

The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.


Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, Cisco Wireless Controllers, Virtual Private Network (VPN) gateways, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on Secure Network Server appliances with different performance characterizations, and also as software that can be run on a virtual machine (VM). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For more information about the features that are supported in this Cisco ISE release, see the Cisco Identity Services Engine Administrator Guide.

To access the documentation, go to End-User Documentation.

System Requirements

Ensure that the following system requirements are met before you install Cisco ISE.

For more details on hardware platforms and installation in this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE, Release 2.6, can be installed and run on the following platforms.


For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise- Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.

Table 1. Supported Platforms

Hardware Platform

  • Cisco SNS-3515-K9 (small)

  • Cisco SNS-3595-K9 (large)

  • Cisco SNS-3615-K9 (small)

  • Cisco SNS-3655-K9 (medium)

  • Cisco SNS-3695-K9 (large)

  • Cisco ISE-VM-K9 (VMware ESXi 5.x, 6.x, 7.x; Linux KVM; Microsoft Hyper-V)

For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.

After installation, you can configure Cisco ISE with specific component personas, such as Administration, Monitoring, and pxGrid, on the platforms that are listed in the above table. In addition to these personas, the Policy Service persona can run other services, such as the Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.


  • Cisco Secure Network Server (SNS) 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. If a Cisco ISE behavior issue occurs, you must increase the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

  • Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.

Federal Information Processing Standard Mode Support

Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.

When FIPS mode is enabled on Cisco ISE, consider the following:

  • All non-FIPS-compliant cipher suites will be disabled.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA private keys must be of 2048 bits or greater.

  • Elliptic Curve Digital Signature Algorithm (ECDSA) private keys must be of 224 bits or greater.

  • Diffie–Hellman Ephemeral (DHE) ciphers require Diffie–Hellman (DH) parameters of 2048 bits or greater.

  • SHA-1 cannot be used to sign ISE local server certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • The local SSH server operates in FIPS mode.

  • The following protocols are not supported in FIPS mode for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESXi 5.x, 6.x, 7.x

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on RHEL 7.1, 7.3, and 7.5


Cisco ISE does not support VMware snapshots for backing up ISE data, because a VMware snapshot saves the state of a VM at a given point in time. In a multi-node Cisco ISE deployment, data in all the nodes is continuously synchronized with the current database. Restoring a snapshot might cause database replication and synchronization issues. We recommend that you use the backup functionality included in Cisco ISE for archival and restoration of data.

Using VMware snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node.

Supported Browsers

The supported browsers for the Admin portal include:

  • Mozilla Firefox 80 and earlier versions

  • Mozilla Firefox ESR 60.9 and earlier versions

  • Google Chrome 85 and earlier versions

  • Microsoft Internet Explorer 11.x

Support for Microsoft Active Directory

Cisco ISE works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 at all functional levels.


  • We recommend that you upgrade Windows Server to a supported version, because Microsoft no longer supports Windows Server 2003 and 2003 R2.

  • Microsoft Active Directory Version 2000 or its functional level is not supported by Cisco ISE.

Cisco ISE supports multidomain forest integration with Active Directory infrastructure to support authentication and attribute collection across large enterprise networks. Cisco ISE supports up to 50 domain join points.

Improved User Identification

Cisco ISE can identify Active Directory users when a username is not unique. Duplicate usernames are common when short usernames are used in a multidomain Active Directory environment. You can identify users by the sAMAccountName (SAM) attribute, the Common Name (CN) attribute, or both. Cisco ISE uses the attributes that you specify to uniquely identify a user.

Set the parameter to one of the following values:

  • SAM: Use only the SAM in the query (the default).

  • CN: Use only the CN in the query.

  • CNSAM: Use both the CN and the SAM in the query.

To configure which attributes identify Active Directory users, update the IdentityLookupField parameter in the registry on the server that is running Active Directory.
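The following Python example is added here and is not Cisco ISE code. It shows what the SAM, CN, and CNSAM lookup values mean for a query against a multidomain forest, and why a short name that repeats across domains is ambiguous in SAM mode. The directory entries are constructed for the example; the assumption that CNSAM matches the supplied identity against either attribute, and the domain-suffix scoping, are this example's own choices rather than a description of ISE's internal query.

```python
# Added example; not Cisco ISE code. Models the SAM / CN / CNSAM lookup modes
# against a constructed multidomain forest. CNSAM is assumed to match the supplied
# identity against either attribute (an assumption, not taken from the page).
from __future__ import annotations

from dataclasses import dataclass

MODES = ("SAM", "CN", "CNSAM")  # values of IdentityLookupField named on the page


@dataclass(frozen=True)
class AdUser:
    dn: str
    domain: str
    sam: str  # sAMAccountName, the short logon name
    cn: str   # cn, the Common Name


# Constructed forest: two domains that both contain a user with the short name "jsmith".
FOREST = (
    AdUser("CN=John Smith,OU=Users,DC=corp,DC=example", "corp.example", "jsmith", "John Smith"),
    AdUser("CN=Jane Smith,OU=Users,DC=emea,DC=example", "emea.example", "jsmith", "Jane Smith"),
    AdUser("CN=Jane Smith,OU=Contractors,DC=corp,DC=example", "corp.example", "jsmith2", "Jane Smith"),
)


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Without this, a login name such as "*" would match every user in the domain."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def split_login(login: str) -> tuple[str, str | None]:
    """Split "user@domain" (UPN style) into (user, domain); a bare name has no domain."""
    user, sep, domain = login.partition("@")
    return user, (domain.lower() if sep else None)


def build_filter(mode: str, login: str) -> str:
    """Return the LDAP search filter that the given lookup mode corresponds to."""
    if mode not in MODES:
        raise ValueError(f"unknown IdentityLookupField value: {mode!r}")
    ident = ldap_escape(split_login(login)[0])
    if mode == "SAM":
        return f"(sAMAccountName={ident})"
    if mode == "CN":
        return f"(cn={ident})"
    return f"(|(sAMAccountName={ident})(cn={ident}))"  # CNSAM


def lookup(mode: str, login: str, forest=FOREST) -> list[AdUser]:
    """Evaluate the same predicate as build_filter() against the in-memory forest.

    A domain suffix in the login restricts the search to that domain (join point);
    AD attribute matching is case-insensitive, so comparisons fold case."""
    if mode not in MODES:
        raise ValueError(f"unknown IdentityLookupField value: {mode!r}")
    user, domain = split_login(login)
    want = user.lower()
    hits = []
    for entry in forest:
        if domain is not None and entry.domain != domain:
            continue
        by_sam = entry.sam.lower() == want
        by_cn = entry.cn.lower() == want
        if (mode == "SAM" and by_sam) or (mode == "CN" and by_cn) or (mode == "CNSAM" and (by_sam or by_cn)):
            hits.append(entry)
    return hits


def resolve(mode: str, login: str, forest=FOREST) -> AdUser | None:
    """Return the single matching user, or None when the name is missing or ambiguous.

    Failing on an ambiguous match, rather than taking the first hit, is the safe
    choice: the first hit may be a different person with the same short name."""
    hits = lookup(mode, login, forest)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for mode, login in (("SAM", "jsmith"), ("CN", "John Smith"), ("CNSAM", "jsmith@emea.example")):
        print(mode, repr(login), build_filter(mode, login), "->", resolve(mode, login))
```

Run as a script, the first lookup (SAM mode, "jsmith") is ambiguous and resolves to nothing, while CN mode with the full common name or a domain-qualified login resolves to exactly one entry.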


Supported Ciphers

In a clean or fresh install of Cisco ISE, SHA-1 ciphers are disabled by default. If you upgrade from an existing version of Cisco ISE, the SHA-1 cipher setting is carried over from the earlier version. You can view and change this setting using the Allow SHA1 Ciphers field (Administration > System > Settings > Security Settings).


This does not apply to the Admin portal. When Cisco ISE is running in Federal Information Processing Standard (FIPS) mode, an upgrade does not remove SHA-1 ciphers from the Admin portal.

Cisco ISE supports TLS versions 1.0, 1.1, and 1.2.

Cisco ISE supports RSA and ECDSA server certificates. The following elliptic curves are supported:

  • secp256r1

  • secp384r1

  • secp521r1

The following table lists the supported cipher suites by cipher family. For each family, the condition under which Cisco ISE offers it applies to these roles:

  • Cisco ISE configured as an EAP server

  • Cisco ISE configured as a RADIUS DTLS server

  • Cisco ISE downloading a CRL from an HTTPS server or a secure LDAP server

  • Cisco ISE configured as a secure syslog client or a secure LDAP client

  • Cisco ISE configured as a RADIUS DTLS client for CoA

TLS 1.0 support

  Offered only when TLS 1.0 is allowed. The RADIUS DTLS server and the RADIUS DTLS client support only DTLS 1.2, so this row does not apply to them.

  The Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. When this option is disabled, TLS 1.0 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) or for 802.1X supplicants. To use the TLS-based EAP authentication methods over TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings window (Administration > System > Settings > Protocols > Security Settings).

TLS 1.1 support

  Offered only when TLS 1.1 is allowed. The RADIUS DTLS server and the RADIUS DTLS client support only DTLS 1.2.

  The Allow TLS 1.1 option is disabled by default in Cisco ISE 2.3 and above. When this option is disabled, TLS 1.1 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) or for 802.1X supplicants. To use the TLS-based EAP authentication methods over TLS 1.1, check the Allow TLS 1.1 check box in the Security Settings window (Administration > System > Settings > Protocols > Security Settings).

ECC DSA (ECDSA) ciphers

  Supported. Variants that use a SHA-1 MAC are offered only when SHA-1 is allowed.

ECC RSA (ECDHE-RSA) ciphers

  Offered only when ECDHE-RSA is allowed. Variants that use a SHA-1 MAC additionally require that SHA-1 is allowed.

DHE RSA ciphers

  Supported. Variants that use a SHA-1 MAC are offered only when SHA-1 is allowed.

RSA ciphers

  Supported. Variants that use a SHA-1 MAC are offered only when SHA-1 is allowed.

3DES ciphers

  Offered only when 3DES (3DES/DSS) and SHA-1 are allowed.

DSS ciphers

  Offered only when 3DES/DSS and SHA-1 are enabled.

Weak RC4 ciphers

  Offered only when the Allow weak ciphers option is enabled on the Allowed Protocols page. The variant that uses a SHA-1 MAC additionally requires that SHA-1 is allowed.

EAP-FAST anonymous provisioning only

  Used only for anonymous PAC provisioning in EAP-FAST.

Peer certificate restrictions

Validate KeyUsage: the client certificate must have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:

Validate ExtendedKeyUsage: the client certificate must have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:

  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • RC4-SHA
  • RC4-MD5

The server certificate must have ExtendedKeyUsage=Server Authentication.
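The following Python example is added here and is not Cisco ISE code. It turns the conditions in the table above into a checker: it parses an OpenSSL-style cipher suite name into key exchange, authentication, bulk cipher, and MAC, works out which security settings must be enabled before Cisco ISE would offer the suite, and audits a whole colon-separated cipher string against a fresh-install profile and a legacy profile. The field names in IseSecuritySettings are this example's own labels for the options the page names (Allow TLS 1.0, Allow TLS 1.1, Allow SHA1 Ciphers, Allow weak ciphers, and the 3DES/DSS and ECDHE-RSA conditions); they are not ISE API or CLI names, and the default for the anonymous-provisioning field is assumed.

```python
# Added example; not Cisco ISE code. Derives, from an OpenSSL cipher suite name,
# which of the page's security settings must be enabled for ISE to offer it.
# Field names below are this example's labels for the GUI options, not ISE names.
from __future__ import annotations

from dataclasses import dataclass

MAC_TOKENS = {"SHA", "SHA256", "SHA384", "MD5"}
KX_PREFIXES = {"ECDHE", "ECDH", "DHE", "DH"}
ANON_PREFIXES = {"ADH", "AECDH"}  # anonymous Diffie-Hellman: no server authentication


@dataclass(frozen=True)
class IseSecuritySettings:
    """Defaults mirror a fresh Cisco ISE install as described on this page."""
    allow_tls_1_0: bool = False
    allow_tls_1_1: bool = False
    allow_sha1_ciphers: bool = False
    allow_3des_dss: bool = False
    allow_ecdhe_rsa: bool = True
    allow_weak_ciphers: bool = False
    eap_fast_anonymous_provisioning: bool = False  # assumed default for this example


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str    # key exchange: ECDHE, ECDH, DHE, DH, RSA (static key transport), ANON
    auth: str  # peer authentication: RSA, ECDSA, DSS, NONE
    enc: str   # bulk cipher, e.g. AES128-GCM, AES256, DES-CBC3, RC4
    mac: str   # SHA (= HMAC-SHA-1), SHA256, SHA384 (HMAC, or the PRF for AEAD suites), MD5


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL cipher suite name into its components.

    OpenSSL names omit key exchange and authentication for static RSA suites:
    AES256-SHA means RSA key transport with RSA authentication."""
    tokens = name.upper().split("-")
    if len(tokens) < 2 or tokens[-1] not in MAC_TOKENS:
        raise ValueError(f"not an OpenSSL-style cipher suite name: {name!r}")
    mac = tokens[-1]
    if tokens[0] in KX_PREFIXES:
        kx, auth, body = tokens[0], tokens[1], tokens[2:-1]
    elif tokens[0] in ANON_PREFIXES:
        kx, auth, body = "ANON", "NONE", tokens[1:-1]
    else:
        kx, auth, body = "RSA", "RSA", tokens[:-1]
    if not body:
        raise ValueError(f"no bulk cipher in {name!r}")
    return Suite(name.upper(), kx, auth, "-".join(body), mac)


def required_settings(name: str) -> set[str]:
    """Return the IseSecuritySettings fields that must be True for this suite."""
    s = parse_suite(name)
    needed = set()
    if s.mac == "SHA":                                  # SHA-1 HMAC
        needed.add("allow_sha1_ciphers")
    if s.mac == "MD5" or s.enc.startswith("RC4"):       # the page's "weak RC4" row
        needed.add("allow_weak_ciphers")
    if "DES-CBC3" in s.enc or s.auth == "DSS":          # 3DES and DSS rows
        needed.add("allow_3des_dss")
    if s.kx == "ECDHE" and s.auth == "RSA":             # ECC RSA row
        needed.add("allow_ecdhe_rsa")
    if s.kx == "ANON":                                  # EAP-FAST anonymous provisioning only
        needed.add("eap_fast_anonymous_provisioning")
    return needed


def is_offered(name: str, settings: IseSecuritySettings) -> bool:
    """True when every setting the suite depends on is enabled in this profile."""
    return all(getattr(settings, field) for field in required_settings(name))


def audit_cipher_string(cipher_string: str, settings: IseSecuritySettings) -> dict[str, list[str]]:
    """Partition an OpenSSL colon-separated cipher list into offered / blocked suites."""
    report: dict[str, list[str]] = {"offered": [], "blocked": []}
    for name in filter(None, cipher_string.split(":")):
        report["offered" if is_offered(name, settings) else "blocked"].append(name.upper())
    return report


def minimum_tls_version(settings: IseSecuritySettings) -> str:
    """Lowest TLS version the profile permits; TLS 1.2 is always available."""
    if settings.allow_tls_1_0:
        return "TLSv1.0"
    if settings.allow_tls_1_1:
        return "TLSv1.1"
    return "TLSv1.2"


if __name__ == "__main__":
    fresh = IseSecuritySettings()
    legacy = IseSecuritySettings(allow_tls_1_0=True, allow_sha1_ciphers=True, allow_3des_dss=True)
    chain = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
             "AES256-SHA:DES-CBC3-SHA:RC4-MD5")
    for label, profile in (("fresh install", fresh), ("legacy", legacy)):
        print(label, minimum_tls_version(profile), audit_cipher_string(chain, profile))
```

Running the script shows that a fresh install offers only the ECDHE-RSA AEAD suite from the sample list, while the legacy profile also admits the SHA-1, DSS, and 3DES suites but still blocks RC4-MD5, which needs the separate Allow weak ciphers option. TLS 1.3 suite names (TLS_AES_128_GCM_SHA256) are rejected by the parser, since the page lists TLS 1.0 to 1.2 only.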

What is New in Cisco ISE, Release 2.6?

Base Licensing

The features described below require Cisco ISE base licensing.

CLI Access by External Identity Store

ISE supports authentication of CLI administrators by external identity sources, such as Active Directory.

Business Outcome: You can manage a single source for passwords without the need to manage multiple password policies and administer internal users within ISE, thereby reducing time and effort.

IPv6 Support

In addition to the IPv4 support, Cisco ISE, Release 2.6 extends IPv6 support for the following functions or events:

  • ISE Management

    You can access and manage a Cisco ISE node over an IPv6 address, and configure an IPv6 address on the Eth0 interface during the setup wizard or through the CLI.


    If you configure an IPv6 address, the Cisco ISE node must also have an IPv4 address configured for node communication. In other words, a dual stack (both IPv4 and IPv6) is required.

    You can also manage Secure Shell (SSH) access with IPv6 addresses. Cisco ISE supports multiple IPv6 addresses on any interface, and these IPv6 addresses can be configured and managed using the CLI.

  • Network Time Protocol Support

    You can access, configure, and manage Network Time Protocol (NTP) servers with IPv4, FQDN, IPv6 addresses, or with a mix of these.

    Cisco ISE also supports NTP server fallback mechanism and server authentication over an IPv6 address.

  • Domain Name System Support

    You can configure a combination of IPv4 and IPv6 Domain Name System (DNS) servers and even manage IPv4 or IPv6-based DNS servers through CLI and GUI. Static hostnames can be mapped with IPv6 addresses.

    For further details, see the Cisco Identity Services Engine CLI Reference Guide, Release 2.6.

  • External Repositories

    You can add an external repository in Cisco ISE with an IPv6 address. Communication between a Cisco ISE node and an IPv6 external repository is possible when the node has an IPv6 address configured to Eth0.

    For further details, see the Cisco Identity Services Engine CLI Reference Guide, Release 2.6.

  • Audit Logs and Reports

    You can view the reports relating to login and logout activities, password changes, and operational changes made by you while accessing Cisco ISE through an IPv6 address. These events can be viewed in the audit reports available in the Cisco ISE dashboard.

  • Simple Network Management Protocol

    Simple Network Management Protocol (SNMP) traps and MIBs can be communicated through IPv6 addresses. You can configure IPv4-based, IPv6-based SNMP or multiple SNMP (a mix of IPv4 and IPv6) servers.

  • Access Control Lists And Dynamic Access Control Lists

    From Cisco ISE, Release 2.6, you can define Access Control Lists (ACLs), Dynamic Access Control Lists (DACLs) and Cisco Airespace ACLs with IPv6 addresses.

  • Active Directory

    You can connect to Active Directory over IPv6 from Cisco ISE.

  • External RESTful Services

    External RESTful Services (ERS) can be accessed from an IPv6 client.

  • Syslog Client or Logging Targets

    You can configure IPv6-based syslog targets.

  • Posture

    You can access RADIUS servers with an IPv6 address.

For more information on Cisco ISE, Release 2.6, IPv6 support, see Cisco Identity Services Engine Administrator Guide, Release 2.6.

Business Outcome: You can migrate to an IPv6-based network while continuing to use the functions listed above.

Japanese or English View of the Administrator Portal

The Administration console currently supports two languages, Japanese and English. You can select either the Japanese view or the English view under Account Settings.

Business Outcome: Suitable for Japanese-speaking and English-speaking administrators to configure and use Cisco ISE.

Policy Service Nodes and the Light Session Directory

The Light Session Directory feature can be used to store user session information and replicate it across the Policy Service Nodes (PSNs) in a deployment, thereby eliminating the need to be totally dependent on the Primary Administration Node (PAN) or the Monitoring and Troubleshooting (MnT) node for user session details. The Light Session Directory feature stores only the session attributes required for Change of Authorization (CoA). To enable the Light Session Directory feature, choose Administration > Settings > Light Session Directory and check the Enable Light Session Directory check box.

Business Outcome: Improved performance and scalability of Cisco ISE node.

REST Support for External Administrators

From Cisco ISE 2.6, External RESTful Services (ERS) users can either be internal users or belong to an external Active Directory. The Active Directory group to which the external users belong should be mapped to either the ERS Admin or the ERS Operator group. With this enhancement, administrators no longer have to create internal user counterparts for external users who need access to ERS services.

Business Outcome: The process of enabling external administrators to access RESTful services is simplified.

Support for Manufacturer Usage Descriptor

Manufacturer Usage Descriptor (MUD) is an IETF standard that defines a way to onboard IoT devices. It provides visibility into IoT devices and automates their segmentation. MUD was approved through the IETF process and published as RFC 8520. For more information, see

Cisco ISE, Release 2.6 and later supports identification of IoT devices. Cisco ISE automatically creates profiling policies and Endpoint Identity Groups. MUD support covers profiling IoT devices, creating profiling policies dynamically, and automating the entire process of creating policies and Endpoint Identity Groups. Administrators can use these profiling policies to manually create authorization policies and profiles. IoT devices that send a MUD URL in DHCP or LLDP packets are onboarded using those profiles and policies.

Cisco ISE performs unsigned classification of IoT devices. Cisco ISE does not store the MUD attributes; the attributes are only used in the current session. In the Context and Visibility > Endpoints window, you can filter IoT devices by the Endpoint Profile field.

The following devices support sending MUD data to Cisco ISE:

  • Cisco Catalyst 3850 Series Switches running Cisco IOS XE Version 16.9.1 and 16.9.2

  • Cisco Catalyst Digital Building Series Switches running Cisco IOS Version 15.2(6)E2

  • Cisco Industrial Ethernet 4000 Series Switches running Cisco IOS Version 15.2(6)E2

  • Internet of Things (IoT) devices with embedded MUD functionality

Profiler Support

Cisco ISE supports the following profiling protocols and profiling probes:

  • LLDP and RADIUS: TLV 127

  • DHCP: Option 161

Business Outcome: The number of IoT devices that are connected to enterprise networks is increasing. Until now, Cisco ISE could not classify these devices. From Release 2.6, Cisco ISE can classify and display the IoT devices that are connected to your network, using an automated process.
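The following Python example is added here and is not Cisco ISE code. It parses the two MUD carriers listed above: it pulls the MUD URL out of a DHCPv4 option list (option 161) and out of an LLDP frame (organizationally specific TLV type 127 with the IANA OUI 00-00-5E and subtype 1), following the layouts in RFC 8520 sections 10 and 11, and enforces the RFC's rule that the URL must use the https scheme before it is handed on to classification. The packets are constructed for the example; MUD file retrieval and signature checking are not modelled, since the page states that Cisco ISE performs unsigned classification.

```python
# Added example; not Cisco ISE code. Extracts a MUD URL from DHCPv4 option 161 and
# from LLDP TLV 127 (IANA OUI 00-00-5E, subtype 1) per RFC 8520 sections 10 and 11.
# All packet bytes below are constructed for this example.
from __future__ import annotations

import struct
from urllib.parse import urlsplit

DHCP_OPTION_MUD_URL_V4 = 161    # RFC 8520 section 10.1
LLDP_TLV_ORG_SPECIFIC = 127     # IEEE 802.1AB organizationally specific TLV
IANA_OUI = b"\x00\x00\x5e"      # RFC 8520 section 11
LLDP_MUD_SUBTYPE = 1
LLDP_TLV_END = 0


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Walk the DHCPv4 option field (after the magic cookie) into {code: value}.

    Option 0 is a one-byte pad and 255 ends the list; repeated codes are
    concatenated, as RFC 3396 requires for options longer than 255 bytes."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated DHCP option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated DHCP option {code}")
        out[code] = out.get(code, b"") + value
        i += 2 + length
    return out


def parse_lldp_tlvs(frame: bytes):
    """Yield (type, value) for each LLDP TLV: 7-bit type, 9-bit length, value."""
    i = 0
    while i + 2 <= len(frame):
        (hdr,) = struct.unpack("!H", frame[i : i + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated LLDP TLV type {tlv_type}")
        yield tlv_type, value
        if tlv_type == LLDP_TLV_END:
            return
        i += 2 + length


def validate_mud_url(raw: bytes) -> str:
    """Decode the URL and reject anything that is not https with a host (RFC 8520)."""
    url = raw.decode("utf-8")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"MUD URL rejected, not an https URL: {url!r}")
    return url


def mud_url_from_dhcp(options: bytes) -> str | None:
    raw = parse_dhcp_options(options).get(DHCP_OPTION_MUD_URL_V4)
    return validate_mud_url(raw) if raw is not None else None


def mud_url_from_lldp(frame: bytes) -> str | None:
    for tlv_type, value in parse_lldp_tlvs(frame):
        if (tlv_type == LLDP_TLV_ORG_SPECIFIC and value[:3] == IANA_OUI
                and value[3:4] == bytes([LLDP_MUD_SUBTYPE])):
            return validate_mud_url(value[4:])
    return None


# Builders for the constructed sample packets used below.
def dhcp_option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def lldp_tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


MUD = b"https://mud.example.com/lights/v1.json"
SAMPLE_DHCP = dhcp_option(53, b"\x01") + b"\x00" + dhcp_option(DHCP_OPTION_MUD_URL_V4, MUD) + b"\xff"
SAMPLE_LLDP = (lldp_tlv(1, b"\x04\x00\x11\x22\x33\x44\x55")      # Chassis ID (MAC)
               + lldp_tlv(2, b"\x05eth0")                          # Port ID (interface name)
               + lldp_tlv(3, b"\x00\x78")                          # TTL 120 s
               + lldp_tlv(LLDP_TLV_ORG_SPECIFIC, IANA_OUI + bytes([LLDP_MUD_SUBTYPE]) + MUD)
               + lldp_tlv(LLDP_TLV_END, b""))

if __name__ == "__main__":
    print(mud_url_from_dhcp(SAMPLE_DHCP))
    print(mud_url_from_lldp(SAMPLE_LLDP))
```

In a deployment these bytes reach the profiler through the DHCP and RADIUS (LLDP) probes named above; the value of the parser is the scheme check at the end, which drops an http:// MUD URL, or one without a host, before any profiling decision is based on it.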

Syslog over ISE Messaging

From Cisco ISE, Release 2.6, Monitoring and Troubleshooting (MnT) WAN survivability is available for UDP syslog collection. Syslogs are recorded using the ISE Messaging Service. The remote logging targets where the syslogs are collected and stored use TCP port 8671 and secure AMQP (AMQPS) to send syslogs to the MnT node.

By default, the ISE Messaging Service option is disabled until Cisco ISE, Release 2.6 Patch 1.

From Cisco ISE, Release 2.6 Patch 2 onwards, by default, the ISE Messaging Service option is enabled.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6

Business Outcome: Operational data will be retained for a finite duration even when the MnT node is unreachable.

Hardening Improvements

The following caveats are fixed to ensure improved hardening of Cisco ISE:

  • CSCvj85532: Streamlined security enforcement upon administrators' authentication failures.

  • CSCvk46033: Improved security hardening for connections to the Cisco ISE SSH server.

  • CSCvk09565: Conformance to RFC 3164 standards.

  • CSCvj96345: Improved security for connections to the Cisco ISE Administration application.

TrustSec Deployment Verification Report

You can use this report to verify whether the latest TrustSec policies are deployed on all network devices and whether there are any discrepancies between the policies configured on Cisco ISE and those deployed on the network devices.

Business Outcome: You can easily verify whether the latest TrustSec policies are deployed on the network devices or if there are any discrepancies.

NFS Repository Credentials

When you add a repository and select NFS as the protocol, you can no longer enter credentials to connect to the repository.

Business Outcome: Using credentials to connect to an NFS repository caused problems.

Apex Licensing

The features described below require Cisco ISE apex licensing.

Identify Managed Devices with Dynamic MAC Addresses

AnyConnect 4.7 now provides a Unique Device ID (UDID) for the connecting device. The UDID value can be mapped to information from Mobile Device Management (MDM) providers to help identify users who share the same MAC address. MAC address sharing is common in open offices, where more than one person shares a dock or USB dongle.

Business Outcome: You can develop a solution that uses the UDID to uniquely identify a user, when device connections are shared.

Flexible Remediation Notification

From Cisco ISE, Release 2.6, you can delay the grace period prompt from being displayed to the user until a specific percentage of grace period has elapsed.

For example, if the Delay Notification field in the Policy > Posture > Posture Policy window is set to 50 percent and the configured grace period is 10 minutes, Cisco ISE checks the posture status after 5 minutes and displays the grace period notification if the endpoint is found to be noncompliant. Grace period notification is not displayed if the endpoint status is compliant. If the notification delay period is set to 0 percent, the user is prompted immediately at the beginning of the grace period to remediate the problem. However, the endpoint is granted access until the grace period expires.

Business Outcome: Prevents unnecessary remediation prompts for endpoints waiting for JAMF software or Microsoft System Center Configuration Manager (SCCM) updates.

Generic or Custom Messaging Through Cisco AnyConnect

More informative messages can now be displayed by Cisco AnyConnect when it is used in the context of Cisco ISE Posture service. End users can now see messages about posture status and errors. You can modify the content that is displayed in AnyConnect posture profiles. Note that this feature requires Cisco AnyConnect Version 4.7.

Business Outcome: Better communication with end users.


Support for Cisco Secure Network Server 3600 Series Appliance

Cisco ISE 2.6 supports Cisco Secure Network Server 3615, Secure Network Server 3655, and Secure Network Server 3695 appliances.

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise- Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.

Business Outcome: Improved performance, scalability, and platform manageability over SNS 35xx series appliances.

Known Limitations and Workarounds

LDAP Server Reconfiguration after Upgrade


Limitation: The primary hostname or IP address is not updated, which causes authentication failures. This happens because the deployment IDs tend to reset when the Cisco ISE deployment is upgraded.


Condition: You enable the Specify server for each ISE node option in the Connection window (Administration > Identity Management > External Identity Sources > LDAP > Add, or choose an existing server) and then upgrade your Cisco ISE deployment with PSNs.


Workaround: Reconfigure the LDAP server settings for each node. For more information, see the LDAP Identity Source Settings section in the Administrative Access to Cisco ISE Using an External Identity Store chapter of the "Cisco Identity Services Engine Administrator Guide, Release 2.4".

Upgrade GUI Notification


Limitation: The upgrade GUI shows the upgrade progress for the secondary PAN at 0% until the upgrade reaches 100%. The upgrade continues in the background and there is no impact on the upgrade.


Condition: Upgrading from Cisco ISE 2.4 Patch 8 to a higher release.


Workaround: Check the ade.log file for the upgrade progress. To display the ade.log file, enter the following command from the Cisco ISE CLI:
show logging system ade/ADE.log

For more information, see CSCvp78781.

pxGrid Certificate Issue


Limitation: The default self-signed certificate for pxGrid fails.


Condition: Upgrading from Cisco ISE 2.7 Patch 7 to a higher release.


Workaround: Either use a different certificate, or add "SSL Client" to the existing certificate.

IP-SGT Bindings Are Not Propagated Under Certain Conditions

Limitation: Under the following conditions, IP-SGT mappings are not propagated to ACI.

Condition: In the Cisco ISE administrators console, go to Work Centers > TrustSec > Components and do the following:

  1. Create a security group, but do not check Propagate to ACI.

  2. Create an IP-SGT binding with the security group that you created. It can be a static, session, or SXP binding.

  3. On the security group, check Propagate to ACI.

  4. Click Save.

  5. The security group syncs to ACI, but the IP-SGT mapping for that security group does not.

Workaround: Do one of the following:

  1. Restart the ACI propagation in Cisco ISE and re-create the IP-SGT mappings:

    1. Choose Work Centers > TrustSec > Settings > ACI Settings, uncheck TrustSec-ACI Policy Element Exchange, and save.

    2. Check TrustSec-ACI Policy Element Exchange, and save.

    3. The connection between Cisco ISE and ACI is reestablished.

  2. Delete the old IP-SGT bindings, and re-create them while Propagate to ACI is checked.


The connection between ACI and Cisco ISE reauthenticates every 24 hours, which also fixes this problem.

SXP Protocol Security Standards

Limitation: Security Group Exchange Protocol (SXP) transfers unencrypted data and uses a weak hash algorithm for message integrity checking, per draft-smith-kandula-sxp-06.
Workaround: There is no workaround.

For more information, see

Patch Build Download Using Chrome Browser

Limitation: Integrity checksum mismatches occur when you use the Google Chrome browser to download the patch build.
Condition: The Message Digest 5 (MD5) sum values do not match.
Workaround: Download the patch build using the Firefox browser. Verify that the downloaded patch bundle has the correct MD5 checksum before installing it.

RADIUS Logs for Authentication

Details of an authentication event can be viewed in the Details field of the RADIUS Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event is visible. All the authentication log data is removed when a purge is triggered.

Profiler RADIUS Probe

Limitation: Endpoints are not profiled; they are only authenticated and added to the database.
Condition: The RADIUS probe is disabled.
Workaround: Disable the profiling services completely.

NAM TLS 1.2 Incompatibility Warning

Limitation: The Cisco ISE implementation of EAP-FAST does not support key generation in TLS 1.2.
Condition: If you are using NAM 4.7 to authenticate endpoints using EAP-FAST, remember that only certain versions of Cisco ISE support TLS 1.2, which is required for EAP-FAST. If you use an incorrect version of Cisco ISE, the authentication fails and the endpoint does not get access to the network.
Workaround: In order to resolve this issue, upgrade the Cisco ISE software as shown for the following releases:
  • Cisco ISE Release 2.4: Patch 5 or later.

  • Cisco ISE Releases 2.0, 2.0.1, and 2.1. Install the Struts2-CVE-2018-11776 PSIRT fix, before you apply the hot patch. You can download the Struts2-CVE-2018-11776 PSIRT fix from Cisco software downloads.


In order to obtain hot patches for Cisco ISE releases earlier than Release 2.4, contact the Cisco Technical Assistance Center (TAC). Ensure that the ISE software has the latest patches applied before you apply the hot patch.

For more information, see

High Memory Utilization

Limitation: High memory utilization after installing or upgrading to Cisco ISE Version 1.3 or later.
Condition: Because of the way kernels manage cache memory, Cisco ISE might use more memory, which may trigger high memory usage (80 to 90%) and alarms.
Workaround: There is no workaround.

For more information, see CSCvn07836.

Diffie-Hellman Minimum Key Length

Limitation: Connection to LDAP server fails.
Condition: If the Diffie-Hellman minimum key length that is configured on the LDAP server is less than 1024, connection to the LDAP server fails.
Workaround: Change the Diffie-Hellman key size on the LDAP server to 1024 bits or greater.

For more information, see CSCvi76985.

ECDSA Certificates

Limitation: Cisco ISE supports Elliptic Curve Digital Signature Algorithm (ECDSA) certificates with key lengths of 256 and 384 only.
Condition: ECDSA certificates that are used for EAP authentication are supported only for endpoints with Android Version 6.x and later.


Apple iOS is not supported if you use ECDSA as a system certificate. ECDSA certificates are supported only for Android 6.x and Android 7.x.

Workaround: You can select the key length in the Administration > System > Certificates > Certificate Management > System Certificates window.

Re-create Supplicant Provisioning Wizard References

Limitation: BYOD certificate provisioning flow is broken with both Internal and External Certificates.
Condition: When you upgrade to a new release, or apply a patch, the Supplicant Provisioning Wizard (SPW) is updated.
Workaround: Create new native supplicant profiles and new client-provisioning policies that reference the new SPWs.

Endpoint Protection Services API

As of Cisco ISE 1.4, ANC replaces Endpoint Protection Services. ANC provides additional classifications, and performance improvements. There are new APIs for ANC in the Cisco ISE SDK. While the ERS APIs might still work, we strongly recommend that you move to ANC.

Upgrade Information


If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.

Upgrading to Release 2.6

You can directly upgrade to Release 2.6 from the following Cisco ISE releases:

  • 2.1

  • 2.2

  • 2.3

  • 2.4


When you upgrade to Cisco ISE 2.6 Patch 7, you see an error message if you were using RE_AUTHENTICATE in an ANC policy. The existing policies still work.

Applying Patch 2 eliminates the error message. Alternatively, remove those policies before upgrading.

If you are on a version earlier than Cisco ISE, Release 2.1, you must first upgrade to one of the releases listed above and then upgrade to Release 2.6.


We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.

Cisco ISE, Release 2.6, has parity with 2.0 Patch 7, 2.1 Patch 8, 2.2 Patch 13, 2.3 Patch 5, and 2.4 Patch 5.

You can upgrade to Release 2.6 from either the GUI or the CLI.

Supported Operating System for Virtual Machines

Cisco ISE runs on the Cisco Application Deployment Engine operating system (ADEOS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE, Release 2.6, ADEOS is based on RHEL 7.5. For more information, see Cisco Identity Services Engine Upgrade Journey.

If you are upgrading Cisco ISE nodes on VMware virtual machines, after upgrade is complete, ensure that you change the Guest Operating System to supported version of Red Hat Enterprise Linux (RHEL). To do this, you must power down the VM, change the Guest Operating System to the supported RHEL version, and power on the VM after the change.

Patch Compatibility

This patch is compatible with the following patch releases:

  • 2.2 Patch 15

  • 2.3 Patch 7

  • 2.4 Patch 10

  • 2.6 Patch 2

License Changes

Device Administration Licenses

There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.

The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.

Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0 and are enforced in Cisco ISE 2.0 and later releases. Node licenses were released later and are only partially enforced in Releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are fully enforced on a per-node basis.

Cluster licenses have been discontinued; only node licenses are now available for sale.

However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.

The evaluation license allows device administration on one policy service node.

Licenses for Virtual Machine nodes

Cisco ISE is also sold as a virtual machine (VM). For this release, we recommend that you install the appropriate VM licenses for the VM nodes in your deployment. Install VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, you receive warnings and notifications to procure and install the VM license keys; the installation process itself is not interrupted. From Cisco ISE Release 2.4, you can manage your VM licenses from the GUI.

VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with eight cores and 64-GB RAM, you might need a Medium category VM license if you want to replicate the same capabilities on the VM. You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.

VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features that are enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.

VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification pop-up window.

If you have not purchased an ISE VM license earlier, see the Cisco Identity Services Engine Ordering Guide to choose the appropriate VM license to be purchased.


If you have purchased ISE VM licenses without a PAK, you can request VM PAKs by email. Include the Sales Order numbers that reflect the ISE VM purchase and your Cisco ID in your email. You will be provided a medium VM license key for each ISE VM purchase you have made.

For details about VM compatibility with your Cisco ISE version, see "Hardware and Virtual Appliance Requirements" chapter in the Cisco Identity Services Engine Installation Guide for the applicable release.

For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before an ISE software upgrade in order to check if the configured data can be upgraded to the required ISE version. Most upgrade failures occur because of data upgrade issues. The URT is designed to validate the data before the actual upgrade, and reports and tries to fix the issues, wherever possible. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.

Cisco ISE Live Update Portals

Cisco ISE Live Update portals let you automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment so that the latest client provisioning and posture software is retrieved directly to the corresponding device through Cisco ISE.

If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. Choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

Client Provisioning and Posture Live Update Portals

You can download Client Provisioning resources from:

Work Centers > Posture > Settings > Software Updates > Client Provisioning.

The following software elements are available at this URL:

  • Supplicant Provisioning wizards for Windows and Mac OS X native supplicants

  • Windows versions of the latest Cisco ISE persistent and temporal agents

  • Mac OS X versions of the latest Cisco ISE persistent agents

  • ActiveX and Java Applet installer helpers

  • AV/AS compliance module files

For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.

You can download Posture updates from:

Work Centers > Posture > Settings > Software Updates > Posture Updates

The following software elements are available at this URL:

  • Cisco-predefined checks and rules

  • Windows and Mac OS X AV/AS support charts

  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.

If you do not want to enable the automatic download capabilities, you can choose to download updates offline.

Cisco ISE Offline Updates

The offline update option allows you to download client provisioning and posture updates when direct Internet access from a device using Cisco ISE is not available or is not permitted by security policy.

To download offline client provisioning resources:


Step 1

Go to:

Step 2

Provide your login credentials.

Step 3

Navigate to the Cisco Identity Services Engine download window, and select the release.

The following Offline Installation Packages are available for download:

  • win_spw-<version>—Offline SPW Installation Package for Windows

  • mac-spw-<version>.zip—Offline SPW Installation Package for Mac OS X

  • compliancemodule-<version>—Offline Compliance Module Installation Package

  • macagent-<version>—Offline Mac Agent Installation Package

  • webagent-<version>—Offline Web Agent Installation Package

Step 4

Click either Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.

For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.

To download offline posture updates:


Step 1

Go to

Step 2

Save the file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.

Step 3

Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 4

Click the arrow to view the settings for posture.

Step 5

Click Updates.

The Posture Updates window is displayed.

Step 6

Click the Offline option.

Step 7

Click Browse to locate the archive file in the local folder on your system.

The File to Update field is mandatory. You can select only one archive file (.zip) containing the appropriate files. Archive formats other than .zip, such as .tar and .gz, are not supported.

Step 8

Click Update Now.

Cisco ISE Integration with Cisco Digital Network Architecture Center

Download and Install a New Patch

To obtain the patch file that is necessary to apply a patch to Cisco ISE, log in to the Cisco Download Software site (you will be required to provide your login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

For instructions on how to apply the patch to your system, see the "Install a Software Patch" section in the Cisco Identity Services Engine Administrator Guide.

For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.


When installing Release 2.4 Patch 4 and later, CLI services will be temporarily unavailable during kernel upgrade. If the CLI is accessed during this time, the CLI displays the Stub Library could not be opened error message. However, after patch installation is complete, CLI services will be available again.


The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST). The bug IDs are sorted alphanumerically.


The Open Caveats section lists the open caveats that apply to the current release and might also apply to releases earlier than Cisco ISE 2.6. A caveat that is open for an earlier release and is still unresolved applies to all later releases until it is resolved.

The BST, which is the online successor to the Bug Toolkit, is designed to improve effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at

New Features in Cisco ISE Release - Cumulative Patch 8

Health Check

An on-demand health check option is introduced to diagnose all the nodes in your deployment. Running a health check on all the nodes before any operation helps identify critical issues, if any, that may cause downtime or block the operation. Health Check reports the working status of all the dependent components. When a component fails, it immediately provides troubleshooting recommendations so that the operation can proceed without interruption once the issue is resolved.

Ensure that you run Health Check before initiating the upgrade process.

Business Outcome: Identify critical issues to avoid downtime or blockers.

DNS Cache

The DNS requests for hosts can be cached, thereby reducing the load on the DNS server.

This feature is enabled in configuration mode with the following command:

service cache enable hosts ttl <ttl>

To disable the feature, use the no form of the command:

no service cache enable hosts ttl <ttl>

The administrator chooses the Time to Live (TTL) value, in seconds, for a host in the cache when enabling the cache. There is no default TTL. The valid range is 1 to 2147483647.


The configured TTL is honored for negative responses. For positive responses, the TTL set by the DNS server is honored; if the DNS server returns no TTL, the TTL configured with this command is used. Disabling the feature invalidates the cache.

Business Outcome: Load on DNS Server is reduced.
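As an added illustration (not Cisco ISE code, and not the cache implementation ISE itself uses), the following Python models the TTL rules stated above: a configured TTL with no default and the documented range, the server TTL taking precedence for positive answers, the configured TTL applying to negative answers and to positive answers that carry no server TTL, and invalidation of the whole cache when the feature is disabled. The stub resolver, the host names, the fake clock, and the upstream query counter are constructed for the demonstration and are assumptions, not part of the product.

```python
"""Model of the host-cache TTL rules behind `service cache enable hosts ttl`.

Illustrative example only; the resolver and host names below are constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Range the release note gives for the configured TTL (seconds).
TTL_MIN, TTL_MAX = 1, 2147483647


@dataclass
class Answer:
    """Constructed stand-in for a DNS reply: addresses plus the server's TTL.
    An empty address tuple models a negative response (NXDOMAIN / no data)."""
    addresses: Tuple[str, ...]
    ttl: Optional[int]  # None: the server supplied no usable TTL


class HostCache:
    def __init__(self, resolve: Callable[[str], Answer], now=time.monotonic):
        self._resolve = resolve              # upstream lookup, used on a miss
        self._now = now                      # injectable clock for testing
        self._ttl: Optional[int] = None      # None: caching disabled
        self._entries: Dict[str, Tuple[Answer, float]] = {}
        self.upstream_queries = 0            # load actually sent to the DNS server

    def enable(self, ttl: int) -> None:
        """`service cache enable hosts ttl <ttl>`: no default, range enforced."""
        if not TTL_MIN <= ttl <= TTL_MAX:
            raise ValueError(f"ttl must be {TTL_MIN}..{TTL_MAX}, got {ttl}")
        self._ttl = ttl

    def disable(self) -> None:
        """`no service cache enable hosts ttl <ttl>`: also invalidates the cache."""
        self._ttl = None
        self._entries.clear()

    def _lifetime(self, ans: Answer) -> int:
        if not ans.addresses:                # negative response: configured TTL
            return self._ttl
        if ans.ttl is not None:              # positive response: server TTL wins
            return ans.ttl
        return self._ttl                     # server gave no TTL: configured TTL

    def lookup(self, host: str) -> Answer:
        if self._ttl is None:                # cache off: every query goes upstream
            self.upstream_queries += 1
            return self._resolve(host)
        hit = self._entries.get(host)
        if hit and hit[1] > self._now():     # unexpired entry: served from cache
            return hit[0]
        self.upstream_queries += 1
        ans = self._resolve(host)
        self._entries[host] = (ans, self._now() + self._lifetime(ans))
        return ans


def demo() -> dict:
    """Drive the cache with a fake clock and a scripted (constructed) resolver."""
    clock = [0.0]
    table = {  # constructed names and answers
        "psn1.example.com": Answer(("10.0.0.5",), ttl=60),      # server TTL 60 s
        "syslog.example.com": Answer(("10.0.0.9",), ttl=None),  # no server TTL
        "missing.example.com": Answer((), ttl=None),            # negative answer
    }
    cache = HostCache(lambda h: table[h], now=lambda: clock[0])
    cache.enable(30)                         # configured TTL: 30 s
    for h in table:
        cache.lookup(h)                      # three cold misses
    clock[0] = 31.0                          # past 30 s configured, inside 60 s server TTL
    for h in table:
        cache.lookup(h)                      # psn1 hits; syslog and missing re-fetched
    queries_after_31s = cache.upstream_queries
    cache.disable()                          # clears every entry
    cache.enable(30)
    cache.lookup("psn1.example.com")         # miss again despite its 60 s server TTL
    return {"queries_after_31s": queries_after_31s,
            "queries_total": cache.upstream_queries}
```

demo() resolves three constructed names, advances the fake clock past the configured 30-second TTL but inside the 60-second server TTL, and counts upstream queries, which makes visible that only the entries governed by the configured TTL were re-fetched and that disabling the cache forces a fresh lookup even for an entry whose server TTL had not expired.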

Resolved Caveats in Cisco ISE Release - Cumulative Patch 8

The following table lists the resolved caveats in Release 2.6 cumulative patch 8.

Patch 8 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



ISE not returning configured Radius AVP 18 in access-reject


ERS Update/Create for "Authorization Profile" failing XML Schema Validation


nas-update=true accounting attribute will cause session to not be deleted.


ISE 2.4 BETA : The status of the pxGrid services should show as active/standby not running/disabled


Non-internal-CA signed pxGrid certificate incorrectly replaced upon ISE reload


CSCvi62805 ISE ODBC does not convert the mac address as per configured stored procedure


ISC BIND krb5-subdomain and ms-subdomain Update Policies Vulnerability


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


Latency observed with high TPS rates, when ISE messaging service is turned ON


Device Sensor not able to correctly parse DHCP attributes via RADIUS probe


ISE truncates the SGT name after a "-" character and assigning a version id


ISE Adds an additional character at the end of OperatingSystemVersion


Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler


ISE Repository Password is accepted in GUI but not CLI


Active endpoints missing from MNT session directory during 2.7 Longevity


core files are generated on PSN during 2.7 Longevity


GNU Wget Buffer Overflow Vulnerability


ISE TACACS livelogs does not have the option to filter using specific NAS ip address.


Application server stuck in Initializing due to corrupted indexes


High Auth Latency - no info which thread pool is guilty


Apache ActiveMQ Corrupt MQTT Frame Out of Memory Denial of Service V ...


Disabled PSN persona but TACACS port 49 still open.


Incorrect DNS config can lead to TACACS or Radius auth failure


ISE False alarm - Health status unavailable


System Summary is not available for MNT nodes


Import NAD is failing with unsupported error When shared secret key has special character (8o\v|)


glibc Multiple Vulnerabilities CVE-2018-11236, CVE-2018-11237, CVE-2018-6485 and CVE-2017-16997


Evaluate 32-bit glibc vulnerabilities RHSA-2018:0805


FreeType Buffer Over-Read Vulnerabilities


Samba Symbolic Link Traversal Vulnerability CVSS v3.1 Base: 5.4


Failing Network Devices CSV import, process silently aborting without reason


core file generated on PSN


Max Session Counter time limit option is not working


EgressMatrixCell Allows Duplicate Creation Through ERS Call


Service account passwords returned from server in SMS and LDAP page


ISE versions use old JDBC version ( which is not compatible with new Oracle Database


Authz Profiles not pulling properly using REST API (Pagination is missing)


X.Org libX11 Client Segmentation Fault Denial of Service Vulnerability


X.Org libX11 Off-by-One Memory Write Arbitrary Code Execution Vulnerable


"AD-Operating-System" attribute is not being fetched when this OS attribute changes on the AD Server


TCPDump - Node and Interface field Unavailable


Unavailability to edit saved compound conditions using conditions library.


SMS over HTTPS is not sending username/password to gateway


Application Server takes more time to initialize


ISE-2.x || MNT REST API for ReAuth fails when using in distributed deployment


ISE Server-side authorization checks insufficient


Application server may crash when MAR cache replication is enabled


pxGrid unable to delete user in INIT state


Mismatched Information between CLI export and Context Visibility


Cannot select 45 or more products when creating Anti-Malware Condition for definition


CPU spikes are being observed at policy HitCountCollector


Session cache getting filled with incomplete sessions


ise-psc.log filled up with "check TTConnection is valid" causing relevant logs to roll over


ISE 2.6 : Create Guest User using external sponsor users via ERS fails with 401 Unauthorized Error


ISE 2.6 : TacacsConnectionManager needs to be enhanced to remove the stale connections


suspected memory leak in io.netty.buffer.PoolChunk


ISE is not allowing to disable Radius in NAD via API


ISE : Oracle process reached limit : causing multiple issues


TC-NAC adapter stopped scanning with nexpose (insiteVM)


ISE 2.6p6 // Portal background displays incorrectly


ISE is returning an incorrect version for the rest API call from DNAC


Import option is not working under TACACS command sets


portal page customization changes are not reflecting in certificate provisioning portal


ISE logging timestamp shows future date


ERS SGT create is not permitted after moving from Multiple matrix to Single matrix


2.4P11 VPN + Posture : Apex Licenses are not being consumed,


NDG added through ERS became associated with all network devices in DB


When running ISE ERS API for internaluser update the existing identityGroups value is set to null


License out of compliance alarm with a valid license


ISE 2.4 p6 - REST API MnT query to get device by MAC address taking more than 2 seconds


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


code for securityGroupAclTopic missing from 2.4 and 2.6, but topic still advertised


Shared email for AD users fail to retrieve groups,ISE shows multiple account found in forest


Session API for MAC Address returning Char 0x0 out of allowed range


[CFD] GBAC sync breaks on deleting VN from SG if AuthZ profile is mapped to the same VN for diff SG


Compress messages.x files in the system


ISE 2.x, 3.x : Drop_Cache required for systems with High Memory Issues


suspected Memory Leak in Elastic search


ISE Authorize-Only requests are not assessed against Internal User Groups


Radius secret 4 chars min requirement is not checked when REST API used to create NAD


ERS REST API returns duplicate values multiple times when use filter by locations


SessionDB columns are missing from ISE (>=2.4)


ISE creates new site in insiteVM (tc-nac server)


Failed Logins to ISE GUI Are Not Seen in Audit Report When AD Is Selected as the Identity Source


ISE: REST API PUT query may fail after successful ERS Guest queries


Alarms and system summary is not showing up on ISE GUI


authentication failure with reason"12308 Client sent Result TLV indicating failure"


ISE allows duplicates device ID in ERS flow in all version.


ISE Radius Live Sessions Page Showing No Data Found


InternalUser Attributes in ATZ policy will fail TACACS+ ASCII Authentication


ISE Authentication Status API Call Duration does not work as expected


HitCount REFRESH and RESET button is not visible in ISE 26p7,p9


ISE should either allow IP only for syslog targets or provide DNS caching


Restore of Config backup on ISE 2.6 P7 is causing issues with node registration


ISE 2.4 Application server going to Initializing on enabling endpoint debugs


Overlap of network devices using subnet and IP range


ISE:SEV3:Endpoint data not visible on secondary Admin node .


ISE unable to connect with ODBC "Connection failed" with a port number


Log Collection Error alarms appear


TACACS Aggregate table is not purged properly.


Unable to register IND with ISE on 2.4 P13


Session Cache for dropped session not getting cleared; causing High CPU on the PSN's


ISE : Authz profile not saved with proper attributes when Security Group selected under common tasks


ISE Authentication Status API Call does not return all records for the specified time range


Modify TCP settings to enhance TACACS+ and TCP on ISE


Policy Export Is Not Being Saved Without Encryption After It is Saved With Encryption


MAC 11.0 support for ISE is not available


NFS Repository is not working from GUI


Evaluation of positron for Apache Struts Aug20 vulnerabilities


Health check doesn't work when ISE has NIC teaming enabled


Filters do not work for ISE Profiler Reports


Export of Current active session reports only shows sessions that has been updated since midnight


Saving command with parenthesis in TACACS command set gives an error (ISE 2.7 p2)


Group lookup failed as empty value to be appended to the context


ISE - Security Group values in Authorization Profile disappear shortly after fetching


No password audit will be generated after changing ISE internal user password via Switch/Router CLI


ISE 3.0 DNS resolvability false Alarm


Remove ojdbc8 from 2.6/2.7 patch branch


Multiple version of ojdbc in 2.6p7 results in licensing/mnt/deployment issues

New Features in Cisco ISE Release - Cumulative Patch 7

ANC Enhancement

A MAC address is not always a unique identifier for an endpoint. A USB NIC dongle moved between hosts means that multiple users can present the same MAC address, some endpoints ship with the same MAC address, and MAC spoofing also produces duplicate MAC addresses.

To identify an endpoint more precisely for the ANC service, Cisco ISE also uses the IP address of the switch that the endpoint is connected to. The switch's IP address is carried in the NAS-IPAddress attribute.

Endpoint sessions can be matched by both MAC address and NAS-IPAddress in an ANC policy.

MDM vendors can use NAS-IPAddress through the pxGrid v2 API.

pxGrid v2 is required to use NAS-IPAddress in the new API. The existing API still works, but you cannot use the old and new APIs together.

Upgrading Cisco ISE Consideration

If you upgrade to Cisco ISE 2.6 patch 7, you will see an error message if you were using the RE_AUTHENTICATE action in an ANC policy. The existing policies still work.

Applying Cisco ISE 2.6 patch 2 eliminates the error message. Alternatively, remove those policies before upgrading.

Enable Probe Data Publisher

The Probe Data Publisher initiates a pxGrid publisher on the Primary Policy Administration Node (PAN). When the primary PAN identifies a change in attributes for a connected endpoint, the updated attribute data is published to the relevant pxGrid Topic in Cisco ISE.

This option is not enabled by default. We recommend enabling it only if you have an external data consumer configured.

To enable the Probe Data Publisher, go to Work Centers > Profiler > Settings, and check the Enable Probe Data Publisher checkbox.


After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data is used to provide better services and more features in forthcoming releases. By default, telemetry is enabled. To disable telemetry or modify the account information, choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique to each deployment; individual admin users do not need to provide it separately.

Telemetry provides valuable information about the status and capabilities of Cisco ISE. Telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco ISE. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory report of license entitlement and upcoming renewals.

It may take up to 24 hours after the feature is disabled for Cisco ISE to stop sharing telemetry data. Starting with patch 6, telemetry is disabled immediately.

Interactive Help

The Interactive Help provides tips and step-by-step guidance to complete tasks with ease.

Business Outcome: End users can understand the workflow and complete their tasks more easily.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 7

The following table lists the resolved caveats in Release 2.6 cumulative patch 7.

Patch 7 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



ISE RBAC Network Device Type/Location View not working


No AD domain attributes retrieved for RA-VPN/CWA if AD used for both authC and authZ


ISE sends CoA to active-compliant sessions when a node-group member is unreachable


ISE Crashes during policy evaluation for AD attributes


tcpdump print_prefix Function Stack-Based Buffer Overread Vulnerability


Logwatch files are not capped for size


AnyConnect displays Cisco NAC agent error when using Cisco temporal agent


ISE 2.4 URT fails with cert error


ISE restore option should not have <cr> Carriage return without encryption-key


'MAR cache distribution is not enabled' even when it has been enabled.


Remove older journal log files


libssh2 SSH_MSG_CHANNEL_REQUEST Packet Handling Out-of-Bounds Read V ...


Cannot configure scheduled config and operational backup with start date same as current day


GnuPG Filename Status Message Spoofing Vulnerability


ISE PSN node crashing while fetching context attributes during posture plus RADIUS flow


Evaluation of positron for TCP_SACK


Replication failed alarm generated and ORA-00001 exceptions seen on ise-psc.log


My Device Portal does not show a device after BYOD on-boarding with SAML authentication


GNU patch OS Shell Command Injection Vulnerability


FasterXML jackson-databind logback-core Class Polymorphic Deserializ ...


Multiple Vulnerabilities in jquery - guest portals


GNU patch do_ed_script OS Shell Command Execution Vulnerability


Apache Commons Beanutils PropertyUtilsBean Class Property Suppression Vulnerability


Blank Course of Action for Threat events received from CTA cloud to TC-NAC adapter


EAP-FAST authentication failed with no shared cipher in case of private key encryption failed.


FasterXML jackson-databind Polymorphic Typing Vulnerability CVSS v3.1 Base: 9.8


Apache Commons Compress File Name Encoding Algorithm DoS Vulnerability CVSS v3.0 Base: 7.5


Localdisk size needs to be increased to accommodate large corefiles


libmspack chmd_read_headers Function Denial of Service Vulnerability


ISE 2.2 patch 14 AD status shows up as "updating.." indicating the process is hung


ISE App crash due to user API


ACI mappings are not published to SXP pxGrid topic


App server and EST services crash/restart at 1 every morning


Add the capability to filter out failed COA due to MAR cache checks among group nodes in ISE


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


Policy engine continues to evaluate all Policy Sets even after rule is matched


Invalid root CA certificate accepted


Unable to configure CRL URL with 2 parenthesis at ISE 2.6


Trustsec matrix pushing stale data


Highload on Mnt nodes with Xms value


SEC_ERROR_BAD_DATABASE seen in system/app debug logs while removing a trusted CA cert


The CRL is expired with specific condition


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


ISE not updating SGT's correctly


AuthZ profile advanced profile for url-redirect does not allow custom HTTPS destination


ISE 2.6 CA Certificate with the same CN removed from Trusted Store while integrating with DNA-C


Condition disappeared from the library but is still in DB


Fail to import Internal CA and key on ISE2.6


NFS mounting causes crash


MACAdress API is not working(API/mnt/Session/MACAddress)


Creating a new user in the sponsor portal shows "invalid input"


Days to Expiry value, marked as 0 for random authentications


NAD CSV imports should allow all supported characters in the TrustSecDeviceID


ISE Admin User Unable To Change The Group For Internal Users


collector log is dumped with pxgid and dnac messages


Tacacsprofile not retrieved properly using REST API


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


After importing network device / groups, unable to add new Location


ISE 2.2+ affected with memory leak. Everyday 1-2% increase in native memory due to Inflater()


Days duration is not getting updated in portal page customization for self registration portal


Errors when SG created using _ underscore sent from DNAC


ISE 2.2+ affected with memory leak. Everyday 1-2% increase in native memory by PORT_Alloc_Util()


ISE 2.6 - Cannot enable FIPS if Default Device Admin has been modified


ISE: 2.4p9 Intermediate CA cert not installed when configuring SCEP RA


Unable to do portal customization for "certificate provisioning portal"


ISE crashes due to empty string instead of username in RadiusProxyFlow::stripUserName()


ISE: Unable to use attribute "url-redirect" with HTTPS, same URL with HTTP works fine.


URT fails on a ConditionsData clause from INetworkAuthZCheck


API is not retrieving the data when interim-updates are not stored DB


Multiple Vulnerabilities in binutils


Having string 'TACACS' in AD join-point causes AD joinpoint to not show in AuthZ condition


ISE 2.4 Guest ERS Call Get-By-Name fails when guest username contains @ sign (


Multiple Vulnerabilities in patch


Multiple Vulnerabilities in python


Multiple Vulnerabilities in sudo


ISE 2.6 Install: Input Validation- Check IP Domain Name


Vulnerability in unzip package - RHEL 7


ISE SNMP server crashes when using Hash Password.


Importing metadata xml file with special characters results in unsupported tags error


ISE 2.4 P11 On OP Backup Restore, EPOCH_TIME column is removed


.dmp files not deleted from /opt/oracle/base/admin/cpm10/dpdump even after the reset-config on ISE


404 error upon refresh of success page of guest sponsored portal


NMAP - MCAFeeEPROOrchestratorClientscan fails to execute on 2.6 version of ISE


ISE expired tacacs session not cleared timely from session cache


Cert Revoke and CPP not functioning without APEX license.


Change "View" Options Wording in TrustSec Policy Matrix--ISE


POST getBackupRestoreStatus occures on every ISE page after navigating to Backup/Restore menu


No threshold option for High disk Utilization in Alarm Settings


Posture with tunnel group policy evaluation is eating away Java Mem


ISE shouldn't be allowing ANY in egress policy when imported


Time difference in ISE 2.6


[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for network devices


IP SGT static mapping import not working correctly with hostnames


FasterXML jackson-databind xbean-reflect/JNDI Blocking Vulnerability


pxGrid 2.0 WebSocket distributed upstream connect issue


pxGrid 2.0 WebSocket ping pong too slow even on idled standalone


ISE doesn't display all device admin authz rules when there are more authz policies and exceptions


Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.6


Authentication goes to process fail when "Guest User" ID Store is used.


Radius Errors/Misconfigured supplicants tables do not exist after upgrade to ISE2.6


PERMGEN configured instead of metaspace for JDK8


When accessing the portal with iPad using Apple CNA and AUP as a link we get 400 Bad Request error.


Publishing batch logic in Pxgrid when we use WMI and REST at the same time


ISE shouldn't allow ANY SGT or value 65535 to be exposed over SGT import or export


ISE ERS API Endpoint update slow when large number of endpoints exist


Cannot add/modify allowed values more than 6 attributes to System Use dictionaries


EP lookup takes more time causing high latency for guest flow


Identity group updates for an internal user in ISE


ISE 2.6 MDM flow fails if redirect value is present in the URL


Hostname goes missing from CARS configuration


[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for /ers/config/internaluser


ISE: If min pwd length is increased then existing shorter pwd fails to login via GUI with no error


MNT node election process is not properly designed.


Syslog Target configured with FQDN can cause Network Outage


Authentication Status API call on ISE 2.6p5 returns blank output


App-server crashes if IP-access submitted w/o any entries


Intermittent password rule error for REST API Update Operation


ISE ERS API - GET call on Network Device is slow while processing SNMP configuration


Alarm Dashlet shows 'No Data Found'.


No debug log for non working MNT widgets


ISE DACL Syntax check not detecting IPv4 format errors


PUT verb for /ers/config/internaluser/name/{username} makes id, password, and name mandatory in request content


EAP-TLS authentication fails in 2.6 p5/p6 after backup restore from 2.6 p3


Machine authentication via EAP-TLS is failing during authorization flow with user not found error

Open Caveats in Cisco ISE Release - Cumulative Patch 7

Caveat ID Number



Multiple version of ojdbc in 2.6p7 results in licensing/mnt/deployment issues.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 6

The following table lists the resolved caveats in Release 2.6 cumulative patch 6.

Patch 6 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Posture session state need to be shared across PSNs in multi-node deployment


Provisioned Certificates are not getting deleted after revocation


SXP Bindings are not published to pxGrid 2.0 clients

New Features in Cisco ISE Release - Cumulative Patch 5

Cisco AI Endpoint Analytics Support

Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep packet inspection, and probes from sources like Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.

Cisco AI Endpoint Analytics also uses artificial intelligence and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE account is connected to an on-premise Cisco DNA Center.

These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.

Open Caveats in Cisco ISE Release - Cumulative Patch 5

After you install Cisco ISE 2.6 Patch 5, guest authentications based on SSID may fail due to an issue tracked by CSCvt36324. In this case, run the command show running-config to check whether the hostname is available. If the hostname is not available, contact Cisco TAC to troubleshoot this issue.

Caveat ID Number



Redirection not happening as hostname name missing from CARS configuration


Expired Evaluation profiler on ISE will cause default radius probe to enable

Resolved Caveats in Cisco ISE Release - Cumulative Patch 5

The following table lists the resolved caveats in Release 2.6 cumulative patch 5.

Patch 5 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



ISE Dashboard allows special characters: <>?"


Custom filters not working in Session Status column in Live Sessions window


CoA REST API is not working for ASA VPN Sessions


Endpoints lose static group assignment


MNT API does not support special character


Live sessions show incorrect Authorization profile and Authorization Policy for VPN and Posture scenario


TACACS authorization rule fails with no clear explanation when there is no command set defined for the rule if there is a VSA in the shell profile


Parsing NMAP smb-os-discovery data should remove &#xa; or \x00


Self-signed account creation error: "An attempt to text your account information to you has failed"


Multiple Vulnerabilities in procps-ng


Licensing consumption is incorrect for postured sessions with remote-access VPN


ISE 2.3 RSA SecurID authentication fails


Not able to delete certificate after hostname change


Multiple Vulnerabilities in openssh


Windows 7 device is profiled wrongly post Posture flow, due to anyconnect sending wrong useragent


After applying ISE 2.3 patch 5, creation of EOB Guest user does not work


Error occurred in publishing threat events with AMP adapters


Errors seen in /var/log/secure every 10 seconds for isemntlogproc


ISE 2.4 URT does not check if node is on a supported appliance


ISE 2.3: Location info and IPSEC info are reversed in Network Device Groups for some NADs


Multiple Vulnerabilities in krb5


To enable CLI clock timezone command


ProfilerCoA:- Exception in getting Policy details Exception seen in Profiler.log


Memory leak on ISE node with the openldap rpm running version 2.4.44


Patchupload files greater than 1GB don't get deleted while upgrading if upload through WebGUI is interrupted


Sponsored Guest account start date is not adjusted when account is extended


EAP-GTC Machine Authentication Failure password mismatch due to UTF-8 Validation Check failure


Cross-Site Request Forgery (CSRF) [OWASP_CSRFTOKEN bypass]


ISE 2.2 Sign On button grey out with Guest portal second factor Radius Token server authentication


ISE 2.4 live sessions cannot be filtered based on authentication or authorization policy


Cisco Smart Licensing cloud agent in waiting state causes GUI login delay in ISE 2.2


ISE 2.4 High CPU utilization on Secondary Admin Node


Able to delete CA from trusted page when external CA signs any system certificate


Internal User not found in prrt-server intermittently even though PrRTCpmBridge returns user found


IETF Dictionary Attribute Ascend-Client-Primary-DNS broken after upgrade


Expired guest accounts purge is stuck after daylight time change


Radius session detail report is broken if calling-station-id contains CLIENTVPN


Wrong job (HOURLY_STATS_JOB) running


Network device Import to ISE takes too long when IPV6 address is included


MnT Purge with option to export repository not working


When binding external CA sign certificate in intermediate CA CSR, certificate chain is broken in CA page


ISE TACACS Authentication and Accounting reports older than 30 days missing


ISE does not show logging when CTS pac is expired


Evaluation of ISE for CVE-2018-20685


Change logging level of 90140 INFO PassiveID: Message parsed syslog to DEBUG


Trashing IP SGT Static mappings across pages never completes


Maximum thread value limit is too low and triggers "Admin thread pool reached threshold value" alarm


SNMP traps on access switch connected to Access Points cause incorrect profiling.


All SNMP packets are logged to /var/log/messages file


ISE 2.4 localhost-<date>.log files growing up to and more than 8 Gb in size


No password audit is generated when a user changes ISE internal user enable password via ASA CLI


Application Server crash observed in Passive ID dashboard after some time if number of active sessions is more than 200K


Posture assessment by condition report is showing empty records


ISE Posture Agent Profile does not allow blank remediation timer


When creating Purging Rule, Radius directory hangs if there is no plus license


ISE 2.6 MUD URL is not parsed correctly if IP address or port is used


In external Radius scenario, ISE should replace state attribute before forwarding access challenge to NAD


Certificate is not loading from Oracle to NSSDB properly


ISE 2.4: Advanced Custom Filter option and export of reports not working as expected


"MDM: Failed to connect to MDM server" log entry must include endpoint information


Framed-Interface-Id RADIUS attribute not sent in access-accept if IPv6 address is in ::xx format


ISE ERS SDK NetworkDeviceGroup PUT does not show ID placement in the API call


ISE ERS SDK NetworkDeviceGroup DELETE does not specify ID location


pxGrid XMPP GCL Reconnect failure


Network Device POST API allows for characters and spaces in Model name of device but GUI does not


After changing password via UCP, "User change password audit" report doesn't have "Identity"


When ISE and Cisco DNA Center are integrated, network devices do not appear in ISE when the secret value contains both special characters & and \


ISE fails to load network devices page while filtering on IP/Mask


Systemd vulnerabilities RHEL 7 RHSA-2019:0049


Read-only admin users are able to view TrustSec device configuration credentials


Unable to get all tenable adapter repositories


Network Devices description issue with Japanese Language


Radius Authentication report missing log when custom filter is used


ISE not using the device-public-mac attribute in endpoint database


Export failed in ISE GUI when private key encryption failed


Password lifetime expiration reminder appears for Internal Users with external passwords


ACS 5.7 to ISE 2.6 migration doesn't import authorization profiles


Multi Shared Secret Field is being populated for exported TACACS devices


Unexpected CoAs may be observed with SCCM MDM


Unable to access My Devices portal


GUI login with AD user failed when similar internal user is disabled


ISE not searching machine account properly on AD


ISE 2.4: Incorrect sponsor portal presented to user due to incorrect FQDN match


ISE services are not coming up after installing patch 2.3 p7


DHCP messages are marking endpoints active thereby increasing the active endpoint count


Typo in Max Sessions window in Counter Time Limit tab


PxGrid ANC API support for Session-ID


ISE 2.4 p9: Session directory write failed : String index out of range: -1 alarms seen in the deployment


Unable to delete SCEP profile because it is referencing system certificates


ISE MnT stops showing Live Logs after 90% Purge


ISE sponsor's e-mail gets CCed in guest credential email even when view/print guest' passwords is disabled


ISE IP routing precedence issue


Called-Station-ID missing in RADIUS Authentication detail report


SCCMException seen in SCCM flow and MDMServerReachable value is updated as false in MDMServersCache


WSA receives SIDs instead of AD groups from ISE


Definition date for a few AM products like McAfee and Symantec is listed as false


ISE prefers cached AD OU over new OU after changing the Account OU


Config restore from one platform on another platform set incorrect UDI in sec_hostconfig table


tzdata needs to be updated in ISE guest OS


ISE LDAP bind test does not use the correct server when defined per node


Replication alarm when trustsec matrix CSV imported with EMPTY SGACL that is already EMPTY in GUI


Valid Base and Plus licenses show out of compliance


Live Logs show wrong username in "5436 NOTICE RADIUS: RADIUS packet already in the process" messages


ISE fails to re-establish External syslog connection after break in connectivity


SYSAUX tablespace is getting filled up with AWR and OPSSTAT data


NDG device references not removed from ISE DB thereby preventing NDG deletion


No profiling CoA for ip based profile policy


ERS Admin account disabled incorrectly due to password expiry


ISE Messaging service triggers Queue Link error alarms with reason basic_cancel


Different results seen in API calls and GUI


Max Session Counter time limit option is not working


ISE doesn't display the correct user in RADIUS reports if username is entered differently twice


ISE 2.3 p6 LDAP test GUI flow with multiple results does not generate error observed in runtime


Authorization Profile created using ERS API does not match with "ASA VPN" field in GUI


PSN crashes for TACACS+


Set max time frame to 60 mins when EndPoint default interval disabled


Reset config on 2.4 patch 9 throws some errors despite finishing successfully


ISE Guest creation API validation for Guest Users valid Days doesn't take time into account


PassiveID: Configuring WMI with an AD account password that contains $ character throws an error


LDAP ID store corruption alarm - Enhancement


Improve behavior against brute force password attacks


ISE 2.6 and 2.7 - Cannot add character ' in dACL description field


ISE 2.6 should allow multiple blank lines in dACL syntax, even if user chooses IPv4 or IPv6


ISE 2.x Network Device stuck loading


Self Registered Guest portal unable to save guest type settings


Unable to edit static group assignment


ISE allows inserting a space before a command under Command Sets


Backups are not triggering with special characters for encryption key


Multiple endpoints profiled every second causing ISE nodes to go out of sync


RabbitMQ Container failed to start when port 15672 is in use


When an internal user is configured with external passwords, Enable authentication function is broken


HSTS is not implemented for root folder


"No policy server" error seen in ISE posture module during high load


Corrupt Endpoints: Attributes associated to the incorrect Endpoint


pxGrid 2.0 authorization profile attribute missing from the session directory

New Features in Cisco ISE Release - Cumulative Patch 3

Multi-DNAC Support

A single Cisco DNA Center system scales only to the range of 25 to 100 thousand endpoints, whereas Cisco ISE can scale to two million endpoints. Previously, you could integrate only one Cisco DNA Center system with one Cisco ISE system. Large Cisco ISE deployments benefit from integrating multiple Cisco DNA Center clusters with a single Cisco ISE. Cisco now supports multiple Cisco DNA Center clusters per Cisco ISE deployment, also known as Multi-DNAC.

Business Outcome: This feature for the Access Control app in Cisco DNA Center allows you to integrate up to four Cisco DNA Center clusters with a single Cisco ISE system.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 3

The following table lists the resolved caveats in Release 2.6 cumulative patch 3.

Patch 3 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Missing NAD info in Alarm "Unknown SGT was provisioned"


The software shouldn't allow deleting the pxGrid certificate on an ISE node


Pseudo double Auth request on AD


ISE 2.3+ does not have authentication condition Network Access:AuthenticationMethod


ISE easy wireless setup - SAW secure access wizard not working with wlc code >8.3


ISE : Accounting updates tolerance for suppression needs to be more efficient.


Supported server ciphers for TLSv1.2 need 2048-bit option


ISE does not provide the expected values in the context of EAP chaining


ISE ENH : Allow RADIUS Dictionary VSA "Vendor Attribute Size Field Length" of 2 bytes


Remove ciphers with Diffie-Hellman moduli size less than or equal to 1024 bits for SSL connections


Cisco Identity Services Engine (ISE) Arbitrary Client Certificate Creation Vulnerability


Parser error seen with Threat Centric NAC CTA Configuration irrespective of ise version


ISE custom attributes not being applied to endpoint when pushed from cloudpost IND


MDMServerReachable does not work for SCCM MDM again


ISE 2.4 Live Logs Not Filtering


Multiple Vulnerabilities in jackson-databind


Qualys show connected state once disable/enable tc-nac if added before applying patch.


Disclose invalid username by Always show invalid name configuration not working


ISE 2.3 P5 ISE doesn't allow deleting SGT tag from GUI although it is not referenced


Guest portal client provisioning customization text doesn't save


ISE2.4 doesn't reset failedLoginAttempts after successful login of internal users to network device


ISE 2.2 Sponsor: Single click approval displays wrong message after clicking on approval link twice


The calculation of required space for MNT backup needs to be revalidated.


ISE 2.4 P5 : Profiling : Netflow probe not working on ISE Bonded Interface


ISE Profiler SNMP Request Failure Alarms should show the reason of failure


No serialization or batching when large scale(>300) NADs are moved between MatrixA to MatrixB


Env data is missing when TrustSec-ACI integration is enabled.


ISE: SMTP server sending Email notification gets Exhausted


ERS API that requires CSRF token always failing on PUT/POST/DELETE


Change in External admin permissions is not reflected in other nodes in deployment.


ISE deletes all endpoint if mac address is deleted twice at the same time


SystemTest : Error when deleting SCEP RA profile


Posture redirect fails with error 'unable to determine peer' in AnyConnect_ISEPosture.txt


ISE 2.4 With CTA threat, threat endpoints are not detected


GUI Context Visibility report export slowness


AD Diagnostic tool shows low level API query failed w/ Response contains no answer. Check DNS config


Unable to disable MDM server if configured server is not reachable


SQLite FTS3 Query Processing Integer Overflow Vulnerability


Enforce NMAP skip host discovery and NMAP scan timeout


System Test: Temporal agent installation is failing with internal system error.


[pxGrid XMPP Server] TCP/5222 insecure Diffie-Hellman prime p 1024 bits


Log Collection Error - Session directory write failed when AD Probe Session is inserted


Authentications start failing once AD throws KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


Unable to remove an endpoint from the endpoint database due to permission error


2.4 P8/P9 Certificate chain does not get imported to Patch 8 and Patch 9


ISE LogicalProfile appears under Custom attributes in CV if configure after valid Custom attributes


ISE trustsec custom view doesn't sort properly with manual order


ISE ERS Create via the API does not use the specified ID


ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions


Can't use endpoint group description during runtime for authz profile


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


ISE fails to handle SAML authentication response token


Certificate provisioning portal error with ISE as SubCA and PKCS12 (single file)


Renewed self-signed certificate doesn't get updated in trusted store


Restore failing for scheduled backup


Cannot Update Internal User with External Password ID Store via ERS--ISE


ISE fails to save configuration changes for large policy-sets


Wrong password being notified after password reset (Only on SMS)


Create Failing with ORA-02291 on CEPM.REF_ROLE_MASTER if groupId w/ prepending/trailing spaces


Core files on PSN servers causing High Disk Utilization alarms


ISE shows "Oops. Something went wrong" if session ID contains "-"


Not able to change the language in guest portal with option "Always use"


Incorrect audit report while updating Counter Time Limit in Max Session page


Posture fails with "Posture failed due to server issues". when Primary PAN is unreachable


Certificate trust chain is incomplete for pxGrid on pxGrid alone persona


ISE PAN failover inactive days = elapsed days causing incorrect purging of EPs.


ISE: "Posture failed due to server issues" error during System scan on MAC OSX


ISE doesn't store self-registered EndPoints in configured custom group


ISE 2.6 ACI integration TrustSec ACI report doesn't have sent ip-sgt mappings to ACI


Export function in Network device groups fails when using RBAC


Network Conditions do not work with shorten IPv6


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


'Deleting All' Network Access Users doesn't appear on audit report


Cisco Identity Services Engine Information Disclosure Vulnerability


System Summary is not available for MNT nodes


Cisco Identity Services Engine Policy Set Name Cross Site Scripting Vulnerability


Using ECDSA signed certificates with the admin or pxgrid usage breaks pxgrid


ISE user import does not fail when username contains invalid characters


ISE Guest portal fails to parse http request with two questions marks


Static group information is lost from EP in some scenarios


PSN generates scheduled reports if no connectivity to MNT


Implementation of patch popup


ISE 2.6 : Fix for CSCvi89085 breaks detectMACAuthenticationOnPAP flow


Move to Mapping Group drop down menu limits SGT Mapping groups to 25


PassiveID Agent: No Syslog message is sent to MnT when the agent monitoring DC goes down


pxGrid controller contacting


Static group assignment lost in guest flow


"Cache not properly initialized" message in every Profiler Policy and cannot update Profiler Feed


When updating password for administrative user it is possible to bypass entering current password


ISE 2.4p9 Grace period is not working with PRA with VPN use case


ISE sponsor portal - sorting by creation date doesn't work


ISE 2.4 Possible XSS input in Certificate Attributes message when "/" sign is in the name


Network devices added via restful API fails authentication with a 'Network Device not located' error


ACS to ISE migtool changes the intended results of auth policy


IPv6 RADIUS attributes cannot be mapped to any External attribute


IP SGT static mapping export fails for entries with no mapping data


Internal user using token password will be disabled due to password expired


ise.messaging.log not visible on support bundle or gui


Remove Unnecessary JQUERY-UI Files from ISE


Login page AUP as link does not work with iOS CNA browser


Move devices to another group button should be disabled when access has been restricted to NDG


ISE 2.6 Patch 2: EAP-TLS auth not matching endpoint groups


REST API: Create Network Device with special character ("\") in password field is interpreted as utf


ISE fails to parse NMAP Scan information


ISE 2.7 BETA: My Devices portal fails to load due to invalid character in Endpoint Description


ISE 3695 appliance is having issue with Oracle parameters configured for super MNT


Day0: iPad OS 13.1 BYOD flow fails


Hostname change causes ISE Messaging issues - MNT Failover and Queue Link Error-basic_cancel

Open Caveats in Cisco ISE Release - Cumulative Patch 3

Caveat ID Number



SGT Notification is missing on PxGrid V2 Client

New Features in Cisco ISE Release - Cumulative Patch 2

Syslog over ISE Messaging Service

The UDP syslogs (built-in UDP syslog targets LogCollector and LogCollector2) are delivered to the monitoring nodes using the existing ISE Messaging Service infrastructure, which is now enabled by default. This improves WAN survivability of syslog messages. Ensure that TCP port 8671 is open on any firewalls between all nodes for this feature to work.

To deliver the UDP syslogs over UDP ports instead, disable this option: in the Cisco ISE GUI, navigate to Administration > System > Logging > Log Settings and uncheck the Use ISE messaging Service for UDP syslog delivery to MnT option.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6.

Business Outcome

Operational data will be retained for a finite duration even when the monitoring nodes are unreachable.

Support for Elevated System Administrator Role

The Elevated System Administrator role is similar to the existing System Administrator role. In addition, with this role you can create, delete, and update admin users, except super admin users.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6.

Business Outcome

Elevated System Admin has the ability to manage admin users.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 2

The following table lists the resolved caveats in Release 2.6 cumulative patch 2.

Patch 2 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Custom admin unable to create other restricted admin users


SXP Devices page - can't show all the name after 14 chars


Friendly info message has to be displayed instead of blank page for unauthorized access


Patch installation might generate alarm Application patch installation failed


Sponsor Portal Page takes more than 10 seconds to load


Session notification can emit bad values in ADNormalizedUsername, ADUserResolvedIdentities fields


ISE CoA doesn't work 2 days after initial auth


ISE-PIC Self signed certificate delete operation fails due to Secure Syslog Server reference error


CA Service still running on command line after Disabling internal certificate authority in Web UI


ISE guest flow max session limit does not send CoA Disconnect with third party NAD


Network access user with external password cannot be used as ISE admin


ISE replaces "ip:" with its hostname in "ip:inacl" Cisco AV-Pair


Emails are not sent for alarm specific email configuration


EAP-TLS authentications with Endpoint profile set to not unknown fails in second authorization.


App status for ISE is in initialization state


ISE: admin users unable to delete or modify groups if a tacacs user is saved without any group


ISE 2.4 : Misconfigured supplicant query is one of the reasons for high CPU on both MNT nodes


Latency observed with high TPS rates, when ISE messaging service is turned ON


ISE 2.4 - CLI password will not accept 3 $


ISE Custom Endpoint Attributes - Will not save or delete


Internal Administrator Summary report not allowing to select specific columns


Adding config to support PrA in PSN failover case


TCNAC adapter cannot be configured post upgrade from 2.2 to 2.6


ISE 2.6 ANC policy is applied with error "microservice_unavailable" on SMC


Sponsor guest portal rate limit time not honored


Allowed Protocols - Error creating an inline Allowed Protocol in Policy sets page


EAP-GTC Machine Authentication Failure Password Mismatch due to failing the UTF-8 Validation Checks


ISE 2.4 Patch 6 reload breaks backups


PassiveID flow should send User's SamAccountName and ExplicitUPN


ADNormalizedUserName Field Missing From Half of sessions


Plus Licenses Consumed without Plus Features


AD_User_Fetch information is not in UI or Redis


Unable to delete multiple admin groups with multi select


ISE 2.4p3 Radius livelogs not showing due to invalid NAD ip address


Modifying Radius attributes to send in the request to External RADIUS Server is not working on ISE


Enable Pxgrid Profiling Probe Saves but will not enable


ISE dropping requests due to descriptor allocation exhaustion under external server latency scenario


ISE fails to match authz policy with endpoint ID group "unknown"


Custom Attribute (advanced filter in CV) not able to filter on risk score (integer value)


The AD connectivity issue occurred and the corefile was generated the same day


TACACS/AAA live log report not showing configuration change made from ACI


ISE 2.6 SFTP repository access fails


Deleting guest type throws error & not able to create new guest type with same name


Queue Link Error alarm generated after signing of ISE CA certificate by external Root CA


ise-elasticsearch.log files not purged in ISE 2.4 and 2.6


ISE 2.4 : Replication: Cluster information table has old FQDN


ISE 2.4 p6 400 error on sponsor portal after timeout.


BYOD flow is broken in IOS 12.2


Import of network device template throws error Failed illegal value for Encryption key


Multiple Vulnerabilities in struts2-core


Upgraded ISE Node Shows LDAP Identity Store Password in Plain


Authorization profile fails to import with no warnings or errors to user


CSCvp63136: US399914: 2.6 P2 - View third-party licenses and notices - Link Update


ISE 2.4 P8 posture scan running when switch to wired network not configured with dot1x


"Cisco Modified" Profiles are overwritten by the Profiler Feed Service


AUP guest portal error 400 when return from contact support link (iphone captive portal)


Email not received to guest if view/print guest password disabled


ISE MNT exception when receiving cisco-av-pair=addrv6=0x7f8c0d588608


ISE customer endpoint attribute type string doesn't allow certain numbers


ISE if using multiple matrices deploy button is missing


License usage for Plus either shows 0 or incorrect value


Export from Context Visibility-Endpoints does not contain Custom Attr for most of Endpoints


Unable to add network device with combination of any digit followed by () in software version field


[ 400 ] Bad Request error when refreshing the Mydevice portal


pxGrid to publish ADUser.. and ADHost..: SamAccountName and QualifiedName


ISE 2.6 patch 1 - AD User Test is returning 0 groups

Open Caveats in Cisco ISE Release - Cumulative Patch 2

Caveat ID Number



System Summary is not available for MNT nodes


IP-SGT maps are not propagated to ACI in specific scenario

Resolved Caveats in Cisco ISE Release - Cumulative Patch 1

The following table lists the resolved caveats in Release 2.6 cumulative patch 1.

Patch 1 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



ISE dmp files are not deleted from /opt/oracle/base/admin/cpm10/dpdump for failed backup attempts


ISE 2.x : Guest account activation time discrepancy for imported accounts


ERS API that requires CSRF token returns HTTP 404 instead of 403


Cannot delete security groups having virtual network mapping


Import two CA certs with same subject name


ISE Secure Access Wizard Easy Wireless null AD groups for BYOD, Secure Access, Sponsored guest flow


ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes"


NAD CSV imports should allow all supported characters


"No Data Available" when attempting to add endpoints to Identity Group with RBAC User


Guest creation fails ISE 2.3 after patch 5


Manage ACC calling infinite time when sponsoruser configured with permissions ALL&GROUP sponsor grps


ISE 2.4 slow database response with 500 authorization policies


ISE 2.4 - IP-SGT bindings disappear from SXP for user session


Removing SCEP RA Profile causes the associated CA chain to be silently removed from Trusted Store


Removal of unused logical profile may cause a wrong authorization result


Non-existent dACL is not verified by ISE


[ISE 2.4]Unable to use created profiling policy in authorization condition


Backups from SFTP repository may show incorrect year in Modified time


Able to delete ACI IEPG in ISE.


ISE does not allow to add an SGT


address shows as HTML code in context visibility


ISE: failed to skip duplicate framed-pool attribute during migration


ISE endpoint purge ACTIVEDIRECTORY dictionary is not loading


Pagination is not working in "All SXP mappings" page in ISE.


ISE deleting the newly created IP-SGT mapping


ISE truncates the SGT name after a "-" character and assigning a version id


System Scan throws internal error for MAC built-in FW remediation using ISE 2.4 Patch 7


RabbitMQ docker container is not coming up if port 15672 was already in use


ISE 2.4 Patch 6 installation breaks FQDN of Sponsor and MyDevices Portal


Failed to migrate dACLs from ACS 5.8 to ISE 2.6


CoA failure in Radius+PassiveID flow


After upgrading from ISE 2.0.1 Patch 4 to 2.4 Patch 6, CoA is not issued from ISE


ISE TLS 1.0 and 1.1 security settings are not applied for PxGrid, causing WSA to fail integration


Unable to add AD group if it contains "/." or "/.." in the AD group name


Change password for few of the internal users not working after upgrade to 2.6


APIC logs not seeing in sxp.log when SXP logging set to 'DEBUG'.


Delay in clearing of SXP mappings in ISE


EAP-TTLS settings page is not saved in ISE 2.6


Admin group cannot get access to "Users" at "Device Administration" tab after install patch 5


Default python change password script returns CRUD operation exception


ISE:WMI-Passed values may compromise the security of ISE. Please remove malicious scripting terms


CSV file of RADIUS authentications report may have duplicate records


ISE downloads unneeded RA certificate for BYOD


Device Administration Current Active Sessions report not available from 2.4 Patch 6


ISE DACL syntax checking validation failing on wildcard notation


Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler


pxGrid node name limit too short for FMC


pxGrid startup order causing profiler code to fail init


ISE 2.6 LiveLogs not seen and false Health Status is Unavailable alarm


ISE : Memory usage discrepancy in GUI and show tech


After Importing ISE PB to ISE , Login page are not loaded


ISE 2.3 : Posture report for endpoint by condition not working as expected


ISE : Improve Posture Assessment by Condition Report export rate for higher records (millions)


Admin Access Blank page when using valid RSA/RADIUS Token credentials but is not in ISE Admin DB


ISE 2.3/2.4 upgrade to the latest patch may break dynamic redirection for 3rd party NADs


[ENH] Change field Active Directory in External DataSource condition to mention Join Point


Successful Authentication Entries not shown in the RADIUS Report due to exceeding the CSV limit


Fix "Server not reachable" autologout

Communications, Services, and Additional Information

  • To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you are looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain information about general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.