Updated: November 30, 2017
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes Cisco Identity Services Engine (ISE) validated compatibility with switches, wireless LAN controllers, and other policy enforcement devices as well as operating systems with which Cisco ISE interoperates.
Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication.
RADIUS
Cisco ISE interoperates fully with third-party RADIUS devices that adhere to the standard protocols. Support for RADIUS functions depends on the device-specific implementation.
RFC Standards
Cisco ISE conforms to the following RFCs:
RFC 2138—Remote Authentication Dial In User Service (RADIUS)
RFC 2139—RADIUS Accounting
RFC 2865—Remote Authentication Dial In User Service (RADIUS)
RFC 2866—RADIUS Accounting
RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 5176—Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
TACACS+
Cisco ISE interoperates fully with third-party TACACS+ client devices that adhere to the governing protocols. Support for TACACS+ functions depends on the device-specific implementation.
Note Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. We recommend that you validate all network devices and their software for hardware capabilities or bugs in a particular software release.
For information on enabling specific functions of Cisco ISE on network switches, see the “Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions” chapter in Cisco Identity Services Engine Admin Guide, Release 2.3.
Note Some switch models and IOS versions may have reached the end-of-life date and interoperability may not be supported by Cisco TAC.
Caution
To support the Cisco ISE profiling service, use the latest version of NetFlow, which has additional functionality that is needed to operate the profiler. If you use NetFlow version 5, then you can use version 5 only on the primary NAD at the access layer, as it will not work anywhere else.
For Wireless LAN Controllers, note the following:
MAB supports MAC filtering with RADIUS lookup.
Support for session ID and COA with MAC filtering provides MAB-like functionality.
DNS based ACL feature will be supported in WLC 8.0. Not all Access Points support DNS based ACL. Refer to Cisco Access Points Release Notes for more details.
The following tables list the support for the devices as follows:
√ — Fully supported
X — Not supported
! — Limited support, some functionalities are not supported
The following are the functionalities supported by each feature:
Feature | Functionality
AAA | 802.1X, MAB, VLAN Assignment, dACL
Profiling | RADIUS CoA and Profiling Probes
BYOD | RADIUS CoA, URL Redirection + SessionID
Guest | RADIUS CoA, URL Redirection + SessionID, Local Web Auth
Guest Originating URL | RADIUS CoA, URL Redirection + SessionID, Local Web Auth
3. Minimum OS is the version in which the features were introduced.
4. The IOS 12.x version does not fully support the Posture and Guest flows because of CSCsx97093. As a workaround, when you configure URL redirect in Cisco ISE, assign a value to “coa-skip-logical-profile.”
5. Catalyst 9000 Series Switches are validated with Cisco ISE, Release 2.2 Patch 4.
11. Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support endpoint posturing. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
Table 4 Validated Third Party Wireless LAN Controllers
21. Minimum OS is the version in which the features were introduced.
AAA Attributes for RADIUS Proxy Service
For RADIUS proxy service, the following authentication, authorization, and accounting (AAA) attributes must be included in the RADIUS communication:
Calling-Station-ID (IP or MAC_ADDRESS)
RADIUS::NAS_IP_Address
RADIUS::NAS_Identifier
AAA Attributes for Third-Party VPN Concentrators
For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:
Calling-Station-ID (tracks individual client by MAC or IP address)
User-Name (tracks remote client by login name)
NAS-Port-Type (helps to determine connection type as VPN)
RADIUS Accounting Start (triggers official start of session)
RADIUS Accounting Stop (triggers official end of session and releases ISE license)
RADIUS Accounting Interim Update on IP address change (for example, SSL VPN connection transitions from Web-based to a full-tunnel client)
Note For VPN devices, the RADIUS Accounting messages must have the Framed-IP-Address attribute set to the client’s VPN-assigned IP address to track the endpoint while on a trusted network.
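The attribute list above as a check over a constructed Accounting-Request, added here as an example and not Cisco ISE or vendor code: the packet layout and attribute type codes follow RFC 2865/2866, and the user name, client address and VPN-assigned address are made-up sample values.

```python
# Added example (not Cisco ISE code): check that a RADIUS Accounting-Request from a
# VPN concentrator carries the attributes listed above. Packet and attribute layout
# follow RFC 2865/2866; the sample packets are constructed in this file.
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
# Attribute types (RFC 2865/2866)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE, NAS_PORT_TYPE = 31, 40, 61
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
NAS_PORT_TYPE_VIRTUAL = 5  # RFC 2865 "Virtual": the value VPN gateways report
REQUIRED = {CALLING_STATION_ID: "Calling-Station-Id", USER_NAME: "User-Name",
            NAS_PORT_TYPE: "NAS-Port-Type", ACCT_STATUS_TYPE: "Acct-Status-Type",
            FRAMED_IP_ADDRESS: "Framed-IP-Address"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet) | Length (1 octet, includes the 2 header octets) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(identifier: int, avps: bytes) -> bytes:
    """Code | Identifier | Length | 16-octet Request Authenticator | attributes.
    The authenticator is zeroed here; a real NAD puts the RFC 2866 MD5 there."""
    return struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(avps)) + b"\0" * 16 + avps


def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS packet into header fields and a {type: [values]} map."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, i = {}, 20
    while i < length:
        t, n = pkt[i], pkt[i + 1]
        if n < 2 or i + n > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(pkt[i + 2:i + n])
        i += n
    return {"code": code, "id": ident, "attrs": attrs}


def check_vpn_accounting(pkt: bytes) -> list:
    """Return the problems found; an empty list means the message meets the list above."""
    msg = parse_radius(pkt)
    if msg["code"] != ACCOUNTING_REQUEST:
        return ["not an Accounting-Request"]
    attrs = msg["attrs"]
    problems = [f"missing {name}" for t, name in REQUIRED.items() if t not in attrs]
    port_type = attrs.get(NAS_PORT_TYPE)
    if port_type and struct.unpack("!I", port_type[0])[0] != NAS_PORT_TYPE_VIRTUAL:
        problems.append("NAS-Port-Type is not Virtual, so the session is not identified as VPN")
    return problems


def describe(pkt: bytes) -> str:
    """Human-readable summary, e.g. 'Interim-Update jdoe 10.20.30.40'."""
    attrs = parse_radius(pkt)["attrs"]
    status = ACCT_STATUS.get(struct.unpack("!I", attrs[ACCT_STATUS_TYPE][0])[0], "?")
    ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0])) if FRAMED_IP_ADDRESS in attrs else "-"
    return f"{status} {attrs[USER_NAME][0].decode()} {ip}"


def sample_packet(status: int, framed_ip: str = "") -> bytes:
    """Constructed Accounting-Request for sample user jdoe connecting from 198.51.100.7."""
    avps = (avp(USER_NAME, b"jdoe") + avp(CALLING_STATION_ID, b"198.51.100.7")
            + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
            + avp(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    if framed_ip:  # present once the tunnel client has its VPN-assigned address
        avps += avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    return build_acct_request(7, avps)
```

A Stop without Framed-IP-Address is reported as a problem because the Note above requires that attribute on every accounting message from a VPN device.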
Security Assertion Markup Language (SAML) Single Sign-On (SSO)
Identity Provider | Validated Version
Microsoft Azure | —
Oracle Access Manager (OAM) | Version 11.1.2.2.0
Oracle Identity Federation (OIF) | Version 11.1.1.2.0
PingFederate Server | Version 6.10.0.4
PingOne Cloud | —
Secure Auth | 8.1.1
Any SAMLv2-compliant Identity Provider | —
Open Database Connectivity (ODBC) Identity Source
Database | Validated Version
Microsoft SQL Server | Microsoft SQL Server 2012
Oracle | Enterprise Edition Release 12.1.0.2.0
PostgreSQL | 9.0
Sybase | 16.0
MySQL | 6.3
Social Login (for Guest User Accounts)
Facebook
22. Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008 and later.
23. Microsoft Windows Active Directory version 2000 or its functional level are not supported by Cisco ISE.
24. Microsoft has ended support for Windows Server 2003 and 2003 R2. We recommend that you upgrade Windows Server to a supported version.
25. Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2; however, the new features in 2012 R2, such as Protective User Groups, are not supported.
Validated MDM Servers
Validated MDM servers include products from the following vendors:
Absolute
AirWatch
Citrix XenMobile
Globo
Good Technology
IBM MaaS360
JAMF Software
Meraki SM/EMM
MobileIron
SAP Afaria
SOTI
Symantec
Tangoe
Microsoft Intune - for mobile devices
Microsoft SCCM - for desktop devices
Supported Browsers for the Admin Portal
Mozilla Firefox 69 and earlier versions
Mozilla Firefox ESR 60.9 and earlier versions
Google Chrome 77 and earlier versions
Microsoft Internet Explorer 10.x and 11.x
If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).
The minimum required screen resolution to view the Cisco ISE Admin portal and for a better user experience is 1280 x 800 pixels.
Validated Virtual Environments
Cisco ISE supports the following virtual environment platforms:
VMware ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x
Note If you are installing or upgrading Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later.
KVM on RHEL 7.0
Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
Note Cisco ISE does not support VMware snapshots for backing up ISE data because a VMware snapshot saves the status of a VM at a given point in time. In a multi-node Cisco ISE deployment, data in all the nodes are continuously synchronized with current database information. Restoring a snapshot might cause database replication and synchronization issues. Cisco recommends that you use the backup functionality included in Cisco ISE for archival and restoration of data.
Using VMware snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node.
Cisco ISE 2.3 Patch 6 is validated with Cisco Application Centric Infrastructure (ACI), Release 3.0(1).
Validated Cisco Mobility Services Engine Release
Cisco ISE integrates with Cisco Mobility Services Engine (MSE), Release 8.0.110.0 to provide Location Service (also known as Context Aware Service). This service allows you to track the location of wireless devices.
For information on how to integrate Cisco ISE with Cisco MSE, refer to:
Cisco Prime Infrastructure, Release 3.1 integrates with Cisco ISE to leverage the monitoring and reporting capabilities of Cisco ISE.
Validated Lancope Stealthwatch Release
Cisco ISE is validated with Lancope Stealthwatch, Release 6.9.
Support for Threat Centric NAC
Cisco ISE is validated with the following adapters:
SourceFire FireAMP
Qualys
Note Only the Qualys Enterprise Edition is currently supported for TC-NAC flows.
Validated Client Machine and Personal Device Operating Systems, Supplicants, and Agents
Client Machine Operating Systems and Agent Support in Cisco ISE lists the supported client machine operating systems, browsers, and agent versions supporting each client machine type. For all devices, you must also have cookies enabled in the web browser. See the Compatibility Information page for links to the Cisco AnyConnect-ISE Posture Support Charts.
Note Cisco ISE, Release 2.3 supports only the Cisco AnyConnect and Cisco Temporal Agents.
Note All standard 802.1X supplicants can be used with Cisco ISE, Release 2.3 standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. For the VLAN change authorization feature to work in a wireless deployment, the supplicant must support IP address refresh on VLAN change.
Client Machine Operating Systems and Agent Support in Cisco ISE
26. Because of the open-access nature of the Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.
Changes in Android 9 require:
Update the posture feed in ISE to get the NSA for Android 9.
Android no longer uses Common Name (CN). The Hostname must be in the subjectAltName (SAN) extension, or trust fails. If you are using self-signed certificates, regenerate the certificate by entering either domain name or IP Address option in the SAN field.
27. When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1X, certificate warnings might be displayed even for publicly trusted certificates. This usually occurs when the public certificate includes a Certificate Revocation List (CRL) distribution point that the iOS device needs to verify. The iOS device cannot verify the CRL without network access. Click Confirm or Accept on the iOS device to authenticate to the network.
If you are using Apple iOS 12.2 or a later version, you must manually install the downloaded Certificate/Profile. To do this, choose Settings > General > Profile on the Apple iOS device and click Install.
If you are using Apple iOS 12.2 or later version, RSA key size must be 2048 bits or higher. Otherwise, you might see an error while installing the BYOD profile.
Table 10 Apple Mac OS X
Client Machine Operating System | Web Browser | Supplicants (802.1X) | Cisco ISE | AnyConnect
Note Cisco ISE does work with earlier releases of AnyConnect; however, for new features such as Hardware Inventory, you should upgrade to AnyConnect 4.5.
29. If you have AnyConnect Network Access Manager (NAM) installed, NAM takes precedence over the Windows native supplicant as the 802.1X supplicant, and it does not support the BYOD flow. You must disable NAM completely or on a specific interface. See the Cisco AnyConnect Secure Mobility Client Administration Guide for more information.
30. When you create a Cisco ISE client provisioning policy to accommodate Windows 8, you must specify the “Windows All” operating system option.
Note Cisco ISE BYOD or Guest portal will fail to launch in Chrome Operating System 73 even though the URL is redirected successfully. To launch the portals in Chrome Operating System 73, follow the steps below:
1. Generate a new self-signed certificate from the ISE GUI, filling in the Subject Alternative Name field. Both DNS and IP Address must be filled.
2. Export and copy the certificate to the end client (Chromebook).
3. Choose Settings > Advanced > Privacy and Security > Manage certificates > Authorities.
4. Import the certificate.
5. Open the browser and try to redirect to the portal.
33. Google Chrome does not support 32-bit Linux systems.
34. Support for 802.1X has not been tested extensively by Cisco, but any 802.1X supplicant is supported as long as it is compliant with the IEEE 802.1X standards.
Validated Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals
These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.
Operating System | Browsers
Apple iOS 12.x, 11.x, 10.x, 9.x, 8.x, 7.x, 6.x, 5.x | Safari
Apple Mac OS X 10.14, 10.13, 10.12, 10.11, 10.10, 10.9 | Mozilla Firefox, Safari, Google Chrome
Microsoft Windows 10, 8.1, 8, 7 | Microsoft IE 11, Mozilla Firefox, Google Chrome
Red Hat Enterprise Linux (RHEL) | Mozilla Firefox, Google Chrome
35. The latest two officially released browser versions are supported for all operating systems except Microsoft Windows; refer to Table 14 for the supported Internet Explorer versions.
36. Because of the open-access nature of the Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.
Validated Devices for On-Boarding and Certificate Provisioning
Note To get the latest Cisco-supported client OS versions, check the posture update information (Administration > System > Settings > Posture > Updates) and click Update Now, if needed or if you have not recently updated the posture feeds.
Table 15 BYOD On-Boarding and Certificate Provisioning - Validated Devices and Operating Systems
Device | Operating System | Single SSID | Dual SSID (open > PEAP (no cert) or open > TLS) | Onboard Method
Apple iDevice | Apple iOS 12.x, 11.x, 10.x (37), 9.x, 8.x, 7.x, 6.x, 5.x
39. There are known EAP-TLS issues with Android 4.1.1 devices. Contact your device manufacturer for support.
40. Android 6.0 requires the May 2016 patch to support ECC certificates; it does not support the P-192 ECC curve type.
41. Beginning with Android version 6.0, the Cisco supplicant provisioning wizard (SPW) can no longer modify the system-created SSIDs. When the SPW prompts you to forget the network, you must choose to forget the network and press the Back button to continue the provisioning flow.
42. Barnes & Noble Nook (Android) works when it has Google Play Store 2.1.0 installed.
43. While configuring the wireless properties for the connection (Security > Auth Method > Settings > Validate Server Certificate), uncheck the validate server certificate option; if you check this option, ensure that you select the correct root certificate.
44. If you are using Mac OS X clients with Java 7, you cannot download the SPWs using the Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the SPWs.
Validated OpenSSL Version
Cisco ISE, Release 2.3 supports OpenSSL 1.0.2.x (CiscoSSL 6.0).
Supported Cipher Suites
Cisco ISE 2.3 supports TLS versions 1.0, 1.1, and 1.2.
Cisco ISE supports RSA and ECDSA server certificates. The following elliptic curves are supported:
secp256r1
secp384r1
secp521r1
The following table lists the supported Cipher Suites for Cisco ISE 2.3.
Table 16 Supported Cipher Suites
Cipher suite | EAP server, RADIUS DTLS server | Download CRL from HTTPS, Download CRL from LDAPS, Secure TCP syslog client, Secure LDAP client, RADIUS DTLS client for CoA
TLS 1.0 support | When TLS 1.0 is allowed (DTLS server supports only DTLS 1.2) | When TLS 1.0 is allowed (DTLS client supports only DTLS 1.2)
Note Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.0 is not supported for TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS based EAP authentication methods in TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).
TLS 1.1 support | When TLS 1.1 is allowed | When TLS 1.1 is allowed
Note Allow TLS 1.1 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.1 is not supported for TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS based EAP authentication methods in TLS 1.1, check the Allow TLS 1.1 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).
ECC DSA ciphers
ECDHE-ECDSA-AES256-GCM-SHA384 | Yes | Yes
ECDHE-ECDSA-AES128-GCM-SHA256 | Yes | Yes
ECDHE-ECDSA-AES256-SHA384 | Yes | Yes
ECDHE-ECDSA-AES128-SHA256 | Yes | Yes
ECDHE-ECDSA-AES256-SHA | When SHA-1 is allowed | When SHA-1 is allowed
ECDHE-ECDSA-AES128-SHA | When SHA-1 is allowed | When SHA-1 is allowed
ECC RSA ciphers
ECDHE-RSA-AES256-GCM-SHA384 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES128-GCM-SHA256 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES256-SHA384 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES128-SHA256 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES256-SHA | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed
ECDHE-RSA-AES128-SHA | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed
DHE RSA ciphers
DHE-RSA-AES256-SHA256 | No | Yes
DHE-RSA-AES128-SHA256 | No | Yes
DHE-RSA-AES256-SHA | No | When SHA-1 is allowed
DHE-RSA-AES128-SHA | No | When SHA-1 is allowed
RSA ciphers
AES256-SHA256 | Yes | Yes
AES128-SHA256 | Yes | Yes
AES256-SHA | When SHA-1 is allowed | When SHA-1 is allowed
AES128-SHA | When SHA-1 is allowed | When SHA-1 is allowed
3DES ciphers
DES-CBC3-SHA | When 3DES/SHA-1 is allowed | When 3DES/DSS and SHA-1 are enabled
DSS ciphers
DHE-DSS-AES256-SHA | No | When 3DES/DSS and SHA-1 are enabled
DHE-DSS-AES128-SHA | No | When 3DES/DSS and SHA-1 are enabled
EDH-DSS-DES-CBC3-SHA | No | When 3DES/DSS and SHA-1 are enabled
Weak RC4 ciphers
RC4-SHA | When the “Allow weak ciphers” option is enabled in the Allowed Protocols page and when SHA-1 is allowed | No
RC4-MD5 | When the “Allow weak ciphers” option is enabled in the Allowed Protocols page | No
EAP-FAST anonymous provisioning only
ADH-AES-128-SHA | Yes | No
Peer certificate restrictions
Validate KeyUsage: Client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
Validate ExtendedKeyUsage: Client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA
RC4-SHA
RC4-MD5
Server certificate should have ExtendedKeyUsage=Server Authentication
Requirements for CA to Interoperate with Cisco ISE
While using a CA server with Cisco ISE, make sure that the following requirements are met:
Key size should be 1024, 2048, or higher. In CA server, the key size is defined using certificate template. You can define the key size on Cisco ISE using the supplicant profile.
Key usage should allow signing and encryption in extension.
While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.
Note EJBCA is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication like PEAP, EAP-TLS, and so on.
If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure key usage in the SCEP template and enable the “Key Encipherment” option.
For example, if you use Microsoft CA, edit the Key Usage Extension in the certificate template. In the Encryption area, click the Allow key exchange only with key encryption (key encipherment) radio button and also check the Allow encryption of user data check box.
Cisco ISE supports the use of RSASSA-PSS algorithm for trusted certificates and endpoint certificates for EAP-TLS authentication. When you view the certificate, the signature algorithm is listed as 1.2.840.113549.1.1.10 instead of the algorithm name.
Note However, if you use the Cisco ISE internal CA for the BYOD flow, the Admin certificate should not be signed using the RSASSA-PSS algorithm (by an external CA). The Cisco ISE internal CA cannot verify an Admin certificate that is signed using this algorithm and the request would fail.
Client Certificate Requirements for Certificate-Based Authentication
For certificate-based authentication with Cisco ISE, the client certificate should meet the following requirements:
Supported Cryptographic Algorithms:
RSA
ECC
Table 17 Client-Certificate Requirements for RSA and ECC
Note The examples and screenshots provided in the ISE Community resources might be from earlier releases of Cisco ISE. Check the GUI for newer or additional features and updates.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.