Come to the Content Hub at, where, using the Faceted Search feature, you can accurately zoom in on the content you want; create customized PDF books on the fly for ready reference; and can do so much more...

So, what are you waiting for? Click now!

And, if you are already experiencing the Content Hub, we'd like to hear from you!

Click the Feedback icon on the page and let your thoughts flow!


Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, Cisco Wireless Controllers, Virtual Private Network (VPN) gateways, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on Secure Network Server appliances with different performance characterizations, and also as software that can be run on a virtual machine (VM). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For more information about the features that are supported in this Cisco ISE release, see the Cisco Identity Services Engine Administrator Guide.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation in this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE, Release 2.6, requires the following platforms.


For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise- Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.

Table 1. Supported Hardware Platforms and Personas

Hardware Platform



Cisco SNS-3515-K9 (small)


For the appliance hardware specifications, see the "Cisco SNS-3500 and SNS-3600 Series Appliances" chapter in the Cisco Identity Services Engine Hardware Installation Guide.

Cisco SNS-3595-K9 (large)

Cisco SNS-3615-K9 (small)

Cisco SNS-3655-K9 (medium)

Cisco SNS-3695-K9 (large)

Cisco ISE-VM-K9 (VMware, Linux KVM, Microsoft Hyper-V)

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, and pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.


  • Cisco Secured Network Server (SNS) 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, all the users will be required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

  • Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.

Federal Information Processing Standard Mode Support

Cisco ISE uses embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.

When FIPS mode is enabled on Cisco ISE, consider the following:

  • All non-FIPS-compliant cipher suites will be disabled.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA Private keys must be of 2048 bits or greater.

  • Elliptical Curve Digital Signature Algorithm (ECDSA) Private keys must be of 224 bits or greater.

  • Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.

  • SHA1 is not allowed to generate ISE local server certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • The Local SSH server operates in FIPS mode.

  • The following protocols are not supported in FIPS mode for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on RHEL 7.1, 7.3, and 7.5


    If you are installing or upgrading Cisco ISE on an ESXi 5.x server to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later.

Supported Browsers

The supported browsers for the Admin portal include:

  • Mozilla Firefox 72 and earlier versions

  • Mozilla Firefox ESR 60.9 and earlier versions

  • Google Chrome 80 and earlier versions

  • Microsoft Internet Explorer 10.x and 11.x

  • Microsoft Edge beta 77 and earlier versions


  • If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).

  • If you use Chrome 65.0.3325.189, you may be unable to view guest account details in the print preview section.

  • When self-signed certificates are used, Cisco ISE portal may fail to launch in Microsoft Edge beta 77 browser even if URL redirection is successful. To resolve this issue:

    1. Add both DNS name and IP address in the Subject Alternative Name (SAN) field.

    2. After the ISE services are restarted, redirect the portal in a different browser.

    3. Choose View Certificate > Details and copy the certificate by selecting the base-64 encoded option.

    4. Install the certificate in Trusted path and relaunch the browser.

  • You might see a warning message while downloading an executable (EXE) file in Google Chrome 76 or later. To resolve this issue:

    1. In your browser, click the Settings menu at the top-right corner.

    2. At the bottom of the Settings window, click Advanced.

    3. Under Downloads, check the Ask Where to Save Each File before Downloading check box.

Support for Microsoft Active Directory

Cisco ISE works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, and 2016 at all functional levels.


  • It is recommended that you upgrade Windows server to a supported version as Microsoft no longer supports Window server 2003 and 2003 R2. .

  • Microsoft Active Directory Version 2000 or its functional level is not supported by Cisco ISE.

Cisco ISE supports multidomain forest integration with Active Directory infrastructure to support authentication and attribute collection across large enterprise networks. Cisco ISE supports up to 50 domain join points.

Improved User Identification

Cisco ISE can identify Active Directory users when a username is not unique. Duplicate usernames are common when using short usernames in a multidomain Active Directory environment. You can identify users by Software Asset Management (SAM), Customer Name (CN), or both. Cisco ISE uses the attributes that you provide to uniquely identify a user.

Update the value of the following:

  • SAM: Update this value to use only the SAM in the query (the default).

  • CN: Update this value to use only CN in the query.

  • CNSAM: Update this value to use CN and SAM in the query.

To configure the attributes mentioned above for identifying Active Directory users, update the IdentityLookupField parameter in the registry on the server that is running Active Directory:


Supported Ciphers

In a clean or fresh install of Cisco ISE, SHA1 ciphers are disabled by default. However, in case of an upgrade from an existing version of Cisco ISE, the SHA1 ciphers are preset to the options from the earlier version. You can view and change the SHA1 ciphers settings using the Allow SHA1 Ciphers field (Administration > System > Settings > Security Settings).

What is New in Cisco ISE, Release 2.6?

Base Licensing

The features described below require Cisco ISE base licensing.

CLI Access by External Identity Store

ISE supports authentication of CLI administrators by external identity sources, such as Active Directory.

Business Outcome: You can manage a single source for passwords without the need to manage multiple password policies and administer internal users within ISE, thereby reducing time and effort.

IPv6 Support

In addition to the IPv4 support, Cisco ISE, Release 2.6 extends IPv6 support for the following functions or events:

  • ISE Management

    You can access and manage a Cisco ISE node over an IPv6 address, and configure an IPv6 address to Eth0 (Interface) during setup wizard as well as through CLI.

    You can also manage Secure Socket Shell (SSH) with IPv6 addresses. Cisco ISE supports multiple IPv6 addresses on any interface and these IPv6 addresses can be configured and managed using CLI.

  • Network Time Protocol Support

    You can access, configure, and manage Network Time Protocol (NTP) servers with IPv4, FQDN, IPv6 addresses, or with a mix of these.

    Cisco ISE also supports NTP server fallback mechanism and server authentication over an IPv6 address.

  • Domain Name System Support

    You can configure a combination of IPv4 and IPv6 Domain Name System (DNS) servers and even manage IPv4 or IPv6-based DNS servers through CLI and GUI. Static hostnames can be mapped with IPv6 addresses.

    For further details, see ISE Cisco Identity Services Engine CLI Reference Guide, Release 2.6

  • External Repositories

    You can add an external repository in Cisco ISE with an IPv6 address. Communication between a Cisco ISE node and an IPv6 external repository is possible when the node has an IPv6 address configured to Eth0.

    For further details, see ISE Cisco Identity Services Engine CLI Reference Guide, Release 2.6

  • Audit Logs and Reports

    You can view the reports relating to login and logout activities, password changes, and operational changes made by you while accessing Cisco ISE through an IPv6 address. These events can be viewed in the audit reports available in the Cisco ISE dashboard.

  • Simple Network Management Protocol

    Simple Network Management Protocol (SNMP) traps and MIBs can be communicated through IPv6 addresses. You can configure IPv4-based, IPv6-based SNMP or multiple SNMP (a mix of IPv4 and IPv6) servers.

  • Access Control Lists And Dynamic Access Control Lists

    From Cisco ISE, Release 2.6, you can define Access Control Lists (ACLs), Dynamic Access Control Lists (DACLs) and Cisco Airespace ACLs with IPv6 addresses.

  • Active Directory

    You can connect to the IPv6 Active Directory from Cisco ISE.

  • External Restful Service Portal

    External Restful Service is available on an IPv6 client.

  • Syslog Client or Logging Targets

    You can configure IPv6-based syslog targets.

  • Posture

    You can access RADIUS servers with an IPv6 address.

For more information on Cisco ISE, Release 2.6, IPv6 support, see Cisco Identity Services Engine Administrator Guide, Release 2.6.

Business Outcome: You can migrate to an IPv6-based network to complete the events mentioned above.

Japanese or English View of the Administrator Portal

The Administration console currently supports two languages, Japanese and English. You can select either the Japanese view or the English view under Account Settings.

Business Outcome: Suitable for Japanese-speaking and English-speaking administrators to configure and use Cisco ISE.

Policy Service Nodes and the Light Session Directory

The Light Session Directory feature can be used to store user session information and replicate it across the Policy Service Nodes (PSNs) in a deployment, thereby eliminating the need to be totally dependent on the Primary Administration Node (PAN) or the Monitoring and Troubleshooting (MnT) node for user session details. The Light Session Directory feature stores only the session attributes required for Change of Authorization (CoA). To enable the Light Session Directory feature, choose Administration > Settings > Light Session Directory and check the Enable Light Session Directory check box.

Business Outcome: Improved performance and scalability of Cisco ISE node.

REST Support for External Administrators

From Cisco ISE 2.6, External RESTful Services (ERS) users can either be internal users or belong to an external Active Directory. The Active Directory group to which the external users belong should be mapped to either the ERS Admin or the ERS Operator group. With this enhancement, administrators no longer have to create internal user counterparts for external users who need access to ERS services.

Business Outcome: The process of enabling external administrators to access RESTful services is simplified.

Support for Manufacturer Usage Descriptor

Manufacturer Usage Descriptor (MUD) is an IETF standard, which defines a way to on-board IoT devices. It provides seamless visibility and segmentation automation of IoT devices. MUD has been approved in IETF process, and released as RFC8520.

Cisco ISE, Release 2.6 supports identification of IoT devices. Cisco ISE automatically creates profiling policies and Endpoint Identity Groups. MUD supports profiling IoT devices, creating profiling policies dynamically, and automating the entire process of creating policies and Endpoint Identity Groups. Administrators can use these profiling policies to create manually Authorization Policies and Profiles. IoT devices emitting MUD URL in DHCP and LLDP packets are on board, using those profiles and policies. Full automation, including enforcement in the system, is expected to be added in a future release.

Cisco ISE performs unsigned classification of IoT devices, and accessed through profiler policies. ISE does not store the MUD attributes; the attributes are only used in the current session. In the Context and Visibility > Endpoints window, you can filter IoT devices by the Endpoint Profile field.

The following devices support sending MUD data to Cisco ISE:

  • Cisco Identity Services Engine 2.6

  • Cisco Catalyst 3850 Series Switches running Cisco IOS XE Version 16.9.1 & 16.9.2

  • Cisco Catalyst Digital Building Series Switches running Cisco IOS Version 15.2(6)E2

  • Cisco Industrial Ethernet 4000 Series Switches running Cisco IOS Version 15.2(6)E2

  • Internet of Things (IoT) devices with embedded MUD functionality

Profiler Support

Cisco ISE supports the following profiling protocols and profiling probes:

  • LLDP and RADIUS - TLV 127

  • DHCP - Option 161

Business Outcome: The number of IoT devices that are connected to enterprise networks is increasing. Until now, Cisco ISE could not classify these devices. From Release 2.6, Cisco ISE can classify and display the IoT devices that are connected to your network, using an automated process.

Syslog over ISE Messaging

From Cisco ISE, Release 2.6, Monitoring and Troubleshooting (MnT) WAN Survivability is available for UDP syslog collection. Syslogs are recorded using ISE Messaging Service. The Remote Logging Targets, where the syslogs are collected and stored uses port TCP 8671 and the Secure Advanced Message Queuing Protocols (AMQPs) for sending syslogs to MnT.

By default, the ISE Messaging Service option is disabled until Cisco ISE, Release 2.6 Patch 1.

From Cisco ISE, Release 2.6 Patch 2 onwards, by default, the ISE Messaging Service option is enabled.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6

Business Outcome: Operational data will be retained for a finite duration even when the MnT node is unreachable.

Hardening Improvements

The following caveats are fixed to ensure improved hardening of Cisco ISE:

  • CSCvj85532- Streamlined security enforcement upon administrators' authentication failures.

  • CSCvk46033- Improved security hardening for connections to the Cisco ISE SSH server.

  • CSCvk09565- Conformance to RFC 3164 standards.

  • CSCvj96345- Improved security for connections to the Cisco ISE Administration application.

TrustSec Deployment Verification Report

You can use this report to verify whether the latest TrustSec policies are deployed on all network devices and whether there are any discrepancies between the policies configured on Cisco ISE and those deployed on the network devices.

Business Outcome: You can easily verify whether the latest TrustSec policies are deployed on the network devices or if there are any discrepancies.

NFS Repository Credentials

When you add a repository and select NFS as the protocol, you can no longer enter credentials to connect to the repository.

Business Outcome: Using credentials to connect to an NFS repository caused problems.

Apex Licensing

The features described below require Cisco ISE apex licensing.

Identify Managed Devices with Dynamic MAC Addresses

AnyConnect 4.7 now provides a Unique Device ID (UDID) to identify a connected user. The UDID value can be mapped with information from Mobile Device Management (MDM) providers to help identify users who have the same MAC address. MAC address sharing is common in open offices, where more than one person shares a dock or USB dongle.

Business Outcome: You can develop a solution that uses the UDID to uniquely identify a user, when device connections are shared.

Flexible Remediation Notification

From Cisco ISE, Release 2.6, you can delay the grace period prompt from being displayed to the user until a specific percentage of grace period has elapsed.

For example, if the Delay Notification field in the Policy > Posture > Posture Policy window is set to 50 percent and the configured grace period is 10 minutes, Cisco ISE checks the posture status after 5 minutes and displays the grace period notification if the endpoint is found to be noncompliant. Grace period notification is not displayed if the endpoint status is compliant. If the notification delay period is set to 0 percent, the user is prompted immediately at the beginning of the grace period to remediate the problem. However, the endpoint is granted access until the grace period expires.

Business Outcome: Prevents unnecessary remediation prompts for endpoints waiting for JAMF software or Microsoft System Center Configuration Manager (SCCM) updates.

Generic or Custom Messaging Through Cisco AnyConnect

More informative messages can now be displayed by Cisco AnyConnect when it is used in the context of Cisco ISE Posture service. End users can now see messages about posture status and errors. You can modify the content that is displayed in AnyConnect posture profiles. Note that this feature requires Cisco AnyConnect Version 4.7.

Business Outcome: Better communication with end users.


Support for Cisco Secure Network Server 3600 Series Appliance

Cisco ISE 2.6 supports Cisco Secure Network Server 3615, Secure Network Server 3655, and Secure Network Server 3695 appliances.

For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise- Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.

Business Outcome: Improved performance, scalability, and platform manageability over SNS 35xx series appliances.

Known Limitations and Workarounds

IP-SGT Bindings Are Not Propagated Under Certain Conditions

Under the following conditions, IP-SGT mappings are not propagated to ACI.

On the ISE administrators console, navigate to Work Centers -> TrustSec -> Components:

  1. Create a security group, but don't check Propagate to ACI.

  2. Create an IP-SGT binding with previously created Security Group. It may be a static, session or SXP binding.

  3. On the Security Group, click Propagate to ACI .

  4. Click Save.

  5. The Security Group synchs to ACI, but not IP-SGT that is mapped to the Security Group.



  1. Restart the ACI propagation in ISE and recreate the IP-SGT mappings.

    1. On the Work Centers->TrustSec->Settings->ACI Settings, uncheck “TrustSec-ACI Policy Element Exchange”, and save.

    2. Check TrustSec-ACI Policy Element Exchange, and save.

    3. The connection between Cisco ISE and ACI is reestablished.

  2. Delete the old IP-SGT bindings, and recreate them while Propagate to ACI is checked.


The connection between ACI and ISE reauthenticates every 24 hours, which also fixes this problem.

SXP Protocol Security Standards

Limitation: Security Group Exchange Protocol (SXP) transfers unencrypted data and uses weak Hash Algorithm for message integrity checking per draft-smith-kandula-sxp-06.
Workaround: There is no workaround.

For more information, see

Patch Build Download Using Chrome Browser

Limitation: Integrity checksum issues occur when you use the Google Chrome browser to download the patch build.
Condition: The Message Digest 5 (MD5) sum values do not match.
Workaround: Download the patch build using the FireFox browser. Verify that the downloaded patch bundle has the correct MD5 checksum.

Radius Logs for Authentication

Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.

Profiler RADIUS Probe

Limitation: Endpoints are not profiled; they are only authenticated and added to the database.
Condition: The RADIUS probe is disabled.
Workaround: Disable the profiling services completely.

NAM TLS 1.2 Incompatibility Warning

Limitation: ISE implementation of EAP-FAST does not support key generation in TLS 1.2.
Condition: If you are using NAM 4.7 to authenticate endpoints using EAP-FAST, remember that only certain versions of ISE support TLC 1.2, which is required for EAP-FAST. If you use an incorrect version of ISE, the authentication fails, and the endpoint does not have access to the network.
Workaround: In order to resolve this issue, upgrade the Cisco ISE software as shown for the following releases:
  • Cisco ISE Release 2.4: Patch 5 or later.

  • Cisco ISE Releases 2.0, 2.0.1, and 2.1. Install the Struts2-CVE-2018-11776 PSIRT fix, before you apply the hot patch. You can download the Struts2-CVE-2018-11776 PSIRT fix from Cisco software downloads.


In order to obtain hot patches for Cisco ISE releases earlier than Release 2.4, contact the Cisco Technical Assistance Center (TAC). Ensure that the ISE software has the latest patches applied before you apply the hot patch.

For more information, see

High Memory Utilization

Limitation: High memory utilization after installing or upgrading to Cisco ISE Version 1.3 or later.
Condition: Because of the way kernels manage cache memory, Cisco ISE might use more memory, which may trigger high memory usage (80 to 90%) and alarms.
Workaround: There is no workaround.

For more information, see CSCvn07836.

Diffie-Hellman Minimum Key Length

Limitation: Connection to LDAP server fails.
Condition: If the Diffie-Hellman minimum key length that is configured on the LDAP server is less than 1024, connection to the LDAP server fails.
Workaround: Change the Diffie Hellman key size on the LDAP server.

For more information, see CSCvi76985.

ECDSA Certificates

Limitation: Cisco ISE supports Elliptic Curve Digital Signature Algorithm (ECDSA) certificates with key lengths of 256 and 384 only.
Condition: ECDSA certificates that are used for EAP authentication are supported only for endpoints with Android Version 6.x and later.


Apple iOS is not supported if you use ECDSA as a system certificate. ECDSA certificates are supported only for Android 6.x and Android 7.x.

Workaround: You can select the key length in the Administration > System > Certificates > Certificate Management > System Certificates window.

Re-create Supplicant Provisioning Wizard References

Limitation: BYOD certificate provisioning flow is broken with both Internal and External Certificates.
Condition: When you upgrade to a new release, or apply a patch, the Supplicant Provisioning Wizard (SPW) is updated.
Workaround: Create new native supplicant profiles and new client-provisioning policies that reference the new SPWs.

Endpoint Protection Services API

As of Cisco ISE 1.4, ANC replaces Endpoint Protection Services. ANC provides additional classifications, and performance improvements. There are new APIs for ANC in the Cisco ISE SDK. While the ERS APIs might still work, we strongly recommend that you move to ANC.

Upgrade Information


If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.

Upgrading to Release 2.6

You can directly upgrade to Release 2.6 from the following Cisco ISE releases:

  • 2.1

  • 2.2

  • 2.3

  • 2.4

If you are on a version earlier than Cisco ISE, Release 2.1, you must first upgrade to one of the releases listed above and then upgrade to Release 2.6.


We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.

Cisco ISE, Release 2.6, has parity with 2.0 Patch 7, 2.1 Patch 8, 2.2 Patch 13, 2.3 Patch 5, and 2.4 Patch 5.

Supported Operating System for Virtual Machines

You can upgrade to Release 2.6 from either the GUI or the CLI.

Release 2.6 supports Red Hat Enterprise Linux (RHEL) 7.5.

If you are upgrading Cisco ISE nodes on a VMware virtual machine, after you upgrade, ensure that you change the guest operating system to Red Hat Enterprise Linux (RHEL) 7.5. To do this, you must power down the VM, change the guest operating system to RHEL 7.5, and power on the virtual machine after the change.

License Changes

Device Administration Licenses

There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.

The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.

Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0, and is enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are completely enforced on a per-node basis.

Cluster licenses have been discontinued, and now only node Licenses are available for sale.

However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.

The evaluation license allows device administration on one policy service node.

Licenses for Virtual Machine nodes

Cisco ISE is also sold as a virtual machine (VM). For this Release, we recommend that you install appropriate VM licenses for the VM nodes in your deployment. Install the VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, you will receive warnings and notifications to procure and install the VM license keys. However, the installation process will not be interrupted. From Cisco ISE, Release 2.4, you can manage your VM licenses from the GUI.

VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with eight cores and 64-GB RAM, you might need a Medium category VM license if you want to replicate the same capabilities on the VM. You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.

VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features that are enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.

VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification pop-up window.

If you have not purchased an ISE VM license earlier, see the Cisco Identity Services Engine Ordering Guide to choose the appropriate VM license to be purchased.


If you have purchased ISE VM licenses without a PAK, you can request VM PAKs by emailing Include the Sales Order numbers that reflect the ISE VM purchase, and your Cisco ID in your email. You will be provided a medium VM license key for each ISE VM purchase you have made.

For details about VM compatibility with your Cisco ISE version, see "Hardware and Virtual Appliance Requirements" chapter in the Cisco Identity Services Engine Installation Guide for the applicable release.

For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before an ISE software upgrade in order to check if the configured data can be upgraded to the required ISE version. Most upgrade failures occur because of data upgrade issues; the URT is designed to validate the data before the actual upgrade and reports and tries to fix the issues, wherever possible. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.


After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner displays. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. We use the collected data to provide better services and more features in forthcoming releases. By default, telemetry is enabled. To disable or modify the account information, choose Administration > Settings > Smart Call Home. The account is unique to each deployment. Each admin user need not provide it separately.

Cisco ISE Live Update Portals

Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from to the corresponding device using Cisco ISE.

If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings by choosing Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

Client Provisioning and Posture Live Update Portals

You can download Client Provisioning resources from:

Work Centers > Posture > Settings > Software Updates > Client Provisioning.

The following software elements are available at this URL:

  • Supplicant Provisioning wizards for Windows and Mac OS X native supplicants

  • Windows versions of the latest Cisco ISE persistent and temporal agents

  • Mac OS X versions of the latest Cisco ISE persistent agents

  • ActiveX and Java Applet installer helpers

  • AV/AS compliance module files

For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.

You can download Posture updates from:

Work Centers > Posture > Settings > Software Updates > Posture Updates

The following software elements are available at this URL:

  • Cisco-predefined checks and rules

  • Windows and Mac OS X AV/AS support charts

  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.

If you do not want to enable the automatic download capabilities, you can choose to download updates offline.

Cisco ISE Offline Updates

This offline update option allows you to download client provisioning and posture updates, when direct internet access to from a device using Cisco ISE is not available or is not permitted by a security policy.

Offline updates are also available for Profiler Feed Service. For more information, see the Configure Profiler Feed Services Offline.

To download offline client provisioning resources:


Step 1

Go to:

Step 2

Provide your login credentials.

Step 3

Navigate to the Cisco Identity Services Engine download window, and select the release.

The following Offline Installation Packages are available for download:

  • win_spw-<version>—Offline SPW Installation Package for Windows

  • mac-spw-<version>.zip—Offline SPW Installation Package for Mac OS X

  • compliancemodule-<version>—Offline Compliance Module Installation Package

  • macagent-<version>—Offline Mac Agent Installation Package

  • webagent-<version>—Offline Web Agent Installation Package

Step 4

Click either Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.

For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.

To download offline posture updates:


Step 1

Go to

Step 2

Save the file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.

Step 3

Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 4

Click the arrow to view the settings for posture.

Step 5

Click Updates.

The Posture Updates window is displayed.
Step 6

Click the Offline option.

Step 7

Click Browse to locate the archive file ( from the local folder in your system.

The File to Update field is a mandatory field. You can select only one archive file (.zip) containing the appropriate files. Archive files other than .zip, such as .tar, and .gz are not supported.
Step 8

Click Update Now.

Configuration Prerequisites

  • The relevant Cisco ISE license fees should be provided.

  • The latest patches should be installed.

  • Cisco ISE software capabilities should be active.

  • Read the Release Notes document for the corresponding release of Cisco Identity Services Engine.

Cisco ISE Integration with Cisco Digital Network Architecture Center

Download and Install a New Patch

To obtain the patch file that is necessary to apply a patch to Cisco ISE, log in to the Cisco Download Software site at (you might be required to provide your login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

For instructions on how to apply the patch to your system, see the "Install a Software Patch" section in the Cisco Identity Services Engine Administrator Guide.

For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.


When installing 2.4 Patch 4 and later, CLI services will be temporary unavailable during kernel upgrade. If the CLI is accessed during this time, the CLI displays the "Stub Library could not be opened" error message. However, after patch installation is complete, CLI services will be available again.


The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST).The bug IDs are sorted alphanumerically.


The Open Caveats sections lists the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 2.6. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.

The BST, which is the online successor to the Bug Toolkit, is designed to improve effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at

Resolved Caveats in Cisco ISE Release - Cumulative Patch 3

The following table lists the resolved caveats in Release 2.6 cumulative patch 3.

Patch 3 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Missing NAD info in Alarm "Unknown SGT was provisioned"


The software shouldn't allow to delete the pxGrid certificate on a ISE node


Pseudo double Auth request on AD


ISE 2.3+ does not have authentication condition Network Access:AuthenticationMethod


ISE easy wireless setup - SAW secure access wizard not working with wlc code >8.3


ISE : Accounting updates tolerance for suppression needs to be more efficient.


ISE does not provide the expected values in the context of EAP chaining


ISE ENH : Allow RADIUS Dictionary VSA "Vendor Attribute Size Field Length" of 2 bytes


ENH: Remove ciphers with Diffie-Hellman moduli size less than or equal to 1024 bits for SSL ISE


Cisco Identity Services Engine (ISE) Arbitrary Client Certificate Creation Vulnerability


Parser error seen with Threat Centric NAC CTA Configuration irrespective of ise version


ISE custom attributes not being applied to endpoint when pushed from cloudpost IND


MDMServerReachable does not work for SCCM MDM again


ISE 2.4 Live Logs Not Filtering


Multiple Vulnerabilities in jackson-databind


Qualys show connected state once disable/enable tc-nac if added before applying patch.


Disclose invalid username by Always show invalid name configuration not working


ISE 2.3 P5 ISE doesn't allows to delete SGT tag from GUI although it is not referenced


Guest portal client provisioning customization text doesn't save


ISE2.4 doesn't reset failedLoginAttempts after successful login of internal users to network device


ISE 2.2 Sponsor: Single click approval displays wrong message after clicking on approval link twice


The caluclation of required space for MNT backup need to be revalidated.


ISE 2.4 P5 : Profiling : Netflow probe not working on ISE Bonded Interface


ISE Profiler SNMP Request Failure Alarms should show the reason of failure


No serialization or batching when large scale(>300) NADs are moved between MatrixA to MatrixB


Env data is missing when TrustSec-ACI integration is enabled.


ISE: SMTP server sending Email notification gets Exhausted


ERS API that requires CSRF token always failing on PUT/POST/DELETE


Change in External admin permissions are not getting reflected in other nodes in deployment.


ISE deletes all endpoint if mac address is deleted twice at the same time


SystemTest : Error when deleting SCEP RA profile


Posture redirect fails with error 'unable to determine peer' in AnyConnect_ISEPosture.txt


ISE 2.4 With CTA threat, threat endpoints are not detecting


GUI Context Visibility report export slowness


AD Diagnostic tool shows low level API query failed w/ Response contains no answer. Check DNS config


Unable to disable MDM server if configured server is not reachable


SQLite FTS3 Query Processing Integer Overflow Vulnerability


Enforce NMAP skip host discovery and NMAP scan timeout


System Test: Temporial agent instalation is failing with internal system error.


[pxGrid XMPP Server] TCP/5222 insecure Diffie-Hellman prime p 1024 bits


Log Collection Error - Session directory write failed when AD Probe Session is inserted


Authentications start failing once AD throws KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


Unable to remove an endpoint from the endpoint database due to permission error


2.4 P8/P9 Certificate chain does not get imported to Patch 8 and Patch 9


ISE LogicalProfile appears under Custom attributes in CV if configure after valid Custom attributes


ISE trustsec custom view doesn't sort properly with manual order


ISE ERS Create via the API does not use the specified ID


ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions


Can't use endpoint group description during runtime for authz profile


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


ISE fails to handle SAML authentication response token


Certificate provisioning portal error with ISE as SubCA and PKCS12 (sinlge file)


Renewed self-signed certificate doesn't get updated in trusted store


Restore failing for scheduled backup


Cannot Update Internal User with External Password ID Store via ERS--ISE


ISE fails to save configuration changes for large policy-sets


Wrong password being notified after password reset (Only on SMS)


Create Failing with ORA-02291 on CEPM.REF_ROLE_MASTER if groupId w/ prepending/trailing spaces


Core files on PSN servers causing High Disk Utilization alarms


ISE shows "Oops. Something went wrong" if session ID contains "-"


Not able to change the language in guest portal with option "Always use"


Incorrect audit report while updating Counter Time Limit in Max Sesssions page


Posture fails with "Posture failed due to server issues". when Primary PAN is unreachable


Certificate trust chain is incomplete for pxGrid on pxGrid alone persona


ISE PAN failover inactive days = elapsed days causing incorrect purging of EP's.


ISE: "Posture failed due to server issues" error during System scan on MAC OSX


ISE doesn't store self-registered EndPoints in configured custom group


ISE 2.6 ACI integration Trustesec ACI report doesn't have sent ip-sgt mappings to ACI


Export function in Network device groups fails when using RBAC


Network Conditions do not work with shorten IPv6


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


'Deleting All' Network Access Users doesn't appear on audit report


Cisco Identity Services Engine Information Disclosure Vulnerability


System Summary is not available for MNT nodes


Cisco Identity Services Engine Policy Set Name Cross Site Scripting Vulnerability


Using ECDSA signed certificates with the admin or pxgrid usage breaks pxgrid


ISE user import does not fail when username contains invalid characters


ISE Guest portal fails to parse http request with two questions marks


Static group information is lost from EP in some scenarios


PSN generates scheduled reports if no connectivity to MNT


Implementation of patch popup


ISE 2.6 : Fix for CSCvi89085 breaks detectMACAuthenticationOnPAP flow


Move to Mapping Group drop down menu limits SGT Mapping groups to 25


PassiveID Agent: No Syslog message is sent to MnT when the agent monitoring DC goes down


pxGrid controller contacting


Static group assignment losing from guest flow


"Cache not properly initialized" message in every Profiler Policy and cannot update Profiler Feed


When updating password for administrative user it is possible to bypass entering current password


ISE 2.4p9 Grace period is not working with PRA with VPN usecase


ISE sponsor portal - sorting by creation date doesnt work


ISE 2.4 Possible XSS input in Certificate Attributes message when "/" sign is in the name


Network devices added via restful API fails authentication with a 'Network Device not located' error


ACS to ISE migtool changes the intended results of auth policy


IPv6 RADIUS attributes cannot be mapped to any External attribute


IP SGT static mapping export fails for entries with no mapping data


Internal user using token password will be disabled due to password expired


ise.messaging.log not visible on support bundle or gui


Remove Unnecessary JQUERY-UI Files from ISE


Login page AUP as link does not work with iOS CNA browser


Move devices to another group botton should be disabled when access has been restricted to NDG


ISE 2.6 Patch 2: EAP-TLS auth not matching endpoint groups


REST API: Create Network Device with special character ("\") in password field is interpreted as utf


ISE fails to parse NMAP Scan information


ISE 2.7 BETA: My Devices portal fails to load due to invalid character in Endpoint Description


ISE 3695 appliance is having issue with Oracle parameters configured for super MNT


Day0: iPad OS 13.1 BYOD flow got failed


Hostname change causes ISE Messaging issues - MNT Failover and Queue Link Error-basic_cancel

Open Caveats in Cisco ISE Release - Cumulative Patch 3

Caveat ID Number



SGT Notification is missing on PxGrid V2 Client

New Features in Cisco ISE Release - Cumulative Patch 2

Syslog over ISE Messaging Service

The UDP syslogs (built-in UDP syslog targets - LogCollector and LogCollector2) will be delivered to the monitoring nodes using the existing ISE Messaging service infrastructure, which is by default enabled now. This enhances WAN survivability of syslog messages. Please ensure to open the TCP port 8671 on firewalls (if any) between all nodes for this feature to work.

You can disable this option to deliver the UDP Syslogs via UDP Ports. To do so, navigate to Administration > System > Logging > Log Settings page in the Cisco ISE GUI and uncheck the Use ISE messaging Service for UDP syslog delivery to MnT option.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6

Business Outcome

Operational data will be retained for a finite duration even when the monitoring nodes are unreachable.

Support for Elevated System Administrator Role

The Elevated System Administrator role is similar to the existing System Administrator role. Additionally with this role you can create, delete and update admin users except super admin users.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6.

Business Outcome

Elevated System Admin has the ability to manage admin users.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 2

The following table lists the resolved caveats in Release 2.6 cumulative patch 2.

Patch 2 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



Custom admin unable to create other restricted admin users


SXP Devices page - can't show all the name after 14 chars


Friendly info message has to be displayed instead of blank page for unauthorized access


Patch installation might generate alarm Application patch installation failed


Sponsor Portal Page takes more than 10 seconds to load


Session notification can emit bad values in ADNormalizedUsername, ADUserResolvedIdentities fields


ISE CoA doesnt work 2 days after initial auth


ISE-PIC Self signed certificate delete operation fails due to Secure Syslog Server reference error


CA Service still running on command line after Disabling internal certificate authority in Web UI


ISE guest flow max session limit does not send CoA Disconnect with third party NAD


Network access user with external password cannot be used as ISE admin


ISE replaces "ip:" to it's hostname in "ip:inacl" Cisco AV-Pair


Emails are not sent for alarm specific email configuration


EAP-TLS authentications with Endpoint profile set to not unknown fails in second authorization.


App status for ISE is in initialisation state


ISE: admin users unable to delete or modify groups if a tacacs user is saved without any group


ISE 2.4 : Misconfigured supplicant query is one of the reasons for high CPU on both MNT nodes


Latency observed with high TPS rates, when ISE messaging service is turned ON


ISE 2.4 - CLI password will not accept 3 $


ISE Custom Endpoint Attributes - Will not save or delete


Internal Administrator Summary report not allowing to select specific columns


Adding config to support PrA in PSN failover case


TCNAC adapter cannot be configured post upgrade from 2.2 to 2.6


ISE 2.6 ANC policy is applied with error "microservice_unavailable" on SMC


Sponsor guest portal rate limit time not honored


Allowed Protocols - Error creating an inline Allowed Protocol in Policy sets page


EAP-GTC Machine Authentication Failure Password Mismatch due to failing the UTF-8 Validation Checks


ISE 2.4 Patch 6 reload breaks backups


PassiveID flow should send User's SamAccountName and ExplicitUPN


ADNormalizedUserName Field Missing From Half of sessions


Plus Licenses Consumed without Plus Features


AD_User_Fetch information's are not in UI as well as Redis


Unable to delete multiple admin groups with multi select


ISE 2.4p3 Radius livelogs not showing due to invalid NAD ip address


Modifying Radius attributes to send in the request to External RADIUS Server is not working on ISE


Enable Pxgrid Profiling Probe Saves but will not enable


ISE dropping requests due to descriptor allocation exhaustion under external server latency scenario


ISE fails to match authz policy with endpoint ID group "unknown"


Custom Attribute (advanced filter in CV) not able to filter on risk score (integer value)


The AD connectivity issue occurred and the corefile was generated the same day


TACACS/AAA live log report not showing configuration change made from ACI


ISE 2.6 SFTP repository access fails


Deleting guest type throws error & not able to create new guest type with same name


Queue Link Error alarm generated after signing of ISE CA certificate by external Root CA


ise-elasticsearch.log files not purged in ISE 2.4 and 2.6


ISE 2.4 : Replication: Cluster information table has old FQDN


ISE 2.4 p6 400 error on sponsor portal after timeout.


BYOD flow is broken in IOS 12.2


Import of network device template throws error Failed illegal value for Encryption key


Multiple Vulnerabilities in struts2-core


Upgraded ISE Node Shows LDAP Identity Store Password in Plain


Authorization profile fails to import with no warnings or errors to user


CSCvp63136: US399914: 2.6 P2 - View third-party licenses and notices - Link Update


ISE 2.4 P8 posture scan running when switch to wired network not configured with dot1x


"Cisco Modified" Profiles are overwritten by the Profiler Feed Service


AUP guest portal error 400 when retrun from contact support link (iphone captive portal)


Email not received to guest if view/print guest password disabled


ISE MNT exception when receiving cisco-av-pair=addrv6=0x7f8c0d588608


ISE customer endpoint attribute type string doesn't allow certain numbers


ISE if using multiple matrices deploy button is missing


License usage for Plus either shows 0 or incorrect value


Export from Context Visibility-Endpoints does not contain Custom Attr for most of Endpoints


Unable to add network device with combination of any digit followed by () in software version field


[ 400 ] Bad Request error when refreshing the Mydevice portal


pxGrid to publish ADUser.. and ADHost..: SamAccountName and QualifiedName


ISE 2.6 patch 1 - AD User Test is returning 0 groups

Open Caveats in Cisco ISE Release - Cumulative Patch 2

Caveat ID Number



System Summary is not available for MNT nodes


IP-SGT maps are not propagated to ACI in specific scenario

Resolved Caveats in Cisco ISE Release - Cumulative Patch 1

The following table lists the resolved caveats in Release 2.6 cumulative patch 1.

Patch 1 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



ISE dmp files are not deleted from /opt/oracle/base/admin/cpm10/dpdump for failed backup attempts


ISE 2.x : Guest account activation time discrepancy for imported accounts


ERS API that requires CSRF token returns HTTP 404 instead of 403


Cannot delete security groups having virtual network mapping


Import two CA certs with same subject name


ISE Secure Access Wizard Easy Wireless null AD groups for BYOD, Secure Access, Sponsored guest flow


ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes"


NAD CSV imports should allow all supported characters


"No Data Available" when attempting to add endpoints to Identity Group with RBAC User


Guest creation fails ISE 2.3 after patch 5


Manage ACC calling infinite time when sponsoruser configured with permissions ALL&GROUP sponsor grps


ISE 2.4 slow database response with 500 authorization policies


ISE 2.4 - IP-SGT bindings disappear from SXP for user session


Removing SCEP RA Profile casues the associated CA chain to be silently removed from Trusted Store


Removal of unused logical profile may cause a wrong authorization result


Non-existed DACL is not verifyed by the ISE


[ISE 2.4]Unable to use created profiling policy in authorization condition


Backups from SFTP repository may show incorrect year in Modified time


Able to delete ACI IEPG in ISE.


ISE does not allow to add an SGT


address shows as HTML code in context visibility


ISE: failed to skip duplicate framed-pool attribute during migration


ISE endpoint purge ACTIVEDIRECTORY dictionary is not loading


pagination is not working in "All SXP mappings" page in ISE.


ISE deleting the newly created IP-SGT mapping


ISE truncates the SGT name after a "-" character and assigning a version id


System Scan throws internal error for MAC built-in FW remediation using ISE 2.4 Patch 7


RabbitMQ docker container is not coming up if port 15672 was already in use


ISE 2.4 Patch 6 installation breaks FQDN of Sponsor and MyDevices Portal


Failed to migrate dACLs from ACS 5.8 to ISE 2.6


CoA failure in Radius+PassiveID flow


After upgrading from ISE 2.0.1 Patch 4 to 2.4 Patch 6, CoA is not issued from ISE


ISE TLS 1.0 and 1.1 security settings are not applied for PxGrid, causing WSA to fail integration


Unable to add AD group if it contains "/." or "/.." in the AD group name


Change password for few of the internal users not working after upgrade to 2.6


APIC logs not seeing in sxp.log when SXP logging set to 'DEBUG'.


Delay in clearing of SXP mappings in ISE


EAP-TTLS settings page is not saved in ISE 2.6


Admin group cannot get access to "Users" at "Device Administration" tab after install patch 5


Default python change password script returns CRUD operation exception


ISE:WMI-Passed values may compromise the security of ISE. Please remove malicious scripting terms


CSV file of RADIUS authentications report may have duplicate records


ISE downloads unneeded RA certificate for BYOD


Device Administration Current Active Sessions report not available from 2.4 Patch 6


ISE DACL syntax checking validation failing on wildcard notation


Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler


pxGrid node name limit too short for FMC


pxGrid startup order causing profiler code to fail init


ISE 2.6 LiveLogs not seen and false Health Status is Unavailable alarm


ISE : Memory usage discrepancy in GUI and show tech


After Importing ISE PB to ISE , Login page are not loaded


ISE 2.3 : Posture report for endpoint by condition not working as expected


ISE : Improve Posture Assessment by Condition Report export rate for higher records (millions)


Admin Access Blank page when using valid RSA/RADIUS Token credentials but is not in ISE Admin DB


ISE 2.3/2.4 upgrade to the latest patch may break dynamic redirection for 3rd party NADs


[ENH] Change field Active Directory in External DataSource condition to mention Join Point


Successful Authentication Entries not shown in the RADIUS Report due to exceeding the CSV limit


Fix "Server not reachable" autologout

Communications, Services, and Additional Information

  • To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you are looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain information about general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.