 Note |
Come to the Content Hub at content.cisco.com, where, using the Faceted Search feature, you can accurately zoom in on the content you want; create customized PDF books on the fly for ready reference; and can do so much more... So, what are you waiting for? Click content.cisco.com now! And, if you are already experiencing the Content Hub, we'd like to hear from you! Click the Feedback icon on the page and let your thoughts flow! |
Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, 5GaaS networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on secure network server appliances with different performance characterizations, and also as software that can be run on a virtual machines (VMs). Note that you can add more appliances to a deployment for better performance.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services, where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation in this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Supported Hardware
Cisco ISE, Release 2.6, can be installed on the following platforms:
 Caution |
For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation. |
|
Hardware Platform |
Configuration |
|---|---|
|
Cisco SNS-3515-K9 (small) |
For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide. |
|
Cisco SNS-3595-K9 (large) |
|
|
Cisco SNS-3615-K9 (small) |
|
|
Cisco SNS-3655-K9 (medium) |
|
|
Cisco SNS-3695-K9 (large) |
After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.
Caution |
|
Federal Information Processing Standard (FIPS) Mode Support
Cisco ISE uses embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.
When FIPS mode is enabled on Cisco ISE, consider the following:
-
All non-FIPS-compliant cipher suites will be disabled.
-
Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.
-
RSA private keys must be 2048 bits or greater.
-
Elliptical Curve Digital Signature Algorithm (ECDSA) private keys must be 224 bits or greater.
-
Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.
-
SHA1 is not allowed to generate ISE local server certificates.
-
The anonymous PAC provisioning option in EAP-FAST is disabled.
-
The local SSH server operates in FIPS mode.
-
The following protocols are not supported in FIPS mode for RADIUS:
-
EAP-MD5
-
PAP
-
CHAP
-
MS-CHAPv1
-
MS-CHAPv2
-
LEAP
-
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
-
VMware ESXi 5.x, 6.x, 7.x
-
Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
-
KVM on RHEL 7.1, 7.3, and 7.5
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Caution |
Cisco ISE does not support VMware snapshots for backing up ISE data because a VMware snapshot saves the status of a VM at a given point in time. In a multi-node Cisco ISE deployment, data in all the nodes are continuously synchronized with current database information. Restoring a snapshot might cause database replication and synchronization issues. We recommend that you use the backup functionality included in Cisco ISE for archival and restoration of data. Using VMware snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node. |
Supported Browsers
The supported browsers for the Admin portal include:
-
Mozilla Firefox 96 and earlier versions from version 82
-
Mozilla Firefox ESR 91.3 and earlier versions
-
Google Chrome 97 and earlier versions from version 86
-
Microsoft Internet Explorer 11.x
-
Microsoft Edge, the latest version and one version earlier than the latest version
Support for Microsoft Active Directory
Cisco ISE works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 at all functional levels.
Note |
|
Cisco ISE supports multidomain forest integration with Active Directory infrastructure to support authentication and attribute collection across large enterprise networks. Cisco ISE supports up to 50 domain join points.
Improved User Identification
Cisco ISE can identify Active Directory users when a username is not unique. Duplicate usernames are common when using short usernames in a multidomain Active Directory environment. You can identify users by Software Asset Management (SAM), Customer Name (CN), or both. Cisco ISE uses the attributes that you provide to uniquely identify a user.
Update the value of the following:
-
SAM: Update this value to use only the SAM in the query (the default).
-
CN: Update this value to use only CN in the query.
-
CNSAM: Update this value to use CN and SAM in the query.
To configure the attributes mentioned above for identifying Active Directory users, update the IdentityLookupField parameter in the registry on the server that is running Active Directory:
REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
Supported Ciphers
In a clean or fresh install of Cisco ISE, SHA1 ciphers are disabled by default. However, if you upgrade from an existing version of Cisco ISE, the SHA1 ciphers retain the options from the earlier version. You can view and change the SHA1 ciphers settings using the Allow SHA1 Ciphers field (Administration > System > Settings > Security Settings).
Note |
This does not apply to the Admin portal. When running in Federal Information Processing Standard Mode (FIPS), an upgrade does not remove SHA1 ciphers from the Admin portal. |
Cisco ISE supports TLS versions 1.0, 1.1, and 1.2.
Cisco ISE supports RSA and ECDSA server certificates. The following elliptic curves are supported:
-
secp256r1
-
secp384r1
-
secp521r1
Note |
Cisco ISE does not support intermediate certificates having SHA256withECDSA signature algorithm for any of the elliptical curves due to the limitations in the current implementation of OpenJDK 1.8. |
The following table lists the supported Cipher Suites:
| Cipher Suite |
When Cisco ISE is configured as an EAP server When Cisco ISE is configured as a RADIUS DTLS server |
When Cisco ISE downloads CRL from HTTPS or a secure LDAP server When Cisco ISE is configured as a secure syslog client or a secure LDAP client When Cisco ISE is configured as a RADIUS DTLS client for CoA |
|
TLS 1.0 support |
When TLS 1.0 is allowed (DTLS server supports only DTLS 1.2) Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.0 is not supported for TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS based EAP authentication methods in TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings window. To view this window, choose Administration > System > Settings > Protocols > Security Settings. |
When TLS 1.0 is allowed (DTLS client supports only DTLS 1.2) |
|
TLS 1.1 support |
When TLS 1.1 is allowed Allow TLS 1.1 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.1 is not supported for TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS based EAP authentication methods in TLS 1.1, check the Allow TLS 1.1 check box in the Security Settings window(Administration > System > Settings > Protocols > Security Settings). |
When TLS 1.1 is allowed |
|
ECC DSA ciphers |
||
|
ECDHE-ECDSA-AES256-GCM-SHA384 |
Yes |
Yes |
|
ECDHE-ECDSA-AES128-GCM-SHA256 |
Yes |
Yes |
|
ECDHE-ECDSA-AES256-SHA384 |
Yes |
Yes |
|
ECDHE-ECDSA-AES128-SHA256 |
Yes |
Yes |
|
ECDHE-ECDSA-AES256-SHA |
When SHA-1 is allowed |
When SHA-1 is allowed |
|
ECDHE-ECDSA-AES128-SHA |
When SHA-1 is allowed |
When SHA-1 is allowed |
|
ECC RSA ciphers |
||
|
ECDHE-RSA-AES256-GCM-SHA384 |
When ECDHE-RSA is allowed |
When ECDHE-RSA is allowed |
|
ECDHE-RSA-AES128-GCM-SHA256 |
When ECDHE-RSA is allowed |
When ECDHE-RSA is allowed |
|
ECDHE-RSA-AES256-SHA384 |
When ECDHE-RSA is allowed |
When ECDHE-RSA is allowed |
|
ECDHE-RSA-AES128-SHA256 |
When ECDHE-RSA is allowed |
When ECDHE-RSA is allowed |
|
ECDHE-RSA-AES256-SHA |
When ECDHE-RSA/SHA-1 is allowed |
When ECDHE-RSA/SHA-1 is allowed |
|
ECDHE-RSA-AES128-SHA |
When ECDHE-RSA/SHA-1 is allowed |
When ECDHE-RSA/SHA-1 is allowed |
|
DHE RSA ciphers |
||
|
DHE-RSA-AES256-SHA256 |
No |
Yes |
|
DHE-RSA-AES128-SHA256 |
No |
Yes |
|
DHE-RSA-AES256-SHA |
No |
When SHA-1 is allowed |
|
DHE-RSA-AES128-SHA |
No |
When SHA-1 is allowed |
|
RSA ciphers |
||
|
AES256-SHA256 |
Yes |
Yes |
|
AES128-SHA256 |
Yes |
Yes |
|
AES256-SHA |
When SHA-1 is allowed |
When SHA-1 is allowed |
|
AES128-SHA |
When SHA-1 is allowed |
When SHA-1 is allowed |
|
3DES ciphers |
||
|
DES-CBC3-SHA |
When 3DES/SHA-1 is allowed |
When 3DES/DSS and SHA-1 are enabled |
|
DSS ciphers |
||
|
DHE-DSS-AES256-SHA |
No |
When 3DES/DSS and SHA-1 are enabled |
|
DHE-DSS-AES128-SHA |
No |
When 3DES/DSS and SHA-1 are enabled |
|
EDH-DSS-DES-CBC3-SHA |
No |
When 3DES/DSS and SHA-1 are enabled |
|
Weak RC4 ciphers |
||
|
RC4-SHA |
When "Allow weak ciphers" option is enabled in the Allowed Protocols page and when SHA-1 is allowed |
No |
|
RC4-MD5 |
When "Allow weak ciphers" option is enabled in the Allowed Protocols page |
No |
|
EAP-FAST anonymous provisioning only: ADH-AES-128-SHA |
Yes |
No |
|
Peer certificate restrictions |
||
|
Validate KeyUsage |
Client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:
|
|
|
Validate ExtendedKeyUsage |
Client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:
|
Server certificate should have ExtendedKeyUsage=Server Authentication |
What is New in Cisco ISE, Release 2.6?
Base Licensing
The features described below require Cisco ISE base licensing.
CLI Access by External Identity Store
ISE supports authentication of CLI administrators by external identity sources, such as Active Directory.
Business Outcome: You can manage a single source for passwords without the need to manage multiple password policies and administer internal users within ISE, thereby reducing time and effort.
IPv6 Support
In addition to the IPv4 support, Cisco ISE, Release 2.6 extends IPv6 support for the following functions or events:
-
ISE Management
You can access and manage a Cisco ISE node over an IPv6 address, and configure an IPv6 address to Eth0 (Interface) during setup wizard as well as through CLI.
Note
If you choose to configure IPv6 address, you should also have an IPv4 address configured (in addition to IPv6 address) for the Cisco ISE node communication. Hence, dual stack (combination of both IPv4 and IPv6) is required.
You can also manage Secure Socket Shell (SSH) with IPv6 addresses. Cisco ISE supports multiple IPv6 addresses on any interface and these IPv6 addresses can be configured and managed using CLI.
-
Network Time Protocol Support
You can access, configure, and manage Network Time Protocol (NTP) servers with IPv4, FQDN, IPv6 addresses, or with a mix of these.
Cisco ISE also supports NTP server fallback mechanism and server authentication over an IPv6 address.
-
Domain Name System Support
You can configure a combination of IPv4 and IPv6 Domain Name System (DNS) servers and even manage IPv4 or IPv6-based DNS servers through CLI and GUI. Static hostnames can be mapped with IPv6 addresses.
For further details, see ISE Cisco Identity Services Engine CLI Reference Guide, Release 2.6
-
External Repositories
You can add an external repository in Cisco ISE with an IPv6 address. Communication between a Cisco ISE node and an IPv6 external repository is possible when the node has an IPv6 address configured to Eth0.
For further details, see ISE Cisco Identity Services Engine CLI Reference Guide, Release 2.6
-
Audit Logs and Reports
You can view the reports relating to login and logout activities, password changes, and operational changes made by you while accessing Cisco ISE through an IPv6 address. These events can be viewed in the audit reports available in the Cisco ISE dashboard.
-
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) traps and MIBs can be communicated through IPv6 addresses. You can configure IPv4-based, IPv6-based SNMP or multiple SNMP (a mix of IPv4 and IPv6) servers.
-
Access Control Lists And Dynamic Access Control Lists
From Cisco ISE, Release 2.6, you can define Access Control Lists (ACLs), Dynamic Access Control Lists (DACLs) and Cisco Airespace ACLs with IPv6 addresses.
-
Active Directory
You can connect to the IPv6 Active Directory from Cisco ISE.
-
External Restful Service Portal
External Restful Service is available on an IPv6 client.
-
Syslog Client or Logging Targets
You can configure IPv6-based syslog targets.
-
Posture
You can access RADIUS servers with an IPv6 address.
For more information on Cisco ISE, Release 2.6, IPv6 support, see Cisco Identity Services Engine Administrator Guide, Release 2.6.
Business Outcome: You can migrate to an IPv6-based network to complete the events mentioned above.
Japanese or English View of the Administrator Portal
The Administration console currently supports two languages, Japanese and English. You can select either the Japanese view or the English view under Account Settings.
Business Outcome: Suitable for Japanese-speaking and English-speaking administrators to configure and use Cisco ISE.
Policy Service Nodes and the Light Session Directory
The Light Session Directory feature can be used to store user session information and replicate it across the Policy Service Nodes (PSNs) in a deployment, thereby eliminating the need to be totally dependent on the Primary Administration Node (PAN) or the Monitoring and Troubleshooting (MnT) node for user session details. The Light Session Directory feature stores only the session attributes required for Change of Authorization (CoA). To enable the Light Session Directory feature, choose Administration > Settings > Light Session Directory and check the Enable Light Session Directory check box.
Business Outcome: Improved performance and scalability of Cisco ISE node.
REST Support for External Administrators
From Cisco ISE 2.6, External RESTful Services (ERS) users can either be internal users or belong to an external Active Directory. The Active Directory group to which the external users belong should be mapped to either the ERS Admin or the ERS Operator group. With this enhancement, administrators no longer have to create internal user counterparts for external users who need access to ERS services.
Business Outcome: The process of enabling external administrators to access RESTful services is simplified.
Support for Manufacturer Usage Descriptor
Manufacturer Usage Descriptor (MUD) is an IETF standard, which defines a way to on-board IoT devices. It provides seamless visibility and segmentation automation of IoT devices. MUD has been approved in IETF process, and released as RFC8520. For more information, see https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/.
Cisco ISE, Release 2.6 and later supports identification of IoT devices. Cisco ISE automatically creates profiling policies and Endpoint Identity Groups. MUD supports profiling IoT devices, creating profiling policies dynamically, and automating the entire process of creating policies and Endpoint Identity Groups. Administrators can use these profiling policies to create manually Authorization Policies and Profiles. IoT devices sending MUD URL in DHCP and LLDP packets are on board, using those profiles and policies.
Cisco ISE performs unsigned classification of IoT devices. Cisco ISE does not store the MUD attributes; the attributes are only used in the current session. In the Context and Visibility > Endpoints window, you can filter IoT devices by the Endpoint Profile field.
The following devices support sending MUD data to Cisco ISE:
-
Cisco Catalyst 3850 Series Switches running Cisco IOS XE Version 16.9.1 & 16.9.2
-
Cisco Catalyst Digital Building Series Switches running Cisco IOS Version 15.2(6)E2
-
Cisco Industrial Ethernet 4000 Series Switches running Cisco IOS Version 15.2(6)E2
-
Internet of Things (IoT) devices with embedded MUD functionality
Profiler Support
Cisco ISE supports the following profiling protocols and profiling probes:
-
LLDP and RADIUS - TLV 127
-
DHCP - Option 161
Business Outcome: The number of IoT devices that are connected to enterprise networks is increasing. Until now, Cisco ISE could not classify these devices. From Release 2.6, Cisco ISE can classify and display the IoT devices that are connected to your network, using an automated process.
Syslog over ISE Messaging
From Cisco ISE, Release 2.6, Monitoring and Troubleshooting (MnT) WAN Survivability is available for UDP syslog collection. Syslogs are recorded using ISE Messaging Service. The Remote Logging Targets, where the syslogs are collected and stored uses port TCP 8671 and the Secure Advanced Message Queuing Protocols (AMQPs) for sending syslogs to MnT.
By default, the ISE Messaging Service option is disabled until Cisco ISE, Release 2.6 Patch 1.
From Cisco ISE, Release 2.6 Patch 2 onwards, by default, the ISE Messaging Service option is enabled.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6
Business Outcome: Operational data will be retained for a finite duration even when the MnT node is unreachable.
Hardening Improvements
The following caveats are fixed to ensure improved hardening of Cisco ISE:
-
CSCvj85532- Streamlined security enforcement upon administrators' authentication failures.
-
CSCvk46033- Improved security hardening for connections to the Cisco ISE SSH server.
-
CSCvk09565- Conformance to RFC 3164 standards.
-
CSCvj96345- Improved security for connections to the Cisco ISE Administration application.
TrustSec Deployment Verification Report
You can use this report to verify whether the latest TrustSec policies are deployed on all network devices and whether there are any discrepancies between the policies configured on Cisco ISE and those deployed on the network devices.
Business Outcome: You can easily verify whether the latest TrustSec policies are deployed on the network devices or if there are any discrepancies.
NFS Repository Credentials
When you add a repository and select NFS as the protocol, you can no longer enter credentials to connect to the repository.
Business Outcome: Using credentials to connect to an NFS repository caused problems.
Apex Licensing
The features described below require Cisco ISE apex licensing.
Identify Managed Devices with Dynamic MAC Addresses
AnyConnect 4.7 now provides a Unique Device ID (UDID) to identify a connected user. The UDID value can be mapped with information from Mobile Device Management (MDM) providers to help identify users who have the same MAC address. MAC address sharing is common in open offices, where more than one person shares a dock or USB dongle.
Business Outcome: You can develop a solution that uses the UDID to uniquely identify a user, when device connections are shared.
Flexible Remediation Notification
From Cisco ISE, Release 2.6, you can delay the grace period prompt from being displayed to the user until a specific percentage of grace period has elapsed.
For example, if the Delay Notification field in the Policy > Posture > Posture Policy window is set to 50 percent and the configured grace period is 10 minutes, Cisco ISE checks the posture status after 5 minutes and displays the grace period notification if the endpoint is found to be noncompliant. Grace period notification is not displayed if the endpoint status is compliant. If the notification delay period is set to 0 percent, the user is prompted immediately at the beginning of the grace period to remediate the problem. However, the endpoint is granted access until the grace period expires.
Business Outcome: Prevents unnecessary remediation prompts for endpoints waiting for JAMF software or Microsoft System Center Configuration Manager (SCCM) updates.
Generic or Custom Messaging Through Cisco AnyConnect
More informative messages can now be displayed by Cisco AnyConnect when it is used in the context of Cisco ISE Posture service. End users can now see messages about posture status and errors. You can modify the content that is displayed in AnyConnect posture profiles. Note that this feature requires Cisco AnyConnect Version 4.7.
Business Outcome: Better communication with end users.
Platform
Support for Cisco Secure Network Server 3600 Series Appliance
Cisco ISE 2.6 supports Cisco Secure Network Server 3615, Secure Network Server 3655, and Secure Network Server 3695 appliances.
For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.
Business Outcome: Improved performance, scalability, and platform manageability over SNS 35xx series appliances.
Known Limitations and Workarounds
LDAP Server Reconfiguration after Upgrade
Limitation
The primary Hostname or IP is not updated which causes authentication failures. This is because while upgrading the Cisco ISE deployment, the deployment IDs tend to reset.
Condition
When you enable the Specify server for each ISE node option in the Connection window ( or choose and an existing server) and then upgrade your Cisco ISE deployment with PSNs, the deployment IDs tend to reset.
Workaround
Reconfigure the LDAP Server settings for each node. For more information, see LDAP Identity Source Settings section in the Administrative Access to Cisco ISE Using an External Identity Store chapter in the "Cisco Identity Services Engine Administrator Guide, Release 2.4".
Upgrade GUI Notification
Limitation
Upgrade GUI shows that the upgrade progress at 0% for secondary PAN until upgrade is at 100%. The upgrade process continues in background and there’s no impact on upgrade.
Condition
While upgrading from Cisco ISE 2.4 Patch 8 to a higher release.
Workaround
show logging system ade/ADE.logFor more information, see CSCvp78781.
pxGrid Certificate Issue
Limitation
Default self-signed certificate for pxGrid fails.
Condition
While upgrading from Cisco ISE 2.7 Patch 7 to a higher release.
Workaround
Either use a different certificate, or add "SSL Client" to the existing certificate.
IP-SGT Bindings Are Not Propagated Under Certain Conditions
Under the following conditions, IP-SGT mappings are not propagated to ACI.
On the ISE administrators console, navigate to Work Centers -> TrustSec -> Components:
-
Create a security group, but don't check Propagate to ACI.
-
Create an IP-SGT binding with previously created Security Group. It may be a static, session or SXP binding.
-
On the Security Group, click Propagate to ACI .
-
Click Save.
-
The Security Group synchs to ACI, but not IP-SGT that is mapped to the Security Group.
Either:
-
Restart the ACI propagation in ISE and recreate the IP-SGT mappings.
-
On the Work Centers->TrustSec->Settings->ACI Settings, uncheck “TrustSec-ACI Policy Element Exchange”, and save.
-
Check TrustSec-ACI Policy Element Exchange, and save.
-
The connection between Cisco ISE and ACI is reestablished.
-
-
Delete the old IP-SGT bindings, and recreate them while Propagate to ACI is checked.
Note |
The connection between ACI and ISE reauthenticates every 24 hours, which also fixes this problem. |
SXP Protocol Security Standards
For more information, see https://tools.ietf.org/html/draft-smith-kandula-sxp-06.
Patch Build Download Using Chrome Browser
Radius Logs for Authentication
Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.
Profiler RADIUS Probe
NAM TLS 1.2 Incompatibility Warning
-
Cisco ISE Release 2.4: Patch 5 or later.
-
Cisco ISE Releases 2.0, 2.0.1, and 2.1. Install the Struts2-CVE-2018-11776 PSIRT fix, before you apply the hot patch. You can download the Struts2-CVE-2018-11776 PSIRT fix from Cisco software downloads.
Note |
In order to obtain hot patches for Cisco ISE releases earlier than Release 2.4, contact the Cisco Technical Assistance Center (TAC). Ensure that the ISE software has the latest patches applied before you apply the hot patch. |
For more information, see https://www.cisco.com/c/en/us/support/docs/field-notices/703/fn70357.html.
High Memory Utilization
For more information, see CSCvn07836.
Diffie-Hellman Minimum Key Length
For more information, see CSCvi76985.
ECDSA Certificates
Note |
Apple iOS is not supported if you use ECDSA as a system certificate. ECDSA certificates are supported only for Android 6.x and Android 7.x. |
Re-create Supplicant Provisioning Wizard References
Endpoint Protection Services API
As of Cisco ISE 1.4, ANC replaces Endpoint Protection Services. ANC provides additional classifications, and performance improvements. There are new APIs for ANC in the Cisco ISE SDK. While the ERS APIs might still work, we strongly recommend that you move to ANC.
Server IP update under Trustsec AAA Server list
When the IP of the Cisco ISE instance is changed via CLI, then Cisco ISE will restart the services. Once the services are up, we need to change the IP of Trustsec AAA Server. Choose .
Upgrade Information
Upgrading to Release 2.6
You can directly upgrade to Release 2.6 from the following Cisco ISE releases:
-
2.1
-
2.2
-
2.3
-
2.4
Note |
When you upgrade to Cisco ISE 2.6 patch 7, you will see an error message if you were using the RE_AUTHENTICATE in an ANC policy. The existing policies will still work. Applying patch 2 eliminates the error message. Or you can remove those policies before upgrading. |
If you are on a version earlier than Cisco ISE, Release 2.1, you must first upgrade to one of the releases listed above and then upgrade to Release 2.6.
Note |
We recommend that you upgrade to the latest patch in the existing version before starting the upgrade. |
Cisco ISE, Release 2.6, has parity with 2.0 Patch 7, 2.1 Patch 8, 2.2 Patch 13, 2.3 Patch 5, and 2.4 Patch 5.
Supported Operating System for Virtual Machines
You can upgrade to Release 2.6 from either the GUI or the CLI.
Cisco ISE runs on the Cisco Application Deployment Engine operating system (ADEOS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE, Release 2.6, ADEOS is based on RHEL 7.5. For more information, see Cisco Identity Services Engine Upgrade Journey.
If you are upgrading Cisco ISE nodes on VMware virtual machines, after upgrade is complete, ensure that you change the Guest Operating System to supported version of Red Hat Enterprise Linux (RHEL). To do this, you must power down the VM, change the Guest Operating System to the supported RHEL version, and power on the VM after the change.
Patch Compatibility
This patch is compatible with the following patch releases:
-
2.2 Patch 15
-
2.3 Patch 7
-
2.4 Patch 10
-
2.6 Patch 2
Upgrade Packages
For information about the upgrade packages and the supported platforms, see Cisco ISE Software Download.
License Changes
Device Administration Licenses
There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.
The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.
Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0, and is enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are completely enforced on a per-node basis.
Cluster licenses have been discontinued, and now only node Licenses are available for sale.
However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.
The evaluation license allows device administration on one policy service node.
Licenses for Virtual Machine nodes
Cisco ISE is also sold as a virtual machine (VM). For this Release, we recommend that you install appropriate VM licenses for the VM nodes in your deployment. Install the VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, you will receive warnings and notifications to procure and install the VM license keys. However, the installation process will not be interrupted. From Cisco ISE, Release 2.4, you can manage your VM licenses from the GUI.
VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with eight cores and 64-GB RAM, you might need a Medium category VM license if you want to replicate the same capabilities on the VM. You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.
VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features that are enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.
VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification pop-up window.
If you have not purchased an ISE VM license earlier, see the Cisco Identity Services Engine Ordering Guide to choose the appropriate VM license to be purchased.
Note |
If you have purchased ISE VM licenses without a PAK, you can request VM PAKs by emailing licensing@cisco.com. Include the Sales Order numbers that reflect the ISE VM purchase, and your Cisco ID in your email. You will be provided a medium VM license key for each ISE VM purchase you have made. |
For details about VM compatibility with your Cisco ISE version, see "Hardware and Virtual Appliance Requirements" chapter in the Cisco Identity Services Engine Installation Guide for the applicable release.
For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide.
Upgrade Procedure Prerequisites
-
Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
-
We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Cisco ISE Live Update Portals
Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the corresponding device using Cisco ISE.
If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. Choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
Client Provisioning and Posture Live Update Portals
You can download Client Provisioning resources from:
The following software elements are available at this URL:
-
Supplicant Provisioning wizards for Windows and Mac OS X native supplicants
-
Windows versions of the latest Cisco ISE persistent and temporal agents
-
Mac OS X versions of the latest Cisco ISE persistent agents
-
ActiveX and Java Applet installer helpers
-
AV/AS compliance module files
For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.
You can download Posture updates from:
The following software elements are available at this URL:
-
Cisco-predefined checks and rules
-
Windows and Mac OS X AV/AS support charts
-
Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.
If you do not want to enable the automatic download capabilities, you can choose to download updates offline.
Cisco ISE Offline Updates
This offline update option allows you to download client provisioning and posture updates, when direct internet access to Cisco.com from a device using Cisco ISE is not available or is not permitted by a security policy.
To download offline client provisioning resources:
Procedure
| Step 1 |
Go to: https://software.cisco.com/download/home/283801620/type/283802505/release/2.6.0. |
| Step 2 |
Provide your login credentials. |
| Step 3 |
Navigate to the Cisco Identity Services Engine download window, and select the release. The following Offline Installation Packages are available for download:
|
| Step 4 |
Click either Download or Add to Cart. |
For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.
You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.
For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.
To download offline posture updates:
Procedure
| Step 1 |
Go to https://www.cisco.com/web/secure/spa/posture-offline.html. |
||
| Step 2 |
Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems. |
||
| Step 3 |
Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture. |
||
| Step 4 |
Click the arrow to view the settings for posture. |
||
| Step 5 |
Click Updates. The Posture Updates window is displayed.
|
||
| Step 6 |
Click the Offline option. |
||
| Step 7 |
Click Browse to locate the archive file (posture-offline.zip) from the local folder in your system.
|
||
| Step 8 |
Click Update Now. |
Configuration Prerequisites
-
The relevant Cisco ISE license fees should be paid.
-
The latest patches should be installed.
-
Cisco ISE software capabilities should be active.
Monitoring and Troubleshooting
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
Ordering Information
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
Cisco ISE Integration with Cisco Digital Network Architecture Center
Cisco ISE can integrate with Cisco DNA Center. For information about configuring Cisco ISE to work with Cisco DNA Center, see the Cisco DNA Center documentation.
For information about Cisco ISE compatibility with Cisco DNA Center, see the Cisco SD-Access Compatibility Matrix.
Install a New Patch
To obtain the patch file that is necessary to apply a patch to Cisco ISE, log in to the Cisco Download Software site at https://software.cisco.com/download/home (you will be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
For instructions on how to apply the patch to your system, see the "Install a Software Patch" section in the Cisco Identity Services Engine Administrator Guide.
For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.
Note |
Cisco ISE Release 2.6 Patch 10 and later releases support the licensing feature SSM On-Prem connection method. If you enable this feature and need to roll back to Cisco ISE 2.6 Patch 9 or earlier, you must disable the licensing feature before you uninstall the patch with the licensing feature. |
Caveats
The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST). The bug IDs are sorted alphanumerically.
Note |
The Open Caveats sections lists the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 2.6. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved. |
The BST, which is the online successor to the Bug Toolkit, is designed to improve the effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at http://www.cisco.com/web/applicat/cbsshelp/help.html.
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 12
The following table lists the resolved caveats in Release 2.6 cumulative patch 12.
|
Caveat ID Number |
Description |
|---|---|
|
PLR returned upon 3.0P5 to 3.0P3 |
|
|
Application server crashes when System Time page is accessed in 2.6 Patch 11 |
|
|
Internal users using External Password Store get disabled if users are created using API flow |
|
|
dom4j before 2.1.3 allows external DTDs and External Entities by default |
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 11
The following table lists the resolved caveats in Release 2.6 cumulative patch 11.
Patch 11 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Identifier |
Headline |
|---|---|
|
CIAM: openjdk - multiple versions |
|
|
Cisco ISE Wildcard certificate failing with internal error |
|
|
Cisco ISE XML external entity injection vulnerability |
|
|
Cisco ISE formula injection vulnerability |
|
|
VNs fail to replicate from Author to Reader |
|
|
Cisco ISE 2.7 patches 4,5, and 6 report the error "There is an overlapping IP Address in your device" |
|
|
CIAM: unixodbc 2.3.0 |
|
|
REST API for CoA works with any server IP |
|
|
Upgrade Cisco ISE 3.0 and earlier patches with CiscoSSL 1.0.2za |
|
|
Optimize bouncy-castle class to improve performance on PAN |
|
|
Cisco ISE 3.1 BH: Default profiling policies' description displays the space character hex code instead of space |
|
|
CIAM: cpio 2.12 |
|
|
CIAM: cyrus-sasl 2.1.27 |
|
|
CIAM: nettle 3.4.1 |
|
|
enabling cookies for POST /ers/config/internaluser/ causes Identity Group(s) Does Not Exist error |
|
|
CIAM: libpng 1.6.20 |
|
|
Manual ActiveSession report is empty |
|
|
High Active Directory latency during high TPS causes HOL blocking on ADRT |
|
|
CIAM: samba 4.8.3 |
|
|
The licensing page has zero count after upgrading to patch 13 |
|
|
MNT REST API for ReAuth fails when used in a distributed deployment (separate MnT) |
|
|
Live log/session does not display latest data due to "Too Many Files Open" error |
|
|
Reauth issue - Aruba - 3rd party device |
|
|
With PLR, Profiler Online Updates error : Failed to get License file data : null |
|
|
Cisco ISE: DST Root CA X3 Certificate Authority - Expires by 30 Sep 2021 (within 90 days) |
|
|
Unable to retrieve the license details causing features to be disabled |
|
|
High Latency observed for Tacacs+ requests with date time condition in authorization policies |
|
|
CIAM: perl 5.16.3 |
|
|
Multiple vulnerabilities in apache log4j |
|
|
Version pre-check fails for 3.2 full upgrade. |
|
|
Cisco ISE assessment of CVE-2021-4034 Polkit |
|
|
Cisco ISE installation fails with "Database Priming Failed" error when an all-numbers subdomain is used |
|
|
Application server stuck on initializing state due to certificate template curve type P-192 |
|
|
Generate bulk certificates does not include the Cisco ISE self-signed certificate |
|
|
Auth Passed live logs are not seen when using a profile name with more than 50 characters |
|
|
Unsafe characters in T+ commands stored in hex numeric character references |
|
|
hotpatch.log needs to be included in support-bundle |
|
|
CIAM: screen 4.1.0 CVE-2021-26937 |
|
|
Threads are exhuasted after moving to latest patches where NSS RPM is updated (only Release 3.0 Patch 5 and Release 2.7 Patch 7) |
|
|
Cisco ISE sensitive information disclosure vulnerability |
|
|
External MDM server (Microsoft Intune), change in polling interval does not take effect |
|
|
Multiple runtime crashes seen due to memory allocation inconsistency |
|
|
Microsoft Intune Graph URL changed from graph.windows.net/tenant to graph.microsoft.com |
|
|
Cisco ISE Evaluation log4j CVE-2021-44228 |
|
|
Cisco ISE allowing user to change admin password without validating current password |
|
|
Cisco ISE privilege escalation vulnerability |
|
|
When duplicated RADIUS vendor ID is present, any network device change can cause PSN to crash. |
|
|
Cisco ISE adds six extra hours to nextUpdate date for CRL |
|
|
CIAM: libx11 1.6.8 |
|
|
CIAM: net-snmp 5.7.2 |
|
|
Apply code fix based on Red Hat recommendation for "Cisco ISE unable to talk to NTP daemon" error |
|
|
CIAM: nss 3.44.0 |
|
|
Terminated sessions are not cleared from Cisco ISE live sessions tab. |
|
|
CIAM: jspdf 1.0.0 |
|
|
Authentication is not blocked in policySet with TimeAndDate condition for specific minute in the day |
|
|
Cisco ISE RADIUS service, denial of service vulnerability |
|
|
CIAM: bind 9.11.20 |
|
|
Cisco:cisco-av-pair AuthZ conditions stopped working |
|
|
Cisco ISE - Persistent self cross-site scripting vulnerability |
|
|
memory leak on systemd-journal process |
|
|
Daily purge is not happening and hence data to be purged does not get copied to repository |
|
|
DST/TZ update should happen automatically |
|
|
CIAM: quartz - multiple versions |
|
|
CIAM: sqlite 3.7.17 |
|
|
Fullupgrade wont work with patch when CLI repo or disk repo is used |
|
|
Cisco ISEdailycron temp1 tracking is causing delay in AWR reports |
|
|
Menu access customization is not working |
|
|
UDI information is missing in the GUI |
|
|
Cisco ISE Health Check I/O bandwidth performance check false alarm |
|
|
CTS-SXP-CONN : ph_tcp_close from device to Cisco ISE SXP connection - Hawkeye |
|
|
libcgroup umask configuration information disclosure vulnerability |
|
|
SessionCache not cleared for TACACS AuthZ failures results in high heap usage and auth latency |
|
|
ntpd in NTP earlier than 4.2.8p14, and 4.3.x earlier than 4.3.100 allows remote attack |
|
|
Multiple vulnerabilities in glibc |
|
|
CIAM found poi vulnerable |
|
|
SystemTest : 2.6P10 : PPAN UI page not opening after PAN failover |
|
|
CIAM: jsoup 1.10.3 |
|
|
MnT log processor not running because of collector log permission |
|
|
Cisco ISE sensitive information disclosure vulnerability |
|
|
3.1:Maxscale: Core generated by /opt/CSCOcpm/prrt/diag/bin/diagRunner start |
|
|
Cisco ISE Application server crash/restart due to cancellation of configuration backup |
|
|
CIAM: nss - multiple versions |
|
|
CIAM: libx11 1.6.7 |
Open Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 11
|
Caveat ID Number |
Description |
|---|---|
|
Application server crashes when accessing System Time page in 2.6 Patch 11 |
New Features in Cisco ISE Release 2.6.0.156 - Cumulative Patch 10
Licensing Method for Air-Gapped Networks
Smart Software Manager (SSM) On-Prem is a connection method in which you configure an SSM On-Prem server that manages smart licensing in your Cisco ISE-enabled network. With this connection method, Cisco ISE does not require a persistent connection to the Internet.
For more information, see the Licensing Chapter in the Cisco Identity Services Engine Administrator Guide.
Full Upgrade and Split Upgrade Options Added to Cisco ISE GUI
You can select one of the following options in the Administration > System > Upgrade> Upgrade Selection window to upgrade your Cisco ISE deployment:
-
Full Upgrade: Full upgrade is a multi-step process that enables a complete upgrade of your Cisco ISE deployment sequentially. This method will upgrade all nodes in parallel and in lesser time compared to the split upgrade process. The application services will be down during this upgrade process because all nodes are upgraded parallelly.
-
Split Upgrade: Split upgrade is a multi-step process that enables the upgrade of your Cisco ISE deployment while allowing services to remain available during the upgrade process. This upgrade method allows you to choose the Cisco ISE nodes to be upgraded on your deployment.
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 10
The following table lists the resolved caveats in Release 2.6 cumulative patch 10.
Patch 10 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
Account used for ISE AD join may become locked after passive-id service is enabled |
|
|
Account is suspended temporarily due to excessive failed authentication |
|
|
Multiple Vulnerabilities in jetty |
|
|
ISE does not reattempt wildcard replication for failed nodes |
|
|
"Plus License is out of compliance and trying generate Internal CA operations" error shown while trying to regenerate ISE Root CA chain |
|
|
In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash) |
|
|
Changes in IP table settings causing TCP slowness and TACACS latency |
|
|
Support Information is out of the flow |
|
|
Update "blacklist portal" to "blocked list portal" everywhere in the ISE UI + code |
|
|
Update "blacklist identity group" to "blocked list identity group" everywhere in the ISE UI + code |
|
|
Certificate chain is not sent on the portal |
|
|
PKCS11 key store creating memory leak when having endpoints in ISE |
|
|
ISE 3.0 Upgrade failing at step RuleResultsSGTUpgradeService |
|
|
Cannot configure scheduled config and operational backup with start date same as current day |
|
|
Cisco ADE-OS Local File Inclusion Vulnerability |
|
|
Heap buffer overflow in Freetype CVE-2020-15999, CVE-2018-6942 |
|
|
Multiple Vulnerabilities in glibc |
|
|
For PKI based SFTP, exporting GUI key for MnT node is possible only when it is promoted to PAN |
|
|
ISE remains in eval expire state even after registering with Smart Licensing |
|
|
Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 |
|
|
Error 400 while authenticating to Sponsor portal with Single Sign-on/Kerberos User. |
|
|
Receiving acct stop without NAS-IP address keeps session in started state |
|
|
AMP events not mapped correctly for new endpoints |
|
|
CIAM: bind - multiple versions CVE-2020-8625 |
|
|
Emails sent for all system alarms even when there is no email address configured |
|
|
ISE 2.7 p2 : RADIUS Authentication Troubleshooting report shows incorrect or no data in its result |
|
|
Workaround for False Failed login Event not working on 2.6 patch 8 |
|
|
Qualys integration is failing with ISE |
|
|
Not able to retrieve Endpoint Identity Groups via API calls |
|
|
Smart license of de-registration flow is not working in ISE and ISE-PIC |
|
|
ISE configuration backup size mismach when using NFS repository |
|
|
Top Authorization report does not show filter in scheduled reports |
|
|
Vulnerabilities fixed in XStream 1.4.16 |
|
|
ISE internal ERS user attepting to authenticate via external ID store causing REST delays |
|
|
ISE 2.7p3: NAD IP definitions using - or * do not perform full IP comparison |
|
|
ISE persistant XSS Admin Group |
|
|
High CPU seen on PSN nodes from ISE 2.6P3 onwards due to PIP query evaluation |
|
|
Cisco Identity Services Engine Self Cross-Site Scripting Issue |
|
|
Special characters allowed previously in Descriptions field for few objects no longer can be used |
|
|
Unable to download Debug Logs from GUI |
|
|
ISE 2.6 does not support "cariage return" <cr> character in command-set |
|
|
Tacacs custom AV pair as condition in policies is not working |
|
|
Full upgrade should throw warning if data size is more than 40GB overall |
|
|
External DNAC authentication via ISE fails with "Invalid login credentials" error |
|
|
Context Visibility Delete 'All' function showing incorrect number of endpoints on confirmation popup |
|
|
Empty RabittMQ password causing Replication issue. |
|
|
ISE 2.7 patch 4 unable to upload .json file for Umbrella security profile |
|
|
Platform check fails for ISE having disk size more than 1TB |
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 9
The following table lists the resolved caveats in Release 2.6 cumulative patch 9.
Patch 9 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
Guest remember-me flow radius accounting and access accept is not sending Guest Username. |
|
|
GNU gettext default_add_message Double-Free Vulnerability. |
|
|
MIT Kerberos 5 KDC krbtgt Ticket S4U2Self Request Denial of Service. |
|
|
Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler. |
|
|
ISE 2.4 SNMPv3 user added with wrong hash after reload causing SNMPv3 authentication failure. |
|
|
ISC BIND managed-keys Trust Anchor Denial of Service Vulnerability. |
|
|
Show running-configuration fails to complete. |
|
|
Info-ZIP UnZip File Overlapping Denial of Service Vulnerability CVSS v3.0 Base 7.5 |
|
|
cURL and libcurl tftp_receive_packet() Function Heap Buffer Overflow Vulner CVSS v3.1 Base: 9.8. |
|
|
ISE 2.7 BETA: Username field in Self-Registration Portal Config is not saved. |
|
|
cURL and libcurl tftp_receive_packet() Function Heap Buffer Overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. |
|
|
GNU patch pch_write_line Function Denial of Service Vulnerability. |
|
|
SSSD Group Policy Objects Implementation Improper Access Control Vulnerability. |
|
|
ISC BIND Dynamically Loadable Zones Unauthorized Access Vulnerability. |
|
|
libssh2 packet.c Integer Overflow Vulnerability CVSS v3.1 Base: 8.1. |
|
|
TPS - update curl lib in prrt. |
|
|
Samba Filename Path Separators Unauthorized Access Vulnerability. |
|
|
ISE 2.4 p5 crashes continuously around midnight, generating core files. |
|
|
gllibc LD_PREFER_MAP_32BIT_EXEC Environment Variable ASLR Bypass Vulnerability. |
|
|
Update CiscoSSL to fix CSCvg56800 - Evaluation of ISE vulnerability nginx Oct 2017. |
|
|
libxml2 xml Parse Balanced Chunk Memory Recover Memory Leak Vulnerability. |
|
|
Multiple Vulnerabilities in libcurl. |
|
|
System button_open Memory Leak Vulnerability. |
|
|
ISE Feed Server fails via 'createLicenseSource' method "FlexlmListException: Error". |
|
|
Multiple Vulnerabilities in python. |
|
|
ISE: runtime-aaa debugs do not print packet details in ascii; breaking Endpoint debugs. |
|
|
SSLDUMP() logs printed on Showtech via Audit logs causing showtech file to grow extensively. |
|
|
Impossible to create whitelist policy via ERS API. |
|
|
Multiple Vulnerabilities in activemq-all. |
|
|
Description using two lines, or <Enter> was used, under Client provisioning resources throws errorA. |
|
|
Heavy delay observed in sxp mappings when 50k acc packets with single SGT and VN send. |
|
|
Rotation of diagnostics.log is not working on ISE. |
|
|
Suspected memory leak in io.netty.buffer.PoolChunk. |
|
|
ISE with DUO as External Radius Proxy drops access-reject. |
|
|
CIAM: batik 1.7. |
|
|
CIAM: cups 1.6.3. |
|
|
CIAM: ksh. |
|
|
CIAM: libssh. |
|
|
ISE 2.4 p6 - REST API MnT query to get device by MAC address taking more than 2 minutes. |
|
|
ISE 2.x, Free space on Undo tablespace not cleared as per isehourlycron.sh cron script. |
|
|
CIAM: perl 5.14.1. |
|
|
CIAM: procps 3.3.10. |
|
|
CIAM: python (version 2.7.5, 2.7.14 & 3.7.1). |
|
|
CIAM: vim 7.4.160. |
|
|
Update "master guest report" to "primary guest report" everywhere in the ISE UI + code. |
|
|
Update "master/slave" terms to "primary/subordinate" in "show interface" command. |
|
|
Posture fails when primary PSN/PAN are unreachable. |
|
|
Alarm Suppression required for ERS queries along with suppression on iselocalstore.log. |
|
|
CIAM: d-bus 1.10.24. |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability. |
|
|
Guest password policy settings cannot be saved when set to ranges for Alphabets or numbers. |
|
|
CLDAP thread is hung and running infinite. |
|
|
ISE not doing lookup for all mac addresses in mac list causing redirectless Posture to fail. |
|
|
CIAM: libjpeg & libjpeg-turbo. |
|
|
App server crashes while transitioning into stopping state. |
|
|
Context visibility: exception caught on transport layer: Unable to load Context Visibility page. |
|
|
ISE:SEV2: Unable to restore backup of ISE 2.4 patch 12. |
|
|
Cisco Identity Services Engine Privilege Escalation Vulnerability. |
|
|
SYSAUX tablespace full despite fix for CSCvr96003. |
|
|
Max Sessions Limit is not working for Users and Groups. |
|
|
DNA ACA SG Sync Fails with JDBCException:could not prepare statement. |
|
|
Can not start CSV exporting for Selected User in internal ID Store. |
|
|
Radius passed-auth live logs not sent due to invalid IPv6 Address. |
|
|
PSK cisco-av-pair throws an error if the key contains < or > symbols. |
|
|
Device admin service is getting disabled when updating TACACS configuration. |
|
|
TrustSec enabled NADs not showing in trustSec Matrices when NDG column exceeds 255 characters. |
|
|
Can not get the download link of NetworkSetupAssistant.exe using Aruba dynamic URL redirect. |
|
|
ISE_EST_Local_Host RADIUS Shared Secret empty causes ISE application server intializing state. |
|
|
Context Visibility CVS exported from CLI not showing IP Addresses. |
|
|
ISE 2.6/2.7 Repositories get deleted post ISE node reload. |
|
|
Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.7 p2. |
|
|
ISE RADIUS Live Log details missing AD-Group-Names under Other Attributes section. |
|
|
Authentication summary report gets stuck if the total records are more than 5M. |
|
|
proxy bypass settings does not allow upper characters. |
|
|
ISE - Network Device API call throws error 500 if you query an non-existent network device. |
|
|
ISE constantly requesting internal "Super Admin" users against the external RADIUS token server. |
|
|
Unable to retrieve LDAP Groups/Subject Attributes when % character is used twice or more in bind password. |
|
|
Bulk certificate generation failed with 'An unexpected error occurred' message after RMA'd pPAN. |
|
|
Memory Leak : High Allocation in by CAD_ValidateUser during PassiveID stress. |
|
|
Smart Licensing Entitlement Tab gets stuck at "Refreshing" if there is connection failure. |
|
|
ISE 2.6 scheduled reports are not working when primary MNT is down. |
|
|
ISE Collection Filters will not display in GUI. |
|
|
ISE 2.6 P6/Unable to create SGT: NetworkAuthZProfile with entered name already exists. |
|
|
ISE 2.6p3 Adding Double Slash "//" in File Path with SFTP Servers. |
|
|
[CFD] ACA Sync broken - "Error occurs during migration: Waiting for Sync Runtime timed out". |
|
|
ISE nodes intermittently trigger Queue Link alarms : Cause=Timeout. |
|
|
ISE admin/portal Login with Chrome 85/86 could show error Oops. Something went wrong. |
|
|
Memory leak after adding AD Groups for passiv-id flow. |
|
|
USID is found different when user login with Email/Userid when Ldap store is configured. |
|
|
Posture does not work with dynamic redirection on 3rd party NADs. |
|
|
Not Throwing error for ip overlap case. |
|
|
GNU.org bash rbash BASH_CMDS Modification Privilege Escalation Vulnerability. |
|
|
Authorization Profiles showing "No data available" after NAD profile deleted. |
|
|
pxGrid ANC applyEndpointPolicy does not handle all MAC address formats correctly. |
|
|
Cisco Identity Services Engine Untrusted File Upload Vulnerability. |
|
|
Passive ID is not working stable with multi-connect syslog clients. |
|
|
ISE TACACS logging timestamp shows future date. |
|
|
ISE 3.0 not importing certificates with missing CN and SAN into Trusted Certificate Store. |
|
|
NADs shared secrets are visible in the logs while using APIs. |
|
|
Internal User custom attributes are not sent in CoA-Push. |
|
|
ISE MNT Live Session status is not changing to Postured in VPN use case. |
|
|
ISE Service Account Locked and WMI not established due to special characters in password. |
|
|
API IP SGT mapping not returning result for [No Devices]. |
|
|
AD security groups cannot have their OU end with dot character on RBAC policies. |
|
|
XStream before version 1.4.15 shows multiple vulnerabilities |
|
|
In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component. |
|
|
Multiple Vulnerabilities in c3p0. |
|
|
ISE Policy Evaluation : RADIUS requests dropped after deleting policy sets. |
|
|
CIAM found mariadb vulnerable. |
|
|
ISE incorrect number for the TOTAL field. |
|
|
HotSpot Guest portal displays Error Loading Page when passcode field contains special characters. |
|
|
ISE conditions Library corruption during Pen test. |
|
|
Dot1x authentication failed due to duplicate manager: add=false. |
|
|
CWE-20: Improper Input Validation to Create Node Group. |
|
|
"Radius Authentication Details" Report takes time when IMS(ISE Messaging Service) is disabled |
|
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities. |
|
|
ISE 2.6/2.7 Sorting based on username does not work in User Identity Groups. |
|
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities. |
|
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities. |
|
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities. |
|
|
Live session is not showing the correct active session. |
|
|
ISE 2.4 p13 break AD Authorization lookup for MAB authenticated endpoints. |
|
|
MAB authentication via Active Directory passes with AD object disabled. |
|
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities. |
|
|
ISE 2.4 patch 8 Unable to edit,.duplicate or delete guest portals. |
|
|
iPod not shown as an option in ISE BYOD portal. |
|
|
ISE 2.6 : Runtime crashes while TACACS+ get_handle is called by a socket stream. |
|
|
Unable to create support bundle if Japanese language is selected in Account Settings. |
|
|
Itune Integration is throwing error while saving though test connection is working fine. |
|
|
Health Checks:DNS Resolvability: False failures with ISE FQDN as CNAME (alias). |
|
|
Health Checks:Disk space: shows insufficient failure information. |
|
|
Add IdenTrust Commercial Root CA 1 Certificate to ISE truststore. |
|
|
ISE Health Check Platform Support should update UI directly with results. |
|
|
SGA value Under-Provisioned for SNS3515 running all personas on same node. |
|
|
In EAP chaining scenario, posture policy failed to retrieve machine AD group membership. |
|
|
Memory leak on TACACS flow. |
|
|
Add IdenTrust Commercial Root CA 1 Certificate for Smart Call Home and Smart Licensing. |
|
|
Network Devices > Default Device page requires PLUS license to allow configuration. |
|
|
Services not running after upgrade to 2.7. |
|
|
Upgrade failed from 2.6+ restore -> P8 to 3.1.0.289. |
|
|
MacOS Big Sur 11.x BYOD Failing EAPtls when using a CA Signed Certificate. |
|
|
Upgrade license check should check ISE DB for smart license registration. |
|
|
ISE Live Session Postured session is moving to Started upon Interim Update. |
|
|
SB should collect Hibernate.log. |
|
|
Memory Leak: PSN rmi GC collection not working properly causing memory leak in passive id flow. |
Open Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 9
|
Caveat ID Number |
Description |
|---|---|
|
PAN login page times out after entering the credentials |
|
|
TACACS + authentications fails all of a sudden with maximum connection limit reached error |
|
|
Disabled PSN persona but TACACS port 49 still open |
Known Limitations in Cisco ISE 2.6 Patch 9
Special Characters Usage Limitations in Name and Description Fields
-
The following special characters cannot be used in the Description field for TACACS+ profiles and Device Administration Network conditions: [%\<>*^:"|',=/()$.@;&-!#{}.?]. Supported characters are: alphanumeric, underscore(_ ), and space.
-
The following special characters cannot be used in the Name and Description fields for Authorization Profiles: %\<>*^:\"|',=. Supported characters for the Name and Description fields are: alphanumeric, hyphen(-), dot(.), underscore(_ ), and space.
-
The following special characters cannot be used in the Name and Description fields for Time and Date conditions: [%\#$&()~+*@{}!/?;:',=^`]"<>". Supported characters for the Name and Description fields are: alphanumeric, hyphen(-), dot(.), underscore(_ ), and space.
Change in SNMP User Password Format and SNMP Hash Minimum Length
After applying Cisco ISE 2.6 Patch 9, SNMP user configuration might be removed due to the change in the SNMP user password format. SNMP user passwords are now displayed in hash format. You must reconfigure the SNMP user settings again.
SNMP hash with less than 80 characters will not work and you will see the below error:
snmp-server user FT10 v3 hash fe7c35f09ff1238e369968a0be273f22 fe7c35f09ff1238e369968a0be273f22
% Error: Decryption Failed. Could not add SNMP User New Features in Cisco ISE Release 2.6.0.156 - Cumulative Patch 8
Health Check
An on-demand health check option is introduced to diagnose all the nodes in your deployment. Running a health check on all the nodes prior to any operation helps identify critical issues, if any, that may cause downtime or blocker. Health Check provides the working status of all the dependent components. On failure of a component, it immediately provides troubleshooting recommendations to resolve the issue for a seamless execution of the operation.
Ensure that you run Health Check before initiating the upgrade process.
Business Outcome: Identify critical issues to avoid downtime or blockers.
DNS Cache
The DNS requests for hosts can be cached, thereby reducing the load on the DNS server.
This feature can be enabled in the configuration mode using the following command:
service cache enable hosts ttl ttl
To disable this feature, use the no form of this command.
no service cache enable hosts ttl ttl
Admin can choose the Time to Live (TTL) value, in seconds, for a host in the cache while enabling the cache. There is no default setting for ttl. The valid range is from 1 to 2147483647.
Note |
TTL value is honored for negative responses. The TTL value set in the DNS server is honored for positive responses. If there is no TTL defined on the DNS server, then the TTL configured from the command is honored. Cache can be invalidated by disabling the feature. |
Business Outcome: Load on DNS Server is reduced.
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 8
The following table lists the resolved caveats in Release 2.6 cumulative patch 8.
Patch 8 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
ISE not returning configured Radius AVP 18 in access-reject |
|
|
ERS Update/Create for "Authorization Profile" failing XML Schema Validation |
|
|
nas-update=true accounting attribute will cause session to not be deleted. |
|
|
ISE 2.4 BETA : The status of the pxGrid services should show as active/standby not running/disabled |
|
|
Non-internal-CA signed pxGrid certificate incorrectly replaced upon ISE reload |
|
|
CSCvi62805 ISE ODBC does not convert the mac address as per configured stored procedure |
|
|
ISC BIND krb5-subdomain and ms-subdomain Update Policies Vulnerability |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|
|
Latency observed with high TPS rates, when ISE messaging service is turned ON |
|
|
Device Sensor not able to correctly parse DHCP attributes via RADIUS probe |
|
|
ISE truncates the SGT name after a "-" character and assigning a version id |
|
|
ISE Adds an additional character at the end of OperatingSystemVersion |
|
|
Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler |
|
|
ISE Repository Password is accepted in GUI but not CLI |
|
|
Active endpoints missing from MNT session directory during 2.7 Longevity |
|
|
core files are generated on PSN during 2.7 Longevity |
|
|
GNU Wget Buffer Overflow Vulnerability |
|
|
ISE TACACS livelogs does not have the option to filter using specific NAS ip address. |
|
|
Application server stuck in Initializing due to corrupted indexes |
|
|
High Auth Latency - no info which thread pool is guilty |
|
|
Apache ActiveMQ Corrupt MQTT Frame Out of Memory Denial of Service V ... |
|
|
Disabled PSN persona but TACACS port 49 still open. |
|
|
Incorrect DNS config can lead to TACACS or Radius auth failure |
|
|
ISE False alarm - Health status unavailable |
|
|
System Summary is not available for MNT nodes |
|
|
Import NAD is failing with unsupported error When shared secret key has special character (8o\v|) |
|
|
glibc Multiple Vulnerabilities CVE-2018-11236, CVE-2018-11237, CVE-2018-6485 and CVE-2017-16997 |
|
|
Evaluate 32-bit glibc vulnerabilities RHSA-2018:0805 |
|
|
FreeType Buffer Over-Read Vulnerabilities |
|
|
Samba Symbolic Link Traversal Vulnerability CVSS v3.1 Base: 5.4 |
|
|
Failing Network Devices CSV import, process silently aborting without reason |
|
|
core file generated on PSN |
|
|
Max Session Counter time limit option is not working |
|
|
EgressMatrixCell Allows Duplicate Creation Through ERS Call |
|
|
Service account passwords returned from server in SMS and LDAP page |
|
|
ISE versions use old JDBC version (11.2.0.3) which is not compatible with new Oracle Database |
|
|
Authz Profiles not pulling properly using REST API (Pagination is missing) |
|
|
X.Org libX11 Client Segmentation Fault Denial of Service Vulnerability |
|
|
X.Org libX11 Off-by-One Memory Write Arbitrary Code Execution Vulnerable |
|
|
"AD-Operating-System" attribute is not being fetched when this OS attribute changes on the AD Server |
|
|
TCPDump - Node and Interface field Unavailable |
|
|
Unavailability to edit saved compound conditions using conditions library. |
|
|
SMS over HTTPS is not sending username/password to gateway |
|
|
Application Server takes more time to initialize |
|
|
ISE-2.x || MNT REST API for ReAuth fails when using in distributed deployment |
|
|
ISE Server-side authorization checks insufficient |
|
|
Application server may crash when MAR cache replication is enabled |
|
|
pxGrid unable to delete user in INIT state |
|
|
Mismatched Information between CLI export and Context Visibility |
|
|
Cannot select 45 or more products when creating Anti-Malware Condition for definition |
|
|
CPU spikes are being observed at policy HitCountCollector |
|
|
Session cache getting filled with incomplete sessions |
|
|
ise-psc.log filled up with "check TTConnection is valid" causing relevant logs to roll over |
|
|
ISE 2.6 : Create Guest User using external sponsor users via ERS fails with 401 Unauthorized Error |
|
|
ISE 2.6 : TacacsConnectionManager needs to be enhanced to remove the stale connections |
|
|
suspected memory leak in io.netty.buffer.PoolChunk |
|
|
ISE is not allowing to disable Radius in NAD via API |
|
|
ISE : Oracle process reached limit : causing multiple issues |
|
|
TC-NAC adapter stopped scanning with nexpose (insiteVM) |
|
|
ISE 2.6p6 // Portal background displays incorrectly |
|
|
ISE is returning an incorrect version for the rest API call from DNAC |
|
|
Import option is not working under TACACS command sets |
|
|
portal page customization changes are not reflecting in certificate provisioning portal |
|
|
ISE logging timestamp shows future date |
|
|
ERS SGT create is not permitted after moving from Multiple matrix to Single matrix |
|
|
2.4P11 VPN + Posture : Apex Licenses are not being consumed, |
|
|
NDG added through ERS became associated with all network devices in DB |
|
|
When running ISE ERS API for internaluser update the existing identityGroups value is set to null |
|
|
License out of compliance alarm with a valid license |
|
|
ISE 2.4 p6 - REST API MnT query to get device by MAC address taking more than 2 seconds |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|
|
code for securityGroupAclTopic missing from 2.4 and 2.6, but topic still advertised |
|
|
Shared email for AD users fail to retrieve groups,ISE shows multiple account found in forest |
|
|
Session API for MAC Address returning Char 0x0 out of allowed range |
|
|
[CFD] GBAC sync breaks on deleting VN from SG if AuthZ profile is mapped to the same VN for diff SG |
|
|
Compress messages.x files in the system |
|
|
ISE 2.x, 3.x : Drop_Cache required for systems with High Memory Issues |
|
|
suspected Memory Leak in Elastic search |
|
|
ISE Authorize-Only requests are not assessed against Internal User Groups |
|
|
Radius secret 4 chars min requirement is not checked when REST API used to create NAD |
|
|
ERS REST API returns duplicate values multiple times when use filter by locations |
|
|
SessionDB columns are missing from ISE (>=2.4) |
|
|
ISE creates new site in insiteVM (tc-nac server) |
|
|
Failed Logins to ISE GUI Are Not Seen in Audit Report When AD Is Selected as the Identity Source |
|
|
ISE: REST API PUT query may fail after successful ERS Guest queries |
|
|
Alarms and system summary is not showing up on ISE GUI |
|
|
authentication failure with reason"12308 Client sent Result TLV indicating failure" |
|
|
ISE allows duplicates device ID in ERS flow in all version. |
|
|
ISE Radius Live Sessions Page Showing No Data Found |
|
|
InternalUser Attributes in ATZ policy will fail TACACS+ ASCII Authentication |
|
|
ISE Authentication Status API Call Duration does not work as expected |
|
|
HitCount REFRESH and RESET button is not visible in ISE 26p7,p9 |
|
|
ISE should either allow IP only for syslog targets or provide DNS caching |
|
|
Restore of Config backup on ISE 2.6 P7 is causing issues with node registration |
|
|
ISE 2.4 Application server going to Initializing on enabling endpoint debugs |
|
|
Overlap of network devices using subnet and IP range |
|
|
ISE:SEV3:Endpoint data not visible on secondary Admin node . |
|
|
ISE unable to connect with ODBC "Connection failed" with a port number |
|
|
Log Collection Error alarms appear |
|
|
TACACS Aggregate table is not purged properly. |
|
|
Unable to register IND with ISE on 2.4 P13 |
|
|
Session Cache for dropped session not getting cleared; causing High CPU on the PSN's |
|
|
ISE : Authz profile not saved with proper attributes when Security Group selected under common tasks |
|
|
ISE Authentication Status API Call does not return all records for the specified time range |
|
|
Modify TCP settings to enhance TACACS+ and TCP on ISE |
|
|
Policy Export Is Not Being Saved Without Encryption After It is Saved With Encryption |
|
|
MAC 11.0 support for ISE is not available |
|
|
NFS Repository is not working from GUI |
|
|
Evaluation of positron for Apache Struts Aug20 vulnerabilities |
|
|
Health check doesn't work when ISE has NIC teaming enabled |
|
|
Filters do not work for ISE Profiler Reports |
|
|
Export of Current active session reports only shows sessions that has been updated since midnight |
|
|
Saving command with parenthesis in TACACS command set gives an error (ISE 2.7 p2) |
|
|
Group lookup failed as empty value to be appended to the context |
|
|
ISE - Security Group values in Authorization Profile disappear shortly after fetching |
|
|
No password audit will be generated after changing ISE internal user password via Switch/Router CLI |
|
|
ISE 3.0 DNS resolvability false Alarm |
|
|
Remove ojdbc8 from 2.6/2.7 patch branch |
|
|
Multiple version of ojdbc in 2.6p7 results in licensing/mnt/deployment issues |
New Features in Cisco ISE Release 2.6.0.156 - Cumulative Patch 7
ANC Enhancement
MAC address is not always a unique identifier for an endpoint. USB NIC dongles means that multiple users can have the same MAC address. Plus, some endpoints have the same MAC address. MAC spoofing also shows duplicate MAC addresses.
To better identify an endpoint for the ANC service, Cisco ISE uses the IP address of the switch that the endpoint is connected
to. The switch's IP address is the NAS-IPAddress attribute.
Endpoint sessions can use the MAC address and NAS-IPAddress in an ANC Policy.
MDM vendors can use NAS-IPAddress in pxGrid v2 API.
PxGrid v2 is required to use NAS-IPAddress in the new API. The existing API still works. But you cannot use both the old and new APIs together.
Upgrading Cisco ISE Consideration
If you upgrade to Cisco ISE 2.6 patch 7, you will see an error message if you were using the RE_AUTHENTICATE in an ANC policy. The existing policies will still work.
Applying Cisco ISE 2.6 patch 2 eliminates the error message. Or you can remove those policies before upgrading.
Enable Probe Data Publisher
The Probe Data Publisher initiates a pxGrid publisher on the Primary Policy Administration Node (PAN). When the primary PAN identifies a change in attributes for a connected endpoint, the updated attribute data is published to the relevant pxGrid Topic in Cisco ISE.
This option, by default, is not enabled. We recommend that this option be enabled only if you have an external data consumer configured.
To enable the Probe Data Publisher, go to , and check the Enable Probe Data Publisher checkbox.
Telemetry
After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data will be used to provide better services and more features in the forthcoming releases. By default, telemetry is enabled. To disable or modify the account information, choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique for each deployment. Each admin user need not provide it separately.
Telemetry provides valuable information about the status and capabilities of Cisco ISE. Telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco ISE. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory report of license entitlement and upcoming renewals.
It may take up to 24 hours after the Telemetry feature is disabled for Cisco ISE to stop sharing telemetry data. Starting with patch 6, telemetry is disabled immediately.
Interactive Help
The Interactive Help provides tips and step-by-step guidance to complete tasks with ease.
Business Outcome: This helps the end users to easily understand the work flow and complete their tasks with ease.
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 7
The following table lists the resolved caveats in Release 2.6 cumulative patch 7.
Patch 7 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
ISE RBAC Network Device Type/Location View not working |
|
|
No AD domain attributes retrieved for RA-VPN/CWA if AD used for both authC and authZ |
|
|
ISE sends CoA to active-compliant sessions when a node-group member is unreachable |
|
|
ISE Crashes during policy evaluation for AD attributes |
|
|
tcpdump print_prefix Function Stack-Based Buffer Overread Vulnerability |
|
|
Logwatch files are not capped for size |
|
|
AnyConnect displays Cisco NAC agent error when using Cisco temporal agent |
|
|
ISE 2.4 URT fails with cert error |
|
|
ISE restore option should not have <cr> Carriage return without encryption-key |
|
|
'MAR cache distribution is not enabled' even when it has been enabled. |
|
|
Remove older journal log files |
|
|
libssh2 SSH_MSG_CHANNEL_REQUEST Packet Handling Out-of-Bounds Read V ... |
|
|
Cannot configure scheduled config and operational backup with start date same as current day |
|
|
GnuPG Filename Status Message Spoofing Vulnerability |
|
|
ISE PSN node crashing while fetching context attributes during posture plus RADIUS flow |
|
|
Evaluation of positron for TCP_SACK |
|
|
Replication failed alarm generated and ORA-00001 exceptions seen on ise-psc.log |
|
|
My Device Portal does not show a device after BYOD on-boarding with SAML authentication |
|
|
GNU patch OS Shell Command Injection Vulnerability |
|
|
FasterXML jackson-databind logback-core Class Polymorphic Deserializ ... |
|
|
Multiple Vulnerabilities in jquery - guest portals |
|
|
GNU patch do_ed_script OS Shell Command Execution Vulnerability |
|
|
Apache Commons Beanutils PropertyUtilsBean Class Property Suppression Vulnerability |
|
|
Blank Course of Action for Threat events received from CTA cloud to TC-NAC adapter |
|
|
EAP-FAST authentication failed with no shared cipher in case of private key encryption failed. |
|
|
FasterXML jackson-databind Polymorphic Typing Vulnerability CVSS v3.1 Base: 9.8 |
|
|
Apache Commons Compress File Name Encoding Algorithm DoS Vulnerability CVSS v3.0 Base: 7.5 |
|
|
Localdisk size needs to be increased to accommodate large corefiles |
|
|
libmspack chmd_read_headers Function Denial of Service Vulnerability |
|
|
ISE 2.2 patch 14 AD status shows up as "updating.." indicating the process is hung |
|
|
ISE App crash due to user API |
|
|
ACI mappings are not published to SXP pxGrid topic |
|
|
App server and EST services crash/restart at 1 every morning |
|
|
Add the capability to filter out failed COA due to MAR cache checks among group nodes in ISE |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|
|
Policy engine continues to evaluate all Policy Sets even after rule is matched |
|
|
Invalid root CA certificate accepted |
|
|
Unable to configure CRL URL with 2 parenthesis at ISE 2.6 |
|
|
Trustsec matrix pushing stale data |
|
|
Highload on Mnt nodes with Xms value |
|
|
SEC_ERROR_BAD_DATABASE seen in system/app debug logs while removing a trusted CA cert |
|
|
The CRL is expired with specific condition |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|
|
ISE not updating SGT's correctly |
|
|
AuthZ profile advanced profile for url-redirect does not allow custom HTTPS destination |
|
|
ISE 2.6 CA Certificate with the same CN removed from Trusted Store while integrating with DNA-C |
|
|
Condition disappeared from the library but is still in DB |
|
|
Fail to import Internal CA and key on ISE2.6 |
|
|
NFS mounting causes crash |
|
|
MACAdress API is not working(API/mnt/Session/MACAddress) |
|
|
Creating a new user in the sponsor portal shows "invalid input" |
|
|
Days to Expiry value, marked as 0 for random authentications |
|
|
NAD CSV imports should allow all supported characters in the TrustSecDeviceID |
|
|
ISE Admin User Unable To Change The Group For Internal Users |
|
|
collector log is dumped with pxgid and dnac messages |
|
|
Tacacsprofile not retrieved properly using REST API |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
|
|
After importing network device / groups, unable to add new Location |
|
|
ISE 2.2+ affected with memory leak. Everyday 1-2% increase in native memory due to Inflater() |
|
|
Days duration is not getting updated in portal page customization for self registration portal |
|
|
Errors when SG created using _ underscore sent from DNAC |
|
|
ISE 2.2+ affected with memory leak. Everyday 1-2% increase in native memory by PORT_Alloc_Util() |
|
|
ISE 2.6 - Cannot enable FIPS if Default Device Admin has been modified |
|
|
ISE: 2.4p9 Intermediate CA cert not installed when configuring SCEP RA |
|
|
Unable to do portal customization for "certificate provisioning portal" |
|
|
ISE crashes due to empty string instead of username in RadiusProxyFlow::stripUserName() |
|
|
ISE: Unable to use attribute "url-redirect" with HTTPS, same URL with HTTP works fine. |
|
|
URT fails on a ConditionsData clause from INetworkAuthZCheck |
|
|
API is not retrieving the data when interim-updates are not stored DB |
|
|
Multiple Vulnerabilities in binutils |
|
|
Having string 'TACACS' in AD join-point causes AD joinpoint to not show in AuthZ condition |
|
|
ISE 2.4 Guest ERS Call Get-By-Name fails when guest username contains @ sign (guest@example.com) |
|
|
Multiple Vulnerabilities in patch |
|
|
Multiple Vulnerabilities in python |
|
|
Multiple Vulnerabilities in sudo |
|
|
ISE 2.6 Install: Input Validation- Check IP Domain Name |
|
|
Vulnerability in unzip package - RHEL 7 |
|
|
ISE SNMP server crashes when using Hash Password. |
|
|
Importing metadata xml file with special characters results in unsupported tags error |
|
|
ISE 2.4 P11 On OP Backup Restore, EPOCH_TIME column is removed |
|
|
.dmp files not deleted from /opt/oracle/base/admin/cpm10/dpdump even after the reset-config on ISE |
|
|
404 error upon refresh of success page of guest sponsored portal |
|
|
NMAP - MCAFeeEPROOrchestratorClientscan fails to execute on 2.6 version of ISE |
|
|
ISE expired tacacs session not cleared timely from session cache |
|
|
Cert Revoke and CPP not functioning without APEX license. |
|
|
Change "View" Options Wording in TrustSec Policy Matrix--ISE |
|
|
POST getBackupRestoreStatus occures on every ISE page after navigating to Backup/Restore menu |
|
|
No threshold option for High disk Utilization in Alarm Settings |
|
|
Posture with tunnel group policy evaluation is eating away Java Mem |
|
|
ISE shouldn't be allowing ANY in egress policy when imported |
|
|
Time difference in ISE 2.6 |
|
|
[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for network devices |
|
|
IP SGT static mapping import not working correctly with hostnames |
|
|
FasterXML jackson-databind xbean-reflect/JNDI Blocking Vulnerability |
|
|
pxGrid 2.0 WebSocket distributed upstream connect issue |
|
|
pxGrid 2.0 WebSocket ping pong too slow even on idled standalone |
|
|
ISE doesn't display all device admin authz rules when there are more authz policies and exceptions |
|
|
Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.6 |
|
|
Authentication goes to process fail when "Guest User" ID Store is used. |
|
|
Radius Errors/Misconfigured supplicants tables do not exist after upgrade to ISE2.6 |
|
|
PERMGEN configured instead of metaspace for JDK8 |
|
|
When accessing the portal with iPad using Apple CNA and AUP as a link we get 400 Bad Request error. |
|
|
Publishing batch logic in Pxgrid when we use WMI and REST at the same time |
|
|
ISE shouldn't allow ANY SGT or value 65535 to be exposed over SGT import or export |
|
|
ISE ERS API Endpoint update slow when large number of endpoints exist |
|
|
Cannot add/modify allowed values more than 6 attributes to System Use dictionaries |
|
|
EP lookup takes more time causing high latency for guest flow |
|
|
Identity group updates for an internal user in ISE |
|
|
ISE 2.6 MDM flow fails if redirect value is present in the URL |
|
|
Hostname goes missing from CARS configuration |
|
|
[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for /ers/config/internaluser |
|
|
ISE: If min pwd length is increased then existing shorter pwd fails to login via GUI with no error |
|
|
MNT node election process is not properly designed. |
|
|
Syslog Target configured with FQDN can cause Network Outage |
|
|
Authentication Status API call on ISE 2.6p5 returns blank output |
|
|
App-server crashes if IP-access submitted w/o any entries |
|
|
Intermittent password rule error for REST API Update Operation |
|
|
ISE ERS API - GET call on Network Device is slow while processing SNMP configuration |
|
|
Alarm Dashlet shows 'No Data Found'. |
|
|
No debug log for non working MNT widgets |
|
|
ISE DACL Syntax check not detecting IPv4 format errors |
|
|
PUT verb for /ers/config/internaluser/name/{username}makes id&password&name mandatory in req content |
|
|
EAP TLS authentication is getting failed in 2.6p5 /p6 after backup restore from 2.6p3 |
|
|
Machine authentication via EAP-TLS is failing during authorization flow with user not found error |
Open Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 7
|
Caveat ID Number |
Description |
|---|---|
|
Multiple version of ojdbc in 2.6p7 results in licensing/mnt/deployment issues. |
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 6
The following table lists the resolved caveats in Release 2.6 cumulative patch 6.
Patch 6 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
Posture session state need to be shared across PSNs in multi-node deployment |
|
|
Provisioned Certificates are not getting deleted after revocation |
|
|
SXP Bindings are not published to pxGrid 2.0 clients |
New Features in Cisco ISE Release 2.6.0.156 - Cumulative Patch 5
Cisco AI Endpoint Analytics Support
Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep packet inspection, and probes from sources like Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.
Cisco AI Endpoint Analytics also uses artificial intelligence and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE account is connected to an on-premise Cisco DNA Center.
These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.
Open Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 5
show running-config|
Caveat ID Number |
Description |
|---|---|
|
Redirection not happening as hostname name missing from CARS configuration |
|
|
Expired Evaluation profiler on ISE will cause default radius probe to enable |
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 5
The following table lists the resolved caveats in Release 2.6 cumulative patch 5.
Patch 5 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
ISE Dashboard allows special characters: <>?" |
|
|
Custom filters not working in Session Status column in Live Sessions window |
|
|
CoA REST API is not working for ASA VPN Sessions |
|
|
Endpoints lose static group assignment |
|
|
MNT API does not support special character |
|
|
Live sessions show incorrect Authorization profile and Authorization Policy for VPN and Posture scenario |
|
|
TACACS authorization rule fails with no clear explanation when there is no command set defined for the rule if there is a VSA in the shell profile |
|
|
Parsing NMAP smb-os-discovery data should remove 
 or \x00 |
|
|
Self-signed account creation error: "An attempt to text your account information to you has failed" |
|
|
Multiple Vulnerabilities in procps-ng |
|
|
Licensing consumption is incorrect for postured sessions with remote-access VPN |
|
|
ISE 2.3 RSA SecurID authentication fails |
|
|
Not able to delete certificate after hostname change |
|
| CSCvm15495 |
Evaluation of positron for CVE-2018-5391 (FragmentSmack) |
|
Multiple Vulnerabilities in openssh |
|
|
Windows 7 device is profiled wrongly post Posture flow, due to anyconnect sending wrong useragent |
|
|
After applying ISE 2.3 patch 5, creation of EOB Guest user does not work |
|
|
Error occurred in publishing threat events with AMP adapters |
|
|
Errors seen in /var/log/secure every 10 seconds for isemntlogproc |
|
|
ISE 2.4 URT does not check if node is on a supported appliance |
|
|
ISE 2.3: Location info and IPSEC info are reversed in Network Device Groups for some NADs |
|
|
Multiple Vulnerabilities in krb5 |
|
|
To enable CLI clock timezone command |
|
|
ProfilerCoA:- Exception in getting Policy details Exception seen in Profiler.log |
|
|
Memory leak on ISE node with the openldap rpm running version 2.4.44 |
|
|
Patchupload files greater than 1GB don't get deleted while upgrading if upload through WebGUI is interrupted |
|
|
Sponsored Guest account start date is not adjusted when account is extended |
|
|
EAP-GTC Machine Authentication Failure password mismatch due to UTF-8 Validation Check failure |
|
|
Cross-Site Request Forgery (CSRF) [OWASP_CSRFTOKEN bypass] |
|
|
ISE 2.2 Sign On button grey out with Guest portal second factor Radius Token server authentication |
|
|
ISE 2.4 live sessions cannot be filtered based on authentication or authorization policy |
|
|
Cisco Smart Licensing cloud agent in waiting state causes GUI login delay in ISE 2.2 |
|
|
ISE 2.4 High CPU utilization on Secondary Admin Node |
|
|
Able to delete CA from trusted page when external CA signs any system certificate |
|
|
Internal User not found in prrt-server intermittently even though PrRTCpmBridge returns user found |
|
|
IETF Dictionary Attribute Ascend-Client-Primary-DNS broken after upgrade |
|
|
Expired guest accounts purge is stuck after daylight time change |
|
|
Radius session detail report is broken if calling-station-id contains CLIENTVPN |
|
|
Wrong job (HOURLY_STATS_JOB) running |
|
|
Network device Import to ISE takes too long when IPV6 address is included |
|
|
MnT Purge with option to export repository not working |
|
|
When binding external CA sign certificate in intermediate CA CSR, certificate chain is broken in CA page |
|
|
ISE TACACS Authentication and Accounting reports older than 30 days missing |
|
|
ISE does not show logging when CTS pac is expired |
|
|
Evaluation of ISE for CVE-2018-20685 |
|
|
Change logging level of 90140 INFO PassiveID: Message parsed syslog to DEBUG |
|
|
Trashing IP SGT Static mappings across pages never completes |
|
|
Maximum thread value limit is too low and triggers "Admin thread pool reached threshold value" alarm |
|
|
SNMP traps on access switch connected to Access Points cause incorrect profiling. |
|
|
All SNMP packets are logged to /var/log/messages file |
|
|
ISE 2.4 localhost-<date>.log files growing up to and more than 8 Gb in size |
|
|
No password audit is generated when a user changes ISE internal user enable password via ASA CLI |
|
|
Application Server crash observed in Passive ID dashboard after some time if number of active sessions is more than 200K |
|
|
Posture assessment by condition report is showing empty records |
|
|
ISE Posture Agent Profile does not allow blank remediation timer |
|
|
When creating Purging Rule, Radius directory hangs if there is no plus license |
|
|
ISE 2.6 MUD URL is not parsed correctly if IP address or port is used |
|
|
In external Radius scenario, ISE should replace state attribute before forwarding access challenge to NAD |
|
|
Certificate is not loading from Oracle to NSSDB properly |
|
|
ISE 2.4: Advanced Custom Filter option and export of reports not working as expected |
|
|
"MDM: Failed to connect to MDM server" log entry must include endpoint information |
|
|
Framed-Interface-Id RADIUS attribute not sent in access-accept if IPv6 address is in ::xx format |
|
|
ISE ERS SDK NetworkDeviceGroup PUT does not show ID placement in the API call |
|
|
ISE ERS SDK NetowrkDeviceGroup DELETE does not specify ID location |
|
|
pxGrid XMPP GCL Reconnect failure |
|
|
Network Device POST API allows for characters and spaces in Model name of device but GUI does not |
|
|
After changing password via UCP, "User change password audit" report doesn't have "Identity" |
|
|
When ISE and Cisco DNA Center are integrated, network devices do not appear in ISE when the secret value contains both special characters & and \ |
|
|
ISE fails to load network devices page while filtering on IP/Mask |
|
|
Systemd vulnerabilities RHEL 7 RHSA-2019:0049 |
|
|
Read-only admin users are able to view TrustSec device configuration credentials |
|
|
Unable to get all tenable adapter repositories |
|
|
Network Devices description issue with Japanese Language |
|
|
Radius Authentication report missing log when custom filter is used |
|
|
ISE not using the device-public-mac attribute in endpoint database |
|
|
Export failed in ISE GUI when private key encryption failed |
|
|
Password lifetime expiration reminder appears for Internal Users with external passwords |
|
|
ACS 5.7 to ISE 2.6 migration doesn't import authorization profiles |
|
|
Multi Shared Secret Field is being populated for exported TACACS devices |
|
|
Unexpected CoAs may be observed with SCCM MDM |
|
|
Unable to access My Devices portal |
|
|
GUI login with AD user failed when similar internal user is disabled |
|
|
ISE not searching machine account properly on AD |
|
|
ISE 2.4: Incorrect sponsor portal presented to user due to incorrect FQDN match |
|
|
ISE services are not coming up after installing patch 2.3 p7 |
|
|
DHCP messages are marking endpoints active thereby increasing the active endpoint count |
|
|
Typo in Max Sessions window in Counter Time Limit tab |
|
|
PxGrid ANC API support for Session-ID |
|
|
ISE 2.4 p9: Session directory write failed : String index out of range: -1 alarms seen in the deployment |
|
|
Unable to delete SCEP profile because it is referencing system certificates |
|
|
ISE MnT stops showing Live Logs after 90% Purge |
|
|
ISE sponsor's e-mail gets CCed in guest credential email even when view/print guest' passwords is disabled |
|
|
ISE IP routing precedence issue |
|
|
Called-Station-ID missing in RADIUS Authentication detail report |
|
|
SCCMException seen in SCCM flow and MDMServerReachable value is updated as false in MDMServersCache |
|
|
WSA receives SIDs instead of AD groups from ISE |
|
|
Definition date for few AM product like mcafee and symantec is listed false |
|
|
ISE prefers cached AD OU over new OU after changing the Account OU |
|
|
Config restore from one platform on another platform set incorrect UDI in sec_hostconfig table |
|
|
tzdata needs to be updated in ISE guest OS |
|
|
ISE LDAP bind test does not use the correct server when defined per node |
|
|
Replication alarm when trustsec matrix CSV imported with EMPTY SGACL that is already EMPTY in GUI |
|
|
Valid Base and Plus licenses show out of compliance |
|
|
Live Logs show wrong username in "5436 NOTICE RADIUS: RADIUS packet already in the process" messages |
|
|
ISE fails to re-establish External syslog connection after break in connectivity |
|
|
SYSAUX tablespace is getting filled up with AWR and OPSSTAT data |
|
|
NDG device references not removed from ISE DB thereby preventing NDG deletion |
|
|
No profiling CoA for ip based profile policy |
|
|
ERS Admin account disabled incorrectly due to password expiry |
|
|
ISE Messaging service triggers Queue Link error alarms with reason basic_cancel |
|
|
Different results seen in API calls and GUI |
|
|
Max Session Counter time limit option is not working |
|
|
ISE doesn't display the correct user in RADIUS reports if username is entered differently twice |
|
|
ISE 2.3 p6 LDAP test GUI flow with multiple results does not generate error observed in runtime |
|
|
Authorization Profile created using ERS API does not match with "ASA VPN" field in GUI |
|
|
PSN crashes for TACACS+ |
|
|
Set max time frame to 60 mins when EndPoint default interval disabled |
|
|
Reset config on 2.4 patch 9 throws some errors despite finishing successfully |
|
|
ISE Guest creation API validation for Guest Users valid Days doesn't take time into account |
|
|
PassiveID: Configuring WMI with an AD account password that contains $ character throws an error |
|
|
LDAP ID store corruption alarm - Enhancement |
|
|
Improve behavior against brute force password attacks |
|
|
ISE 2.6 and 2.7 - Cannot add character ' in dACL description field |
|
|
ISE 2.6 should allow multiple blank lines in dACL syntax, even if user chooses IPv4 or IPv6 |
|
|
ISE 2.x Network Device stuck loading |
|
|
Self Registered Guest portal unable to save guest type settings |
|
|
Unable to edit static group assignment |
|
|
ISE allows to insert a space before command under Command Sets |
|
|
Backups are not triggering with special characters for encryption key |
|
|
Multiple endpoints profiled every second causing ISE nodes to go out of sync |
|
|
RabbitMQ Container failed to start when port 15672 is in use |
|
|
When an internal user is configured with external passwords, Enable authentication function is broken |
|
|
HSTS is not implemented for root folder |
|
|
"No policy server" error seen in ISE posture module during high load |
|
|
Corrupt Endpoints: Attributes associated to the incorrect Endpoint |
|
|
pxGrid 2.0 authorization profile attribute missing from the session directory |
New Features in Cisco ISE Release 2.6.0.156 - Cumulative Patch 3
Multi-DNAC Support
Cisco DNA Center systems cannot scale to more than the range of 25 to 100 thousand endpoints. Cisco ISE can scale to two million endpoints. Currently, you can only integrate one Cisco DNA Center system with one Cisco ISE system. Large Cisco ISE deployments can benefit by integrating multiple DNA Center clusters with a single Cisco ISE. Cisco now supports multiple Cisco DNA center clusters per Cisco ISE deployment, also known as Multi-DNAC.
Business Outcome: This feature for the Access Control app in Cisco DNA Center allows you to integrate up to four Cisco DNA Center clusters with a single Cisco ISE system.
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 3
The following table lists the resolved caveats in Release 2.6 cumulative patch 3.
Patch 3 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
Missing NAD info in Alarm "Unknown SGT was provisioned" |
|
|
The software shouldn't allow to delete the pxGrid certificate on a ISE node |
|
|
Pseudo double Auth request on AD |
|
|
ISE 2.3+ does not have authentication condition Network Access:AuthenticationMethod |
|
|
ISE easy wireless setup - SAW secure access wizard not working with wlc code >8.3 |
|
|
ISE : Accounting updates tolerance for suppression needs to be more efficient. |
|
|
Supported server ciphers for TLSv1.2 need 2048-bit option |
|
|
ISE does not provide the expected values in the context of EAP chaining |
|
|
ISE ENH : Allow RADIUS Dictionary VSA "Vendor Attribute Size Field Length" of 2 bytes |
|
|
Remove ciphers with Diffie-Hellman moduli size less than or equal to 1024 bits for SSL connections |
|
|
Cisco Identity Services Engine (ISE) Arbitrary Client Certificate Creation Vulnerability |
|
|
Parser error seen with Threat Centric NAC CTA Configuration irrespective of ise version |
|
|
ISE custom attributes not being applied to endpoint when pushed from cloudpost IND |
|
|
MDMServerReachable does not work for SCCM MDM again |
|
|
ISE 2.4 Live Logs Not Filtering |
|
|
Multiple Vulnerabilities in jackson-databind |
|
|
Qualys show connected state once disable/enable tc-nac if added before applying patch. |
|
|
Disclose invalid username by Always show invalid name configuration not working |
|
|
ISE 2.3 P5 ISE doesn't allows to delete SGT tag from GUI although it is not referenced |
|
|
Guest portal client provisioning customization text doesn't save |
|
|
ISE2.4 doesn't reset failedLoginAttempts after successful login of internal users to network device |
|
|
ISE 2.2 Sponsor: Single click approval displays wrong message after clicking on approval link twice |
|
|
The calculation of required space for MNT backup need to be revalidated. |
|
|
ISE 2.4 P5 : Profiling : Netflow probe not working on ISE Bonded Interface |
|
|
ISE Profiler SNMP Request Failure Alarms should show the reason of failure |
|
|
No serialization or batching when large scale(>300) NADs are moved between MatrixA to MatrixB |
|
|
Env data is missing when TrustSec-ACI integration is enabled. |
|
|
ISE: SMTP server sending Email notification gets Exhausted |
|
|
ERS API that requires CSRF token always failing on PUT/POST/DELETE |
|
|
Change in External admin permissions are not getting reflected in other nodes in deployment. |
|
|
ISE deletes all endpoint if mac address is deleted twice at the same time |
|
|
SystemTest : Error when deleting SCEP RA profile |
|
|
Posture redirect fails with error 'unable to determine peer' in AnyConnect_ISEPosture.txt |
|
|
ISE 2.4 With CTA threat, threat endpoints are not detecting |
|
|
GUI Context Visibility report export slowness |
|
|
AD Diagnostic tool shows low level API query failed w/ Response contains no answer. Check DNS config |
|
|
Unable to disable MDM server if configured server is not reachable |
|
|
SQLite FTS3 Query Processing Integer Overflow Vulnerability |
|
|
Enforce NMAP skip host discovery and NMAP scan timeout |
|
|
System Test: Temporal agent installation is failing with internal system error. |
|
|
[pxGrid XMPP Server] TCP/5222 insecure Diffie-Hellman prime p 1024 bits |
|
|
Log Collection Error - Session directory write failed when AD Probe Session is inserted |
|
|
Authentications start failing once AD throws KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN |
|
|
Unable to remove an endpoint from the endpoint database due to permission error |
|
|
2.4 P8/P9 Certificate chain does not get imported to Patch 8 and Patch 9 |
|
|
ISE LogicalProfile appears under Custom attributes in CV if configure after valid Custom attributes |
|
|
ISE trustsec custom view doesn't sort properly with manual order |
|
|
ISE ERS Create via the API does not use the specified ID |
|
|
ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions |
|
|
Can't use endpoint group description during runtime for authz profile |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities |
|
|
Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|
|
ISE fails to handle SAML authentication response token |
|
|
Certificate provisioning portal error with ISE as SubCA and PKCS12 (sinlge file) |
|
|
Renewed self-signed certificate doesn't get updated in trusted store |
|
|
Restore failing for scheduled backup |
|
|
Cannot Update Internal User with External Password ID Store via ERS--ISE |
|
|
ISE fails to save configuration changes for large policy-sets |
|
|
Wrong password being notified after password reset (Only on SMS) |
|
|
Create Failing with ORA-02291 on CEPM.REF_ROLE_MASTER if groupId w/ prepending/trailing spaces |
|
|
Core files on PSN servers causing High Disk Utilization alarms |
|
|
ISE shows "Oops. Something went wrong" if session ID contains "-" |
|
|
Not able to change the language in guest portal with option "Always use" |
|
|
Incorrect audit report while updating Counter Time Limit in Max Session page |
|
|
Posture fails with "Posture failed due to server issues". when Primary PAN is unreachable |
|
|
Certificate trust chain is incomplete for pxGrid on pxGrid alone persona |
|
|
ISE PAN failover inactive days = elapsed days causing incorrect purging of EP's. |
|
|
ISE: "Posture failed due to server issues" error during System scan on MAC OSX |
|
|
ISE doesn't store self-registered EndPoints in configured custom group |
|
|
ISE 2.6 ACI integration Trustesec ACI report doesn't have sent ip-sgt mappings to ACI |
|
|
Export function in Network device groups fails when using RBAC |
|
|
Network Conditions do not work with shorten IPv6 |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
|
|
'Deleting All' Network Access Users doesn't appear on audit report |
|
|
Cisco Identity Services Engine Information Disclosure Vulnerability |
|
|
System Summary is not available for MNT nodes |
|
|
Cisco Identity Services Engine Policy Set Name Cross Site Scripting Vulnerability |
|
|
Using ECDSA signed certificates with the admin or pxgrid usage breaks pxgrid |
|
|
ISE user import does not fail when username contains invalid characters |
|
|
ISE Guest portal fails to parse http request with two questions marks |
|
|
Static group information is lost from EP in some scenarios |
|
|
PSN generates scheduled reports if no connectivity to MNT |
|
|
Implementation of patch popup |
|
|
ISE 2.6 : Fix for CSCvi89085 breaks detectMACAuthenticationOnPAP flow |
|
|
Move to Mapping Group drop down menu limits SGT Mapping groups to 25 |
|
|
PassiveID Agent: No Syslog message is sent to MnT when the agent monitoring DC goes down |
|
|
pxGrid controller contacting terracotta.org |
|
|
Static group assignment losing from guest flow |
|
|
"Cache not properly initialized" message in every Profiler Policy and cannot update Profiler Feed |
|
|
When updating password for administrative user it is possible to bypass entering current password |
|
|
ISE 2.4p9 Grace period is not working with PRA with VPN use case |
|
|
ISE sponsor portal - sorting by creation date doesn't work |
|
|
ISE 2.4 Possible XSS input in Certificate Attributes message when "/" sign is in the name |
|
|
Network devices added via restful API fails authentication with a 'Network Device not located' error |
|
|
ACS to ISE migtool changes the intended results of auth policy |
|
|
IPv6 RADIUS attributes cannot be mapped to any External attribute |
|
|
IP SGT static mapping export fails for entries with no mapping data |
|
|
Internal user using token password will be disabled due to password expired |
|
|
ise.messaging.log not visible on support bundle or gui |
|
|
Remove Unnecessary JQUERY-UI Files from ISE |
|
|
Login page AUP as link does not work with iOS CNA browser |
|
|
Move devices to another group button should be disabled when access has been restricted to NDG |
|
|
ISE 2.6 Patch 2: EAP-TLS auth not matching endpoint groups |
|
|
REST API: Create Network Device with special character ("\") in password field is interpreted as utf |
|
|
ISE fails to parse NMAP Scan information |
|
|
ISE 2.7 BETA: My Devices portal fails to load due to invalid character in Endpoint Description |
|
|
ISE 3695 appliance is having issue with Oracle parameters configured for super MNT |
|
|
Day0: iPad OS 13.1 BYOD flow got failed |
|
|
Hostname change causes ISE Messaging issues - MNT Failover and Queue Link Error-basic_cancel |
Open Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 3
|
Caveat ID Number |
Description |
|---|---|
|
SGT Notification is missing on PxGrid V2 Client |
New Features in Cisco ISE Release 2.6.0.156 - Cumulative Patch 2
Syslog over ISE Messaging Service
The UDP syslogs (built-in UDP syslog targets - LogCollector and LogCollector2) will be delivered to the monitoring nodes using the existing ISE Messaging service infrastructure, which is by default enabled now. This enhances WAN survivability of syslog messages. Please ensure to open the TCP port 8671 on firewalls (if any) between all nodes for this feature to work.
You can disable this option to deliver the UDP Syslogs via UDP Ports. To do so, navigate to Administration > System > Logging > Log Settings page in the Cisco ISE GUI and uncheck the Use ISE messaging Service for UDP syslog delivery to MnT option.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6
Business Outcome
Operational data will be retained for a finite duration even when the monitoring nodes are unreachable.
Support for Elevated System Administrator Role
The Elevated System Administrator role is similar to the existing System Administrator role. Additionally with this role you can create, delete and update admin users except super admin users.
For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6.
Business Outcome
Elevated System Admin has the ability to manage admin users.
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 2
The following table lists the resolved caveats in Release 2.6 cumulative patch 2.
Patch 2 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
Custom admin unable to create other restricted admin users |
|
|
SXP Devices page - can't show all the name after 14 chars |
|
|
Friendly info message has to be displayed instead of blank page for unauthorized access |
|
|
Patch installation might generate alarm Application patch installation failed |
|
|
Sponsor Portal Page takes more than 10 seconds to load |
|
|
Session notification can emit bad values in ADNormalizedUsername, ADUserResolvedIdentities fields |
|
|
ISE CoA doesn't work 2 days after initial auth |
|
|
ISE-PIC Self signed certificate delete operation fails due to Secure Syslog Server reference error |
|
|
CA Service still running on command line after Disabling internal certificate authority in Web UI |
|
|
ISE guest flow max session limit does not send CoA Disconnect with third party NAD |
|
|
Network access user with external password cannot be used as ISE admin |
|
|
ISE replaces "ip:" to it's hostname in "ip:inacl" Cisco AV-Pair |
|
|
Emails are not sent for alarm specific email configuration |
|
|
EAP-TLS authentications with Endpoint profile set to not unknown fails in second authorization. |
|
|
App status for ISE is in initialization state |
|
|
ISE: admin users unable to delete or modify groups if a tacacs user is saved without any group |
|
|
ISE 2.4 : Misconfigured supplicant query is one of the reasons for high CPU on both MNT nodes |
|
|
Latency observed with high TPS rates, when ISE messaging service is turned ON |
|
|
ISE 2.4 - CLI password will not accept 3 $ |
|
|
ISE Custom Endpoint Attributes - Will not save or delete |
|
|
Internal Administrator Summary report not allowing to select specific columns |
|
|
Adding config to support PrA in PSN failover case |
|
|
TCNAC adapter cannot be configured post upgrade from 2.2 to 2.6 |
|
|
ISE 2.6 ANC policy is applied with error "microservice_unavailable" on SMC |
|
|
Sponsor guest portal rate limit time not honored |
|
|
Allowed Protocols - Error creating an inline Allowed Protocol in Policy sets page |
|
|
EAP-GTC Machine Authentication Failure Password Mismatch due to failing the UTF-8 Validation Checks |
|
|
ISE 2.4 Patch 6 reload breaks backups |
|
|
PassiveID flow should send User's SamAccountName and ExplicitUPN |
|
|
ADNormalizedUserName Field Missing From Half of sessions |
|
|
Plus Licenses Consumed without Plus Features |
|
|
AD_User_Fetch information's are not in UI as well as Redis |
|
|
Unable to delete multiple admin groups with multi select |
|
|
ISE 2.4p3 Radius livelogs not showing due to invalid NAD ip address |
|
|
Modifying Radius attributes to send in the request to External RADIUS Server is not working on ISE |
|
|
Enable Pxgrid Profiling Probe Saves but will not enable |
|
|
ISE dropping requests due to descriptor allocation exhaustion under external server latency scenario |
|
|
ISE fails to match authz policy with endpoint ID group "unknown" |
|
|
Custom Attribute (advanced filter in CV) not able to filter on risk score (integer value) |
|
|
The AD connectivity issue occurred and the corefile was generated the same day |
|
|
TACACS/AAA live log report not showing configuration change made from ACI |
|
|
ISE 2.6 SFTP repository access fails |
|
|
Deleting guest type throws error & not able to create new guest type with same name |
|
|
Queue Link Error alarm generated after signing of ISE CA certificate by external Root CA |
|
|
ise-elasticsearch.log files not purged in ISE 2.4 and 2.6 |
|
|
ISE 2.4 : Replication: Cluster information table has old FQDN |
|
|
ISE 2.4 p6 400 error on sponsor portal after timeout. |
|
|
BYOD flow is broken in IOS 12.2 |
|
|
Import of network device template throws error Failed illegal value for Encryption key |
|
|
Multiple Vulnerabilities in struts2-core |
|
|
Upgraded ISE Node Shows LDAP Identity Store Password in Plain |
|
|
Authorization profile fails to import with no warnings or errors to user |
|
|
CSCvp63136: US399914: 2.6 P2 - View third-party licenses and notices - Link Update |
|
|
ISE 2.4 P8 posture scan running when switch to wired network not configured with dot1x |
|
|
"Cisco Modified" Profiles are overwritten by the Profiler Feed Service |
|
|
AUP guest portal error 400 when return from contact support link (iphone captive portal) |
|
|
Email not received to guest if view/print guest password disabled |
|
|
ISE MNT exception when receiving cisco-av-pair=addrv6=0x7f8c0d588608 |
|
|
ISE customer endpoint attribute type string doesn't allow certain numbers |
|
|
ISE if using multiple matrices deploy button is missing |
|
|
License usage for Plus either shows 0 or incorrect value |
|
|
Export from Context Visibility-Endpoints does not contain Custom Attr for most of Endpoints |
|
|
Unable to add network device with combination of any digit followed by () in software version field |
|
|
[ 400 ] Bad Request error when refreshing the Mydevice portal |
|
|
pxGrid to publish ADUser.. and ADHost..: SamAccountName and QualifiedName |
|
|
ISE 2.6 patch 1 - AD User Test is returning 0 groups |
Open Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 2
|
Caveat ID Number |
Description |
|---|---|
|
System Summary is not available for MNT nodes |
|
|
IP-SGT maps are not propagated to ACI in specific scenario |
|
| CSCwc83059 | Post full upgrade VCS information is missing |
Resolved Caveats in Cisco ISE Release 2.6.0.156 - Cumulative Patch 1
The following table lists the resolved caveats in Release 2.6 cumulative patch 1.
Patch 1 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
|
Caveat ID Number |
Description |
|---|---|
|
ISE dmp files are not deleted from /opt/oracle/base/admin/cpm10/dpdump for failed backup attempts |
|
|
ISE 2.x : Guest account activation time discrepancy for imported accounts |
|
|
ERS API that requires CSRF token returns HTTP 404 instead of 403 |
|
|
Cannot delete security groups having virtual network mapping |
|
|
Import two CA certs with same subject name |
|
|
ISE Secure Access Wizard Easy Wireless null AD groups for BYOD, Secure Access, Sponsored guest flow |
|
|
ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes" |
|
|
NAD CSV imports should allow all supported characters |
|
|
"No Data Available" when attempting to add endpoints to Identity Group with RBAC User |
|
|
Guest creation fails ISE 2.3 after patch 5 |
|
|
Manage ACC calling infinite time when sponsoruser configured with permissions ALL&GROUP sponsor grps |
|
|
ISE 2.4 slow database response with 500 authorization policies |
|
|
ISE 2.4 - IP-SGT bindings disappear from SXP for user session |
|
|
Removing SCEP RA Profile causes the associated CA chain to be silently removed from Trusted Store |
|
|
Removal of unused logical profile may cause a wrong authorization result |
|
|
Non-existed DACL is not verified by the ISE |
|
|
[ISE 2.4]Unable to use created profiling policy in authorization condition |
|
|
Backups from SFTP repository may show incorrect year in Modified time |
|
|
Able to delete ACI IEPG in ISE. |
|
|
ISE does not allow to add an SGT |
|
|
address shows as HTML code in context visibility |
|
|
ISE: failed to skip duplicate framed-pool attribute during migration |
|
|
ISE endpoint purge ACTIVEDIRECTORY dictionary is not loading |
|
|
pagination is not working in "All SXP mappings" page in ISE. |
|
|
ISE deleting the newly created IP-SGT mapping |
|
|
ISE truncates the SGT name after a "-" character and assigning a version id |
|
|
System Scan throws internal error for MAC built-in FW remediation using ISE 2.4 Patch 7 |
|
|
RabbitMQ docker container is not coming up if port 15672 was already in use |
|
|
ISE 2.4 Patch 6 installation breaks FQDN of Sponsor and MyDevices Portal |
|
|
Failed to migrate dACLs from ACS 5.8 to ISE 2.6 |
|
|
CoA failure in Radius+PassiveID flow |
|
|
After upgrading from ISE 2.0.1 Patch 4 to 2.4 Patch 6, CoA is not issued from ISE |
|
|
ISE TLS 1.0 and 1.1 security settings are not applied for PxGrid, causing WSA to fail integration |
|
|
Unable to add AD group if it contains "/." or "/.." in the AD group name |
|
|
Change password for few of the internal users not working after upgrade to 2.6 |
|
|
APIC logs not seeing in sxp.log when SXP logging set to 'DEBUG'. |
|
|
Delay in clearing of SXP mappings in ISE |
|
|
EAP-TTLS settings page is not saved in ISE 2.6 |
|
|
Admin group cannot get access to "Users" at "Device Administration" tab after install patch 5 |
|
|
Default python change password script returns CRUD operation exception |
|
|
ISE:WMI-Passed values may compromise the security of ISE. Please remove malicious scripting terms |
|
|
CSV file of RADIUS authentications report may have duplicate records |
|
|
ISE downloads unneeded RA certificate for BYOD |
|
|
Device Administration Current Active Sessions report not available from 2.4 Patch 6 |
|
|
ISE DACL syntax checking validation failing on wildcard notation |
|
|
Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler |
|
|
pxGrid node name limit too short for FMC |
|
|
pxGrid startup order causing profiler code to fail init |
|
|
ISE 2.6 LiveLogs not seen and false Health Status is Unavailable alarm |
|
|
ISE : Memory usage discrepancy in GUI and show tech |
|
|
After Importing ISE PB to ISE , Login page are not loaded |
|
|
ISE 2.3 : Posture report for endpoint by condition not working as expected |
|
|
ISE : Improve Posture Assessment by Condition Report export rate for higher records (millions) |
|
|
Admin Access Blank page when using valid RSA/RADIUS Token credentials but is not in ISE Admin DB |
|
|
ISE 2.3/2.4 upgrade to the latest patch may break dynamic redirection for 3rd party NADs |
|
|
[ENH] Change field Active Directory in External DataSource condition to mention Join Point |
|
|
Successful Authentication Entries not shown in the RADIUS Report due to exceeding the CSV limit |
|
|
Fix "Server not reachable" autologout |
Resolved Caveats in Cisco ISE Release 2.6.0.156
All Resolved Defects for ISE 2.6
Open Caveats in Cisco ISE Release 2.6.0.156
Open Caveats in Cisco ISE, Release 2.6
Communications, Services, and Additional Information
-
To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you are looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
-
To obtain information about general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Feedback