

The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.


Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, Cisco Wireless Controllers, Virtual Private Network (VPN) gateways, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on Secure Network Server appliances with different performance characterizations, and also as software that can be run on a virtual machine (VM). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments with centralized configuration and management. It also enables the configuration and management of distinct personas and services, so that you can create and apply services where they are needed in a network while operating the Cisco ISE deployment as a single, coordinated system.

For more information about the features that are supported in this Cisco ISE release, see the Cisco Identity Services Engine Administrator Guide.

To access the documentation, go to End-User Documentation.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation in this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE, Release 2.7, can be installed and run on the following platforms.

Table 1. Supported Platforms

Hardware Platform

  • Cisco SNS-3515-K9 (small)

  • Cisco SNS-3595-K9 (large)

  • Cisco SNS-3615-K9 (small)

  • Cisco SNS-3655-K9 (medium)

  • Cisco SNS-3695-K9 (large)

  • Cisco ISE-VM-K9 (VMware, Linux KVM, Microsoft Hyper-V); VMware ESXi 5.x, 6.x, 7.x

For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, and pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.


  • Cisco Secure Network Server (SNS) 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. If a Cisco ISE behavior issue occurs on a VM with less memory, increase the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

  • Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.

Federal Information Processing Standard Mode Support

Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.

When FIPS mode is enabled on Cisco ISE, consider the following:

  • All non-FIPS-compliant cipher suites will be disabled.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA private keys must be of 2048 bits or greater.

  • Elliptic Curve Digital Signature Algorithm (ECDSA) private keys must be of 224 bits or greater.

  • Diffie–Hellman Ephemeral (DHE) cipher suites require Diffie–Hellman (DH) parameters of 2048 bits or greater.

  • SHA1 cannot be used to generate Cisco ISE local server certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • The local SSH server operates in FIPS mode.

  • The following protocols are not supported in FIPS mode for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESXi 5.x, 6.x, 7.x

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on QEMU 1.5.3-160


Cisco ISE does not support VMware snapshots for backing up ISE data, because a VMware snapshot saves the state of a VM at a given point in time. In a multi-node Cisco ISE deployment, the data in all the nodes is continuously synchronized with the current database contents, so restoring a snapshot can cause database replication and synchronization issues. We recommend that you use the backup functionality included in Cisco ISE for archival and restoration of data.

Taking a VMware snapshot of an ISE node to back up its data stops the Cisco ISE services; a reboot is then required to bring the node back up.

Supported Browsers

The supported browsers for the Admin portal include:

  • Mozilla Firefox 80 and earlier versions

  • Mozilla Firefox ESR 60.9 and earlier versions

  • Google Chrome 85 and earlier versions

  • Microsoft Internet Explorer 11.x

Support for Microsoft Active Directory

Cisco ISE works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 at all functional levels.


  • It is recommended that you upgrade Windows Server to a supported version, because Microsoft no longer supports Windows Server 2003 and 2003 R2.

  • Microsoft Active Directory Version 2000 or its functional level is not supported by Cisco ISE.

Cisco ISE supports multidomain forest integration with Active Directory infrastructure to support authentication and attribute collection across large enterprise networks. Cisco ISE supports up to 50 domain join points.

Improved User Identification

Cisco ISE can identify Active Directory users when a username is not unique. Duplicate usernames are common when short usernames are used in a multidomain Active Directory environment. You can identify users by the SAM account name (sAMAccountName), by the Common Name (CN), or by both. Cisco ISE uses the attributes that you specify to uniquely identify a user.

Set the value to one of the following:

  • SAM: Use only the SAM account name in the query (the default).

  • CN: Use only the CN in the query.

  • CNSAM: Use both the CN and the SAM account name in the query.

To configure the attributes mentioned above for identifying Active Directory users, update the IdentityLookupField parameter in the registry on the server that is running Active Directory:


Supported Ciphers

In a clean or fresh install of Cisco ISE, SHA1 ciphers are disabled by default. However, if you upgrade from an existing version of Cisco ISE, the SHA1 ciphers retain the options from the earlier version. You can view and change the SHA1 ciphers settings using the Allow SHA1 Ciphers field (Administration > System > Settings > Security Settings).


This does not apply to the Admin portal. When running in Federal Information Processing Standard Mode (FIPS), an upgrade does not remove SHA1 ciphers from the Admin portal.

Cisco ISE supports TLS versions 1.0, 1.1, and 1.2.

Cisco ISE supports RSA and ECDSA server certificates. The following elliptic curves are supported:

  • secp256r1

  • secp384r1

  • secp521r1

The supported cipher suites fall into the families below. The same families apply whether Cisco ISE is configured as an EAP server, as a RADIUS DTLS server, as a RADIUS DTLS client for CoA, as a secure syslog client or a secure LDAP client, or when it downloads a CRL from an HTTPS or a secure LDAP server. Where a condition is given, the corresponding suites are negotiated only when that option is enabled.

TLS 1.0 support

Available when TLS 1.0 is allowed; the DTLS server and DTLS client support only DTLS 1.2. The Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. When it is disabled, TLS 1.0 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) or for 802.1X supplicants. To use the TLS-based EAP authentication methods with TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings window (Administration > System > Settings > Protocols > Security Settings).

TLS 1.1 support

Available when TLS 1.1 is allowed. The Allow TLS 1.1 option is disabled by default in Cisco ISE 2.3 and above. When it is disabled, TLS 1.1 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) or for 802.1X supplicants. To use the TLS-based EAP authentication methods with TLS 1.1, check the Allow TLS 1.1 check box in the same Security Settings window.

ECC DSA ciphers

Supported; the suites with a SHA-1 MAC are used only when SHA-1 is allowed.

ECC RSA ciphers

Used only when ECDHE-RSA is allowed; the suites with a SHA-1 MAC additionally require SHA-1 to be allowed.

DHE RSA ciphers

Supported; the suites with a SHA-1 MAC are used only when SHA-1 is allowed.

RSA ciphers

Supported; the suites with a SHA-1 MAC are used only when SHA-1 is allowed.

3DES ciphers

Used only when 3DES and SHA-1 are allowed (the 3DES/DSS option together with the SHA-1 option).

DSS ciphers

Used only when 3DES/DSS and SHA-1 are enabled.

Weak RC4 ciphers

Used only when the "Allow weak ciphers" option is enabled in the Allowed Protocols page; the RC4 suite with a SHA-1 MAC additionally requires SHA-1 to be allowed.

EAP-FAST anonymous provisioning only

Used only for anonymous PAC provisioning in EAP-FAST.

Peer certificate restrictions

Validate KeyUsage: for the cipher suites subject to this check, the client certificate must have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication.

Validate ExtendedKeyUsage: the client certificate must have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following cipher suites:

  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • RC4-SHA
  • RC4-MD5

The server certificate must have ExtendedKeyUsage=Server Authentication.
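The following script is an added example and is not part of this release note or of Cisco ISE. It classifies OpenSSL-style cipher suite names into the families of the table above, applies the SHA-1, ECDHE-RSA, 3DES/DSS and weak-cipher toggles the table refers to, and then handshakes with a listener once per TLS version to report what is actually negotiated. The host name, port and policy values are assumptions; the probe skips certificate validation because it inspects the listener rather than trusting it.

```python
"""Cipher-family audit for a Cisco ISE TLS listener (added example, not Cisco code).

classify() maps an OpenSSL cipher-suite name to the family rows of the table
above; permitted() applies the Security Settings / Allowed Protocols toggles
the table mentions; audit() handshakes with a listener once per TLS version
and flags anything the policy says should be off. Host, port and policy
values in __main__ are assumptions."""
import socket
import ssl


def classify(cipher):
    """Return (family, sha1_mac) for an OpenSSL-style cipher-suite name.

    A trailing "-SHA" means HMAC-SHA1; "-SHA256"/"-SHA384" suites are not SHA-1.
    """
    name = cipher.upper()
    sha1 = name.endswith("-SHA")
    if "RC4" in name:
        return "Weak RC4", sha1
    if "DES-CBC3" in name or "3DES" in name:
        return "3DES", True                       # every TLS 3DES suite uses an HMAC-SHA1 MAC
    if name.startswith(("ADH-", "AECDH-")):
        return "EAP-FAST anonymous provisioning only", sha1
    if name.startswith(("ECDHE-ECDSA-", "ECDH-ECDSA-")):
        return "ECC DSA", sha1
    if name.startswith(("ECDHE-RSA-", "ECDH-RSA-")):
        return "ECC RSA", sha1
    if name.startswith("DHE-RSA-"):
        return "DHE RSA", sha1
    if name.startswith(("DHE-DSS-", "DH-DSS-")):
        return "DSS", sha1
    return "RSA", sha1                            # no kx prefix = static RSA key exchange


def permitted(cipher, policy):
    """True if the suite should be negotiable under the given toggles.

    policy keys (all booleans): allow_sha1, allow_ecdhe_rsa, allow_3des_dss,
    allow_weak_ciphers. They mirror the options named in the table above.
    """
    family, sha1 = classify(cipher)
    sha1_ok = policy["allow_sha1"] or not sha1
    if family == "Weak RC4":
        return policy["allow_weak_ciphers"] and sha1_ok
    if family in ("3DES", "DSS"):
        return policy["allow_3des_dss"] and policy["allow_sha1"]
    if family == "EAP-FAST anonymous provisioning only":
        return False                              # only valid inside EAP-FAST anonymous PAC provisioning
    if family == "ECC RSA" and not policy["allow_ecdhe_rsa"]:
        return False
    return sha1_ok


VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def negotiate(host, port, version, timeout=5.0):
    """Handshake with exactly one protocol version; return the suite name or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # probing the listener, not trusting it
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")        # offer legacy suites so the server's choice shows
    except ssl.SSLError:
        ctx.set_ciphers("ALL")                    # OpenSSL builds without security levels
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None                               # refused, version disabled, or no common suite


def audit(host, port, policy):
    """Return {version_label: (negotiated suite or None, complies_with_policy)}."""
    report = {}
    for label, version in VERSIONS.items():
        cipher = negotiate(host, port, version)
        report[label] = (cipher, cipher is None or permitted(cipher, policy))
    return report


if __name__ == "__main__":
    # Assumed target and toggles for a hardened deployment (not ISE defaults).
    strict = {"allow_sha1": False, "allow_ecdhe_rsa": True,
              "allow_3des_dss": False, "allow_weak_ciphers": False}
    for label, (cipher, ok) in audit("ise-psn.example.com", 443, strict).items():
        print(f"{label}: {cipher or 'not negotiated'} -> {'OK' if ok else 'VIOLATES POLICY'}")
```

Run it against each node's Admin listener (443) and the end-user portal listener (8443 by default) after changing the Security Settings; with Allow TLS 1.0 and Allow TLS 1.1 off, those two rows should report "not negotiated". On OpenSSL builds that have TLS 1.0/1.1 compiled out they report "not negotiated" regardless of the server, and the RADIUS DTLS listener is UDP and is not covered by this probe.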

What is New in Cisco ISE, Release 2.7?

Auto-Logon of Self-Registered Guest after Sponsor Approval

You can now enable automatic logon for a self-registered guest after sponsor approval.

Business Outcome: The guest user is automatically logged in when the sponsor approves the guest access request. This simplifies the process and improves customer experience.

Cisco Support Diagnostics Connector

The Cisco Support Diagnostics Connector helps Cisco Technical Assistance Center (TAC) and Cisco support engineers to obtain deployment information from the primary administration node.

Business Outcome: TAC can now get support information of any particular node in a deployment through the connector. This data enables quicker and better troubleshooting.

CLI Show Logging Enhancement

When you run the show logging command in the Command Line Interface (CLI), the output is displayed in the Unix less pager. Type "H" to see the supported less commands.

Business Outcome: less is better suited to viewing the content of large files, which saves time when examining log files.

EAP TEAP Support

Cisco ISE 2.7 supports the Tunnel Extensible Authentication Protocol (TEAP). Type-length-value (TLV) objects are used within the tunnel to transport authentication-related data between the EAP peer and the EAP server. You can use EAP-MS-CHAPv2 or EAP-TLS as the inner method. EAP chaining is supported for TEAP. EAP chaining allows Cisco ISE to run both inner methods, for user and machine authentication, inside the same TEAP tunnel. This enables Cisco ISE to correlate the authentication results and apply the appropriate authorization policy, using the EAPChainingResult attribute.

Business Outcome: TEAP is a tunnel-based EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) protocol to establish a tunnel and encrypt further communications.

Endpoint Ownership Enhancement

The Endpoint Ownership information is now stored across all the Policy Service nodes (PSNs) with the help of the Light Session Directory (LSD).

Business Outcome: This avoids endpoint ownership flapping.

Feed Service Update

If you have customized your profiler conditions and do not want the profiler feed to replace those conditions, you can manually download OUI updates without downloading the policy updates.

Business Outcome: Improved profiler accuracy with less overhead.

Grace Access

You can grant self-registered guests who are waiting for sponsor approval for access to your corporate network between 5 and 30 minutes of internet access.

Business Outcome: The guest users can access the internet while waiting for approval.

Guest Password Recovery

You can now enable the Reset Password option in the Guest portal for self-registered guests. Self-registered guests with a valid guest account can use this option when they forget their password. When a guest clicks this option, the self-registration page is launched; the guest enters the phone number or email address used at registration and then enters a new password.

Business Outcome: Improves the customer experience and reduces calls to Customer Support team.

Interactive Help

The Interactive Help provides tips and step-by-step guidance to complete tasks with ease.

Business Outcome: This helps end users understand the workflow and complete their tasks easily.

Phone Number as the Guest User Identifier

In addition to email address or username, guest users can now use their phone numbers as their user ID for guest access.

Business Outcome: Guest users can now use their mobile numbers as their user ID. This makes it easier for them to remember their user ID.

Profiler Forwarder Persistence Queue

The Profiler Forwarder Persistence Queue stores incoming events before they are sent to the profiler module for further processing.

Business Outcome: This reduces the loss of events due to a sudden burst of events. This queue uses the ISE Messaging Service, and is enabled by default. It requires port 8671 to be open between all Cisco ISE nodes.

Role Based Access Policy

In the Cisco ISE admin portal, the Policy menu option under Administration > Admin Access > Authorization has been renamed to RBAC Policy. The RBAC Policy window is used to add and configure policies for administrator groups.

Secure SMTP

Guest email notifications can now be sent through a secure SMTP server.

Business Outcome: Improved security for Guest emails in your network.

Secure Unlock Client

The Secure Unlock Client mechanism is used to provide root shell access on Cisco ISE CLI for a certain period of time.

Business Outcome: The Secure Unlock client feature has been implemented using the Consent Token tool, which securely grants privileged access for Cisco products in a trusted manner.

TrustSec Enhancements

The HTTPS REST API replaces the existing RADIUS protocol to provide all the required TrustSec information to the network devices.

Business Outcome: Large configurations can be downloaded more efficiently and in a much shorter time than with the existing RADIUS protocol.

Known Limitations and Workarounds

LDAP Server Reconfiguration after Upgrade

When the Specify server for each ISE node option is enabled in the LDAP Connection window (Administration > Identity Management > External Identity Sources > LDAP > Add, or choose an existing server) and a Cisco ISE deployment with PSNs is then upgraded, the deployment IDs tend to reset. As a result, the primary hostname or IP address is not updated, which causes authentication failures.

Workaround: Reconfigure the LDAP server settings for each node. For more information, see the LDAP Identity Source Settings section in the Administrative Access to Cisco ISE Using an External Identity Store chapter in the "Cisco Identity Services Engine Administrator Guide, Release 2.4".

pxGrid Certificate Issue

If you are using the "Netscape Cert Type" for the pxGrid certificate, Cisco ISE may reject that certificate after applying patch 2. Older versions of that certificate specified SSL Server, which now fails, since a client certificate is required. Either use a different certificate, or add "SSL Client" to the existing certificate.
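Both the KeyUsage checks under Peer certificate restrictions above and this pxGrid "Netscape Cert Type" issue come down to reading a DER BIT STRING out of an X.509 extension. The following code is an added example, not Cisco's: it decodes those two extensions and applies the stated requirements. The sample extension values are constructed by hand for the test; a real certificate's values can be displayed with openssl x509 -text -noout or extracted with openssl asn1parse.

```python
"""DER BIT STRING checks for X.509 KeyUsage and Netscape Cert Type (added
example, not Cisco code). The extension values below are constructed by hand."""

# Bit names in the order X.509 and Netscape define them; bit 0 is the most
# significant bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")
NS_CERT_TYPE_BITS = ("client", "server", "email", "objsign", "reserved",
                     "sslCA", "emailCA", "objCA")

# Cipher suites the table above lists as needing KeyUsage=Key Encipherment on
# the client certificate.
KEY_ENCIPHERMENT_SUITES = frozenset({
    "AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256", "RC4-SHA", "RC4-MD5",
})


def decode_bit_string(der, names):
    """Return the set of named flags set in a DER-encoded BIT STRING.

    Layout: 0x03, length, unused-bits count, content bytes. Only short-form
    lengths are handled; both extensions fit in a handful of bytes.
    """
    if len(der) < 3 or der[0] != 0x03 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    return {names[i] for i in range(min(total_bits, len(names)))
            if body[i // 8] & (0x80 >> (i % 8))}


def key_usage(der):
    """Named KeyUsage flags present in the extension value."""
    return decode_bit_string(der, KEY_USAGE_BITS)


def ns_cert_type(der):
    """Named Netscape Cert Type flags present in the extension value."""
    return decode_bit_string(der, NS_CERT_TYPE_BITS)


def client_cert_ok_for(cipher, key_usage_der):
    """KeyUsage requirement for a client certificate under one of the listed suites.

    Suites the table does not list are outside what it states, so None is returned.
    """
    if cipher.upper() not in KEY_ENCIPHERMENT_SUITES:
        return None
    return "keyEncipherment" in key_usage(key_usage_der)


def pxgrid_cert_ok(ns_cert_type_der):
    """A pxGrid client certificate that carries nsCertType must include SSL Client."""
    return "client" in ns_cert_type(ns_cert_type_der)


# Constructed sample values (not taken from any real certificate):
KU_DIGSIG_KEYENC = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment, 5 unused bits
KU_KEYAGREEMENT = bytes.fromhex("03020308")    # keyAgreement only, 3 unused bits
NSCT_SERVER_ONLY = bytes.fromhex("03020640")   # SSL Server only: the case the note says now fails
NSCT_CLIENT_SRV = bytes.fromhex("030206c0")    # SSL Client + SSL Server

if __name__ == "__main__":
    print("KeyUsage:", sorted(key_usage(KU_DIGSIG_KEYENC)))
    print("AES128-SHA client cert OK:", client_cert_ok_for("AES128-SHA", KU_DIGSIG_KEYENC))
    print("old pxGrid cert OK:", pxgrid_cert_ok(NSCT_SERVER_ONLY))
    print("fixed pxGrid cert OK:", pxgrid_cert_ok(NSCT_CLIENT_SRV))
```

When reissuing the pxGrid certificate with OpenSSL, the line nsCertType = client, server in the extensions section produces the second sample value above; openssl asn1parse -in cert.pem -i shows the extension value as an OCTET STRING whose contents are exactly the BIT STRING bytes this code decodes.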

RADIUS EAP Authentication Performance when Using Default Self-Signed Certificate

In Cisco ISE 2.7, the default self-signed certificate key size is increased to 4096 bits for enhanced security. RADIUS EAP authentication performance might be affected if the default self-signed certificate is used for EAP authentication.

Some TLS Ciphers Cannot Be Disabled

The following ciphers cannot be disabled in Cisco ISE:


The Cisco ISE scenarios that could use these ciphers include:

  • Cisco ISE as an EAP or ERS server

  • Cisco ISE downloads Certificate Revocation List from an HTTPS or a secure LDAP server

  • Cisco ISE as a secure TCP syslog or LDAP client

The Cisco ISE components that could use these ciphers include: Admin UI, all portals, MDM client, pxGrid, and PassiveID Agent.

Security Group Access Control List

When you try to create a Security Group ACL (SGACL), sometimes the following error message is displayed:

Failed to create policy, CFS provision failed.

This is because creating and updating egress matrix cell flows are not supported for multiple matrixes in Cisco ISE. The following External RESTful Services (ERS) requests are also not supported in the Multiple Matrix mode:




You should, therefore, uncheck the Allow Multiple SGACL check box in the TrustSec Matrix Settings window (Work Centers > TrustSec > Settings > TrustSec Matrix Settings). You can then create an SGACL, and no error message is displayed.

Valid User-Agent Header

From Cisco ISE Release 2.7, Cisco ISE requires a valid User-Agent header in every web request to a Cisco ISE end-user facing portal, such as a Cisco ISE sponsor portal, for the request to receive a successful or redirect response.

Response Status Lines

From Cisco ISE Release 2.7, Cisco ISE web services and portals return response status lines containing only the HTTP versions and the status codes, but not the corresponding reason phrases.
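The following client is an added example, not Cisco's code. It shows what the two notes above require of anything that scripts against a Cisco ISE portal: a User-Agent header on every request, and a status-line parser that does not assume a reason phrase is present. The host, port, path and CA file are assumptions; the status lines and headers used in the test are constructed.

```python
"""Minimal HTTPS client for a Cisco ISE end-user portal (added example, not Cisco
code). It always sends a User-Agent header and parses a status line that may
lack the reason phrase, as the two notes above describe. Host, port, path and
CA file are assumptions."""
import socket
import ssl


def parse_status_line(line):
    """Parse "HTTP/1.1 302 Found", "HTTP/1.1 302 " or "HTTP/1.1 302".

    Returns (http_version, status_code, reason_phrase); the phrase is "" when absent.
    """
    parts = line.rstrip("\r\n").split(" ", 2)
    if (len(parts) < 2 or not parts[0].startswith("HTTP/")
            or len(parts[1]) != 3 or not parts[1].isdigit()):
        raise ValueError(f"malformed status line: {line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason


def build_request(host, path, user_agent):
    """GET request that always carries a non-empty User-Agent header."""
    if not user_agent or not user_agent.strip():
        raise ValueError("ISE portals reject requests without a User-Agent header")
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"User-Agent: {user_agent}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_response_head(head):
    """Split a header block into (version, code, reason, {lowercased-name: value})."""
    status, *header_lines = head.split("\r\n")
    headers = {}
    for h in header_lines:
        if ":" in h:
            name, value = h.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    version, code, reason = parse_status_line(status)
    return version, code, reason, headers


def fetch_head(host, port, path, user_agent="ise-portal-check/1.0", cafile=None, timeout=5.0):
    """Send the request over TLS and return the parsed response head."""
    ctx = ssl.create_default_context(cafile=cafile)   # CA that signed the portal certificate
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_request(host, path, user_agent))
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
    head = buf.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    return parse_response_head(head)


if __name__ == "__main__":
    # Assumed sponsor-portal host, port and path.
    version, code, reason, headers = fetch_head("ise.example.com", 8443, "/sponsorportal/")
    print(version, code, repr(reason), headers.get("location"))
```

A client that matches the status line with a pattern such as HTTP/1.1 302 Found, or that splits it into exactly three fields, breaks against these portals; splitting on at most two spaces and treating the third field as optional, as parse_status_line does, handles both forms.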

Upgrade Information


If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.

Upgrading to Release 2.7

You can directly upgrade to Release 2.7 from the following Cisco ISE releases:

  • 2.2

  • 2.3

  • 2.4

  • 2.6

If you are on a version earlier than Cisco ISE, Release 2.2, you must first upgrade to one of the releases listed above and then upgrade to Release 2.7.


We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.

Cisco ISE, Release 2.7, has parity with the following Cisco ISE patch releases: 2.2 Patch 15, 2.3 Patch 7, 2.4 Patch 10, and 2.6 Patch 2.

License Changes

Device Administration Licenses

There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.

The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.

Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0, and is enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are completely enforced on a per-node basis.

Cluster licenses have been discontinued, and now only node licenses are available for sale.

However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.

The evaluation license allows device administration on one policy service node.

Licenses for Virtual Machine nodes

Cisco ISE is also sold as a virtual machine (VM). For this release, we recommend that you install appropriate VM licenses for the VM nodes in your deployment. Install the VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, you will receive warnings and notifications to procure and install the VM license keys; however, the installation process will not be interrupted. From Cisco ISE, Release 2.4, you can manage your VM licenses from the GUI.

VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with eight cores and 64-GB RAM, you might need a Medium category VM license if you want to replicate the same capabilities on the VM. You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.

VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features that are enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.

VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification pop-up window.

If you have not purchased an ISE VM license earlier, see the Cisco Identity Services Engine Ordering Guide to choose the appropriate VM license to be purchased.


If you have purchased ISE VM licenses without a PAK, you can request VM PAKs by email. Include the Sales Order numbers that reflect the ISE VM purchase, and your Cisco ID, in your email. You will be provided a medium VM license key for each ISE VM purchase you have made.

For details about VM compatibility with your Cisco ISE version, see "Hardware and Virtual Appliance Requirements" chapter in the Cisco Identity Services Engine Installation Guide for the applicable release.

For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before an ISE software upgrade in order to check if the configured data can be upgraded to the required ISE version. Most upgrade failures occur because of data upgrade issues. The URT is designed to validate the data before the actual upgrade, and reports and tries to fix the issues, wherever possible. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.


After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Through this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data is used to provide better services and more features in forthcoming releases. By default, telemetry is enabled. To disable it or modify the account information, choose Administration > System > Settings > Network Success Diagnostics > Telemetry. The account is unique to each deployment; each admin user need not provide it separately.

Telemetry provides valuable information about the status and capabilities of Cisco ISE. Telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco ISE. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory report of license entitlement and upcoming renewals.

It may take up to 24 hours after the feature is disabled for Cisco ISE to stop sharing telemetry data. Starting with patch 1, telemetry is disabled immediately.

Types of data collected include Product Usage Telemetry and Cisco Support Diagnostics.

Cisco Support Diagnostics

The Cisco Support Diagnostics Connector is a new feature that helps Cisco Technical Assistance Center (TAC) and Cisco support engineers to obtain support information on the deployment through the primary administration node. By default, this feature is disabled. See the Cisco Identity Services Engine Administrator Guide for instructions on how to enable this feature.

Cisco ISE Live Update Portals

Cisco ISE Live Update portals help you automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly to the corresponding device through Cisco ISE.

If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. Choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

Client Provisioning and Posture Live Update Portals

You can download Client Provisioning resources from:

Work Centers > Posture > Settings > Software Updates > Client Provisioning.

The following software elements are available at this URL:

  • Supplicant Provisioning wizards for Windows and Mac OS X native supplicants

  • Windows versions of the latest Cisco ISE persistent and temporal agents

  • Mac OS X versions of the latest Cisco ISE persistent agents

  • ActiveX and Java Applet installer helpers

  • AV/AS compliance module files

For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.

You can download Posture updates from:

Work Centers > Posture > Settings > Software Updates > Posture Updates

The following software elements are available at this URL:

  • Cisco-predefined checks and rules

  • Windows and Mac OS X AV/AS support charts

  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.

If you do not want to enable the automatic download capabilities, you can choose to download updates offline.

Cisco ISE Offline Updates

This offline update option allows you to download client provisioning and posture updates when direct internet access from a device using Cisco ISE is not available or is not permitted by a security policy.

To download offline client provisioning resources:


Step 1

Go to:

Step 2

Provide your login credentials.

Step 3

Navigate to the Cisco Identity Services Engine download window, and select the release.

The following Offline Installation Packages are available for download:

  • win_spw-<version>—Offline SPW Installation Package for Windows

  • mac-spw-<version>.zip—Offline SPW Installation Package for Mac OS X

  • compliancemodule-<version>—Offline Compliance Module Installation Package

  • macagent-<version>—Offline Mac Agent Installation Package

  • webagent-<version>—Offline Web Agent Installation Package

Step 4

Click either Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.

For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.

To download offline posture updates:


Step 1

Go to

Step 2

Save the file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.

Step 3

Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 4

Click the arrow to view the settings for posture.

Step 5

Click Updates.

The Posture Updates window is displayed.
Step 6

Click the Offline option.

Step 7

Click Browse to locate the archive file in the local folder on your system.

The File to Update field is a mandatory field. You can select only one archive file (.zip) containing the appropriate files. Archive files other than .zip, such as .tar, and .gz are not supported.
Step 8

Click Update Now.

Cisco ISE Integration with Cisco Digital Network Architecture Center

Download and Install a New Patch

To obtain the patch file that is necessary to apply a patch to Cisco ISE, log in to the Cisco Download Software site (you will be required to provide your login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

For instructions on how to apply the patch to your system, see the "Install a Software Patch" section in the Cisco Identity Services Engine Administrator Guide.

For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.


When installing Release 2.4 Patch 4 and later, CLI services will be temporarily unavailable during kernel upgrade. If the CLI is accessed during this time, the CLI displays the Stub Library could not be opened error message. However, after patch installation is complete, CLI services will be available again.


The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST). The bug IDs are sorted alphanumerically.


The Open Caveats section lists the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 2.7. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.

The BST, which is the online successor to the Bug Toolkit, is designed to improve effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at

New Features in Cisco ISE Release - Cumulative Patch 3

Health Check

An on-demand health check option is introduced to diagnose all the nodes in your deployment. Running a health check on all the nodes prior to any operation helps identify critical issues, if any, that may cause downtime or blockers. Health Check provides the working status of all the dependent components. When a component fails, it immediately provides troubleshooting recommendations to resolve the issue so that the operation can proceed.

Ensure that you run Health Check before initiating the upgrade process.

Business Outcome: Identify critical issues to avoid downtime or blockers.

DNS Cache

The DNS requests for hosts can be cached, thereby reducing the load on the DNS server.

This feature can be enabled in the configuration mode using the following command:

service cache enable hosts ttl ttl

To disable this feature, use the no form of this command.

no service cache enable hosts ttl ttl

The admin can choose the Time to Live (TTL) value, in seconds, for a host in the cache while enabling the cache. There is no default setting for ttl. The valid range is from 1 to 2147483647.


The configured TTL value is honored for negative responses. For positive responses, the TTL value set by the DNS server is honored; if no TTL is defined on the DNS server, the TTL configured with this command is honored. The cache can be invalidated by disabling the feature.

Business Outcome: Load on DNS Server is reduced.

Configure TCP Parameters

To configure the TCP parameters, use the Configure TCP params option (option 25) in the application configure command. Make sure you are in the Admin CLI.

For the changes to take effect, reload the Cisco ISE server with the Admin CLI reload command after modifying any of the parameters.


To configure the TCP parameters, use option 25.

ise/admin#application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]Configure TCP params

This CLI allows admins to modify the TCP parameters recycle/reuse/fin_timeout
For the changes to take effect, RELOAD ISE server on modifying any of the parameter using the admin cli 'reload'. Until reload is done, the changes will not be persisted.
Select the option to configure/display tcp params.
                        1. tcp recycle
                        2. tcp reuse
                        3. tcp fin_timeout
                        4. display tcp param values
                        0. Exit
                        [1/2/3/4/0]: 1
Enable/Disable tcp recycle parameter? [e/d]: e
param recycle is already enabled..
Select the option to configure/display tcp params.
                        1. tcp recycle
                        2. tcp reuse
                        3. tcp fin_timeout
                        4. display tcp param values
                        0. Exit
                        [1/2/3/4/0]: 2
Enable/Disable tcp reuse parameter? [e/d]: e
param reuse is already enabled..
Select the option to configure/display tcp params.
                        1. tcp recycle
                        2. tcp reuse
                        3. tcp fin_timeout
                        4. display tcp param values
                        0. Exit
                        [1/2/3/4/0]: 3
Set tcp fin_timeout (60 default) <0-180> : 60
updated timeout param..
Select the option to configure/display tcp params.
                        1. tcp recycle
                        2. tcp reuse
                        3. tcp fin_timeout
                        4. display tcp param values
                        0. Exit
                        [1/2/3/4/0]: 4
Current values of the tcp parameters: 
Recycle = ENABLED
Fin_timeout = 60
Select the option to configure/display tcp params.
                        1. tcp recycle
                        2. tcp reuse
                        3. tcp fin_timeout
                        4. display tcp param values
                        0. Exit


The tcp recycle and tcp reuse parameters are disabled by default. tcp fin_timeout is set to 60 seconds by default. The valid range for tcp fin_timeout is from 0 to 180 seconds. You can set this attribute to a lower value to enhance TACACS+ performance.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 3

The following table lists the resolved caveats in Release 2.7 cumulative patch 3.

Patch 3 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



ERS update/create for Authorization Profile failing XML schema validation


Active session is not deleted when nas-update=true accounting attribute is included


Status of pxGrid services should be shown as active/standby instead of running/disabled


Unable to configure grace period for more than one day due to posture lease


GNU gettext default_add_message Double-Free Vulnerability


SNMPv3 user added with wrong hash after reload causing SNMPv3 authentication failure


Incorrect DNS configuration can lead to TACACS+ or Radius authentication failure


"Health status unavailable" false alarm seen


Import NAD is failing with unsupported error when shared secret key has special character (8o\v|)


Info-ZIP UnZip File Overlapping Denial of Service Vulnerability CVSS v3.0 Base 7.5


EgressMatrixCell allows duplicate creation through ERS call


ISE 2.4 p5 crashes continuously around midnight, generating core files


Error message to be corrected in Trusted Certificate window


ISE 2.2 and above affected with memory leak. Everyday 1-2% increase in native memory by PORT_Alloc_Util()


Multiple Vulnerabilities in libcurl


Multiple Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities


File Remediation check is failing in ISE 2.7


"AD-Operating-System" attribute is not being fetched when this OS attribute is changed on the AD Server


Authorization conditions with AD groups not matched for TEAP EAP Chaining


runtime-aaa debugs do not print packet details in ascii


Not able to create whitelist policy via ERS API


SMS over HTTPS is not sending username/password to gateway


ISE BYOD with Apple CNA fails with 9800


ISE2.7 server runs out of processes after some MnT operation


Application Server takes more time to initialize


Error is thrown when Enter is used while creating profile description


MnT REST API for ReAuth fails when used in distributed deployment


ISE server-side authorization checks insufficient


CPU spikes are being observed at policy HitCountCollector


Rotation of diagnostics.log is not working


ISE PxGrid web clients couldn't list more than 25 subscribers


Sponsor portal display ? for non-English characters


Session cache getting filled with incomplete sessions


ISE does not reattempt wildcard replication for failed nodes


ISE RADIUS Accounting Report shows "No data found" under Accounting Details


Smart Licensing Compliance status "Released Entitlement" needs explanation


TacacsConnectionManager needs to be enhanced to remove the stale connections


Suspected memory leak in io.netty.buffer.PoolChunk


Guest email not sent after changing SMTP server


Mention in documentation that AAA server in TrustSec Work Center > Components > TrustSec AAA Servers page refers to RADIUS nodes


Config backup from CLI fails with error


Sponsor group membership is removed while adding/removing AD group


TC-NAC adapter stopped scanning with nexpose


During sponsor portal configuration, support information is not properly displayed in the flowchart


Portal background displays incorrectly


ISE is returning an incorrect version for the rest API call from DNAC


Import option is not working under TACACS command sets


ISE logging timestamp shows future date


ISE 2.6 patch 6 services fail to initialize after reload on SNS 3655 PSN


ERS SGT create is not permitted after moving from Multiple matrix to Single matrix


CIAM: ksh


ISE 2.4 patch 11 VPN + Posture: Apex Licenses are not being consumed


NDG added through ERS became associated with all network devices in database


When running ISE ERS API for internal user update, existing identity groups value is set to null


License out of compliance alarm displayed even for valid license


REST API MnT query to get device by MAC address takes more than 2 seconds


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


Free space on Undo tablespace not cleared as per cron script


Report repository export is not working with dedicated MnT node


CIAM: procps 3.3.10


CIAM: python (version 2.7.5, 2.7.14, and 3.7.1)


Clicking on Details of an Unknown NAD Alarm shows an error


CIAM: vim 7.4.160


Session API for MAC Address returning "Char 0x0 out of allowed range" error


GBAC sync breaks on deleting VN from SG if authorization profile is mapped to the same VN for different SG


Compress messages.x files in the system


Drop_Cache required for systems with High Memory Issues


ISE ERS API DELETE device returns 500 error with more than 1 call


Suspected memory leak in Elastic search


ISE Authorize-Only requests are not assessed against Internal User Groups


REST API call can remove Network Device Group referenced in Policy Set


Minimum character requirement for RADIUS secret is not checked when REST API is used to create NAD


Improve error messaging on My Device Portal while showing identity store issues


ERS REST API returns duplicate values multiple times when filter by location option is used


Update "master guest report" to "primary guest report" everywhere in the ISE GUI


Session database columns are missing


ISE creates new site in insiteVM (tc-nac server)


Context Visibility fuses endpoint parameters on username update


ERS API response for XML or JSON request with invalid credentials is HTTP 401 with unexpected HTML body


Alarm Suppression required for ERS queries along with suppression on iselocalstore.log


Alarms and system summary is not showing up on ISE GUI


Authentication failure with error "12308 Client sent Result TLV indicating failure"


LDAP and ODBC identity store names do not allow hyphen


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


When ACI is configured in ISE for SXP integration, authentication fails if a third-party certificate is used


Guest password policy settings cannot be saved when set to ranges for alphabets or numbers


ISE allows duplicates device ID in ERS flow in all versions


CLDAP thread is hung and running infinite


ISE Radius Live Sessions page showing No Data Found


ISE 2.6 patch 7 not doing lookup for all mac addresses in mac list causing redirectless Posture to fail


ISE Authentication Status API call duration does not work as expected


ISE should either allow IP only for syslog targets or provide DNS caching


Guest authentication fails with "Account is not yet active" for incorrect password


Application server going to Initializing state on enabling endpoint debugs


Overlap of network devices using subnet and IP range


Application server crashes while transitioning into stopping state


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


Endpoint data not visible on secondary Admin node


Unable to connect with an ODBC identity source


Log Collection Error alarms appear repeatedly in ISE dashboard


Unable to restore backup of ISE 2.4 patch 12


Cisco Identity Services Engine Privilege Escalation Vulnerability


SYSAUX tablespace full despite fix for CSCvr96003


Unable to register IND with ISE on 2.4 patch 13


Session cache for dropped session not getting cleared, thereby causing high CPU usage on PSNs


Authorization profile not saved with proper attributes


ISE TCP ports 84xx not opened if there is shutdown interface with IP address assigned


Invalid objects in Database


ISE Authentication Status API Call does not return all records for the specified time range


Modify TCP settings to enhance TACACS+ and TCP on ISE


Policy Export without encryption key is not working properly after using the Export with Encryption Key option


While renewing ISE certificate for HTTPS, EAP, DTLS, and PORTAL, only PORTAL and Admin roles gets applied


BYOD Flow is broken in iOS 14 beta


Discovery host description text is misleading


Livelog sessions show incomplete authorization policy for VPN Posture scenario


Cannot start CSV export for selected user in internal ID Store


Radius passed-auth live logs not sent due to invalid IPv6 address


Manual NMAP not working when only custom ports are enabled


Unable to create posture condition for LANDESK


Remove ojdbc8 jar from ISE 2.6 and 2.7 patch branch


PSK cisco-av-pair throws an error if the key contains < or > symbol


MAC 11.x and its minor version support for ISE is not available


Evaluation of ISE for Apache Struts Aug20 vulnerabilities


Internal CA certificate not getting deleted when node is removed from deployment


Device admin service is getting disabled while updating Tacacs config


TrustSec enabled NADs not shown in TrustSec matrices when NDG column exceeds 255 characters


Mapped SGT entry cleared from Authorization Rules if SG name is modified in Cisco DNA Center


Health check doesn't work when ISE has NIC teaming enabled


8084/TCP EST service allowing weak and non-FIPS compliant ciphers


Heap Dump generation fails post reset-config of ISE node


Can't get the download link of NetworkSetupAssistant.exe using Aruba dynamic URL redirect


ISE Hotspot guest portal flow broken


When RADIUS Shared Secret is missing for ISE_EST_Local_Host, ISE application server goes to intializing state


Export of current active session reports only shows sessions that has been updated since midnight


Context Visibility CVS exported from CLI not showing IP addresses


ISE 2.6/2.7 repositories get deleted post ISE node reload


Suspended Guest User is not automatically removed from Endpoint Group


Saving command with parenthesis in TACACS command set gives an error


Group lookup failed as empty value is appended to the context


Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.7 patch 2


ISE RADIUS Live Log details missing AD-Group-Names under Other Attributes section


ISE SXP should have a mechanism to clear stale mappings learned from session


Need the ability to use a forward slash in the IP data type of internal user custom attribute


Proxy bypass settings does not allow upper case characters


Custom Attribute from Culinda not showing in endpoint GUI page


Network Device API call throws error 500 if you query an non-existent network device


Case sensitivity on User Identity Groups causes "Select Sponsor Group Members" Window to not load


Radius Server Sequence page showing "no data available"


Posture Assessment by Condition report displays No Data with Condition Status filter


Security Group values in Authorization Profile disappear shortly after fetching


Cannot modify AUP text


No password audit will be generated after changing ISE internal user password via Switch/Router CLI


ISE 3.0 DNS resolvability false alarm


Unable to retrieve LDAP Groups/Subject Attributes when % character is used twice or more in bind password.


Bias-free text/code in upgrade and database


ISE Posture auto-update not running


Network Device IP filter does not match IPs that are inside Subnets


Smart Licensing Entitlement tab gets stuck at "Refreshing" if there is connection failure


ISE 2.6 scheduled reports are not working when primary MnT node is down


ISE Collection filters not displayed in GUI


The following error message is displayed while trying to create SGT with the name "Employees": NetworkAuthZProfile with entered name exists


Unable to sync GBAC configuration between DNAC and ISE


Unable to load Context Visibility page for custom view in ISE 2.7p2


ISE Config Restore fails at 40% with error "DB Restore using IMPDP failed"


ISE GUI Login page shows the following error with Chrome 85/86: Oops. Something went wrong


Posture does not work with dynamic redirection on third party NADs


Upgrade license check should check ISE database for smart license registration


Offline/Online Feed would fail when Timezone on ISE is set to America/Santiago


Correct AD is not shown while editing external data source posture condition


NAD location is not updated in Context Visibility ElasticSearch


Authorization Profiles show "No data available" when the NAD profile is deleted


Endpoints not purged due to an exception


ISE TACACS logging timestamp shows future date


NADs shared secrets are visible in the logs while using APIs


ISE Service Account Locked and WMI not established when special characters are used in the password


Sophos 10.x definition missing from Anti-malware condition for MAC OSX


Authorization policy is not displayed properly if it has 50 rules or more in Japanese GUI


SCH connection attempted even if smart licensing is not enabled


Affected third-party software component has to be upgraded to a version that includes fixes for the vulnerability

Known Limitations in Cisco ISE 2.7 Patch 3

Change in SNMP User Password Format and SNMP Hash Minimum Length

After applying Cisco ISE 2.7 Patch 3, the SNMP user configuration might be removed because of the change in the SNMP user password format. SNMP user passwords are now displayed in hash format. You must reconfigure the SNMP user settings.

An SNMP hash shorter than 80 characters will not work, and you will see the following error:

snmp-server user FT10 v3 hash fe7c35f09ff1238e369968a0be273f22 fe7c35f09ff1238e369968a0be273f22
          % Error: Decryption Failed. Could not add SNMP User 

New Features in Cisco ISE Release - Cumulative Patch 2

User Defined Network

User Defined Network is a Cisco DNA Center solution. User Defined Network is supported in Cisco ISE Release 2.7 Patch 2 through a hotfix. User Defined Network allows end users to create private networks, or User Defined Network rooms, and group their personal devices.

For example, a student in a university dorm that has User Defined Network enabled in its network can register their devices and add them to a personal User Defined Network room.

User Defined Network end users will be able to invite other users to temporarily bring their devices into their User Defined Network room, and vice versa.

To enable User Defined Network, Cisco ISE must be added to the on-premise Cisco DNA Center account.

Validate the integration of Cisco ISE with Cisco DNA Center from your Cisco ISE administrator portal. Choose Administration > pxGrid Services > All Clients, or Administration > pxGrid Services > Client Management > Clients. Cisco DNA Center should appear in the list of pxGrid clients.

When the User Defined Network solution is enabled, the Cisco DNA Center Cloud automatically sends to Cisco ISE the configuration information of all the User Defined Network-registered devices on the network. This includes information on the User Defined Network room that each device currently resides in.

Cisco ISE then shares this information with the Cisco Wireless LAN Controllers (WLC) that are configured to be part of the User Defined Network solution. This sharing is accomplished as part of the normal RADIUS protocol exchanges between Cisco ISE and the connected Cisco WLCs.

For profiling and logging changes in Cisco ISE due to User Defined Network, see the Cisco ISE Administrator Guide for your release. See Chapter "Segmentation" for the related profiling changes, and Chapter "Troubleshooting" for the related logging changes.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 2

The following table lists the resolved caveats in Release 2.7 cumulative patch 2.

Patch 2 might not work with older versions of SPW. MAC users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



ISE not returning configured Radius AVP 18 in access-reject


ISE RBAC Network Device Type/Location View not working


No AD domain attributes retrieved for RA-VPN/CWA if AD used for both authC and authZ


ENH // Smart License registration using HTTPS Proxy fails


Posture session state need to be shared across PSNs in multi-node deployment


CSCvi62805 ISE ODBC does not convert the mac address as per configured stored procedure


ISE sends CoA to active-compliant sessions when a node-group member is unreachable


ISC BIND krb5-subdomain and ms-subdomain Update Policies Vulnerability


ISE Crashes during policy evaluation for AD attributes


tcpdump print_prefix Function Stack-Based Buffer Overread Vulnerability


Error occurred in publishing threat events - AMP adapters


EAP-TLS authentications with Endpoint profile set to not unknown fails in second authorization.


AnyConnect displays Cisco NAC agent error when using Cisco temporal agent


libssh2 SSH_MSG_CHANNEL_REQUEST Packet Handling Out-of-Bounds Read V ...


ISE Secondary PAN node sending RST to other ISE node with src ip address


Filter by specific Network Device IP address on TACACS Live Logs


Significant memory increase in MNT during Longevity test


ISE PSN node crashing while fetching context attributes during posture plus RADIUS flow


Disabled PSN persona but TACACS port 49 still open.


Replication failed alarm generated and ORA-00001 exceptions seen on ise-psc.log


My Device Portal does not show a device after BYOD on-boarding with SAML authentication


GNU patch OS Shell Command Injection Vulnerability


Multiple Vulnerabilities in jquery - guest portals


EAP Chaining: Dynamic Attribute value is unavailable


Radius Authentication and Radius Account Report performance is slow


GNU patch do_ed_script OS Shell Command Execution Vulnerability


FasterXML jackson-databind Polymorphic Typing Vulnerability CVSS v3.1 Base: 9.8


Localdisk size needs to be increased to accommodate large corefiles


PxGrid ANC API support for Session-ID


2.4P10 Endpoint added via REST has visible policy assignment only in "edit" mode


ISE IP routing precedence issue


libmspack chmd_read_headers Function Denial of Service Vulnerability


Failing Network Devices CSV import, process silently aborting without reason


core file generated on PSN


ACI mappings are not published to SXP pxGrid topic


App server and EST services crash/restart at 1 every morning


Add the capability to filter out failed COA due to MAR cache checks among group nodes in ISE


Invalid root CA certificate accepted


Trustsec matrix pushing stale data


Highload on Mnt nodes with Xms value


SEC_ERROR_BAD_DATABASE seen in system/app debug logs while removing a trusted CA cert


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


ISE not updating SGT's correctly


AuthZ profile advanced profile for url-redirect does not allow custom HTTPS destination


Fail to import Internal CA and key on ISE2.6


NFS mounting causes crash


ISE 2.4: Administrator Login Report, Auth failed when using cert based admin auth


Creating a new user in the sponsor portal shows "invalid input"


collector log is dumped with pxgid and dnac messages


Tacacsprofile not retrieved properly using REST API


Authz Profiles not pulling properly using REST API (Pagination is missing)


Days duration is not getting updated in portal page customization for self registration portal


ISE: 2.4p9 Intermediate CA cert not installed when configuring SCEP RA


Unable to do portal customization for "certificate provisioning portal"


URT fails on a ConditionsData clause from INetworkAuthZCheck


Expired Certificates not listed for deletion


SXP Bindings are not published to pxGrid 2.0 clients


API is not retrieving the data when interim-updates are not stored DB


Having string 'TACACS' in AD join-point causes AD joinpoint to not show in AuthZ condition


ISE 2.4 Guest ERS Call Get-By-Name fails when guest username contains @ sign (


Multiple Vulnerabilities in patch


Multiple Vulnerabilities in sudo


ISE 2.6 Install: Input Validation- Check IP Domain Name


Vulnerability in unzip package - RHEL 7


ISE SNMP server crashes when using Hash Password.


Importing metadata xml file with special characters results in unsupported tags error


TACACS auth/acc reports are not visbile after restoring OP backup


.dmp files not deleted from /opt/oracle/base/admin/cpm10/dpdump even after the reset-config on ISE


X.Org libX11 Client Segmentation Fault Denial of Service Vulnerability


X.Org libX11 Off-by-One Memory Write Arbitrary Code Execution Vulnerabi


404 error upon refresh of success page of guest sponsored portal


NMAP - MCAFeeEPROOrchestratorClientscan fails to execute on 2.6 version of ISE


ISE expired tacacs session not cleared timely from session cache


Cert Revoke and CPP not functioning without APEX license.


Change "View" Options Wording in TrustSec Policy Matrix--ISE


POST getBackupRestoreStatus occures on every ISE page after navigating to Backup/Restore menu


No threshold option for High disk Utilization in Alarm Settings


Posture with tunnel group policy evaluation is eating away Java Mem


ISE shouldnt be allowing ANY in egress policy when imported


Time difference in ISE 2.6


[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for network devices


Exporting Endpoints from CLI results in java exception


IP SGT static mapping import not working correctly with hostnames


FasterXML jackson-databind xbean-reflect/JNDI Blocking Vulnerability


pxGrid 2.0 WebSocket distributed upstream connect issue


pxGrid 2.0 WebSocket ping pong too slow even on idled standalone


ISE doesn't display all device admin authz rules when there are more authz policies and exceptions


Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.6


TCPDump - Node and Interface field Unavailable


Radius Errors/Misconfigured supplicants tables do not exist after upgrade to ISE2.6


High Load Alarms coinciding with System Summary Dashboard not populating for some nodes


When accessing the portal with iPad using Apple CNA and AUP as a link we get 400 Bad Request error.


Publishing batch logic in Pxgrid when we use WMI and REST at the same time


ISE shouldn't allow ANY SGT or value 65535 to be exposed over SGT import or export


ISE ERS API Endpoint update slow when large number of endpoints exist


Cannot add/modify allowed values more than 6 attributes to System Use dictionaries


ISE2.7 compliance counter is 0


ISE 2.7 Anyconnect configuration's deferred updates do not get saved


Two rows created in upscsnconfig table in a upgraded setup


EP lookup takes more time causing high latency for guest flow


Identity group updates for an internal user in ISE


ISE 2.6 MDM flow fails if redirect value is present in the URL


[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for /ers/config/internaluser


ISE: If min pwd length is increased then exisiting shorter pwd fails to login via GUI with no error


MNT node election process is not properly designed.


Unavailability to modify compound conditions when these are already created.


Syslog Target configured with FQDN can cause Network Outage


App-server crashes if IP-access submitted w/o any entries


Intermittent password rule error for REST API Update Operation


ISE ERS API - GET call on Network Device is slow while processing SNMP configuration


ISE still generates false positive alarm "Alarms: Patch Failure"


ISE 2.6 Redundant "Application patch install has completed successfully" Alarm


Application server may crash when MAR cache replication is enabled


pxGrid unable to delete user in INIT state


Alarm Dashlet shows 'No Data Found'.


ISE 2.7 Certificate Authority Service disabled after patch 1 installation


Mismatched Information between CLI export and Context Visibility


Cannot select every individual product when creating Anti-Malware Condition for definition


No debug log for non working MNT widgets


ISE DACL Syntax check not detecting IPv4 format errors


ise-psc.log filled up with "check TTConnection is valid" causing relevant logs to roll over


ISE 2.6 : Create Guest User using external sponsor users via ERS fails with 401 Unauthorized Error


upn.log not available for upload in ISE UI


ISE is not allowing to disable Radius in NAD via API


PUT verb for /ers/config/internaluser/name/{username}makes id&password&name mandatory in req content


portal page customisation changes are not reflecting in certificate provisioning portal


High cpu on ISE 2.7 causing authentication latency


ISE - Rollback stuck indefinitely attempting to rollback from Patch 12


Machine Authentications via EAP-TLS fail during authorization flow citing a user not found error


Service account passwords returned from server in SMS and LDAP page

New Features in Cisco ISE Release - Cumulative Patch 1

Multi-DNAC Support

A single Cisco DNA Center system scales to between 25 thousand and 100 thousand endpoints, whereas Cisco ISE can scale to two million endpoints. Previously, you could integrate only one Cisco DNA Center system with one Cisco ISE system. Large Cisco ISE deployments benefit from integrating multiple Cisco DNA Center clusters with a single Cisco ISE. Cisco now supports multiple Cisco DNA Center clusters per Cisco ISE deployment, also known as Multi-DNAC.

Business Outcome: This feature for the Access Control app in Cisco DNA Center allows you to integrate up to four Cisco DNA Center clusters with a single Cisco ISE system.

Cisco AI Endpoint Analytics Support

Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep packet inspection, and probes from sources like Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.

Cisco AI Endpoint Analytics also uses artificial intelligence and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE deployment is connected to an on-premises Cisco DNA Center.

These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.

Resolved Caveats in Cisco ISE Release - Cumulative Patch 1

The following table lists the resolved caveats in Release 2.7 cumulative patch 1.

Patch 1 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard or later, and Windows users must upgrade their SPW to WinSPWizard or later.

Caveat ID Number



CoA REST API is not working for ASA VPN Sessions


MNT API does not support special characters


Live sessions show incorrect Authorization profile and Authorization Policy for VPN+Posture scenario


Multiple Vulnerabilities in procps-ng


Not able to delete certificate after hostname change


ISE 2.4 URT does not check if the node is on a supported appliance


To enable CLI clock timezone command


Memory leak on ISE node with the openldap rpm running version 2.4.44


EAP-GTC Machine Authentication Failure Password Mismatch due to failing the UTF-8 Validation Checks


ISE 2.4 High CPU utilization on Secondary Admin Node


RADIUS session detail reports are broken if calling-station-id contains CLIENTVPN


ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions


Renew ISE OCSP Responder Certificates not showing data under report - Change-Configuration-Audit


Automatic email to "Notify Known Guests" using the text to "Notify Imported Guests (Desktop only)"


Evaluation of ISE for CVE-2018-20685


Login page AUP as link does not work with iOS CNA browser


ISE : "MDM: Failed to connect to MDM server" log entry needs to have endpoint information


ISE ERS SDK NetworkDeviceGroup DELETE does not specify ID location


After changing password via UCP, "User change password audit" report doesn't have "Identity"


Unable to get all tenable adapter repositories


Blank Course of Action for Threat events received from CTA cloud to TC-NAC adapter


ISE not using the device-public-mac attribute in endpoint database


EAP-FAST authentication fails with "no shared cipher" when private key encryption fails


Export fails in the ISE GUI when private key encryption fails, and no error message is shown in the ISE GUI


Day 0: iPadOS 13.1 BYOD flow fails


pxGrid Arab Bank defensive code change


Unexpected COAs may be observed with SCCM MDM


ISE 2.4: The entire FQDN is not matched, only a fragment of characters


DHCP messages are marking endpoints active increasing the active endpoint count


Typo in Max Sessions Page on Counter time limit tab


ISE 2.4 p9 Session directory write failed : String index out of range: -1


Unable to delete SCEP profile because it is referencing system certificates


ISE sponsor's e-mail gets CC'd even when view/print guests' passwords is disabled


"No policy server detect" on ISE posture module during high load


Called-Station-ID missing in RADIUS Authentication detail report


SCCMException in SCCM flow, ISE updates the MDMServerReachable value as false in the MDMServersCache


Definition date for some AM products such as McAfee and Symantec is listed as false


ISE: prefers cached AD OU over new OU after changing the Account OU


tzdata needs to be updated in ISE guest OS


ISE 2.2 patch 14 AD status shows up as "updating.." indicating the process is hung


ISE: LDAP bind test does not use the correct server when defined per node


ISE App crash due to user API


Valid Base and Plus licenses show out of compliance


LiveLogs show wrong username for '5436 NOTICE RADIUS: RADIUS packet already in the process' messages


Async Http Client Improper Input Validation Vulnerability


ISE fails to re-establish External syslog connection after break in connectivity


SYSAUX tablespace is getting filled up with AWR and OPSSTAT data


Profiling CoA for IP based Profile Policy isn't sent


ISE Messaging service triggers Queue Link error alarms with the reason basic_cancel


API calls show different results than the GUI


Max Session Counter time limit option is not working


ISE doesn't display the correct user in RADIUS reports if the user was entered differently twice


ISE : TACACS : PSN crashes for TACACS+


Set max time frame to 60 mins when EndPoint default interval disabled


ISE: Reset config on 2.4 patch 9 throws some errors despite finishing successfully.


ISE Guest creation API validation for Guest Users valid Days doesn't take time into account


PassiveID: Configuring WMI with an AD account password that contains a $ will result in an error.


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


Apple minibrowser - Reset password link is not working in Self registration guest login page


Apple minibrowser - Cancel button is not working in Guest Self registration page


Policy engine continues to evaluate all Policy Sets even after rule is matched


Improve behavior against brute force password attacks


ISE 2.6 and 2.7 - Cannot add the ' character in the dACL description field


ISE 2.6 should allow multiple blank lines in dACL syntax, whether the user chooses IPv4 or IPv6


ISE 2.x Network Device stuck loading


Unable to configure CRL URL with two parentheses in ISE 2.6


NAD group CSV imports should allow all supported characters in description field.


Missing the following properties for <sns3615>, <sns3655>, <sns3695>


Self Registered Guest portal unable to save guest type settings


Unable to edit static group assignment


The CRL is expired with specific condition


ISE 2.6 CA Certificate with the same CN removed from Trusted Store while integrating with DNA-C


Condition disappeared from the library but is still in DB


ISE allows inserting a space before a command under Command Sets


Backups are not triggering with special characters for encryption key


Multiple EPs profiled every second causing ISE nodes to go out of sync


Days to Expiry value, marked as 0 for random authentications


NAD CSV imports should allow all supported characters in the TrustSecDeviceID


ISE Admin User Unable To Change The Group For Internal Users


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


After importing network device / groups, unable to add new Location


ISE 2.2+ affected by a memory leak: 1-2% daily increase in native memory due to Inflater()


Errors when an SG created with an underscore (_) is sent from DNAC


ISE crashes due to empty string instead of username in RadiusProxyFlow::stripUserName()


ISE: Unable to use attribute "url-redirect" with HTTPS, same URL with HTTP works fine.


SMS not reaching guests when Country Code Attribute part of mobile number


Authentication goes to process fail when "Guest User" ID Store is used.


pxGrid 2.0 authorization profile attribute missing from the session directory

Open Caveats in Cisco ISE, Release 2.7

The following table lists the open caveats in Release 2.7:

Caveat ID Number



Renew ISE OCSP Responder Certificates CSR usage data not shown in Change Configuration Audit report


Device SGT troubleshooting provides wrong diagnostics


Node status is not displayed correctly in the System Summary dashlet


Issuance of Certificates fails for more than 10% of endpoints


Pop-up window that allows the admin to add comments to the approval request in the Network Device Deployment window is not properly displayed


RADIUS mappings are not published to SXP pxGrid topic


"show timezone" command doesn't show timezone on CLI


NET::ERR_CERT_REVOKED error seen in Chrome on macOS 10.15 when the validity of self-signed server certificate is set to 5 years


Max Session Counter time limit option is not working


While importing policy from CSV file, if there is policy download, partial updates observed

Communications, Services, and Additional Information

  • To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you are looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain information about general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.