
Introduction

Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, Cisco Wireless Controllers, Virtual Private Network (VPN) gateways, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on Secure Network Server appliances with different performance characterizations, and also as software that can be run on a virtual machine (VM). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For more information about the features that are supported in this Cisco ISE release, see the Cisco Identity Services Engine Administrator Guide.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation in this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE, Release 2.4, requires the following platforms.

Table 1. Supported Hardware platforms and Personas

Hardware Platform | Persona | Configuration
Cisco SNS-3515-K9 (small) | Any | For the appliance hardware specifications, see the "Cisco SNS-3500 Series Appliances" chapter in the Cisco Identity Services Engine Hardware Installation Guide 2.4.
Cisco SNS-3595-K9 (large)
Cisco SNS-3615-K9 (small)
Cisco SNS-3655-K9 (medium)
Cisco SNS-3695-K9 (large)
Cisco ISE-VM-K9 (VMware, Linux KVM, Microsoft Hyper-V)


Note

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.


After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, and pxGrid on the platforms that are listed in the above table.


Note

  • Cisco Secured Network Server (SNS) 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, all the users will be required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

  • Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.


Federal Information Processing Standard Mode Support

Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.0 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on RHEL 7.3


    Note

    If you are installing or upgrading Cisco ISE on an ESXi 5.x server to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later.


Supported Browsers

The supported browsers for the Admin portal include:

  • Mozilla Firefox 69 and earlier versions

  • Mozilla Firefox ESR 60.9 and earlier versions

  • Google Chrome 77 and earlier versions


    Note

    If you use Chrome 65.0.3325.189, you may not be able to view guest account details in the print preview section.


  • Microsoft Internet Explorer 10.x and 11.x

  • Microsoft Edge beta 77 and earlier versions


Note

  • If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).

  • If you use Chrome 65.0.3325.189, you may be unable to view guest account details in the print preview section.

  • When self-signed certificates are used, Cisco ISE portal may fail to launch in Microsoft Edge beta 77 browser even if URL redirection is successful. To resolve this issue:

    1. Add both DNS name and IP address in the Subject Alternative Name (SAN) field.

    2. After the ISE services are restarted, redirect the portal in a different browser.

    3. Choose View Certificate > Details and copy the certificate by selecting the base-64 encoded option.

    4. Install the certificate in Trusted path and relaunch the browser.

  • You might see a warning message while downloading an executable (EXE) file in Google Chrome 76 or later. To resolve this issue:

    1. In your browser, click the Settings menu at the top-right corner.

    2. At the bottom of the Settings window, click Advanced.

    3. Under Downloads, check the Ask Where to Save Each File before Downloading check box.


Support for Microsoft Active Directory

Cisco ISE works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, and 2016 at all functional levels.


Note

  • It is recommended that you upgrade Windows Server to a supported version, as Microsoft no longer supports Windows Server 2003 and 2003 R2.

  • Microsoft Active Directory Version 2000 or its functional level is not supported by Cisco ISE.


Cisco ISE supports multidomain forest integration with Active Directory infrastructure to support authentication and attribute collection across large enterprise networks. Cisco ISE supports up to 50 domain join points.

Improved User Identification

Cisco ISE can identify Active Directory users when a username is not unique. Duplicate usernames are common when using short usernames in a multidomain Active Directory environment. You can identify users by Software Asset Management (SAM), Customer Name (CN), or both. Cisco ISE uses the attributes that you provide to uniquely identify a user.

Update the value of the following:

  • SAM: Update this value to use only the SAM in the query (the default).

  • CN: Update this value to use only CN in the query.

  • CNSAM: Update this value to use CN and SAM in the query.

To configure the attributes mentioned above for identifying Active Directory users, update the IdentityLookupField parameter in the registry on the server that is running Active Directory:

REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField

What is New in Cisco ISE, Release 2.4

Support for Cisco Secure Network Server 3600 Series Appliance

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.

Business Outcome

Improved performance, scalability, and platform manageability over SNS 35xx series appliances.

The Default TLS Version when initiating External Connections through Proxy is TLS 1.2

When Cisco ISE acts as a client, the default protocol for the connections that it initiates to external entities is TLS 1.2. In this case, TLS 1.2 is the only supported protocol. If you want to support lower versions as well (which might be insecure), you must explicitly enable them in Cisco ISE on the following page: Administration > System > Settings > Security Settings.

Business Outcome

Improved security in SSL connections.

Cisco ISE Can Pull IoT Device Context and Session Data from Cisco IND

Cisco ISE can profile and display the status of devices attached to a Cisco Industrial Network Director (IND). Cisco Platform Exchange Grid (pxGrid) is used to communicate the endpoint (Internet of Things [IoT]) data between Cisco ISE and Cisco IND. pxGrid is used to receive the context from Cisco IND and query Cisco IND to update endpoint type.

Business Outcome

Automates classification of IoT devices on your network.

Control Permissions for pxGrid Clients

You can create pxGrid authorization rules to control the permissions of the pxGrid clients (under Administration > pxGrid Services > Permissions).

These rules control which services, and which operations on those services, are available to the pxGrid clients. Cisco ISE applies the rules to groups, not individual clients. You can manage groups by clicking the Manage Groups heading in the Permissions window. The Permissions window displays predefined authorization rules that use predefined groups (such as EPS, ANC). You can only update the Groups field in the predefined rules.

Business Outcome

Better pxGrid backward compatibility:

  • Ability to control authorizations for different pxGrid services.

  • Easier to group pxGrid clients with similar permissions.

Customizable SSH Ciphers and Encryption Algorithms

You can use the service sshd encryption-algorithm and service sshd encryption-mode global configuration commands in Cisco ISE 2.4 to harden the ISE SSH server and specify the cipher suite to be used. You can use AES-CTR and/or AES-CBC ciphers.

Cisco ISE 2.3 and earlier releases allowed only AES-CBC ciphers (due to Common Criteria Protection Profiles for Access Control Devices and Systems). Cisco ISE 2.4 allows you to use both AES-CTR and AES-CBC ciphers.
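
After changing the SSH encryption settings, you can confirm what the server actually offers by reading the cipher lists from its key-exchange init message. The following is an added example, not Cisco code: it parses a cleartext SSH_MSG_KEXINIT packet (RFC 4253) and reports ciphers whose mode is outside the policy you intended. The function names and the sample packets are constructed for illustration; in practice the packet is the first binary packet the server sends after its version banner.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)
CIPHER_FIELDS = KEXINIT_FIELDS[2:4]


def payload_from_packet(packet: bytes) -> bytes:
    """Strip the cleartext binary-packet framing (RFC 4253, section 6)."""
    if len(packet) < 5:
        raise ValueError("packet shorter than its header")
    packet_length, padding_length = struct.unpack_from(">IB", packet, 0)
    end = 4 + packet_length  # packet_length excludes its own four bytes
    if end > len(packet) or padding_length + 1 > packet_length:
        raise ValueError("inconsistent packet_length/padding_length")
    return packet[5:end - padding_length]


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 17  # 1 byte message type + 16 byte cookie
    result = {}
    for field in KEXINIT_FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before length of {field}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"truncated name-list {field}")
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        result[field] = raw.split(",") if raw else []
    return result


def cipher_mode(name: str) -> str:
    """Classify a cipher name by block mode: ctr, cbc, gcm or other."""
    base = name.split("@", 1)[0]  # drop a vendor suffix such as @openssh.com
    for mode in ("ctr", "cbc", "gcm"):
        if base.endswith("-" + mode):
            return mode
    return "other"


def disallowed_ciphers(packet: bytes, allowed_modes) -> dict:
    """Return {direction: [ciphers]} offered outside the allowed modes."""
    offered = parse_kexinit(payload_from_packet(packet))
    findings = {}
    for field in CIPHER_FIELDS:
        bad = [c for c in offered[field] if cipher_mode(c) not in allowed_modes]
        if bad:
            findings[field] = bad
    return findings


def build_sample_packet(ciphers: str) -> bytes:
    """Constructed test input: a framed KEXINIT offering `ciphers` both ways."""
    lists = ["diffie-hellman-group14-sha1", "ssh-rsa", ciphers, ciphers,
             "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # type + all-zero cookie
    for names in lists:
        payload += struct.pack(">I", len(names)) + names.encode("ascii")
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8
    if padding < 4:  # the protocol requires at least four bytes of padding
        padding += 8
    header = struct.pack(">IB", 1 + len(payload) + padding, padding)
    return header + payload + bytes(padding)


# Constructed samples: a server offering both modes, and one limited to CTR.
SAMPLE_MIXED = build_sample_packet(
    "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc")
SAMPLE_CTR_ONLY = build_sample_packet("aes128-ctr,aes192-ctr,aes256-ctr")

if __name__ == "__main__":
    print(disallowed_ciphers(SAMPLE_MIXED, ("ctr",)))
    print(disallowed_ciphers(SAMPLE_CTR_ONLY, ("ctr",)))
```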

Business Outcome

  • Improved security for SSH access.

  • Allows you to choose the encryption algorithms.

  • Allows you to choose the ciphers to be used to harden secure access.

Endpoint API Enhancements for MDM Attributes

Mobile Device Management (MDM) attributes are made available through the endpoints API to enable additional synchronization capability between Cisco ISE and a third-party MDM server.

Business Outcome

Helps customers to better integrate third party systems with ISE and provide better user experience for end users using mobile devices that are managed by an MDM server.

IPv6 Support for RADIUS

IPv6 addresses are now supported for RADIUS configurations. The IP Address field in the Administration > Network Resources > Network Devices page and the Host IP field in the Administration > Network Resources > External RADIUS Server page now support both IPv4 and IPv6 addresses for RADIUS configurations.

Business Outcome

Additional support for IPv6 addressing:

  • Allows you to migrate your network to IPv6-based networks. You can migrate to IPv6 addressing if you have fragmented networks or have exhausted IPv4 addresses.

  • Facilitates more efficient routing, packet processing, security, and simplified network configuration.

Large Virtual Machine for Monitoring Persona

Cisco ISE introduces a large VM for Monitoring nodes.

This form factor is available only as a VM in Release 2.4 and above, and requires a large VM license.

Business Outcome

Deploying Monitoring persona on a large VM offers the following advantages:

  • Up to three times the volume of data previously supported.

  • Improved performance in terms of faster response to live log queries and report completion.

Posture Enhancements

  • Grace Period for Noncompliant Devices—Cisco ISE provides an option to configure grace time for devices that become noncompliant. Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace time for the device, during which the device is granted access to the network. You can configure the grace time period in minutes, hours, or days (up to a maximum of 30 days). The Posture Assessment by Endpoint report is updated and displays a Grace Compliant status for an endpoint that is currently not compliant, but is under the grace period.

  • Posture Rescan—AnyConnect users can now manually restart posture at any time.

  • AnyConnect Stealth Mode Notifications—Several new failure notifications are added for AnyConnect stealth mode deployment to help users identify issues with their VPN connection.

  • Disabling UAC Prompt on Windows—You can choose to disable the User Access Control (UAC) prompts on Windows endpoints from the AnyConnect posture profile.

    Note

    By default, this value is set to No while configuring the AnyConnect Profile. When you change it to Yes, the UAC prompts are disabled and the Windows users no longer receive these prompts. If you want to enable the UAC prompt again, you should change this setting to No in the AnyConnect Profile. This setting takes effect only when the Windows endpoint is restarted.


  • New URL for Downloading Client Provisioning and Posture Updates—The client provisioning and posture feed URL has changed. The new URL for Posture Updates is https://www.cisco.com/web/secure/spa/posture-update.xml and for Client Provisioning is https://www.cisco.com/web/secure/spa/provisioning-update.xml

  • File Condition Enhancements—A new operator, within, is introduced under File Condition to check for the changes in a file within a certain period of time.

  • Certificate Attributes in Client Provisioning and Posture Policies—Certificate attributes are now available in the client provisioning and posture policy pages.

  • The following option has been newly added under the Location field in the Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition window:

    • All Internal Drives—To check the internal drives. Includes all hard disks that are mounted and encrypted, and all internal partitions. Excludes read only drives, system recovery disk/partition, boot partition, network partitions, and the different physical disk drives that are external to the endpoint (including but not limited to disk drives connected via USB and Thunderbolt). Encryption software products that are validated include:

      • Bit-locker-6.x/10.x

      • Checkpoint 80.x on Windows 7


    Note

    "All Internal Drives" option is supported from AnyConnect Version 4.6.01098 onwards.


Business Outcome

Improved security alerts and enforcement:

  • Provides admin users with more flexible options for educating end users about posture condition failures including grace-period-specific messaging scenarios.

  • Helps effective management of some posture checks and remediations that require additional privileges and prompts the user for such privileges.

Profiler Enhancements

  • Added 190 new profile policies from vendors, including AudioCode, BlackBerry, Brother, Hewlett Packard, Lexmark, NetApp, Samsung, and Xerox.

  • Added additional conditions to 185 profile policies to support additional probes. For example, DHCP conditions are added to Xerox devices such that customers who do not want to profile Xerox devices based on SNMP, can profile Xerox devices using DHCP.

  • Reorganized profiles into families for better identification of new devices. For example, HP-LaserJet-4350 was previously profiled directly under HP-Device. It is now profiled under HP-LaserJet, which in turn is profiled under HP-Device. When Hewlett Packard introduces a new Hewlett Packard LaserJet printer model, Cisco ISE will classify the new model as HP-LaserJet, and not as HP-Device until a new profile policy for that exact LaserJet printer model is added.

Business Outcome

Effective classification of devices:

  • Helps you gain visibility of previously unknown devices, such as Xerox printers or Vista link printers with improved profiler efficacy.

Support for Sending Separate SNMP CoA Packets

You can check the Send SNMP COA Separate Request check box in the Administration > Network Resources > Network Device Profiles > Change of Authorization (CoA) window to send the SNMP CoA packets to the NAD as two packets.

Business Outcome

Increased compatibility with devices:

  • Provides support for older Cisco and third-party NADs that mandate the sending of SNMP CoA packets as two packets (for the shutdown and no shutdown interface configuration commands).

Support for Two Shared Secrets Per IP for RADIUS NAD Clients

You can specify two shared secrets (keys) to be used by the network device and Cisco ISE. You can configure the shared secrets in the RADIUS authentication settings section for a NAD in the Administration > Network Resources > Network Devices page in Cisco ISE.

Business Outcome

Replace Shared Secrets on network devices:

  • Enables you to replace shared secrets on network devices independently and allows ISE to support both old and new shared secrets until the shared secret is replaced on the network device. Changing a RADIUS secret is now simplified and allows you to enter a new shared secret even before updating the network device.
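
The rotation window described above can be illustrated with the RADIUS Message-Authenticator attribute (RFC 2869), which is an HMAC-MD5 over the request keyed with the shared secret. The following is an added example, not Cisco ISE code and not a description of how ISE implements the feature: a server-side check that tries each configured secret and reports which one authenticated the request. The function names, labels, and secrets are constructed for illustration, and only the Message-Authenticator check of an Access-Request is covered.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869, section 5.14


def message_authenticator_offset(packet: bytes):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack_from(">H", packet, 2)[0]
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the datagram")
    offset = 20  # code, identifier, length, 16-byte authenticator
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            return offset + 2
        offset += attr_len
    return None


def compute_message_authenticator(packet: bytes, value_offset: int,
                                  secret: bytes) -> bytes:
    """HMAC-MD5 over the Access-Request with the attribute value zeroed."""
    length = struct.unpack_from(">H", packet, 2)[0]
    zeroed = (packet[:value_offset] + bytes(16)
              + packet[value_offset + 16:length])
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def matching_secret(packet: bytes, secrets: dict):
    """Return the label of the configured secret that authenticates `packet`.

    `secrets` maps a label to secret bytes. None means that no configured
    secret matches, or that the request carries no Message-Authenticator.
    """
    value_offset = message_authenticator_offset(packet)
    if value_offset is None:
        return None
    received = packet[value_offset:value_offset + 16]
    for label, secret in secrets.items():
        expected = compute_message_authenticator(packet, value_offset, secret)
        if hmac.compare_digest(received, expected):
            return label
    return None


def build_access_request(secret: bytes, identifier: int, user: str) -> bytes:
    """Constructed network-device-side packet for the walkthrough."""
    name = user.encode("utf-8")
    attrs = bytes([USER_NAME, 2 + len(name)]) + name
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    request_authenticator = bytes(range(16))  # fixed so the sample repeats
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    offset = len(packet) - 16
    mac = compute_message_authenticator(packet, offset, secret)
    return packet[:offset] + mac


# Constructed secrets; both are configured on the server during rotation.
OLD = b"constructed-old-secret"
NEW = b"constructed-new-secret"
SERVER_SECRETS = {"new": NEW, "old": OLD}


def rotation_walkthrough():
    """Device still on the old secret, device updated, old secret removed."""
    before = matching_secret(build_access_request(OLD, 1, "alice"), SERVER_SECRETS)
    after = matching_secret(build_access_request(NEW, 2, "alice"), SERVER_SECRETS)
    retired = matching_secret(build_access_request(OLD, 3, "alice"), {"new": NEW})
    return before, after, retired


if __name__ == "__main__":
    print(rotation_walkthrough())
```

Tracking which label matched for each network device shows when the old secret is no longer in use and can be removed.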

TrustSec Enhancements

You can select the ISE node from which the configuration changes must be sent to the network device while adding the network device (under Advanced TrustSec Settings section). You can select the PAN or PSN node. If the PSN node that you selected is down, the configuration changes are sent to this device using the PAN.

While deploying the IP SGT static mappings, you can select the devices or the device groups to which the selected mappings must be deployed. You can select all the devices if necessary. You can use the filter option to search for the devices that you want. If you do not select any device, the selected mappings are deployed on all TrustSec devices.

You can use the Check Status option to check if different SGTs are assigned to the same IP address for a specific device. You can use this option to find the devices that have conflicting mappings, the IP addresses that are mapped to multiple SGTs, and the SGTs that are assigned to the same IP address. This option can be used even if device groups, FQDN, hostname, or IPv6 addresses are used in the deployment. You must remove the conflicting mappings or modify the scope of deployment before deploying these mappings.

The Verify TrustSec Deployment option on the General TrustSec Settings page helps you to verify whether the latest TrustSec policies are deployed on all the network devices. Alarms are displayed in the Alarms dashlet (under Work Centers > TrustSec > Dashboard), if there are any discrepancies between the policies that are configured on Cisco ISE and the network device. The following alarms are displayed in the TrustSec dashboard:

  • An alarm with an Info icon is displayed whenever the verification process is started or completed.

  • An alarm with an Info icon is displayed if the verification process is cancelled due to a new deployment request.

  • If the verification process resulted in an error (for instance, failed to open SSH connection with the network device, or the network device is unavailable), or if there is any discrepancy between the policies that are configured on Cisco ISE and the network device, an alarm with a Warning icon is displayed for each of these network devices.

The Verify Deployment option is also available on the following pages:

  • Work Centers > TrustSec > Components > Security Groups

  • Work Centers > TrustSec > Components > Security Group ACLs

  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix

  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree

  • Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree

Check the Automatic Verification After Every Deploy check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process is started after the time that you specify in the Time after Deploy Process field. The current verification process is cancelled if a new deployment request is received during the waiting period or when the verification is in progress. Click Verify Now to start the verification process immediately.

IPv6 addresses can be used in IP SGT static mappings. These mappings can be propagated using SSH or SXP to specific network devices or network device groups.

If FQDN and hostnames are used, Cisco ISE looks for the corresponding IP addresses in the PAN and PSN nodes while deploying the mappings and checking the deployment status. You can select one of the following options (under IP SGT Static Mapping of Hostnames) in the General TrustSec Settings window to specify the number of mappings created for the IP addresses returned by the DNS query:

  • Create mappings for all IP addresses returned by DNS query

  • Create mappings only for the first IPv4 address and the first IPv6 address that is returned by a DNS query
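
The conflict check described under Check Status, combined with the two IP SGT Static Mapping of Hostnames options above, can be reproduced offline on an exported mapping list before deployment. The following is an added example, not Cisco ISE code: the function names, SGT names, hostnames, and addresses are constructed for illustration, and DNS answers are supplied as data rather than resolved.

```python
import ipaddress
from collections import defaultdict


def expand_hostname(addresses, all_addresses: bool):
    """Apply the hostname option to one DNS answer.

    all_addresses=True  : a mapping for every returned address.
    all_addresses=False : only the first IPv4 and the first IPv6 address.
    """
    parsed = [ipaddress.ip_address(a) for a in addresses]
    if all_addresses:
        return parsed
    picked = []
    for version in (4, 6):
        first = next((a for a in parsed if a.version == version), None)
        if first is not None:
            picked.append(first)
    return picked


def find_conflicts(mappings, dns_answers, all_addresses=True):
    """Return (conflicts, unresolved) for a list of (target, sgt) mappings.

    `target` is an IPv4/IPv6 literal or a hostname. `conflicts` maps each
    normalized IP address that carries more than one SGT to its sorted SGT
    list; `unresolved` lists hostnames that have no DNS answer.
    """
    sgts_by_ip = defaultdict(set)
    unresolved = []
    for target, sgt in mappings:
        try:
            addresses = [ipaddress.ip_address(target)]
        except ValueError:  # not an IP literal, so treat it as a hostname
            addresses = expand_hostname(dns_answers.get(target, []),
                                        all_addresses)
            if not addresses:
                unresolved.append(target)
        for address in addresses:
            # str() yields the canonical form, so differently written
            # IPv6 literals for the same address land in one bucket.
            sgts_by_ip[str(address)].add(sgt)
    conflicts = {ip: sorted(sgts) for ip, sgts in sgts_by_ip.items()
                 if len(sgts) > 1}
    return conflicts, unresolved


# Constructed sample data.
SAMPLE_MAPPINGS = [
    ("10.1.1.10", "Printers"),
    ("2001:db8::10", "Printers"),
    ("2001:0db8:0:0:0:0:0:10", "Cameras"),   # same address, long form
    ("hmi01.example.test", "Controllers"),
    ("plc77.example.test", "Controllers"),   # no DNS answer below
    ("10.1.1.20", "Cameras"),
]
SAMPLE_DNS = {
    "hmi01.example.test": ["10.1.1.10", "10.1.1.20", "2001:db8::99"],
}

if __name__ == "__main__":
    print(find_conflicts(SAMPLE_MAPPINGS, SAMPLE_DNS, all_addresses=True))
    print(find_conflicts(SAMPLE_MAPPINGS, SAMPLE_DNS, all_addresses=False))
```

With the sample data, switching from all addresses to first-IPv4-and-first-IPv6 removes the conflict on 10.1.1.20, which shows that the hostname option changes which mappings must be cleaned up before deployment.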

Business Outcome

  • Verifies TrustSec policy on Network Devices.
  • Enhanced IP-SGT mapping workflow:

    • Improves network device misconfiguration error handling and operational efficiency through Check Status option.

    • Selectively deploy the IP SGT static mappings.

    • Create IP static mappings with IPv6 addresses.

    • Create mappings for first or all known IP addresses which are based on DNS FQDN query.

Decommissioned Dashlets

Some Dashlets Removed to Resolve Performance Issues

The following dashlets have been decommissioned to prevent performance issues when displaying large data sets:

  • Context Visibility > Endpoint > Compliance: Status Trend

  • Home > Endpoints > Endpoint Capacity

A large number of endpoints caused performance problems with some dashlets.

Kerberos Authentication for the Sponsor Portal

You can configure ISE to use Kerberos to authenticate a sponsor user who is logged onto Windows for access to the sponsor portal. This process uses the Active Directory credentials of the logged in sponsor user in the Kerberos ticket. Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.

Additional security for Sponsor authentication.

NFS Repository Credentials

When you add a repository and select NFS as the protocol, you can no longer enter credentials to connect to the repository.

Business Outcome

Using credentials to connect to an NFS repository caused problems.

Known Limitations and Workarounds

IP-SGT Bindings Are Not Propagated Under Certain Conditions

Under the following conditions, IP-SGT mappings are not propagated to ACI.

On the ISE administrator's console, navigate to Work Centers > TrustSec > Components:

  1. Create a security group, but don't check Propagate to ACI.

  2. Create an IP-SGT binding with the previously created security group. It may be a static, session, or SXP binding.

  3. On the security group, click Propagate to ACI.

  4. Click Save.

  5. The security group syncs to ACI, but the IP-SGT binding that is mapped to the security group does not.

Workaround

Either:

  1. Restart the ACI propagation in ISE and recreate the IP-SGT mappings.

    1. On the Work Centers > TrustSec > Settings > ACI Settings page, uncheck TrustSec-ACI Policy Element Exchange, and save.

    2. Check TrustSec-ACI Policy Element Exchange, and save.

    3. The connection between Cisco ISE and ACI is reestablished.

  2. Delete the old IP-SGT bindings, and recreate them while Propagate to ACI is checked.


Note

The connection between ACI and ISE reauthenticates every 24 hours, which also fixes this problem.


SXP Protocol Security Standards

Limitation: Security Group Exchange Protocol (SXP) transfers unencrypted data and uses a weak hash algorithm for message integrity checking per draft-smith-kandula-sxp-06.
Workaround: There is no workaround.

For more information, see https://tools.ietf.org/html/draft-smith-kandula-sxp-06.

Patch Build Download Using Chrome Browser

Limitation: Integrity checksum issues occur when you use the Google Chrome browser to download the patch build.
Condition: The Message Digest 5 (MD5) sum values do not match.
Workaround: Download the patch build using the Firefox browser. Verify that the downloaded patch bundle has the correct MD5 checksum.

Radius Logs for Authentication

Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.

Profiler RADIUS Probe

Limitation: Endpoints are not profiled; they are only authenticated and added to the database.
Condition: The RADIUS probe is disabled.
Workaround: Disable the profiling services completely.

High Memory Utilization

Limitation: High memory utilization after installing or upgrading to Cisco ISE Version 1.3 or later.
Condition: Because of the way kernels manage cache memory, Cisco ISE might use more memory, which may trigger high memory usage (80 to 90%) and alarms.
Workaround: There is no workaround.

For more information, see CSCvn07836.

Diffie-Hellman Minimum Key Length

Limitation: Connection to LDAP server fails.
Condition: If the Diffie-Hellman minimum key length that is configured on the LDAP server is less than 1024, connection to the LDAP server fails.
Workaround: Change the Diffie-Hellman key size on the LDAP server.

For more information, see CSCvi76985.

ECDSA Certificates

Limitation: Cisco ISE supports Elliptic Curve Digital Signature Algorithm (ECDSA) certificates with key lengths of 256 and 384 only.
Condition: ECDSA certificates that are used for EAP authentication are supported only for endpoints with Android Version 6.x and later.

Note

Apple iOS is not supported if you use ECDSA as a system certificate. ECDSA certificates are supported only for Android 6.x and Android 7.x.


Workaround: You can select the key length in the Administration > System > Certificates > Certificate Management > System Certificates window.

Cisco Temporal Agent

We recommend that you run the Cisco Temporal Agent within two minutes of downloading the agent from the Client Provisioning Portal. Otherwise, the Posture Failed Due to Server Issues error message is displayed.

Mobile Service Engine (MSE) Devices

When adding an MSE device to Cisco ISE, you must copy the certificates from the MSE device over to ISE to facilitate authorization. ISE does not receive these certificates directly from the MSE device.

Re-create Supplicant Provisioning Wizard References

Limitation: BYOD certificate provisioning flow is broken with both Internal and External Certificates.
Condition: When you upgrade to a new release, or apply a patch, the Supplicant Provisioning Wizard (SPW) is updated.
Workaround: Create new native supplicant profiles and new client-provisioning policies that reference the new SPWs.

Upgrade Information


Note

If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.


Applying Patches to Release 2.4

To obtain the patch file for Cisco ISE, Release 2.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

For instructions on how to apply the patch to your system, see the "Installing a Software Patch" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

For instructions to install a patch using CLI, see the "Install Patch" section in the Cisco Identity Services Engine CLI Reference Guide, Release 2.4.


Note

When installing 2.4 Patch 4 and later, CLI services will be temporarily unavailable during the kernel upgrade. If the CLI is accessed during this time, it shows the following error: "Stub Library could not be opened". However, once patch installation is complete, CLI services will be available again.


Patches are cumulative such that any patch version also includes all fixes delivered in the preceding patch versions. Cisco ISE version 2.4.0.357 was the initial version of the Cisco ISE 2.4 release. After installation of the patch, you can see the version information from Settings > About Identity Services Engine page in the Cisco ISE GUI and from the CLI in the following format “2.4.0.357 patch N”; where N is the patch number.


Note

Within the bug database, issues resolved in a patch have a version number with different nomenclature in the format, “2.4(0.9NN)” where NN is also the patch number, displayed as two digits. For example, version “2.4.0.298 patch 1” corresponds to the following version in the bug database “2.4(0.901)”.



Note

We recommend that you clear your browser cache after you install a patch on Cisco ISE, Release 2.4.


Upgrading to Release 2.4

You can directly upgrade to Release 2.4 from the following Cisco ISE releases:

  • 2.0
  • 2.0.1
  • 2.1
  • 2.2
  • 2.3

Information about the upgrade packages and the platforms they support is available at Cisco ISE Software Download.

If you are on a version earlier than Cisco ISE, Release 2.0, you must first upgrade to one of the releases listed above and then upgrade to Release 2.4.


Note

It is recommended to upgrade to the latest patch in the existing version before upgrading to the next version of Cisco ISE.


You can upgrade to Release 2.4 from the GUI or the CLI. See the Cisco Identity Services Engine Upgrade Guide, Release 2.4.

Verify Operating System of Virtual Machines

ISE Release 2.4 runs on Red Hat Enterprise Linux (RHEL) 7.0. If you are upgrading Cisco ISE nodes on a VMware VM, after you upgrade, ensure that you change the guest operating system to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the guest operating system to RHEL 7, and power on the VM after the change.

External RADIUS Token Server Timeout

The External RADIUS Token Server Timeout maximum has changed from 120 seconds to 60 seconds. Upgrades to this release change the existing setting if the maximum is more than 60 seconds.

License Changes

Device Administration Licenses

There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.

The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.

Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0, and are enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are completely enforced on a per-node basis.

Cluster licenses have been discontinued, and now only node Licenses are available for sale.

However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.

The evaluation license allows device administration on one policy service node.

Licenses for Virtual Machine Nodes

Cisco ISE is also sold as a virtual machine (VM). For this release, we recommend that you install appropriate VM licenses for the VM nodes in your deployment. Install the VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, you will receive warnings and notifications to procure and install the VM license keys. However, the installation process will not be interrupted. From Cisco ISE, Release 2.4, you can manage your VM licenses from the GUI.

VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with eight cores and 64-GB RAM, you might need a Medium category VM license if you want to replicate the same capabilities on the VM. You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.

VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features that are enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.

After installing or upgrading, if there is any mismatch between the number of deployed VM nodes and installed VM licenses, alarms are displayed in the Alarms dashlet every 14 days. Alarms are also displayed if there are any changes in the VM node’s resources, or whenever a VM node is registered or de-registered.

VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification pop-up window.

If you have not purchased an ISE VM license earlier, see the Cisco Identity Services Engine Ordering Guide to choose the appropriate VM license to be purchased.


Note

If you have purchased ISE VM licenses without a PAK, you can request VM PAKs by emailing licensing@cisco.com. Include the Sales Order numbers that reflect the ISE VM purchase, and your Cisco ID in your email. You will be provided a medium VM license key for each ISE VM purchase you have made.

For details about VM compatibility with your Cisco ISE version, see the "Hardware and Virtual Appliance Requirements" chapter in the Cisco Identity Services Engine Installation Guide for the applicable release.

For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before an ISE software upgrade to check whether the configured data can be upgraded to the required ISE version. Most upgrade failures occur because of data upgrade issues; the URT is designed to validate the data before the actual upgrade, report any issues, and try to fix them wherever possible. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.

Telemetry

After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner appears on screen. Using this feature, Cisco ISE securely collects non-sensitive information about your deployment, network access devices, profiler, and other services that you are using. The data that is collected will be used to provide better services and additional features in forthcoming releases. By default, the telemetry feature is enabled. You can choose to disable or modify the account information. To do this, choose Administration > Settings > Smart Call Home. Account information provided is unique to the deployment. Each admin user need not provide it separately.

Cisco ISE Live Update Portals

Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the corresponding device using Cisco ISE.

If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings by choosing Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

Client Provisioning and Posture Live Update Portals

You can download Client Provisioning resources from:

Work Centers > Posture > Settings > Software Updates > Client Provisioning.

The following software elements are available at this URL:

  • Supplicant Provisioning wizards for Windows and Mac OS X native supplicants

  • Windows versions of the latest Cisco ISE persistent and temporal agents

  • Mac OS X versions of the latest Cisco ISE persistent agents

  • ActiveX and Java Applet installer helpers

  • AV/AS compliance module files

For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

You can download Posture updates from:

Work Centers > Posture > Settings > Software Updates > Posture Updates

The following software elements are available at this URL:

  • Cisco-predefined checks and rules

  • Windows and Mac OS X AV/AS support charts

  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.

If you do not want to enable the automatic download capabilities, you can choose to download updates offline.

Cisco ISE Offline Updates

This offline update option allows you to download client provisioning and posture updates when direct internet access to Cisco.com from a device using Cisco ISE is not available or is not permitted by a security policy.

Offline updates are also available for Profiler Feed Service. For more information, see the .

To download offline client provisioning resources, perform the following procedure:

Procedure


Step 1

Go to: https://software.cisco.com/download/home/283801620/type/283802505/release/2.4.0.

Step 2

Provide your login credentials.

Step 3

Navigate to the Cisco Identity Services Engine download window, and select the release.

The following Offline Installation Packages are available for download:

  • win_spw-<version>-isebundle.zip—Offline SPW Installation Package for Windows

  • mac-spw-<version>.zip—Offline SPW Installation Package for Mac OS X

  • compliancemodule-<version>-isebundle.zip—Offline Compliance Module Installation Package

  • macagent-<version>-isebundle.zip—Offline Mac Agent Installation Package

  • webagent-<version>-isebundle.zip—Offline Web Agent Installation Package

Step 4

Click either Download or Add to Cart.


For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.

For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.

To download offline posture updates, perform the following procedure:

Procedure


Step 1

Go to https://s3.amazonaws.com/ise-public/posture-offline.zip.

Step 2

Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.

Step 3

Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 4

Click the arrow to view the settings for posture.

Step 5

Click Updates.

The Posture Updates window is displayed.

Step 6

Click the Offline option.

Step 7

Click Browse to locate the archive file (posture-offline.zip) from the local folder in your system.

Note

The File to Update field is a mandatory field. You can select only one archive file (.zip) containing the appropriate files. Archive files other than .zip, such as .tar and .gz, are not supported.

Step 8

Click Update Now.


Configuration Prerequisites

  • The relevant Cisco ISE license fees should be provided.

  • The latest patches should be installed.

  • Cisco ISE software capabilities should be active.

  • Read the Release Notes document for the corresponding release of Cisco Identity Services Engine.

Cisco ISE Integration with Cisco Digital Network Architecture Center

Cisco ISE can integrate with Cisco DNA Center. For information about configuring Cisco ISE to work with Cisco DNA, see the Cisco DNA Center documentation at https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/tsd-products-support-series-home.html.

For information about which versions of Cisco ISE are compatible with which versions of Cisco DNA Center, see https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html?wcmmode=disabled.

Caveats

This section describes open severity 1 and 2 caveats and select severity 3 caveats. The “Open Caveats” sections list open caveats that apply to the current release and may apply to previous releases. A caveat that is open for a prior release and is still unresolved applies to all future releases until it is resolved. The bug IDs are sorted alphanumerically. The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, you must use the Bug Search Tool.

Cisco Bug Search Tool (BST), the online successor to Bug Toolkit, is designed to improve effectiveness in network risk management and device troubleshooting. You can search for bugs based on product, release, and keyword. For more details on the tool, see the help page located at http://www.cisco.com/web/applicat/cbsshelp/help.html.

New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 10

Enable Probe Data Publisher

This option is newly added in the Profiler Settings window (Work Centers > Profiler > Settings). This option is disabled by default. Enable this option if you want Cisco ISE to publish endpoint probe data to pxGrid subscribers that need this data to classify endpoints onboarding on ISE. The pxGrid subscriber can pull the endpoint records from Cisco ISE using bulk download during the initial deployment phase. Cisco ISE sends the endpoint records to the pxGrid subscriber whenever they are updated in the PAN.


Note

When you enable this option, ensure that the pxGrid persona is enabled in your deployment.


Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 10

Patch 10 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.

The following table lists the resolved caveats in Release 2.4 cumulative patch 10.

Caveat ID Number

Description

CSCvd48081

The software shouldn't allow to delete the pxGrid certificate on a ISE node

CSCvf36221

posture update not working when there's a proxy with credentials in ISE

CSCvf45991

Pseudo double Auth request on AD

CSCvf91219

ISE T+ and Policy : Allowed protocols for RADIUS uncheck if changes are made via TACACS PE section

CSCvg60477

ISE 2.3+ does not have authentication condition Network Access:AuthenticationMethod

CSCvh86082

Parsing NMAP smb-os-discovery data should remove &#xa; or \x00

CSCvi16994

ERS Guest User operations fail with 401 Unauthorized if Sponsor_Portal_Sequence missing

CSCvi17935

ISE 2.x: Mobile/Desktop previews don't display self-registration form fields correctly

CSCvi18412

ISE 2.3 p2 is sending redundant CoA message during VPN Posture Flow

CSCvi29474

ISE2.3 portals not displaying Spanish Accents

CSCvi50874

Endpoint Oracle Persist Received value wrongly counted in ISE Counters report

CSCvi72862

ISE : Accounting updates tolerance for suppression needs to be more efficient.

CSCvi86385

Is ISE affected by Spring Framework CVE-2018-1270

CSCvi99138

ad_agent.log flooded with entries from non-whitelisted domains

CSCvj07166

ISE RBAC unable to modify nested permissions after migration from ACS

CSCvj34578

REST API GET DACL page filter does not show correct information

CSCvj61028

ISE HTTP error 401 unauthorized on External CA UI

CSCvj88164

Remote-Access VPN Posture Sessions showing Base license consumed but no Apex

CSCvk01929

Making name changes to the "All_User_ID_Stores" Identity Source Sequence will break new policy sets.

CSCvk52803

Different FQDN in SAN can cause CV issue

CSCvk53782

ISE ENH : Allow RADIUS Dictionary VSA "Vendor Attribute Size Field Length" of 2 bytes

CSCvk56913

Cannot edit Guest group if accessing through Manage accounts

CSCvm10275

Cisco Identity Services Engine Cross Site Scripting Vulnerability

CSCvm70858

Triggered SNMP query not working properly for HP OUI

CSCvn31337

ISE: Exception thrown while adding email address in NTP Service Failure alarm

CSCvn66106

ISE custom attributes not being applied to endpoint when pushed from cloudpost IND

CSCvn73740

EAP-TLS authentications with Endpoint profile set to not unknown fails in second authorization.

CSCvo04342

Multiple Vulnerabilities in jackson-databind

CSCvo64085

The calculation of required space for MNT backup needs to be revalidated.

CSCvo75129

Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler

CSCvo77219

Sponsor guest portal rate limit time not honored

CSCvo80291

pxGrid startup order causing profiler code to fail init

CSCvo82930

ProfilerCoA:- Exception in getting Policy details Exception : in Infinite Loop in Profiler.log

CSCvo90380

Sponsored Guest account start date not adjusting when account extend

CSCvo94666

ISE 2.4 P5 : Profiling : Netflow probe not working on ISE Bonded Interface

CSCvp00421

ISE Profiler SNMP Request Failure Alarms should show the reason of failure

CSCvp01553

No serialization or batching when large scale(>300) NADs are moved between MatrixA to MatrixB

CSCvp03249

ISE: SMTP server sending Email notification gets Exhausted

CSCvp22075

ERS API that requires CSRF token always failing on PUT/POST/DELETE

CSCvp30958

ISE dropping requests due to descriptor allocation exhaustion under external server latency scenario

CSCvp40509

Internal User not found in prrt-server intermittently even though PrRTCpmBridge returns user found

CSCvp46165

Posture redirect fails with error 'unable to determine peer' in AnyConnect_ISEPosture.txt

CSCvp47029

ISE 2.4 With CTA threat, threat endpoints are not detecting

CSCvp54424

AD Diagnostic tool shows low level API query failed w/ Response contains no answer. Check DNS config

CSCvp54773

ISE 2.4 p6 400 error on sponsor portal after timeout.

CSCvp58616

SQLite FTS3 Query Processing Integer Overflow Vulnerability

CSCvp61880

Authorization profile fails to import with no warnings or errors to user

CSCvp68285

AUP guest portal error 400 when return from contact support link (iphone captive portal)

CSCvp72966

Email not received to guest if view/print guest password disabled

CSCvp73385

Authentications start failing once AD throws KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

CSCvp74154

Unable to remove an endpoint from the endpoint database due to permission error

CSCvp75207

2.4 P8/P9 Certificate chain does not get imported to Patch 8 and Patch 9

CSCvp76617

ISE customer endpoint attribute type string doesn't allow certain numbers

CSCvp77014

ISE trustsec custom view doesn't sort properly with manual order

CSCvp77941

License usage for Plus either shows 0 or incorrect value

CSCvp83006

Export from Context Visibility-Endpoints does not contain Custom Attr for most of Endpoints

CSCvp88242

[ 400 ] Bad Request error when refreshing the Mydevice portal

CSCvp88443

ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions

CSCvp88940

Can't use endpoint group description during runtime for authz profile

CSCvp91987

Wrongly job (HOURLY_STATS_JOB) running

CSCvp98851

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

CSCvq00186

ISE 2.4 fails to match authorization rules after deleting authorization condition

CSCvq13341

ISE 2.6 patch 1 - AD User Test is returning 0 groups

CSCvq14925

Renewed self-signed certificate doesn't get updated in trusted store

CSCvq17464

Cannot Update Internal User with External Password ID Store via ERS--ISE

CSCvq19039

ISE fails to save configuration changes for large policy-sets

CSCvq24877

Create Failing with ORA-02291 on CEPM.REF_ROLE_MASTER if groupId w/ prepending/trailing spaces

CSCvq27110

Core files on PSN servers causing High Disk Utilization alarms

CSCvq29336

ISE shows "Oops. Something went wrong" if session ID contains "-"

CSCvq35826

Incorrect audit report while updating Counter Time Limit in Max Sessions page

CSCvq39759

ISE PAN failover inactive days = elapsed days causing incorrect purging of EP's.

CSCvq45008

ISE doesn't store self-registered EndPoints in configured custom group

CSCvq46232

ISE 2.6 ACI integration TrustSec ACI report doesn't have sent ip-sgt mappings to ACI

CSCvq50088

Export function in Network device groups fails when using RBAC

CSCvq51955

Network Conditions do not work with shorten IPv6

CSCvq52340

'Deleting All' Network Access Users doesn't appear on audit report

CSCvq54533

Using ECDSA signed certificates with the admin or pxgrid usage breaks pxgrid

CSCvq56241

ISE user import does not fail when username contains invalid characters

CSCvq58785

Static group information is lost from EP in some scenarios

CSCvq62367

PSN generates scheduled reports if no connectivity to MNT

CSCvq71264

Static group assignment losing from guest flow

CSCvq71844

"Cache not properly initialized" message in every Profiler Policy and cannot update Profiler Feed

CSCvq72760

When updating password for administrative user it is possible to bypass entering current password

CSCvq73457

Under heavy load, ISE live logs either unavailable or delayed

CSCvq74995

ISE 2.4 Possible XSS input in Certificate Attributes message when "/" sign is in the name

CSCvo07993

Qualys show connected state once disable/enable tc-nac if added before applying patch. 

CSCvq38610

Certificate trust chain is incomplete for pxGrid on pxGrid alone persona

CSCvn45977

Allowing Different FQDN in SAN DNS field for EAP Certificate.

CSCvp63038

System Test: Temporal agent installation is failing with internal system error.

CSCvq16846

Rename the label from "ResetAll Hitcounts" to "Reset Policyset Hitcounts" under policy sets 

CSCvq54153

Cisco Identity Services Engine Policy Set Name Cross Site Scripting Vulnerability 

CSCvo15652

pxGrid WebSocket multiple connections issue

CSCvp53222

ISE subscribes to IND topic /topic/com.cisco.endpoint.asset 3 times

CSCvp54975

pxGrid service lookup still returns old hostname after hostname change

CSCvq33194

Not able to change the language in guest portal with option "Always use"

CSCvq33527

VM Licenses are not consuming based on M5 Profiles

CSCvp02082

Env data is missing when TrustSec-ACI integration is enabled.

CSCvp92030

unable to create ATZ policy using supported special character

CSCvq13294

SXP Mappings bulk download is slow over pxgrid

CSCvq69138

Change logging level of 90140 INFO PassiveID: Message parsed syslog to DEBUG

CSCvq42847

ISE: "Posture failed due to server issues" error during System scan on MAC OSX

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 9

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.

The following table lists the resolved caveats in Cisco ISE 2.4 Patch 9.

Patch 9 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.


Note

After the patch is successfully installed, sometimes you may see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm. You can ignore this alarm.


Caveat ID Number

Description

CSCvd88480

Location filter for ERS Network Device get-all API fails

CSCvf17323

Normalized Radius:SSID not matched after CoA in the same session-ID

CSCvf33851

ISE 2.1+ RBAC: not able to manage endpoints and assign static identity groups

CSCvh64185

Some information is missing when session details are sent from ISE to FMC via pxGrid

CSCvi27613

Endpoints keeps profiling even though profiling is disabled

CSCvi65932

Blank pop-up in Sponsor Portal if customField contains "null" value

CSCvj02829

SCCM MDM attribute LastPolicyRequest is not converted correctly in ISE

CSCvj31598

Import two CA certs with same subject name

CSCvj83747

ISE Secure Access Wizard Easy Wireless null AD groups for BYOD, Secure Access, Sponsored guest flow

CSCvk52874

ISE does not provide the expected values in the context of EAP chaining

CSCvk76680

ISE-PIC self signed certificate delete operation fails due to Secure Syslog Server reference error

CSCvm00481

CA Service still running on command line after disabling internal certificate authority in Web UI

CSCvm01627

ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes"

CSCvn66198

Sponsor portal doesn't refresh the accounts after deleting users and requires a manual refresh

CSCvn85484

Removing SCEP RA Profile causes the associated CA chain to be removed from Trusted Store

CSCvo48975

ISE downloads unnecessary RA certificate for BYOD

CSCvo56989

Json SearchResult gives the href value as NULL

CSCvo74766

ISE DACL syntax checking validation failing on wildcard notation

CSCvo75376

pxGrid node name limit too short for FMC

CSCvo78171

ISE 2.4 Patch 6 installation breaks FQDN of Sponsor and MyDevices Portal

CSCvo82021

Memory usage discrepancy in GUI and show tech

CSCvo90393

COA failure in Radius+PassiveID flow

CSCvo92284

While saving IP SGT static mappings changes, "Discard changes you have made" message is displayed

CSCvo98554

After Importing ISE PB to ISE, Login page are not loaded

CSCvp05303

Provisioned Certificates are not deleted after revocation

CSCvp05936

Adding DEFCON matrix pop-up title needs to be changed

CSCvp07591

Active Directory Machine authentication fails with error "22040 Wrong password or invalid shared secret"

CSCvp12131

ISE 2.4 Patch 6 reload breaks backups

CSCvp12685

Cross-Site Request Forgery (CSRF) [OWASP_CSRFTOKEN bypass]

CSCvp13378

PassiveID flow should send User's SamAccountName and ExplicitUPN

CSCvp14725

ADNormalizedUserName field missing in some of the sessions

CSCvp16734

Plus Licenses consumed without Plus features

CSCvp17444

RSA or RADIUS Token user with Valid account and credentials gets a blank page when trying to login to ISE Admin portal if the account doesn't exists under Access > Administrators

CSCvp18692

AD User information not shown in Context Visibility page

CSCvp19632

Policy sets order mismatch when exporting as XML

CSCvp23869

ISE TLS 1.0 and 1.1 security settings are not applied for PxGrid, causing WSA to fail integration

CSCvp29197

ISE 2.4p3 Radius livelogs not displayed due to invalid NAD ip address

CSCvp29278

Cisco Identity Services Engine Blind SQL Injection Vulnerability

CSCvp29413

Modifying Radius attributes to send in the request to External RADIUS Server is not working on ISE

CSCvp29572

Enable Pxgrid Profiling Probe setting is not working properly

CSCvp33593

ISE fails to match authorization policy with endpoint ID group "unknown"

CSCvp33598

ISE deletes all endpoints if MAC address is deleted twice at the same time

CSCvp33862

Custom Attribute (advanced filter in CV) not able to filter on risk score (integer value)

CSCvp37101

Application server crash is observed when an AD Join operation is attempted via GUI under Administration > Identity Management > External Identity Sources > Active Directory

CSCvp37238

TACACS/AAA live log report not showing configuration change made from ACI

CSCvp40082

ISE 2.3/2.4 upgrade to the latest patch may break dynamic redirection for third party NADs

CSCvp40398

Cannot configure scheduled config and operational backup with start date same as current day

CSCvp48710

Unable to add AD group if it contains "/." or "/.." in the AD group name

CSCvp50450

ise-elasticsearch.log files not purged in ISE 2.4 and 2.6

CSCvp50557

Changing max user global settings is not logged in change configuration audit

CSCvp51033

GUI Context Visibility report export slowness

CSCvp52201

Replication: Cluster information table has old FQDN

CSCvp54949

BYOD flow is broken in IOS 12.2

CSCvp54992

BYOD provisioned profile doesn't automatically configure EAP TLS in IOS 12.2

CSCvp58945

Import of network device template throws error "Failed illegal value for Encryption key"

CSCvp59286

Multiple Vulnerabilities in struts2-core

CSCvp60359

Upgraded ISE Node shows LDAP Identity Store password in plain text

CSCvp62113

Enforce NMAP skip host discovery and NMAP scan timeout

CSCvp65711

ISE 2.4 P8 posture scan running when an endpoint switches to a wired network not configured with dot1x

CSCvp65816

"Cisco Modified" Profiles are overwritten by the Profiler Feed Service

CSCvp73076

Log Collection Error - Session directory write failed when AD Probe Session is inserted

CSCvp76911

Deploy button is missing in the Matrix page when Multiple Matrices workflow is enabled

CSCvp77008

ISE LogicalProfile appears under Custom attributes in Context Visibility page when custom attributes are configured

CSCvp86406

Unable to add network device with combination of any digit followed by () in Software Version field

CSCvp93901

Enhancement to publish the following attributes via pxGrid: ADUserSamAccountName, ADUserQualifiedName, ADHostSamAccountName, and ADHostQualifiedName

CSCvq15329

Restore failing for scheduled backup

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 8

The following table lists the resolved caveats in Release 2.4 cumulative patch 8.

Patch 8 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.


Note

After the patch is successfully installed, sometimes you may see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm. You can ignore this alarm.


Caveat ID Number

Description

CSCvh54905

Identity Admin cannot see users under Identities tab

CSCvj83362

Include hostname in posture assessment reports

CSCvk34232

Posture remediation files are limited to 50MB

CSCvn35142

ISE 2.3 : Posture report for endpoint by condition not working as expected

CSCvn44171

Network access user with external password cannot be used as ISE admin

CSCvn52886

User name from WMI information is deleted on receiving a DHCP custom syslog for same endpoint

CSCvn55560

ISE 2.3 after applying patch 5 creation of EOB Guest user does not work

CSCvn58964

ISE 2.4 slow database response with 500 authorization policies

CSCvn60787

Emails are not sent for alarm specific email configuration

CSCvn61139

Smart Licensing agent thread lock causes GUI login delay in ISE 2.2

CSCvn64652

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

CSCvn65317

ISE not able to assign guest account to the same guest type used for previous user

CSCvn67160

ISE 2.4 Unable to modify proxy settings when proxy bypass list contains carriage return symbol

CSCvn67199

Cannot filter Context Visibility by 'NAD Port ID' when using "/" character

CSCvn69854

ISE includes only one prrt-server file in support bundle

CSCvn70558

MDMServerReachable does not work for SCCM MDM again

CSCvn70680

ISE expired license can't be deleted if number of Base and Wired Licenses are not matching

CSCvn72150

Nodes have high IO spikes frequently in VM performance reports

CSCvn72918

ISE TrustSec policy difference alarm description is not accessible

CSCvn75396

Authentications are displayed incorrectly in "Top N Authentication by Failure Reason" report

CSCvn76567

ISE 2.4 - IP-SGT bindings disappear from SXP for user session

CSCvn79043

ISE 2.4 Live Logs Not Filtering

CSCvn79557

ISE : Custom user attribute change does not reflect changes in configuration change audit report

CSCvn79569

App status for ISE is in initialisation state

CSCvn85498

ISE 2.4 : InactiveDays attribute update with disabled profiling

CSCvn87918

IPV6 based client provisioning portal is not working on default port 8443

CSCvn92246

ISE: admin users unable to delete or modify groups if a tacacs user is saved without any group

CSCvn92778

Removal of unused logical profile may cause a wrong authorization result

CSCvn98932

Non-existent DACL is not verified by the ISE

CSCvo05269

[ISE 2.4]Unable to use created profiling policy in authorization condition

CSCvo09945

Backups from SFTP repository may show incorrect year in Modified time

CSCvo13269

ISE does not allow to add an SGT

CSCvo13626

ISE : Improve Posture Assessment by Condition Report export rate for higher records (millions)

CSCvo17704

ISE 2.4 - CLI password will not accept 3 $

CSCvo18247

ISE: failed to skip duplicate framed-pool attribute during migration

CSCvo19076

ISE endpoint purge ACTIVEDIRECTORY dictionary is not loading

CSCvo23340

TACACS+ Admin Group access denied when navigating to Work Center > Device Admin > Identities

CSCvo28092

ISE Custom Endpoint Attributes - Will not save or delete

CSCvo28578

ISE 2.3 - Location info and IPSEC info are reversed in order in Network Device Groups for some NADs

CSCvo30170

Guest portal client provisioning customization text doesn't save

CSCvo33696

ISE2.4 doesn't reset failedLoginAttempts after successful login of internal users to network device

CSCvo35516

Device Sensor not able to correctly parse DHCP attributes via RADIUS probe

CSCvo36837

Admin group cannot get access to "Users" at "Device Administration" tab after install patch 5

CSCvo42165

Default python change password script returns CRUD operation exception

CSCvo45582

Internal Administrator Summary report not allowing to select specific columns

CSCvo45606

ISE:WMI-Passed values may compromise the security of ISE. Please remove malicious scripting terms

CSCvo48352

CSV file of RADIUS authentications report may have duplicate records

CSCvo49521

ISE Adds an additional character at the end of OperatingSystemVersion

CSCvo51295

ISE 2.2 Sponsor: Single click approval displays wrong message after clicking on approval link twice

CSCvo61888

Device Administration Current Active Sessions report not available from 2.4 P6

CSCvo61900

System Scan throws internal error for MAC built-in FW remediation

CSCvg70813

ISE dmp files are not deleted from /opt/oracle/base/admin/cpm10/dpdump for failed backup attempts

CSCvh19430

ISE 2.x : Guest account activation time discrepancy for imported accounts

CSCvh22907

Sponsor Portal Page takes more than 10 seconds to load

CSCvi21737

ISE 2.2 has too many journal files.

CSCvi29759

Samsung S7 and S8 profile

CSCvi51291

ISE CoA doesn't work 2 days after initial auth

CSCvi68744

Surplus of License Files can Cause Excessive Login Delay--ISE

CSCvi80094

ERS API that requires CSRF token returns HTTP 404 instead of 403

CSCvj08392

ISE SNMPv3 User still display on "show snmp user" after delete snmp-server user

CSCvj72647

ODBC attribute retrieval not working properly with EAP chaining

CSCvj75478

Device network conditions missing

CSCvj81752

URT Fails at Import Due to ORA-31684

CSCvj90273

Multi-NIC Windows/macOS: ISE Posture Module Maps VPN IP to MAC Address of a Disconnected Interface

CSCvk29087

Master Guest reports takes 30+mins to display

CSCvk50720

ISE 2.2 : Network devices page is not loading

CSCvk59716

Domain Admins are not able to edit Sponsor accounts properly

CSCvk61386

ISE not showing filtered NADs

CSCvk70748

High CPU and High Auth Latency and OOM condition on PSN nodes

CSCvm05840

NAD CSV imports should allow all supported characters

CSCvm07718

TACACS/RADIUS shared secret key disappears after highlight and then command/control + C

CSCvm63427

Cisco Identity Services Engine Password Recovery Vulnerability

CSCvm87060

ISE 2.x : Remote forest Active Directory controller failover prolonged time

CSCvm87292

Unable to integrate Tenable adapter to ISE 2.4 & 2.5 2.2 2.3

CSCvm90478

"No Data Available" when attempting to add endpoints to Identity Group with RBAC User

CSCvn01551

Failed to upload AC packages of file size > 50MB on ISE->Agent Resources

CSCvn10971

ISE: Rebooting associated site-specific GC does not result in failover to other GC

CSCvn12229

log4j.appender.ACS-FILE.MaxBackupIndex is not working in ISE

CSCvn15670

SL Server is getting overloaded with ISE auth renewals

CSCvn21926

Parser error seen with Threat Centric NAC CTA Configuration irrespective of ise version

CSCvn24392

Certain characters are not being parsed properly

CSCvn24568

Network Device Filtering Returns Only First IP Range When Multiple Ranges Are Configured

CSCvn27022

Limited access user getting "failed to fetch network device group" when accessing NAD

CSCvn27325

Posture policy with Tunnel Group Name in condition is not hitting

CSCvn39504

TACACS authentication details displays blank page

CSCvn39998

Pullout reports from Authentication Summary report is showing empty report.

CSCvn40822

Guest creation fails ISE 2.3 after patch 5

CSCvn56754

Live sessions record is not getting updated with new username (and/or) new IP address.

CSCvo41052

ISE deleting the newly created IP-SGT mapping

CSCvo11090

Able to delete ACI IEPG in ISE.

CSCvo24593

pagination is not working in "All SXP mappings" page in ISE.

CSCvo32279

APIC logs not seen in sxp.log when SXP logging set to 'DEBUG'.

CSCvo35144

Delay in clearing of SXP mappings in ISE.

CSCvo43289

ISE truncates the SGT name after a "-" character and assigning a version id

CSCvo29478

ISE 2.3 P5 ISE doesn't allows to delete SGT tag from GUI although it is not referenced

CSCvo45768

Adding config to support PrA in PSN failover case

CSCvm81230

Cisco Identity Services Engine (ISE) Arbitrary Client Certificate Creation Vulnerability

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 7

The following table lists the caveats that are resolved in Release 2.4 cumulative patch 7. Patch 7 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.

Caveat ID Number

Description

CSCvn90651

This is an enhancement to implement master node APIs for multi-DNAC support in Cisco ISE.

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6

The following table lists the resolved caveats in Release 2.4 cumulative patch 6.

Patch 6 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

Caveat ID Number

Description

CSCux55288

Guest remember-me breaks ISE Guest Activity Logging

CSCuy41309

ISE 2.x Unable to delete endpoint from endpoint group

CSCuz00603

Unable to add duplicated mappings to multiple SXP VPNs

CSCvb17967

ISE fails to read response from MDM with special characters

CSCvb45390

Collection Filters configured with User name is not working for TACACS Author/Acct

CSCvc06629

[ISE] SMS notifications in non-English containing <BR> HTML tag

CSCvd79952

EasyConnect CoA not sent after session merge in distributed deployment

CSCvf03310

ISE email notifications to guests sends twice email for approval and guest user

CSCvf19364

ISE 2.2 no patch, SXP process fails when trying to create network subnet static mapping

CSCvf30591

ISE 2.2: Disabled password Lifetime, however getting reminder for account expiration.

CSCvf75225

ISE 2.1-P3 || high CPU seen in PAN due to 100K limit in redis

CSCvg86743

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

CSCvh09779

ISE 2.x TACACS log extremely slow

CSCvh11308

Cisco Identity Services Engine Logs Cross-Site Scripting Vulnerability

CSCvh31565

ISE fails to re-establish TCP syslog connection after break in connectivity

CSCvh83222

ISE: Need a report/dashboard for total unique endpoints

CSCvh91118

Flexibility needed to choose the time intervals in disclosing the user name for failed auth

CSCvh97544

Short CPU spikes can be observed when client didn't respond and ISE is used as RADIUS Proxy

CSCvi21043

Library conds referred in policies are getting deleted; evaluation is giving deny access

CSCvi30462

Bulk guest import does not work when logged into sponsor portal using SAML provider

CSCvi37480

SNMPv3 COA failures on ISE using HP switches

CSCvi41678

Endpoint Attributes not updated in context visibility

CSCvi42404

validDays does not match span of fromDate to toDate for ERS created guests

CSCvi43687

ISE 2.2 Endpoint export may contain duplicate entries

CSCvi48298

Policy Hit count value gets nullified while click on REFRESH button.

CSCvi50320

EST Service not running when ISE iseca folder missing

CSCvi61204

ISE 2.1 Endpoint Purge policy is matched but job halts during execution.

CSCvi67780

ISE Internal CA : SAN ext validation fails if it isn't the first entry in RequestedExtensions in CSR

CSCvi68271

ERS API get all endpoints not returning description field as stated in documentation

CSCvi97332

Unsupported character Backslash has to be added to the UI error message while creation of admin user

CSCvi99561

AC 4.6 Application enforcement is not working for Torrent

CSCvj01047

Password length limitation when adding DC's in the PassiveID section of 32 characters.

CSCvj05563

Cannot delete security groups having virtual network mapping

CSCvj24095

Unknown Radius Flow is set to RadiusFlowType when updating ExternalIdStoreDictionary

CSCvj25696

User customer attributes order doesn't change after drag drop and save.

CSCvj31243

ISE 2.3 AD Group SID Update fails for Groups referenced in the policies

CSCvj50257

Active endpoints are mismatched from expected value

CSCvj57593

SNMP CoA is not sending correct SNMP traps

CSCvj62592

Cisco Identity Services Engine (ISE) Java Deserialization Vulnerability

CSCvj62599

Cisco Identity Service Engine (ISE) unsafe deserialization in Adobe Action Message Format (AMF)

CSCvj62614

Cisco Identity Services Engine (ISE) File Upload Code Execution Vulnerability

CSCvj63376

ISE 2.2 VPN MDM- Compliance not updated from MDM Compliance Checker for active session

CSCvj64763

DNAC-ISE:Pxgrid failover fails with 2.4 patch1 with DNAC - ISE Integration

CSCvj65552

ISE 2.4 Backup Input Validation does not occur on backup name characters

CSCvj67414

ISE HSTS Max-Age parameter is too aggressive, no includedDomains flag

CSCvj72699

ISE stops publishing SXP mapping

CSCvj73152

Enable VLAN DHCP release breaks guest flow for ISE 2.4

CSCvj77878

pxgrid: XMPP Cleartext Authentication

CSCvj92976

ISE : Incomplete error message while importing an icon under Network Device Profiles

CSCvj95709

Enable pxGrid in FIPS mode

CSCvj99698

Guest password is not reset if Sponsor does not have rights to view the Guest Password

CSCvk01682

ISE allows importing multiple instances of same language in portal setup

CSCvk04424

Changed name for My Reports against Policy Set match removes the delete option from My Reports

CSCvk10156

RBAC SuperAdmin Data Access overwritten by read-only data access for Network Device Groups

CSCvk23161

ISE stops responding to TACACS requests.

CSCvk23532

Remove GMT portion from $ui_start_date_time$ and $ui_end_date_time$ on Email Notifications

CSCvk27295

NMAP fails to execute when an EP matches a Admin Created profiling policy

CSCvk28847

ISE sponsor's e-mail should not be in CC when view/print guests' passwords is disabled

CSCvk38374

ISE 2.4 Sponsor-Group OWN_ACCOUNTS email association

CSCvk39421

ISE offline profiler feed service unavailable 17/07/18

CSCvk40105

Editing guest user throws pop up error when creating with java scripts in first and last name

CSCvk48315

Live sessions are not seen in ISE Live logs page in ISE 2.4

CSCvk51906

DST changes are not honored by the shift job which is causing the data movement issues on MNT nodes

CSCvk55285

ISE doesn't validate the data type date in the custom endpoint attribute

CSCvk58134

SAML authentication is showing wrong Identity store in Sponsor Login and Audit report

CSCvk59357

Admin warned of license non-compliance even after adding new licenses

CSCvk68196

SNMPv3 profiling works only with DES or AES128 privacy protocol

CSCvk70087

SecureSyslogCollectors should be disabled by default on remote log targets.

CSCvk71816

ISE ADE-OS - when trying to change timezone there should be a warning stated it is not supported

CSCvk72606

ISE- Can login to GUI with disabled admin accounts.

CSCvk74190

Radius Token Identity Caching Timeout not Configurable

CSCvm00127

ISE sponsor email customization doesn't add image properly

CSCvm03842

PxGrid SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection - CVE-2009-3555

CSCvm09377

HTTP Request Header for ISE fails if it contains @ in email

CSCvm09493

ISE 2.4 | Unable to save multiple custom attributes at once

CSCvm11230

Customer sees no data available for this record for "Details" page in Live Logs

CSCvm12105

ISE 2.3 not hitting policy with Session BYOD-Apple-MiniBrowser-Flow condition

CSCvm12281

ISE 2.3 Context Visibility Authentication Policy column is blank.

CSCvm12443

ISE should not send alarm for 'ERS-Media-Type' not present in ERS header

CSCvm14030

Evaluation of positron for Struts remote code execution vulnerability August 2018

CSCvm15059

ISE 2.1+ : Identity Source Sequence info button information is wrong for Sponsor Portal

CSCvm16060

Cannot Disable Telnet Change Password

CSCvm16523

ISE 2.3 to 2.4 upgrade is failing with error "nodes are not on the same ISE patch version"

CSCvm16952

Oracle Security Alert Advisory - CVE-2018-3110

CSCvm20561

ISE 2.x || Cisco-Device profiler policy missing the tandberg OUI as a condition

CSCvm21147

ISE: After upgrading to ISE 2.4 schedule backup are not working.

CSCvm22262

AMQP Cleartext Authentication Vulnerability

CSCvm26334

Endpoints not re-profiled after config restore and import new profiles

CSCvm27249

PassiveID Probe hprof files in temp folder

CSCvm29583

ISE AD lookup broken due to non-whitelisted domain lookup failing

CSCvm31919

IE11 : Trash icon linked to MAC address search box in Context Visibility

CSCvm32107

Unable to delete Root Network Device Group

CSCvm32303

Rest API- Unable to retrieve Guest User Details using ToDate filters

CSCvm33217

AD groups with more than one space doesn't allow authZ policy to be saved

CSCvm33673

Difference between Oracle and ES in terms of description

CSCvm34694

Newly created Network Device Model Name and Software Version are not present in GUI

CSCvm39902

Maintain Connectivity During Reauthentication option not working

CSCvm39909

Live log detailed reports shows msec instead of seconds for session timeout

CSCvm41485

ISE 2.3 : Unable to access NFS repository and scheduled reports not working using NFS respository

CSCvm41759

'Error 400' after pressing Sign Out on the Manage Guest Accounts page.

CSCvm45072

OWASP ZAP reports Cross Site Scripting (DOM Based) on pxGrid Web application

CSCvm45330

pxGrid cert change causing onAuthzRequest DENIED

CSCvm45941

ISE 2.4 not sending "Framed-IP-Address" attribute in profile when using leading zero

CSCvm47317

30+ GB files left behind after successful ISE 2.4 upgrade

CSCvm47507

Changes made in allowed protocols is missing in change configuration audit reports

CSCvm47638

ISE-secondary node doesn't send COA when guest account gets suspended or deleted

CSCvm48075

Manual CoA fails from Context Visibility if user never accesses Live logs or Live Sessions prior

CSCvm49084

ISE PB portal files are not restored with a restore of an old backup

CSCvm49503

WasMachineAuthenticated EQUALS False No Longer Parsed in Runtime--ISE 2.4

CSCvm57650

BYOD TLS not working for IOS 12 FCS release

CSCvm61134

SXP debug logs are not dumped in sxp.log unless services are restarted

CSCvm62783

'EST-CSR-Request' dictionary condition does not work

CSCvm62862

Cisco Identity Services Engine Logging Cross-Site Scripting Vulnerability

CSCvm66696

ISE 2.4 Conditional CoA failure upon EndPoint Identity Group change

CSCvm66751

Guest AUP: AUP acceptance is triggering replication event

CSCvm67561

Accounting messages from ASR1K not saved and not shown in ISE Reports

CSCvm69965

Chrome:Cannot create new ByoD portal

CSCvm70470

"Max Sessions" value cannot be applied on GUI after applying 2.2p10 or 2.3p4

CSCvm71860

Cisco Identity Services Engine Reflected Cross-Site Scripting Vulnerability

CSCvm71871

Cisco ISE Path traversal issue

CSCvm72187

ISE 2.2 | Guest self registration portal doesn't sort timezone list correctly

CSCvm72309

AD Probe failing to find the computer object with FQDN

CSCvm73506

Alarms: Profiler Queue Size Limit Reached

CSCvm73626

Sponsor creating random accounts for time restricted guest types fails

CSCvm74423

ISE 2.4 - Guest users aren't getting emails automatically while importing from CSV

CSCvm74605

ISE: EAP-FAST prefers cached AD DN over new DN after changing the Account OU

CSCvm75687

MyDevices Portal: Can't change device status on a PSN running with secondary PAN.

CSCvm75765

ISE -"user's email is not valid" unable to create User for top level domains other than .com .in etc

CSCvm75790

SAML with ADFS is broken with 3rd party NAD

CSCvm76717

ISE 2.4 Replication failure causing nodes to go out of sync after LAN automation

CSCvm79293

ISE2.2 TACACS doesn't apply the command sets after long REGEX argument

CSCvm79609

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

CSCvm79618

Cisco ISE Local Privilege Escalation Vulnerability

CSCvm80914

ISE 2.4 Scheduled backups not working. Can be seen in gui

CSCvm81243

endpointcert/certRequest API call causes Internal CA Service to Crash in ISE

CSCvm82504

Request to increase Radius Token Server password caching to 900 seconds or later

CSCvm86244

Inner Execution Context is not fully iuodated from API Execution context

CSCvm86699

ISE CAC or certificate login does not populate external groups under new admin group

CSCvm87685

Menu access duplicate is failing with plus sign

CSCvm88149

Account Disable Policy 'Disable accounts after days of inactivity' is incorrectly calculated

CSCvm89126

ISE 2.3 patch 5 : NAD / AAA server address is not specified.

CSCvm89837

Lost and Stolen buttons stay disabled on My Devices portal if Japanese GUI used

CSCvm90359

pxGrid debug "warn" level causing XCP to stop running

CSCvm91202

Cisco Identity Services Engine Password Recovery Vulnerability

CSCvm92317

ISE Kerberos Authentications are incrementing AD bad password count by 2

CSCvm93821

Authorization policy evaluation failing intermittently when using identity group as condition

CSCvm98407

Show members delays to retrieve the N/w devices in NDG page

CSCvm99398

SGACL Push in large scale NAD environment causes High CPU on PAN

CSCvn01019

Modify existing Network Device Profiles, grayed SAVE button

CSCvn04051

ISE 2.4: Details of 'error 500' missing in REST API query after patch 1 installation

CSCvn11424

PassiveID Management Logs Show Database ID instead of DC Name

CSCvn12114

Need to add Internal User Group in Certificate Authentication Profile

CSCvn12442

Under heavy load, ISE live logs stop working on ISE 2.3

CSCvn13802

ISE 2.4 :Unable to import network devices if shared secret contains "<"

CSCvn17210

ISE importing EMPTY cells in trustsec matrix doesn't overwrite existing content of cells

CSCvn18758

Profiler definitions for OSX Mojave (10.14) are not available in ISE 2.4 latest patch.

CSCvn21316

ISE: logwatch process failed with ::1 fatal error

CSCvn22251

ISE 2.4 patch 4 reduces I/O read Speed

CSCvn23570

ISE: Import Network Device does not conform to admin access permissions

CSCvn24356

pxGrid not handling invalid xml characters for publish and download

CSCvn25367

VCS pages Auth/Endpoint tab shows blank pop up msg.

CSCvn29633

ISE does not follow the capabilities of the Listener.

CSCvn31277

ISE: Trustsec alarm doesn't have SEVERITY level and its greyed out.

CSCvn31755

400 Bad Request when logging out Sponsor Portal

CSCvn33441

RBAC permissions do not propagate for admin users who login ISE with AD

CSCvn33534

Report logs cannot be fully displayed with "last 30 days"

CSCvn35579

SXP connection between ISE and IOS Devices stuck in DeleteHoldDown state

CSCvn36029

Date in Unix Epoch format when context visibility is exported

CSCvn37048

ISE 2.x || ISE syslog message code (59200-59208) are not being used in ISE currently.

CSCvn40645

2.4P5:In 3 node deployment After Rollback of P5 PSN went down

CSCvn50203

ISE 2.4p5 - ACI integration - Not all IP_EPG mappings on ACI is imported by ISE

CSCvn51282

ISE replaces "ip:" to its hostname in "ip:inacl" Cisco AV-Pair

CSCvn52114

Process failure using external radius token server authentication

CSCvn55640

Manage ACC calling infinite time when sponsoruser configured with permissions ALL&GROUP sponsor grps

CSCvn56648

When individual policy set is reset, other policy set hit counters are reset to 0.

CSCvn59383

ISE 2.3 patch 5 issue when creating guest user on sponsor portal using special character

CSCvn59502

ISE DACL syntax checking is not properly catching errors

CSCvn62164

ISE should support internal users with Special char colon : character to be at parity with ACS

CSCvn62788

TC-NAC configured with Qualys shows Not Reachable.

CSCvn67968

ISE stops responding to IPv6 hosts in its own subnet after adding IPv6 route.

CSCvn79861

ResetAll Hitcount Button not resetting hitcount value in Firefox browser

CSCvn81631

Cores being consistently generated on every node after upgrading from ISE 2.4 to 2.5

CSCvn92528

ISE 2.4 : Misconfigured supplicant query is one of the reasons for high CPU on both MNT nodes

New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6

Identity Caching in RADIUS Token and RSA SecurID Server

Identity caching is used to allow processing of requests that do not perform authentication against the server. You can enable the identity caching option and set the aging time in minutes. The default value is 120 minutes. The valid range is from 1 to 1440 minutes. The results obtained from the last successful authentication are available in the cache for the specified time period.

This option is disabled by default.

Open Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6

Caveat ID Number

Description

CSCvo75376

pxGrid node name limit is too short for Cisco Firepower Management Center (FMC)

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 5

The following table lists the resolved caveats in Release 2.4 cumulative patch 5.

Patch 5 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

Caveat ID Number

Description

CSCvj86877

SFTP Connect Error

CSCvm03681

EAP-FAST doesn't support correct key generation in TLS 1.2

CSCvm91034

pxGrid : EndpointProfileMetaData not propagated with Pxgrid V2

CSCvm93698

AD authentications are failing after applying 2.2 P11/ 2.4 P4

CSCvn09504

TC-NAC configured with Qualys shows Not Reachable.

CSCvk13724

EPG mappings not created on ISE

CSCvn17524

ISE Apache Struts CVE-2016-1000031 Vulnerability

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 4

The following table lists the resolved caveats in Release 2.4 cumulative patch 4.

Patch 4 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

Caveat ID Number

Description

CSCuq95531

Diag Tool: For DNS A Record tests change status failed to warning

CSCuz52877

ISE21- Auth inactivity alarms every 15 mins

CSCvh25718

ISE doesn't convert guest username to lower case if credentials used in 802.1x, not on portal

CSCvh74979

Reset-config is reverting the fixes of patches and causing the issues.

CSCvi10363

ISE: Remove state attribute from access accept packets.

CSCvi50536

Evaluate ISE for Apache Tomcat February 2018 Vulnerabilities

CSCvi58316

ISE : URT fails due to upgrading the ACS to ISE migrated setup.

CSCvi85159

Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability

CSCvi88520

Message Catalog Displaying Only the Message Code 89006 but Not the Rest

CSCvj36442

Network devices page fails to paginate as shared secret is in plain text

CSCvj44088

ISE: While registering getting the error: Unable to register the node <fqdn> Version: 0.0.0.0.

CSCvj57771

General Patch Management - Red Hat Linux(Critical/High)

CSCvj57967

Application check works in opposite logic

CSCvj70896

Failed to get sgt name from sgt tag: 5 or sgt is read only, or isPropgateToAPIC is false

CSCvj97277

Fix for CSCvf68738 does not allow legitimate CA certificate refresh

CSCvk07631

ISE 2.2: Hot Spot portal users asked to accept the AUP more than once

CSCvk09597

VM License Thresholds Mismatch Platform definitions

CSCvk10303

ISE 2.4 Trustsec Dashboard Query performance

CSCvk10454

Adding Node to deployment does not add the Profiling OUI data

CSCvk10674

ISE 2.4 Windows PC behind IP phone being profiled as Cisco-IP-Phone-8851

CSCvk12450

Regression: Windows 8/10 clients incorrectly profiled as windows7 due to feed policies

CSCvk13569

"ERROR_NO_SUCH_USER" due to ISE ADRT mis-identifiing a child domain name as root forest domain

CSCvk16959

ISE 2.4 no patches : unable to load network devices page

CSCvk19766

ISE 2.4 MnT session & Auth API response is not populating 'other_attributes' section

CSCvk40421

Not able to delete certificate from trusted page

CSCvk43032

Wrong number or types of arguments in call to 'COLLATIONDAILY_PURGE',HOURLY_STATS_JOB

CSCvk51667

ISE: "Manage accounts" gives 400 HTTP error if sponsor portal is configured for SAML authentication.

CSCvk55065

ISE 2.4 PxGrid queries against Secondary MNT resulting in collector crashing

CSCvk61086

ISE 2.4 2.3 2.2 2.1 2.0 : NFS repository credentials are not used

CSCvk65898

ISE 2.4 : Social Login e2e flow fails due to recent changes done on Facebook side

CSCvk71161

ISE 2.4 excessive profiler syslogs sent to MNT

CSCvk74356

ISE 2.4 Cisco Prime querying ISE session API could cause high CPU utilization on Monitoring Nodes

CSCvk74989

Certificate parameters not persistent after DNAC trust re-establishment

CSCvk75544

Authentication Summary Reports show "no data available" for Radius and TACACS

CSCvk76510

ISE 2.4 Core dump on primary node: SIGSERV in GenericConfigObject::getAsNested(unsigned int) const

CSCvm02478

CISCO Network Setup Assistant APP Not Available on GooglePlay

CSCvm05439

ISE cores on LDAP test server after DNAC establishment when same chain used

CSCvm05499

ISE CoA sends NULL value for NAS-Port-Id

CSCvm11175

ISE custom endpoint attribute type String doesn't allow numbers only

CSCvm11595

LiveSessions are not showing on GUI because user name having unicode characters

CSCvm12575

ISE context visibility endpoints import fails with custom endpoint attribute date

CSCvm17749

400 Error Seen In Guest and Sponsor Portal due to portal session deletion

CSCvm17795

Config Backups triggered from GUI hangs at 45% during ES backup

Open Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 4

Caveat ID Number

Description

CSCvm93698

AD authentications fail after installing ISE 2.4 patch 4. The following error may be seen in ad_agent.log: Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE

CSCvm75266

ISE 2.4: Possible kernel memory leak

CSCvm72528

ISE 2.4 patch 3: COA is not working for CTS role based policy

CSCvm90852

Unable to use SFTP server as a repository in ISE 2.4 patch 4

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 3

The following table lists the resolved caveats in Release 2.4 cumulative patch 3.

Patch 3 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

Caveat ID Number

Description

CSCvd78169

CDP Attributes not added to EP via SNMP Query

CSCvf75968

Multiple Vulnerabilities in httpasyncclient

CSCvf82350

US27030 - Fix VPN Session to MAC Mapping

CSCvg46899

ISE 2.2 user may be redirected again after AUP acceptance on Hotspot portal

CSCvh54726

ISE: Failure to retrieve AD groups for Intel AMT supplicant username format

CSCvh91996

Matched AuthC and AuthZ rules in Monitor Only mode showing in GUID but not names

CSCvi03093

Purging doesn't work if Identity group name was changed/ change is not reflected to purge policy

CSCvi06525

Single click approval sponsor not seeing self-registered guest with implicit/explicit UPN

CSCvi23542

ISE doesn't fail-over to other available DCs when receiving STATUS_ACCESS_DENIED (0xc0000022) from DC on authentication attempts

CSCvi31965

ISE High Authentication Latency due to lookup in Internal Endpoints

CSCvi66786

Corefiles are being generated due to timesten crash in MNT node

CSCvi74182

Log Collection Error : null alarm

CSCvj02644

Customer sees blank "Details" page in RADIUS Live Logs

CSCvj37364

The content changes for imported guest notification template is not working.

CSCvj38428

Changing status of Network Access Users doesn't appear on audit report

CSCvj41029

User domain name may remain empty in session when ISE passive-id AD agent or MS WEF is used

CSCvk48105

Sponsor created guest have a previous guest account email CC'd

CSCvk57963

ISE 2.4 patch 2 install brings application services down due to integrity checksums failure

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 2

The following table lists the resolved caveats in Release 2.4 cumulative patch 2.

Patch 2 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.1.0.53 or later.

Caveat ID Number

Description

CSCvc71503

Jedis connections back to pool - broken connections (due to timeout)

CSCvf20208

ISE Posture PRA timer expires to non-compliant

CSCvf52213

ENH: ISE CLI support for MTU configuration on interfaces

CSCvg75818

Upgrade from ISE 2.2 to 2.3 fails on "CREATE UNIQUE INDEX CEPM.PKUPSABSTRACTTYPE_ATTRIBUTES"

CSCvh86466

PassiveID: WMI queries DC cause memory increased issues on DCs (Microsoft WMI memory leak)

CSCvi29600

Sponsor Groups are not merging results with AD Sponsor groups when Internal user uses AD password

CSCvi50542

ISE Telemetry Scheduler to be Configurable

CSCvi51021

No data available in context visibility if there is no plus/advanced license - Standalone node

CSCvi73782

Static Group Assignment dropping due to DHCP Probe

CSCvi79632

In case of no accounting activity, live session retains all session post 5 days period

CSCvi82192

Generate pxGrid Certificates page doesn't respect cert template RSA key size

CSCvi91353

NMAP scans for custom port 9100 but doesn't report it in nmap.log

CSCvj08379

ISE 2.4 EPSStatus is not updated in Context Visibility properly

CSCvj11319

ISE 2.4 - EST Service not running after upgrade from 2.3

CSCvj11981

SNMPv3 profiler breaks for NAD with security level of no auth after modifying the SNMP polling time

CSCvj13401

ISE "Failed Value for attribute Protocol is mandatory" when importing network device

CSCvj20617

Upgrade to 2.4 fails due to KEK change

CSCvj42529

ISE - API POST 401 Unauthorized 60-90 seconds after successful Guest Create POST

CSCvj47154

ISE2.4 is consuming extra plus license for default authorization policy

CSCvj52267

ISE 2.4 Input validation error for IPv6 subnets under TACACS Device Network Condition

CSCvj66943

ISE not using SSL for LDAP for "Retrieve Attributes" however connects to port 636

CSCvj72180

ENH: ISE: Store new m/c password on ISE side if new password is valid despite RPC error - 121

CSCvj79271

Secondary MNT: incorrect timesten permission issue for the folder Timesten_Data

CSCvj88674

Smart License enable is failing on ISE 2.4 release.

CSCvj90439

SGT used in trustsec matrix should not be allowed to delete

CSCvj92358

After upgrade UDI values of secondary node are missing from sec_hostconfig table

CSCvk28377

MnT persists frequent Accounting Interim-updates without any changes into Database

CSCvk31092

Core: SyslogSecureTCPConnection::updateConnectionData

CSCvi44041

Cisco Identity Services Engine Privilege Escalation Vulnerability

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 1

Caveat

Description

CSCvi36111 Live sessions - NAS IP address Tooltip is duplicated for ipv6
CSCvi47074 Replication failure seen on SXP nodes during SXP connection down
CSCvi48886 Post upgrade - the GuestVLAN doesn't copy the key of omapi.key to DHCP
CSCvi50979 Machine change password interval should be configurable from advance tuning parameter (Kerberos SSO)
CSCvi56003 AUP Link in the Self-Registration form throws Bad Request in ISE 2.4
CSCvi69286 Dashboard > Search : Endpoint details screen doesn't work correctly in Internet Explorer
CSCvj11476 ISE : Wrong error message when deleting a certificate referenced by some resource
CSCvi53593 Wrong msg if trying to issue CoA and no MAC address is selected
CSCvj61368 2.4 P1: ISE Indexing server is not running on secondary PAN
CSCvi38373 ISE Delete All Endpoints in Context Visibility too risky
CSCvh93370 ISE Guest: Incorrect accounting in syslog causes issues
CSCvi06647 Anyconnect configuration - drop menu for compliance module is empty
CSCvi61330 Occasional application restart post Radius/DTLs authentication
CSCvg90863 "Application Configure ISE" left idle for long time causes SSHD to disable
CSCvj17258 ISE 2.4 keeps old DNAC client cert causing new DNAC pxGrid with ISE to fail
CSCvj33336 DNAC1.2: Network devices not getting added in ISE 2.4 after provision
CSCvi49103 Wrong data type for "Enable Multi Shared Secret:String(128)" in NAD CSV export
CSCvg19708 Guest Accounting report broken

Resolved Caveats in Cisco ISE Release 2.4.0.357


Note

Cisco ISE 2.4 Patch 0 has parity with Cisco ISE 2.0 Patch 6, 2.0.1 Patch 5, 2.1 Patch 6, 2.2 Patch 6, and 2.3 Patch 2.


The following table lists the resolved caveats in Release 2.4.

Table 2. Cisco ISE, Release 2.4, Resolved Caveats, Patch 0

Caveat

Description

CSCvf69805 Cisco Identity Services Engine cross-site request forgery vulnerability
CSCvf49844 Cisco Identity Services Engine local command injection vulnerability
CSCvf63414 Cisco Identity Services Engine authenticated CLI denial of service vulnerability
CSCvh51992 Cisco Identity Services Engine authenticated CLI denial of service vulnerability
CSCvf69753 Cisco Identity Services Engine authenticated privilege escalation vulnerability
CSCvf69963 Cisco Identity Services Engine cross-site scripting vulnerability
CSCvg95479 Cisco Identity Services Engine command injection to underlying OS vulnerability
CSCvd38467 BYOD does not work on Apple iOS 10.3.x.
CSCvf29467 Editing multiple client provisioning policies simultaneously hides the results column.
CSCvf33475 Simultaneous configuration and operational backup on same browser is very slow.
CSCvi45925 Newly created dashboard not visible in 2.4 342 build.
CSCvf28877 ISE 2.3 TACACS+ : Unable to add commands to Command Set while editing.
CSCvf32298 ISE 2.3 Sponsor Portal: There is a delay of one minute between the update of the username table and the counter.
CSCvf32394 ISE 2.3 Self-registered guest portal of SMS provider- Global default is always re-selected when other attributes are changed.
CSCvf34216 ISE 2.3: Unable to select Work Center Menu - Guest Access Identity Group upon opening detailed report.
CSCvh05703 'Remember Me' RADIUS live sessions view does not show usernames for guest devices

Open Caveats in Cisco ISE Release 2.4.0.357

The following table lists the open caveats in Release 2.4.

Caveat ID Number

Description

CSCvf30591 ISE 2.2: Disabled password Lifetime, however getting reminder for account expiration.
CSCvg80657 disk maintenance. need automatic and on demand cleanup of ESR 5921 IOS crashinfo files
CSCvg80766 "application configure ise" command ungracefully terminates all CLI sessions
CSCvh20790 "Go to Update Report Page" giving "no data found."
CSCvh22907 Sponsor Portal Page takes more than 10 seconds to load
CSCvh22984 Unable to delete multiple sponsor accounts at once
CSCvh65530 Filter by No of Devices not working in NDG Flat table page
CSCvh69481 Get-All with filtertype=OR not working for some of the objects
CSCvh77969 User Visibility not working after VSW
CSCvh86082 Parsing NMAP smb-os-discovery data should remove &#xa; or \x00
CSCvh93771 Broken admin web ui access with PAT/NAT of HTTPS://<IP>:<port-non-443>
CSCvh95370 Creating Network Device Defaults Device Profile to AlcatelWired
CSCvi48276 AMP in ISE remains connected even after deregistering from cloud
CSCvi48298 Policy Hit count value gets nullified while creating new policies in a specific case
CSCvi60160 Stop All Running Tests not functioning properly in Active Directory Diagnostic Tool
CSCvi85015 Anyconnect Profile for Vlan Refresh - notes is confusing
CSCvi88520 Message Catalog Displaying Only the Message Code 89006 but Not the Rest
CSCvi90269 SXP Device Connection page on ISE UI shows OFF on ISE even when peer is showing connection ON
CSCvj06916 ISE 2.3+ : Authc/Authz policies in a policy set cannot be configured if ext radius sequence is used
CSCvj13757 ISE 2.4 - Unable to acknowledge AD Diagnostic Failure Alarm
CSCvj22303 Endpoint OS is wrongly updated in External Mobile Device Management reports
CSCvj28192 ISE 2.4 GUI tcpdump is not having embedded -s 0 option
CSCvj29551 No warning/error on importing policy based on non-existing custom attributes
CSCvj31598 Enhancement Request: Import two CA certs with same subject name
CSCvj50085 After deleting the end-points from context visibility, homepage shows active end-points as 0
CSCvj50257 Active endpoints are mismatched from expected value
CSCvj54057 Alarm "Trustsec PAC validation failed" need to be enhanced to point the NAD hostname and IP address
CSCvj73152 Enable VLAN DHCP release breaks guest flow for ISE 2.4
CSCvj73550 CTS PAC refresh failed due to EAP-FAST communication failed btw switch and ISE
CSCvj77125 cdpCachePlatform rules not matching for Cisco Wave 2 (aka COS) APs 1800/2800/3800
CSCvj83961 CWA using non-mgmt interface is not replacing secondary interface fqdn for guest flow
CSCvj88164 Remote-Access VPN Posture Sessions showing Base license consumed but no Apex
CSCvj93331 Link to next page is not present in REST response
CSCvk06884 ISE should return 400 HTTP error, not 500 if incorrect data provided for REST call
CSCvk09565 ISE 2.x onwards RFC 3164 is not being followed completely
CSCvk12450 Regression: Windows 8/10 clients incorrectly profiled as windows7 due to feed policies
CSCvk25549 Offline profiler feed update web page is missing the offline feed option
CSCvk34422 Profiler: Feed download - Unable to update FeedEndpointPolicy
CSCvk40421 Not able to delete certificate from trusted page
CSCvk48315 Live sessions are not seen in ISE Live logs page in ISE 2.4
CSCvk55076 ISE 2.4 losing static group mapping due to profiler AD Probe
CSCvk55285 ISE doesn't validate the data type date in the custom endpoint attribute
CSCvk59357 Admin warned of license non-compliance even after adding new licenses
CSCvk65179 error while assigning a certificate to a certificate usage, Unable to access login Portal
CSCvk65898 ISE 2.4 : Social Login e2e flow fails due to recent changes done on Facebook side
CSCvk67692 ISE 2.x: REST API Get-All Internal Users' result has 'next-page' link missing in XML and JSON output
CSCvk68196 SNMPv3 profiling works only with DES or AES128 privacy protocol
CSCvk71555 Unable to configure opposite logic for Application condition
CSCvk72920 ISE does not send SNMP bulk request for CDP after it did once
CSCvk74989 Certificate parameters not persistent after DNAC trust re-establishment
CSCvm01627 ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes"
CSCvm03411 Kernel Side-Channel Attack using L1 Terminal Fault: CVE-2018-3620 and CVE-2018-3646 (Foreshadow-NG)
CSCvm03842 PxGrid SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection - CVE-2009-3555
CSCvm05439 ISE cores on LDAP test server after DNAC establishment when same chain used
CSCvm05840 NAD CSV imports should allow all supported characters
CSCvm06464 ISE: SNMPv3 not sending traps
CSCvm06688 Patch roll back from CLI is failing in case of Patch install has issues after installing from GUI
CSCvm07566 ACS migration to ISE 2.4 breaks Identity Source Sequencing
CSCvm09377 HTTP Request Header for ISE fails if it contains @ in email
CSCvm10559 ISE 2.4 Unable to delete unused SGTs associated with Virtual Network
CSCvm11175 ISE custom endpoint attribute type String doesn't allow numbers only
CSCvm11230 Customer sees no data available for this record for "Details" page in Live Logs
CSCvm12215 Patch install needs to re-apply SQL fixes in case of database reset
CSCvm12484 ISE sending wrong message to DNAC when clock not sync'd during trust establishment
CSCvm17795 Config Backups triggered from GUI hangs at 45% during ES backup
CSCvm19797 Hotfix Install Generates False Error Messages
CSCvm19803 ISE 2.4 EndPoints are being associated with the incorrect logical profile
CSCvm20561 ISE 2.x || Cisco-Device profiler policy missing the tandberg OUI as a condition
CSCvm22838 CoAs not being sent after the initial profiler CoA when the profile for an endpoint changes
CSCvm23096 PSN is down and in initializing state for ever
CSCvm26207 ISE METRICS, Compliance percentage is of total endpoints instead actual endpoints go through posture
CSCvm26372 ISE Indexing Engine not running after installation of 2.4 patch 3 on secondary pan
CSCvm29083 ISE 2.4 configured Authz policy does not match the correct policy when using Logical Profiles
CSCvm29136 Windows7-Workstation policy is incorrect for the rule "WinPlatform certainty factor or 40
CSCvm29577 ISE 2.4 : Context Visibility Users : Active Directory attributes not getting stored
CSCvm31919 IE11 : Trash icon linked to MAC address search box in Context Visibility
CSCvm32107 Unable to delete Root Network Device Group
CSCvm32303 Rest API- Unable to retrieve Guest User Details using ToDate filters
CSCvm33217 Receiving an error when saving authorization policy using external domain users group as condition
CSCvo61888 Device Administration Current Active Sessions report not available from 2.4 P6

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.