Overview




Cisco ISE supports protocol standards like RADIUS, its associated RFC Standards, and TACACS+. For more information, see the ISE Community Resources.

Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior for standards-based authentication.

Cisco ISE interoperates fully with third-party TACACS+ client devices that adhere to the governing protocols. Support for TACACS+ functions depends on the device-specific implementation.

Validated Network Access Devices

RADIUS

Cisco ISE interoperates fully with third-party RADIUS devices that adhere to the standard protocols. Support for RADIUS functions depends on the device-specific implementation.

Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. We recommend that you validate all network devices and their software for hardware capabilities or bugs in a particular software release.

If the network device does not support both dynamic and static URL redirects, Cisco ISE provides an Auth VLAN configuration by which URL redirect is simulated. For more information, see "Third-Party Network Device Support in Cisco ISE" section in Chapter "Secure Wired Access" in the Cisco Identity Services Engine Administrator Guide.

TACACS+

Cisco ISE interoperates fully with third-party TACACS+ client devices that adhere to the governing protocols. Support for TACACS+ functions depends on the device-specific implementation.

For information on enabling specific functions of Cisco ISE on network switches, see the “Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions” chapter in Cisco Identity Services Engine Administrator Guide.

ISE Community Resource

Does ISE Support My Network Access Device?

For information about third-party NAD profiles, see ISE Third-Party NAD Profiles and Configs.

For information on how to configure TACACS+ for Nexus devices, see Cisco ISE Device Administration Prescriptive Deployment Guide.


Note

  • Some switch models and IOS versions may have reached the end-of-life date and interoperability may not be supported by Cisco TAC.

  • You must use the latest version of NetFlow for the Cisco ISE profiling service. If you use NetFlow Version 5, you can use it only on the primary NAD at the access layer.


For Wireless LAN Controllers, note the following:

  • MAC authentication bypass (MAB) supports MAC filtering with RADIUS lookup.

  • Support for session ID and COA with MAC filtering provides MAB-like functionality.

  • DNS-based ACL feature is supported for WLC 8.0 and above. Not all Access Points support DNS-based ACL. See the Cisco Access Points Release Notes for more details.

For information about the devices that are validated with Cisco ISE, see Network Device Capabilities Validated with Cisco Identity Services Engine.

The following notations are used to mark the device support:

  • ✓ : Fully supported

  • X : Not supported

  • ! : Limited support, some functionalities are not supported.

The following functionalities are supported by each feature:

Table 1. Features and Functionalities

Feature                 Functionality
AAA                     802.1X, MAB, VLAN Assignment, dACL
Profiling               RADIUS CoA and Profiling Probes
BYOD                    RADIUS CoA, URL Redirection and SessionID
Guest                   RADIUS CoA, Local Web Auth, URL Redirection and SessionID
Guest Originating URL   RADIUS CoA, Local Web Auth, URL Redirection and SessionID
Posture                 RADIUS CoA, URL Redirection and SessionID
MDM                     RADIUS CoA, URL Redirection and SessionID
TrustSec                SGT Classification
TACACS+                 AAA NAD Access

Table 2. Supported End-to-End Flows

Columns: Platforms | AAA 802.1X | AAA MAB | Profiling | BYOD | Guest | Guest Originating URL | Posture | MDM | TrustSec | TACACS+

Switching
Routing: x x x x x x
Wireless

Validated Cisco Network Access Devices

Table 3. Validated Cisco Network Access Devices

Columns: Cisco ISE 3.0 | Cisco ISE 2.7 | Cisco ISE 2.6/Patch 2 | Cisco ISE 2.4/Patch 5/Patch 10

Cisco Switches

  Cisco Catalyst 9000 series switch family, including Catalyst 9200, Catalyst 9300, Catalyst 9400, Catalyst 9500, Catalyst 9600
    Cisco ISE 3.0: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1
    Cisco ISE 2.7: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1
    Cisco ISE 2.6/Patch 2: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1, 16.9.1
    Cisco ISE 2.4/Patch 5/Patch 10: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1, 16.9.2, 16.6.2

  Catalyst 4500-X
    Cisco IOS 15.2(6)E | Cisco IOS 15.2(6)E | Cisco IOS 15.2(6)E | Cisco IOS 15.2(6)E

  Catalyst 4500 Supervisor 8-E
    Validated releases: Cisco IOS 3.11.0E ED, Cisco IOS 3.11.0E ED, Cisco IOS 3.11.0E ED, Cisco IOS 3.10.3E, Cisco IOS 3.10.3E, Cisco IOS XE 3.6.8E

  Catalyst 3560-G
    Validated releases: Cisco IOS 15.0(2)SE11, Cisco IOS 15.0(2)SE11, Cisco IOS 15.2(2)E6, Cisco IOS 12.2(55)SE11, Cisco IOS 12.2(55)SE11

  Catalyst 3560-X
    Cisco IOS 15.2.4E10 | Cisco IOS 15.2(4)E9 | Cisco IOS 15.2(2)E6 | Cisco IOS 15.2(2)E6

  Catalyst 3650, Catalyst 3650-X, Catalyst 3850
    Cisco IOS XE 16.12.1 | Cisco IOS XE 16.12.1 | Cisco IOS 16.6.2 ES | Cisco IOS 16.6.2 ES

  Catalyst 3750-G, Catalyst 3750-E
    Validated releases: Cisco IOS 15.0(2)SE11, Cisco IOS 15.0(2)SE11, Cisco IOS 12.2(55)SE11, Cisco IOS 12.2(55)SE10, Cisco IOS 15.0(2)SE11

  Catalyst 2960-S, Catalyst 2960-XR, Catalyst 2960-X
    Cisco IOS 15.0(2)SE11 | Cisco IOS 15.0(2)SE11 | Cisco IOS 15.0(2)SE11 | Cisco IOS 15.2.2E8

  Catalyst 1000
    Cisco IOS 15.2(7)E3 | Cisco IOS 15.2(7)E3 | Cisco IOS 15.2(7)E3 | Cisco IOS 15.2(7)E3

Cisco Wireless LAN Controllers

  Catalyst 9800-LC-eWC, Catalyst 9800-Fabric, Catalyst 9800-80, Catalyst 9800-40, Catalyst 9800-L
    Cisco ISE 3.0: Cisco IOS XE 17.4.1, 17.3.1
    Cisco ISE 2.7: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1
    Cisco ISE 2.6/Patch 2: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1
    Cisco ISE 2.4/Patch 5/Patch 10: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1

Cisco Mobility Express

  Access Point 9115, Access Point 9117, Access Point 9117AXI, Access Point 9120, Access Point 9130
    Cisco ISE 3.0: Cisco IOS XE 17.4.1, 17.3.1
    Cisco ISE 2.7: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1
    Cisco ISE 2.6/Patch 2: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1
    Cisco ISE 2.4/Patch 5/Patch 10: Cisco IOS XE 17.4.1, 17.3.1, 17.2.1, 17.1.1, 16.12.1

Cisco Routers

  C8300-1N1S-4T2X, C8300-1N1S-6T, C8300-2N2S-4T2X, C8300-2N2S-6T, C8500-12X, C8500-12X4QC, C8200-1N-4T, ISR1100-4G, C8500L-8S4G
    Cisco IOS XE 17.4.1 | Cisco IOS XE 17.4.1 | Cisco IOS XE 17.4.1 | Cisco IOS XE 17.4.1


Note

The last validated version for the following devices is Cisco ISE 2.7:

  • Catalyst 4500-X

  • Catalyst 4500 Supervisor 8-E

  • Catalyst 3560-G

  • Catalyst 3650

  • Catalyst 3850

  • Catalyst 2960-S

  • Catalyst 2960-XR


Validated Cisco Digital Network Architecture Center Release

Table 4. Validated Cisco Digital Network Architecture Center Release

Validated Cisco DNA Center Version   Validated Cisco ISE Release
1.2.12.0   Cisco ISE 2.7
1.3.0.0    Cisco ISE 2.7
1.3.0.6    Cisco ISE 3.0
1.3.1.0    Cisco ISE 2.4 patch 9, patch 11; Cisco ISE 2.6 patch 2; Cisco ISE 2.7
1.3.1.4    Cisco ISE 2.4 patch 12; Cisco ISE 2.6 patch 6; Cisco ISE 2.7 patch 2; Cisco ISE 3.0
1.3.2.0    Cisco ISE 2.4 patch 10, patch 11; Cisco ISE 2.7
1.3.3.0    Cisco ISE 2.7 patch 1; Cisco ISE 3.0
1.3.3.4    Cisco ISE 2.6 patch 6
1.3.3.5    Cisco ISE 2.4 patch 13; Cisco ISE 2.7 patch 2
2.1.1.0    Cisco ISE 2.4 patch 12; Cisco ISE 2.6 patch 6, patch 7; Cisco ISE 2.7 patch 1, patch 2; Cisco ISE 3.0
2.1.1.1    Cisco ISE 3.0
2.1.2.0    Cisco ISE 2.4 patch 12, patch 13; Cisco ISE 2.6 patch 6, patch 8; Cisco ISE 2.7 patch 1, patch 3; Cisco ISE 3.0
2.1.2.4    Cisco ISE 3.0 patch 1
2.1.2.5    Cisco ISE 3.0 patch 1, patch 2
2.1.2.6    Cisco ISE 2.4 patch 14; Cisco ISE 2.7 patch 4
2.2.1.0    Cisco ISE 2.4 patch 13, patch 14; Cisco ISE 2.6 patch 7, patch 8, patch 9; Cisco ISE 2.7 patch 2; Cisco ISE 3.0 patch 1, patch 3
2.2.2.0    Cisco ISE 2.4 patch 14; Cisco ISE 2.6 patch 8, patch 9; Cisco ISE 2.7 patch 2, patch 3, patch 4; Cisco ISE 3.0 patch 1

For more information about Cisco ISE compatibility with Cisco Digital Network Architecture Center (Cisco DNA Center), see Cisco SD-Access Compatibility Matrix.

Validated Security Product Integrations (over pxGrid)

Table 5. Validated Security Product Integrations (over pxGrid)

Columns: Cisco ISE 3.0 | Cisco ISE 2.7 | Cisco ISE 2.6

Cisco Firepower Management Center
  Validated releases: Firepower Threat Defense with Cisco Firepower Management Center 6.5; Firepower Threat Defense with Cisco Firepower Management Center 6.6; Firepower Threat Defense with Firepower Device Management 6.5; Firepower Threat Defense with Firepower Device Management 6.6; Firepower Threat Defense with Cisco Firepower Management Center 6.4; Firepower Threat Defense with Cisco Firepower Management Center 6.4

Cisco Stealthwatch Management
  Cisco Stealthwatch Management 7.1.2 | Cisco Stealthwatch Management 7.0 | Cisco Stealthwatch Management 6.9

Cisco Web Security Appliance
  Validated releases: Cisco Web Security Appliance 12.0.1; Cisco Web Security Appliance 11.5.1

Validated Cisco Meraki Devices

Columns: Device | Validated OS / Minimum OS | AAA | Profiling | BYOD | Guest | Guest Originating URL | Posture | MDM | TrustSec [1]

Meraki MS390
  Validated OS: Latest MS 14.x release   ! X X X X X
  Minimum OS: MS 14.5                    ! X X X X X

Meraki MS120/MS125
  Validated OS: Latest MS 14.x release   ! X X
  Minimum OS: MS 12.x                    ! X X

All other Meraki MS models
  Validated OS: Latest MS 14.x release   X X
  Minimum OS: MS 12.0                    ! [2] X X

Meraki MR 802.1ac wave 2 Access Points
  Validated OS: Latest MR 27.x release
  Minimum OS: MR 26.0                    X

Meraki MX Platforms
  Validated OS: Latest Version           X
  Minimum OS: Latest Version             X

[1] TrustSec is implemented using the Adaptive Policy feature. Adaptive Policy supports static and dynamic SGT assignment, inline SGT propagation, and enforcement of SGT-based policies. For more information, see Adaptive Policy Overview.

[2] Meraki MS switches running an OS version earlier than MS 14.5 do not support the Group Policy ACL feature. For more information, see Meraki MS Group Policy Access Control Lists.

Supported Protocol Standards, RFCs, and IETF Drafts

AAA Attributes for RADIUS Proxy Service

For RADIUS proxy service, the following authentication, authorization, and accounting (AAA) attributes must be included in the RADIUS communication:

  • Calling-Station-ID (IP or MAC_ADDRESS)

  • RADIUS::NAS_IP_Address

  • RADIUS::NAS_Identifier

AAA Attributes for Third-Party VPN Concentrators

For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:

  • Calling-Station-ID (tracks individual client by MAC or IP address)

  • User-Name (tracks remote client by login name)

  • NAS-Port-Type (helps to determine connection type as VPN)

  • RADIUS Accounting Start (triggers official start of session)

  • RADIUS Accounting Stop (triggers official end of session and releases ISE license)

  • RADIUS Accounting Interim Update on IP address change (for example, SSL VPN connection transitions from Web-based to a full-tunnel client)


Note

For VPN devices, the RADIUS Accounting messages must have the Framed-IP-Address attribute set to the client’s VPN-assigned IP address to track the endpoint while on a trusted network.
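The attribute requirements above, checked against an Accounting-Request as it arrives on the wire. This is an added example, not Cisco code: it parses the RFC 2865/2866 packet layout, verifies the accounting Request Authenticator against the shared secret, and reports which of the attributes listed for VPN concentrators (and the Framed-IP-Address the note requires) are absent; the sample records, addresses, user names and secret are constructed.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Tuple

# RADIUS code and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, NAS_PORT_TYPE = 40, 61
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows

def u32(n: int) -> bytes:
    """Encode an integer attribute value (4 octets, network order)."""
    return struct.pack("!I", n)

def parse_radius(packet: bytes) -> Tuple[int, int, Dict[int, List[bytes]]]:
    """Split a RADIUS datagram into (code, identifier, {type: [value, ...]})."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = HEADER.unpack_from(packet)
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def accounting_authenticator(header: bytes, body: bytes, secret: bytes) -> bytes:
    """RFC 2866 section 3: MD5(Code+ID+Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + bytes(16) + body + secret).digest()

def build_accounting_request(attrs, secret: bytes, ident: int = 1) -> bytes:
    """Assemble an Accounting-Request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = HEADER.pack(ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + accounting_authenticator(header, body, secret) + body

def check_vpn_accounting(packet: bytes, secret: bytes) -> dict:
    """Decode an accounting record and report what is missing relative to the
    attributes this page lists for VPN concentrators."""
    code, _, attrs = parse_radius(packet)
    length = HEADER.unpack_from(packet)[2]
    findings = []
    expected = accounting_authenticator(packet[:4], packet[20:length], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        findings.append("Request Authenticator does not verify with the shared secret")
    if code != ACCOUNTING_REQUEST:
        findings.append(f"code {code} is not Accounting-Request")

    def first(atype):
        return attrs[atype][0] if atype in attrs else None

    def as_u32(raw):
        return struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else None

    ip_raw = first(FRAMED_IP_ADDRESS)
    result = {
        "user": (first(USER_NAME) or b"").decode(errors="replace") or None,
        "calling_station": (first(CALLING_STATION_ID) or b"").decode(errors="replace") or None,
        "nas_port_type": as_u32(first(NAS_PORT_TYPE)),
        "status": ACCT_STATUS.get(as_u32(first(ACCT_STATUS_TYPE))),
        "framed_ip": socket.inet_ntoa(ip_raw) if ip_raw and len(ip_raw) == 4 else None,
    }
    for name, key in (("User-Name", "user"), ("Calling-Station-Id", "calling_station"),
                      ("NAS-Port-Type", "nas_port_type")):
        if result[key] is None:
            findings.append(f"missing {name}")
    if result["status"] is None:
        findings.append("Acct-Status-Type missing or not Start/Stop/Interim-Update")
    if result["framed_ip"] is None:  # page note: needed to track the endpoint's VPN address
        findings.append("missing Framed-IP-Address (VPN-assigned client address)")
    result["findings"] = findings
    return result

# Constructed sample records: documentation addresses, made-up user names and secret.
SECRET = b"constructed-shared-secret"
SAMPLE_START = build_accounting_request([
    (USER_NAME, b"alice"),
    (CALLING_STATION_ID, b"203.0.113.10"),
    (NAS_PORT_TYPE, u32(5)),             # 5 = Virtual, which VPN concentrators send
    (ACCT_STATUS_TYPE, u32(1)),          # Start
    (FRAMED_IP_ADDRESS, socket.inet_aton("10.0.0.5")),
], SECRET)
SAMPLE_NO_IP = build_accounting_request([  # Interim-Update that omits Framed-IP-Address
    (USER_NAME, b"bob"),
    (CALLING_STATION_ID, b"198.51.100.7"),
    (NAS_PORT_TYPE, u32(5)),
    (ACCT_STATUS_TYPE, u32(3)),
], SECRET, ident=2)

if __name__ == "__main__":
    for record in (SAMPLE_START, SAMPLE_NO_IP):
        print(check_vpn_accounting(record, SECRET))
```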


System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation for this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

For information on the SSM On-Prem server releases that support smart licensing, see the topic Configure Smart Software Manager On-Prem for Smart Licensing in the Chapter "Licensing", in the Cisco ISE Administrator Guide for your release.

Supported Hardware

Cisco ISE, Release 3.0, can be installed on the following platforms:

Table 6. Supported Platforms

Hardware Platform
  • Cisco SNS-3515-K9 (small)
  • Cisco SNS-3595-K9 (large)
  • Cisco SNS-3615-K9 (small)
  • Cisco SNS-3655-K9 (medium)
  • Cisco SNS-3695-K9 (large)

Configuration (all platforms): For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.


Caution

  • Cisco ISE 3.1 does not support Cisco Secured Network Server (SNS) 3515 appliance.

  • Cisco SNS 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, all the users will be required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

  • Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.


Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESXi 5.x, 6.x, 7.x

    • Cisco ISE has been validated with Cisco HyperFlex HX-Series with VMware ESXi 6.5.

    • The process of installing Cisco ISE on VMware Cloud is exactly the same as that of installing Cisco ISE on a VMware virtual machine.

      • Cisco ISE virtual machine deployed on VMware Cloud in Amazon Web Services (AWS): Cisco ISE can be hosted on a software-defined data center (SDDC) provided by VMware Cloud on AWS. Ensure that appropriate security group policies are configured on VMware Cloud to enable reachability to the on-premises deployment and to the required devices and services.

      • Cisco ISE virtual machine deployed on Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Azure, where Cisco ISE can be hosted as a VMware virtual machine.

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on QEMU 1.5.3-160

  • Nutanix AHV 20201105.2096

For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.


Note

From Cisco ISE Release 3.0 onwards, the CPUs of the virtualization platform that hosts Cisco ISE virtual machines must support the Streaming SIMD Extensions (SSE) 4.2 instruction set. Otherwise, certain Cisco ISE services (such as ISE API gateway) will not work, and the Cisco ISE GUI cannot be launched. Both Intel and AMD processors support SSE Version 4.2 since 2011.


Federal Information Processing Standard Mode Support

Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.

When FIPS mode is enabled on Cisco ISE, consider the following:

  • All non-FIPS-compliant cipher suites will be disabled.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA private keys must be 2048 bits or greater.

  • Elliptic Curve Digital Signature Algorithm (ECDSA) private keys must be 224 bits or greater.

  • Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.

  • SHA1 is not allowed to generate ISE local server certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • The local SSH server operates in FIPS mode.

  • The following protocols are not supported in FIPS mode for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP

Validated Browsers

Cisco ISE 3.1 has been validated with the following browsers:

  • Google Chrome 92 and 91

  • Mozilla Firefox 90 and 89

  • Mozilla Firefox ESR 78.12

  • Microsoft Edge 91

Validated External Identity Sources

Table 7. Validated External Identity Sources

External Identity Source                                    Version

Active Directory [3][4]
  Microsoft Windows Active Directory 2012                   Windows Server 2012
  Microsoft Windows Active Directory 2012 R2 [5]            Windows Server 2012 R2
  Microsoft Windows Active Directory 2016                   Windows Server 2016
  Microsoft Windows Active Directory 2019 [6]               Windows Server 2019

LDAP Servers
  SunONE LDAP Directory Server                              Version 5.2
  OpenLDAP Directory Server                                 Version 2.4.23
  Any LDAP v3 compliant server                              Any version that is LDAP v3 compliant

Token Servers
  RSA ACE/Server                                            6.x series
  RSA Authentication Manager                                7.x and 8.x series
  Any RADIUS RFC 2865-compliant token server                Any version that is RFC 2865 compliant

Security Assertion Markup Language (SAML) Single Sign-On (SSO)
  Microsoft Azure                                           Latest
  Oracle Access Manager (OAM)                               Version 11.1.2.2.0
  Oracle Identity Federation (OIF)                          Version 11.1.1.2.0
  PingFederate Server                                       Version 6.10.0.4
  PingOne Cloud                                             Latest
  Secure Auth                                               8.1.1
  Any SAMLv2-compliant Identity Provider                    Any Identity Provider version that is SAMLv2 compliant

Open Database Connectivity (ODBC) Identity Source
  Microsoft SQL Server                                      Microsoft SQL Server 2012
  Oracle                                                    Enterprise Edition Release 12.1.0.2.0
  PostgreSQL                                                9.0
  Sybase                                                    16.0
  MySQL                                                     6.3

Social Login (for Guest User Accounts)
  Facebook                                                  Latest

[3] Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008 and later.

[4] You can only add up to 200 Domain Controllers on Cisco ISE. On exceeding the limit, you will receive the following error:

Error creating <DC FQDN> - Number of DCs Exceeds allowed maximum of 200

[5] Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.

[6] Cisco ISE 2.6 Patch 4 and later support all the legacy features in Microsoft Windows Active Directory 2019.

See the Cisco Identity Services Engine Administrator Guide for more information.

Supported Unified Endpoint Management and Mobile Device Management Servers

Supported MDM servers include products from the following vendors:

  • Absolute

  • Blackberry - BES

  • Blackberry - Good Secure EMM

  • Cisco Meraki Systems Manager

  • Globo

  • IBM MaaS360

  • Ivanti (previously MobileIron UEM), core and cloud UEM services

  • JAMF Casper Suite

  • Microsoft Endpoint Configuration Manager

  • Mosyle

  • SAP Afaria

  • Sophos

  • SOTI MobiControl

  • Symantec

  • Tangoe

  • VMware Workspace ONE (earlier known as AirWatch)

  • 42 Gears

For the configurations that you must perform in your endpoint management servers to integrate the servers with Cisco ISE, see Integrate UEM and MDM Servers With Cisco ISE.

Supported Ciphers

In a clean or fresh install of Cisco ISE, SHA1 ciphers are disabled by default. However, if you upgrade from an existing version of Cisco ISE, the SHA1 ciphers retain the options from the earlier version. You can view and change the SHA1 ciphers settings using the Allow SHA1 Ciphers field (Administration > System > Settings > Security Settings).


Note

This does not apply to the Admin portal. When running in Federal Information Processing Standard Mode (FIPS), an upgrade does not remove SHA1 ciphers from the Admin portal.


Cisco ISE supports TLS versions 1.0, 1.1, and 1.2.

Cisco ISE supports RSA and ECDSA server certificates. The following elliptic curves are supported:

  • secp256r1

  • secp384r1

  • secp521r1

The following table lists the supported cipher suites. The second column applies when Cisco ISE is configured as an EAP server or as a RADIUS DTLS server; the third column applies when Cisco ISE downloads a CRL from HTTPS or a secure LDAP server, when it is configured as a secure syslog client or a secure LDAP client, and when it is configured as a RADIUS DTLS client for CoA.

Cipher Suite                    | EAP server / RADIUS DTLS server | CRL download, secure syslog/LDAP client, RADIUS DTLS client for CoA
TLS 1.0 support                 | When TLS 1.0 is allowed (DTLS server supports only DTLS 1.2); see the TLS 1.0 note below | When TLS 1.0 is allowed (DTLS client supports only DTLS 1.2)
TLS 1.1 support                 | When TLS 1.1 is allowed | When TLS 1.1 is allowed

ECC DSA ciphers
ECDHE-ECDSA-AES256-GCM-SHA384   | Yes | Yes
ECDHE-ECDSA-AES128-GCM-SHA256   | Yes | Yes
ECDHE-ECDSA-AES256-SHA384       | Yes | Yes
ECDHE-ECDSA-AES128-SHA256       | Yes | Yes
ECDHE-ECDSA-AES256-SHA          | When SHA-1 is allowed | When SHA-1 is allowed
ECDHE-ECDSA-AES128-SHA          | When SHA-1 is allowed | When SHA-1 is allowed

ECC RSA ciphers
ECDHE-RSA-AES256-GCM-SHA384     | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES128-GCM-SHA256     | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES256-SHA384         | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES128-SHA256         | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed
ECDHE-RSA-AES256-SHA            | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed
ECDHE-RSA-AES128-SHA            | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed

DHE RSA ciphers
DHE-RSA-AES256-SHA256           | No | Yes
DHE-RSA-AES128-SHA256           | No | Yes
DHE-RSA-AES256-SHA              | No | When SHA-1 is allowed
DHE-RSA-AES128-SHA              | No | When SHA-1 is allowed

RSA ciphers
AES256-SHA256                   | Yes | Yes
AES128-SHA256                   | Yes | Yes
AES256-SHA                      | When SHA-1 is allowed | When SHA-1 is allowed
AES128-SHA                      | When SHA-1 is allowed | When SHA-1 is allowed

3DES ciphers
DES-CBC3-SHA                    | When 3DES/SHA-1 is allowed | When 3DES/DSS and SHA-1 are enabled

DSS ciphers
DHE-DSS-AES256-SHA              | No | When 3DES/DSS and SHA-1 are enabled
DHE-DSS-AES128-SHA              | No | When 3DES/DSS and SHA-1 are enabled
EDH-DSS-DES-CBC3-SHA            | No | When 3DES/DSS and SHA-1 are enabled

Weak RC4 ciphers
RC4-SHA                         | When the "Allow weak ciphers" option is enabled in the Allowed Protocols page and SHA-1 is allowed | No
RC4-MD5                         | When the "Allow weak ciphers" option is enabled in the Allowed Protocols page | No

EAP-FAST anonymous provisioning only
ADH-AES-128-SHA                 | Yes | No

TLS 1.0 note: The Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.0 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS-based EAP authentication methods with TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings window. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Protocols > Security Settings.

Peer certificate restrictions

Validate KeyUsage

Client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384

Validate ExtendedKeyUsage

Client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:

  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • EDH-RSA-DES-CBC3-SHA
  • DES-CBC3-SHA
  • RC4-SHA
  • RC4-MD5

Server certificate should have ExtendedKeyUsage=Server Authentication
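The "EAP server" column of the cipher-suite table, the peer-certificate KeyUsage restrictions above, and the FIPS-mode key rules listed under "Federal Information Processing Standard Mode Support", modelled as one policy check an operator can run before a rollout. This is an added example, not Cisco code: the setting names are assumptions that mirror the GUI options the page mentions (Allow SHA1 Ciphers, ECDHE-RSA, 3DES/DSS, Allow weak ciphers, FIPS mode), and PeerCert is a simplified stand-in for a parsed certificate.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class SecuritySettings:
    """Assumed names for the ISE options that the table's conditions refer to."""
    allow_sha1: bool = False          # "Allow SHA1 Ciphers"; off on a fresh install
    allow_ecdhe_rsa: bool = True      # table condition "When ECDHE-RSA is allowed"
    allow_3des_dss: bool = False      # table condition "When 3DES/DSS ... allowed"
    allow_weak_ciphers: bool = False  # "Allow weak ciphers" on the Allowed Protocols page
    fips_mode: bool = False           # FIPS mode as described on this page

# Suite -> settings that must all be on for ISE to offer it as an EAP server
# (the "EAP server" column).  None reproduces a "No" cell, an empty set a "Yes".
EAP_SERVER_RULES = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": set(), "ECDHE-ECDSA-AES128-GCM-SHA256": set(),
    "ECDHE-ECDSA-AES256-SHA384": set(), "ECDHE-ECDSA-AES128-SHA256": set(),
    "ECDHE-ECDSA-AES256-SHA": {"allow_sha1"}, "ECDHE-ECDSA-AES128-SHA": {"allow_sha1"},
    "ECDHE-RSA-AES256-GCM-SHA384": {"allow_ecdhe_rsa"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"allow_ecdhe_rsa"},
    "ECDHE-RSA-AES256-SHA384": {"allow_ecdhe_rsa"},
    "ECDHE-RSA-AES128-SHA256": {"allow_ecdhe_rsa"},
    "ECDHE-RSA-AES256-SHA": {"allow_ecdhe_rsa", "allow_sha1"},
    "ECDHE-RSA-AES128-SHA": {"allow_ecdhe_rsa", "allow_sha1"},
    "DHE-RSA-AES256-SHA256": None, "DHE-RSA-AES128-SHA256": None,
    "DHE-RSA-AES256-SHA": None, "DHE-RSA-AES128-SHA": None,
    "AES256-SHA256": set(), "AES128-SHA256": set(),
    "AES256-SHA": {"allow_sha1"}, "AES128-SHA": {"allow_sha1"},
    "DES-CBC3-SHA": {"allow_3des_dss", "allow_sha1"},
    "DHE-DSS-AES256-SHA": None, "DHE-DSS-AES128-SHA": None, "EDH-DSS-DES-CBC3-SHA": None,
    "RC4-SHA": {"allow_weak_ciphers", "allow_sha1"}, "RC4-MD5": {"allow_weak_ciphers"},
    "ADH-AES-128-SHA": set(),  # EAP-FAST anonymous PAC provisioning only
}

# "Peer certificate restrictions": KeyUsage the client certificate must carry.
KEY_AGREEMENT_SUITES = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384"})
KEY_ENCIPHERMENT_SUITES = frozenset({
    "AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"})

# FIPS mode: minimum private-key sizes listed on this page.
FIPS_MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 224, "DH": 2048}

def enabled_eap_server_suites(s: SecuritySettings) -> List[str]:
    """Suites ISE would offer as an EAP server under these settings."""
    on = {name for name, value in vars(s).items() if value}
    suites = [suite for suite, needed in EAP_SERVER_RULES.items()
              if needed is not None and needed <= on]
    if s.fips_mode:
        # FIPS mode disables anonymous PAC provisioning in EAP-FAST, so the ADH
        # suite goes; the page does not enumerate the other suites FIPS mode
        # disables, so those are not modelled here.
        suites = [x for x in suites if not x.startswith("ADH-")]
    return suites

def required_client_key_usage(suite: str) -> Optional[str]:
    if suite in KEY_AGREEMENT_SUITES:
        return "keyAgreement"
    if suite in KEY_ENCIPHERMENT_SUITES:
        return "keyEncipherment"
    return None  # the page lists no KeyUsage requirement for this suite

@dataclass(frozen=True)
class PeerCert:  # simplified view of a client certificate (assumed shape, not a parser)
    key_algorithm: str      # "RSA" or "ECDSA"
    key_bits: int
    signature_hash: str     # e.g. "SHA256"
    key_usage: FrozenSet[str]
    extended_key_usage: FrozenSet[str]

def check_client_cert(cert: PeerCert, suite: str, s: SecuritySettings) -> List[str]:
    """Reasons the certificate would be rejected for this suite; [] means accepted."""
    problems = []
    if suite not in enabled_eap_server_suites(s):
        problems.append(f"{suite} is not offered with the current settings")
    needed = required_client_key_usage(suite)
    if needed and needed not in cert.key_usage:
        problems.append(f"{suite} requires KeyUsage={needed}")
    if "clientAuth" not in cert.extended_key_usage:
        problems.append("ExtendedKeyUsage must include Client Authentication")
    if s.fips_mode:
        minimum = FIPS_MIN_KEY_BITS.get(cert.key_algorithm)
        if minimum is None:
            problems.append(f"FIPS mode: no key-size rule on this page for {cert.key_algorithm}")
        elif cert.key_bits < minimum:
            problems.append(f"FIPS mode: {cert.key_algorithm} key must be {minimum} bits or greater")
        if cert.signature_hash.upper().replace("-", "") == "SHA1":
            problems.append("FIPS mode: SHA1 is not a FIPS-compliant hash")
    return problems
```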

Validated OpenSSL Version

Cisco ISE is validated with OpenSSL 1.0.2.x (CiscoSSL 6.0).

Validated Client Machine Operating Systems, Supplicants, and Agents

This section lists the validated client machine operating systems, browsers, and agent versions for each client machine type. For all devices, you must also have cookies enabled in the web browser. Cisco AnyConnect-ISE Posture Support Charts are available at: https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

Cisco ISE, Release 2.3 and later support only the Cisco AnyConnect and Cisco Temporal Agents.

All standard 802.1X supplicants can be used with Cisco ISE, Release 2.4 and above standard and advanced features as long as they support the standard authentication protocols supported by Cisco ISE. For the VLAN change authorization feature to work in a wireless deployment, the supplicant must support IP address refresh on VLAN change.

Posture and Bring Your Own Device (BYOD) flows are supported by the General Availability releases of the operating systems that are listed in the Cisco ISE UI, based on the latest Posture Feed Update. The Posture and BYOD flows may also work in the Beta macOS releases that are listed in the Cisco ISE UI. For example, if macOS 12 Beta (all) is listed in the Cisco ISE UI, Posture and BYOD flows may work on macOS 12 Beta endpoints. Support is provided on a best-effort basis as beta operating system releases often undergo significant changes between the initial and General Availability releases.

Note that when you update your operating system (OS) to a new version, you may experience a delay (of a few hours or a day) in support and reflection of the updated OS version in the Posture Feed Server.

Google Android

Cisco ISE may not support certain Android OS version and device combinations because of the open-access nature of the Android implementation on certain devices.

The following Google Android versions have been validated with Cisco ISE:

  • Google Android 10.x

  • Google Android 9.x

  • Google Android 8.x

  • Google Android 7.x

The following Android devices have been validated with Cisco ISE. See the Validated Network Access Devices section for the list of devices for which BYOD flow is supported in Cisco ISE.

Table 8. Validated Android Devices

Device Model         Android Version
Google Pixel 3       10
OnePlus 6            10
Samsung S9           9
Google Nexus 6P      8.1
Huawei Mate Pro 10   8

Ensure that the Location service is enabled on the Android 9.x and 10.x devices before starting the supplicant provisioning wizard (SPW).

Android no longer uses the Common Name (CN). The hostname must be in the subjectAltName (SAN) extension, or trust fails. If you are using self-signed certificates, regenerate the Cisco ISE self-signed certificate by selecting the Domain Name or IP Address option from the SAN drop-down list for Portals. To view this window, click the Menu icon and choose Administration > System > Certificates > System Certificates.

If you are using Android 9.x, you must update the posture feed in Cisco ISE to get the NSA for Android 9.

Apple iOS

When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1X, the public certificate includes a CRL distribution point that the iOS device needs to verify, but it cannot do so without network access. Click “confirm/accept” on the iOS device to authenticate to the network.

The following Apple iOS versions have been validated with Cisco ISE:

  • Apple iOS 13.x

  • Apple iOS 12.x

  • Apple iOS 11.x

The following iPhone/iPad devices have been validated with Cisco ISE. See the Validated Network Access Devices section for the list of devices for which BYOD flow is supported in Cisco ISE.

Table 9. Validated iPhone/iPad Devices

Device Model   iOS Version
iPhone X       iOS 13
iPhone 8       iOS 12.3
iPhone 7       iOS 13.2
iPhone 6       iOS 12.6
iPhone 5s      iOS 12, iOS 10.3
iPad           iPad OS 13.1


Note

  • If you are using Apple iOS 12.2 or a later version, you must manually install the downloaded certificate or profile. To do this, choose Settings > General > Profile on the Apple iOS device and click Install.

  • If you are using Apple iOS 12.2 or later version, RSA key size must be 2048 bits or higher. Otherwise, you might see an error while installing the BYOD profile.

  • If you are using Apple iOS 13 or a later version, regenerate the self-signed certificate for portal role by adding the <<FQDN>> as DNS Name in the SAN field.

  • If you are using Apple iOS 13 or a later version, ensure that SHA-256 (or greater) is selected as the signature algorithm.


Apple macOS

Table 10. Apple macOS

Client Machine Operating System   AnyConnect
Apple macOS 11                    4.9.04043 or later
Apple macOS 10.15                 4.8.01090 or later
Apple macOS 10.14                 4.8.01090 or later
Apple macOS 10.13                 4.8.01090 or later

Cisco ISE does work with earlier releases of AnyConnect 4.x. However, only newer AnyConnect releases support newer features.


Note

For Apple macOS 11, you must use Cisco AnyConnect 4.9.04043 or above and MAC OSX compliance module 4.3.1466.4353 or above.


If you are using Apple macOS 11, you might see a prompt to install the profiles manually when you are installing the Cisco Network Setup Assistant. In this case, you must do the following:

  1. Navigate to the Downloads folder.

  2. Double-click the cisco802dot1xconfiguration.mobileconfig file.

  3. Choose System > Preferences.

  4. Click Profiles.

  5. Install the profiles.

  6. Click OK in the prompt that is displayed in the Cisco Network Setup Assistant to proceed with installation.


Note

The Supplicant Provisioning Wizard bundle for MAC OSX version 3.1.0.1 is common for all Cisco ISE releases. It has been verified with Cisco ISE 2.4 patch 12, Cisco ISE 2.6 patch 8, Cisco ISE 2.7 patch 3, and Cisco ISE 3.0 patch 2.


For information about the Windows and MAC OSX anti-malware, patch management, disk encryption, and firewall products that are supported by the Cisco ISE Posture Agent, see the Cisco AnyConnect-ISE Posture Support Charts.


Note

  • All browsers now cap the reported Apple macOS version at 10.15.7 to increase user privacy.

  • During provisioning, Apple macOS 11 endpoints cannot be identified. This leads to an issue with client provisioning (CP) policy matching in Posture and BYOD flows when the client is running Apple macOS 11. As a workaround, map the CP policy to macOS All for Posture and BYOD flows on Apple macOS 11.

  • During classification, Apple macOS 11 endpoints cannot be identified. This leads to an issue with profiling policy matching when the client is running Apple macOS 11.


Microsoft Windows

Table 11. Microsoft Windows

Columns: Client Machine Operating System | Supplicants (802.1X) | Cisco Temporal Agent | AnyConnect (see footnote 7)

Microsoft Windows 11

  Client Machine Operating System:

  • Windows 11 Enterprise

  • Windows 11 Professional

  • Windows 11 Education

  • Windows 11 Home

  Supplicants (802.1X):

  • Microsoft Windows 802.1x Client

  • AnyConnect Network Access Manager

  Cisco Temporal Agent: 4.10.04065 or later

  AnyConnect (see footnote 7): 4.10.04065 or later

Microsoft Windows 10

  Client Machine Operating System:

  • Windows 21H2

  • Windows 21H1

  • Windows 20H2

  • Windows 20H1

  • Windows 19H2

  • Windows 19H1

  • Windows 10 Enterprise

  • Windows 10 Enterprise N

  • Windows 10 Enterprise E

  • Windows 10 Enterprise LTSB

  • Windows 10 Enterprise N LTSB

  • Windows 10 Professional

  • Windows 10 Professional N

  • Windows 10 Professional E

  • Windows 10 Education

  • Windows 10 Home

  • Windows 10 Home Chinese

  • Windows 10.0 SLP (Single Language Pack)

  Supplicants (802.1X):

  • Microsoft Windows 10 802.1X Client

  • AnyConnect Network Access Manager

  Cisco Temporal Agent: 4.5 or later

  AnyConnect (see footnote 7): 4.8.01090 or later

7 If you have AnyConnect Network Access Manager (NAM) installed, NAM takes precedence over the Windows native supplicant as the 802.1X supplicant, and NAM does not support the BYOD flow. You must disable NAM completely or on a specific interface. See the Cisco AnyConnect Secure Mobility Client Administration Guide for more information.

To enable wireless redirection in Firefox 70 for BYOD, Guest, and Client Provisioning portals:

  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Security Settings.

  2. Check the Allow SHA1 ciphers check box. SHA1 ciphers are disabled by default.

  3. In your Firefox browser, choose Options > Privacy & Settings > View Certificates > Servers > Add Exception.

  4. Add https://<FQDN>:8443/ as exception.

  5. Click Add Certificate and then refresh your Firefox browser.

Google Chromebook

Google Chromebook is a managed device and does not support the Posture service. See the Cisco Identity Services Engine Administration Guide for more information.

Table 12. Google Chromebook

Columns: Client Machine Operating System | Web Browser | Cisco ISE

Google Chromebook

  Web Browser: Google Chrome version 49 or later

  Cisco ISE: Cisco ISE 2.4 Patch 8

Cisco ISE BYOD or Guest portal may fail to launch in Chrome Operating System 73 even though the URL is redirected successfully. To launch the portals in Chrome Operating System 73, follow the steps below:

  1. Generate a new self-signed certificate from ISE GUI by filling the Subject Alternative Name field. Both DNS and IP Address must be filled.

  2. Export and copy the certificate to the end client (Chromebook).

  3. Choose Settings > Advanced > Privacy and Security > Manage certificates > Authorities.

  4. Import the certificate.

  5. Open the browser and verify that the portal now launches after the URL redirect.

In Chromebook 76 and later, if you are configuring EAP-TLS settings using an internal CA for EAP, upload the CA certificate chain with SAN fields to the Google Admin Console under Device Management > Network > Certificates. Once the CA chain is uploaded, the Cisco ISE-generated certificate with SAN fields is mapped under the Chromebook Authorities section, so the Chromebook treats your Cisco ISE certificate as trusted.

If you are using a third-party CA, you do not have to import the CA chain into the Google Admin Console. Choose Settings > Advanced > Privacy and Security > Manage certificates > Server certificate Authority and select Use any default Certificate Authority from the drop-down list.

Validated Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals

These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.

Table 13. Validated Operating Systems and Browsers

Supported Operating System8

Browser Versions

Google Android9 10.x, 9.x, 8.x, 7.x

  • Native browser

  • Mozilla Firefox

  • Google Chrome

Apple iOS 13.x, 12.x, 11.x

  • Safari

Apple macOS 11, 10.15, 10.14, 10.13

  • Mozilla Firefox

  • Safari

  • Google Chrome

Microsoft Windows 10

  • Microsoft IE 11.x

  • Mozilla Firefox

  • Google Chrome

8 The latest two officially-released browser versions are supported for all operating systems except Microsoft Windows; refer to Table 14 for the supported Internet Explorer versions.
9 Cisco ISE may not support certain Android OS version and device combinations due to the open-access nature of the Android implementation on certain devices.

Validated Devices for On-Boarding and Certificate Provisioning

Cisco Wireless LAN Controller (WLC) 7.2 or later support is required for the BYOD feature. See the Release Notes for the Cisco Identity Services Engine for any known issues or caveats.


Note

To get the latest Cisco-supported client Operating System versions, check the posture update information. To do this:

  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Posture > Updates.

  2. Click Update Now.


Table 14. BYOD On-Boarding and Certificate Provisioning - Validated Devices and Operating Systems

Columns: Device | Operating System | Single SSID | Dual SSID (open > PEAP (no cert) or open > TLS) | Onboard Method

Apple iDevice

  Operating System: Apple iOS 13.x, 12.x, 11.x; Apple iPad OS 13.x

  Single SSID: Yes

  Dual SSID: Yes10

  Onboard Method: Apple profile configurations (native)

Google Android; Barnes & Noble Nook (Android) HD/HD+12

  Operating System: 10.x, 9.x, 8.x, 7.x

  Single SSID: Yes11

  Dual SSID: Yes

  Onboard Method: Cisco Network Setup Assistant

Windows

  Operating System: Windows 10 (Microsoft Windows 10 Version 2004 (OS build 19041.1) and higher is required for EAP TEAP.)

  Single SSID: Yes13

  Dual SSID: Yes

  Onboard Method: 2.2.1.53 or later

Windows

  Operating System: Mobile 8, Mobile RT, Surface 8, and Surface RT

  Single SSID: No

  Dual SSID: No

Apple macOS

  Operating System: Apple macOS 11, 10.15, 10.14, 10.13

  Single SSID: Yes

  Dual SSID: Yes

  Onboard Method: 2.2.1.43 or later

10 Connect to the secure SSID after provisioning.
11 You cannot modify the system-created SSIDs using the Cisco supplicant provisioning wizard (SPW) if you are using Android version 6.0 or above. When the SPW prompts you to forget the network, you must choose this option and press the Back button to continue the provisioning flow.
12 Barnes & Noble Nook (Android) works when it has Google Play Store 2.1.0 installed.
13 While configuring the wireless properties for the connection (Security > Auth Method > Settings > Validate Server Certificate), uncheck the Validate Server Certificate option. If you check this option, ensure that you select the correct root certificate.

Validated Cisco Prime Infrastructure Release

Cisco Prime Infrastructure, Release 3.6 or above can be integrated with Cisco ISE 2.6 or above to leverage the monitoring and reporting capabilities of Cisco ISE.

Validated Cisco WAN Service Administrator Release

Cisco WAN Service Administrator, Release 11.5.1 or above can be integrated with Cisco ISE 2.7 or above.

Support for Threat Centric NAC

Cisco ISE is validated with the following adapters:

  • SourceFire FireAMP

  • Cognitive Threat Analytics (CTA) adapter

  • Rapid7 Nexpose

  • Tenable Security Center

  • Qualys (Only the Qualys Enterprise Edition is currently supported for TC-NAC flows)

Devices Validated with Cisco ISE 2.3 or Earlier

The following section lists the devices that are validated with Cisco ISE. Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior for standards-based authentication. Cisco ISE supports protocol standards like RADIUS, its associated RFC Standards, and TACACS+. For more information, see the ISE Community Resources.

Validated Cisco Access Switches

Table 15. Validated Cisco Access Switches

Device

Validated OS 14

AAA

Profiling

BYOD

Guest

Guest Originating URL

Posture

MDM

TrustSec 15

Minimum OS 16

IE2000

IE3000 

Cisco IOS 15.2(2)E4

Cisco IOS 15.2(4)EA6

Cisco IOS 15.0(2)EB

X

IE4000

IE5000

Cisco IOS 15.2(2)E5

Cisco IOS 15.2(4)E2

Cisco IOS 15.2(4)EA6

Cisco IOS 15.0.2A-EX5

IE4010

Cisco IOS 15.2(2)E5

Cisco IOS 15.2(4)E2

Cisco IOS 15.0.2A-EX5

CGS 2520

Cisco IOS 15.2(3)E3

X

Cisco IOS 15.2(3)E3

X

Catalyst 2960 LAN Base

Cisco IOS 15.0(2)SE11

X

X

Cisco IOS v12.2(55)SE5 17

!

X

!

!

X

Catalyst 2960-C

Catalyst 3560-C

Cisco IOS 15.2(2)E4

Cisco IOS 12.2(55)EX3

Catalyst 2960-L

Cisco IOS 15.2(6.1.27)E2

X

Cisco IOS 15.2(6)E2

X

Catalyst 2960-Plus

Catalyst 2960-SF

Cisco IOS 15.2(2)E4

Cisco IOS 15.0(2)SE7

X

Catalyst 2960-CX

Catalyst 3560-CX

Cisco IOS 15.2(3)E1

Cisco IOS 15.2(3)E

Catalyst 3560V2

Catalyst 3750V2

Cisco IOS 12.2(55)SE10

Cisco IOS 12.2(55)SE5

Catalyst 3560-E

Cisco IOS 15.0(2)SE11

Cisco IOS 12.2(55)SE5

Catalyst 3750-E

Cisco IOS 15.2(2) E6

Cisco IOS 15.0(2)SE11

Cisco IOS 12.2(55)SE5

Catalyst 3750-X

Cisco IOS 15.2(2) E6

Cisco IOS 15.2(2)E5

Cisco IOS 15.2(4)E2

Cisco IOS 12.2(55)SE5

Catalyst 4500 Supervisor 7-E, 7L-E

Cisco IOS XE 3.6.4

Cisco IOS XE 3.4.4 SG

X

Catalyst 4500 Supervisor 6-E, 6L-E

Cisco IOS 15.2(2)E4

X

Cisco IOS 15.2(2)E

X

Catalyst 5760

Cisco IOS XE 3.7.4

X

Catalyst 6500-E (Supervisor 32)

Cisco IOS 12.2(33)SXJ10

X

Cisco IOS 12.2(33)SXI6

X

Catalyst 6500-E (Supervisor 720)

Cisco IOS 15.1(2)SY7

X

Cisco IOS v12.2(33)SXI6

X

Catalyst 6500-E (VS-S2T-10G)

Cisco IOS 152-1.SY1a

X

Cisco IOS 15.0(1)SY1

X

Catalyst 6807-XL

Catalyst 6880-X (VS-S2T-10G)

Cisco IOS 152-1.SY1a

X

Cisco IOS 15.0(1)SY1

X

Catalyst 6500-E (Supervisor 32)

Cisco IOS 12.2(33)SXJ10

X

Cisco IOS 12.2(33)SXI6

X

Catalyst 6848ia

Cisco IOS 152-1.SY1a

X

Cisco IOS 15.1(2) SY+

X

14 Validated OS is the version tested for compatibility and stability.
15 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
16 Minimum OS is the version in which the features got introduced.
17 The IOS 12.x version does not fully support the Posture and Guest flows because of CSCsx97093. As a workaround, when you configure URL redirect in Cisco ISE, assign a value to “coa-skip-logical-profile.”

Validated Third Party Access Switches

Table 16. Validated Third Party Access Switches

Device

Validated OS 18

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 19

Minimum OS 20

Avaya ERS 2526T

4.4

!

X

X

X

X

X

4.4

!

X

X

X

X

X

Brocade ICX 6610

8.0.20

X

X

8.0.20

X

X

Extreme X440-48p

ExtremeXOS 15.5

X

X

X

ExtremeXOS 15.5

X

X

X

HP H3C

HP ProCurve

5.20.99

X

X

5.20.99

X

X

HP ProCurve 2900

WB.15.18.0007

X

X

WB.15.18.0007

X

X

Juniper EX3300

12.3R11.2

X

X

12.3R11.2

X

X

18 Validated OS is the version tested for compatibility and stability.
19 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
20 Minimum OS is the version in which the features got introduced.

For more information on third-party device support, see https://communities.cisco.com/docs/DOC-64547

Validated Cisco Wireless LAN Controllers

Table 17. Validated Cisco Wireless LAN Controllers

Device

Validated OS 21

AAA

Profiling

BYOD

Guest

Guest Originating URL

Posture

MDM

TrustSec 22

WLC 2100

AireOS 7.0.252.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

WLC 2504

AirOS 8.5.120.0(ED)

WLC 3504

AirOS 8.5.105.0

Not validated

WLC 4400

AireOS 7.0.252.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

WLC 2500

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.3.102.0

X

AireOS 8.4.100.0

X

AireOS 7.2.103.0 (minimum)

!

X

X

WLC 5508

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.3.102.0

X

AireOS 8.3.114.x

X

AireOS 8.3.140.0

X

AireOS 8.4.100.0

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

WLC 5520

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.3.102.0

X

AireOS 8.4.100.0

X

AireOS 8.5.1.x

AireOS 8.6.1.x

AirOS 8.6.101.0(ED)

AireOS 8.1.122.0 (minimum)

X

WLC 7500

AireOS 8.0.140.0

X

X

AireOS 8.2.121.0

X

AireOS 8.2.154.x

X

AireOS 8.3.102.0

X

AireOS 8.4.100.0

X

AirOS 8.5.120.0(ED)

AireOS 7.2.103.0 (minimum)

!

X

X

X

X

X

X

WLC 8510

AireOS 8.0.135.0

X

X

AireOS 7.4.121.0 (minimum)

X

X

X

X

X

WLC 8540

AireOS 8.1.131.0

X

X

AireOS 8.1.122.0 (minimum)

X

X

WiSM1 6500

AireOS 7.0.252.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

WiSM2 6500

AireOS 8.0.135.0

X

AireOS 7.2.103.0 (minimum)

!

X

WLC 5760

IOS XE 3.6.4

IOS XE 3.3 (minimum)

X

WLC for ISR (ISR2 ISM, SRE700, and SRE900)

AireOS 7.0.116.0

!

X

!

X

X

X

X

AireOS 7.0.116.0 (minimum)

!

X

!

X

X

X

X

21 Validated OS is the version tested for compatibility and stability.
22 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.

Refer to the Cisco Wireless Solutions Software Compatibility Matrix for a complete list of supported operating systems.


Note

Due to CSCvi10594, IPv6 RADIUS CoA fails in AireOS Release 8.1 and later. As a workaround, you can use IPv4 RADIUS or downgrade Cisco Wireless LAN Controller to AireOS Release 8.0.



Note

Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support endpoint posturing. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.


Supported Cisco Access Points

Table 18. Supported Cisco Access Points

Cisco Access Point

Minimum Cisco Mobility Express Version

AAA

Profiling

BYOD

Guest

Guest Originating URL

Posture

MDM

TrustSec

Cisco Aironet 1540 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1560 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1815i

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1815m

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 1815w

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 2800 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Cisco Aironet 3800 Series

Cisco Mobility Express 8.7.106.0

X

X

X

X

X

Validated Third Party Wireless LAN Controllers

Table 19. Validated Third Party Wireless LAN Controllers

Device

Validated OS 23

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 24

Minimum OS 25

Aruba 320026

Aruba 3200XM

Aruba 650

6.4

X

X

6.4

X

X

6.4

X

X

Aruba 7000

Aruba IAP

6.4.1.0

X

X

6.4.1.0

X

X

Motorola RFS 4000

5.5

X

X

5.5

X

X

HP 830

35073P5

X

X

35073P5

X

X

Ruckus ZD1200

9.9.0.0

X

X

9.9.0.0

X

X

23 Validated OS is the version tested for compatibility and stability.
24 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
25 Minimum OS is the version in which the features got introduced.
26 Aruba 3200 is supported for ISE 2.2 patch 2 and above.

For more information on third-party device support, see https://communities.cisco.com/docs/DOC-64547

Validated Cisco Routers

Table 20. Validated Cisco Routers

Device

Validated OS 27

Minimum OS 28

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 29

ISR 88x, 89x Series

IOS 15.3.2T(ED)

X

X

X

X

X

X

IOS 15.2(2)T

X

X

X

X

X

X

ASR 1001-HX

ASR 1001-X

ASR 1002-HX

ASR 1002-X

IOS XE 17.1.1

IOS XE 17.2.1

X

X

X

X

X

IOS XE 17.1.1

X

X

X

X

X

ISR 19x, 29x, 39x Series

IOS 15.3.2T(ED)

!

X

!

X

X

IOS 15.2(2)T

!

X

!

X

X

CE 9331

IOS XE 17.1.1

X

X

X

X

X

IOS XE 17.1.1

X

X

X

X

X

CGR 2010

IOS 15.3.2T(ED)

!

X

!

X

X

IOS 15.3.2T(ED)

!

X

!

X

X

4451-XSM-X L2/L3 Ethermodule

IOS XE 3.11

IOS XE 3.11

27 Validated OS is the version tested for compatibility and stability.
28 Minimum OS is the version in which the features got introduced.
29 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.

Validated Cisco Remote Access

Table 21. Validated Cisco Remote Access

Device

Validated OS 30

AAA

Profiling

BYOD

Guest

Posture

MDM

TrustSec 31

Minimum OS 32

ASA 5500, ASA 5500-X (Remote Access Only)

ASA 9.2.1

NA

NA

NA

X

ASA 9.1.5

NA

NA

X

NA

X

X

X

30 Validated OS is the version tested for compatibility and stability.
31 See the Cisco TrustSec Product Bulletin for a complete list of Cisco TrustSec feature support.
32 Minimum OS is the version in which the features got introduced.