in Installing Cisco ISE Software, you can use the Download software web page to retrieve other Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules.
Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.
To access the Cisco Download Software center and download the necessary software:
Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
Step 2 Choose Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
The following Cisco ISE installers and software packages are available for download:
- Cisco ISE installer.ISO image
- Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
- Windows client machine agent installation files (including MST and MSI versions for manual provisioning)
- Mac OS X client machine agent installation files
- AnyConnect agent installation files
- AV/AS compliance modules
Step 3 Click Download or Add to Cart.
Cisco ISE Live Updates
Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard, Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the Cisco ISE appliance.
If the default Update Feed URL is not reachable and your network requires a proxy server, you must configure the proxy settings in Administration > System > Settings > Proxy before you access the Live Update locations. If proxy settings are enabled to allow access to the profiler and posture/client provisioning feeds, it will break access to the MDM server as Cisco ISE cannot bypass proxy services for MDM communication. To resolve this, you can configure the proxy service to allow communication to the MDM servers. For more information on proxy settings, see the “Specify Proxy Settings in Cisco ISE” section in the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.2.
Client Provisioning and Posture Live Update portals:
- Client Provisioning portal — https://www.cisco.com/web/secure/pmbu/provisioning-update.xml
The following software elements are available at this URL:
– Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
– Windows versions of the latest Cisco ISE persistent and temporal agents
– Mac OS X versions of the latest Cisco ISE persistent agents
– ActiveX and Java Applet installer helpers
– AV/AS compliance module files
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Download Client Provisioning Resources Automatically” section in the “Configure Client Provisioning” chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2.
- Posture portal — https://www.cisco.com/web/secure/pmbu/posture-update.xml
The following software elements are available at this URL:
– Cisco predefined checks and rules
– Windows and Mac OS X AV/AS support charts
– Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Download Posture Updates Automatically” section in the “Configure Client Posture Policies” chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2.
If you do not want to enable the automatic download capabilities described above, you can choose to download updates offline (see Cisco ISE Offline Updates).
Cisco ISE Offline Updates
Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent, AV/AS support, compliance modules, and agent installer packages that support client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates when direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a security policy.
Offline updates are also available for Profiler Feed Service. For more information, see the Configure Profiler Feed Services Offline section in the Cisco Identity Services Engine Administrator Guide.
To upload offline client provisioning resources:
Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
Step 2 Choose Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
The following Off-Line Installation Packages are available for download:
- win_spw- <version> -isebundle.zip — Off-Line SPW Installation Package for Windows
- mac-spw- <version>.zip — Off-Line SPW Installation Package for Mac OS X
- compliancemodule- <version> -isebundle.zip — Off-Line Compliance Module Installation Package
- macagent- <version> -isebundle.zip — Off-Line Mac Agent Installation Package
- nacagent- <version> -isebundle.zip — Off-Line NAC Agent Installation Package
- webagent- <version> -isebundle.zip — Off-Line Web Agent Installation Package
Step 3 Click Download or Add to Cart.
For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Add Client Provisioning Resources from a Local Machine” section in the “Configure Client Provisioning” chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2.
You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Macintosh operating systems offline from an archive on your local system using posture updates.
For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use offline posture updates when you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.
To upload offline posture updates:
Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.
Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh operating systems.
Step 2 Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.
Step 3 Click the arrow to view the settings for posture.
The Posture Updates page appears.
Step 5 Choose the Offline option.
Step 6 Click Browse to locate the archive file (posture-offline.zip) from the local folder on your system.
Note The File to Update field is a required field. You can select only a single archive file (.zip) that contains the appropriate files. Archive files other than.zip (like.tar, and.gz) are not allowed.
Step 7 Click the Update Now button.
Using the Bug Search Tool
You can use the Bug Search Tool to view the list of outstanding and resolved bugs in a release. This section explains how to use the Bug Search Tool to search for a specific bug or to search for all the bugs in a specified release.
Step 1 Go to https://tools.cisco.com/bugsearch/search.
Step 2 Enter your registered Cisco.com username and password, and then click Log In.
Note If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do.
Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter.
Step 4 To search for bugs in the current release:
a. Click the Select from List link.
The Select Product page is displayed.
b. Choose Security > Access Control and Policy > Cisco Identity Services Engine (ISE) 3300 Series Appliances.
d. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs based on different criteria, such as status, severity, or modified date.
Click the Export Results to Excel link in the Search Results page to export all the bug details from your search to an Excel spreadsheet. Presently, up to 10,000 bugs can be exported at a time to the Excel spreadsheet.
Cisco ISE, Release 2.2.0.470 Patch Updates
This section provides information on patches that were made available after the initial availability of the Cisco ISE 2.2 release. Patches are cumulative such that any patch version also includes all fixes delivered in the preceding patch versions.
Note If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.
Cisco ISE version 2.2.0.470 was the initial version of the Cisco ISE 2.2 release. After installation of the patch, you can see the version information from Settings > About Identity Services Engine page in the Cisco ISE GUI and from the CLI in the following format “2.2.0.470 patch N”; where N is the patch number.
Note Within the bug database, issues resolved in a patch have a version number with different nomenclature in the format, “2.2(0.9NN)” where NN is also the patch number, displayed as two digits. For example, version “2.2.0.470 patch 2" corresponds to the following version in the bug database “2.2(0.902)”.
The following patch releases apply to Cisco ISE release 2.2:
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 17
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 16
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 15
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 14
New Features in Cisco ISE Version 2.2.0.470—Cumulative Patch 13
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 13
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 12
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 11
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 10
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 9
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 8
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 7
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 6
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 5
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 4
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 3
New Features and Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 2
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 1
Delay in information sent to PxGrid client after MnT failover
When a MnT node failover occurs, a PxGrid client does not receive session information from Cisco ISE until the failed primary MnT node is restored to the network. 20 to 30 minutes after the primary MnT node is back online, PxGrid clients will receive session information from Cisco ISE once more.
In a larger deployment where a Cisco ISE node only has one Cisco ISE persona will not receive session information from Cisco ISE in the case of a MnT node failover. You must enable PxGrid persona on the same node that serves as he primary MnT node to ensure PxGrid clients receive session information.
Table 6 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 17. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 17 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.2.1.53 or later.
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 16
Table 6 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 16. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 16 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.2.1.53 or later.
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 15
Table 7 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 15. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 15 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.2.1.53 or later.
Resolved Issues in Cisco ISE Version 2.2.0.470 —Cumulative Patch 14
Table 8 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 14. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 14 might not work with older versions of SPW. MAC users must upgrade to MacOsXSPWizard 2.2.1.43 or later and Windows users must upgrade to WinSPWizard 2.1.0.51 or later
Table 8 Cisco ISE 2.2.0.470-Patch 14 - Resolved Caveats
Fewer Results Per Report Page
The number of data rows in the reports displayed on the Cisco ISE Reports window has been revised from 5,000 to 1,000 for better performance.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 13
Table 9 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 13. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 13 might not work with older versions of SPW. MAC users must upgrade to MacOsXSPWizard 2.2.1.43 or later and Windows users must upgrade to WinSPWizard 2.1.0.51 or later.
Table 9 Cisco ISE 2.2.0.470-Patch 13 - Resolved Caveats
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 12
Table 10 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 12. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 12 might not work with older versions of SPW. MAC users must upgrade to MacOsXSPWizard 2.2.1.43 or later and Windows users must upgrade to WinSPWizard 2.1.0.51 or later.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 11
Cisco ISE Release 2.2 cumulative patch 11 has been retracted from the Cisco Download Software site. The resolved caveats of 2.2 cumulative patch 11 have been included in 2.2 cumulative patch 12.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 10
Table 11 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 10. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 10 might not work with older versions of SPW. MAC users must upgrade to MacOsXSPWizard 2.2.1.43 or later and Windows users must upgrade to WinSPWizard 2.1.0.51 or later.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 9
Patch Parity : Cisco ISE 2.2 Patch 9 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 Patch 3.
Table 12 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 9. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 9 might not work with older versions of SPW. MAC users must upgrade to MacOsXSPWizard 2.2.1.43 or later and Windows users must upgrade to WinSPWizard 2.1.0.51 or later.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 8
Patch Parity : Cisco ISE 2.2 Patch 8 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 Patch 3.
Table 13 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 8. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 8 might not work with older versions of SPW. MAC users must upgrade to MacOsXSPWizard 2.2.1.43 or later and Windows users must upgrade to WinSPWizard 2.1.0.51 or later.
Context Visibility page was not loading in ISE 2.2 Patch 5. For CSCvh48558, we recommend that you reset Elasticsearch after applying ISE 2.2 patch 8 to clear the Context Visibility history data. To do this: a. b. c. d. Note Endpoint Capacity and Compliance Status Trend dashlets have been decommissioned in Cisco ISE 2.2 patch 8 and above to prevent performance issues when displaying large datasets. See Decommissioned Dashlets for more details. |
|
Authentication latency is observed while evaluating endpoint ID store and checking PIP policies during authorization. |
|
Endpoint profiling using Visibility Setup Wizard does not profile endpoints authenticating from other subnets. |
|
Connection status of the endpoints are not updated properly in the Context Visibility Endpoints page. |
|
NFS location could not be mounted and backup to this repository fails. |
|
Smart Licensing feature is not working in ISE 2.1 if proxy communication method is used. |
|
Application server goes to initializing state if empty custom attributes are included in the RADIUS request. |
|
ISE is taking the client machine's time instead of the server time while scheduling reports. |
|
Guest user authentication notification emails are sent twice. |
|
ISE Posture Periodic Reassessment (PRA) timer expires and the device becomes noncompliant. |
|
ISE 2.2 displays a blank page for scheduled reports for Key Performance Metrics, Misconfigured Supplicants, and Manual Certificate Provisioning reports. |
|
ISE machine password refresh fails due to expired kerberos ticket and Active Directory Connector status shows "Not Connected". |
|
While exporting a report to remote repository, data is partially truncated if it exceeds certain size. |
|
During upgrade, secondary node is stuck in de-register step and the old PAN does not respond. |
|
Upgrade times out while enabling or disabling temporary MnT persona on the old or new primary PAN. |
|
Telemetry event doesn't include profiling and network access information. |
|
"Configured name server is down" alarms are seen every 90 minutes if unusable domains are detected in the Active Directory. |
|
MDMServerReachable condition does not work for System Center Configuration Manager (SCCM) MDM in ISE 2.2 patch 4. |
|
Not able to save user-defined dictionary attributes in ISE 2.0, 2.1 and 2.2. |
|
ISE Application server is stuck in initializing state if the orphaned cell matrix ID is Null. |
|
"Smart Licensing Authorization Renewal Success" alarm is triggered every hour if Smart Licensing is enabled. |
|
Successfully authenticated endpoints are not displayed in the Context Visibility Endpoints page in ISE 2.2 patch 5 if Plus or Advanced license is not installed. |
|
Change of Authorization (CoA) fails to initialize if CoA is triggered after 48 hours from the time of initial authentication. |
|
Application patch failure alarm is generated even if the patch is installed successfully. |
|
ISE 2.1 endpoint lookup using MnT REST API was very slow. Now, approximately 1000 endpoints can be authenticated with the REST API with good performance. |
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 7
Patch Parity : Cisco ISE 2.2 Patch 7 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 Patch 3.
Table 14 lists the issues that are resolved in Cisco ISE, Release 2.2 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site with your Cisco.com login credentials, choose Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
See the “ Installing a Software Patch ” section in the Administering Cisco ISE chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.2 for instructions on how to apply the patch to your system.
Patch 7 might not work with older versions of SPW. MAC users must upgrade to MacOsXSPWizard 2.2.1.43 or later and Windows users must upgrade to WinSPWizard 2.1.0.51 or later.
Note After the patch is successfully installed, sometimes you may see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm. You can ignore this alarm.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 6
Note We have recalled ISE 2.2 Patch 6 due to an issue we found after posting. An updated patch file has been reposted, and the new file name is ise-patchbundle-2.2.0.470-Patch6-232642.SPA.x86_64.tar.gz. If you already installed the previously posted patch, you MUST uninstall that patch, and install the new one. However, you can install ISE 2.2 patch 7 or later on top of the old patch 6 file (one that was recalled) or new patch 6 file.
Note If there are Collection Filters of type Bypass already configured on ISE, Cisco recommends deleting the expired Collection Filters of type Bypass. You should retain the suppression event before applying the Cisco ISE 2.2 patch 6. If you do not delete the expired Collection Filters, ISE nodes can potentially experience high CPU usage due to defect CSCvi10727.
Patch Parity : Cisco ISE 2.2 Patch 6 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 P3.
Table 15 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.2 cumulative
patch 6. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Patch 6 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.2. for instructions on how to apply the patch to your system.
Note After the patch is successfully installed, sometimes you may see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm. You can ignore this alarm.
Active Directory Identity Search Attributes
Cisco ISE identifies users using the attributes SAM, CN, or both. Cisco ISE, Release 2.2 Patch 5 and above, and 2.3 Patch 2 and above, use sAMAccountName attribute as the default attribute. In earlier releases, both SAM and CN attributes were searched by default. This behavior has changed in Release 2.2 Patch 5 and above, and 2.3 Patch 2 and above, as part of CSCvf21978 bug fix (see https://tools.cisco.com/bugsearch/bug/CSCvf21978 for details). In these releases, only the sAMAccountName attribute is used as the default attribute.
You can configure Cisco ISE to use SAM, CN, or both, if your environment requires it. When SAM and CN are used, and the value of the SAMAccountName attribute is not unique, Cisco ISE also compares the CN attribute value.
To configure Active Directory identity search attributes:
1. Choose Administration > Identity Management > External Identity Sources > Active Directory. In the Active Directory window, click Advanced Tools, and choose Advanced Tuning. Enter the following details:
- ISE Node —Choose the ISE node that is connecting to Active Directory.
- Name —Enter the registry key that you are changing. To change the AD search attributes, enter:
REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField - Value —Enter the attributes that ISE uses to identify a user:
– SAM —To use only SAM in the query (this is the default option).
– CN —To use only CN in the query.
– SAMCN —To use CN and SAM in the query.
2. Click Update Value to update the registry.
A pop-up message appears. Read the message and accept the change. The AD connector service in ISE restarts.
Patch Parity
Cisco ISE 2.2 Patch 5 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 P3.
Table 16 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.2 cumulative
patch 5. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Patch 5 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.40 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.2. for instructions on how to apply the patch to your system.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 4
Note We have recalled ISE 2.2 Patch 4 due to an issue we found after posting. An updated patch file has been reposted, and the new file name is ise-patchbundle-2.2.0.470-Patch4-221755.SPA.x86_64.tar.gz. If you already installed the previously posted patch, you MUST uninstall that patch, and install the new one.
Patch Parity : Cisco ISE 2.2 Patch 4 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 P3.
Table 17 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.2 cumulative
patch 4. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Patch 4 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.40 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.2. for instructions on how to apply the patch to your system.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 3
Patch Parity : Cisco ISE 2.2 Patch 3 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 P3.
Table 18 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.2 cumulative
patch 3. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.2. for instructions on how to apply the patch to your system.
Note After the patch is successfully installed, sometimes you may see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm. You can ignore this alarm.
Wireless Setup Enhancement
The Wifi Setup feature is disabled by default in Cisco ISE 2.2 patch 2. It is recommended to enable it in a lab environment and not in a production environment. Use the application configure ise command for demonstration. Select option 17 Enable/Disable Wifi Setup to enable or disable this feature.
Security Enhancements
In Cisco ISE 2.2 Patch 2, ISE TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants do not support TLS version 1.0. To use the ISE TLS based EAP authentication methods in TLS version 1.0, you must check Allow TLS 1.0 configuration in the Security Settings page.
ECDSA Signature Algorithm, ECDHE_ECDSA Cipher Suite Support
The ISE Administration and ISE EAP Authentication Server support imported ECDSA signature certificates.
This enhancement allows you to negotiate ECDHE_ECDSA cipher suites when the ISE server certificate(s) are imported for Administration and/or EAP Authentication Server.
Note iOS is not supported if you use ECDSA as a system certificate. The supported endpoints for ECDSA certificate are Android 6.x and Android 7.x.
Steps to Import ECDSA certificate signed by Windows Server
Step 1 Generate Key and CSR in MAC:
1. Install openssl to generate key and CSR.
2. To generate the key, openssl ecparam -out <name_key.pem> -name secp384r1(prime256v1) -genkey
3. To generate the CSR, openssl req -new -key <name_key.pem> -out <name_csr.pem> -sha384(sha256)
Transferring <name_csr.pem> file to the Windows server
Step 2 Generate certificate using Windows Server command prompt:
Use the following command to generate the ECDSA certificate:
certreq.exe -submit -attrib "certificateTemplate: <ECDSA_template_name>" <name_csr.pem> <Certifiate_name.cer>
Note Since ECDHE curve templates (template version 4) is not displayed in Web Enrollment, ISE is unable to generate the certificate using web enrollment. It is recommended to use command prompt to generate the certificate.
Only ECDSA certificate curve types P-256 and P-384 are supported as a System Certificate
- In Cisco ISE the key exchange algorithm is restricted to ecdh-sha2-nist settings. Cisco ISE is enhanced to restrict the SSHv2 Key Exchange Algorithms to any combination of, ecdh-sha2-nistp256 ecdh-sha2-nistp384 and/or ecdh-sha2-nistp521.
For example, ISE CLI global configuration command, service sshd key-exchange-algorithm ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521.
- The Administration Access Authentication Failure settings in the Administration UI is moved from the Password Policy tab to Lock/Suspend Settings tab.
When you use the SSH public key authentication, the Lock/Suspend Settings applies to SSH CLI.
Cisco ISE enhances the LDAP or LDAPS server with Active Directory using LDAPS access, to use it as the authorization identity source for ISE Administration. In earlier than 2.2 Patch 2 release, ISE only supported Active Directory Identity Source for Authorization to the ISE Administration application.
Security Settings Page Enhancements
The following options are added in the Security Settings page (Administration > System > Settings > Protocols > Security Settings) :
– Cisco ISE is configured as EAP server
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
– Cisco ISE is configured as secure LDAP client
Note Allow TLS 1.0 option is disabled by default in Cisco ISE 2.2 Patch 2 and above. TLS 1.0 is not supported for TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS based EAP authentication methods in TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).
– Cisco ISE is configured as EAP server
– Cisco ISE is configured as RADIUS DTLS server
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS or secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
– Cisco ISE is configured as secure LDAP client
This option is enabled by default.
Note It is recommended to use SHA-256 or SHA-384 ciphers for enhanced security.
- Allow Unsafe Legacy TLS Renegotiation for ISE as a Client and Accept Certificates without Validating Purpose—When this option is enabled:
– Allows communication with legacy TLS servers that do not support safe TLS renegotiation for the following workflows:
- Cisco ISE downloads CRL from HTTPS server
- Cisco ISE downloads CRL from secure LDAP server
- Cisco ISE is configured as secure TCP syslog client
- Cisco ISE is configured as secure LDAP client
– When ISE acts as an EAP server, client certificates are accepted without checking whether the Key Usage extension contains keyAgreement bit for ECDHE-ECDSA ciphers or keyEncipherment bit for other ciphers.
- Allow ECDHE-RSA, 3DES, DSS ciphers—Allows ECDHE-RSA, 3DES, DSS ciphers for communication with peers for the following workflows:
– Cisco ISE is configured as EAP server (DSS ciphers are not permitted)
– Cisco ISE is configured as RADIUS DTLS server (DSS ciphers are not permitted)
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 2
Patch Parity : Cisco ISE 2.2 Patch 2 has parity with Cisco ISE 1.3 Patch 8, 1.4 Patch 11, 2.0 Patch 5, 2.0.1 Patch 4, and 2.1 P3.
Table 19 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.2 cumulative
patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Patch 2 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.40 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.2. for instructions on how to apply the patch to your system.
Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 1
Table 20 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.2 cumulative
patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Patch 1 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.40 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Then refer to the “ Installing a Software Patch ” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.2. for instructions on how to apply the patch to your system.
Cisco ISE, Release 2.2 Open Caveats
The following link lists the caveats that are open in Release 2.2.
https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=283801589&rls=2.2(0.914)&sb=afr&sts=open&bt=null
Resolved Caveats
Documentation Updates
Added Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 4. |
|
Added Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 5. |
|
Added Resolved Issues in Cisco ISE Version 2.2.0.470—Cumulative Patch 6 |
Related Documentation
Release-Specific Document
General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.
Cisco Identity Services Engine Ordering Guide is available at http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf
Platform-Specific Documents
Links to other platform-specific documentation are available at the following locations:
http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS
_rack_roadmap.html
- Cisco Secure ACS
http://www.cisco.com/c/en/us/support/security/secure-access-control-system/tsd-products-support-series-home.html - Cisco NAC Appliance
http://www.cisco.com/c/en/us/support/security/nac-appliance-clean-access/tsd-products-support-series-home.html - Cisco NAC Profiler
http://www.cisco.com/c/en/us/support/security/nac-profiler/tsd-products-support-series-home.html - Cisco NAC Guest Server
http://www.cisco.com/c/en/us/support/security/nac-guest-server/tsd-products-support-series-home.html
Accessibility Features in Cisco ISE 2.2
Cisco ISE 2.2 supports accessibility for the user facing web portals only. Cisco Web Accessibility Design Requirements (ADRs) are based on W3C Web Content Accessibility Guidelines (WCAG) 2.0 Level AA requirements. Cisco ADRs cover all Section 508 standards and more. Cisco ADRs website, http://wwwin.cisco.com/accessibility/acc_center/adrs_web/main.html, provides all information and resources for the accessibility requirements.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.1.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)