Overview

This document describes Cisco Identity Services Engine (ISE) validated compatibility with switches, wireless LAN controllers, and other policy enforcement devices as well as operating systems with which Cisco ISE interoperates.

Validated Network Access Devices

Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication.

RADIUS

Cisco ISE interoperates fully with third-party RADIUS devices that adhere to the standard protocols. Support for RADIUS functions depends on the device-specific implementation.

RFC Standards

Cisco ISE conforms to the following RFCs:

  • RFC 2138—Remote Authentication Dial In User Service (RADIUS)

  • RFC 2139—RADIUS Accounting

  • RFC 2865—Remote Authentication Dial In User Service (RADIUS)

  • RFC 2866—RADIUS Accounting

  • RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support

  • RFC 5176—Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

TACACS+

Cisco ISE interoperates fully with third-party TACACS+ client devices that adhere to the governing protocols. Support for TACACS+ functions depends on the device-specific implementation.


Note

Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. We recommend that you validate all network devices and their software for hardware capabilities or bugs in a particular software release.


For information on enabling specific functions of Cisco ISE on network switches, see the “Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions” chapter in Cisco Identity Services Engine Admin Guide.

For information about third-party NAD profiles, see the ISE Community Resources.


Note

Some switch models and IOS versions may have reached the end-of-life date and interoperability may not be supported by Cisco TAC.



Note

You must use the latest version of NetFlow for the Cisco ISE profiling service. If you use NetFlow Version 5, you can use it only on the primary NAD at the access layer.


For Wireless LAN Controllers, note the following:

  • MAC authentication bypass (MAB) supports MAC filtering with RADIUS lookup.

  • Support for session ID and COA with MAC filtering provides MAB-like functionality.

  • DNS-based ACL feature is supported in WLC 8.0. Not all Access Points support DNS-based ACL. See the Cisco Access Points Release Notes for more details.

The following notations are used to mark the device support:

  • ✓—Fully supported

  • X—Not supported

  • !—Limited support, some functionalities are not supported.

The following functionalities are supported by each feature:

Table 1. Features and Functionalities

Feature | Functionality
AAA | 802.1X, MAB, VLAN Assignment, dACL
Profiling | RADIUS CoA and Profiling Probes
BYOD | RADIUS CoA, URL Redirection and SessionID
Guest | RADIUS CoA, Local Web Auth, URL Redirection and SessionID
Guest Originating URL | RADIUS CoA, Local Web Auth, URL Redirection and SessionID
Posture | RADIUS CoA, URL Redirection and SessionID
MDM | RADIUS CoA, URL Redirection and SessionID
TrustSec | SGT Classification

Validated Cisco Access Switches

Table 2. Validated Cisco Access Switches

Device

Validated OS 1

AAA

Profiling

BYOD

Guest

Guest Originating URL

Posture

MDM

TrustSec 2

Minimum OS 3

IE2000

IE3000 

IOS 15.2(2)E4

IOS 15.2(4)EA6

IOS 15.0(2)EB

X

IE4000

IE5000

IOS 15.2(2)E5

IOS 15.2(4)E2

IOS 15.2(4)EA6

IOS 15.0.2A-EX5

IE4010

IOS 15.2(2)E5

IOS 15.2(4)E2

IOS 15.0.2A-EX5

SMB SG500

Sx500 1.4.8.06

4

!

X

X

X

X

X

X

Sx500 1.2.0.97

!

!

X

X

X

X

X

X

CGS 2520

IOS 15.2(3)E3

X

IOS 15.2(3)E3

X

Catalyst 2960 LAN Base

IOS 15.0(2)SE11

X

X

IOS v12.2(55)SE5 5

!

X

!

!

X

Catalyst 2960-C

Catalyst 3560-C

IOS 15.2(2)E4

IOS 12.2(55)EX3

Catalyst 2960-L 6

IOS 15.2(6.1.27)E2

X

IOS 15.2(6)E2

X

Catalyst 2960-Plus

Catalyst 2960-SF

IOS 15.2(2)E4

IOS 15.0(2)SE7

X

Catalyst 2960-S

IOS 15.2(2) E6

IOS 15.0.2SE10a

IOS 15.0(2)SE11

X

X

IOS 12.2.(55)SE5

X

Catalyst 2960–XR

Catalyst 2960–X

IOS 15.2(2)E6

IOS 15.2(2)E5

IOS 15.2(4)E2

IOS 15.2.6E1(ED)

IOS 15.0.2A-EX5

Catalyst 2960-CX

Catalyst 3560-CX

IOS 15.2(3)E1

IOS 15.2(3)E

Catalyst 3560-G

Catalyst 3750-G

Cat 3750-E

IOS 15.2(2) E6

IOS 12.2(55)SE5

IOS 12.2(55)SE10

IOS 12.2(55)SE11

IOS 12.2(55)SE5

Catalyst 3560V2

Catalyst 3750V2

IOS 12.2(55)SE10

IOS 12.2(55)SE5

Catalyst 3560-E

IOS 15.0(2)SE11

IOS 12.2(55)SE5

Catalyst 3560-X

IOS 15.2(2)E5

IOS 15.2(2)E6

IOS 12.2(55)SE5

Catalyst 3650

Catalyst 3650-X

IOS XE 16.3.3

IOS XE 3.6.5E

IOS 16.6.2 ES

IOS XE 3.3.5.SE

Catalyst 3750-E

IOS 15.2(2) E6

IOS 15.0(2)SE11

IOS 12.2(55)SE5

Catalyst 3750-X

IOS 15.2(2) E6

IOS 15.2(2)E5

IOS 15.2(4)E2

IOS 12.2(55)SE5

Catalyst 3850

IOS XE 16.3.3

IOS XE 3.6.5E

IOS XE 3.6.7E

IOS 16.6.2 ES

IOS XE 3.3.5.SE

Catalyst 4500-X

IOS XE 3.6.6 E

IOS 15.2(2)E5

IOS 15.2(4)E2

IOS 15.2(6)E

IOS XE 3.4.4 SG

X

Catalyst 4500 Supervisor 7-E, 7L-E

IOS XE 3.6.4

IOS XE 3.4.4 SG

X

Catalyst 4500 Supervisor 6-E, 6L-E

IOS 15.2(2)E4

X

IOS 15.2(2)E

X

Catalyst 4500 Supervisor 8-E

IOS XE 3.6.4

IOS XE 3.6.8E

X

IOS XE 3.3.2 XO

X

Catalyst 5760

IOS XE 3.7.4

X

Catalyst 6500-E (Supervisor 32)

IOS 12.2(33)SXJ10

X

IOS 12.2(33)SXI6

X

Catalyst 6500-E (Supervisor 720)

IOS 15.1(2)SY7

X

IOS v12.2(33)SXI6

X

Catalyst 6500-E (VS-S2T-10G)

IOS 152-1.SY1a

X

IOS 15.0(1)SY1

X

Catalyst 6807-XL

Catalyst 6880-X (VS-S2T-10G)

IOS 152-1.SY1a

X

IOS 15.0(1)SY1

X

Catalyst 6848ia

IOS 152-1.SY1a

X

IOS 15.1(2) SY+

X

Catalyst 9200

Catalyst 9200-L

IOS-XE 16.10.1

IOS-XE 16.9.2

Catalyst 9300

IOS-XE 16.6.2 ES

IOS-XE 16.8.1a

IOS-XE 16.6.2 ES

Catalyst 9400

IOS-XE 16.6.2 ES

IOS-XE 16.8.1a

IOS-XE 16.6.2 ES

Catalyst 9500

IOS-XE 16.6.2 ES

IOS-XE 16.8.1a

IOS-XE 16.6.2 ES

Meraki MS Platforms

Latest Version

! 7

! 8

X

! 9

X

Latest Version

!

!

X

!

X

1 Validated OS is the version tested for compatibility and stability.
2 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
3 Minimum OS is the version in which the features got introduced.
4 SMB SG500 does not support the MAC Authentication Bypass (MAB) feature.
5 The IOS 12.x version does not fully support the Posture and Guest flows because of CSCsx97093. As a workaround, when you configure URL redirect in Cisco ISE, assign a value to “coa-skip-logical-profile.”
6 Only limited features are supported for 802.1x implementation for switches with LanLite hardware (for example, Cisco Catalyst 2960X-24TS-LL Switch) and LanLite software (for example, Cisco Catalyst 2960-24TC-S Switch).
7 dACL is not supported for Meraki switches.
8 Local Web Authentication is not supported for Meraki switches.
9 Only Meraki MDM is supported. Third-party MDM is not supported.

Cisco ISE supports SNMP CoA for Cisco Catalyst switches. The following features are supported with SNMP CoA for Cisco Catalyst switches:
  • Posture

  • BYOD

  • Guest

Validated Third Party Access Switches

Table 3. Validated Third Party Access Switches

Device

Validated OS 10

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 11

Minimum OS 12

Avaya ERS 2526T

4.4

!

X

X

X

X

X

4.4

!

X

X

X

X

X

Brocade ICX 6610

8.0.20

X

X

8.0.20

X

X

Extreme X440-48p

ExtremeXOS 15.5

X

X

X

ExtremeXOS 15.5

X

X

X

HP H3C

HP ProCurve

5.20.99

X

X

5.20.99

X

X

HP ProCurve 2900

WB.15.18.0007

X

X

WB.15.18.0007

X

X

Juniper EX3300

12.3R11.2

X

X

12.3R11.2

X

X

10 Validated OS is the version tested for compatibility and stability.
11 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
12 Minimum OS is the version in which the features got introduced.

For more information on third-party device support, see https://communities.cisco.com/docs/DOC-64547

Validated Cisco Wireless LAN Controllers

Table 4. Validated Cisco Wireless LAN Controllers

Device

Validated OS 13

AAA

Profiling

BYOD

Guest

Guest Originating URL

Posture

MDM

TrustSec 14

WLC 2100

AireOS 7.0.252.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

WLC 2504

AirOS 8.5.120.0(ED)

WLC 3504

AirOS 8.5.105.0

Not validated

WLC 4400

AireOS 7.0.252.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

WLC 2500

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.3.102.0

X

AireOS 8.4.100.0

X

AireOS 7.2.103.0 (minimum)

!

X

X

WLC 5508

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.3.102.0

X

AireOS 8.3.114.x

X

AireOS 8.3.140.0

X

AireOS 8.4.100.0

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

WLC 5520

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.3.102.0

X

AireOS 8.4.100.0

X

AireOS 8.5.1.x

AireOS 8.6.1.x

AirOS 8.6.101.0(ED)

AireOS 8.1.122.0 (minimum)

X

WLC 7500

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.2.154.x

X

AireOS 8.3.102.0

X

AireOS 8.4.100.0

X

AirOS 8.5.120.0(ED)

AireOS 7.2.103.0 (minimum)

!

X

X

X

X

X

X

WLC 8510

AireOS 8.0.135.0

X

X

AireOS 7.4.121.0 (minimum)

X

X

X

X

X

WLC 8540

AireOS 8.1.131.0

X

X

AireOS 8.1.122.0 (minimum)

X

X

Catalyst 9800-80

Catalyst 9800-40

Catalyst 9800-CL

Catalyst 9800 on Catalyst 9300

IOS XE 16.10.1 (minimum)

X

vWLC

AireOS 8.0.135.0

X

X

AireOS 7.4.121.0 (minimum)

X

X

WiSM1 6500

AireOS 7.0.252.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

WiSM2 6500

AireOS 8.0.135.0

X

AireOS 7.2.103.0 (minimum)

!

X

WLC 5760

IOS XE 3.6.4

IOS XE 3.3 (minimum)

X

WLC for ISR (ISR2 ISM, SRE700, and SRE900)

AireOS 7.0.116.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

Meraki MR Platforms

Public Beta

X

Latest Version (minimum)

X

13 Validated OS is the version tested for compatibility and stability.
14 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.

Refer to the Cisco Wireless Solutions Software Compatibility Matrix for a complete list of supported operating systems.


Note

Due to CSCvi10594, IPv6 RADIUS CoA fails in AireOS Release 8.1 and later. As a workaround, you can use IPv4 RADIUS or downgrade Cisco Wireless LAN Controller to AireOS Release 8.0.



Note

Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support endpoint posturing. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.


Supported Cisco Access Points

Table 5. Supported Cisco Access Points

Cisco Access Point

Minimum Cisco Mobility Express Version

AAA

Profiling

BYOD

Guest

Guest Originating URL

Posture

MDM

TrustSec

Cisco Aironet 1540 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1560 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1815i

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1815m

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1815w

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 2800 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 3800 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Validated Third Party Wireless LAN Controllers

Table 6. Validated Third Party Wireless LAN Controllers

Device

Validated OS 15

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 16

Minimum OS 17

Aruba 3200 18

Aruba 3200XM

Aruba 650

6.4

X

X

6.4

X

X

6.4

X

X

Aruba 7000

Aruba IAP

6.4.1.0

!

!

6.4.1.0

!

!

Motorola RFS 4000

5.5

X

X

5.5

X

X

HP 830

35073P5

X

X

35073P5

X

X

Ruckus ZD1200

9.9.0.0

X

X

9.9.0.0

X

X

15 Validated OS is the version tested for compatibility and stability.
16 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
17 Minimum OS is the version in which the features got introduced.
18 Aruba 3200 is supported for ISE 2.2 patch 2 and above.

For more information on third-party device support, see https://communities.cisco.com/docs/DOC-64547

Validated Cisco Routers

Table 7. Validated Cisco Routers

Device

Validated OS 19

Minimum OS 20

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 21

ISR 88x, 89x Series

IOS 15.3.2T(ED)

X

X

X

X

X

X

IOS 15.2(2)T

X

X

X

X

X

X

ISR 19x, 29x, 39x Series

IOS 15.3.2T(ED)

!

X

!

X

X

IOS 15.2(2)T

!

X

!

X

X

CGR 2010

IOS 15.3.2T(ED)

!

X

!

X

X

IOS 15.3.2T(ED)

!

X

!

X

X

4451-XSM-X L2/L3 Ethermodule

IOS XE 3.11

IOS XE 3.11

19 Validated OS is the version tested for compatibility and stability.
20 Minimum OS is the version in which the features got introduced.
21 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.

Validated Cisco Remote Access

Table 8. Validated Cisco Remote Access

Device

Validated OS 22

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 23

Minimum OS 24

ASA 5500, ASA 5500-X (Remote Access Only)

ASA 9.2.1

NA

NA

NA

X

ASA 9.1.5

NA

NA

X

NA

X

X

X

Meraki MX Platforms

Latest Version

X

Latest Version

X

22 Validated OS is the version tested for compatibility and stability.
23 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
24 Minimum OS is the version in which the features got introduced.

AAA Attributes for RADIUS Proxy Service

For RADIUS proxy service, the following authentication, authorization, and accounting (AAA) attributes must be included in the RADIUS communication:

  • Calling-Station-ID (IP or MAC_ADDRESS)

  • RADIUS::NAS_IP_Address

  • RADIUS::NAS_Identifier

AAA Attributes for Third-Party VPN Concentrators

For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:

  • Calling-Station-ID (tracks individual client by MAC or IP address)

  • User-Name (tracks remote client by login name)

  • NAS-Port-Type (helps to determine connection type as VPN)

  • RADIUS Accounting Start (triggers official start of session)

  • RADIUS Accounting Stop (triggers official end of session and releases ISE license)

  • RADIUS Accounting Interim Update on IP address change (for example, SSL VPN connection transitions from Web-based to a full-tunnel client)


Note

For VPN devices, the RADIUS Accounting messages must have the Framed-IP-Address attribute set to the client’s VPN-assigned IP address to track the endpoint while on a trusted network.

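The two attribute lists above (RADIUS proxy service and third-party VPN concentrators) can be checked against what a device actually sends. The following Python is an added example, not Cisco code: it parses the attribute TLVs of a constructed RADIUS Accounting-Request and reports which of the listed attributes are missing. The expectation that a VPN headend sets NAS-Port-Type to Virtual (5) is an assumption, not something this page states.

```python
"""Added example (not Cisco code): check a RADIUS Accounting-Request for the
attributes Cisco ISE expects from a RADIUS proxy source or a VPN concentrator."""
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request (RFC 2866)

# Standard attribute numbers from RFC 2865/2866
ATTR = {
    "User-Name": 1,
    "NAS-IP-Address": 4,
    "Framed-IP-Address": 8,
    "Calling-Station-Id": 31,
    "NAS-Identifier": 32,
    "Acct-Status-Type": 40,
    "NAS-Port-Type": 61,
}
IPADDR_ATTRS = {"NAS-IP-Address", "Framed-IP-Address"}  # carry a 4-byte address
# Assumption: a VPN headend reports NAS-Port-Type = Virtual (5); the page only
# says the attribute "helps to determine connection type as VPN".
NAS_PORT_TYPE_VIRTUAL = 5

# Attribute sets taken from the two lists on this page
REQUIRED_PROXY = ("Calling-Station-Id", "NAS-IP-Address", "NAS-Identifier")
REQUIRED_VPN = ("Calling-Station-Id", "User-Name", "NAS-Port-Type",
                "Acct-Status-Type", "Framed-IP-Address")


def encode_attr(name, value):
    """Encode one attribute as a RADIUS TLV: type (1 byte), length (1 byte), value."""
    if name in IPADDR_ATTRS:
        data = IPv4Address(value).packed
    elif isinstance(value, int):
        data = struct.pack("!I", value)
    else:
        data = str(value).encode()
    return struct.pack("!BB", ATTR[name], len(data) + 2) + data


def build_packet(code, identifier, attrs):
    """Build a RADIUS packet; the 16-byte authenticator is zeroed (sample only, unsigned)."""
    body = b"".join(encode_attr(name, value) for name, value in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_packet(packet):
    """Return (code, {attr_type: [raw values]}); reject truncated or overlapping TLVs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def check_accounting(packet, profile="vpn"):
    """Return findings for a packet; an empty list means ISE gets what the page lists."""
    code, attrs = parse_packet(packet)
    findings = []
    if code != ACCOUNTING_REQUEST:
        findings.append(f"code {code} is not Accounting-Request")
    required = REQUIRED_VPN if profile == "vpn" else REQUIRED_PROXY
    for name in required:
        if ATTR[name] not in attrs:
            findings.append(f"missing {name}")
    if profile == "vpn" and ATTR["NAS-Port-Type"] in attrs:
        port_type = struct.unpack("!I", attrs[ATTR["NAS-Port-Type"]][0])[0]
        if port_type != NAS_PORT_TYPE_VIRTUAL:
            findings.append(f"NAS-Port-Type {port_type} is not Virtual (5)")
    return findings


# Constructed sample: an Accounting Stop that carries everything ISE needs
GOOD_STOP = build_packet(ACCOUNTING_REQUEST, 7, [
    ("User-Name", "alice"),
    ("Calling-Station-Id", "198.51.100.23"),
    ("NAS-IP-Address", "192.0.2.10"),
    ("NAS-Port-Type", NAS_PORT_TYPE_VIRTUAL),
    ("Acct-Status-Type", 2),
    ("Framed-IP-Address", "10.10.20.5"),
])

# Constructed sample: an Interim-Update sent without the VPN-assigned address
BAD_INTERIM = build_packet(ACCOUNTING_REQUEST, 8, [
    ("User-Name", "alice"),
    ("Calling-Station-Id", "198.51.100.23"),
    ("NAS-Port-Type", NAS_PORT_TYPE_VIRTUAL),
    ("Acct-Status-Type", 3),
])

if __name__ == "__main__":
    for label, pkt in (("good stop", GOOD_STOP), ("bad interim", BAD_INTERIM)):
        print(label, check_accounting(pkt) or "OK")
```

Feed `check_accounting` the payload of a captured UDP/1813 datagram to see which attribute a headend or proxied NAD is omitting before ISE drops the session.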

Validated External Identity Sources

See the Cisco Identity Services Engine Administrator Guide for more information.

Table 9. Validated External Identity Sources

Each group names the external identity source; the entries beneath it give the validated OS/version.

Active Directory 25 26 27
  • Microsoft Windows Active Directory 2003 28
  • Microsoft Windows Active Directory 2003 R2
  • Microsoft Windows Active Directory 2008
  • Microsoft Windows Active Directory 2008 R2
  • Microsoft Windows Active Directory 2012
  • Microsoft Windows Active Directory 2012 R2 29
  • Microsoft Windows Active Directory 2016

LDAP Servers
  • SunONE LDAP Directory Server, Version 5.2
  • OpenLDAP Directory Server, Version 2.4.23
  • Any LDAP v3 compliant server

Token Servers
  • RSA ACE/Server, 6.x series
  • RSA Authentication Manager, 7.x and 8.x series
  • Any RADIUS RFC 2865-compliant token server

Security Assertion Markup Language (SAML) Single Sign-On (SSO)
  • Microsoft Azure
  • Oracle Access Manager (OAM), Version 11.1.2.2.0
  • Oracle Identity Federation (OIF), Version 11.1.1.2.0
  • PingFederate Server, Version 6.10.0.4
  • PingOne Cloud
  • Secure Auth, 8.1.1
  • Any SAMLv2-compliant Identity Provider

Open Database Connectivity (ODBC) Identity Source
  • Microsoft SQL Server, Microsoft SQL Server 2012
  • Oracle, Enterprise Edition Release 12.1.0.2.0
  • PostgreSQL, 9.0
  • Sybase, 16.0
  • MySQL, 6.3

Social Login (for Guest User Accounts)
  • Facebook

25 Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008 and later.
26 Microsoft Windows Active Directory version 2000 or its functional level is not supported by Cisco ISE.
27 You can add up to 200 Domain Controllers on ISE. If you exceed the limit, you receive the following error:

Error creating <DC FQDN> - Number of DCs Exceeds allowed maximum of 200

28 Microsoft has ended support for Windows Server 2003 and 2003 R2. We recommend that you upgrade your Windows server to a supported version.
29 Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2; however, the new features in Microsoft Windows Active Directory 2012 R2, such as the Protected Users group, are not supported.

Validated MDM Servers

Validated Mobile Device Management (MDM) servers include products from the following vendors:

  • Absolute

  • AirWatch

  • Citrix XenMobile

  • Globo

  • Good Technology

  • IBM MaaS360

  • JAMF Software

  • Meraki SM/EMM

  • MobileIron

  • SAP Afaria

  • SOTI

  • Symantec

  • Tangoe

  • Microsoft Intune - for mobile devices

  • Microsoft SCCM - for desktop devices

Supported Browsers for the Admin Portal

  • Mozilla Firefox 66 and earlier versions

  • Google Chrome 74 and earlier versions

  • Microsoft Internet Explorer 10.x and 11.x

    If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).

    The minimum required screen resolution to view the Cisco ISE Admin portal and for a better user experience is 1280 x 800 pixels.

Validated Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x


    Note

    If you are installing or upgrading Cisco ISE on an ESXi 5.x server, update the VMware hardware version to 9 or later to support RHEL 7 as the Guest OS. RHEL 7 is supported with VMware hardware Version 9 and later.


  • KVM on RHEL 7.0

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later


Note

Cisco ISE does not support VMware snapshots for backing up ISE data because a VMware snapshot saves the status of a VM at a given point in time. In a multi-node Cisco ISE deployment, data in all the nodes are continuously synchronized with current database information. Restoring a snapshot might cause database replication and synchronization issues. We recommend that you use the backup functionality included in Cisco ISE for archival and restoration of data.

Using VMware snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node.


Validated Cisco Digital Network Architecture Center Release

Cisco ISE is validated with Cisco Digital Network Architecture Center (Cisco DNA Center), Release 1.1.

Validated Cisco Prime Infrastructure Release

Cisco Prime Infrastructure, Release 3.1 integrates with Cisco ISE to leverage the monitoring and reporting capabilities of Cisco ISE.

Validated Cisco Stealthwatch Release

Cisco ISE is validated with Cisco Stealthwatch, Release 6.9.

Support for Threat Centric NAC

Cisco ISE is validated with the following adapters:

  • SourceFire FireAMP

  • Qualys

    Note

    Only the Qualys Enterprise Edition is currently supported for TC-NAC flows.

Validated Client Machine Operating Systems, Supplicants, and Agents

This section lists the validated client machine operating systems, browsers, and agent versions for each client machine type. For all devices, you must also have cookies enabled in the web browser. Cisco AnyConnect-ISE Posture Support Charts are available at: https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html


Note

Cisco ISE, Release 2.3 and later support only the Cisco AnyConnect and Cisco Temporal Agents.

All standard 802.1X supplicants can be used with the standard and advanced features of Cisco ISE, Release 2.4 and later, as long as they support the standard authentication protocols that Cisco ISE supports. For the VLAN change authorization feature to work in a wireless deployment, the supplicant must support IP address refresh on VLAN change.



Note

Cisco ISE does not support any trial version or evaluation edition of an operating system.


Google Android


Note

Cisco ISE may not support certain Android OS version and device combinations due to the open-access nature of the Android implementation on certain devices.


Table 10. Google Android

Client Machine Operating System | Web Browser | Supplicants (802.1X)
Google Android 9.x | Native browser, Mozilla Firefox | Google Android Supplicant 9.x
Google Android 8.x | Native browser, Mozilla Firefox | Google Android Supplicant 8.x
Google Android 7.x | Native browser, Mozilla Firefox | Google Android Supplicant 7.x
Google Android 6.x | Native browser, Mozilla Firefox | Google Android Supplicant 6.x
Google Android 5.x | Native browser, Mozilla Firefox | Google Android Supplicant 5.x
Google Android 4.x | Native browser, Mozilla Firefox | Google Android Supplicant 4.x
Google Android 3.x | Native browser, Mozilla Firefox | Google Android Supplicant 3.x
Google Android 2.3.x | Native browser, Mozilla Firefox | Google Android Supplicant 2.3.x
Google Android 2.2.x | Native browser | Google Android Supplicant 2.2.x


Note

If you are using Google Android 9.x, you must:

  • Update the posture feed in Cisco ISE to get the NSA for Android 9.

  • Ensure that the certificate carries the hostname in the subjectAltName (SAN) extension. Android no longer uses the Common Name (CN), so trust fails without a matching SAN. If you are using self-signed certificates, regenerate the Cisco ISE self-signed certificate by selecting the Domain Name or IP Address option from the SAN drop-down list for Portals (Administration > System > Certificates > System Certificates).


Apple iOS


Note

When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE for 802.1X, the public certificate includes a CRL distribution point that the iOS device needs to verify, but it cannot do so without network access. Click “confirm/accept” on the iOS device to authenticate to the network.


Table 11. Apple iOS

Client Machine Operating System | Web Browser | Supplicants (802.1X)
Apple iOS 12.x | Safari | Apple iOS Supplicant 12.x
Apple iOS 11.x | Safari | Apple iOS Supplicant 11.x
Apple iOS 10.x | Safari | Apple iOS Supplicant 10.x
Apple iOS 9.x | Safari | Apple iOS Supplicant 9.x
Apple iOS 8.x | Safari | Apple iOS Supplicant 8.x
Apple iOS 7.x | Safari | Apple iOS Supplicant 7.x
Apple iOS 6.x | Safari | Apple iOS Supplicant 6.x
Apple iOS 5.x | Safari | Apple iOS Supplicant 5.x


Note

  • If you are using Apple iOS 12.2, you must manually install the downloaded Certificate/Profile. To do this, choose Settings > General > Profile on the Apple iOS device and click Install.

  • If you are using Apple iOS 12.2, RSA key size must be 2048 bits or higher. Otherwise, you might see an error while installing the BYOD profile.


Apple MAC OS X

Table 12. Apple Mac OS X

Client Machine Operating System | Web Browser | Supplicants (802.1X) | Cisco ISE | AnyConnect
Apple macOS 10.14 | Apple Safari, Mozilla Firefox, Google Chrome | Apple macOS Supplicant 10.14 | 2.4 | 4.6.01098 or later
Apple macOS 10.13 | Apple Safari, Mozilla Firefox, Google Chrome | Apple macOS Supplicant 10.13 | 2.4 | 4.6.01098 or later
Apple macOS 10.12 | Apple Safari 30, Mozilla Firefox, Google Chrome | Apple macOS Supplicant 10.12 | 2.4 | 4.6.01098 or later
Apple Mac OS X 10.11 | Apple Safari, Mozilla Firefox, Google Chrome | Apple MAC OS X Supplicant 10.11 | 2.4 | 4.6.01098 or later
Apple Mac OS X 10.10 | Apple Safari, Mozilla Firefox, Google Chrome | Apple MAC OS X Supplicant 10.10 | 2.4 | 4.6.01098 or later
Apple Mac OS X 10.9 | Apple Safari, Mozilla Firefox, Google Chrome | Apple MAC OS X Supplicant 10.9 | 2.4 | 4.6.01098 or later

30 Apple Safari version 6.0 is supported only on Mac OS X 10.7.4 and later versions of the operating system.

Note

Cisco ISE does work with earlier releases of AnyConnect 4.x. However, only newer AnyConnect releases support newer features. For example, the “All Internal Drives” option in the Disk Encryption Condition requires AnyConnect release 4.6.01098 or later.


Microsoft Windows

Table 13. Microsoft Windows

Microsoft Windows 10
  Editions: Windows 10 Enterprise, Windows 10 Enterprise N, Windows 10 Enterprise E, Windows 10 Enterprise LTSB, Windows 10 Enterprise N LTSB, Windows 10 Professional, Windows 10 Professional N, Windows 10 Professional E, Windows 10 Education, Windows 10 Home, Windows 10 Home Chinese, Windows 10.0 SLP (Single Language Pack)
  Web Browser: Microsoft Edge, Microsoft IE 11, Mozilla Firefox, Google Chrome
  Supplicants (802.1X): Microsoft Windows 10 802.1X Client, AnyConnect Network Access Manager
  Cisco ISE: 2.4
  Cisco Temporal Agent: 4.5 or later
  AnyConnect 31: 4.6.01098 or later

Microsoft Windows 8 32
  Editions: Windows 8.1, Windows 8, Windows 8 x64, Windows 8 Professional, Windows 8 Professional x64, Windows 8 Enterprise, Windows 8 Enterprise x64
  Note: Windows 8 RT is not supported.
  Web Browser: Microsoft IE 11, Mozilla Firefox, Google Chrome
  Supplicants (802.1X): Microsoft Windows 8 802.1X Client, AnyConnect Network Access Manager
  Cisco ISE: 2.4
  Cisco Temporal Agent: 4.5 or later
  AnyConnect 31: 4.6.01098 or later

Microsoft Windows 7
  Editions: Windows 7 Professional, Windows 7 Professional x64, Windows 7 Ultimate, Windows 7 Ultimate x64, Windows 7 Enterprise, Windows 7 Enterprise x64, Windows 7 Home Premium, Windows 7 Home Premium x64, Windows 7 Home Basic, Windows 7 Starter Edition
  Web Browser: Microsoft IE 11, Mozilla Firefox, Google Chrome
  Supplicants (802.1X): Microsoft Windows 7 802.1X Client, AnyConnect Network Access Manager
  Cisco ISE: 2.4
  Cisco Temporal Agent: 4.5 or later
  AnyConnect 31: 4.6.01098 or later

31 If you have AnyConnect Network Access Manager (NAM) installed, NAM takes precedence over Windows native supplicant as the 802.1X supplicant and it does not support the BYOD flow. You must disable NAM completely or on a specific interface. See the Cisco AnyConnect Secure Mobility Client Administration Guide for more information.
32 When you create a client provisioning policy to accommodate Windows 8, you must select the “Windows All” operating system option.


Note

Cisco ISE does work with earlier releases of AnyConnect 4.x. However, only newer AnyConnect releases support newer features. For example, the “All Internal Drives” option in the Disk Encryption Condition requires AnyConnect release 4.6.01098 or later.


Google Chromebook


Note

Google Chromebook is a managed device and does not support the Posture service. See the Cisco Identity Services Engine Administration Guide for more information.


Table 14. Google Chromebook

Client Machine Operating System | Web Browser | Supplicants (802.1X) | Cisco ISE
Google Chromebook | Google Chrome version 49 | Google Chromebook supplicant | 2.4


Note

Cisco ISE BYOD or Guest portal will fail to launch in Chrome Operating System 73 even though the URL is redirected successfully.

To launch the portals in Chrome Operating System 73, follow these steps:

1. Generate a new self-signed certificate from the ISE GUI, filling in the Subject Alternative Name field with both the DNS name and the IP address.

2. Export the certificate and copy it to the end client (Chromebook).

3. Choose Settings > Advanced > Privacy and Security > Manage certificates > Authorities.

4. Import the certificate.

5. Open the browser and retry the portal redirect.


Other Operating Systems

Table 15. Other Operating Systems

Client Machine Operating System | Web Browser 33 | Supplicants (802.1X)
Red Hat Enterprise Linux (RHEL) | Google Chrome, Mozilla Firefox | Not tested extensively 34

33 Google Chrome does not support 32-bit Linux systems.
34 Support for 802.1X has not been tested extensively by Cisco, but any 802.1X supplicant is supported as long as it complies with the IEEE 802.1X standards.

Validated Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals

These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.

Table 16. Validated Operating Systems and Browsers

Supported Operating System 35 | Browser Versions
Google Android 36 8.x, 7.x, 6.x, 5.x, 4.x, 3.x, 2.3.x, 2.2.x | Native browser, Mozilla Firefox
Apple iOS 12.x, 11.x, 10.x, 9.x, 8.x, 7.x, 6.x, 5.x | Safari
Apple macOS 10.14, 10.13, 10.12, 10.11, 10.10, 10.9 | Mozilla Firefox, Safari, Google Chrome
Microsoft Windows 10, 8.1, 8, 7 | Microsoft Edge, Microsoft IE 11, Mozilla Firefox, Google Chrome
Red Hat Enterprise Linux (RHEL) | Mozilla Firefox, Google Chrome

35 The latest two officially-released browser versions are supported for all operating systems except Microsoft Windows; refer to Table 14 for the supported Internet Explorer versions.
36 Cisco ISE may not support certain Android OS version and device combinations due to the open-access nature of the Android implementation on certain devices.

Validated Devices for On-Boarding and Certificate Provisioning

Cisco Wireless LAN Controller (WLC) 7.2 or above support is required for the BYOD feature. See the Release Notes for the Cisco Identity Services Engine for any known issues or caveats.


Note

To get the latest Cisco-supported client OS versions, check the posture update information (Administration > System > Settings > Posture > Updates) and click Update Now.


Table 17. BYOD On-Boarding and Certificate Provisioning - Validated Devices and Operating Systems

Device

Operating System

Single SSID

Dual SSID (open > PEAP (no cert) or open > TLS)

Onboard Method

Apple iDevice

Apple iOS 12.x, 11.x, 10.x, 9.x, 8.x, 7.x, 6.x, 5.x

Yes

Yes 37

Apple profile configurations (native)

Android

2.2 and above 38 39

Yes 40

Yes

Cisco Network Setup Assistant

Barnes & Noble Nook (Android) HD/HD+ 41

Windows

Windows 10, 8.1, 8, 7

Yes 42

Yes

SPW from Cisco.com or Cisco ISE Client Provisioning feed

Windows

Mobile 8, Mobile RT, Surface 8, and Surface RT

No

No

Apple macOS

Apple macOS 10.14, 10.13, 10.12, 10.11, 10.10, 10.9

Yes

Yes

SPW from Cisco.com or Cisco ISE client provisioning feed

37 Connect to secure SSID after provisioning.
38 There are known EAP-TLS issues with Android 4.1.1 devices. Contact your device manufacturer for support.
39 Android 6.0 requires May 2016 patch to support ECC certificates; does not support the P-192 ECC curve type.
40 You cannot modify the system-created SSIDs using the Cisco supplicant provisioning wizard (SPW) if you are using Android version 6.0 or above. When the SPW prompts you to forget the network, you must choose this option and press the Back button to continue the provisioning flow.

41 Barnes & Noble Nook (Android) works when it has Google Play Store 2.1.0 installed.
42 While configuring the wireless properties for the connection (Security > Auth Method > Settings > Validate Server Certificate), uncheck the Validate Server Certificate option. If you check this option, ensure that you select the correct root certificate.

Validated OpenSSL Version

Cisco ISE is validated with OpenSSL 1.0.2.x (CiscoSSL 6.0).

Supported Cipher Suites

Cisco ISE supports TLS versions 1.0, 1.1, and 1.2.

Cisco ISE supports RSA and ECDSA server certificates. The following elliptic curves are supported:

  • secp256r1

  • secp384r1

  • secp521r1

The following table lists the supported cipher suites. The second column applies to Cisco ISE acting as a TLS or DTLS server (EAP server, RADIUS DTLS server); the third column applies to Cisco ISE acting as a TLS or DTLS client (CRL download from HTTPS, CRL download from LDAPS, secure TCP syslog client, secure LDAP client, RADIUS DTLS client for CoA).

| Cipher suite | EAP server; RADIUS DTLS server | Download CRL from HTTPS; Download CRL from LDAPS; Secure TCP syslog client; Secure LDAP client; RADIUS DTLS client for CoA |
|---|---|---|
| TLS 1.0 support | When TLS 1.0 is allowed (DTLS server supports only DTLS 1.2); see the TLS 1.0 note below | When TLS 1.0 is allowed (DTLS client supports only DTLS 1.2) |
| TLS 1.1 support | When TLS 1.1 is allowed; see the TLS 1.1 note below | When TLS 1.1 is allowed |
| ECC DSA ciphers | | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | Yes | Yes |
| ECDHE-ECDSA-AES128-GCM-SHA256 | Yes | Yes |
| ECDHE-ECDSA-AES256-SHA384 | Yes | Yes |
| ECDHE-ECDSA-AES128-SHA256 | Yes | Yes |
| ECDHE-ECDSA-AES256-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| ECDHE-ECDSA-AES128-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| ECC RSA ciphers | | |
| ECDHE-RSA-AES256-GCM-SHA384 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES128-GCM-SHA256 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES256-SHA384 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES128-SHA256 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES256-SHA | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed |
| ECDHE-RSA-AES128-SHA | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed |
| DHE RSA ciphers | | |
| DHE-RSA-AES256-SHA256 | No | Yes |
| DHE-RSA-AES128-SHA256 | No | Yes |
| DHE-RSA-AES256-SHA | No | When SHA-1 is allowed |
| DHE-RSA-AES128-SHA | No | When SHA-1 is allowed |
| RSA ciphers | | |
| AES256-SHA256 | Yes | Yes |
| AES128-SHA256 | Yes | Yes |
| AES256-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| AES128-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| 3DES ciphers | | |
| DES-CBC3-SHA | When 3DES/SHA-1 is allowed | When 3DES/DSS and SHA-1 are enabled |
| DSS ciphers | | |
| DHE-DSS-AES256-SHA | No | When 3DES/DSS and SHA-1 are enabled |
| DHE-DSS-AES128-SHA | No | When 3DES/DSS and SHA-1 are enabled |
| EDH-DSS-DES-CBC3-SHA | No | When 3DES/DSS and SHA-1 are enabled |
| Weak RC4 ciphers | | |
| RC4-SHA | When the "Allow weak ciphers" option is enabled in the Allowed Protocols page and SHA-1 is allowed | No |
| RC4-MD5 | When the "Allow weak ciphers" option is enabled in the Allowed Protocols page | No |
| EAP-FAST anonymous provisioning only | | |
| ADH-AES-128-SHA | Yes | No |

TLS 1.0 note: The Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.0 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS-based EAP authentication methods with TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).

TLS 1.1 note: The Allow TLS 1.1 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.1 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS-based EAP authentication methods with TLS 1.1, check the Allow TLS 1.1 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).
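Several rows of the table depend on more than one toggle at once (for example, ECDHE-RSA-AES256-SHA needs both ECDHE-RSA and SHA-1 allowed), which makes it easy to misjudge what a given settings combination actually exposes. The following Go program is an added example, not Cisco ISE code: it splits an OpenSSL-style cipher suite name into its key exchange, authentication, cipher and MAC parts and then applies the table's conditions for the server-side and client-side columns. The SecuritySettings field names, the Role type and the use of a single 3DES/DSS toggle for both columns are this example's assumptions rather than ISE configuration keys; the suite list evaluated in main is constructed from the table.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecuritySettings models the toggles the cipher suite table refers to.
// Field names are this example's own, not ISE configuration keys.
type SecuritySettings struct {
	AllowSHA1     bool // "When SHA-1 is allowed"
	AllowECDHERSA bool // "When ECDHE-RSA is allowed"
	Allow3DESDSS  bool // "When 3DES/DSS and SHA-1 are enabled" (assumed to be one toggle for both columns)
	AllowWeakRC4  bool // "Allow weak ciphers" in the Allowed Protocols page
}

// Role selects one of the two value columns of the table.
type Role int

const (
	ServerRole Role = iota // EAP server, RADIUS DTLS server
	ClientRole             // CRL download, secure syslog/LDAP client, RADIUS DTLS client for CoA
)

// Suite is an OpenSSL-style cipher suite name split into its components.
type Suite struct {
	KeyExchange string // ECDHE, DHE, EDH, ADH, or RSA (static RSA key transport)
	Auth        string // ECDSA, RSA, DSS, or "" for anonymous
	Cipher      string // e.g. AES256-GCM, AES128, DES-CBC3, RC4
	MAC         string // SHA (HMAC-SHA-1), SHA256, SHA384, MD5
}

var knownMACs = map[string]bool{"SHA": true, "SHA256": true, "SHA384": true, "MD5": true}

// ParseSuite decomposes names such as "ECDHE-RSA-AES256-SHA" or "DES-CBC3-SHA".
func ParseSuite(name string) (Suite, error) {
	parts := strings.Split(strings.ToUpper(name), "-")
	if len(parts) < 2 || !knownMACs[parts[len(parts)-1]] {
		return Suite{}, errors.New("unrecognised cipher suite name: " + name)
	}
	s := Suite{MAC: parts[len(parts)-1]}
	rest := parts[:len(parts)-1]
	switch rest[0] {
	case "ECDHE", "DHE", "EDH":
		if len(rest) < 3 {
			return Suite{}, errors.New("missing authentication or cipher in: " + name)
		}
		s.KeyExchange, s.Auth, rest = rest[0], rest[1], rest[2:]
	case "ADH":
		s.KeyExchange, rest = "ADH", rest[1:]
	default:
		// No key exchange prefix: static RSA key transport with an RSA-signed certificate.
		s.KeyExchange, s.Auth = "RSA", "RSA"
	}
	if len(rest) == 0 {
		return Suite{}, errors.New("missing cipher in: " + name)
	}
	s.Cipher = strings.Join(rest, "-")
	return s, nil
}

// Allowed applies the table's rules for one suite, one role and one set of toggles.
// A suite that has no row in the table is rejected.
func Allowed(s Suite, role Role, set SecuritySettings) bool {
	if s.KeyExchange == "ADH" { // listed only for EAP-FAST anonymous provisioning (server side)
		return role == ServerRole
	}
	if s.MAC == "SHA" && !set.AllowSHA1 { // "-SHA" with no digest length is HMAC-SHA-1
		return false
	}
	switch {
	case s.Cipher == "RC4": // weak RC4 rows: server only, behind "Allow weak ciphers"
		return role == ServerRole && set.AllowWeakRC4
	case s.Cipher == "DES-CBC3" || s.Auth == "DSS": // 3DES and DSS rows; DSS is client side only
		return set.Allow3DESDSS && !(role == ServerRole && s.Auth == "DSS")
	case !strings.HasPrefix(s.Cipher, "AES"): // every remaining row is an AES suite
		return false
	case s.KeyExchange == "DHE": // DHE-RSA rows: client side only
		return role == ClientRole
	case s.KeyExchange == "ECDHE" && s.Auth == "RSA":
		return set.AllowECDHERSA
	case s.KeyExchange == "ECDHE" && s.Auth == "ECDSA", s.KeyExchange == "RSA":
		return s.MAC != "MD5"
	}
	return false
}

// Filter returns the suites from names that the policy admits for role.
func Filter(names []string, role Role, set SecuritySettings) []string {
	var out []string
	for _, n := range names {
		if s, err := ParseSuite(n); err == nil && Allowed(s, role, set) {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed sample: suite names taken from the table, evaluated against a
	// hardened policy with every legacy toggle left off.
	names := []string{"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA256",
		"AES128-SHA256", "DES-CBC3-SHA", "RC4-MD5", "ADH-AES-128-SHA"}
	strict := SecuritySettings{}
	fmt.Println("EAP/DTLS server:", Filter(names, ServerRole, strict))
	fmt.Println("TLS clients    :", Filter(names, ClientRole, strict))
}
```

With all toggles off, the server column keeps only the SHA-2 ECDHE-ECDSA and RSA suites plus the anonymous EAP-FAST provisioning suite, and the client column additionally admits the DHE-RSA SHA-2 suites; anything carrying SHA-1, RC4, 3DES or DSS only appears once the corresponding toggle is enabled.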

Peer certificate restrictions

Validate KeyUsage

Client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384

Validate ExtendedKeyUsage

Client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:

  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • EDH-RSA-DES-CBC3-SHA
  • DES-CBC3-SHA
  • RC4-SHA
  • RC4-MD5

Server certificate should have ExtendedKeyUsage=Server Authentication

Requirements for CA to Interoperate with Cisco ISE

Client Certificate Requirements for Certificate-Based Authentication

While using a CA server with Cisco ISE, make sure that the following requirements are met:

  • Key size should be 1024, 2048, or higher. On the CA server, the key size is defined in the certificate template. On Cisco ISE, you define the key size in the supplicant profile.

  • The Key Usage extension should allow signing and encryption.

  • When GetCACapabilities is used through the SCEP protocol, the cryptographic algorithm and request hash must be supported. RSA and SHA1 are recommended.

  • Online Certificate Status Protocol (OCSP) is supported. OCSP is not used directly in the BYOD flow, but a CA that can act as an OCSP server can be used for certificate revocation checking.


    Note

    Enterprise Java Beans Certificate Authority (EJBCA) is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication methods such as PEAP and EAP-TLS.


  • If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure key usage in the SCEP template and enable the Key Encipherment option.

    If you use a Microsoft CA, edit the Key Usage extension in the certificate template. In the Encryption area, click the Allow Key Exchange only with Key Encryption (Key encipherment) radio button and check the Allow Encryption of User Data check box.

  • Cisco ISE supports the RSASSA-PSS algorithm for trusted certificates and endpoint certificates in EAP-TLS authentication. When you view such a certificate, the signature algorithm is listed by its OID, 1.2.840.113549.1.1.10, instead of by name.


Note

If you use the Cisco ISE internal CA for the BYOD flow, the Admin certificate should not be signed using the RSASSA-PSS algorithm (by an external CA). The Cisco ISE internal CA cannot verify an Admin certificate that is signed using this algorithm and the request would fail.


For certificate-based authentication with Cisco ISE, the client certificate should meet the following requirements:

Supported Cryptographic Algorithms:

  • RSA

  • ECC

Table 18. Client-Certificate Requirements for RSA and ECC

| Algorithm | Supported key sizes or curve types | Supported Secure Hash Algorithms (SHA) |
|---|---|---|
| RSA | 1024, 2048, and 4096 bits | SHA-1 and SHA-2 (includes SHA-256) |
| ECC [43] [44] | P-192, P-256, P-384, and P-521 | SHA-256 |

Client machine operating systems and supported ECC curve types:

| Operating system | Version | Supported curve types |
|---|---|---|
| Windows | 8 and later | P-256, P-384, and P-521 |
| Android | 4.4 and later | All curve types (except Android 6.0, which does not support the P-192 curve type) |

Note

Android 6.0 requires the May 2016 patch to support ECC certificates.

[43] Windows 7 and Apple iOS do not natively support ECC for EAP-TLS authentication.
[44] This release of Cisco ISE does not support the use of ECC certificates on Mac OS X devices.
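The peer certificate restrictions above (Key Agreement for the ECDHE-ECDSA suites, Key Encipherment for the RSA-keyed suites, Client Authentication and Server Authentication extended key usages) and the key size, curve and hash requirements of Table 18 can all be checked before a certificate is enrolled or trusted. The following Go program is an added example, not Cisco ISE or CA code: it parses certificates with the standard library and reports every documented rule a certificate breaks. The self-signed test certificates it mints, the NeedsKeyAgreement/NeedsKeyEncipherment constants and the function names are this example's own constructions; Go's standard library has no P-192 curve, so that curve is accepted by name only.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyUsage bit that the negotiated cipher suite requires of the client key
// (names are this example's own; the rule is the page's peer certificate restriction).
const (
	NeedsKeyAgreement    = x509.KeyUsageKeyAgreement    // ECDHE-ECDSA-* rows
	NeedsKeyEncipherment = x509.KeyUsageKeyEncipherment // RSA, DHE-RSA, ECDHE-RSA, 3DES and RC4 rows
)

var kuName = map[x509.KeyUsage]string{NeedsKeyAgreement: "Key Agreement", NeedsKeyEncipherment: "Key Encipherment"}

// Curve names accepted by Table 18; Go's standard library has no P-192, so it is matched by name only.
var eccCurves = map[string]bool{"P-192": true, "P-256": true, "P-384": true, "P-521": true}

func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// CheckClientCert returns one finding per documented rule the client certificate breaks.
func CheckClientCert(cert *x509.Certificate, need x509.KeyUsage) []string {
	var f []string
	if cert.KeyUsage&need == 0 {
		f = append(f, "KeyUsage lacks "+kuName[need])
	}
	if !hasEKU(cert, x509.ExtKeyUsageClientAuth) {
		f = append(f, "ExtendedKeyUsage lacks Client Authentication")
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey: // Table 18: 1024, 2048 or 4096 bits (SHA-1 and SHA-2 signatures both accepted)
		if bits := pub.N.BitLen(); bits != 1024 && bits != 2048 && bits != 4096 {
			f = append(f, fmt.Sprintf("RSA key size %d is not 1024, 2048 or 4096", bits))
		}
	case *ecdsa.PublicKey: // Table 18: P-192/P-256/P-384/P-521 keys with SHA-256 signatures
		if name := pub.Curve.Params().Name; !eccCurves[name] {
			f = append(f, "ECC curve "+name+" is not P-192, P-256, P-384 or P-521")
		}
		if cert.SignatureAlgorithm != x509.ECDSAWithSHA256 {
			f = append(f, "ECC signature hash is not SHA-256: "+cert.SignatureAlgorithm.String())
		}
	default:
		f = append(f, "public key is neither RSA nor ECC")
	}
	return f
}

// CheckServerCert applies the single server-side restriction in the text.
func CheckServerCert(cert *x509.Certificate) []string {
	if !hasEKU(cert, x509.ExtKeyUsageServerAuth) {
		return []string{"ExtendedKeyUsage lacks Server Authentication"}
	}
	return nil
}

// SelfSigned mints a self-signed certificate: constructed test data standing in for a CA-issued one.
func SelfSigned(cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage, key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku, ExtKeyUsage: eku}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo checks a compliant P-256 client certificate and an RSA certificate that omits
// Key Encipherment, returning the findings for each in the client and the server role.
func Demo() (ecClient, rsaClient, ecServer, rsaServer []string, err error) {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the OS RNG does
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecCert, err := SelfSigned("byod-user (constructed)", x509.KeyUsageDigitalSignature|x509.KeyUsageKeyAgreement,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ecKey)
	if err != nil {
		return
	}
	rsaCert, err := SelfSigned("psn (constructed)", x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, rsaKey)
	if err != nil {
		return
	}
	return CheckClientCert(ecCert, NeedsKeyAgreement), CheckClientCert(rsaCert, NeedsKeyEncipherment),
		CheckServerCert(ecCert), CheckServerCert(rsaCert), nil
}

func main() {
	ecClient, rsaClient, ecServer, rsaServer, err := Demo()
	fmt.Println(ecClient, rsaClient, ecServer, rsaServer, err)
}
```

The P-256 certificate passes every client-side rule, the RSA certificate is flagged only for the missing Key Encipherment bit, and only the RSA certificate qualifies as a server certificate. Because Go signs P-384 and P-521 keys with SHA-384 and SHA-512 by default, a certificate minted this way on those curves would be flagged by the SHA-256 rule, which is exactly the Table 18 constraint a CA template for ISE has to respect.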