
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, Cisco Wireless Controllers, Virtual Private Network (VPN) gateways, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on Secure Network Server appliances with different performance characterizations, and also as software that can be run on a virtual machine (VM). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For more information about the features that are supported in this Cisco ISE release, see the Cisco Identity Services Engine Administrator Guide.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation in this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE, Release 2.4, requires the following platforms.

Table 1. Supported Hardware Platforms and Personas

Hardware Platform

  • Cisco SNS-3515-K9 (small)

  • Cisco SNS-3595-K9 (large)

  • Cisco SNS-3615-K9 (small)

  • Cisco SNS-3655-K9 (medium)

  • Cisco SNS-3695-K9 (large)

  • Cisco ISE-VM-K9 (VMware, Linux KVM, Microsoft Hyper-V)

For the appliance hardware specifications, see the "Cisco SNS-3500 Series Appliances" chapter in the Cisco Identity Services Engine Hardware Installation Guide 2.4.

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-). Cisco ISE 2.4 Patch 9 or later must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installations.

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, and pxGrid on the platforms that are listed in the above table.


  • Cisco Secured Network Server (SNS) 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, you will be required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

  • Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.

Federal Information Processing Standard Mode Support

Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.0 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on RHEL 7.0, and 7.3


    If you are installing or upgrading Cisco ISE on an ESXi 5.x server to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later.

Supported Browsers

The supported browsers for the Admin portal include:

  • Mozilla Firefox 69 and earlier versions

  • Mozilla Firefox ESR 60.9 and earlier versions

  • Google Chrome 77 and earlier versions

  • Microsoft Internet Explorer 10.x and 11.x

  • Microsoft Edge beta 77 and earlier versions


  • If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).

  • If you use Chrome 65.0.3325.189, you may be unable to view guest account details in the print preview section.

  • When self-signed certificates are used, Cisco ISE portal may fail to launch in Microsoft Edge beta 77 browser even if URL redirection is successful. To resolve this issue:

    1. Add both DNS name and IP address in the Subject Alternative Name (SAN) field.

    2. After the ISE services are restarted, redirect the portal in a different browser.

    3. Choose View Certificate > Details and copy the certificate by selecting the base-64 encoded option.

    4. Install the certificate in Trusted path and relaunch the browser.

  • You might see a warning message while downloading an executable (EXE) file in Google Chrome 76 or later. To resolve this issue:

    1. In your browser, click the Settings menu at the top-right corner.

    2. At the bottom of the Settings window, click Advanced.

    3. Under Downloads, check the Ask Where to Save Each File before Downloading check box.

Support for Microsoft Active Directory

Cisco ISE works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, and 2016 at all functional levels.


  • It is recommended that you upgrade Windows Server to a supported version, as Microsoft no longer supports Windows Server 2003 and 2003 R2.

  • Microsoft Active Directory Version 2000 or its functional level is not supported by Cisco ISE.

Cisco ISE supports multidomain forest integration with Active Directory infrastructure to support authentication and attribute collection across large enterprise networks. Cisco ISE supports up to 50 domain join points.

Improved User Identification

Cisco ISE can identify Active Directory users when a username is not unique. Duplicate usernames are common when using short usernames in a multidomain Active Directory environment. You can identify users by Software Asset Management (SAM), Customer Name (CN), or both. Cisco ISE uses the attributes that you provide to uniquely identify a user.

Update the value of the following:

  • SAM: Update this value to use only the SAM in the query (the default).

  • CN: Update this value to use only CN in the query.

  • CNSAM: Update this value to use CN and SAM in the query.

To configure the attributes mentioned above for identifying Active Directory users, update the IdentityLookupField parameter in the registry on the server that is running Active Directory:


What is New in Cisco ISE, Release 2.4

Support for Cisco Secure Network Server 3600 Series Appliance

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-). Cisco ISE 2.4 Patch 9 or later must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installations.

Business Outcome

Improved performance, scalability, and platform manageability over SNS 35xx series appliances.

The Default TLS Version when initiating External Connections through Proxy is TLS 1.2

When Cisco ISE acts as a client, the default protocol used for connections initiated from it to external entities is TLS 1.2. In this case, TLS 1.2 is the only supported protocol. If you want to support lower versions as well (which might be insecure), these versions must be explicitly enabled in Cisco ISE at Administration > System > Settings > Security Settings.

Business Outcome

Improved security in SSL connections.

Cisco ISE Can Pull IoT Device Context and Session Data from Cisco IND

Cisco ISE can profile and display the status of devices attached to a Cisco Industrial Network Director (IND). Cisco Platform Exchange Grid (pxGrid) is used to communicate the endpoint (Internet of Things [IoT]) data between Cisco ISE and Cisco IND. pxGrid is used to receive the context from Cisco IND and query Cisco IND to update endpoint type.

Business Outcome

Automates classification of IoT devices on your network.

Control Permissions for pxGrid Clients

You can create pxGrid authorization rules to control the permissions of the pxGrid clients (under Administration > pxGrid Services > Permissions).

These rules control which services, and which operations on those services, are available to the pxGrid clients. Cisco ISE applies the rules to groups, not to individual clients. You can manage groups by clicking the Manage Groups heading in the Permissions window. The Permissions window displays predefined authorization rules that use predefined groups (such as EPS and ANC). You can only update the Groups field in the predefined rules.

Business Outcome

Better pxGrid backward compatibility:

  • Ability to control authorizations for different pxGrid services.

  • Easier to group pxGrid clients with similar permissions.

Customizable SSH Ciphers and Encryption Algorithms

You can use the service sshd encryption-algorithm and service sshd encryption-mode global configuration commands in Cisco ISE 2.4 to harden the ISE SSH server and specify the cipher suite to be used. You can use AES-CTR and/or AES-CBC ciphers.

Cisco ISE 2.3 and earlier releases allowed only AES-CBC ciphers (due to Common Criteria Protection Profiles for Access Control Devices and Systems). Cisco ISE 2.4 allows you to use both AES-CTR and AES-CBC ciphers.

Business Outcome

  • Improved security for SSH access.

  • Allows you to choose the encryption algorithms.

  • Allows you to choose the ciphers to be used to harden secure access.

Endpoint API Enhancements for MDM Attributes

Mobile Device Management (MDM) attributes are made available through the endpoints API to enable additional synchronization capability between Cisco ISE and a third-party MDM server.

Business Outcome

Helps customers better integrate third-party systems with ISE and provides a better user experience for end users with mobile devices that are managed by an MDM server.

IPv6 Support for RADIUS

IPv6 addresses are now supported for RADIUS configurations. The IP Address field in the Administration > Network Resources > Network Devices page and the Host IP field in the Administration > Network Resources > External RADIUS Server page now support both IPv4 and IPv6 addresses for RADIUS configurations.

Business Outcome

Additional support for IPv6 addressing:

  • Allows you to migrate your network to IPv6-based networks. You can migrate to IPv6 addressing if you have fragmented networks or have exhausted IPv4 addresses.

  • Facilitates more efficient routing, packet processing, security, and simplified network configuration.

Large Virtual Machine for Monitoring Persona

Cisco ISE introduces a large VM for Monitoring nodes.

This form factor is available only as a VM in Release 2.4 and above, and requires a large VM license.

Business Outcome

Deploying Monitoring persona on a large VM offers the following advantages:

  • Up to three times the volume of data previously supported.

  • Improved performance in terms of faster response to live log queries and report completion.

Posture Enhancements

  • Grace Period for Noncompliant Devices—Cisco ISE provides an option to configure grace time for devices that become noncompliant. Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace time for the device, during which the device is granted access to the network. You can configure the grace time period in minutes, hours, or days (up to a maximum of 30 days). The Posture Assessment by Endpoint report is updated and displays a Grace Compliant status for an endpoint that is currently not compliant, but is under the grace period.

  • Posture Rescan—AnyConnect users can now manually restart posture at any time.

  • AnyConnect Stealth Mode Notifications—Several new failure notifications are added for AnyConnect stealth mode deployment to help users identify issues with their VPN connection.

  • Disabling UAC Prompt on Windows—You can choose to disable the User Access Control (UAC) prompts on Windows endpoints from the AnyConnect posture profile.


    By default, this value is set to No while configuring the AnyConnect Profile. When you change it to Yes, the UAC prompts are disabled and the Windows users no longer receive these prompts. If you want to enable the UAC prompt again, you should change this setting to No in the AnyConnect Profile. This setting takes effect only when the Windows endpoint is restarted.

  • New URL for Downloading Client Provisioning and Posture Updates—The client provisioning and posture feed URL has changed. The new URL for Posture Updates is and for Client Provisioning is

  • File Condition Enhancements—A new operator, within, is introduced under File Condition to check for the changes in a file within a certain period of time.

  • Certificate Attributes in Client Provisioning and Posture Policies—Certificate attributes are now available in the client provisioning and posture policy pages.

  • The following option has been newly added under the Location field in the Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition window:

    • All Internal Drives—To check the internal drives. Includes all hard disks that are mounted and encrypted, and all internal partitions. Excludes read only drives, system recovery disk/partition, boot partition, network partitions, and the different physical disk drives that are external to the endpoint (including but not limited to disk drives connected via USB and Thunderbolt). Encryption software products that are validated include:

      • Bit-locker-6.x/10.x

      • Checkpoint 80.x on Windows 7


    "All Internal Drives" option is supported from AnyConnect Version 4.6.01098 onwards.

Business Outcome

Improved security alerts and enforcement:

  • Provides admin users with more flexible options for educating end users about posture condition failures including grace-period-specific messaging scenarios.

  • Helps effective management of some posture checks and remediations that require additional privileges and prompts the user for such privileges.

Profiler Enhancements

  • Added 190 new profile policies from vendors, including AudioCode, BlackBerry, Brother, Hewlett Packard, Lexmark, NetApp, Samsung, and Xerox.

  • Added additional conditions to 185 profile policies to support additional probes. For example, DHCP conditions are added to Xerox devices such that customers who do not want to profile Xerox devices based on SNMP, can profile Xerox devices using DHCP.

  • Reorganized profiles into families for better identification of new devices. For example, HP-LaserJet-4350 was previously profiled directly under HP-Device. It is now profiled under HP-LaserJet, which in turn is profiled under HP-Device. When Hewlett Packard introduces a new Hewlett Packard LaserJet printer model, Cisco ISE will classify the new model as HP-LaserJet, and not as HP-Device until a new profile policy for that exact LaserJet printer model is added.

Business Outcome

Effective classification of devices:

  • Helps you gain visibility of previously unknown devices, such as Xerox printers or Vista link printers with improved profiler efficacy.

Support for Sending Separate SNMP CoA Packets

You can check the Send SNMP COA Separate Request check box in the Administration > Network Resources > Network Device Profiles > Change of Authorization (CoA) window to send the SNMP CoA packets to the NAD as two packets.

Business Outcome

Increased compatibility with devices:

  • Provides support for older Cisco and third-party NADs that mandate the sending of SNMP CoA packets as two packets (for the shutdown and no shutdown interface configuration commands).

Support for Two Shared Secrets Per IP for RADIUS NAD Clients

You can specify two shared secrets (keys) to be used by the network device and Cisco ISE. You can configure the shared secrets in the RADIUS authentication settings section for a NAD in the Administration > Network Resources > Network Devices page in Cisco ISE.
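As an added illustration (not Cisco's code), the following Python shows the mechanism that makes a two-secret rotation window work on the server side: the Message-Authenticator attribute of an Access-Request is validated against each configured shared secret in turn, so a NAD is accepted whether it still uses the old secret or already uses the new one. The packet, secrets and NAD address are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1), Length(1), Value."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14).

    The HMAC-MD5 is computed over the whole packet with the
    Message-Authenticator value set to 16 zero bytes.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = _encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The zeroed placeholder is the last attribute, so it occupies the final 16 bytes.
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Return True if the packet's Message-Authenticator validates under `secret`."""
    if len(packet) < HEADER_LEN:
        return False
    declared_len = struct.unpack("!H", packet[2:4])[0]
    if declared_len != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator present: reject


def match_shared_secret(packet, secrets):
    """Try each configured secret in order; return the index that validates, or None.

    Keeping both the old and the new secret in `secrets` lets the server
    accept the NAD before and after the secret is changed on the device.
    """
    for index, secret in enumerate(secrets):
        if verify_message_authenticator(packet, secret):
            return index
    return None


if __name__ == "__main__":
    # Constructed sample: a NAD still using the old secret while the server already knows the new one.
    req_auth = bytes(range(16))  # fixed value for the demo; real NADs use random bytes
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    packet = build_access_request(7, req_auth, attrs, b"old-secret")
    print(match_shared_secret(packet, [b"new-secret", b"old-secret"]))  # 1
```

Once every NAD has been updated, the old secret should be dropped from the list so that a request validating only under it is rejected again.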

Business Outcome

Replace Shared Secrets on network devices:

  • Enables you to replace shared secrets on network devices independently, and allows ISE to accept both the old and the new shared secret until the secret is replaced on the network device. Changing a RADIUS secret is now simpler: you can enter a new shared secret even before updating the network device.

TrustSec Enhancements

You can select the ISE node from which the configuration changes must be sent to the network device while adding the network device (under Advanced TrustSec Settings section). You can select the PAN or PSN node. If the PSN node that you selected is down, the configuration changes are sent to this device using the PAN.

While deploying the IP SGT static mappings, you can select the devices or the device groups to which the selected mappings must be deployed. You can select all the devices if necessary. You can use the filter option to search for the devices that you want. If you do not select any device, the selected mappings are deployed on all TrustSec devices.

You can use the Check Status option to check whether different SGTs are assigned to the same IP address for a specific device. This option lists the devices that have conflicting mappings, the IP addresses that are mapped to multiple SGTs, and the SGTs that are assigned to the same IP address. It can be used even if device groups, FQDNs, hostnames, or IPv6 addresses are used in the deployment. You must remove the conflicting mappings or modify the scope of deployment before deploying these mappings.

Verify TrustSec Deployment option on the General TrustSec Settings page helps you to verify whether the latest TrustSec policies are deployed on all the network devices. Alarms are displayed in the Alarms dashlet (under Work Centers > TrustSec > Dashboard), if there are any discrepancies between the policies that are configured on Cisco ISE and the network device. The following alarms are displayed in the TrustSec dashboard:

  • An alarm with an Info icon is displayed whenever the verification process is started or completed.

  • An alarm with an Info icon is displayed if the verification process is cancelled due to a new deployment request.

  • If the verification process resulted in an error (for instance, failed to open SSH connection with the network device, or the network device is unavailable), or if there is any discrepancy between the policies that are configured on Cisco ISE and the network device, an alarm with a Warning icon is displayed for each of these network devices.

The Verify Deployment option is also available on the following pages:

  • Work Centers > TrustSec > Components > Security Groups

  • Work Centers > TrustSec > Components > Security Group ACLs

  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix

  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree

  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree

Check the Automatic Verification After Every Deploy check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process is started after the time that you specify in the Time after Deploy Process field. The current verification process is cancelled if a new deployment request is received during the waiting period or when the verification is in progress. Click Verify Now to start the verification process immediately.

IPv6 addresses can be used in IP SGT static mappings. These mappings can be propagated using SSH or SXP to specific network devices or network device groups.

If FQDN and hostnames are used, Cisco ISE looks for the corresponding IP addresses in the PAN and PSN nodes while deploying the mappings and checking the deployment status. You can select one of the following options (under IP SGT Static Mapping of Hostnames) in the General TrustSec Settings window to specify the number of mappings created for the IP addresses returned by the DNS query:

  • Create mappings for all IP addresses returned by DNS query

  • Create mappings only for the first IPv4 address and the first IPv6 address that is returned by a DNS query
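To make the Check Status conflict detection and the two hostname-mapping options above concrete, here is an added Python example (not ISE code). It expands static mappings using constructed DNS answers (no network lookups), under either "all addresses" or "first IPv4 and first IPv6" behaviour, and then reports every IP address that ends up bound to more than one SGT on the same device; the hostnames, addresses, SGT names and device names are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed DNS answers standing in for the lookups ISE performs on the PAN/PSN.
DNS_ANSWERS = {
    "app1.example.com": ["10.1.1.10", "10.1.1.11", "2001:db8::10", "2001:db8::11"],
    "printer1.example.com": ["10.1.2.50"],
}

# Constructed static mappings: (target, SGT, devices to deploy to).
# A target is either a literal IP address or a hostname/FQDN.
STATIC_MAPPINGS = [
    ("app1.example.com", "Servers", ["sw1", "sw2"]),
    ("10.1.1.10", "Quarantine", ["sw1"]),  # same address as app1's first A record
    ("printer1.example.com", "Printers", ["sw1"]),
    ("2001:db8::20", "Printers", ["sw2"]),
]


def expand_hostname(host, answers, first_only):
    """Resolve a hostname to the addresses that receive a mapping.

    first_only=False: map every address the DNS query returns.
    first_only=True:  map only the first IPv4 and the first IPv6 address.
    """
    addrs = [ip_address(a) for a in answers.get(host, [])]
    if not first_only:
        return addrs
    chosen, seen_versions = [], set()
    for addr in addrs:
        if addr.version not in seen_versions:
            seen_versions.add(addr.version)
            chosen.append(addr)
    return chosen


def expand_mappings(mappings, answers, first_only):
    """Flatten static mappings into (device, ip, sgt) rows ready for deployment."""
    rows = []
    for target, sgt, devices in mappings:
        try:
            addrs = [ip_address(target)]
        except ValueError:  # not a literal address, so treat it as a hostname
            addrs = expand_hostname(target, answers, first_only)
        for addr in addrs:
            for device in devices:
                rows.append((device, addr, sgt))
    return rows


def find_conflicts(rows):
    """Return {(device, ip): [sgt, ...]} for each IP bound to more than one SGT
    on the same device. Such mappings must be fixed before deployment."""
    sgts_by_key = defaultdict(set)
    for device, addr, sgt in rows:
        sgts_by_key[(device, addr)].add(sgt)
    return {key: sorted(sgts) for key, sgts in sgts_by_key.items() if len(sgts) > 1}


def check_status(mappings=STATIC_MAPPINGS, answers=DNS_ANSWERS, first_only=True):
    """Emulate the pre-deployment check: expand, then report conflicting bindings."""
    return find_conflicts(expand_mappings(mappings, answers, first_only))


if __name__ == "__main__":
    for (device, addr), sgts in check_status().items():
        print(f"{device}: {addr} is mapped to multiple SGTs: {', '.join(sgts)}")
```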

Business Outcome

  • Verifies TrustSec policy on Network Devices.
  • Enhanced IP-SGT mapping workflow:

    • Improves network device misconfiguration error handling and operational efficiency through Check Status option.

    • Selectively deploy the IP SGT static mappings.

    • Create IP static mappings with IPv6 addresses.

    • Create mappings for first or all known IP addresses which are based on DNS FQDN query.

Decommissioned Dashlets

Some Dashlets Removed to Resolve Performance Issues

The following dashlets have been decommissioned to prevent performance issues when displaying large data sets:

  • Context Visibility > Endpoint > Compliance: Status Trend

  • Home > Endpoints > Endpoint Capacity

A large number of endpoints caused performance problems with some dashlets.

Kerberos Authentication for the Sponsor Portal

You can configure ISE to use Kerberos to authenticate a sponsor user who is logged onto Windows for access to the sponsor portal. This process uses the Active Directory credentials of the logged in sponsor user in the Kerberos ticket. Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.

Additional security for Sponsor authentication.

NFS Repository Credentials

When you add a repository and select NFS as the protocol, you can no longer enter credentials to connect to the repository.

Business Outcome

Using credentials to connect to an NFS repository caused problems.

Known Limitations and Workarounds

IP-SGT Bindings Are Not Propagated Under Certain Conditions

Under the following conditions, IP-SGT mappings are not propagated to ACI.

On the ISE administrators console, navigate to Work Centers > TrustSec > Components:

  1. Create a security group, but don't check Propagate to ACI.

  2. Create an IP-SGT binding with previously created Security Group. It may be a static, session or SXP binding.

  3. On the Security Group, click Propagate to ACI .

  4. Click Save.

  5. The Security Group synchs to ACI, but not IP-SGT that is mapped to the Security Group.

Workaround:

  1. Restart the ACI propagation in ISE and recreate the IP-SGT mappings.

    1. Choose Work Centers > TrustSec > Settings > ACI Settings, uncheck TrustSec-ACI Policy Element Exchange, and save.

    2. Check TrustSec-ACI Policy Element Exchange, and save.

    3. The connection between Cisco ISE and ACI is reestablished.

  2. Delete the old IP-SGT bindings, and recreate them while Propagate to ACI is checked.


The connection between ACI and ISE reauthenticates every 24 hours, which also fixes this problem.

SXP Protocol Security Standards

Limitation: Security Group Exchange Protocol (SXP) transfers unencrypted data and uses weak Hash Algorithm for message integrity checking per draft-smith-kandula-sxp-06.
Workaround: There is no workaround.

For more information, see

Patch Build Download Using Chrome Browser

Limitation: Integrity checksum issues occur when you use the Google Chrome browser to download the patch build.
Condition: The Message Digest 5 (MD5) sum values do not match.
Workaround: Download the patch build using the Firefox browser. Verify that the downloaded patch bundle has the correct MD5 checksum.

Radius Logs for Authentication

Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.

Profiler RADIUS Probe

Limitation: Endpoints are not profiled; they are only authenticated and added to the database.
Condition: The RADIUS probe is disabled.
Workaround: Disable the profiling services completely.

High Memory Utilization

Limitation: High memory utilization after installing or upgrading to Cisco ISE Version 1.3 or later.
Condition: Because of the way kernels manage cache memory, Cisco ISE might use more memory, which may trigger high memory usage (80 to 90%) and alarms.
Workaround: There is no workaround.

For more information, see CSCvn07836.

Diffie-Hellman Minimum Key Length

Limitation: Connection to LDAP server fails.
Condition: If the Diffie-Hellman minimum key length that is configured on the LDAP server is less than 1024, connection to the LDAP server fails.
Workaround: Change the Diffie-Hellman key size on the LDAP server.

For more information, see CSCvi76985.

ECDSA Certificates

Limitation: Cisco ISE supports Elliptic Curve Digital Signature Algorithm (ECDSA) certificates with key lengths of 256 and 384 only.
Condition: ECDSA certificates that are used for EAP authentication are supported only for endpoints with Android Version 6.x and later.


Apple iOS is not supported if you use ECDSA as a system certificate. ECDSA certificates are supported only for Android 6.x and Android 7.x.

Workaround: You can select the key length in the Administration > System > Certificates > Certificate Management > System Certificates window.

Cisco Temporal Agent

We recommend that you run the Cisco Temporal Agent within two minutes of downloading the agent from the Client Provisioning Portal. Otherwise, the Posture Failed Due to Server Issues error message is displayed.

Mobile Service Engine (MSE) Devices

When adding an MSE device to Cisco ISE, you must copy the certificates from the MSE device over to ISE to facilitate authorization. ISE does not receive these certificates directly from the MSE device.

Re-create Supplicant Provisioning Wizard References

Limitation: BYOD certificate provisioning flow is broken with both Internal and External Certificates.
Condition: When you upgrade to a new release, or apply a patch, the Supplicant Provisioning Wizard (SPW) is updated.
Workaround: Create new native supplicant profiles and new client-provisioning policies that reference the new SPWs.

Upgrade Information


If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.

Applying Patches to Release 2.4

To obtain the patch file for Cisco ISE, Release 2.4, log in to the Cisco Download Software site at (you might be required to provide your login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

For instructions on how to apply the patch to your system, see the "Installing a Software Patch" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

For instructions to install a patch using CLI, see the "Install Patch" section in the Cisco Identity Services Engine CLI Reference Guide, Release 2.4.


When installing 2.4 Patch 4 and later, CLI services will be temporarily unavailable during the kernel upgrade. If the CLI is accessed during this time, it shows the following error: "Stub Library could not be opened". Once patch installation is complete, CLI services will be available again.

Patches are cumulative such that any patch version also includes all fixes delivered in the preceding patch versions. Cisco ISE version was the initial version of the Cisco ISE 2.4 release. After installation of the patch, you can see the version information from Settings > About Identity Services Engine page in the Cisco ISE GUI and from the CLI in the following format “ patch N”; where N is the patch number.


Within the bug database, issues resolved in a patch have a version number with different nomenclature in the format, “2.4(0.9NN)” where NN is also the patch number, displayed as two digits. For example, version “ patch 1" corresponds to the following version in the bug database “2.4(0.901)”.


We recommend that you clear your browser cache after you install a patch on Cisco ISE, Release 2.4.

Upgrading to Release 2.4

You can directly upgrade to Release 2.4 from the following Cisco ISE releases:

  • 2.0
  • 2.0.1
  • 2.1
  • 2.2
  • 2.3

Information about the upgrade packages and the platforms they support is available at Cisco ISE Software Download.

If you are on a version earlier than Cisco ISE, Release 2.0, you must first upgrade to one of the releases listed above and then upgrade to Release 2.4.


It is recommended to upgrade to the latest patch in the existing version before upgrading to the next version of Cisco ISE.

You can upgrade to Release 2.4 from the GUI or the CLI. See the Cisco Identity Services Engine Upgrade Guide, Release 2.4.

Verify Operating System of Virtual Machines

ISE Release 2.4 runs on Red Hat Enterprise Linux (RHEL) 7.0. If you are upgrading Cisco ISE nodes on a VMware VM, after you upgrade, ensure that you change the guest operating system to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the guest operating system to RHEL 7, and power on the VM after the change.

External RADIUS Token Server Timeout

The maximum External RADIUS Token Server Timeout has changed from 120 seconds to 60 seconds. Upgrading to this release changes the existing setting if it is greater than 60 seconds.

License Changes

Device Administration Licenses

There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.

The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.

Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0, and are enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are completely enforced on a per-node basis.

Cluster licenses have been discontinued, and now only node licenses are available for sale.

However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.

The evaluation license allows device administration on one policy service node.

Licenses for Virtual Machine nodes

Cisco ISE is also sold as a virtual machine (VM). For this Release, we recommend that you install appropriate VM licenses for the VM nodes in your deployment. Install the VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, you will receive warnings and notifications to procure and install the VM license keys. However, the installation process will not be interrupted. From Cisco ISE, Release 2.4, you can manage your VM licenses from the GUI.

VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with eight cores and 64-GB RAM, you might need a Medium category VM license if you want to replicate the same capabilities on the VM. You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.

VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features that are enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.

After installing or upgrading, if there is a mismatch between the number of deployed VM nodes and installed VM licenses, alarms are displayed in the Alarms dashlet every 14 days. Alarms are also displayed if there are any changes in a VM node's resources, or whenever a VM node is registered or deregistered.

VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification pop-up window.

If you have not purchased an ISE VM license earlier, see the Cisco Identity Services Engine Ordering Guide to choose the appropriate VM license to be purchased.


If you have purchased ISE VM licenses without a PAK, you can request VM PAKs by emailing Include the Sales Order numbers that reflect the ISE VM purchase, and your Cisco ID in your email. You will be provided a medium VM license key for each ISE VM purchase you have made.

For details about VM compatibility with your Cisco ISE version, see the "Hardware and Virtual Appliance Requirements" chapter in the Cisco Identity Services Engine Installation Guide for the applicable release.

For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before an ISE software upgrade in order to check if the configured data can be upgraded to the required ISE version. Most upgrade failures occur because of data upgrade issues; the URT is designed to validate the data before the actual upgrade and reports and tries to fix the issues, wherever possible. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.


After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. We use the collected data to provide better services and more features in forthcoming releases. By default, telemetry is enabled. To disable it or modify the account information, choose Administration > Settings > Smart Call Home. The account is unique to each deployment; each admin user need not provide it separately.

Cisco ISE Live Update Portals

Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from to the corresponding device using Cisco ISE.

If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings by choosing Administration > System > Settings > Proxy before you access the Live Update portals. Note that if the proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked, because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

Client Provisioning and Posture Live Update Portals

You can download Client Provisioning resources from:

Work Centers > Posture > Settings > Software Updates > Client Provisioning.

The following software elements are available at this URL:

  • Supplicant Provisioning wizards for Windows and Mac OS X native supplicants

  • Windows versions of the latest Cisco ISE persistent and temporal agents

  • Mac OS X versions of the latest Cisco ISE persistent agents

  • ActiveX and Java Applet installer helpers

  • AV/AS compliance module files

For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

You can download Posture updates from:

Work Centers > Posture > Settings > Software Updates > Posture Updates

The following software elements are available at this URL:

  • Cisco-predefined checks and rules

  • Windows and Mac OS X AV/AS support charts

  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

If you do not want to enable the automatic download capabilities, you can choose to download updates offline.

Cisco ISE Offline Updates

This offline update option allows you to download client provisioning and posture updates, when direct internet access to from a device using Cisco ISE is not available or is not permitted by a security policy.

Offline updates are also available for Profiler Feed Service. For more information, see the .

To download offline client provisioning resources:


Step 1
Step 2

Provide your login credentials.

Step 3

Navigate to the Cisco Identity Services Engine download window, and select the release.

The following Offline Installation Packages are available for download:

  • win_spw-<version>—Offline SPW Installation Package for Windows

  • mac-spw-<version>.zip—Offline SPW Installation Package for Mac OS X

  • compliancemodule-<version>—Offline Compliance Module Installation Package

  • macagent-<version>—Offline Mac Agent Installation Package

  • webagent-<version>—Offline Web Agent Installation Package

Step 4

Click either Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.

For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.

To download offline posture updates:


Step 1

Go to

Step 2

Save the file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.

Step 3

Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 4

Click the arrow to view the settings for posture.

Step 5

Click Updates.

The Posture Updates window is displayed.

Step 6

Click the Offline option.

Step 7

Click Browse to locate the archive file ( from the local folder in your system.

The File to Update field is a mandatory field. You can select only one archive file (.zip) containing the appropriate files. Archive files other than .zip, such as .tar and .gz, are not supported.

Step 8

Click Update Now.

Configuration Prerequisites

  • The relevant Cisco ISE license fees should be provided.

  • The latest patches should be installed.

  • Cisco ISE software capabilities should be active.

  • Read the Release Notes document for the corresponding release of Cisco Identity Services Engine.

Cisco ISE Integration with Cisco Digital Network Architecture Center


This section describes open severity 1 and 2 caveats and select severity 3 caveats. The “Open Caveats” sections list open caveats that apply to the current release and may apply to previous releases. A caveat that is open for a prior release and is still unresolved applies to all future releases until it is resolved. The bug IDs are sorted alphanumerically. The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, you must use the Bug Search Tool.

Cisco Bug Search Tool (BST), the online successor to Bug Toolkit, is designed to improve effectiveness in network risk management and device troubleshooting. You can search for bugs based on product, release, and keyword. For more details on the tool, see the help page located at

Resolved Caveats in Cisco ISE Release Cumulative Patch 11

The following table lists the resolved caveats in Release 2.4 cumulative patch 11.

Patch 11 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number

  • Carlsbad Dashboard allows special characters: <>?"'

  • Custom filters not working for Session status column in Live Sessions

  • CoA REST API is not working for ASA VPN Sessions

  • SXP Devices page - can't show all the name after 14 chars

  • Live sessions show incorrect Authorization profile and Authorization Policy for VPN+Posture scenario

  • Patch installation might generate alarm Application patch installation failed

  • ISE 2.3 no patches, unable to login to sponsor portal with internal user

  • ISE sends CoA after receiving a RADIUS Accounting-STOP

  • ISE Network conditions with device,port being skipped during authz

  • Self-signed account creation error: "An attempt to text your account information to you has failed"

  • Change Audit config is not showed for the users when edit and change the status

  • ISE Cannot Schedule a report the same day

  • Not able to delete certificate after hostname change

  • Message Class for EAP-TLS messages from System-Management to EAP

  • Windows 7 device is profiled wrongly post Posture flow, due to anyconnect sending wrong useragent

  • Config restore is struck in the UI forever, while restoring backup taken on the same node

  • Alarm TrustSec SSH connection failed needs to be provide more details on NAD

  • change password for few of the internal users not working after upgrade to 2.6

  • To enable CLI clock timezone command

  • 'MAR cache distribution is not enabled' even when it has been enabled.

  • Memory leak on ISE node with the openldap rpm running version 2.4.44

  • Patchupload files >1 G don't get deleted when upgrading if upload through WebGUI interrupted

  • ISE 2.2 Sign On Button grey out with Guest portal second factor Radius Token server authentication

  • ISE 2.4 Live Sessions Cannot Filter on Policy

  • Secure Syslog Audit for CLI Authentication Failure Suspend/Lock Account

  • Generate a singlecertificate(with CSR) option in pxgridserivces with PKCS8format throws error.

  • In Deployment, when external CA signs any system certificate allows to delete CA from trusted page.

  • Unable to disable MDM server if configured server is not reachable

  • Expired guest accounts purge is stuck after daylight time change

  • ISE ERS Create via the API does not use the specified ID

  • Network device Import to ISE when having IPV6 address, takes too long to import the devices

  • Wrong password being notified after password reset (Only on SMS)

  • MnT Purge with option to export repository not working

  • Vulnerability Evaluation for ISE

  • when binding external ca sign cert in intermediate CA CSR,certificate chain has broken under CA page

  • ISE TACACS Authentication and accounting reports older than 30 days missing

  • ISE does not show logging when CTS pac is expired

  • Move to Mapping Group drop down menu limits SGT Mapping groups to 25

  • PassiveID Agent: No Syslog message is sent to MnT when the agent monitoring DC goes down

  • pxGrid controller contacting

  • ISE 2.4p9 Grace period is not working with PRA with VPN usecase

  • ISE sponsor portal - sorting by creation date doesnt work

  • Network devices added via restful API fails authentication with a 'Network Device not located' error

  • IPv6 RADIUS attributes cannot be mapped to any External attribute

  • Trashing IP SGT Static mappings across pages never completes

  • IP SGT static mapping export fails for entries with no mapping data

  • Internal user using token password will be disabled due to password expired

  • Maximum thread value limit is too low and triggers 'Admin thread pool reached threshold value' alarm

  • Remove Unnecessary JQUERY-UI Files from ISE

  • Login page AUP as link does not work with iOS CNA browser

  • Move devices to another group botton should be disabled when access has been restricted to NDG

  • SNMP traps on access switch connected to APs causes incorrect profiling.

  • All SNMP packets are logged to /var/log/messages file

  • ISE 2.4 localhost-<date>.log files growing upto and more than 8 Gb in size

  • ISE 2.6 Patch 2: EAP-TLS auth not matching endpoint groups

  • No password audit will be generated after user change ISE internal user enable password via ASA CLI

  • App Server crash observed while being passiveid dashboard for some time with > 200K activesessions

  • Posture assessment by condition report is showing empty records.

  • DCS Probe data notification missing endpoint attributes in the message

  • ISE Posture Agent Profile does not allow blank remediation timer

  • when creating Purging Rule ,Radius directory will hang if there is no plus license

  • Radius Authentication and Radius Account Report performance is slow

  • in ex-Radius scenario ,ISE should replace state attribute before forwarding access challenge to NAD

  • Certificate is not loading from Oracle to NSSDB properly

  • ISE 2.4: Advanced Custom Filter option and export of reports not working as Expected

  • ISE : "MDM: Failed to connect to MDM server" log entry needs to have endpoint information

  • Framed-Interface-Id RADIUS attribute not sent in access-accept if IPV6 address is in ::xx format

  • REST API: Create Network Device with special character ("\") in password field is interpreted as utf

  • ISE ERS SDK NetworkDeviceGroup PUT does not show ID placement in the API call

  • pxGrid XMPP GCL Reconnect failure

  • Network Device POST API allows for characters and spaces in Model name of device, GUI does not

  • After changing password via UCP, "User change password audit" report doesn't have "Identity"

  • Validation needed RADIUS Cisco DNA Center-ISE REST call sp. char (&) and (\) in shared secret fails

  • Legacy | ISE fails to load N/w devices page while filtering on IP/Mask

  • ISE: Read-only admin users are able to view TrustSec device configuration credentials

  • Unable to get all tenable adapter repositories

  • Radius Authentication report missing log, if custom Filter Used

  • ISE not using the device-public-mac attribute in endpoint database

  • Export failed in ISE gui in case of private key encryption failed no ERROR msg in ISE GUI

  • ISE 3695 appliance is having issue with Oracle parameters configured for super MNT

  • Day0: iPad OS 13.1 BYOD flow got failed

  • Password lifetime expiration reminder appears for Internal Users with external passwords

  • Multi Shared Secret Field is being populated for exported TACACS devices

  • Unexpected COAs may be observed with SCCM MDM

  • Unable to access My Devices portal

  • GUI login with AD user failing when similar internal user is disabled

  • ISE 2.4 Not entire fqdn is matched, but fragment of characters

  • ISE services are not coming up after installing patch 2.3 p7

  • DHCP messages are marking endpoints active increasing the active endpoint count

  • ISE 2.4 p9 Session directory write failed : String index out of range: -1

  • ISE sponsor's e-mail gets CC'd even when view/print guests' passwords is disabled

  • Called-Station-ID missing in RADIUS Authentication detail report

  • SCCMException in SCCM flow,ISE updating the MDMServerReachable value as false in the MDMServersCache

  • WSA receives SIDs instead of AD groups from ISE

  • Definition date for few AM product like mcafee and symantec is listed false

  • Replication alarm when trustsec matrix CSV imported with EMPTY SGACL that is already EMPTY in GUI

  • No profiling CoA for ip based profile policy

  • Missing the following properties in for <sns3615> ,<sns3655> <sns3695>

  • SYSAUX tablespace is getting filled up with AWR and OPSSTAT data.

New Features in Cisco ISE Release Cumulative Patch 10

Enable Probe Data Publisher

This option is newly added in the Profiler Settings window (Work Centers > Profiler > Settings). It is disabled by default. Enable this option if you want Cisco ISE to publish endpoint probe data to pxGrid subscribers that need this data to classify endpoints onboarding on ISE. A pxGrid subscriber can pull the endpoint records from Cisco ISE using bulk download during the initial deployment phase. Cisco ISE then sends endpoint records to the pxGrid subscriber whenever they are updated on the PAN.


When you enable this option, ensure that the pxGrid persona is enabled in your deployment.

Resolved Caveats in Cisco ISE Release Cumulative Patch 10

Patch 10 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

The following table lists the resolved caveats in Release 2.4 cumulative patch 10.

Caveat ID Number

  • The software shouldn't allow to delete the pxGrid certificate on a ISE node

  • posture update not working when there's a proxy with credentials in ISE

  • Pseudo double Auth request on AD

  • ISE T+ and Policy : Allowed protocols for RADIUS uncheck if changes are made via TACACS PE section

  • ISE 2.3+ does not have authentication condition Network Access:AuthenticationMethod

  • Parsing NMAP smb-os-discovery data should remove &#xa; or \x00

  • ERS Guest User operations fail with 401 Unauthorized if Sponsor_Portal_Sequence missing

  • ISE 2.x: Mobile/Desktop previews don't display self-registration form fields correctly

  • ISE 2.3 p2 is sending redundant CoA message during VPN Posture Flow

  • ISE2.3 portals not displaying Spanish Accents

  • Endpoint Oracle Persist Received value wrongly counted in ISE Counters report

  • ISE : Accounting updates tolerance for suppression needs to be more efficient.

  • Is ISE affected by Spring Framework CVE-2018-1270

  • ad_agent.log flooded with entries from non-whitelisted domains

  • ISE RBAC unable to modify nested permissions after migration from ACS

  • REST API GET DACL page filter does not show correct information

  • ISE HTTP error 401 unauthorized on External CA UI

  • Remote-Access VPN Posture Sessions showing Base license consumed but no Apex

  • Making name changes to the "All_User_ID_Stores" Identity Source Sequence will break new policy sets.

  • Different FQDN in SAN can cause CV issue

  • ISE ENH : Allow RADIUS Dictionary VSA "Vendor Attribute Size Field Length" of 2 bytes

  • Cannot edit Guest group if accesing through Manage accounts

  • Cisco Identity Services Engine Cross Site Scripting Vulnerability

  • Triggered SNMP query not working properly for HP OUI

  • ISE: Exception thrown while adding email address in NTP Service Failure alarm

  • ISE custom attributes not being applied to endpoint when pushed from cloudpost IND

  • EAP-TLS authentications with Endpoint profile set to not unknown fails in second authorization.

  • Multiple Vulnerabilities in jackson-databind

  • The caluclation of required space for MNT backup need to be revalidated.

  • Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler

  • Sponsor guest portal rate limit time not honored

  • pxGrid startup order causing profiler code to fail init

  • ProfilerCoA:- Exception in getting Policy details Exception : in Infinite Loop in Profiler.log

  • Sponsored Guest account start date not adjusting when account extend

  • ISE 2.4 P5 : Profiling : Netflow probe not working on ISE Bonded Interface

  • ISE Profiler SNMP Request Failure Alarms should show the reason of failure

  • No serialization or batching when large scale(>300) NADs are moved between MatrixA to MatrixB

  • ISE: SMTP server sending Email notification gets Exhausted

  • ERS API that requires CSRF token always failing on PUT/POST/DELETE

  • ISE dropping requests due to descriptor allocation exhaustion under external server latency scenario

  • Internal User not found in prrt-server intermittently even though PrRTCpmBridge returns user found

  • Posture redirect fails with error 'unable to determine peer' in AnyConnect_ISEPosture.txt

  • ISE 2.4 With CTA threat, threat endpoints are not detecting

  • AD Diagnostic tool shows low level API query failed w/ Response contains no answer. Check DNS config

  • ISE 2.4 p6 400 error on sponsor portal after timeout.

  • SQLite FTS3 Query Processing Integer Overflow Vulnerability

  • Authorization profile fails to import with no warnings or errors to user

  • AUP guest portal error 400 when retrun from contact support link (iphone captive portal)

  • Email not received to guest if view/print guest password disabled

  • Authentications start failing once AD throws KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

  • Unable to remove an endpoint from the endpoint database due to permission error

  • 2.4 P8/P9 Certificate chain does not get imported to Patch 8 and Patch 9

  • ISE customer endpoint attribute type string doesn't allow certain numbers

  • ISE trustsec custom view doesn't sort properly with manual order

  • License usage for Plus either shows 0 or incorrect value

  • Export from Context Visibility-Endpoints does not contain Custom Attr for most of Endpoints

  • [ 400 ] Bad Request error when refreshing the Mydevice portal

  • ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions

  • Can't use endpoint group description during runtime for authz profile

  • Wrongly job (HOURLY_STATS_JOB) running

  • Cisco Identity Services Engine Cross-Site Scripting Vulnerability

  • ISE 2.4 fails to match authorization rules after deleting authorization condition

  • ISE 2.6 patch 1 - AD User Test is returning 0 groups

  • Renewed self-signed certificate doesn't get updated in trusted store

  • Cannot Update Internal User with External Password ID Store via ERS--ISE

  • ISE fails to save configuration changes for large policy-sets

  • Create Failing with ORA-02291 on CEPM.REF_ROLE_MASTER if groupId w/ prepending/trailing spaces

  • Core files on PSN servers causing High Disk Utilization alarms

  • ISE shows "Oops. Something went wrong" if session ID contains "-"

  • Incorrect audit report while updating Counter Time Limit in Max Sesssions page

  • ISE PAN failover inactive days = elapsed days causing incorrect purging of EP's.

  • ISE doesn't store self-registered EndPoints in configured custom group

  • ISE 2.6 ACI integration Trustesec ACI report doesn't have sent ip-sgt mappings to ACI

  • Export function in Network device groups fails when using RBAC

  • Network Conditions do not work with shorten IPv6

  • 'Deleting All' Network Access Users doesn't appear on audit report

  • Using ECDSA signed certificates with the admin or pxgrid usage breaks pxgrid

  • ISE user import does not fail when username contains invalid characters

  • Static group information is lost from EP in some scenarios

  • PSN generates scheduled reports if no connectivity to MNT

  • Static group assignment losing from guest flow

  • "Cache not properly initialized" message in every Profiler Policy and cannot update Profiler Feed

  • When updating password for administrative user it is possible to bypass entering current password

  • Under heavy load, ISE live logs either unavailable or delayed

  • ISE 2.4 Possible XSS input in Certificate Attributes message when "/" sign is in the name

  • Qualys show connected state once disable/enable tc-nac if added before applying patch.

  • Certificate trust chain is incomplete for pxGrid on pxGrid alone persona

  • Allowing Different FQDN in SAN DNS field for EAP Certificate.

  • System Test: Temporial agent instalation is failing with internal system error.

  • Rename the label from "ResetAll Hitcounts" to "Reset Policyset Hitcounts" under policy sets

  • Cisco Identity Services Engine Policy Set Name Cross Site Scripting Vulnerability

  • pxGrid WebSocket multiple connections issue

  • ISE subscribes to IND topic /topic/ 3 times

  • pxGrid service lookup still returns old hostname after hostname change

  • Not able to change the language in guest portal with option "Always use"

  • VM Licenses are not consuming based on M5 Profiles

  • Env data is missing when TrustSec-ACI integration is enabled.

  • unable to create ATZ policy using supported special character

  • SXP Mappings bulk download is slow over pxgrid

  • Change logging level of 90140 INFO PassiveID: Message parsed syslog to DEBUG

  • ISE: "Posture failed due to server issues" error during System scan on MAC OSX

Known Issues in Cisco ISE Release Cumulative Patch 10

CA Service Disabled after Upgrade to Cisco ISE 2.4 Patch 10

After upgrading to Cisco ISE 2.4 Patch 10, Certificate Authority (CA) service might be disabled on the nodes on which Policy Service persona is not enabled. To enable the CA service, choose Administration > System > Certificates > Certificate Authority > Internal CA Settings.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 9

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise- Cisco ISE 2.4 Patch 9 or later must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installations.

The following table lists the resolved caveats in Cisco ISE 2.4 Patch 9.

Patch 9 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.


After the patch is successfully installed, sometimes you may see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm. You can ignore this alarm.

Caveat ID Number

  • Location filter for ERS Network Device get-all API fails

  • Normalized Radius:SSID not matched after CoA in the same session-ID

  • ISE 2.1+ RBAC: not able to manage endpoints and assign static identity groups

  • Some information is missing when session details are sent from ISE to FMC via pxGrid

  • Endpoints keeps profiling even though profiling is disabled

  • Blank pop-up in Sponsor Portal if customField contains "null" value

  • SCCM MDM attribute LastPolicyRequest is not converted correctly in ISE

  • Import two CA certs with same subject name

  • ISE Secure Access Wizard Easy Wireless null AD groups for BYOD, Secure Access, Sponsored guest flow

  • ISE does not provide the expected values in the context of EAP chaining

  • ISE-PIC self signed certificate delete operation fails due to Secure Syslog Server reference error

  • CA Service still running on command line after disabling internal certificate authority in Web UI

  • ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes"

  • Sponsor portal doesn't refresh the accounts after deleting users and requires a manual refresh

  • Removing SCEP RA Profile causes the associated CA chain to be removed from Trusted Store

  • ISE downloads unnecessary RA certificate for BYOD

  • Json SearchResult gives the href value as NULL

  • ISE DACL syntax checking validation failing on wildcard notation

  • pxGrid node name limit too short for FMC

  • ISE 2.4 Patch 6 installation breaks FQDN of Sponsor and MyDevices Portal

  • Memory usage discrepancy in GUI and show tech

  • COA failure in Radius+PassiveID flow

  • While saving IP SGT static mappings changes, "Discard changes you have made" message is displayed

  • After Importing ISE PB to ISE, Login page are not loaded

  • Provisioned Certificates are not deleted after revocation

  • Adding DEFCON matrix pop-up title needs to be changed

  • Active Directory Machine authentication fails with error "22040 Wrong password or invalid shared secret"

  • ISE 2.4 Patch 6 reload breaks backups

  • Cross-Site Request Forgery (CSRF) [OWASP_CSRFTOKEN bypass]

  • PassiveID flow should send User's SamAccountName and ExplicitUPN

  • ADNormalizedUserName field missing in some of the sessions

  • Plus Licenses consumed without Plus features

  • RSA or RADIUS Token user with Valid account and credentials gets a blank page when trying to login to ISE Admin portal if the account doesn't exists under Access > Administrators

  • AD User information not shown in Context Visibility page

  • Policy sets order mismatch when exporting as XML

  • ISE TLS 1.0 and 1.1 security settings are not applied for PxGrid, causing WSA to fail integration

  • ISE 2.4p3 Radius livelogs not displayed due to invalid NAD ip address

  • Cisco Identity Services Engine Blind SQL Injection Vulnerability

  • Modifying Radius attributes to send in the request to External RADIUS Server is not working on ISE

  • Enable Pxgrid Profiling Probe setting is not working properly

  • ISE fails to match authorization policy with endpoint ID group "unknown"

  • ISE deletes all endpoints if MAC address is deleted twice at the same time

  • Custom Attribute (advanced filter in CV) not able to filter on risk score (integer value)

  • Application server crash is observed when an AD Join operation is attempted via GUI under Administration > Identity Management > External Identity Sources > Active Directory

  • TACACS/AAA live log report not showing configuration change made from ACI

  • ISE 2.3/2.4 upgrade to the latest patch may break dynamic redirection for third party NADs

  • Cannot configure scheduled config and operational backup with start date same as current day

  • Unable to add AD group if it contains "/." or "/.." in the AD group name

  • ise-elasticsearch.log files not purged in ISE 2.4 and 2.6

  • Changing max user global settings is not logged in change configuration audit

  • GUI Context Visibility report export slowness

  • Replication: Cluster information table has old FQDN

  • BYOD flow is broken in IOS 12.2

  • BYOD provisioned profile doesn't automatically configure EAP TLS in IOS 12.2

  • Import of network device template throws error "Failed illegal value for Encryption key"

  • Multiple Vulnerabilities in struts2-core

  • Upgraded ISE Node shows LDAP Identity Store password in plain text

  • Enforce NMAP skip host discovery and NMAP scan timeout

  • ISE 2.4 P8 posture scan running when an endpoint switches to a wired network not configured with dot1x

  • "Cisco Modified" Profiles are overwritten by the Profiler Feed Service

  • Log Collection Error - Session directory write failed when AD Probe Session is inserted

  • Deploy button is missing in the Matrix page when Multiple Matrices workflow is enabled

  • ISE LogicalProfile appears under Custom attributes in Context Visibility page when custom attributes are configured

  • Unable to add network device with combination of any digit followed by () in Software Version field

  • Enhancement to publish the following attributes via pxGrid: ADUserSamAccountName, ADUserQualifiedName, ADHostSamAccountName, and ADHostQualifiedName

  • Restore failing for scheduled backup

Resolved Caveats in Cisco ISE Release Cumulative Patch 8

The following table lists the resolved caveats in Release 2.4 cumulative patch 8.

Patch 8 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.


After the patch is successfully installed, sometimes you may see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm. You can ignore this alarm.

Caveat ID Number


CSCvh54905 Identity Admin cannot see users under Identities tab


Include hostname in posture assessment reports


Posture remediation files are limited to 50MB


ISE 2.3 : Posture report for endpoint by condition not working as expected


Network access user with external password cannot be used as ISE admin


User name from WMI information is deleted on receiving a DHCP custom syslog for same endpoint


ISE 2.3 after applying patch 5 creation of EOB Guest user does not work


ISE 2.4 slow database response with 500 authorization policies


Emails are not sent for alarm specific email configuration


Smart Licensing agent thread lock causes GUI login delay in ISE 2.2


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


ISE not able to assign guest account to the same guest type used for previous user


ISE 2.4 Unable to modify proxy settings when proxy bypass list contains carriage return symbol


Cannot filter Context Visibility by 'NAD Port ID' when using "/" character


ISE includes only one prrt-server file in support bundle


MDMServerReachable does not work for SCCM MDM again


ISE expired license can't be deleted if number of Base and Wired Licenses are not matching


Nodes have high IO spikes frequently in VM performance reports


ISE TrustSec policy difference alarm description is not accessible


Authentications are displayed incorrectly in "Top N Authentication by Failure Reason" report


ISE 2.4 - IP-SGT bindings disappear from SXP for user session


ISE 2.4 Live Logs Not Filtering


ISE : Custom user attribute change does not reflect changes in configuration change audit report


App status for ISE is in initialisation state


ISE 2.4 : InactiveDays attribute update with disabled profiling


IPV6 based client provisioning portal is not working on default port 8443


ISE: admin users unable to delete or modify groups if a tacacs user is saved without any group


Removal of unused logical profile may cause a wrong authorization result


Non-existent DACL is not verified by ISE


[ISE 2.4] Unable to use created profiling policy in authorization condition


Backups from SFTP repository may show incorrect year in Modified time


ISE does not allow adding an SGT


ISE : Improve Posture Assessment by Condition Report export rate for higher records (millions)


ISE 2.4 - CLI password will not accept 3 $


ISE: failed to skip duplicate framed-pool attribute during migration


ISE endpoint purge ACTIVEDIRECTORY dictionary is not loading


TACACS+ Admin Group access denied when navigating to Work Center > Device Admin > Identities


ISE Custom Endpoint Attributes - Will not save or delete


ISE 2.3 - Location info and IPSEC info are reversed in order in Network Device Groups for some NADs


Guest portal client provisioning customization text doesn't save


ISE2.4 doesn't reset failedLoginAttempts after successful login of internal users to network device


Device Sensor not able to correctly parse DHCP attributes via RADIUS probe


Admin group cannot get access to "Users" at "Device Administration" tab after install patch 5


Default python change password script returns CRUD operation exception


Internal Administrator Summary report not allowing to select specific columns


ISE: WMI-passed values may compromise the security of ISE. Please remove malicious scripting terms


CSV file of RADIUS authentications report may have duplicate records


ISE Adds an additional character at the end of OperatingSystemVersion


ISE 2.2 Sponsor: Single click approval displays wrong message after clicking on approval link twice


Device Administration Current Active Sessions report not available from 2.4 P6


System Scan throws internal error for MAC built-in FW remediation


ISE dmp files are not deleted from /opt/oracle/base/admin/cpm10/dpdump for failed backup attempts


ISE 2.x : Guest account activation time discrepancy for imported accounts


Sponsor Portal Page takes more than 10 seconds to load


ISE 2.2 has too many journal files.


Samsung S7 and S8 profile


ISE CoA doesn't work 2 days after initial auth


Surplus of License Files can Cause Excessive Login Delay--ISE


ERS API that requires CSRF token returns HTTP 404 instead of 403


ISE SNMPv3 user is still displayed in "show snmp user" after "no snmp-server user"


ODBC attribute retrieval not working properly with EAP chaining


Device network conditions missing


URT Fails at Import Due to ORA-31684


Multi-NIC Windows/macOS: ISE Posture Module Maps VPN IP to MAC Address of a Disconnected Interface


Master Guest report takes 30+ minutes to display


ISE 2.2 : Network devices page is not loading


Domain Admins are not able to edit Sponsor accounts properly


ISE not showing filtered NADs


High CPU and High Auth Latency and OOM condition on PSN nodes


NAD CSV imports should allow all supported characters


TACACS/RADIUS shared secret key disappears after highlight and then command/control + C


Cisco Identity Services Engine Password Recovery Vulnerability


ISE 2.x : Remote forest Active Directory controller failover prolonged time


Unable to integrate Tenable adapter with ISE 2.2, 2.3, 2.4, and 2.5


"No Data Available" when attempting to add endpoints to Identity Group with RBAC User


Failed to upload AC packages of file size > 50MB on ISE->Agent Resources


ISE: Rebooting associated site-specific GC does not result in failover to other GC


log4j.appender.ACS-FILE.MaxBackupIndex is not working in ISE


SL Server is getting overloaded with ISE auth renewals


Parser error seen with Threat Centric NAC CTA Configuration irrespective of ise version


Certain characters are not being parsed properly


Network Device Filtering Returns Only First IP Range When Multiple Ranges Are Configured


Limited access user getting "failed to fetch network device group" when accessing NAD


Posture policy with Tunnel Group Name in condition is not hitting


TACACS authentication details displays blank page


Pullout reports from Authentication Summary report is showing empty report.


Guest creation fails ISE 2.3 after patch 5


Live sessions record is not getting updated with new username (and/or) new IP address.


ISE deleting the newly created IP-SGT mapping


Able to delete ACI IEPG in ISE.


Pagination is not working in "All SXP mappings" page in ISE.


APIC logs not seen in sxp.log when SXP logging is set to 'DEBUG'.


Delay in clearing of SXP mappings in ISE.


ISE truncates the SGT name after a "-" character and assigning a version id


ISE 2.3 P5: ISE does not allow deleting an SGT from the GUI although it is not referenced


Adding config to support PrA in PSN failover case


Cisco Identity Services Engine (ISE) Arbitrary Client Certificate Creation Vulnerability

Resolved Caveats in Cisco ISE Release - Cumulative Patch 7

The following table lists the caveats that are resolved in Release 2.4 cumulative patch 7. Patch 7 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



This is an enhancement to implement master node APIs for multi-DNAC support in Cisco ISE.

Resolved Caveats in Cisco ISE Release Cumulative Patch 6

The following table lists the resolved caveats in Release 2.4 cumulative patch 6.

Patch 6 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Guest remember-me breaks ISE Guest Activity Logging


ISE 2.x Unable to delete endpoint from endpoint group


Unable to add duplicated mappings to multiple SXP VPNs


ISE fails to read response from MDM with special characters


Collection Filters configured with User name is not working for TACACS Author/Acct


[ISE] SMS notifications in non-English containing <BR> HTML tag


EasyConnect CoA not sent after session merge in distributed deployment


ISE email notifications to guests sends twice email for approval and guest user


ISE 2.2 no patch, SXP process fails when trying to create network subnet static mapping


ISE 2.2: Disabled password Lifetime, however getting reminder for account expiration.


ISE 2.1-P3 || high CPU seen in PAN due to 100K limit in redis


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


ISE 2.x TACACS log extremely slow


Cisco Identity Services Engine Logs Cross-Site Scripting Vulnerability


ISE fails to re-establish TCP syslog connection after break in connectivity


ISE: Need a report/dashboard for total unique endpoints


Flexibility needed to choose the time intervals in disclosing the user name for failed auth


Short CPU spikes can be observed when the client didn't respond and ISE is used as RADIUS proxy


Library conditions referred to in policies are getting deleted; evaluation gives deny access


Bulk guest import does not work when logged into the sponsor portal using a SAML provider


SNMPv3 COA failures on ISE using HP switches


Endpoint Attributes not updated in context visibility


validDays does not match span of fromDate to toDate for ERS created guests


ISE 2.2 Endpoint export may contain duplicate entries


Policy Hit count value gets nullified while click on REFRESH button.


EST Service not running when ISE iseca folder is missing


ISE 2.1 Endpoint Purge policy is matched but job halts during execution.


ISE Internal CA : SAN ext validation fails if it isn't the first entry in RequestedExtensions in CSR


ERS API get all endpoints not returning description field as stated in documentation


Unsupported character Backslash has to be added to the UI error message while creation of admin user


AC 4.6 Application enforcement is not working for Torrent


Password length is limited to 32 characters when adding DCs in the PassiveID section.


Cannot delete security groups having virtual network mapping


Unknown Radius Flow is set to RadiusFlowType when updating ExternalIdStoreDictionary


User custom attributes order doesn't change after drag-and-drop and save.


ISE 2.3 AD Group SID Update fails for Groups referenced in the policies


Active endpoints are mismatched from expected value


SNMP CoA is not sending correct SNMP traps


Cisco Identity Services Engine (ISE) Java Deserialization Vulnerability


Cisco Identity Service Engine (ISE) unsafe deserialization in Adobe Action Message Format (AMF)


Cisco Identity Services Engine (ISE) File Upload Code Execution Vulnerability


ISE 2.2 VPN MDM- Compliance not updated from MDM Compliance Checker for active session


DNAC-ISE:Pxgrid failover fails with 2.4 patch1 with DNAC - ISE Integration


ISE 2.4 Backup Input Validation does not occur on backup name characters


ISE HSTS Max-Age parameter is too aggressive; no includedDomains flag


ISE stops publishing SXP mapping


Enable VLAN DHCP release breaks guest flow for ISE 2.4


pxgrid: XMPP Cleartext Authentication


ISE : Incomplete error message while importing an icon under Network Device Profiles


Enable pxGrid in FIPS mode


Guest password is not reset if Sponsor does not have rights to view the Guest Password


ISE allows importing multiple instances of same language in portal setup


Changed name for My Reports against Policy Set match removes the delete option from My Reports


RBAC SuperAdmin Data Access over written by read-only data access for Network Device Groups


ISE stops responding to TACACS requests.


Remove GMT portion from $ui_start_date_time$ and $ui_end_date_time$ on Email Notifications


NMAP fails to execute when an EP matches a Admin Created profiling policy


ISE sponsor's e-mail should not be in CC when view/print guests' passwords is disabled


ISE 2.4 Sponsor-Group OWN_ACCOUNTS email association


ISE offline profiler feed service unavailable 17/07/18


Editing guest user throws pop up error when creating with java scripts in first and last name


Live sessions are not seen in ISE Live logs page in ISE 2.4


DST changes are not honored by the shift job which is causing the data movement issues on MNT nodes


ISE doesn't validate the data type date in the custom endpoint attribute


SAML authentication is showing wrong Identity store in Sponsor Login and Audit report


Admin warned of license non-compliance even after adding new licenses


SNMPv3 profiling works only with DES or AES128 privacy protocol


SecureSyslogCollectors should be disabled by default on remote log targets.


ISE ADE-OS - when trying to change the timezone, there should be a warning stating that it is not supported


ISE- Can login to GUI with disabled admin accounts.


Radius Token Identity Caching Timeout not Configurable


ISE sponsor email customization doesn't add image properly


PxGrid SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection - CVE-2009-3555


HTTP Request Header for ISE fails if it contains @ in email


ISE 2.4 | Unable to save multiple custom attributes at once


Customer sees no data available for this record for "Details" page in Live Logs


ISE 2.3 not hitting policy with Session BYOD-Apple-MiniBrowser-Flow condition


ISE 2.3 Context Visibility Authentication Policy column is blank.


ISE should not send alarm for 'ERS-Media-Type' not present in ERS header


Evaluation of positron for Struts remote code execution vulnerability August 2018


ISE 2.1+ : Identity Source Sequence info button information is wrong for Sponsor Portal


Cannot Disable Telnet Change Password


ISE 2.3 to 2.4 upgrade is failing with error "nodes are not on the same ISE patch version"


Oracle Security Alert Advisory - CVE-2018-3110


ISE 2.x || Cisco-Device profiler policy missing the tandberg OUI as a condition


ISE: After upgrading to ISE 2.4 schedule backup are not working.


AMQP Cleartext Authentication Vulnerability


Endpoints not re-profiled after config restore and import new profiles


PassiveID Probe hprof files in temp folder


ISE AD lookup broken due to non-whitelisted domain lookup failing


IE11 : Trash icon linked to MAC address search box in Context Visibility


Unable to delete Root Network Device Group


Rest API- Unable to retrieve Guest User Details using ToDate filters


AD groups with more than one space doesn't allow authZ policy to be saved


Difference between Oracle and ES in terms of description


Newly created Network Device Model Name and Software Version are not present in GUI


Maintain Connectivity During Reauthentication option not working


Live log detailed reports shows msec instead of seconds for session timeout


ISE 2.3 : Unable to access NFS repository and scheduled reports not working using NFS repository


'Error 400' after pressing Sign Out on the Manage Guest Accounts page.


OWASP ZAP reports Cross Site Scripting (DOM Based) on pxGrid Web application


pxGrid cert change causing onAuthzRequest DENIED


ISE 2.4 not sending "Framed-IP-Address" attribute in profile when using leading zero


30+ GB files left behind after successful ISE 2.4 upgrade


Changes made in allowed protocols is missing in change configuration audit reports


ISE secondary node doesn't send CoA when guest account gets suspended or deleted


Manual CoA fails from Context Visibility if user never accesses Live logs or Live Sessions prior


ISE PB portal files are not restored with a restore of an old backup


WasMachineAuthenticated EQUALS False No Longer Parsed in Runtime--ISE 2.4


BYOD TLS not working for IOS 12 FCS release


SXP debug logs are not dumped in sxp.log unless services are restarted


'EST-CSR-Request' dictionary condition does not work


Cisco Identity Services Engine Logging Cross-Site Scripting Vulnerability


ISE 2.4 Conditional CoA failure upon EndPoint Identity Group change


Guest AUP: AUP acceptance is triggering replication event


Accounting messages from ASR1K not saved and not shown in ISE Reports


Chrome:Cannot create new ByoD portal


"Max Sessions" value cannot be applied on GUI after applying 2.2p10 or 2.3p4


Cisco Identity Services Engine Reflected Cross-Site Scripting Vulnerability


Cisco ISE Path traversal issue


ISE 2.2 | Guest self registration portal doesn't sort timezone list correctly


AD Probe failing to find the computer object with FQDN


Alarms: Profiler Queue Size Limit Reached


Sponsor creating random accounts for time restricted guest types fails


ISE 2.4 - Guest users aren't getting emails automatically while importing from CSV


ISE: EAP-FAST prefers cached AD DN over new DN after changing the Account OU


MyDevices Portal: Can't change device status on a PSN running with secondary PAN.


ISE -"user's email is not valid" unable to create User for top level domains other than .com .in etc


SAML with ADFS is broken with 3rd party NAD


ISE 2.4 Replication failure causing nodes to go out of sync after LAN automation


ISE 2.2 TACACS doesn't apply the command sets after long REGEX argument


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


Cisco ISE Local Privilege Escalation Vulnerability


ISE 2.4 Scheduled backups not working. Can be seen in gui


endpointcert/certRequest API call causes Internal CA Service to Crash in ISE


Request to increase Radius Token Server password caching to 900 seconds or later


Inner Execution Context is not fully updated from API Execution context


ISE CAC or certificate login does not populate external groups under new admin group


Menu access duplicate is failing with plus sign


Account Disable Policy 'Disable accounts after days of inactivity' is incorrectly calculated


ISE 2.3 patch 5 : NAD / AAA server address is not specified.


Lost and Stolen buttons stay disabled on My Devices portal if Japanese GUI used


pxGrid debug "warn" level causing XCP to stop running


Cisco Identity Services Engine Password Recovery Vulnerability


ISE Kerberos Authentications are incrementing AD bad password count by 2


Authorization policy evaluation failing intermittently when using identity group as condition


Show members delays to retrieve the N/w devices in NDG page


SGACL Push in large scale NAD environment causes High CPU on PAN


Modify existing Network Device Profiles, grayed SAVE button


ISE 2.4: Details of 'error 500' missing in REST API query after patch 1 installation


PassiveID Management Logs Show Database ID instead of DC Name


Need to add Internal User Group in Certificate Authentication Profile


Under heavy load, ISE live logs stop working on ISE 2.3


ISE 2.4 :Unable to import network devices if shared secret contains "<"


ISE importing EMPTY cells in TrustSec matrix doesn't overwrite existing content of cells


Profiler definitions for OSX Mojave (10.14) are not available in ISE 2.4 latest patch.


ISE: logwatch process failed with ::1 fatal error


ISE 2.4 patch 4 reduces I/O read Speed


ISE: Import Network Device does not conform to admin access permissions


pxGrid not handling invalid xml characters for publish and download


VCS pages Auth/Endpoint tab shows blank pop up msg.


ISE does not follow the capabilities of the Listener.


ISE: TrustSec alarm doesn't have a SEVERITY level and it is greyed out.


400 Bad Request when logging out Sponsor Portal


RBAC permissions do not propagate for admin users who login ISE with AD


Report logs cannot be fully displayed with "last 30 days"


SXP connection between ISE and IOS Devices stuck in DeleteHoldDown state


Date in Unix Epoch format when Context Visibility is exported


ISE 2.x || ISE syslog message code (59200-59208) are not being used in ISE currently.


2.4 P5: In a 3-node deployment, PSN went down after rollback of P5


ISE 2.4p5 - ACI integration - Not all IP_EPG mappings on ACI are imported by ISE


ISE replaces "ip:" with its hostname in "ip:inacl" Cisco AV-Pair


Process failure using external radius token server authentication


Manage Accounts called an infinite number of times when sponsor user is configured with permissions ALL & GROUP sponsor groups


When individual policy set is reset, other policy set hit counters are reset to 0.


ISE 2.3 patch 5 issue when creating guest user on sponsor portal using special character


ISE DACL syntax checking is not properly catching errors


ISE should support internal users with the special character colon (:) for parity with ACS


TC-NAC configured with Qualys shows Not Reachable.


ISE stops responding to IPv6 hosts in its own subnet after adding IPv6 route.


ResetAll Hitcount Button not resetting hitcount value in Firefox browser


Cores being consistently generated on every node after upgrading from ISE 2.4 to 2.5


ISE 2.4 : Misconfigured supplicant query is one of the reasons for high CPU on both MNT nodes

New Features in Cisco ISE Release - Cumulative Patch 6

Identity Caching in RADIUS Token and RSA SecurID Server

Identity caching allows requests to be processed without authenticating against the external server each time. You can enable the identity caching option and set the aging time in minutes. The default value is 120 minutes. The valid range is from 1 to 1440 minutes. The results obtained from the last successful authentication are available in the cache for the specified time period.

This option is disabled by default.

Open Caveats in Cisco ISE Release - Cumulative Patch 6

Caveat ID Number



pxGrid node name limit is too short for Cisco Firepower Management Center (FMC)

Resolved Caveats in Cisco ISE Release Cumulative Patch 5

The following table lists the resolved caveats in Release 2.4 cumulative patch 5.

Patch 5 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



SFTP Connect Error


EAP-FAST doesn't support correct key generation in TLS 1.2


pxGrid : EndpointProfileMetaData not propagated with Pxgrid V2


AD authentications are failing after applying 2.2 P11/ 2.4 P4


TC-NAC configured with Qualys shows Not Reachable.


EPG mappings not created on ISE


ISE Apache Struts CVE-2016-1000031 Vulnerability

Resolved Caveats in Cisco ISE Release Cumulative Patch 4

The following table lists the resolved caveats in Release 2.4 cumulative patch 4.

Patch 4 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Diag Tool: For DNS A Record tests change status failed to warning


ISE21- Auth inactivity alarms every 15 mins


ISE doesn't convert guest username to lower case if credentials used in 802.1x, not on portal


Reset-config reverts the fixes of patches and causes issues.


ISE: Remove state attribute from access accept packets.


Evaluate ISE for Apache Tomcat February 2018 Vulnerabilities


ISE : URT fails due to upgrading the ACS to ISE migrated setup.


Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability


Message Catalog Displaying Only the Message Code 89006 but Not the Rest


Network devices page fails to paginate as shared secret is in plain text


ISE: While registering getting the error: Unable to register the node <fqdn> Version:


General Patch Management - Red Hat Linux(Critical/High)


Application check works in opposite logic


Failed to get sgt name from sgt tag: 5 or sgt is read only, or isPropgateToAPIC is false


Fix for CSCvf68738 does not allow legitimate CA certificate refresh


ISE 2.2: Hot Spot portal users asked to accept the AUP more than once


VM License Thresholds Mismatch Platform definitions


ISE 2.4 Trustsec Dashboard Query performance


Adding Node to deployment does not add the Profiling OUI data


ISE 2.4 Windows PC behind IP phone being profiled as Cisco-IP-Phone-8851


Regression: Windows 8/10 clients incorrectly profiled as windows7 due to feed policies


"ERROR_NO_SUCH_USER" due to ISE ADRT misidentifying a child domain name as root forest domain


ISE 2.4 no patches : unable to load network devices page


ISE 2.4 MnT session & Auth API response is not populating 'other_attributes' section


Not able to delete certificate from trusted page


Wrong number or types of arguments in call to 'COLLATIONDAILY_PURGE',HOURLY_STATS_JOB


ISE: "Manage accounts" gives 400 HTTP error if sponsor portal is configured for SAML authentication.


ISE 2.4 PxGrid queries against Secondary MNT resulting in collector crashing


ISE 2.4 2.3 2.2 2.1 2.0 : NFS repository credentials are not used


ISE 2.4 : Social Login e2e flow fails due to recent changes done on Facebook side


ISE 2.4 excessive profiler syslogs sent to MNT


ISE 2.4 Cisco Prime querying ISE session API could cause high CPU utilization on Monitoring Nodes


Certificate parameters not persistent after DNAC trust re-establishment


Authentication Summary Reports show "no data available" for Radius and TACACS


ISE 2.4 Core dump on primary node: SIGSERV in GenericConfigObject::getAsNested(unsigned int) const


CISCO Network Setup Assistant APP Not Available on GooglePlay


ISE cores on LDAP test server after DNAC establishment when same chain used


ISE CoA sends NULL value for NAS-Port-Id


ISE custom endpoint attribute type String doesn't allow numbers only


LiveSessions are not showing on GUI because user name having unicode characters


ISE context visibility endpoints import fails with custom endpoint attribute date


400 Error Seen In Guest and Sponsor Portal due to portal session deletion


Config Backups triggered from GUI hangs at 45% during ES backup

Open Caveats in Cisco ISE Release Cumulative Patch 4

Caveat ID Number


CSCvm93698 AD authentications fail after installing ISE 2.4 patch 4. The following error is seen in ad_agent.log: Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE


ISE 2.4: Possible kernel memory leak


ISE 2.4 patch 3: COA is not working for CTS role based policy


Unable to use SFTP server as a repository in ISE 2.4 patch 4

Resolved Caveats in Cisco ISE Release Cumulative Patch 3

The following table lists the resolved caveats in Release 2.4 cumulative patch 3.

Patch 3 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



CDP Attributes not added to EP via SNMP Query


Multiple Vulnerabilities in httpasyncclient


US27030 - Fix VPN Session to MAC Mapping


ISE 2.2 user may be redirected again after AUP acceptance on Hotspot portal


ISE: Failure to retrieve AD groups for Intel AMT supplicant username format


Matched AuthC and AuthZ rules in Monitor Only mode showing in GUID but not names


Purging doesn't work if Identity group name was changed/ change is not reflected to purge policy


Single click approval sponsor not seeing self-registered guest with implicit/explicit UPN

CSCvi23542 ISE doesn't fail-over to other available DCs when receiving STATUS_ACCESS_DENIED (0xc0000022) from DC on authentication attempts


ISE High Authentication Latency due to lookup in Internal Endpoints


Corefiles are being generated due to timesten crash in MNT node


Log Collection Error : null alarm


Customer sees blank "Details" page in RADIUS Live Logs


The content changes for imported guest notification template are not working.


Changing status of Network Access Users doesn't appear on audit report


User domain name may remain empty in session when ISE passive-id AD agent or MS WEF is used


Sponsor-created guest has a previous guest account's email CC'd


ISE 2.4 patch 2 install brings application services down due to integrity checksums failure

Resolved Caveats in Cisco ISE Release Cumulative Patch 2

The following table lists the resolved caveats in Release 2.4 cumulative patch 2.

Patch 2 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Jedis connections back to pool - broken connections (due to timeout)


ISE Posture PRA timer expires to non-compliant


ENH: ISE CLI support for MTU configuration on interfaces




PassiveID: WMI queries DC cause memory increased issues on DCs (Microsoft WMI memory leak)


Sponsor Groups are not merging results with AD Sponsor groups when Internal user uses AD password


ISE Telemetry Scheduler to be Configurable


No data available in context visibility if there is no plus/advanced license - Standalone node


Static Group Assignment dropping due to DHCP Probe


In case of no accounting activity, live session retains all session post 5 days period


Generate pxGrid Certificates page doesn't respect cert template RSA key size


NMAP scans for custom port 9100 but doesn't report it in nmap.log


ISE 2.4 EPSStatus is not updated in Context Visibility properly


ISE 2.4 - EST Service not running after upgrade from 2.3


SNMPv3 profiler breaks for NAD with security level of no auth after modifying the SNMP polling time


ISE "Failed Value for attribute Protocol is mandatory" when importing network device


Upgrade to 2.4 fails due to KEK change


ISE - API POST 401 Unauthorized 60-90 seconds after successful Guest Create POST


ISE2.4 is consuming extra plus license for default authorization policy


ISE 2.4 Input validation error for IPv6 subnets under TACACS Device Network Condition


ISE not using SSL for LDAP for "Retrieve Attributes" however connects to port 636


ENH: ISE: Store new m/c password on ISE side if new password is valid despite RPC error - 121


Secondary MNT: incorrect timesten permission issue for the folder Timesten_Data


Smart License enable is failing on ISE 2.4 release.


Deleting an SGT used in the TrustSec matrix should not be allowed


After upgrade UDI values of secondary node are missing from sec_hostconfig table


MnT persists frequent Accounting Interim-updates without any changes into Database


Core: SyslogSecureTCPConnection::updateConnectionData


Cisco Identity Services Engine Privilege Escalation Vulnerability

Resolved Caveats in Cisco ISE Release Cumulative Patch 1

Live sessions - NAS IP address Tooltip is duplicated for ipv6
Replication failure seen on SXP nodes during SXP connection down
Post upgrade - the GuestVLAN doesn't copy the key of omapi.key to DHCP
Machine change password interval should be configurable from advance tuning parameter (Kerberos SSO)
AUP Link in the Self-Registration form throws Bad Request in ISE 2.4
Dashboard > Search : Endpoint details screen doesn't work correctly in Internet Explorer
ISE : Wrong error message when deleting a certificate referenced by some resource
Wrong msg if trying to issue CoA and no MAC address is selected
2.4 P1: ISE Indexing server is not running on secondary PAN
ISE Delete All Endpoints in Context Visibility too risky
ISE Guest: Incorrect accounting in syslog causes issues
Anyconnect configuration - drop menu for compliance module is empty
Occasional application restart post Radius/DTLS authentication
"Application Configure ISE" left idle for long time causes SSHD to disable
ISE 2.4 keeps old DNAC client cert causing new DNAC pxGrid with ISE to fail
DNAC1.2: Network devices not getting added in ISE 2.4 after provision
Wrong data type for "Enable Multi Shared Secret:String(128)" in NAD CSV export
Guest Accounting report broken

Resolved Caveats in Cisco ISE Release


Cisco ISE 2.4 patch 0 has parity with Cisco ISE 2.0 Patch 6, 2.0.1 Patch 5, 2.1 Patch 6, 2.2 Patch 6, and 2.3 Patch 2.

The following table lists the resolved caveats in Release 2.4.

Table 2. Cisco ISE, Release 2.4, Resolved Caveats, Patch 0



CSCvf69805 Cisco Identity Services Engine cross-site request forgery vulnerability
CSCvf49844 Cisco Identity Services Engine local command injection vulnerability
CSCvf63414 Cisco Identity Services Engine authenticated CLI denial of service vulnerability
CSCvh51992 Cisco Identity Services Engine authenticated CLI denial of service vulnerability
CSCvf69753 Cisco Identity Services Engine authenticated privilege escalation vulnerability
CSCvf69963 Cisco Identity Services Engine cross-site scripting vulnerability
CSCvg95479 Cisco Identity Services Engine command injection to underlying OS vulnerability
CSCvd38467 BYOD does not work on Apple iOS 10.3.x.
CSCvf29467 Editing multiple client provisioning policies simultaneously hides the results column.
CSCvf33475 Simultaneous configuration and operational backup on same browser is very slow.
CSCvi45925 Newly created dashboard not visible in 2.4 342 build.
CSCvf28877 ISE 2.3 TACACS+ : Unable to add commands to Command Set while editing.
CSCvf32298 ISE 2.3 Sponsor Portal: There is a delay of one minute between the update of the username table and the counter.
CSCvf32394 ISE 2.3 Self-registered guest portal of SMS provider- Global default is always re-selected when other attributes are changed.
CSCvf34216 ISE 2.3: Unable to select Work Center Menu - Guest Access Identity Group upon opening detailed report.
CSCvh05703 'Remember Me' RADIUS live sessions view does not show usernames for guest devices

Open Caveats in Cisco ISE Release

The following table lists the open caveats in Release 2.4.

Caveat ID Number

ISE 2.2: Disabled password Lifetime, however getting reminder for account expiration.
Disk maintenance: need automatic and on-demand cleanup of ESR 5921 IOS crashinfo files
"application configure ise" command ungracefully terminates all CLI sessions
"Go to Update Report Page" giving "no data found."
Sponsor Portal Page takes more than 10 seconds to load
Unable to delete multiple sponsor accounts at once
Filter by No of Devices not working in NDG Flat table page
Get-All with filtertype=OR not working for some of the objects
User Visibility not working after VSW
Parsing NMAP smb-os-discovery data should remove &#xa; or \x00
Broken admin web UI access with PAT/NAT of HTTPS://<IP>:<port-non-443>
Creating Network Device Defaults Device Profile to AlcatelWired
AMP in ISE remains connected even after deregister from cloud
Policy Hit count value gets nullified while creating new policies in a specific case
Stop All Running Tests not functioning properly in Active Directory Diagnostic Tool
Anyconnect Profile for Vlan Refresh - notes is confusing
Message Catalog Displaying Only the Message Code 89006 but Not the Rest
SXP Device Connection page on ISE UI shows OFF on ISE even when peer is showing connection ON
ISE 2.3+ : Authc/Authz policies in a policy set cannot be configured if ext radius sequence is used
ISE 2.4 - Unable to acknowledge AD Diagnostic Failure Alarm
Endpoint OS is wrongly updated in External Mobile Device Management reports
ISE 2.4 GUI tcpdump is not having embedded -s 0 option
No warning/error on importing policy based on non-existing custom attributes
Enhancement Request: Import two CA certs with same subject name
After deleting the end-points from context visibility, homepage shows active end-points as 0
Active endpoints are mismatched from expected value
Alarm "Trustsec PAC validation failed" needs to be enhanced to point to the NAD hostname and IP address
Enable VLAN DHCP release breaks guest flow for ISE 2.4
CTS PAC refresh failed due to EAP-FAST communication failure between switch and ISE
cdpCachePlatform rules not matching for Cisco Wave 2 (aka COS) APs 1800/2800/3800
CWA using non-mgmt interface is not replacing secondary interface FQDN for guest flow
Remote-Access VPN Posture Sessions showing Base license consumed but no Apex
Link to next page is not present in REST response
ISE should return 400 HTTP error, not 500, if incorrect data provided for REST call
ISE 2.x onwards RFC 3164 is not being followed completely
Regression: Windows 8/10 clients incorrectly profiled as Windows 7 due to feed policies
Offline profiler feed update web page is missing the offline feed option
Profiler: Feed download - Unable to update FeedEndpointPolicy
Not able to delete certificate from trusted page
Live sessions are not seen in ISE Live logs page in ISE 2.4
ISE 2.4 losing static group mapping due to profiler AD Probe
ISE doesn't validate the data type date in the custom endpoint attribute
Admin warned of license non-compliance even after adding new licenses
Error while assigning a certificate to a certificate usage, Unable to access login Portal
ISE 2.4 : Social Login e2e flow fails due to recent changes done on Facebook side
ISE 2.x: REST API Get-All Internal Users' result has 'next-page' link missing in XML and JSON output
SNMPv3 profiling works only with DES or AES128 privacy protocol
Unable to configure opposite logic for Application condition
ISE does not send SNMP bulk request for CDP after it did once
Certificate parameters not persistent after DNAC trust re-establishment
ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes"
Kernel Side-Channel Attack using L1 Terminal Fault: CVE-2018-3620 and CVE-2018-3646 (Foreshadow-NG)
PxGrid SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection - CVE-2009-3555
ISE cores on LDAP test server after DNAC establishment when same chain used
NAD CSV imports should allow all supported characters
ISE: SNMPv3 not sending traps
Patch roll back from CLI is failing in case Patch install has issues after installing from GUI
ACS migration to ISE 2.4 breaks Identity Source Sequencing
HTTP Request Header for ISE fails if it contains @ in email
ISE 2.4 Unable to delete unused SGTs associated with Virtual Network
ISE custom endpoint attribute type String doesn't allow numbers only
Customer sees no data available for this record for "Details" page in Live Logs
Patch install needs to re-apply SQL fixes in case of database reset
ISE sending wrong message to DNAC when clock not sync'd during trust establishment
Config Backups triggered from GUI hang at 45% during ES backup
Hotfix Install Generates False Error Messages
ISE 2.4 EndPoints are being associated with the incorrect logical profile
ISE 2.x || Cisco-Device profiler policy missing the tandberg OUI as a condition
CoAs not being sent after the initial profiler CoA when the profile for an endpoint changes
PSN is down and in initializing state for ever
ISE METRICS, Compliance percentage is of total endpoints instead of the endpoints that actually go through posture
ISE Indexing Engine not running after installation of 2.4 patch 3 on secondary PAN
ISE 2.4 configured Authz policy does not match the correct policy when using Logical Profiles
Windows7-Workstation policy is incorrect for the rule "WinPlatform certainty factor or 40
ISE 2.4 : Context Visibility Users : Active Directory attributes not getting stored
IE11 : Trash icon linked to MAC address search box in Context Visibility
Unable to delete Root Network Device Group
Rest API- Unable to retrieve Guest User Details using ToDate filters
Receiving an error when saving authorization policy using external domain users group as condition
Device Administration Current Active Sessions report not available from 2.4 P6

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.